suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "decode.h"
26 
27 #include "detect.h"
28 #include "detect-engine.h"
29 #include "detect-content.h"
30 #include "detect-pcre.h"
31 #include "detect-bytejump.h"
32 #include "detect-bytetest.h"
33 #include "detect-byte-extract.h"
34 #include "detect-isdataat.h"
35 #include "detect-engine-build.h"
36 
37 #include "rust.h"
38 
39 #include "app-layer-protos.h"
40 
41 #include "util-byte.h"
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 /* the base to be used if string mode is specified. These options would be
47  * specified in DetectByteParseData->base */
48 #define DETECT_BYTE_EXTRACT_BASE_HEX BaseHex
49 #define DETECT_BYTE_EXTRACT_BASE_DEC BaseDec
50 #define DETECT_BYTE_EXTRACT_BASE_OCT BaseOct
51 
52 /* the max no of bytes that can be extracted in string mode - (string, hex)
53  * (string, oct) or (string, dec) */
54 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
55 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
56 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
57 /* the max no of bytes that can be extracted in non-string mode */
58 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
59 
60 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
61 #ifdef UNITTESTS
62 static void DetectByteExtractRegisterTests(void);
63 #endif
64 static void DetectByteExtractFree(DetectEngineCtx *, void *);
65 
66 /**
67  * \brief Registers the keyword handlers for the "byte_extract" keyword.
68  */
69 void DetectByteExtractRegister(void)
70 {
71  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
72  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
73  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
74  sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
75  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
76  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
77 #ifdef UNITTESTS
78  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
79 #endif
80 }
81 
82 int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
83  const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value,
84  uint8_t endian)
85 {
86  if (payload_len == 0) {
87  return 0;
88  }
89 
90  /* Calculate the ptr value for the bytetest and length remaining in
91  * the packet from that point.
92  */
93  const uint8_t *ptr;
94  int32_t len;
95  SCDetectByteExtractData *data = (SCDetectByteExtractData *)smd->ctx;
96  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
97  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
98  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
99 
100  ptr = payload + det_ctx->buffer_offset;
101  len = payload_len - det_ctx->buffer_offset;
102 
103  ptr += data->offset;
104  len -= data->offset;
105 
106  /* No match if there is no relative base */
107  if (len <= 0) {
108  return 0;
109  }
110  //PrintRawDataFp(stdout,ptr,len);
111  } else {
112  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
113 
114  ptr = payload + data->offset;
115  len = payload_len - data->offset;
116  }
117 
118  /* Validate that the to-be-extracted is within the packet */
119  if (ptr < payload || data->nbytes > len) {
120  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
121  payload, ptr, len, data->nbytes);
122  return 0;
123  }
124 
125  /* Extract the byte data */
126  uint64_t val = 0;
127  int extbytes;
128  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
129  extbytes = ByteExtractStringUint64(&val, data->base,
130  data->nbytes, (const char *)ptr);
131  if (extbytes <= 0) {
132  /* strtoull() return 0 if there is no numeric value in data string */
133  if (val == 0) {
134  SCLogDebug("No Numeric value");
135  return 0;
136  } else {
137  SCLogDebug("error extracting %d bytes of string data: %d",
138  data->nbytes, extbytes);
139  return -1;
140  }
141  }
142  } else {
143  int endianness = (endian == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
144  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
145  if (extbytes != data->nbytes) {
146  SCLogDebug("error extracting %d bytes of numeric data: %d",
147  data->nbytes, extbytes);
148  return 0;
149  }
150  }
151 
152  /* Adjust the jump value based on flags */
153  val *= data->multiplier_value;
154  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
155  if ((val % data->align_value) != 0) {
156  val += data->align_value - (val % data->align_value);
157  }
158  }
159 
160  ptr += extbytes;
161 
162  det_ctx->buffer_offset = ptr - payload;
163 
164  *value = val;
165  SCLogDebug("extracted value is %"PRIu64, val);
166  return 1;
167 }
168 
169 /**
170  * \internal
171  * \brief Used to parse byte_extract arg.
172  *
173  * \param de_ctx Pointer to the detection engine context
174  * \arg The argument to parse.
175  *
176  * \param bed On success an instance containing the parsed data.
177  * On failure, NULL.
178  */
179 static inline SCDetectByteExtractData *DetectByteExtractParse(
180  DetectEngineCtx *de_ctx, const char *arg)
181 {
182  SCDetectByteExtractData *bed = SCByteExtractParse(arg);
183  if (bed == NULL) {
184  SCLogError("invalid byte_extract values");
185  goto error;
186  }
187 
188  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_SLICE) {
189  SCLogError("byte_extract slice not yet supported; see issue #6831");
190  goto error;
191  }
192  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
193  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
194  /* if are dealing with octal nos, the max no that can fit in a 8
195  * byte value is 01777777777777777777777 */
196  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
197  SCLogError("byte_extract can't process "
198  "more than %d bytes in \"string\" extraction",
199  STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
200  goto error;
201  }
202  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
203  /* if are dealing with decimal nos, the max no that can fit in a 8
204  * byte value is 18446744073709551615 */
205  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
206  SCLogError("byte_extract can't process "
207  "more than %d bytes in \"string\" extraction",
208  STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
209  goto error;
210  }
211  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
212  /* if are dealing with hex nos, the max no that can fit in a 8
213  * byte value is 0xFFFFFFFFFFFFFFFF */
214  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
215  SCLogError("byte_extract can't process "
216  "more than %d bytes in \"string\" extraction",
217  STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
218  goto error;
219  }
220  } else {
221  ; // just a placeholder. we won't reach here.
222  }
223  } else {
224  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
225  SCLogError("byte_extract can't process "
226  "more than %d bytes in \"non-string\" extraction",
227  NO_STRING_MAX_BYTES_TO_EXTRACT);
228  goto error;
229  }
230  /* if string has not been specified and no endian option has been
231  * specified, then set the default endian level of BIG */
232  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
233  bed->endian = BigEndian;
234  }
235  return bed;
236 
237  error:
238  if (bed != NULL)
239  DetectByteExtractFree(de_ctx, bed);
240  return NULL;
241 }
242 
243 /**
244  * \brief The setup function for the byte_extract keyword for a signature.
245  *
246  * \param de_ctx Pointer to the detection engine context.
247  * \param s Pointer to signature for the current Signature being parsed
248  * from the rules.
249  * \param m Pointer to the head of the SigMatch for the current rule
250  * being parsed.
251  * \param arg Pointer to the string holding the keyword value.
252  *
253  * \retval 0 On success.
254  * \retval -1 On failure.
255  */
256 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
257 {
258  SigMatch *prev_pm = NULL;
259  SCDetectByteExtractData *data = NULL;
260  int ret = -1;
261 
262  data = DetectByteExtractParse(de_ctx, arg);
263  if (data == NULL)
264  goto error;
265 
266  int sm_list;
267  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
268  sm_list = s->init_data->list;
269 
270  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
271  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
272  }
273  } else if (data->endian == EndianDCE) {
274  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
275  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
276  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
277  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
278  if (prev_pm == NULL) {
279  sm_list = DETECT_SM_LIST_PMATCH;
280  } else {
281  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
282  if (sm_list < 0)
283  goto error;
284  }
285  } else {
286  sm_list = DETECT_SM_LIST_PMATCH;
287  }
288 
289  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
290  goto error;
291 
292  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
293  prev_pm = DetectGetLastSMFromLists(s,
294  DETECT_CONTENT, DETECT_PCRE,
295  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
296  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
297  if (prev_pm == NULL) {
298  sm_list = DETECT_SM_LIST_PMATCH;
299  } else {
300  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
301  if (sm_list < 0)
302  goto error;
303  }
304 
305  } else {
306  sm_list = DETECT_SM_LIST_PMATCH;
307  }
308 
309  if (data->endian == EndianDCE) {
310  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
311  goto error;
312 
313  if ((DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ==
314  (data->flags & (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING))) {
315  SCLogError("Invalid option. "
316  "A byte_jump keyword with dce holds other invalid modifiers.");
317  goto error;
318  }
319  }
320 
321  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
322  DETECT_BYTE_EXTRACT, -1);
323  if (prev_bed_sm == NULL)
324  data->local_id = 0;
325  else
326  data->local_id = ((SCDetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
327  if (data->local_id > de_ctx->byte_extract_max_local_id)
328  de_ctx->byte_extract_max_local_id = data->local_id;
329 
330  if (SigMatchAppendSMToList(de_ctx, s, DETECT_BYTE_EXTRACT, (SigMatchCtx *)data, sm_list) ==
331  NULL) {
332  goto error;
333  }
334 
335  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
336  goto okay;
337 
338  if (prev_pm == NULL)
339  goto okay;
340 
341  if (prev_pm->type == DETECT_CONTENT) {
342  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
343  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
344  } else if (prev_pm->type == DETECT_PCRE) {
345  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
346  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
347  }
348 
349  okay:
350  ret = 0;
351  return ret;
352  error:
353  DetectByteExtractFree(de_ctx, data);
354  return ret;
355 }
356 
357 /**
358  * \brief Used to free instances of SCDetectByteExtractData.
359  *
360  * \param ptr Instance of SCDetectByteExtractData to be freed.
361  */
362 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
363 {
364  SCByteExtractFree(ptr);
365 }
366 
367 /**
368  * \brief Lookup the SigMatch for a named byte_extract variable.
369  *
370  * \param arg The name of the byte_extract variable to lookup.
371  * \param s Pointer the signature to look in.
372  *
373  * \retval A pointer to the SigMatch if found, otherwise NULL.
374  */
375 SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
376 {
377  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
378  SigMatch *sm = s->init_data->buffers[x].head;
379  while (sm != NULL) {
380  if (sm->type == DETECT_BYTE_EXTRACT) {
381  const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
382  if (strcmp(bed->name, arg) == 0) {
383  return sm;
384  }
385  }
386  sm = sm->next;
387  }
388  }
389 
390  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
391  SigMatch *sm = s->init_data->smlists[list];
392  while (sm != NULL) {
393  if (sm->type == DETECT_BYTE_EXTRACT) {
394  const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
395  if (strcmp(bed->name, arg) == 0) {
396  return sm;
397  }
398  }
399  sm = sm->next;
400  }
401  }
402 
403  return NULL;
404 }
405 
406 /*************************************Unittests********************************/
407 
408 #ifdef UNITTESTS
409 
410 static int g_file_data_buffer_id = 0;
411 static int g_http_uri_buffer_id = 0;
412 
413 static int DetectByteExtractTest01(void)
414 {
415  int result = 0;
416 
417  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
418  if (bed == NULL)
419  goto end;
420 
421  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
422  bed->endian != BigEndian || bed->align_value != 0 ||
423  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
424  goto end;
425  }
426 
427  result = 1;
428  end:
429  if (bed != NULL)
430  DetectByteExtractFree(NULL, bed);
431  return result;
432 }
433 
434 static int DetectByteExtractTest02(void)
435 {
436  int result = 0;
437 
438  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
439  if (bed == NULL)
440  goto end;
441 
442  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
443  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE || bed->endian != BigEndian ||
444  bed->align_value != 0 ||
445  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
446  goto end;
447  }
448 
449  result = 1;
450  end:
451  if (bed != NULL)
452  DetectByteExtractFree(NULL, bed);
453  return result;
454 }
455 
456 static int DetectByteExtractTest03(void)
457 {
458  int result = 0;
459 
460  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
461  if (bed == NULL)
462  goto end;
463 
464  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
465  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER || bed->endian != BigEndian ||
466  bed->align_value != 0 || bed->multiplier_value != 10) {
467  goto end;
468  }
469 
470  result = 1;
471  end:
472  if (bed != NULL)
473  DetectByteExtractFree(NULL, bed);
474  return result;
475 }
476 
477 static int DetectByteExtractTest04(void)
478 {
479  int result = 0;
480 
481  SCDetectByteExtractData *bed =
482  DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
483  if (bed == NULL)
484  goto end;
485 
486  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
487  bed->flags !=
488  (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
489  bed->endian != BigEndian || bed->align_value != 0 || bed->multiplier_value != 10) {
490  goto end;
491  }
492 
493  result = 1;
494  end:
495  if (bed != NULL)
496  DetectByteExtractFree(NULL, bed);
497  return result;
498 }
499 
500 static int DetectByteExtractTest05(void)
501 {
502  int result = 0;
503 
504  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
505  if (bed == NULL)
506  goto end;
507 
508  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
509  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != BigEndian ||
510  bed->align_value != 0 ||
511  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
512  goto end;
513  }
514 
515  result = 1;
516  end:
517  if (bed != NULL)
518  DetectByteExtractFree(NULL, bed);
519  return result;
520 }
521 
522 static int DetectByteExtractTest06(void)
523 {
524  int result = 0;
525 
526  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
527  if (bed == NULL)
528  goto end;
529 
530  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
531  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != LittleEndian ||
532  bed->align_value != 0 ||
533  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
534  goto end;
535  }
536 
537  result = 1;
538  end:
539  if (bed != NULL)
540  DetectByteExtractFree(NULL, bed);
541  return result;
542 }
543 
544 static int DetectByteExtractTest07(void)
545 {
546  int result = 0;
547 
548  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
549  if (bed == NULL)
550  goto end;
551 
552  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
553  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != EndianDCE ||
554  bed->align_value != 0 ||
555  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
556  goto end;
557  }
558 
559  result = 1;
560  end:
561  if (bed != NULL)
562  DetectByteExtractFree(NULL, bed);
563  return result;
564 }
565 
566 static int DetectByteExtractTest08(void)
567 {
568  int result = 0;
569 
570  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
571  if (bed == NULL)
572  goto end;
573 
574  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
575  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
576  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
577  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
578  goto end;
579  }
580 
581  result = 1;
582  end:
583  if (bed != NULL)
584  DetectByteExtractFree(NULL, bed);
585  return result;
586 }
587 
588 static int DetectByteExtractTest09(void)
589 {
590  int result = 0;
591 
592  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
593  if (bed == NULL)
594  goto end;
595 
596  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
597  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
598  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT || bed->align_value != 0 ||
599  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
600  goto end;
601  }
602 
603  result = 1;
604  end:
605  if (bed != NULL)
606  DetectByteExtractFree(NULL, bed);
607  return result;
608 }
609 
610 static int DetectByteExtractTest10(void)
611 {
612  int result = 0;
613 
614  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
615  if (bed == NULL)
616  goto end;
617 
618  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
619  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC || bed->align_value != 0 ||
620  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
621  goto end;
622  }
623 
624  result = 1;
625  end:
626  if (bed != NULL)
627  DetectByteExtractFree(NULL, bed);
628  return result;
629 }
630 
631 static int DetectByteExtractTest11(void)
632 {
633  int result = 0;
634 
635  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
636  if (bed == NULL)
637  goto end;
638 
639  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
640  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN || bed->endian != BigEndian ||
641  bed->align_value != 4 ||
642  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
643  goto end;
644  }
645 
646  result = 1;
647  end:
648  if (bed != NULL)
649  DetectByteExtractFree(NULL, bed);
650  return result;
651 }
652 
653 static int DetectByteExtractTest12(void)
654 {
655  int result = 0;
656 
657  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
658  if (bed == NULL)
659  goto end;
660 
661  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
662  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
663  bed->endian != BigEndian || bed->align_value != 4 ||
664  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
665  goto end;
666  }
667 
668  result = 1;
669  end:
670  if (bed != NULL)
671  DetectByteExtractFree(NULL, bed);
672  return result;
673 }
674 
675 static int DetectByteExtractTest13(void)
676 {
677  int result = 0;
678 
679  SCDetectByteExtractData *bed =
680  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
681  if (bed == NULL)
682  goto end;
683 
684  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
685  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
686  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
687  bed->endian != BigEndian || bed->align_value != 4 ||
688  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
689  goto end;
690  }
691 
692  result = 1;
693  end:
694  if (bed != NULL)
695  DetectByteExtractFree(NULL, bed);
696  return result;
697 }
698 
699 static int DetectByteExtractTest14(void)
700 {
701  int result = 0;
702 
703  SCDetectByteExtractData *bed =
704  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
705  if (bed == NULL)
706  goto end;
707 
708  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
709  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
710  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
711  bed->endian != EndianDCE || bed->align_value != 4 ||
712  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
713  goto end;
714  }
715 
716  result = 1;
717  end:
718  if (bed != NULL)
719  DetectByteExtractFree(NULL, bed);
720  return result;
721 }
722 
723 static int DetectByteExtractTest15(void)
724 {
725  int result = 0;
726 
727  SCDetectByteExtractData *bed =
728  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
729  if (bed == NULL)
730  goto end;
731 
732  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
733  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
734  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
735  bed->endian != LittleEndian || bed->align_value != 4 ||
736  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
737  goto end;
738  }
739 
740  result = 1;
741  end:
742  if (bed != NULL)
743  DetectByteExtractFree(NULL, bed);
744  return result;
745 }
746 
747 static int DetectByteExtractTest16(void)
748 {
749  int result = 0;
750 
751  SCDetectByteExtractData *bed =
752  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
753  if (bed == NULL)
754  goto end;
755 
756  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
757  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
758  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
759  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
760  bed->endian != LittleEndian || bed->align_value != 4 || bed->multiplier_value != 2) {
761  goto end;
762  }
763 
764  result = 1;
765  end:
766  if (bed != NULL)
767  DetectByteExtractFree(NULL, bed);
768  return result;
769 }
770 
771 static int DetectByteExtractTest17(void)
772 {
773  int result = 0;
774 
775  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
776  "relative, little, "
777  "multiplier 2, string hex");
778  if (bed != NULL)
779  goto end;
780 
781  result = 1;
782  end:
783  if (bed != NULL)
784  DetectByteExtractFree(NULL, bed);
785  return result;
786 }
787 
788 static int DetectByteExtractTest18(void)
789 {
790  int result = 0;
791 
792  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
793  "relative, little, "
794  "multiplier 2, "
795  "relative");
796  if (bed != NULL)
797  goto end;
798 
799  result = 1;
800  end:
801  if (bed != NULL)
802  DetectByteExtractFree(NULL, bed);
803  return result;
804 }
805 
806 static int DetectByteExtractTest19(void)
807 {
808  int result = 0;
809 
810  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
811  "relative, little, "
812  "multiplier 2, "
813  "little");
814  if (bed != NULL)
815  goto end;
816 
817  result = 1;
818  end:
819  if (bed != NULL)
820  DetectByteExtractFree(NULL, bed);
821  return result;
822 }
823 
824 static int DetectByteExtractTest20(void)
825 {
826  int result = 0;
827 
828  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
829  "relative, "
830  "multiplier 2, "
831  "align 2");
832  if (bed != NULL)
833  goto end;
834 
835  result = 1;
836  end:
837  if (bed != NULL)
838  DetectByteExtractFree(NULL, bed);
839  return result;
840 }
841 
842 static int DetectByteExtractTest21(void)
843 {
844  int result = 0;
845 
846  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
847  "multiplier 2, "
848  "relative, "
849  "multiplier 2");
850  if (bed != NULL)
851  goto end;
852 
853  result = 1;
854  end:
855  if (bed != NULL)
856  DetectByteExtractFree(NULL, bed);
857  return result;
858 }
859 
860 static int DetectByteExtractTest22(void)
861 {
862  int result = 0;
863 
864  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
865  "string hex, "
866  "relative, "
867  "string hex");
868  if (bed != NULL)
869  goto end;
870 
871  result = 1;
872  end:
873  if (bed != NULL)
874  DetectByteExtractFree(NULL, bed);
875  return result;
876 }
877 
878 static int DetectByteExtractTest23(void)
879 {
880  int result = 0;
881 
882  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
883  "string hex, "
884  "relative, "
885  "string oct");
886  if (bed != NULL)
887  goto end;
888 
889  result = 1;
890  end:
891  if (bed != NULL)
892  DetectByteExtractFree(NULL, bed);
893  return result;
894 }
895 
896 static int DetectByteExtractTest24(void)
897 {
898  int result = 0;
899 
900  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
901  "string hex, "
902  "relative");
903  if (bed != NULL)
904  goto end;
905 
906  result = 1;
907  end:
908  if (bed != NULL)
909  DetectByteExtractFree(NULL, bed);
910  return result;
911 }
912 
913 static int DetectByteExtractTest25(void)
914 {
915  int result = 0;
916 
917  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
918  "little, "
919  "relative");
920  if (bed != NULL)
921  goto end;
922 
923  result = 1;
924  end:
925  if (bed != NULL)
926  DetectByteExtractFree(NULL, bed);
927  return result;
928 }
929 
930 static int DetectByteExtractTest26(void)
931 {
932  int result = 0;
933 
934  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
935  "little, "
936  "relative, "
937  "multiplier 65536");
938  if (bed != NULL)
939  goto end;
940 
941  result = 1;
942  end:
943  if (bed != NULL)
944  DetectByteExtractFree(NULL, bed);
945  return result;
946 }
947 
948 static int DetectByteExtractTest27(void)
949 {
950  int result = 0;
951 
952  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
953  "little, "
954  "relative, "
955  "multiplier 0");
956  if (bed != NULL)
957  goto end;
958 
959  result = 1;
960  end:
961  if (bed != NULL)
962  DetectByteExtractFree(NULL, bed);
963  return result;
964 }
965 
966 static int DetectByteExtractTest28(void)
967 {
968  int result = 0;
969 
970  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
971  if (bed == NULL)
972  goto end;
973 
974  result = 1;
975  end:
976  if (bed != NULL)
977  DetectByteExtractFree(NULL, bed);
978  return result;
979 }
980 
981 static int DetectByteExtractTest29(void)
982 {
983  int result = 0;
984 
985  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
986  if (bed != NULL)
987  goto end;
988 
989  result = 1;
990  end:
991  if (bed != NULL)
992  DetectByteExtractFree(NULL, bed);
993  return result;
994 }
995 
996 static int DetectByteExtractTest30(void)
997 {
998  int result = 0;
999 
1000  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1001  if (bed == NULL)
1002  goto end;
1003 
1004  result = 1;
1005  end:
1006  if (bed != NULL)
1007  DetectByteExtractFree(NULL, bed);
1008  return result;
1009 }
1010 
1011 static int DetectByteExtractTest31(void)
1012 {
1013  int result = 0;
1014 
1015  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1016  if (bed != NULL)
1017  goto end;
1018 
1019  result = 1;
1020  end:
1021  if (bed != NULL)
1022  DetectByteExtractFree(NULL, bed);
1023  return result;
1024 }
1025 
1026 static int DetectByteExtractTest32(void)
1027 {
1028  int result = 0;
1029 
1030  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1031  if (bed == NULL)
1032  goto end;
1033 
1034  result = 1;
1035  end:
1036  if (bed != NULL)
1037  DetectByteExtractFree(NULL, bed);
1038  return result;
1039 }
1040 
1041 static int DetectByteExtractTest33(void)
1042 {
1043  int result = 0;
1044 
1045  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1046  if (bed != NULL)
1047  goto end;
1048 
1049  result = 1;
1050  end:
1051  if (bed != NULL)
1052  DetectByteExtractFree(NULL, bed);
1053  return result;
1054 }
1055 
1056 static int DetectByteExtractTest34(void)
1057 {
1058  DetectEngineCtx *de_ctx = NULL;
1059  int result = 0;
1060  Signature *s = NULL;
1061  SigMatch *sm = NULL;
1062  DetectContentData *cd = NULL;
1063  SCDetectByteExtractData *bed = NULL;
1064 
1065  de_ctx = DetectEngineCtxInit();
1066  if (de_ctx == NULL)
1067  goto end;
1068 
1069  de_ctx->flags |= DE_QUIET;
1070  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1071  "(msg:\"Testing bytejump_body\"; "
1072  "content:\"one\"; "
1073  "byte_extract:4,2,two,relative,string,hex; "
1074  "sid:1;)");
1075  if (de_ctx->sig_list == NULL) {
1076  result = 0;
1077  goto end;
1078  }
1079 
1080  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1081  result = 0;
1082  goto end;
1083  }
1084 
1085  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1086  if (sm->type != DETECT_CONTENT) {
1087  result = 0;
1088  goto end;
1089  }
1090  cd = (DetectContentData *)sm->ctx;
1091  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1092  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1093  cd->flags & DETECT_CONTENT_NOCASE ||
1094  cd->flags & DETECT_CONTENT_WITHIN ||
1095  cd->flags & DETECT_CONTENT_DISTANCE ||
1096  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1097  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1098  cd->flags & DETECT_CONTENT_NEGATED ) {
1099  printf("one failed\n");
1100  result = 0;
1101  goto end;
1102  }
1103 
1104  sm = sm->next;
1105  if (sm->type != DETECT_BYTE_EXTRACT) {
1106  result = 0;
1107  goto end;
1108  }
1109  bed = (SCDetectByteExtractData *)sm->ctx;
1110  if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", cd->content_len) != 0 ||
1111  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1112  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1113  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1114  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1115  goto end;
1116  }
1117 
1118  result = 1;
1119 
1120  end:
1121  SigGroupCleanup(de_ctx);
1122  SigCleanSignatures(de_ctx);
1123  DetectEngineCtxFree(de_ctx);
1124 
1125  return result;
1126 }
1127 
1128 static int DetectByteExtractTest35(void)
1129 {
1130  DetectEngineCtx *de_ctx = NULL;
1131  int result = 0;
1132  Signature *s = NULL;
1133  SigMatch *sm = NULL;
1134  DetectContentData *cd = NULL;
1135  DetectPcreData *pd = NULL;
1136  SCDetectByteExtractData *bed = NULL;
1137 
1138  de_ctx = DetectEngineCtxInit();
1139  if (de_ctx == NULL)
1140  goto end;
1141 
1142  de_ctx->flags |= DE_QUIET;
1143  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1144  "(msg:\"Testing bytejump_body\"; "
1145  "content:\"one\"; pcre:/asf/; "
1146  "byte_extract:4,0,two,relative,string,hex; "
1147  "sid:1;)");
1148  if (de_ctx->sig_list == NULL) {
1149  result = 0;
1150  goto end;
1151  }
1152 
1153  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1154  result = 0;
1155  goto end;
1156  }
1157 
1158  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1159  if (sm->type != DETECT_CONTENT) {
1160  result = 0;
1161  goto end;
1162  }
1163  cd = (DetectContentData *)sm->ctx;
1164  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1165  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1166  cd->flags & DETECT_CONTENT_NOCASE ||
1167  cd->flags & DETECT_CONTENT_WITHIN ||
1168  cd->flags & DETECT_CONTENT_DISTANCE ||
1169  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1170  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1171  cd->flags & DETECT_CONTENT_NEGATED ) {
1172  printf("one failed\n");
1173  result = 0;
1174  goto end;
1175  }
1176 
1177  sm = sm->next;
1178  if (sm->type != DETECT_PCRE) {
1179  result = 0;
1180  goto end;
1181  }
1182  pd = (DetectPcreData *)sm->ctx;
1183  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1184  result = 0;
1185  goto end;
1186  }
1187 
1188  sm = sm->next;
1189  if (sm->type != DETECT_BYTE_EXTRACT) {
1190  result = 0;
1191  goto end;
1192  }
1193  bed = (SCDetectByteExtractData *)sm->ctx;
1194  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1195  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1196  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1197  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1198  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1199  goto end;
1200  }
1201 
1202  result = 1;
1203 
1204  end:
1205  SigGroupCleanup(de_ctx);
1206  SigCleanSignatures(de_ctx);
1207  DetectEngineCtxFree(de_ctx);
1208 
1209  return result;
1210 }
1211 
1212 static int DetectByteExtractTest36(void)
1213 {
1214  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1215  FAIL_IF_NULL(de_ctx);
1216  de_ctx->flags |= DE_QUIET;
1217 
1218  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
1219  "content:\"one\"; byte_jump:1,13; "
1220  "byte_extract:4,0,two,relative,string,hex; "
1221  "sid:1;)");
1222  FAIL_IF_NULL(s);
1223  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
1224 
1225  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1226  FAIL_IF(sm->type != DETECT_CONTENT);
1227  DetectContentData *cd = (DetectContentData *)sm->ctx;
1228  FAIL_IF(cd->flags & DETECT_CONTENT_RAWBYTES);
1229  FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
1230  FAIL_IF(cd->flags & DETECT_CONTENT_NOCASE);
1231  FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
1232  FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
1233  FAIL_IF(cd->flags & DETECT_CONTENT_FAST_PATTERN);
1234  FAIL_IF(cd->flags & DETECT_CONTENT_RELATIVE_NEXT);
1235  FAIL_IF(cd->flags & DETECT_CONTENT_NEGATED);
1236 
1237  sm = sm->next;
1238  FAIL_IF(sm->type != DETECT_BYTEJUMP);
1239  DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
1240  FAIL_IF(bjd->flags != 0);
1241  sm = sm->next;
1242  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
1243  SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
1244  FAIL_IF(bed->nbytes != 4);
1245  FAIL_IF(bed->offset != 0);
1246  FAIL_IF(strcmp(bed->name, "two") != 0);
1247  FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1248  DETECT_BYTE_EXTRACT_FLAG_STRING));
1249  FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
1250  FAIL_IF(bed->align_value != 0);
1251  FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
1252 
1253  DetectEngineCtxFree(de_ctx);
1254  PASS;
1255 }
1256 
1257 static int DetectByteExtractTest37(void)
1258 {
1259  DetectEngineCtx *de_ctx = NULL;
1260  int result = 0;
1261  Signature *s = NULL;
1262  SigMatch *sm = NULL;
1263  DetectContentData *cd = NULL;
1264  DetectContentData *ud = NULL;
1265  SCDetectByteExtractData *bed = NULL;
1266 
1267  de_ctx = DetectEngineCtxInit();
1268  if (de_ctx == NULL)
1269  goto end;
1270 
1271  de_ctx->flags |= DE_QUIET;
1272  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1273  "(msg:\"Testing bytejump_body\"; "
1274  "content:\"one\"; uricontent:\"two\"; "
1275  "byte_extract:4,0,two,relative,string,hex; "
1276  "sid:1;)");
1277  if (de_ctx->sig_list == NULL) {
1278  result = 0;
1279  goto end;
1280  }
1281 
1282  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1283  result = 0;
1284  goto end;
1285  }
1286 
1287  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1288  if (sm->type != DETECT_CONTENT) {
1289  result = 0;
1290  goto end;
1291  }
1292  cd = (DetectContentData *)sm->ctx;
1293  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1294  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1295  cd->flags & DETECT_CONTENT_NOCASE ||
1296  cd->flags & DETECT_CONTENT_WITHIN ||
1297  cd->flags & DETECT_CONTENT_DISTANCE ||
1298  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1299  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1300  cd->flags & DETECT_CONTENT_NEGATED ) {
1301  printf("one failed\n");
1302  result = 0;
1303  goto end;
1304  }
1305 
1306  if (sm->next != NULL) {
1307  result = 0;
1308  goto end;
1309  }
1310 
1311  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1312  if (sm->type != DETECT_CONTENT) {
1313  result = 0;
1314  goto end;
1315  }
1316  ud = (DetectContentData *)sm->ctx;
1317  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1318  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1319  ud->flags & DETECT_CONTENT_NOCASE ||
1320  ud->flags & DETECT_CONTENT_WITHIN ||
1321  ud->flags & DETECT_CONTENT_DISTANCE ||
1322  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1323  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1324  ud->flags & DETECT_CONTENT_NEGATED ) {
1325  printf("two failed\n");
1326  result = 0;
1327  goto end;
1328  }
1329 
1330  sm = sm->next;
1331  if (sm->type != DETECT_BYTE_EXTRACT) {
1332  result = 0;
1333  goto end;
1334  }
1335  bed = (SCDetectByteExtractData *)sm->ctx;
1336  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1337  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1338  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1339  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1340  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1341  goto end;
1342  }
1343 
1344  result = 1;
1345 
1346  end:
1347  SigGroupCleanup(de_ctx);
1348  SigCleanSignatures(de_ctx);
1349  DetectEngineCtxFree(de_ctx);
1350 
1351  return result;
1352 }
1353 
1354 static int DetectByteExtractTest38(void)
1355 {
1356  DetectEngineCtx *de_ctx = NULL;
1357  int result = 0;
1358  Signature *s = NULL;
1359  SigMatch *sm = NULL;
1360  DetectContentData *cd = NULL;
1361  DetectContentData *ud = NULL;
1362  SCDetectByteExtractData *bed = NULL;
1363 
1364  de_ctx = DetectEngineCtxInit();
1365  if (de_ctx == NULL)
1366  goto end;
1367 
1368  de_ctx->flags |= DE_QUIET;
1369  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1370  "(msg:\"Testing bytejump_body\"; "
1371  "content:\"one\"; uricontent:\"two\"; "
1372  "byte_extract:4,0,two,string,hex; "
1373  "sid:1;)");
1374  if (de_ctx->sig_list == NULL) {
1375  result = 0;
1376  goto end;
1377  }
1378 
1379  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1380  result = 0;
1381  goto end;
1382  }
1383 
1384  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1385  if (sm->type != DETECT_CONTENT) {
1386  result = 0;
1387  goto end;
1388  }
1389  cd = (DetectContentData *)sm->ctx;
1390  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1391  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1392  cd->flags & DETECT_CONTENT_NOCASE ||
1393  cd->flags & DETECT_CONTENT_WITHIN ||
1394  cd->flags & DETECT_CONTENT_DISTANCE ||
1395  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1396  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1397  cd->flags & DETECT_CONTENT_NEGATED ) {
1398  printf("one failed\n");
1399  result = 0;
1400  goto end;
1401  }
1402 
1403  sm = sm->next;
1404  if (sm->type != DETECT_BYTE_EXTRACT) {
1405  result = 0;
1406  goto end;
1407  }
1408  bed = (SCDetectByteExtractData *)sm->ctx;
1409  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1410  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1411  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1412  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1413  goto end;
1414  }
1415 
1416  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1417  if (sm->type != DETECT_CONTENT) {
1418  result = 0;
1419  goto end;
1420  }
1421  ud = (DetectContentData *)sm->ctx;
1422  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1423  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1424  ud->flags & DETECT_CONTENT_NOCASE ||
1425  ud->flags & DETECT_CONTENT_WITHIN ||
1426  ud->flags & DETECT_CONTENT_DISTANCE ||
1427  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1428  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1429  ud->flags & DETECT_CONTENT_NEGATED ) {
1430  printf("two failed\n");
1431  result = 0;
1432  goto end;
1433  }
1434 
1435  if (sm->next != NULL) {
1436  result = 0;
1437  goto end;
1438  }
1439 
1440  result = 1;
1441 
1442  end:
1443  SigGroupCleanup(de_ctx);
1444  SigCleanSignatures(de_ctx);
1445  DetectEngineCtxFree(de_ctx);
1446 
1447  return result;
1448 }
1449 
1450 static int DetectByteExtractTest39(void)
1451 {
1452  DetectEngineCtx *de_ctx = NULL;
1453  int result = 0;
1454  Signature *s = NULL;
1455  SigMatch *sm = NULL;
1456  DetectContentData *cd = NULL;
1457  DetectContentData *ud = NULL;
1458  SCDetectByteExtractData *bed = NULL;
1459 
1460  de_ctx = DetectEngineCtxInit();
1461  if (de_ctx == NULL)
1462  goto end;
1463 
1464  de_ctx->flags |= DE_QUIET;
1465  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1466  "(msg:\"Testing bytejump_body\"; "
1467  "content:\"one\"; content:\"two\"; http_uri; "
1468  "byte_extract:4,0,two,relative,string,hex; "
1469  "sid:1;)");
1470  if (de_ctx->sig_list == NULL) {
1471  result = 0;
1472  goto end;
1473  }
1474 
1475  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1476  result = 0;
1477  goto end;
1478  }
1479 
1480  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1481  if (sm->type != DETECT_CONTENT) {
1482  result = 0;
1483  goto end;
1484  }
1485  cd = (DetectContentData *)sm->ctx;
1486  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1487  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1488  cd->flags & DETECT_CONTENT_NOCASE ||
1489  cd->flags & DETECT_CONTENT_WITHIN ||
1490  cd->flags & DETECT_CONTENT_DISTANCE ||
1491  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1492  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1493  cd->flags & DETECT_CONTENT_NEGATED ) {
1494  printf("one failed\n");
1495  result = 0;
1496  goto end;
1497  }
1498 
1499  if (sm->next != NULL) {
1500  result = 0;
1501  goto end;
1502  }
1503 
1504  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1505  if (sm->type != DETECT_CONTENT) {
1506  result = 0;
1507  goto end;
1508  }
1509  ud = (DetectContentData *)sm->ctx;
1510  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1511  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1512  ud->flags & DETECT_CONTENT_NOCASE ||
1513  ud->flags & DETECT_CONTENT_WITHIN ||
1514  ud->flags & DETECT_CONTENT_DISTANCE ||
1515  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1516  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1517  ud->flags & DETECT_CONTENT_NEGATED ) {
1518  printf("two failed\n");
1519  result = 0;
1520  goto end;
1521  }
1522 
1523  sm = sm->next;
1524  if (sm->type != DETECT_BYTE_EXTRACT) {
1525  result = 0;
1526  goto end;
1527  }
1528  bed = (SCDetectByteExtractData *)sm->ctx;
1529  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1530  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1531  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1532  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1533  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1534  goto end;
1535  }
1536 
1537  result = 1;
1538 
1539  end:
1540  SigGroupCleanup(de_ctx);
1541  SigCleanSignatures(de_ctx);
1542  DetectEngineCtxFree(de_ctx);
1543 
1544  return result;
1545 }
1546 
1547 static int DetectByteExtractTest40(void)
1548 {
1549  DetectEngineCtx *de_ctx = NULL;
1550  int result = 0;
1551  Signature *s = NULL;
1552  SigMatch *sm = NULL;
1553  DetectContentData *cd = NULL;
1554  DetectContentData *ud = NULL;
1555  SCDetectByteExtractData *bed = NULL;
1556 
1557  de_ctx = DetectEngineCtxInit();
1558  if (de_ctx == NULL)
1559  goto end;
1560 
1561  de_ctx->flags |= DE_QUIET;
1562  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1563  "(msg:\"Testing bytejump_body\"; "
1564  "content:\"one\"; content:\"two\"; http_uri; "
1565  "byte_extract:4,0,two,string,hex; "
1566  "sid:1;)");
1567  if (de_ctx->sig_list == NULL) {
1568  result = 0;
1569  goto end;
1570  }
1571 
1572  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1573  result = 0;
1574  goto end;
1575  }
1576 
1577  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1578  if (sm->type != DETECT_CONTENT) {
1579  result = 0;
1580  goto end;
1581  }
1582  cd = (DetectContentData *)sm->ctx;
1583  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1584  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1585  cd->flags & DETECT_CONTENT_NOCASE ||
1586  cd->flags & DETECT_CONTENT_WITHIN ||
1587  cd->flags & DETECT_CONTENT_DISTANCE ||
1588  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1589  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1590  cd->flags & DETECT_CONTENT_NEGATED ) {
1591  printf("one failed\n");
1592  result = 0;
1593  goto end;
1594  }
1595 
1596  sm = sm->next;
1597  if (sm->type != DETECT_BYTE_EXTRACT) {
1598  result = 0;
1599  goto end;
1600  }
1601  bed = (SCDetectByteExtractData *)sm->ctx;
1602  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1603  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1604  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1605  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1606  goto end;
1607  }
1608 
1609  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1610  if (sm->type != DETECT_CONTENT) {
1611  result = 0;
1612  goto end;
1613  }
1614  ud = (DetectContentData *)sm->ctx;
1615  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1616  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1617  ud->flags & DETECT_CONTENT_NOCASE ||
1618  ud->flags & DETECT_CONTENT_WITHIN ||
1619  ud->flags & DETECT_CONTENT_DISTANCE ||
1620  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1621  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1622  ud->flags & DETECT_CONTENT_NEGATED ) {
1623  printf("two failed\n");
1624  result = 0;
1625  goto end;
1626  }
1627 
1628  if (sm->next != NULL) {
1629  result = 0;
1630  goto end;
1631  }
1632 
1633  result = 1;
1634 
1635  end:
1636  SigGroupCleanup(de_ctx);
1637  SigCleanSignatures(de_ctx);
1638  DetectEngineCtxFree(de_ctx);
1639 
1640  return result;
1641 }
1642 
1643 static int DetectByteExtractTest41(void)
1644 {
1645  DetectEngineCtx *de_ctx = NULL;
1646  int result = 0;
1647  Signature *s = NULL;
1648  SigMatch *sm = NULL;
1649  DetectContentData *cd = NULL;
1650  SCDetectByteExtractData *bed = NULL;
1651 
1652  de_ctx = DetectEngineCtxInit();
1653  if (de_ctx == NULL)
1654  goto end;
1655 
1656  de_ctx->flags |= DE_QUIET;
1657  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1658  "(msg:\"Testing bytejump_body\"; "
1659  "content:\"one\"; "
1660  "byte_extract:4,0,two,string,hex; "
1661  "byte_extract:4,0,three,string,hex; "
1662  "sid:1;)");
1663  if (de_ctx->sig_list == NULL) {
1664  result = 0;
1665  goto end;
1666  }
1667 
1668  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1669  result = 0;
1670  goto end;
1671  }
1672 
1673  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1674  if (sm->type != DETECT_CONTENT) {
1675  result = 0;
1676  goto end;
1677  }
1678  cd = (DetectContentData *)sm->ctx;
1679  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1680  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1681  cd->flags & DETECT_CONTENT_NOCASE ||
1682  cd->flags & DETECT_CONTENT_WITHIN ||
1683  cd->flags & DETECT_CONTENT_DISTANCE ||
1684  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1685  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1686  cd->flags & DETECT_CONTENT_NEGATED ) {
1687  printf("one failed\n");
1688  result = 0;
1689  goto end;
1690  }
1691 
1692  sm = sm->next;
1693  if (sm->type != DETECT_BYTE_EXTRACT) {
1694  result = 0;
1695  goto end;
1696  }
1697  bed = (SCDetectByteExtractData *)sm->ctx;
1698  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1699  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1700  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1701  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1702  goto end;
1703  }
1704  if (bed->local_id != 0) {
1705  result = 0;
1706  goto end;
1707  }
1708 
1709  sm = sm->next;
1710  if (sm->type != DETECT_BYTE_EXTRACT) {
1711  result = 0;
1712  goto end;
1713  }
1714  bed = (SCDetectByteExtractData *)sm->ctx;
1715  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "three") != 0 ||
1716  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1717  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1718  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1719  goto end;
1720  }
1721  if (bed->local_id != 1) {
1722  result = 0;
1723  goto end;
1724  }
1725 
1726  result = 1;
1727 
1728  end:
1729  SigGroupCleanup(de_ctx);
1730  SigCleanSignatures(de_ctx);
1731  DetectEngineCtxFree(de_ctx);
1732 
1733  return result;
1734 }
1735 
1736 static int DetectByteExtractTest42(void)
1737 {
1738  DetectEngineCtx *de_ctx = NULL;
1739  int result = 0;
1740  Signature *s = NULL;
1741  SigMatch *sm = NULL;
1742  DetectContentData *cd = NULL;
1743  DetectContentData *ud = NULL;
1744  SCDetectByteExtractData *bed = NULL;
1745 
1746  de_ctx = DetectEngineCtxInit();
1747  if (de_ctx == NULL)
1748  goto end;
1749 
1750  de_ctx->flags |= DE_QUIET;
1751  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1752  "(msg:\"Testing bytejump_body\"; "
1753  "content:\"one\"; "
1754  "byte_extract:4,0,two,string,hex; "
1755  "uricontent: \"three\"; "
1756  "byte_extract:4,0,four,string,hex,relative; "
1757  "byte_extract:4,0,five,string,hex; "
1758  "sid:1;)");
1759  if (de_ctx->sig_list == NULL) {
1760  result = 0;
1761  goto end;
1762  }
1763 
1764  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1765  result = 0;
1766  goto end;
1767  }
1768 
1769  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1770  if (sm->type != DETECT_CONTENT) {
1771  result = 0;
1772  goto end;
1773  }
1774  cd = (DetectContentData *)sm->ctx;
1775  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1776  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1777  cd->flags & DETECT_CONTENT_NOCASE ||
1778  cd->flags & DETECT_CONTENT_WITHIN ||
1779  cd->flags & DETECT_CONTENT_DISTANCE ||
1780  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1781  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1782  cd->flags & DETECT_CONTENT_NEGATED ) {
1783  printf("one failed\n");
1784  result = 0;
1785  goto end;
1786  }
1787 
1788  sm = sm->next;
1789  if (sm->type != DETECT_BYTE_EXTRACT) {
1790  result = 0;
1791  goto end;
1792  }
1793  bed = (SCDetectByteExtractData *)sm->ctx;
1794  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1795  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1796  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1797  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1798  goto end;
1799  }
1800  if (bed->local_id != 0) {
1801  result = 0;
1802  goto end;
1803  }
1804 
1805  sm = sm->next;
1806  if (sm->type != DETECT_BYTE_EXTRACT) {
1807  result = 0;
1808  goto end;
1809  }
1810  bed = (SCDetectByteExtractData *)sm->ctx;
1811  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "five") != 0 ||
1812  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1813  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1814  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1815  goto end;
1816  }
1817  if (bed->local_id != 1) {
1818  result = 0;
1819  goto end;
1820  }
1821 
1822  if (sm->next != NULL)
1823  goto end;
1824 
1825  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1826  if (sm->type != DETECT_CONTENT) {
1827  result = 0;
1828  goto end;
1829  }
1830  ud = (DetectContentData *)sm->ctx;
1831  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1832  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
1833  ud->flags & DETECT_CONTENT_NOCASE ||
1834  ud->flags & DETECT_CONTENT_WITHIN ||
1835  ud->flags & DETECT_CONTENT_DISTANCE ||
1836  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1837  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1838  ud->flags & DETECT_CONTENT_NEGATED ) {
1839  printf("two failed\n");
1840  result = 0;
1841  goto end;
1842  }
1843 
1844  sm = sm->next;
1845  if (sm->type != DETECT_BYTE_EXTRACT) {
1846  result = 0;
1847  goto end;
1848  }
1849  bed = (SCDetectByteExtractData *)sm->ctx;
1850  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "four") != 0 ||
1851  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1852  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1853  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1854  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1855  goto end;
1856  }
1857  if (bed->local_id != 0) {
1858  result = 0;
1859  goto end;
1860  }
1861 
1862  if (sm->next != NULL)
1863  goto end;
1864 
1865  result = 1;
1866 
1867  end:
1868  SigGroupCleanup(de_ctx);
1869  SigCleanSignatures(de_ctx);
1870  DetectEngineCtxFree(de_ctx);
1871 
1872  return result;
1873 }
1874 
1875 static int DetectByteExtractTest43(void)
1876 {
1877  DetectEngineCtx *de_ctx = NULL;
1878  int result = 0;
1879  Signature *s = NULL;
1880  SigMatch *sm = NULL;
1881  DetectContentData *cd = NULL;
1882  SCDetectByteExtractData *bed = NULL;
1883 
1884  de_ctx = DetectEngineCtxInit();
1885  if (de_ctx == NULL)
1886  goto end;
1887 
1888  de_ctx->flags |= DE_QUIET;
1889  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1890  "(msg:\"Testing bytejump_body\"; "
1891  "content:\"one\"; "
1892  "byte_extract:4,0,two,string,hex; "
1893  "content: \"three\"; offset:two; "
1894  "sid:1;)");
1895  if (de_ctx->sig_list == NULL) {
1896  result = 0;
1897  goto end;
1898  }
1899 
1900  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1901  result = 0;
1902  goto end;
1903  }
1904 
1905  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1906  if (sm->type != DETECT_CONTENT) {
1907  result = 0;
1908  goto end;
1909  }
1910  cd = (DetectContentData *)sm->ctx;
1911  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1912  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1913  cd->flags & DETECT_CONTENT_NOCASE ||
1914  cd->flags & DETECT_CONTENT_WITHIN ||
1915  cd->flags & DETECT_CONTENT_DISTANCE ||
1916  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1917  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1918  cd->flags & DETECT_CONTENT_NEGATED ) {
1919  printf("one failed\n");
1920  result = 0;
1921  goto end;
1922  }
1923 
1924  sm = sm->next;
1925  if (sm->type != DETECT_BYTE_EXTRACT) {
1926  result = 0;
1927  goto end;
1928  }
1929  bed = (SCDetectByteExtractData *)sm->ctx;
1930  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1931  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1932  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1933  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1934  goto end;
1935  }
1936  if (bed->local_id != 0) {
1937  result = 0;
1938  goto end;
1939  }
1940 
1941  sm = sm->next;
1942  if (sm->type != DETECT_CONTENT) {
1943  result = 0;
1944  goto end;
1945  }
1946  cd = (DetectContentData *)sm->ctx;
1947  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
1948  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
1949  DETECT_CONTENT_OFFSET) ||
1950  cd->offset != bed->local_id) {
1951  printf("three failed\n");
1952  result = 0;
1953  goto end;
1954  }
1955 
1956  if (sm->next != NULL)
1957  goto end;
1958 
1959  result = 1;
1960 
1961  end:
1962  SigGroupCleanup(de_ctx);
1963  SigCleanSignatures(de_ctx);
1964  DetectEngineCtxFree(de_ctx);
1965 
1966  return result;
1967 }
1968 
1969 static int DetectByteExtractTest44(void)
1970 {
1971  DetectEngineCtx *de_ctx = NULL;
1972  int result = 0;
1973  Signature *s = NULL;
1974  SigMatch *sm = NULL;
1975  DetectContentData *cd = NULL;
1976  SCDetectByteExtractData *bed1 = NULL;
1977  SCDetectByteExtractData *bed2 = NULL;
1978 
1979  de_ctx = DetectEngineCtxInit();
1980  if (de_ctx == NULL)
1981  goto end;
1982 
1983  de_ctx->flags |= DE_QUIET;
1984  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1985  "(msg:\"Testing bytejump_body\"; "
1986  "content:\"one\"; "
1987  "byte_extract:4,0,two,string,hex; "
1988  "byte_extract:4,0,three,string,hex; "
1989  "content: \"four\"; offset:two; "
1990  "content: \"five\"; offset:three; "
1991  "sid:1;)");
1992  if (de_ctx->sig_list == NULL) {
1993  result = 0;
1994  goto end;
1995  }
1996 
1997  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1998  result = 0;
1999  goto end;
2000  }
2001 
2002  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2003  if (sm->type != DETECT_CONTENT) {
2004  result = 0;
2005  goto end;
2006  }
2007  cd = (DetectContentData *)sm->ctx;
2008  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2009  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2010  cd->flags & DETECT_CONTENT_NOCASE ||
2011  cd->flags & DETECT_CONTENT_WITHIN ||
2012  cd->flags & DETECT_CONTENT_DISTANCE ||
2013  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2014  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2015  cd->flags & DETECT_CONTENT_NEGATED ) {
2016  printf("one failed\n");
2017  result = 0;
2018  goto end;
2019  }
2020 
2021  sm = sm->next;
2022  if (sm->type != DETECT_BYTE_EXTRACT) {
2023  result = 0;
2024  goto end;
2025  }
2026  bed1 = (SCDetectByteExtractData *)sm->ctx;
2027  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2028  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2029  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2030  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2031  goto end;
2032  }
2033  if (bed1->local_id != 0) {
2034  result = 0;
2035  goto end;
2036  }
2037 
2038  sm = sm->next;
2039  if (sm->type != DETECT_BYTE_EXTRACT) {
2040  result = 0;
2041  goto end;
2042  }
2043  bed2 = (SCDetectByteExtractData *)sm->ctx;
2044 
2045  sm = sm->next;
2046  if (sm->type != DETECT_CONTENT) {
2047  result = 0;
2048  goto end;
2049  }
2050  cd = (DetectContentData *)sm->ctx;
2051  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2052  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2053  DETECT_CONTENT_OFFSET) ||
2054  cd->offset != bed1->local_id) {
2055  printf("four failed\n");
2056  result = 0;
2057  goto end;
2058  }
2059 
2060  sm = sm->next;
2061  if (sm->type != DETECT_CONTENT) {
2062  result = 0;
2063  goto end;
2064  }
2065  cd = (DetectContentData *)sm->ctx;
2066  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2067  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2068  DETECT_CONTENT_OFFSET) ||
2069  cd->offset != bed2->local_id) {
2070  printf("five failed\n");
2071  result = 0;
2072  goto end;
2073  }
2074 
2075  if (sm->next != NULL)
2076  goto end;
2077 
2078  result = 1;
2079 
2080  end:
2081  SigGroupCleanup(de_ctx);
2082  SigCleanSignatures(de_ctx);
2083  DetectEngineCtxFree(de_ctx);
2084 
2085  return result;
2086 }
2087 
2088 static int DetectByteExtractTest45(void)
2089 {
2090  DetectEngineCtx *de_ctx = NULL;
2091  int result = 0;
2092  Signature *s = NULL;
2093  SigMatch *sm = NULL;
2094  DetectContentData *cd = NULL;
2095  SCDetectByteExtractData *bed = NULL;
2096 
2097  de_ctx = DetectEngineCtxInit();
2098  if (de_ctx == NULL)
2099  goto end;
2100 
2101  de_ctx->flags |= DE_QUIET;
2102  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2103  "(msg:\"Testing bytejump_body\"; "
2104  "content:\"one\"; "
2105  "byte_extract:4,0,two,string,hex; "
2106  "content: \"three\"; depth:two; "
2107  "sid:1;)");
2108  if (de_ctx->sig_list == NULL) {
2109  result = 0;
2110  goto end;
2111  }
2112 
2113  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2114  result = 0;
2115  goto end;
2116  }
2117 
2118  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2119  if (sm->type != DETECT_CONTENT) {
2120  result = 0;
2121  goto end;
2122  }
2123  cd = (DetectContentData *)sm->ctx;
2124  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2125  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2126  cd->flags & DETECT_CONTENT_NOCASE ||
2127  cd->flags & DETECT_CONTENT_WITHIN ||
2128  cd->flags & DETECT_CONTENT_DISTANCE ||
2129  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2130  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2131  cd->flags & DETECT_CONTENT_NEGATED ) {
2132  printf("one failed\n");
2133  result = 0;
2134  goto end;
2135  }
2136 
2137  sm = sm->next;
2138  if (sm->type != DETECT_BYTE_EXTRACT) {
2139  result = 0;
2140  goto end;
2141  }
2142  bed = (SCDetectByteExtractData *)sm->ctx;
2143  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2144  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2145  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2146  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2147  goto end;
2148  }
2149  if (bed->local_id != 0) {
2150  result = 0;
2151  goto end;
2152  }
2153 
2154  sm = sm->next;
2155  if (sm->type != DETECT_CONTENT) {
2156  result = 0;
2157  goto end;
2158  }
2159  cd = (DetectContentData *)sm->ctx;
2160  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2161  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2162  DETECT_CONTENT_DEPTH) ||
2163  cd->depth != bed->local_id ||
2164  cd->offset != 0) {
2165  printf("three failed\n");
2166  result = 0;
2167  goto end;
2168  }
2169 
2170  if (sm->next != NULL)
2171  goto end;
2172 
2173  result = 1;
2174 
2175  end:
2176  SigGroupCleanup(de_ctx);
2177  SigCleanSignatures(de_ctx);
2178  DetectEngineCtxFree(de_ctx);
2179 
2180  return result;
2181 }
2182 
2183 static int DetectByteExtractTest46(void)
2184 {
2185  DetectEngineCtx *de_ctx = NULL;
2186  int result = 0;
2187  Signature *s = NULL;
2188  SigMatch *sm = NULL;
2189  DetectContentData *cd = NULL;
2190  SCDetectByteExtractData *bed1 = NULL;
2191  SCDetectByteExtractData *bed2 = NULL;
2192 
2193  de_ctx = DetectEngineCtxInit();
2194  if (de_ctx == NULL)
2195  goto end;
2196 
2197  de_ctx->flags |= DE_QUIET;
2198  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2199  "(msg:\"Testing bytejump_body\"; "
2200  "content:\"one\"; "
2201  "byte_extract:4,0,two,string,hex; "
2202  "byte_extract:4,0,three,string,hex; "
2203  "content: \"four\"; depth:two; "
2204  "content: \"five\"; depth:three; "
2205  "sid:1;)");
2206  if (de_ctx->sig_list == NULL) {
2207  result = 0;
2208  goto end;
2209  }
2210 
2211  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2212  result = 0;
2213  goto end;
2214  }
2215 
2216  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2217  if (sm->type != DETECT_CONTENT) {
2218  result = 0;
2219  goto end;
2220  }
2221  cd = (DetectContentData *)sm->ctx;
2222  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2223  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2224  cd->flags & DETECT_CONTENT_NOCASE ||
2225  cd->flags & DETECT_CONTENT_WITHIN ||
2226  cd->flags & DETECT_CONTENT_DISTANCE ||
2227  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2228  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2229  cd->flags & DETECT_CONTENT_NEGATED ) {
2230  printf("one failed\n");
2231  result = 0;
2232  goto end;
2233  }
2234 
2235  sm = sm->next;
2236  if (sm->type != DETECT_BYTE_EXTRACT) {
2237  result = 0;
2238  goto end;
2239  }
2240  bed1 = (SCDetectByteExtractData *)sm->ctx;
2241  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2242  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2243  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2244  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2245  goto end;
2246  }
2247  if (bed1->local_id != 0) {
2248  result = 0;
2249  goto end;
2250  }
2251 
2252  sm = sm->next;
2253  if (sm->type != DETECT_BYTE_EXTRACT) {
2254  result = 0;
2255  goto end;
2256  }
2257  bed2 = (SCDetectByteExtractData *)sm->ctx;
2258 
2259  sm = sm->next;
2260  if (sm->type != DETECT_CONTENT) {
2261  result = 0;
2262  goto end;
2263  }
2264  cd = (DetectContentData *)sm->ctx;
2265  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2266  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2267  DETECT_CONTENT_DEPTH) ||
2268  cd->depth != bed1->local_id) {
2269  printf("four failed\n");
2270  result = 0;
2271  goto end;
2272  }
2273 
2274  sm = sm->next;
2275  if (sm->type != DETECT_CONTENT) {
2276  result = 0;
2277  goto end;
2278  }
2279  cd = (DetectContentData *)sm->ctx;
2280  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2281  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2282  DETECT_CONTENT_DEPTH) ||
2283  cd->depth != bed2->local_id) {
2284  printf("five failed\n");
2285  result = 0;
2286  goto end;
2287  }
2288 
2289  if (sm->next != NULL)
2290  goto end;
2291 
2292  result = 1;
2293 
2294  end:
2295  SigGroupCleanup(de_ctx);
2296  SigCleanSignatures(de_ctx);
2297  DetectEngineCtxFree(de_ctx);
2298 
2299  return result;
2300 }
2301 
2302 static int DetectByteExtractTest47(void)
2303 {
2304  DetectEngineCtx *de_ctx = NULL;
2305  int result = 0;
2306  Signature *s = NULL;
2307  SigMatch *sm = NULL;
2308  DetectContentData *cd = NULL;
2309  SCDetectByteExtractData *bed = NULL;
2310 
2311  de_ctx = DetectEngineCtxInit();
2312  if (de_ctx == NULL)
2313  goto end;
2314 
2315  de_ctx->flags |= DE_QUIET;
2316  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2317  "(msg:\"Testing bytejump_body\"; "
2318  "content:\"one\"; "
2319  "byte_extract:4,0,two,string,hex; "
2320  "content: \"three\"; distance:two; "
2321  "sid:1;)");
2322  if (de_ctx->sig_list == NULL) {
2323  result = 0;
2324  goto end;
2325  }
2326 
2327  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2328  result = 0;
2329  goto end;
2330  }
2331 
2332  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2333  if (sm->type != DETECT_CONTENT) {
2334  result = 0;
2335  goto end;
2336  }
2337  cd = (DetectContentData *)sm->ctx;
2338  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2339  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2340  cd->flags & DETECT_CONTENT_NOCASE ||
2341  cd->flags & DETECT_CONTENT_WITHIN ||
2342  cd->flags & DETECT_CONTENT_DISTANCE ||
2343  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2344  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2345  cd->flags & DETECT_CONTENT_NEGATED ) {
2346  printf("one failed\n");
2347  result = 0;
2348  goto end;
2349  }
2350 
2351  sm = sm->next;
2352  if (sm->type != DETECT_BYTE_EXTRACT) {
2353  result = 0;
2354  goto end;
2355  }
2356  bed = (SCDetectByteExtractData *)sm->ctx;
2357  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2358  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2359  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2360  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2361  goto end;
2362  }
2363  if (bed->local_id != 0) {
2364  result = 0;
2365  goto end;
2366  }
2367 
2368  sm = sm->next;
2369  if (sm->type != DETECT_CONTENT) {
2370  result = 0;
2371  goto end;
2372  }
2373  cd = (DetectContentData *)sm->ctx;
2374  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2375  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2376  DETECT_CONTENT_DISTANCE) ||
2377  cd->distance != bed->local_id ||
2378  cd->offset != 0 ||
2379  cd->depth != 0) {
2380  printf("three failed\n");
2381  result = 0;
2382  goto end;
2383  }
2384 
2385  if (sm->next != NULL)
2386  goto end;
2387 
2388  result = 1;
2389 
2390  end:
2391  SigGroupCleanup(de_ctx);
2392  SigCleanSignatures(de_ctx);
2393  DetectEngineCtxFree(de_ctx);
2394 
2395  return result;
2396 }
2397 
2398 static int DetectByteExtractTest48(void)
2399 {
2400  DetectEngineCtx *de_ctx = NULL;
2401  int result = 0;
2402  Signature *s = NULL;
2403  SigMatch *sm = NULL;
2404  DetectContentData *cd = NULL;
2405  SCDetectByteExtractData *bed1 = NULL;
2406  SCDetectByteExtractData *bed2 = NULL;
2407 
2408  de_ctx = DetectEngineCtxInit();
2409  if (de_ctx == NULL)
2410  goto end;
2411 
2412  de_ctx->flags |= DE_QUIET;
2413  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2414  "(msg:\"Testing bytejump_body\"; "
2415  "content:\"one\"; "
2416  "byte_extract:4,0,two,string,hex; "
2417  "byte_extract:4,0,three,string,hex; "
2418  "content: \"four\"; distance:two; "
2419  "content: \"five\"; distance:three; "
2420  "sid:1;)");
2421  if (de_ctx->sig_list == NULL) {
2422  result = 0;
2423  goto end;
2424  }
2425 
2426  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2427  result = 0;
2428  goto end;
2429  }
2430 
2431  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2432  if (sm->type != DETECT_CONTENT) {
2433  result = 0;
2434  goto end;
2435  }
2436  cd = (DetectContentData *)sm->ctx;
2437  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2438  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2439  cd->flags & DETECT_CONTENT_NOCASE ||
2440  cd->flags & DETECT_CONTENT_WITHIN ||
2441  cd->flags & DETECT_CONTENT_DISTANCE ||
2442  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2443  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2444  cd->flags & DETECT_CONTENT_NEGATED ) {
2445  printf("one failed\n");
2446  result = 0;
2447  goto end;
2448  }
2449 
2450  sm = sm->next;
2451  if (sm->type != DETECT_BYTE_EXTRACT) {
2452  result = 0;
2453  goto end;
2454  }
2455  bed1 = (SCDetectByteExtractData *)sm->ctx;
2456  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2457  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2458  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2459  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2460  goto end;
2461  }
2462  if (bed1->local_id != 0) {
2463  result = 0;
2464  goto end;
2465  }
2466 
2467  sm = sm->next;
2468  if (sm->type != DETECT_BYTE_EXTRACT) {
2469  result = 0;
2470  goto end;
2471  }
2472  bed2 = (SCDetectByteExtractData *)sm->ctx;
2473 
2474  sm = sm->next;
2475  if (sm->type != DETECT_CONTENT) {
2476  result = 0;
2477  goto end;
2478  }
2479  cd = (DetectContentData *)sm->ctx;
2480  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2481  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2482  DETECT_CONTENT_DISTANCE |
2483  DETECT_CONTENT_DISTANCE_NEXT) ||
2484  cd->distance != bed1->local_id ||
2485  cd->depth != 0 ||
2486  cd->offset != 0) {
2487  printf("four failed\n");
2488  result = 0;
2489  goto end;
2490  }
2491 
2492  sm = sm->next;
2493  if (sm->type != DETECT_CONTENT) {
2494  result = 0;
2495  goto end;
2496  }
2497  cd = (DetectContentData *)sm->ctx;
2498  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2499  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2500  DETECT_CONTENT_DISTANCE) ||
2501  cd->distance != bed2->local_id ||
2502  cd->depth != 0 ||
2503  cd->offset != 0) {
2504  printf("five failed\n");
2505  result = 0;
2506  goto end;
2507  }
2508 
2509  if (sm->next != NULL)
2510  goto end;
2511 
2512  result = 1;
2513 
2514  end:
2515  SigGroupCleanup(de_ctx);
2516  SigCleanSignatures(de_ctx);
2517  DetectEngineCtxFree(de_ctx);
2518 
2519  return result;
2520 }
2521 
2522 static int DetectByteExtractTest49(void)
2523 {
2524  DetectEngineCtx *de_ctx = NULL;
2525  int result = 0;
2526  Signature *s = NULL;
2527  SigMatch *sm = NULL;
2528  DetectContentData *cd = NULL;
2529  SCDetectByteExtractData *bed = NULL;
2530 
2531  de_ctx = DetectEngineCtxInit();
2532  if (de_ctx == NULL)
2533  goto end;
2534 
2535  de_ctx->flags |= DE_QUIET;
2536  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2537  "(msg:\"Testing bytejump_body\"; "
2538  "content:\"one\"; "
2539  "byte_extract:4,0,two,string,hex; "
2540  "content: \"three\"; within:two; "
2541  "sid:1;)");
2542  if (de_ctx->sig_list == NULL) {
2543  result = 0;
2544  goto end;
2545  }
2546 
2547  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2548  result = 0;
2549  goto end;
2550  }
2551 
2552  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2553  if (sm->type != DETECT_CONTENT) {
2554  result = 0;
2555  goto end;
2556  }
2557  cd = (DetectContentData *)sm->ctx;
2558  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2559  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2560  cd->flags & DETECT_CONTENT_NOCASE ||
2561  cd->flags & DETECT_CONTENT_WITHIN ||
2562  cd->flags & DETECT_CONTENT_DISTANCE ||
2563  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2564  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2565  cd->flags & DETECT_CONTENT_NEGATED ) {
2566  printf("one failed\n");
2567  result = 0;
2568  goto end;
2569  }
2570 
2571  sm = sm->next;
2572  if (sm->type != DETECT_BYTE_EXTRACT) {
2573  result = 0;
2574  goto end;
2575  }
2576  bed = (SCDetectByteExtractData *)sm->ctx;
2577  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2578  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2579  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2580  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2581  goto end;
2582  }
2583  if (bed->local_id != 0) {
2584  result = 0;
2585  goto end;
2586  }
2587 
2588  sm = sm->next;
2589  if (sm->type != DETECT_CONTENT) {
2590  result = 0;
2591  goto end;
2592  }
2593  cd = (DetectContentData *)sm->ctx;
2594  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2595  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
2596  DETECT_CONTENT_WITHIN) ||
2597  cd->within != bed->local_id ||
2598  cd->offset != 0 ||
2599  cd->depth != 0 ||
2600  cd->distance != 0) {
2601  printf("three failed\n");
2602  result = 0;
2603  goto end;
2604  }
2605 
2606  if (sm->next != NULL)
2607  goto end;
2608 
2609  result = 1;
2610 
2611  end:
2612  SigGroupCleanup(de_ctx);
2613  SigCleanSignatures(de_ctx);
2614  DetectEngineCtxFree(de_ctx);
2615 
2616  return result;
2617 }
2618 
2619 static int DetectByteExtractTest50(void)
2620 {
2621  DetectEngineCtx *de_ctx = NULL;
2622  int result = 0;
2623  Signature *s = NULL;
2624  SigMatch *sm = NULL;
2625  DetectContentData *cd = NULL;
2626  SCDetectByteExtractData *bed1 = NULL;
2627  SCDetectByteExtractData *bed2 = NULL;
2628 
2629  de_ctx = DetectEngineCtxInit();
2630  if (de_ctx == NULL)
2631  goto end;
2632 
2633  de_ctx->flags |= DE_QUIET;
2634  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2635  "(msg:\"Testing bytejump_body\"; "
2636  "content:\"one\"; "
2637  "byte_extract:4,0,two,string,hex; "
2638  "byte_extract:4,0,three,string,hex; "
2639  "content: \"four\"; within:two; "
2640  "content: \"five\"; within:three; "
2641  "sid:1;)");
2642  if (de_ctx->sig_list == NULL) {
2643  result = 0;
2644  goto end;
2645  }
2646 
2647  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2648  result = 0;
2649  goto end;
2650  }
2651 
2652  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2653  if (sm->type != DETECT_CONTENT) {
2654  result = 0;
2655  goto end;
2656  }
2657  cd = (DetectContentData *)sm->ctx;
2658  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2659  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2660  cd->flags & DETECT_CONTENT_NOCASE ||
2661  cd->flags & DETECT_CONTENT_WITHIN ||
2662  cd->flags & DETECT_CONTENT_DISTANCE ||
2663  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2664  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2665  cd->flags & DETECT_CONTENT_NEGATED ) {
2666  printf("one failed\n");
2667  result = 0;
2668  goto end;
2669  }
2670 
2671  sm = sm->next;
2672  if (sm->type != DETECT_BYTE_EXTRACT) {
2673  result = 0;
2674  goto end;
2675  }
2676  bed1 = (SCDetectByteExtractData *)sm->ctx;
2677  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2678  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2679  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2680  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2681  goto end;
2682  }
2683  if (bed1->local_id != 0) {
2684  result = 0;
2685  goto end;
2686  }
2687 
2688  sm = sm->next;
2689  if (sm->type != DETECT_BYTE_EXTRACT) {
2690  result = 0;
2691  goto end;
2692  }
2693  bed2 = (SCDetectByteExtractData *)sm->ctx;
2694 
2695  sm = sm->next;
2696  if (sm->type != DETECT_CONTENT) {
2697  result = 0;
2698  goto end;
2699  }
2700  cd = (DetectContentData *)sm->ctx;
2701  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2702  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
2703  DETECT_CONTENT_WITHIN|
2704  DETECT_CONTENT_WITHIN_NEXT) ||
2705  cd->within != bed1->local_id ||
2706  cd->depth != 0 ||
2707  cd->offset != 0 ||
2708  cd->distance != 0) {
2709  printf("four failed\n");
2710  result = 0;
2711  goto end;
2712  }
2713 
2714  sm = sm->next;
2715  if (sm->type != DETECT_CONTENT) {
2716  result = 0;
2717  goto end;
2718  }
2719  cd = (DetectContentData *)sm->ctx;
2720  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2721  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
2722  DETECT_CONTENT_WITHIN) ||
2723  cd->within != bed2->local_id ||
2724  cd->depth != 0 ||
2725  cd->offset != 0 ||
2726  cd->distance != 0) {
2727  printf("five failed\n");
2728  result = 0;
2729  goto end;
2730  }
2731 
2732  if (sm->next != NULL)
2733  goto end;
2734 
2735  result = 1;
2736 
2737  end:
2738  SigGroupCleanup(de_ctx);
2739  SigCleanSignatures(de_ctx);
2740  DetectEngineCtxFree(de_ctx);
2741 
2742  return result;
2743 }
2744 
2745 static int DetectByteExtractTest51(void)
2746 {
2747  DetectEngineCtx *de_ctx = NULL;
2748  int result = 0;
2749  Signature *s = NULL;
2750  SigMatch *sm = NULL;
2751  DetectContentData *cd = NULL;
2752  SCDetectByteExtractData *bed = NULL;
2753  DetectBytetestData *btd = NULL;
2754 
2755  de_ctx = DetectEngineCtxInit();
2756  if (de_ctx == NULL)
2757  goto end;
2758 
2759  de_ctx->flags |= DE_QUIET;
2760  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2761  "(msg:\"Testing bytejump_body\"; "
2762  "content:\"one\"; "
2763  "byte_extract:4,0,two,string,hex; "
2764  "byte_test: 2,=,10, two; "
2765  "sid:1;)");
2766  if (de_ctx->sig_list == NULL) {
2767  result = 0;
2768  goto end;
2769  }
2770 
2771  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2772  result = 0;
2773  goto end;
2774  }
2775 
2776  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2777  if (sm->type != DETECT_CONTENT) {
2778  result = 0;
2779  goto end;
2780  }
2781  cd = (DetectContentData *)sm->ctx;
2782  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2783  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2784  cd->flags & DETECT_CONTENT_NOCASE ||
2785  cd->flags & DETECT_CONTENT_WITHIN ||
2786  cd->flags & DETECT_CONTENT_DISTANCE ||
2787  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2788  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2789  cd->flags & DETECT_CONTENT_NEGATED ) {
2790  printf("one failed\n");
2791  result = 0;
2792  goto end;
2793  }
2794 
2795  sm = sm->next;
2796  if (sm->type != DETECT_BYTE_EXTRACT) {
2797  result = 0;
2798  goto end;
2799  }
2800  bed = (SCDetectByteExtractData *)sm->ctx;
2801  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2802  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2803  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2804  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2805  goto end;
2806  }
2807  if (bed->local_id != 0) {
2808  result = 0;
2809  goto end;
2810  }
2811 
2812  sm = sm->next;
2813  if (sm->type != DETECT_BYTETEST) {
2814  result = 0;
2815  goto end;
2816  }
2817  btd = (DetectBytetestData *)sm->ctx;
2818  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
2819  btd->value != 10 ||
2820  btd->offset != 0) {
2821  printf("three failed\n");
2822  result = 0;
2823  goto end;
2824  }
2825 
2826  if (sm->next != NULL)
2827  goto end;
2828 
2829  result = 1;
2830 
2831  end:
2832  SigGroupCleanup(de_ctx);
2833  SigCleanSignatures(de_ctx);
2834  DetectEngineCtxFree(de_ctx);
2835 
2836  return result;
2837 }
2838 
2839 static int DetectByteExtractTest52(void)
2840 {
2841  DetectEngineCtx *de_ctx = NULL;
2842  int result = 0;
2843  Signature *s = NULL;
2844  SigMatch *sm = NULL;
2845  DetectContentData *cd = NULL;
2846  SCDetectByteExtractData *bed1 = NULL;
2847  DetectBytetestData *btd = NULL;
2848 
2849  de_ctx = DetectEngineCtxInit();
2850  if (de_ctx == NULL)
2851  goto end;
2852 
2853  de_ctx->flags |= DE_QUIET;
2854  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2855  "(msg:\"Testing bytejump_body\"; "
2856  "content:\"one\"; "
2857  "byte_extract:4,0,two,string,hex; "
2858  "byte_extract:4,0,three,string,hex; "
2859  "byte_test: 2,=,two,three; "
2860  "byte_test: 3,=,10,three; "
2861  "sid:1;)");
2862  if (de_ctx->sig_list == NULL) {
2863  result = 0;
2864  goto end;
2865  }
2866 
2867  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2868  result = 0;
2869  goto end;
2870  }
2871 
2872  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2873  if (sm->type != DETECT_CONTENT) {
2874  result = 0;
2875  goto end;
2876  }
2877  cd = (DetectContentData *)sm->ctx;
2878  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2879  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2880  cd->flags & DETECT_CONTENT_NOCASE ||
2881  cd->flags & DETECT_CONTENT_WITHIN ||
2882  cd->flags & DETECT_CONTENT_DISTANCE ||
2883  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2884  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2885  cd->flags & DETECT_CONTENT_NEGATED ) {
2886  printf("one failed\n");
2887  result = 0;
2888  goto end;
2889  }
2890 
2891  sm = sm->next;
2892  if (sm->type != DETECT_BYTE_EXTRACT) {
2893  result = 0;
2894  goto end;
2895  }
2896  bed1 = (SCDetectByteExtractData *)sm->ctx;
2897  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2898  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2899  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2900  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2901  goto end;
2902  }
2903  if (bed1->local_id != 0) {
2904  result = 0;
2905  goto end;
2906  }
2907 
2908  sm = sm->next;
2909  if (sm->type != DETECT_BYTE_EXTRACT) {
2910  result = 0;
2911  goto end;
2912  }
2913 
2914  sm = sm->next;
2915  if (sm->type != DETECT_BYTETEST) {
2916  result = 0;
2917  goto end;
2918  }
2919  btd = (DetectBytetestData *)sm->ctx;
2920  if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
2921  DETECT_BYTETEST_VALUE_VAR) ||
2922  btd->value != 0 ||
2923  btd->offset != 1) {
2924  printf("three failed\n");
2925  result = 0;
2926  goto end;
2927  }
2928 
2929  sm = sm->next;
2930  if (sm->type != DETECT_BYTETEST) {
2931  result = 0;
2932  goto end;
2933  }
2934  btd = (DetectBytetestData *)sm->ctx;
2935  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
2936  btd->value != 10 ||
2937  btd->offset != 1) {
2938  printf("four failed\n");
2939  result = 0;
2940  goto end;
2941  }
2942 
2943  if (sm->next != NULL)
2944  goto end;
2945 
2946  result = 1;
2947 
2948  end:
2949  SigGroupCleanup(de_ctx);
2950  SigCleanSignatures(de_ctx);
2951  DetectEngineCtxFree(de_ctx);
2952 
2953  return result;
2954 }
2955 
2956 static int DetectByteExtractTest53(void)
2957 {
2958  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2959  FAIL_IF_NULL(de_ctx);
2960  de_ctx->flags |= DE_QUIET;
2961 
2962  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
2963  "content:\"one\"; "
2964  "byte_extract:4,0,two,string,hex; "
2965  "byte_jump: 2,two; "
2966  "sid:1;)");
2967  FAIL_IF_NULL(s);
2968  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
2969 
2970  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2971  FAIL_IF(sm->type != DETECT_CONTENT);
2972  DetectContentData *cd = (DetectContentData *)sm->ctx;
2973  FAIL_IF(cd->flags != 0);
2974 
2975  sm = sm->next;
2976  FAIL_IF_NULL(sm);
2977  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
2978  SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
2979 
2980  FAIL_IF(bed->nbytes != 4);
2981  FAIL_IF(bed->offset != 0);
2982  FAIL_IF(strcmp(bed->name, "two") != 0);
2983  FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
2984  FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
2985  FAIL_IF(bed->align_value != 0);
2986  FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
2987  FAIL_IF(bed->local_id != 0);
2988 
2989  sm = sm->next;
2990  FAIL_IF_NULL(sm);
2991  FAIL_IF(sm->type != DETECT_BYTEJUMP);
2992  DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
2993 
2994  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
2995  FAIL_IF(bjd->offset != 0);
2996 
2997  FAIL_IF_NOT_NULL(sm->next);
2998  DetectEngineCtxFree(de_ctx);
2999  PASS;
3000 }
3001 
3002 static int DetectByteExtractTest54(void)
3003 {
3004  DetectEngineCtx *de_ctx = NULL;
3005  int result = 0;
3006  Signature *s = NULL;
3007  SigMatch *sm = NULL;
3008  DetectContentData *cd = NULL;
3009  SCDetectByteExtractData *bed1 = NULL;
3010  DetectBytejumpData *bjd = NULL;
3011 
3012  de_ctx = DetectEngineCtxInit();
3013  if (de_ctx == NULL)
3014  goto end;
3015 
3016  de_ctx->flags |= DE_QUIET;
3017  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3018  "(msg:\"Testing bytejump_body\"; "
3019  "content:\"one\"; "
3020  "byte_extract:4,0,two,string,hex; "
3021  "byte_extract:4,0,three,string,hex; "
3022  "byte_jump: 2,two; "
3023  "byte_jump: 3,three; "
3024  "sid:1;)");
3025  if (de_ctx->sig_list == NULL) {
3026  result = 0;
3027  goto end;
3028  }
3029 
3030  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3031  result = 0;
3032  goto end;
3033  }
3034 
3035  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3036  if (sm->type != DETECT_CONTENT) {
3037  result = 0;
3038  goto end;
3039  }
3040  cd = (DetectContentData *)sm->ctx;
3041  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3042  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3043  cd->flags & DETECT_CONTENT_NOCASE ||
3044  cd->flags & DETECT_CONTENT_WITHIN ||
3045  cd->flags & DETECT_CONTENT_DISTANCE ||
3046  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3047  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3048  cd->flags & DETECT_CONTENT_NEGATED ) {
3049  printf("one failed\n");
3050  result = 0;
3051  goto end;
3052  }
3053 
3054  sm = sm->next;
3055  if (sm->type != DETECT_BYTE_EXTRACT) {
3056  result = 0;
3057  goto end;
3058  }
3059  bed1 = (SCDetectByteExtractData *)sm->ctx;
3060  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3061  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3062  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3063  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3064  goto end;
3065  }
3066  if (bed1->local_id != 0) {
3067  result = 0;
3068  goto end;
3069  }
3070 
3071  sm = sm->next;
3072  if (sm->type != DETECT_BYTE_EXTRACT) {
3073  result = 0;
3074  goto end;
3075  }
3076 
3077  sm = sm->next;
3078  if (sm->type != DETECT_BYTEJUMP) {
3079  result = 0;
3080  goto end;
3081  }
3082  bjd = (DetectBytejumpData *)sm->ctx;
3083  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3084  printf("three failed\n");
3085  result = 0;
3086  goto end;
3087  }
3088 
3089  sm = sm->next;
3090  if (sm->type != DETECT_BYTEJUMP) {
3091  result = 0;
3092  goto end;
3093  }
3094  bjd = (DetectBytejumpData *)sm->ctx;
3095  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
3096  printf("four failed\n");
3097  result = 0;
3098  goto end;
3099  }
3100 
3101  if (sm->next != NULL)
3102  goto end;
3103 
3104  result = 1;
3105 
3106  end:
3107  SigGroupCleanup(de_ctx);
3108  SigCleanSignatures(de_ctx);
3109  DetectEngineCtxFree(de_ctx);
3110 
3111  return result;
3112 }
3113 
3114 static int DetectByteExtractTest55(void)
3115 {
3116  DetectEngineCtx *de_ctx = NULL;
3117  int result = 0;
3118  Signature *s = NULL;
3119  SigMatch *sm = NULL;
3120  DetectContentData *cd = NULL;
3121  SCDetectByteExtractData *bed1 = NULL;
3122  SCDetectByteExtractData *bed2 = NULL;
3123 
3124  de_ctx = DetectEngineCtxInit();
3125  if (de_ctx == NULL)
3126  goto end;
3127 
3128  de_ctx->flags |= DE_QUIET;
3129  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3130  "(msg:\"Testing byte_extract\"; "
3131  "content:\"one\"; "
3132  "byte_extract:4,0,two,string,hex; "
3133  "byte_extract:4,0,three,string,hex; "
3134  "byte_extract:4,0,four,string,hex; "
3135  "byte_extract:4,0,five,string,hex; "
3136  "content: \"four\"; within:two; distance:three; "
3137  "sid:1;)");
3138  if (de_ctx->sig_list == NULL) {
3139  goto end;
3140  }
3141 
3142  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3143  goto end;
3144  }
3145 
3146  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3147  if (sm->type != DETECT_CONTENT) {
3148  goto end;
3149  }
3150  cd = (DetectContentData *)sm->ctx;
3151  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3152  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3153  cd->flags & DETECT_CONTENT_NOCASE ||
3154  cd->flags & DETECT_CONTENT_WITHIN ||
3155  cd->flags & DETECT_CONTENT_DISTANCE ||
3156  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3157  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3158  cd->flags & DETECT_CONTENT_NEGATED ) {
3159  printf("one failed: ");
3160  goto end;
3161  }
3162 
3163  sm = sm->next;
3164  if (sm->type != DETECT_BYTE_EXTRACT) {
3165  goto end;
3166  }
3167  bed1 = (SCDetectByteExtractData *)sm->ctx;
3168  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3169  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3170  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3171  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3172  goto end;
3173  }
3174  if (bed1->local_id != 0) {
3175  goto end;
3176  }
3177 
3178  sm = sm->next;
3179  if (sm->type != DETECT_BYTE_EXTRACT) {
3180  goto end;
3181  }
3182  bed2 = (SCDetectByteExtractData *)sm->ctx;
3183 
3184  sm = sm->next;
3185  if (sm->type != DETECT_BYTE_EXTRACT) {
3186  goto end;
3187  }
3188 
3189  sm = sm->next;
3190  if (sm->type != DETECT_BYTE_EXTRACT) {
3191  goto end;
3192  }
3193 
3194  sm = sm->next;
3195  if (sm->type != DETECT_CONTENT) {
3196  goto end;
3197  }
3198  cd = (DetectContentData *)sm->ctx;
3199  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3200  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3201  DETECT_CONTENT_WITHIN_VAR |
3202  DETECT_CONTENT_DISTANCE |
3203  DETECT_CONTENT_WITHIN) ||
3204  cd->within != bed1->local_id ||
3205  cd->distance != bed2->local_id) {
3206  printf("four failed: ");
3207  goto end;
3208  }
3209 
3210  if (sm->next != NULL) {
3211  goto end;
3212  }
3213 
3214  result = 1;
3215 
3216  end:
3217  SigGroupCleanup(de_ctx);
3218  SigCleanSignatures(de_ctx);
3219  DetectEngineCtxFree(de_ctx);
3220 
3221  return result;
3222 }
3223 
3224 static int DetectByteExtractTest56(void)
3225 {
3226  DetectEngineCtx *de_ctx = NULL;
3227  int result = 0;
3228  Signature *s = NULL;
3229  SigMatch *sm = NULL;
3230  DetectContentData *cd = NULL;
3231  SCDetectByteExtractData *bed1 = NULL;
3232  SCDetectByteExtractData *bed2 = NULL;
3233 
3234  de_ctx = DetectEngineCtxInit();
3235  if (de_ctx == NULL)
3236  goto end;
3237 
3238  de_ctx->flags |= DE_QUIET;
3239  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3240  "(msg:\"Testing bytejump_body\"; "
3241  "uricontent:\"urione\"; "
3242  "content:\"one\"; "
3243  "byte_extract:4,0,two,string,hex; "
3244  "byte_extract:4,0,three,string,hex; "
3245  "byte_extract:4,0,four,string,hex; "
3246  "byte_extract:4,0,five,string,hex; "
3247  "content: \"four\"; within:two; distance:three; "
3248  "sid:1;)");
3249  if (de_ctx->sig_list == NULL) {
3250  result = 0;
3251  goto end;
3252  }
3253 
3254  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3255  result = 0;
3256  goto end;
3257  }
3258 
3259  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3260  if (sm->type != DETECT_CONTENT) {
3261  result = 0;
3262  goto end;
3263  }
3264  cd = (DetectContentData *)sm->ctx;
3265  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3266  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3267  cd->flags & DETECT_CONTENT_NOCASE ||
3268  cd->flags & DETECT_CONTENT_WITHIN ||
3269  cd->flags & DETECT_CONTENT_DISTANCE ||
3270  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3271  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3272  cd->flags & DETECT_CONTENT_NEGATED ) {
3273  printf("one failed\n");
3274  result = 0;
3275  goto end;
3276  }
3277 
3278  if (sm->next != NULL)
3279  goto end;
3280 
3281  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3282  if (sm->type != DETECT_CONTENT) {
3283  result = 0;
3284  goto end;
3285  }
3286  cd = (DetectContentData *)sm->ctx;
3287  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3288  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3289  cd->flags & DETECT_CONTENT_NOCASE ||
3290  cd->flags & DETECT_CONTENT_WITHIN ||
3291  cd->flags & DETECT_CONTENT_DISTANCE ||
3292  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3293  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3294  cd->flags & DETECT_CONTENT_NEGATED ) {
3295  printf("one failed\n");
3296  result = 0;
3297  goto end;
3298  }
3299 
3300  sm = sm->next;
3301  if (sm->type != DETECT_BYTE_EXTRACT) {
3302  result = 0;
3303  goto end;
3304  }
3305  bed1 = (SCDetectByteExtractData *)sm->ctx;
3306  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3307  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3308  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3309  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3310  goto end;
3311  }
3312  if (bed1->local_id != 0) {
3313  result = 0;
3314  goto end;
3315  }
3316 
3317  sm = sm->next;
3318  if (sm->type != DETECT_BYTE_EXTRACT) {
3319  result = 0;
3320  goto end;
3321  }
3322  bed2 = (SCDetectByteExtractData *)sm->ctx;
3323 
3324  sm = sm->next;
3325  if (sm->type != DETECT_BYTE_EXTRACT) {
3326  result = 0;
3327  goto end;
3328  }
3329 
3330  sm = sm->next;
3331  if (sm->type != DETECT_BYTE_EXTRACT) {
3332  result = 0;
3333  goto end;
3334  }
3335 
3336  sm = sm->next;
3337  if (sm->type != DETECT_CONTENT) {
3338  result = 0;
3339  goto end;
3340  }
3341  cd = (DetectContentData *)sm->ctx;
3342  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3343  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3344  DETECT_CONTENT_WITHIN_VAR |
3345  DETECT_CONTENT_DISTANCE |
3346  DETECT_CONTENT_WITHIN) ||
3347  cd->within != bed1->local_id ||
3348  cd->distance != bed2->local_id ) {
3349  printf("four failed\n");
3350  result = 0;
3351  goto end;
3352  }
3353 
3354  if (sm->next != NULL) {
3355  goto end;
3356  }
3357 
3358  result = 1;
3359 
3360  end:
3361  SigGroupCleanup(de_ctx);
3362  SigCleanSignatures(de_ctx);
3363  DetectEngineCtxFree(de_ctx);
3364 
3365  return result;
3366 }
3367 
3368 static int DetectByteExtractTest57(void)
3369 {
3370  DetectEngineCtx *de_ctx = NULL;
3371  int result = 0;
3372  Signature *s = NULL;
3373  SigMatch *sm = NULL;
3374  DetectContentData *cd = NULL;
3375  SCDetectByteExtractData *bed1 = NULL;
3376  SCDetectByteExtractData *bed2 = NULL;
3377  SCDetectByteExtractData *bed3 = NULL;
3378  SCDetectByteExtractData *bed4 = NULL;
3379 
3380  de_ctx = DetectEngineCtxInit();
3381  if (de_ctx == NULL)
3382  goto end;
3383 
3384  de_ctx->flags |= DE_QUIET;
3385  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3386  "(msg:\"Testing bytejump_body\"; "
3387  "content:\"one\"; "
3388  "uricontent: \"urione\"; "
3389  "byte_extract:4,0,two,string,hex,relative; "
3390  "byte_extract:4,0,three,string,hex,relative; "
3391  "byte_extract:4,0,four,string,hex,relative; "
3392  "byte_extract:4,0,five,string,hex,relative; "
3393  "uricontent: \"four\"; within:two; distance:three; "
3394  "sid:1;)");
3395  if (de_ctx->sig_list == NULL) {
3396  result = 0;
3397  goto end;
3398  }
3399 
3400  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3401  result = 0;
3402  goto end;
3403  }
3404 
3405  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3406  if (sm->type != DETECT_CONTENT) {
3407  result = 0;
3408  goto end;
3409  }
3410  cd = (DetectContentData *)sm->ctx;
3411  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3412  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3413  cd->flags & DETECT_CONTENT_NOCASE ||
3414  cd->flags & DETECT_CONTENT_WITHIN ||
3415  cd->flags & DETECT_CONTENT_DISTANCE ||
3416  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3417  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3418  cd->flags & DETECT_CONTENT_NEGATED ) {
3419  printf("one failed\n");
3420  result = 0;
3421  goto end;
3422  }
3423 
3424  if (sm->next != NULL)
3425  goto end;
3426 
3427  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3428  if (sm->type != DETECT_CONTENT) {
3429  result = 0;
3430  goto end;
3431  }
3432  cd = (DetectContentData *)sm->ctx;
3433  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3434  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3435  cd->flags & DETECT_CONTENT_NOCASE ||
3436  cd->flags & DETECT_CONTENT_WITHIN ||
3437  cd->flags & DETECT_CONTENT_DISTANCE ||
3438  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3439  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3440  cd->flags & DETECT_CONTENT_NEGATED ) {
3441  printf("one failed\n");
3442  result = 0;
3443  goto end;
3444  }
3445 
3446  sm = sm->next;
3447  if (sm->type != DETECT_BYTE_EXTRACT) {
3448  result = 0;
3449  goto end;
3450  }
3451  bed1 = (SCDetectByteExtractData *)sm->ctx;
3452  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3453  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3454  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3455  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3456  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3457  goto end;
3458  }
3459  if (bed1->local_id != 0) {
3460  result = 0;
3461  goto end;
3462  }
3463 
3464  sm = sm->next;
3465  if (sm->type != DETECT_BYTE_EXTRACT) {
3466  result = 0;
3467  goto end;
3468  }
3469  bed2 = (SCDetectByteExtractData *)sm->ctx;
3470  if (bed2->local_id != 1) {
3471  result = 0;
3472  goto end;
3473  }
3474 
3475  sm = sm->next;
3476  if (sm->type != DETECT_BYTE_EXTRACT) {
3477  result = 0;
3478  goto end;
3479  }
3480  bed3 = (SCDetectByteExtractData *)sm->ctx;
3481  if (bed3->local_id != 2) {
3482  result = 0;
3483  goto end;
3484  }
3485 
3486  sm = sm->next;
3487  if (sm->type != DETECT_BYTE_EXTRACT) {
3488  result = 0;
3489  goto end;
3490  }
3491  bed4 = (SCDetectByteExtractData *)sm->ctx;
3492  if (bed4->local_id != 3) {
3493  result = 0;
3494  goto end;
3495  }
3496 
3497  sm = sm->next;
3498  if (sm->type != DETECT_CONTENT) {
3499  result = 0;
3500  goto end;
3501  }
3502  cd = (DetectContentData *)sm->ctx;
3503  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3504  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3505  DETECT_CONTENT_WITHIN_VAR |
3506  DETECT_CONTENT_DISTANCE |
3507  DETECT_CONTENT_WITHIN) ||
3508  cd->within != bed1->local_id ||
3509  cd->distance != bed2->local_id) {
3510  printf("four failed\n");
3511  result = 0;
3512  goto end;
3513  }
3514 
3515  if (sm->next != NULL) {
3516  goto end;
3517  }
3518 
3519  result = 1;
3520 
3521  end:
3522  SigGroupCleanup(de_ctx);
3523  SigCleanSignatures(de_ctx);
3524  DetectEngineCtxFree(de_ctx);
3525 
3526  return result;
3527 }
3528 
3529 static int DetectByteExtractTest58(void)
3530 {
3531  DetectEngineCtx *de_ctx = NULL;
3532  int result = 0;
3533  Signature *s = NULL;
3534  SigMatch *sm = NULL;
3535  DetectContentData *cd = NULL;
3536  SCDetectByteExtractData *bed1 = NULL;
3537  DetectBytejumpData *bjd = NULL;
3538  DetectIsdataatData *isdd = NULL;
3539 
3540  de_ctx = DetectEngineCtxInit();
3541  if (de_ctx == NULL)
3542  goto end;
3543 
3544  de_ctx->flags |= DE_QUIET;
3545  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3546  "(msg:\"Testing bytejump_body\"; "
3547  "content:\"one\"; "
3548  "byte_extract:4,0,two,string,hex; "
3549  "byte_extract:4,0,three,string,hex; "
3550  "byte_jump: 2,two; "
3551  "byte_jump: 3,three; "
3552  "isdataat: three; "
3553  "sid:1;)");
3554  if (de_ctx->sig_list == NULL) {
3555  result = 0;
3556  goto end;
3557  }
3558 
3559  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3560  result = 0;
3561  goto end;
3562  }
3563 
3564  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3565  if (sm->type != DETECT_CONTENT) {
3566  result = 0;
3567  goto end;
3568  }
3569  cd = (DetectContentData *)sm->ctx;
3570  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3571  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3572  cd->flags & DETECT_CONTENT_NOCASE ||
3573  cd->flags & DETECT_CONTENT_WITHIN ||
3574  cd->flags & DETECT_CONTENT_DISTANCE ||
3575  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3576  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3577  cd->flags & DETECT_CONTENT_NEGATED ) {
3578  printf("one failed\n");
3579  result = 0;
3580  goto end;
3581  }
3582 
3583  sm = sm->next;
3584  if (sm->type != DETECT_BYTE_EXTRACT) {
3585  result = 0;
3586  goto end;
3587  }
3588  bed1 = (SCDetectByteExtractData *)sm->ctx;
3589  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3590  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3591  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3592  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3593  goto end;
3594  }
3595  if (bed1->local_id != 0) {
3596  result = 0;
3597  goto end;
3598  }
3599 
3600  sm = sm->next;
3601  if (sm->type != DETECT_BYTE_EXTRACT) {
3602  result = 0;
3603  goto end;
3604  }
3605 
3606  sm = sm->next;
3607  if (sm->type != DETECT_BYTEJUMP) {
3608  result = 0;
3609  goto end;
3610  }
3611  bjd = (DetectBytejumpData *)sm->ctx;
3612  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3613  printf("three failed\n");
3614  result = 0;
3615  goto end;
3616  }
3617 
3618  sm = sm->next;
3619  if (sm->type != DETECT_BYTEJUMP) {
3620  result = 0;
3621  goto end;
3622  }
3623  bjd = (DetectBytejumpData *)sm->ctx;
3624  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
3625  printf("four failed\n");
3626  result = 0;
3627  goto end;
3628  }
3629 
3630  sm = sm->next;
3631  if (sm->type != DETECT_ISDATAAT) {
3632  result = 0;
3633  goto end;
3634  }
3635  isdd = (DetectIsdataatData *)sm->ctx;
3636  if (isdd->flags != ISDATAAT_OFFSET_VAR ||
3637  isdd->dataat != 1) {
3638  printf("isdataat failed\n");
3639  result = 0;
3640  goto end;
3641  }
3642 
3643  if (sm->next != NULL)
3644  goto end;
3645 
3646  result = 1;
3647 
3648  end:
3649  SigGroupCleanup(de_ctx);
3650  SigCleanSignatures(de_ctx);
3651  DetectEngineCtxFree(de_ctx);
3652 
3653  return result;
3654 }
3655 
3656 static int DetectByteExtractTest59(void)
3657 {
3658  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3659  FAIL_IF_NULL(de_ctx);
3660  de_ctx->flags |= DE_QUIET;
3661 
3662  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
3663  "content:\"one\"; "
3664  "byte_extract:4,0,two,string,hex; "
3665  "byte_extract:4,0,three,string,hex; "
3666  "byte_jump: 2,two; "
3667  "byte_jump: 3,three; "
3668  "isdataat: three,relative; "
3669  "sid:1;)");
3670  FAIL_IF_NULL(s);
3671 
3672  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
3673  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3674  FAIL_IF(sm->type != DETECT_CONTENT);
3675 
3676  DetectContentData *cd = (DetectContentData *)sm->ctx;
3677  FAIL_IF(cd->flags & DETECT_CONTENT_RAWBYTES);
3678  FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
3679  FAIL_IF(cd->flags & DETECT_CONTENT_NOCASE);
3680  FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
3681  FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
3682  FAIL_IF(cd->flags & DETECT_CONTENT_FAST_PATTERN);
3683  FAIL_IF(cd->flags & DETECT_CONTENT_RELATIVE_NEXT);
3684  FAIL_IF(cd->flags & DETECT_CONTENT_NEGATED);
3685 
3686  sm = sm->next;
3687  FAIL_IF_NULL(sm);
3688  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
3689 
3690  SCDetectByteExtractData *bed1 = (SCDetectByteExtractData *)sm->ctx;
3691  FAIL_IF(bed1->nbytes != 4);
3692  FAIL_IF(bed1->offset != 0);
3693  FAIL_IF(strcmp(bed1->name, "two") != 0);
3694  printf("a\n");
3695  FAIL_IF(bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
3696  printf("b\n");
3697  FAIL_IF(bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX);
3698  FAIL_IF(bed1->align_value != 0);
3699  FAIL_IF(bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
3700 
3701  FAIL_IF(bed1->local_id != 0);
3702 
3703  sm = sm->next;
3704  FAIL_IF_NULL(sm);
3705  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
3706 
3707  sm = sm->next;
3708  FAIL_IF_NULL(sm);
3709  FAIL_IF(sm->type != DETECT_BYTEJUMP);
3710 
3711  DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
3712  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3713  FAIL_IF(bjd->offset != 0);
3714 
3715  sm = sm->next;
3716  FAIL_IF_NULL(sm);
3717  FAIL_IF(sm->type != DETECT_BYTEJUMP);
3718 
3719  bjd = (DetectBytejumpData *)sm->ctx;
3720  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3721  FAIL_IF(bjd->offset != 1);
3722 
3723  sm = sm->next;
3724  FAIL_IF_NULL(sm);
3725  FAIL_IF(sm->type != DETECT_ISDATAAT);
3726  DetectIsdataatData *isdd = (DetectIsdataatData *)sm->ctx;
3727  FAIL_IF(isdd->flags != (ISDATAAT_OFFSET_VAR | ISDATAAT_RELATIVE));
3728  FAIL_IF(isdd->dataat != 1);
3729 
3730  FAIL_IF(sm->next != NULL);
3731  DetectEngineCtxFree(de_ctx);
3732 
3733  PASS;
3734 }
3735 
3736 static int DetectByteExtractTest60(void)
3737 {
3738  DetectEngineCtx *de_ctx = NULL;
3739  int result = 0;
3740  Signature *s = NULL;
3741  SigMatch *sm = NULL;
3742  DetectContentData *cd = NULL;
3743  SCDetectByteExtractData *bed1 = NULL;
3744  DetectIsdataatData *isdd = NULL;
3745 
3746  de_ctx = DetectEngineCtxInit();
3747  if (de_ctx == NULL)
3748  goto end;
3749 
3750  de_ctx->flags |= DE_QUIET;
3751  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3752  "(msg:\"Testing bytejump_body\"; "
3753  "content:\"one\"; "
3754  "byte_extract:4,0,two,string,hex,relative; "
3755  "uricontent: \"three\"; "
3756  "byte_extract:4,0,four,string,hex,relative; "
3757  "isdataat: two; "
3758  "sid:1;)");
3759  if (de_ctx->sig_list == NULL) {
3760  result = 0;
3761  goto end;
3762  }
3763 
3764  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3765  result = 0;
3766  goto end;
3767  }
3768 
3769  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3770  if (sm->type != DETECT_CONTENT) {
3771  result = 0;
3772  goto end;
3773  }
3774  cd = (DetectContentData *)sm->ctx;
3775  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3776  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3777  cd->flags & DETECT_CONTENT_NOCASE ||
3778  cd->flags & DETECT_CONTENT_WITHIN ||
3779  cd->flags & DETECT_CONTENT_DISTANCE ||
3780  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3781  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3782  cd->flags & DETECT_CONTENT_NEGATED ) {
3783  printf("one failed\n");
3784  result = 0;
3785  goto end;
3786  }
3787 
3788  sm = sm->next;
3789  if (sm->type != DETECT_BYTE_EXTRACT) {
3790  result = 0;
3791  goto end;
3792  }
3793  bed1 = (SCDetectByteExtractData *)sm->ctx;
3794  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3795  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3796  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3797  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3798  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3799  goto end;
3800  }
3801  if (bed1->local_id != 0) {
3802  result = 0;
3803  goto end;
3804  }
3805 
3806  sm = sm->next;
3807  if (sm->type != DETECT_ISDATAAT) {
3808  result = 0;
3809  goto end;
3810  }
3811  isdd = (DetectIsdataatData *)sm->ctx;
3812  if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
3813  isdd->dataat != bed1->local_id) {
3814  printf("isdataat failed\n");
3815  result = 0;
3816  goto end;
3817  }
3818 
3819  if (sm->next != NULL)
3820  goto end;
3821 
3822  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3823  if (sm == NULL) {
3824  result = 0;
3825  goto end;
3826  }
3827  if (sm->type != DETECT_CONTENT) {
3828  result = 0;
3829  goto end;
3830  }
3831  cd = (DetectContentData *)sm->ctx;
3832  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
3833  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
3834  printf("one failed\n");
3835  result = 0;
3836  goto end;
3837  }
3838 
3839  sm = sm->next;
3840  if (sm->type != DETECT_BYTE_EXTRACT) {
3841  result = 0;
3842  goto end;
3843  }
3844  bed1 = (SCDetectByteExtractData *)sm->ctx;
3845  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
3846  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3847  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3848  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3849  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3850  goto end;
3851  }
3852  if (bed1->local_id != 0) {
3853  result = 0;
3854  goto end;
3855  }
3856 
3857  if (sm->next != NULL)
3858  goto end;
3859 
3860  result = 1;
3861 
3862  end:
3863  SigGroupCleanup(de_ctx);
3864  SigCleanSignatures(de_ctx);
3865  DetectEngineCtxFree(de_ctx);
3866 
3867  return result;
3868 }
3869 
3870 static int DetectByteExtractTest61(void)
3871 {
3872  DetectEngineCtx *de_ctx = NULL;
3873  int result = 0;
3874  Signature *s = NULL;
3875  SigMatch *sm = NULL;
3876  DetectContentData *cd = NULL;
3877  SCDetectByteExtractData *bed1 = NULL;
3878  DetectIsdataatData *isdd = NULL;
3879 
3880  de_ctx = DetectEngineCtxInit();
3881  if (de_ctx == NULL)
3882  goto end;
3883 
3884  de_ctx->flags |= DE_QUIET;
3885  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3886  "(msg:\"Testing bytejump_body\"; "
3887  "content:\"one\"; "
3888  "byte_extract:4,0,two,string,hex,relative; "
3889  "uricontent: \"three\"; "
3890  "byte_extract:4,0,four,string,hex,relative; "
3891  "isdataat: four, relative; "
3892  "sid:1;)");
3893  if (de_ctx->sig_list == NULL) {
3894  result = 0;
3895  goto end;
3896  }
3897 
3898  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3899  result = 0;
3900  goto end;
3901  }
3902 
3903  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3904  if (sm->type != DETECT_CONTENT) {
3905  result = 0;
3906  goto end;
3907  }
3908  cd = (DetectContentData *)sm->ctx;
3909  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3910  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3911  cd->flags & DETECT_CONTENT_NOCASE ||
3912  cd->flags & DETECT_CONTENT_WITHIN ||
3913  cd->flags & DETECT_CONTENT_DISTANCE ||
3914  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3915  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3916  cd->flags & DETECT_CONTENT_NEGATED ) {
3917  printf("one failed\n");
3918  result = 0;
3919  goto end;
3920  }
3921 
3922  sm = sm->next;
3923  if (sm->type != DETECT_BYTE_EXTRACT) {
3924  result = 0;
3925  goto end;
3926  }
3927  bed1 = (SCDetectByteExtractData *)sm->ctx;
3928  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3929  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3930  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3931  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3932  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3933  goto end;
3934  }
3935  if (bed1->local_id != 0) {
3936  result = 0;
3937  goto end;
3938  }
3939 
3940  if (sm->next != NULL)
3941  goto end;
3942 
3943  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3944  if (sm == NULL) {
3945  result = 0;
3946  goto end;
3947  }
3948  if (sm->type != DETECT_CONTENT) {
3949  result = 0;
3950  goto end;
3951  }
3952  cd = (DetectContentData *)sm->ctx;
3953  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
3954  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
3955  printf("one failed\n");
3956  result = 0;
3957  goto end;
3958  }
3959 
3960  sm = sm->next;
3961  if (sm->type != DETECT_BYTE_EXTRACT) {
3962  result = 0;
3963  goto end;
3964  }
3965  bed1 = (SCDetectByteExtractData *)sm->ctx;
3966  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
3967  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3968  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3969  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3970  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3971  goto end;
3972  }
3973  if (bed1->local_id != 0) {
3974  result = 0;
3975  goto end;
3976  }
3977 
3978  sm = sm->next;
3979  if (sm->type != DETECT_ISDATAAT) {
3980  result = 0;
3981  goto end;
3982  }
3983  isdd = (DetectIsdataatData *)sm->ctx;
3984  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
3985  ISDATAAT_RELATIVE) ||
3986  isdd->dataat != bed1->local_id) {
3987  printf("isdataat failed\n");
3988  result = 0;
3989  goto end;
3990  }
3991 
3992  if (sm->next != NULL)
3993  goto end;
3994 
3995  result = 1;
3996 
3997  end:
3998  SigGroupCleanup(de_ctx);
3999  SigCleanSignatures(de_ctx);
4000  DetectEngineCtxFree(de_ctx);
4001 
4002  return result;
4003 }
4004 
4005 static int DetectByteExtractTest62(void)
4006 {
4007  DetectEngineCtx *de_ctx = NULL;
4008  int result = 0;
4009  Signature *s = NULL;
4010  SigMatch *sm = NULL;
4011  SCDetectByteExtractData *bed = NULL;
4012 
4013  de_ctx = DetectEngineCtxInit();
4014  if (de_ctx == NULL)
4015  goto end;
4016 
4017  de_ctx->flags |= DE_QUIET;
4018  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4019  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4020  "sid:1;)");
4021  if (de_ctx->sig_list == NULL) {
4022  goto end;
4023  }
4024 
4025  sm = DetectBufferGetFirstSigMatch(s, g_file_data_buffer_id);
4026  if (sm == NULL) {
4027  goto end;
4028  }
4029  if (sm->type != DETECT_BYTE_EXTRACT) {
4030  goto end;
4031  }
4032  bed = (SCDetectByteExtractData *)sm->ctx;
4033  if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", 3) != 0 ||
4034  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
4035  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4036  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
4037  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4038  goto end;
4039  }
4040 
4041  result = 1;
4042 
4043  end:
4044  SigGroupCleanup(de_ctx);
4045  SigCleanSignatures(de_ctx);
4046  DetectEngineCtxFree(de_ctx);
4047 
4048  return result;
4049 }
4050 
4051 static int DetectByteExtractTest63(void)
4052 {
4053  int result = 0;
4054 
4055  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4056  if (bed == NULL)
4057  goto end;
4058 
4059  if (bed->nbytes != 4 || bed->offset != -2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
4060  bed->endian != BigEndian || bed->align_value != 0 ||
4061  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4062  goto end;
4063  }
4064 
4065  result = 1;
4066  end:
4067  if (bed != NULL)
4068  DetectByteExtractFree(NULL, bed);
4069  return result;
4070 }
4071 
4072 static int DetectByteExtractTestParseNoBase(void)
4073 {
4074  int result = 0;
4075 
4076  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4077  if (bed == NULL)
4078  goto end;
4079 
4080  if (bed->nbytes != 4) {
4081  goto end;
4082  }
4083  if (bed->offset != 2) {
4084  goto end;
4085  }
4086  if (strcmp(bed->name, "one") != 0) {
4087  goto end;
4088  }
4089  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4090  goto end;
4091  }
4092  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4093  goto end;
4094  }
4095  if (bed->align_value != 0) {
4096  goto end;
4097  }
4098  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4099  goto end;
4100  }
4101 
4102  result = 1;
4103  end:
4104  if (bed != NULL)
4105  DetectByteExtractFree(NULL, bed);
4106  return result;
4107 }
4108 
4109 static void DetectByteExtractRegisterTests(void)
4110 {
4111  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4112  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4113 
4114  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4115  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4116  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4117  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4118  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4119  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4120  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4121  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4122  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4123  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4124  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4125  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4126  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4127  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4128  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4129  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4130  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4131  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4132  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4133  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4134  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4135  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4136  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4137  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4138  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4139  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4140  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4141  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4142  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4143  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4144  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4145  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4146  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4147  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4148  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4149  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4150  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4151  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4152  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4153  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4154  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4155  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4156 
4157  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4158  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4159 
4160  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4161  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4162 
4163  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4164  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4165 
4166  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4167  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4168 
4169  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4170  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4171 
4172  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4173  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4174 
4175  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4176  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4177  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4178 
4179  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4180  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4181  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4182  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4183  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4184  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4185 
4186  UtRegisterTest("DetectByteExtractTestParseNoBase",
4187  DetectByteExtractTestParseNoBase);
4188 }
4189 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:107
util-byte.h
DetectBytetestData_::flags
uint16_t flags
Definition: detect-bytetest.h:58
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1307
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1737
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:535
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1122
detect-engine.h
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1325
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:116
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:586
SigTableElmt_::desc
const char * desc
Definition: detect.h:1306
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:127
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:58
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1294
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
SigTableElmt_::name
const char * name
Definition: detect.h:1304
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:588
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:84
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
DetectContentData_::within
int32_t within
Definition: detect-content.h:109
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:70
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:49
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:361
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2611
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:48
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:46
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:55
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectBytetestData_
Definition: detect-bytetest.h:53
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
SigMatchData_
Data needed for Match()
Definition: detect.h:358
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1289
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:46
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:50
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1093
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:700
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:82
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:54
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:570
detect.h
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:50
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:353
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2285
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:352
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2211
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
detect-engine-build.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:670
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1272
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:375
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:919
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:72
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:344
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:141
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:83
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:350
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:55
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:108
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:849
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:591
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:805
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:86
Signature_
Signature container.
Definition: detect.h:601
SigMatch_
a single match condition for a signature
Definition: detect.h:349
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:94
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:132
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:60
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:33
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2572
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:69
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
DetectPcreData_
Definition: detect-pcre.h:42
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:85
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:606
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:436
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:592
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:56
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:62
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1296
DETECT_BYTEJUMP_OFFSET_VAR
#define DETECT_BYTEJUMP_OFFSET_VAR
Definition: detect-bytejump.h:44
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:49
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
detect-bytetest.h