suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-state.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-bytejump.h"
36 #include "detect-bytetest.h"
37 #include "detect-byte-extract.h"
38 #include "detect-isdataat.h"
39 
40 #include "app-layer-protos.h"
41 
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 
46 #include "util-byte.h"
47 #include "util-debug.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "util-spm.h"
51 
52 /* the default value of endianess to be used, if none's specified */
53 #define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT DETECT_BYTE_EXTRACT_ENDIAN_BIG
54 
55 /* the base to be used if string mode is specified. These options would be
56  * specified in DetectByteParseData->base */
57 #define DETECT_BYTE_EXTRACT_BASE_NONE 0
58 #define DETECT_BYTE_EXTRACT_BASE_HEX 16
59 #define DETECT_BYTE_EXTRACT_BASE_DEC 10
60 #define DETECT_BYTE_EXTRACT_BASE_OCT 8
61 
62 /* the default value for multiplier. Either ways we always store a
63  * multiplier, 1 or otherwise, so that we can always multiply the extracted
64  * value and store it, instead of checking if a multiplier is set or not */
65 #define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT 1
66 /* the min/max limit for multiplier */
67 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT 1
68 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT 65535
69 
70 /* the max no of bytes that can be extracted in string mode - (string, hex)
71  * (string, oct) or (string, dec) */
72 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
73 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
74 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
75 /* the max no of bytes that can be extraced in non-string mode */
76 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
77 
78 #define PARSE_REGEX "^" \
79  "\\s*([0-9]+)\\s*" \
80  ",\\s*(-?[0-9]+)\\s*" \
81  ",\\s*([^\\s,]+)\\s*" \
82  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
83  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
84  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
85  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
86  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
87  "$"
88 
89 static DetectParseRegex parse_regex;
90 
91 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
92 #ifdef UNITTESTS
93 static void DetectByteExtractRegisterTests(void);
94 #endif
95 static void DetectByteExtractFree(DetectEngineCtx *, void *);
96 
97 /**
98  * \brief Registers the keyword handlers for the "byte_extract" keyword.
99  */
100 void DetectByteExtractRegister(void)
101 {
102  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
103  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
104  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
105  sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
106  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
107  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
108 #ifdef UNITTESTS
109  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
110 #endif
111  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
112 }
113 
114 int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
115  const Signature *s, const uint8_t *payload,
116  uint16_t payload_len, uint64_t *value,
117  uint8_t endian)
118 {
119  DetectByteExtractData *data = (DetectByteExtractData *)smd->ctx;
120  const uint8_t *ptr = NULL;
121  int32_t len = 0;
122  uint64_t val = 0;
123  int extbytes;
124 
125  if (payload_len == 0) {
126  return 0;
127  }
128 
129  /* Calculate the ptr value for the bytetest and length remaining in
130  * the packet from that point.
131  */
132  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
133  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
134  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
135 
136  ptr = payload + det_ctx->buffer_offset;
137  len = payload_len - det_ctx->buffer_offset;
138 
139  ptr += data->offset;
140  len -= data->offset;
141 
142  /* No match if there is no relative base */
143  if (len <= 0) {
144  return 0;
145  }
146  //PrintRawDataFp(stdout,ptr,len);
147  } else {
148  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
149 
150  ptr = payload + data->offset;
151  len = payload_len - data->offset;
152  }
153 
154  /* Validate that the to-be-extracted is within the packet */
155  if (ptr < payload || data->nbytes > len) {
156  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
157  payload, ptr, len, data->nbytes);
158  return 0;
159  }
160 
161  /* Extract the byte data */
162  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
163  extbytes = ByteExtractStringUint64(&val, data->base,
164  data->nbytes, (const char *)ptr);
165  if (extbytes <= 0) {
166  /* strtoull() return 0 if there is no numeric value in data string */
167  if (val == 0) {
168  SCLogDebug("No Numeric value");
169  return 0;
170  } else {
171  SCLogDebug("error extracting %d bytes of string data: %d",
172  data->nbytes, extbytes);
173  return -1;
174  }
175  }
176  } else {
177  int endianness = (endian == DETECT_BYTE_EXTRACT_ENDIAN_BIG) ?
178  BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
179  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
180  if (extbytes != data->nbytes) {
181  SCLogDebug("error extracting %d bytes of numeric data: %d",
182  data->nbytes, extbytes);
183  return 0;
184  }
185  }
186 
187  /* Adjust the jump value based on flags */
188  val *= data->multiplier_value;
189  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
190  if ((val % data->align_value) != 0) {
191  val += data->align_value - (val % data->align_value);
192  }
193  }
194 
195  ptr += extbytes;
196 
197  det_ctx->buffer_offset = ptr - payload;
198 
199  *value = val;
200  SCLogDebug("extracted value is %"PRIu64, val);
201  return 1;
202 }
203 
204 /**
205  * \internal
206  * \brief Used to parse byte_extract arg.
207  *
208  * \param de_ctx Pointer to the detection engine context
209  * \arg The argument to parse.
210  *
211  * \param bed On success an instance containing the parsed data.
212  * On failure, NULL.
213  */
214 static inline DetectByteExtractData *DetectByteExtractParse(DetectEngineCtx *de_ctx, const char *arg)
215 {
216  DetectByteExtractData *bed = NULL;
217 #undef MAX_SUBSTRINGS
218 #define MAX_SUBSTRINGS 100
219  int ret = 0, res = 0;
220  int ov[MAX_SUBSTRINGS];
221  int i = 0;
222 
223  ret = DetectParsePcreExec(&parse_regex, arg, 0, 0, ov, MAX_SUBSTRINGS);
224  if (ret < 3 || ret > 19) {
225  SCLogError(SC_ERR_PCRE_PARSE, "parse error, ret %" PRId32
226  ", string \"%s\"", ret, arg);
227  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg to byte_extract : %s "
228  "for byte_extract", arg);
229  goto error;
230  }
231 
232  bed = SCMalloc(sizeof(DetectByteExtractData));
233  if (unlikely(bed == NULL))
234  goto error;
235  memset(bed, 0, sizeof(DetectByteExtractData));
236 
237  /* no of bytes to extract */
238  char nbytes_str[64] = "";
239  res = pcre_copy_substring((char *)arg, ov,
240  MAX_SUBSTRINGS, 1, nbytes_str, sizeof(nbytes_str));
241  if (res < 0) {
242  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
243  "for arg 1 for byte_extract");
244  goto error;
245  }
246  if (StringParseUint8(&bed->nbytes, 10, 0,
247  (const char *)nbytes_str) < 0) {
248  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid value for number of bytes"
249  " to be extracted: \"%s\".", nbytes_str);
250  goto error;
251  }
252 
253  /* offset */
254  char offset_str[64] = "";
255  res = pcre_copy_substring((char *)arg, ov,
256  MAX_SUBSTRINGS, 2, offset_str, sizeof(offset_str));
257  if (res < 0) {
258  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
259  "for arg 2 for byte_extract");
260  goto error;
261  }
262  int32_t offset;
263  if (StringParseI32RangeCheck(&offset, 10, 0, (const char *)offset_str, -65535, 65535) < 0) {
264  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid value for offset: \"%s\".", offset_str);
265  goto error;
266  }
267  bed->offset = offset;
268 
269  /* var name */
270  char varname_str[256] = "";
271  res = pcre_copy_substring((char *)arg, ov,
272  MAX_SUBSTRINGS, 3, varname_str, sizeof(varname_str));
273  if (res < 0) {
274  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
275  "for arg 3 for byte_extract");
276  goto error;
277  }
278  bed->name = SCStrdup(varname_str);
279  if (bed->name == NULL)
280  goto error;
281 
282  /* check out other optional args */
283  for (i = 4; i < ret; i++) {
284  char opt_str[64] = "";
285  res = pcre_copy_substring((char *)arg, ov,
286  MAX_SUBSTRINGS, i, opt_str, sizeof(opt_str));
287  if (res < 0) {
288  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
289  "for arg %d for byte_extract", i);
290  goto error;
291  }
292 
293  if (strcmp("relative", opt_str) == 0) {
294  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
295  SCLogError(SC_ERR_INVALID_SIGNATURE, "relative specified more "
296  "than once for byte_extract");
297  goto error;
298  }
299  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
300  } else if (strcmp("multiplier", opt_str) == 0) {
301  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) {
302  SCLogError(SC_ERR_INVALID_SIGNATURE, "multiplier specified more "
303  "than once for byte_extract");
304  goto error;
305  }
306  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER;
307  i++;
308 
309  char multiplier_str[16] = "";
310  res = pcre_copy_substring((char *)arg, ov,
311  MAX_SUBSTRINGS, i, multiplier_str, sizeof(multiplier_str));
312  if (res < 0) {
313  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
314  "for arg %d for byte_extract", i);
315  goto error;
316  }
317  int32_t multiplier;
318  if (StringParseI32RangeCheck(&multiplier, 10, 0,
319  (const char *)multiplier_str,
320  DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT,
321  DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT) < 0) {
322  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid value for"
323  "multiplier: \"%s\".", multiplier_str);
324  goto error;
325  }
326  bed->multiplier_value = multiplier;
327  } else if (strcmp("big", opt_str) == 0) {
328  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
329  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
330  "more than once for byte_extract");
331  goto error;
332  }
333  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
334  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_BIG;
335  } else if (strcmp("little", opt_str) == 0) {
336  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
337  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
338  "more than once for byte_extract");
339  goto error;
340  }
341  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
342  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_LITTLE;
343  } else if (strcmp("dce", opt_str) == 0) {
344  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
345  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
346  "more than once for byte_extract");
347  goto error;
348  }
349  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
350  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DCE;
351  } else if (strcmp("string", opt_str) == 0) {
352  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
353  SCLogError(SC_ERR_INVALID_SIGNATURE, "string specified more "
354  "than once for byte_extract");
355  goto error;
356  }
357  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
358  SCLogError(SC_ERR_INVALID_SIGNATURE, "The right way to specify "
359  "base is (string, base) and not (base, string) "
360  "for byte_extract");
361  goto error;
362  }
363  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_STRING;
364  } else if (strcmp("hex", opt_str) == 0) {
365  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
366  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(hex) specified "
367  "without specifying string. The right way is "
368  "(string, base) and not (base, string)");
369  goto error;
370  }
371  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
372  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
373  "specified for byte_extract");
374  goto error;
375  }
376  bed->base = DETECT_BYTE_EXTRACT_BASE_HEX;
377  } else if (strcmp("oct", opt_str) == 0) {
378  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
379  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(oct) specified "
380  "without specifying string. The right way is "
381  "(string, base) and not (base, string)");
382  goto error;
383  }
384  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
385  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
386  "specified for byte_extract");
387  goto error;
388  }
389  bed->base = DETECT_BYTE_EXTRACT_BASE_OCT;
390  } else if (strcmp("dec", opt_str) == 0) {
391  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
392  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(dec) specified "
393  "without specifying string. The right way is "
394  "(string, base) and not (base, string)");
395  goto error;
396  }
397  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
398  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
399  "specified for byte_extract");
400  goto error;
401  }
402  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
403  } else if (strcmp("align", opt_str) == 0) {
404  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
405  SCLogError(SC_ERR_INVALID_SIGNATURE, "Align specified more "
406  "than once for byte_extract");
407  goto error;
408  }
409  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ALIGN;
410  i++;
411 
412  char align_str[16] = "";
413  res = pcre_copy_substring((char *)arg, ov,
414  MAX_SUBSTRINGS, i, align_str, sizeof(align_str));
415  if (res < 0) {
416  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
417  "for arg %d in byte_extract", i);
418  goto error;
419  }
420  if (StringParseUint8(&bed->align_value, 10, 0,
421  (const char *)align_str) < 0) {
422  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid align_value: "
423  "\"%s\".", align_str);
424  goto error;
425  }
426  if (!(bed->align_value == 2 || bed->align_value == 4)) {
427  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid align_value for "
428  "byte_extract - \"%d\"", bed->align_value);
429  goto error;
430  }
431  } else if (strcmp("", opt_str) == 0) {
432  ;
433  } else {
434  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid option - \"%s\" "
435  "specified in byte_extract", opt_str);
436  goto error;
437  }
438  } /* for (i = 4; i < ret; i++) */
439 
440  /* validation */
441  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER)) {
442  /* default value */
443  bed->multiplier_value = DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT;
444  }
445 
446  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
447  if (bed->base == DETECT_BYTE_EXTRACT_BASE_NONE) {
448  /* Default to decimal if base not specified. */
449  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
450  }
451  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
452  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't have "
453  "endian \"big\" or \"little\" specified along with "
454  "\"string\"");
455  goto error;
456  }
457  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
458  /* if are dealing with octal nos, the max no that can fit in a 8
459  * byte value is 01777777777777777777777 */
460  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
461  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
462  "more than %d bytes in \"string\" extraction",
463  STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
464  goto error;
465  }
466  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
467  /* if are dealing with decimal nos, the max no that can fit in a 8
468  * byte value is 18446744073709551615 */
469  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
470  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
471  "more than %d bytes in \"string\" extraction",
472  STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
473  goto error;
474  }
475  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
476  /* if are dealing with hex nos, the max no that can fit in a 8
477  * byte value is 0xFFFFFFFFFFFFFFFF */
478  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
479  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
480  "more than %d bytes in \"string\" extraction",
481  STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
482  goto error;
483  }
484  } else {
485  ; // just a placeholder. we won't reach here.
486  }
487  } else {
488  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
489  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
490  "more than %d bytes in \"non-string\" extraction",
491  NO_STRING_MAX_BYTES_TO_EXTRACT);
492  goto error;
493  }
494  /* if string has not been specified and no endian option has been
495  * specified, then set the default endian level of BIG */
496  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
497  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT;
498  }
499 
500  return bed;
501  error:
502  if (bed != NULL)
503  DetectByteExtractFree(de_ctx, bed);
504  return NULL;
505 }
506 
507 /**
508  * \brief The setup function for the byte_extract keyword for a signature.
509  *
510  * \param de_ctx Pointer to the detection engine context.
511  * \param s Pointer to signature for the current Signature being parsed
512  * from the rules.
513  * \param m Pointer to the head of the SigMatch for the current rule
514  * being parsed.
515  * \param arg Pointer to the string holding the keyword value.
516  *
517  * \retval 0 On success.
518  * \retval -1 On failure.
519  */
520 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
521 {
522  SigMatch *sm = NULL;
523  SigMatch *prev_pm = NULL;
524  DetectByteExtractData *data = NULL;
525  int ret = -1;
526 
527  data = DetectByteExtractParse(de_ctx, arg);
528  if (data == NULL)
529  goto error;
530 
531  int sm_list;
532  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
533  sm_list = s->init_data->list;
534 
535  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
536  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
537  }
538  } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
539  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
540  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
541  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
542  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
543  if (prev_pm == NULL) {
544  sm_list = DETECT_SM_LIST_PMATCH;
545  } else {
546  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
547  if (sm_list < 0)
548  goto error;
549  }
550  } else {
551  sm_list = DETECT_SM_LIST_PMATCH;
552  }
553 
554  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
555  goto error;
556  s->flags |= SIG_FLAG_APPLAYER;
557 
558  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
559  prev_pm = DetectGetLastSMFromLists(s,
560  DETECT_CONTENT, DETECT_PCRE,
561  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
562  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
563  if (prev_pm == NULL) {
564  sm_list = DETECT_SM_LIST_PMATCH;
565  } else {
566  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
567  if (sm_list < 0)
568  goto error;
569  if (sm_list != DETECT_SM_LIST_PMATCH)
570  s->flags |= SIG_FLAG_APPLAYER;
571  }
572 
573  } else {
574  sm_list = DETECT_SM_LIST_PMATCH;
575  }
576 
577  if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
578  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
579  goto error;
580 
581  if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
582  (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
583  (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
584  (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
585  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
586  "A byte_jump keyword with dce holds other invalid modifiers.");
587  goto error;
588  }
589  }
590 
591  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
592  DETECT_BYTE_EXTRACT, -1);
593  if (prev_bed_sm == NULL)
594  data->local_id = 0;
595  else
596  data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
597  if (data->local_id > de_ctx->byte_extract_max_local_id)
598  de_ctx->byte_extract_max_local_id = data->local_id;
599 
600 
601  sm = SigMatchAlloc();
602  if (sm == NULL)
603  goto error;
604  sm->type = DETECT_BYTE_EXTRACT;
605  sm->ctx = (void *)data;
606  SigMatchAppendSMToList(s, sm, sm_list);
607 
608 
609  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
610  goto okay;
611 
612  if (prev_pm == NULL)
613  goto okay;
614 
615  if (prev_pm->type == DETECT_CONTENT) {
616  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
617  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
618  } else if (prev_pm->type == DETECT_PCRE) {
619  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
620  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
621  }
622 
623  okay:
624  ret = 0;
625  return ret;
626  error:
627  DetectByteExtractFree(de_ctx, data);
628  return ret;
629 }
630 
631 /**
632  * \brief Used to free instances of DetectByteExtractData.
633  *
634  * \param ptr Instance of DetectByteExtractData to be freed.
635  */
636 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
637 {
638  if (ptr != NULL) {
639  DetectByteExtractData *bed = ptr;
640  if (bed->name != NULL)
641  SCFree((void *)bed->name);
642  SCFree(bed);
643  }
644 
645  return;
646 }
647 
648 /**
649  * \brief Lookup the SigMatch for a named byte_extract variable.
650  *
651  * \param arg The name of the byte_extract variable to lookup.
652  * \param s Pointer the signature to look in.
653  *
654  * \retval A pointer to the SigMatch if found, otherwise NULL.
655  */
656 SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
657 {
658  const int nlists = s->init_data->smlists_array_size;
659  for (int list = 0; list < nlists; list++) {
660  SigMatch *sm = s->init_data->smlists[list];
661  while (sm != NULL) {
662  if (sm->type == DETECT_BYTE_EXTRACT) {
663  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
664  if (strcmp(bed->name, arg) == 0) {
665  return sm;
666  }
667  }
668  sm = sm->next;
669  }
670  }
671 
672  return NULL;
673 }
674 
675 /*************************************Unittests********************************/
676 
677 #ifdef UNITTESTS
678 
679 static int g_file_data_buffer_id = 0;
680 static int g_http_uri_buffer_id = 0;
681 
682 static int DetectByteExtractTest01(void)
683 {
684  int result = 0;
685 
686  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
687  if (bed == NULL)
688  goto end;
689 
690  if (bed->nbytes != 4 ||
691  bed->offset != 2 ||
692  strcmp(bed->name, "one") != 0 ||
693  bed->flags != 0 ||
694  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
695  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
696  bed->align_value != 0 ||
697  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
698  goto end;
699  }
700 
701  result = 1;
702  end:
703  if (bed != NULL)
704  DetectByteExtractFree(NULL, bed);
705  return result;
706 }
707 
708 static int DetectByteExtractTest02(void)
709 {
710  int result = 0;
711 
712  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
713  if (bed == NULL)
714  goto end;
715 
716  if (bed->nbytes != 4 ||
717  bed->offset != 2 ||
718  strcmp(bed->name, "one") != 0 ||
719  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE ||
720  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
721  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
722  bed->align_value != 0 ||
723  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
724  goto end;
725  }
726 
727  result = 1;
728  end:
729  if (bed != NULL)
730  DetectByteExtractFree(NULL, bed);
731  return result;
732 }
733 
734 static int DetectByteExtractTest03(void)
735 {
736  int result = 0;
737 
738  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
739  if (bed == NULL)
740  goto end;
741 
742  if (bed->nbytes != 4 ||
743  bed->offset != 2 ||
744  strcmp(bed->name, "one") != 0 ||
745  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER ||
746  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
747  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
748  bed->align_value != 0 ||
749  bed->multiplier_value != 10) {
750  goto end;
751  }
752 
753  result = 1;
754  end:
755  if (bed != NULL)
756  DetectByteExtractFree(NULL, bed);
757  return result;
758 }
759 
760 static int DetectByteExtractTest04(void)
761 {
762  int result = 0;
763 
764  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
765  if (bed == NULL)
766  goto end;
767 
768  if (bed->nbytes != 4 ||
769  bed->offset != 2 ||
770  strcmp(bed->name, "one") != 0 ||
771  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
772  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
773  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
774  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
775  bed->align_value != 0 ||
776  bed->multiplier_value != 10) {
777  goto end;
778  }
779 
780  result = 1;
781  end:
782  if (bed != NULL)
783  DetectByteExtractFree(NULL, bed);
784  return result;
785 }
786 
787 static int DetectByteExtractTest05(void)
788 {
789  int result = 0;
790 
791  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
792  if (bed == NULL)
793  goto end;
794 
795  if (bed->nbytes != 4 ||
796  bed->offset != 2 ||
797  strcmp(bed->name, "one") != 0 ||
798  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
799  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
800  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
801  bed->align_value != 0 ||
802  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
803  goto end;
804  }
805 
806  result = 1;
807  end:
808  if (bed != NULL)
809  DetectByteExtractFree(NULL, bed);
810  return result;
811 }
812 
813 static int DetectByteExtractTest06(void)
814 {
815  int result = 0;
816 
817  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
818  if (bed == NULL)
819  goto end;
820 
821  if (bed->nbytes != 4 ||
822  bed->offset != 2 ||
823  strcmp(bed->name, "one") != 0 ||
824  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
825  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
826  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
827  bed->align_value != 0 ||
828  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
829  goto end;
830  }
831 
832  result = 1;
833  end:
834  if (bed != NULL)
835  DetectByteExtractFree(NULL, bed);
836  return result;
837 }
838 
839 static int DetectByteExtractTest07(void)
840 {
841  int result = 0;
842 
843  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
844  if (bed == NULL)
845  goto end;
846 
847  if (bed->nbytes != 4 ||
848  bed->offset != 2 ||
849  strcmp(bed->name, "one") != 0 ||
850  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
851  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
852  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
853  bed->align_value != 0 ||
854  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
855  goto end;
856  }
857 
858  result = 1;
859  end:
860  if (bed != NULL)
861  DetectByteExtractFree(NULL, bed);
862  return result;
863 }
864 
865 static int DetectByteExtractTest08(void)
866 {
867  int result = 0;
868 
869  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
870  if (bed == NULL)
871  goto end;
872 
873  if (bed->nbytes != 4 ||
874  bed->offset != 2 ||
875  strcmp(bed->name, "one") != 0 ||
876  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
877  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
878  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
879  bed->align_value != 0 ||
880  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
881  goto end;
882  }
883 
884  result = 1;
885  end:
886  if (bed != NULL)
887  DetectByteExtractFree(NULL, bed);
888  return result;
889 }
890 
891 static int DetectByteExtractTest09(void)
892 {
893  int result = 0;
894 
895  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
896  if (bed == NULL)
897  goto end;
898 
899  if (bed->nbytes != 4 ||
900  bed->offset != 2 ||
901  strcmp(bed->name, "one") != 0 ||
902  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
903  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
904  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT ||
905  bed->align_value != 0 ||
906  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
907  goto end;
908  }
909 
910  result = 1;
911  end:
912  if (bed != NULL)
913  DetectByteExtractFree(NULL, bed);
914  return result;
915 }
916 
917 static int DetectByteExtractTest10(void)
918 {
919  int result = 0;
920 
921  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
922  if (bed == NULL)
923  goto end;
924 
925  if (bed->nbytes != 4 ||
926  bed->offset != 2 ||
927  strcmp(bed->name, "one") != 0 ||
928  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
929  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
930  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC ||
931  bed->align_value != 0 ||
932  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
933  goto end;
934  }
935 
936  result = 1;
937  end:
938  if (bed != NULL)
939  DetectByteExtractFree(NULL, bed);
940  return result;
941 }
942 
943 static int DetectByteExtractTest11(void)
944 {
945  int result = 0;
946 
947  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
948  if (bed == NULL)
949  goto end;
950 
951  if (bed->nbytes != 4 ||
952  bed->offset != 2 ||
953  strcmp(bed->name, "one") != 0 ||
954  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN ||
955  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
956  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
957  bed->align_value != 4 ||
958  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
959  goto end;
960  }
961 
962  result = 1;
963  end:
964  if (bed != NULL)
965  DetectByteExtractFree(NULL, bed);
966  return result;
967 }
968 
969 static int DetectByteExtractTest12(void)
970 {
971  int result = 0;
972 
973  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
974  if (bed == NULL)
975  goto end;
976 
977  if (bed->nbytes != 4 ||
978  bed->offset != 2 ||
979  strcmp(bed->name, "one") != 0 ||
980  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
981  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
982  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
983  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
984  bed->align_value != 4 ||
985  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
986  goto end;
987  }
988 
989  result = 1;
990  end:
991  if (bed != NULL)
992  DetectByteExtractFree(NULL, bed);
993  return result;
994 }
995 
996 static int DetectByteExtractTest13(void)
997 {
998  int result = 0;
999 
1000  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
1001  if (bed == NULL)
1002  goto end;
1003 
1004  if (bed->nbytes != 4 ||
1005  bed->offset != 2 ||
1006  strcmp(bed->name, "one") != 0 ||
1007  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1008  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1009  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1010  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
1011  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1012  bed->align_value != 4 ||
1013  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1014  goto end;
1015  }
1016 
1017  result = 1;
1018  end:
1019  if (bed != NULL)
1020  DetectByteExtractFree(NULL, bed);
1021  return result;
1022 }
1023 
1024 static int DetectByteExtractTest14(void)
1025 {
1026  int result = 0;
1027 
1028  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
1029  if (bed == NULL)
1030  goto end;
1031 
1032  if (bed->nbytes != 4 ||
1033  bed->offset != 2 ||
1034  strcmp(bed->name, "one") != 0 ||
1035  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1036  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1037  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1038  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
1039  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1040  bed->align_value != 4 ||
1041  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1042  goto end;
1043  }
1044 
1045  result = 1;
1046  end:
1047  if (bed != NULL)
1048  DetectByteExtractFree(NULL, bed);
1049  return result;
1050 }
1051 
1052 static int DetectByteExtractTest15(void)
1053 {
1054  int result = 0;
1055 
1056  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
1057  if (bed == NULL)
1058  goto end;
1059 
1060  if (bed->nbytes != 4 ||
1061  bed->offset != 2 ||
1062  strcmp(bed->name, "one") != 0 ||
1063  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1064  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1065  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1066  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1067  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1068  bed->align_value != 4 ||
1069  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1070  goto end;
1071  }
1072 
1073  result = 1;
1074  end:
1075  if (bed != NULL)
1076  DetectByteExtractFree(NULL, bed);
1077  return result;
1078 }
1079 
1080 static int DetectByteExtractTest16(void)
1081 {
1082  int result = 0;
1083 
1084  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
1085  if (bed == NULL)
1086  goto end;
1087 
1088  if (bed->nbytes != 4 ||
1089  bed->offset != 2 ||
1090  strcmp(bed->name, "one") != 0 ||
1091  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1092  DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1093  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1094  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
1095  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1096  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1097  bed->align_value != 4 ||
1098  bed->multiplier_value != 2) {
1099  goto end;
1100  }
1101 
1102  result = 1;
1103  end:
1104  if (bed != NULL)
1105  DetectByteExtractFree(NULL, bed);
1106  return result;
1107 }
1108 
1109 static int DetectByteExtractTest17(void)
1110 {
1111  int result = 0;
1112 
1113  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1114  "relative, little, "
1115  "multiplier 2, string hex");
1116  if (bed != NULL)
1117  goto end;
1118 
1119  result = 1;
1120  end:
1121  if (bed != NULL)
1122  DetectByteExtractFree(NULL, bed);
1123  return result;
1124 }
1125 
1126 static int DetectByteExtractTest18(void)
1127 {
1128  int result = 0;
1129 
1130  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1131  "relative, little, "
1132  "multiplier 2, "
1133  "relative");
1134  if (bed != NULL)
1135  goto end;
1136 
1137  result = 1;
1138  end:
1139  if (bed != NULL)
1140  DetectByteExtractFree(NULL, bed);
1141  return result;
1142 }
1143 
1144 static int DetectByteExtractTest19(void)
1145 {
1146  int result = 0;
1147 
1148  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1149  "relative, little, "
1150  "multiplier 2, "
1151  "little");
1152  if (bed != NULL)
1153  goto end;
1154 
1155  result = 1;
1156  end:
1157  if (bed != NULL)
1158  DetectByteExtractFree(NULL, bed);
1159  return result;
1160 }
1161 
1162 static int DetectByteExtractTest20(void)
1163 {
1164  int result = 0;
1165 
1166  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1167  "relative, "
1168  "multiplier 2, "
1169  "align 2");
1170  if (bed != NULL)
1171  goto end;
1172 
1173  result = 1;
1174  end:
1175  if (bed != NULL)
1176  DetectByteExtractFree(NULL, bed);
1177  return result;
1178 }
1179 
1180 static int DetectByteExtractTest21(void)
1181 {
1182  int result = 0;
1183 
1184  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1185  "multiplier 2, "
1186  "relative, "
1187  "multiplier 2");
1188  if (bed != NULL)
1189  goto end;
1190 
1191  result = 1;
1192  end:
1193  if (bed != NULL)
1194  DetectByteExtractFree(NULL, bed);
1195  return result;
1196 }
1197 
1198 static int DetectByteExtractTest22(void)
1199 {
1200  int result = 0;
1201 
1202  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1203  "string hex, "
1204  "relative, "
1205  "string hex");
1206  if (bed != NULL)
1207  goto end;
1208 
1209  result = 1;
1210  end:
1211  if (bed != NULL)
1212  DetectByteExtractFree(NULL, bed);
1213  return result;
1214 }
1215 
1216 static int DetectByteExtractTest23(void)
1217 {
1218  int result = 0;
1219 
1220  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1221  "string hex, "
1222  "relative, "
1223  "string oct");
1224  if (bed != NULL)
1225  goto end;
1226 
1227  result = 1;
1228  end:
1229  if (bed != NULL)
1230  DetectByteExtractFree(NULL, bed);
1231  return result;
1232 }
1233 
1234 static int DetectByteExtractTest24(void)
1235 {
1236  int result = 0;
1237 
1238  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
1239  "string hex, "
1240  "relative");
1241  if (bed != NULL)
1242  goto end;
1243 
1244  result = 1;
1245  end:
1246  if (bed != NULL)
1247  DetectByteExtractFree(NULL, bed);
1248  return result;
1249 }
1250 
1251 static int DetectByteExtractTest25(void)
1252 {
1253  int result = 0;
1254 
1255  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
1256  "little, "
1257  "relative");
1258  if (bed != NULL)
1259  goto end;
1260 
1261  result = 1;
1262  end:
1263  if (bed != NULL)
1264  DetectByteExtractFree(NULL, bed);
1265  return result;
1266 }
1267 
1268 static int DetectByteExtractTest26(void)
1269 {
1270  int result = 0;
1271 
1272  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1273  "little, "
1274  "relative, "
1275  "multiplier 65536");
1276  if (bed != NULL)
1277  goto end;
1278 
1279  result = 1;
1280  end:
1281  if (bed != NULL)
1282  DetectByteExtractFree(NULL, bed);
1283  return result;
1284 }
1285 
1286 static int DetectByteExtractTest27(void)
1287 {
1288  int result = 0;
1289 
1290  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1291  "little, "
1292  "relative, "
1293  "multiplier 0");
1294  if (bed != NULL)
1295  goto end;
1296 
1297  result = 1;
1298  end:
1299  if (bed != NULL)
1300  DetectByteExtractFree(NULL, bed);
1301  return result;
1302 }
1303 
1304 static int DetectByteExtractTest28(void)
1305 {
1306  int result = 0;
1307 
1308  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
1309  if (bed == NULL)
1310  goto end;
1311 
1312  result = 1;
1313  end:
1314  if (bed != NULL)
1315  DetectByteExtractFree(NULL, bed);
1316  return result;
1317 }
1318 
1319 static int DetectByteExtractTest29(void)
1320 {
1321  int result = 0;
1322 
1323  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
1324  if (bed != NULL)
1325  goto end;
1326 
1327  result = 1;
1328  end:
1329  if (bed != NULL)
1330  DetectByteExtractFree(NULL, bed);
1331  return result;
1332 }
1333 
1334 static int DetectByteExtractTest30(void)
1335 {
1336  int result = 0;
1337 
1338  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1339  if (bed == NULL)
1340  goto end;
1341 
1342  result = 1;
1343  end:
1344  if (bed != NULL)
1345  DetectByteExtractFree(NULL, bed);
1346  return result;
1347 }
1348 
1349 static int DetectByteExtractTest31(void)
1350 {
1351  int result = 0;
1352 
1353  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1354  if (bed != NULL)
1355  goto end;
1356 
1357  result = 1;
1358  end:
1359  if (bed != NULL)
1360  DetectByteExtractFree(NULL, bed);
1361  return result;
1362 }
1363 
1364 static int DetectByteExtractTest32(void)
1365 {
1366  int result = 0;
1367 
1368  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1369  if (bed == NULL)
1370  goto end;
1371 
1372  result = 1;
1373  end:
1374  if (bed != NULL)
1375  DetectByteExtractFree(NULL, bed);
1376  return result;
1377 }
1378 
1379 static int DetectByteExtractTest33(void)
1380 {
1381  int result = 0;
1382 
1383  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1384  if (bed != NULL)
1385  goto end;
1386 
1387  result = 1;
1388  end:
1389  if (bed != NULL)
1390  DetectByteExtractFree(NULL, bed);
1391  return result;
1392 }
1393 
1394 static int DetectByteExtractTest34(void)
1395 {
1396  DetectEngineCtx *de_ctx = NULL;
1397  int result = 0;
1398  Signature *s = NULL;
1399  SigMatch *sm = NULL;
1400  DetectContentData *cd = NULL;
1401  DetectByteExtractData *bed = NULL;
1402 
1403  de_ctx = DetectEngineCtxInit();
1404  if (de_ctx == NULL)
1405  goto end;
1406 
1407  de_ctx->flags |= DE_QUIET;
1408  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1409  "(msg:\"Testing bytejump_body\"; "
1410  "content:\"one\"; "
1411  "byte_extract:4,2,two,relative,string,hex; "
1412  "sid:1;)");
1413  if (de_ctx->sig_list == NULL) {
1414  result = 0;
1415  goto end;
1416  }
1417 
1418  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1419  result = 0;
1420  goto end;
1421  }
1422 
1423  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1424  if (sm->type != DETECT_CONTENT) {
1425  result = 0;
1426  goto end;
1427  }
1428  cd = (DetectContentData *)sm->ctx;
1429  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1430  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1431  cd->flags & DETECT_CONTENT_NOCASE ||
1432  cd->flags & DETECT_CONTENT_WITHIN ||
1433  cd->flags & DETECT_CONTENT_DISTANCE ||
1434  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1435  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1436  cd->flags & DETECT_CONTENT_NEGATED ) {
1437  printf("one failed\n");
1438  result = 0;
1439  goto end;
1440  }
1441 
1442  sm = sm->next;
1443  if (sm->type != DETECT_BYTE_EXTRACT) {
1444  result = 0;
1445  goto end;
1446  }
1447  bed = (DetectByteExtractData *)sm->ctx;
1448  if (bed->nbytes != 4 ||
1449  bed->offset != 2 ||
1450  strncmp(bed->name, "two", cd->content_len) != 0 ||
1451  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1452  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1453  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1454  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1455  bed->align_value != 0 ||
1456  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1457  goto end;
1458  }
1459 
1460  result = 1;
1461 
1462  end:
1463  SigGroupCleanup(de_ctx);
1464  SigCleanSignatures(de_ctx);
1465  DetectEngineCtxFree(de_ctx);
1466 
1467  return result;
1468 }
1469 
1470 static int DetectByteExtractTest35(void)
1471 {
1472  DetectEngineCtx *de_ctx = NULL;
1473  int result = 0;
1474  Signature *s = NULL;
1475  SigMatch *sm = NULL;
1476  DetectContentData *cd = NULL;
1477  DetectPcreData *pd = NULL;
1478  DetectByteExtractData *bed = NULL;
1479 
1480  de_ctx = DetectEngineCtxInit();
1481  if (de_ctx == NULL)
1482  goto end;
1483 
1484  de_ctx->flags |= DE_QUIET;
1485  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1486  "(msg:\"Testing bytejump_body\"; "
1487  "content:\"one\"; pcre:/asf/; "
1488  "byte_extract:4,0,two,relative,string,hex; "
1489  "sid:1;)");
1490  if (de_ctx->sig_list == NULL) {
1491  result = 0;
1492  goto end;
1493  }
1494 
1495  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1496  result = 0;
1497  goto end;
1498  }
1499 
1500  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1501  if (sm->type != DETECT_CONTENT) {
1502  result = 0;
1503  goto end;
1504  }
1505  cd = (DetectContentData *)sm->ctx;
1506  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1507  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1508  cd->flags & DETECT_CONTENT_NOCASE ||
1509  cd->flags & DETECT_CONTENT_WITHIN ||
1510  cd->flags & DETECT_CONTENT_DISTANCE ||
1511  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1512  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1513  cd->flags & DETECT_CONTENT_NEGATED ) {
1514  printf("one failed\n");
1515  result = 0;
1516  goto end;
1517  }
1518 
1519  sm = sm->next;
1520  if (sm->type != DETECT_PCRE) {
1521  result = 0;
1522  goto end;
1523  }
1524  pd = (DetectPcreData *)sm->ctx;
1525  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1526  result = 0;
1527  goto end;
1528  }
1529 
1530  sm = sm->next;
1531  if (sm->type != DETECT_BYTE_EXTRACT) {
1532  result = 0;
1533  goto end;
1534  }
1535  bed = (DetectByteExtractData *)sm->ctx;
1536  if (bed->nbytes != 4 ||
1537  bed->offset != 0 ||
1538  strcmp(bed->name, "two") != 0 ||
1539  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1540  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1541  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1542  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1543  bed->align_value != 0 ||
1544  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1545  goto end;
1546  }
1547 
1548  result = 1;
1549 
1550  end:
1551  SigGroupCleanup(de_ctx);
1552  SigCleanSignatures(de_ctx);
1553  DetectEngineCtxFree(de_ctx);
1554 
1555  return result;
1556 }
1557 
1558 static int DetectByteExtractTest36(void)
1559 {
1560  DetectEngineCtx *de_ctx = NULL;
1561  int result = 0;
1562  Signature *s = NULL;
1563  SigMatch *sm = NULL;
1564  DetectContentData *cd = NULL;
1565  DetectBytejumpData *bjd = NULL;
1566  DetectByteExtractData *bed = NULL;
1567 
1568  de_ctx = DetectEngineCtxInit();
1569  if (de_ctx == NULL)
1570  goto end;
1571 
1572  de_ctx->flags |= DE_QUIET;
1573  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1574  "(msg:\"Testing bytejump_body\"; "
1575  "content:\"one\"; byte_jump:1,13; "
1576  "byte_extract:4,0,two,relative,string,hex; "
1577  "sid:1;)");
1578  if (de_ctx->sig_list == NULL) {
1579  result = 0;
1580  goto end;
1581  }
1582 
1583  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1584  result = 0;
1585  goto end;
1586  }
1587 
1588  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1589  if (sm->type != DETECT_CONTENT) {
1590  result = 0;
1591  goto end;
1592  }
1593  cd = (DetectContentData *)sm->ctx;
1594  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1595  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1596  cd->flags & DETECT_CONTENT_NOCASE ||
1597  cd->flags & DETECT_CONTENT_WITHIN ||
1598  cd->flags & DETECT_CONTENT_DISTANCE ||
1599  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1600  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1601  cd->flags & DETECT_CONTENT_NEGATED ) {
1602  printf("one failed\n");
1603  result = 0;
1604  goto end;
1605  }
1606 
1607  sm = sm->next;
1608  if (sm->type != DETECT_BYTEJUMP) {
1609  result = 0;
1610  goto end;
1611  }
1612  bjd = (DetectBytejumpData *)sm->ctx;
1613  if (bjd->flags != 0) {
1614  result = 0;
1615  goto end;
1616  }
1617 
1618  sm = sm->next;
1619  if (sm->type != DETECT_BYTE_EXTRACT) {
1620  result = 0;
1621  goto end;
1622  }
1623  bed = (DetectByteExtractData *)sm->ctx;
1624  if (bed->nbytes != 4 ||
1625  bed->offset != 0 ||
1626  strcmp(bed->name, "two") != 0 ||
1627  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1628  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1629  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1630  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1631  bed->align_value != 0 ||
1632  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1633  goto end;
1634  }
1635 
1636  result = 1;
1637 
1638  end:
1639  SigGroupCleanup(de_ctx);
1640  SigCleanSignatures(de_ctx);
1641  DetectEngineCtxFree(de_ctx);
1642 
1643  return result;
1644 }
1645 
1646 static int DetectByteExtractTest37(void)
1647 {
1648  DetectEngineCtx *de_ctx = NULL;
1649  int result = 0;
1650  Signature *s = NULL;
1651  SigMatch *sm = NULL;
1652  DetectContentData *cd = NULL;
1653  DetectContentData *ud = NULL;
1654  DetectByteExtractData *bed = NULL;
1655 
1656  de_ctx = DetectEngineCtxInit();
1657  if (de_ctx == NULL)
1658  goto end;
1659 
1660  de_ctx->flags |= DE_QUIET;
1661  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1662  "(msg:\"Testing bytejump_body\"; "
1663  "content:\"one\"; uricontent:\"two\"; "
1664  "byte_extract:4,0,two,relative,string,hex; "
1665  "sid:1;)");
1666  if (de_ctx->sig_list == NULL) {
1667  result = 0;
1668  goto end;
1669  }
1670 
1671  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1672  result = 0;
1673  goto end;
1674  }
1675 
1676  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1677  if (sm->type != DETECT_CONTENT) {
1678  result = 0;
1679  goto end;
1680  }
1681  cd = (DetectContentData *)sm->ctx;
1682  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1683  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1684  cd->flags & DETECT_CONTENT_NOCASE ||
1685  cd->flags & DETECT_CONTENT_WITHIN ||
1686  cd->flags & DETECT_CONTENT_DISTANCE ||
1687  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1688  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1689  cd->flags & DETECT_CONTENT_NEGATED ) {
1690  printf("one failed\n");
1691  result = 0;
1692  goto end;
1693  }
1694 
1695  if (sm->next != NULL) {
1696  result = 0;
1697  goto end;
1698  }
1699 
1700  sm = s->sm_lists[g_http_uri_buffer_id];
1701  if (sm->type != DETECT_CONTENT) {
1702  result = 0;
1703  goto end;
1704  }
1705  ud = (DetectContentData *)sm->ctx;
1706  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1707  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1708  ud->flags & DETECT_CONTENT_NOCASE ||
1709  ud->flags & DETECT_CONTENT_WITHIN ||
1710  ud->flags & DETECT_CONTENT_DISTANCE ||
1711  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1712  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1713  ud->flags & DETECT_CONTENT_NEGATED ) {
1714  printf("two failed\n");
1715  result = 0;
1716  goto end;
1717  }
1718 
1719  sm = sm->next;
1720  if (sm->type != DETECT_BYTE_EXTRACT) {
1721  result = 0;
1722  goto end;
1723  }
1724  bed = (DetectByteExtractData *)sm->ctx;
1725  if (bed->nbytes != 4 ||
1726  bed->offset != 0 ||
1727  strcmp(bed->name, "two") != 0 ||
1728  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1729  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1730  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1731  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1732  bed->align_value != 0 ||
1733  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1734  goto end;
1735  }
1736 
1737  result = 1;
1738 
1739  end:
1740  SigGroupCleanup(de_ctx);
1741  SigCleanSignatures(de_ctx);
1742  DetectEngineCtxFree(de_ctx);
1743 
1744  return result;
1745 }
1746 
1747 static int DetectByteExtractTest38(void)
1748 {
1749  DetectEngineCtx *de_ctx = NULL;
1750  int result = 0;
1751  Signature *s = NULL;
1752  SigMatch *sm = NULL;
1753  DetectContentData *cd = NULL;
1754  DetectContentData *ud = NULL;
1755  DetectByteExtractData *bed = NULL;
1756 
1757  de_ctx = DetectEngineCtxInit();
1758  if (de_ctx == NULL)
1759  goto end;
1760 
1761  de_ctx->flags |= DE_QUIET;
1762  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1763  "(msg:\"Testing bytejump_body\"; "
1764  "content:\"one\"; uricontent:\"two\"; "
1765  "byte_extract:4,0,two,string,hex; "
1766  "sid:1;)");
1767  if (de_ctx->sig_list == NULL) {
1768  result = 0;
1769  goto end;
1770  }
1771 
1772  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1773  result = 0;
1774  goto end;
1775  }
1776 
1777  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1778  if (sm->type != DETECT_CONTENT) {
1779  result = 0;
1780  goto end;
1781  }
1782  cd = (DetectContentData *)sm->ctx;
1783  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1784  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1785  cd->flags & DETECT_CONTENT_NOCASE ||
1786  cd->flags & DETECT_CONTENT_WITHIN ||
1787  cd->flags & DETECT_CONTENT_DISTANCE ||
1788  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1789  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1790  cd->flags & DETECT_CONTENT_NEGATED ) {
1791  printf("one failed\n");
1792  result = 0;
1793  goto end;
1794  }
1795 
1796  sm = sm->next;
1797  if (sm->type != DETECT_BYTE_EXTRACT) {
1798  result = 0;
1799  goto end;
1800  }
1801  bed = (DetectByteExtractData *)sm->ctx;
1802  if (bed->nbytes != 4 ||
1803  bed->offset != 0 ||
1804  strcmp(bed->name, "two") != 0 ||
1805  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
1806  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1807  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1808  bed->align_value != 0 ||
1809  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1810  goto end;
1811  }
1812 
1813  sm = s->sm_lists[g_http_uri_buffer_id];
1814  if (sm->type != DETECT_CONTENT) {
1815  result = 0;
1816  goto end;
1817  }
1818  ud = (DetectContentData *)sm->ctx;
1819  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1820  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1821  ud->flags & DETECT_CONTENT_NOCASE ||
1822  ud->flags & DETECT_CONTENT_WITHIN ||
1823  ud->flags & DETECT_CONTENT_DISTANCE ||
1824  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1825  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1826  ud->flags & DETECT_CONTENT_NEGATED ) {
1827  printf("two failed\n");
1828  result = 0;
1829  goto end;
1830  }
1831 
1832  if (sm->next != NULL) {
1833  result = 0;
1834  goto end;
1835  }
1836 
1837  result = 1;
1838 
1839  end:
1840  SigGroupCleanup(de_ctx);
1841  SigCleanSignatures(de_ctx);
1842  DetectEngineCtxFree(de_ctx);
1843 
1844  return result;
1845 }
1846 
1847 static int DetectByteExtractTest39(void)
1848 {
1849  DetectEngineCtx *de_ctx = NULL;
1850  int result = 0;
1851  Signature *s = NULL;
1852  SigMatch *sm = NULL;
1853  DetectContentData *cd = NULL;
1854  DetectContentData *ud = NULL;
1855  DetectByteExtractData *bed = NULL;
1856 
1857  de_ctx = DetectEngineCtxInit();
1858  if (de_ctx == NULL)
1859  goto end;
1860 
1861  de_ctx->flags |= DE_QUIET;
1862  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1863  "(msg:\"Testing bytejump_body\"; "
1864  "content:\"one\"; content:\"two\"; http_uri; "
1865  "byte_extract:4,0,two,relative,string,hex; "
1866  "sid:1;)");
1867  if (de_ctx->sig_list == NULL) {
1868  result = 0;
1869  goto end;
1870  }
1871 
1872  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1873  result = 0;
1874  goto end;
1875  }
1876 
1877  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1878  if (sm->type != DETECT_CONTENT) {
1879  result = 0;
1880  goto end;
1881  }
1882  cd = (DetectContentData *)sm->ctx;
1883  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1884  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1885  cd->flags & DETECT_CONTENT_NOCASE ||
1886  cd->flags & DETECT_CONTENT_WITHIN ||
1887  cd->flags & DETECT_CONTENT_DISTANCE ||
1888  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1889  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1890  cd->flags & DETECT_CONTENT_NEGATED ) {
1891  printf("one failed\n");
1892  result = 0;
1893  goto end;
1894  }
1895 
1896  if (sm->next != NULL) {
1897  result = 0;
1898  goto end;
1899  }
1900 
1901  sm = s->sm_lists[g_http_uri_buffer_id];
1902  if (sm->type != DETECT_CONTENT) {
1903  result = 0;
1904  goto end;
1905  }
1906  ud = (DetectContentData *)sm->ctx;
1907  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1908  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1909  ud->flags & DETECT_CONTENT_NOCASE ||
1910  ud->flags & DETECT_CONTENT_WITHIN ||
1911  ud->flags & DETECT_CONTENT_DISTANCE ||
1912  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1913  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1914  ud->flags & DETECT_CONTENT_NEGATED ) {
1915  printf("two failed\n");
1916  result = 0;
1917  goto end;
1918  }
1919 
1920  sm = sm->next;
1921  if (sm->type != DETECT_BYTE_EXTRACT) {
1922  result = 0;
1923  goto end;
1924  }
1925  bed = (DetectByteExtractData *)sm->ctx;
1926  if (bed->nbytes != 4 ||
1927  bed->offset != 0 ||
1928  strcmp(bed->name, "two") != 0 ||
1929  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1930  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1931  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1932  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1933  bed->align_value != 0 ||
1934  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1935  goto end;
1936  }
1937 
1938  result = 1;
1939 
1940  end:
1941  SigGroupCleanup(de_ctx);
1942  SigCleanSignatures(de_ctx);
1943  DetectEngineCtxFree(de_ctx);
1944 
1945  return result;
1946 }
1947 
1948 static int DetectByteExtractTest40(void)
1949 {
1950  DetectEngineCtx *de_ctx = NULL;
1951  int result = 0;
1952  Signature *s = NULL;
1953  SigMatch *sm = NULL;
1954  DetectContentData *cd = NULL;
1955  DetectContentData *ud = NULL;
1956  DetectByteExtractData *bed = NULL;
1957 
1958  de_ctx = DetectEngineCtxInit();
1959  if (de_ctx == NULL)
1960  goto end;
1961 
1962  de_ctx->flags |= DE_QUIET;
1963  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1964  "(msg:\"Testing bytejump_body\"; "
1965  "content:\"one\"; content:\"two\"; http_uri; "
1966  "byte_extract:4,0,two,string,hex; "
1967  "sid:1;)");
1968  if (de_ctx->sig_list == NULL) {
1969  result = 0;
1970  goto end;
1971  }
1972 
1973  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1974  result = 0;
1975  goto end;
1976  }
1977 
1978  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1979  if (sm->type != DETECT_CONTENT) {
1980  result = 0;
1981  goto end;
1982  }
1983  cd = (DetectContentData *)sm->ctx;
1984  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1985  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1986  cd->flags & DETECT_CONTENT_NOCASE ||
1987  cd->flags & DETECT_CONTENT_WITHIN ||
1988  cd->flags & DETECT_CONTENT_DISTANCE ||
1989  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1990  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1991  cd->flags & DETECT_CONTENT_NEGATED ) {
1992  printf("one failed\n");
1993  result = 0;
1994  goto end;
1995  }
1996 
1997  sm = sm->next;
1998  if (sm->type != DETECT_BYTE_EXTRACT) {
1999  result = 0;
2000  goto end;
2001  }
2002  bed = (DetectByteExtractData *)sm->ctx;
2003  if (bed->nbytes != 4 ||
2004  bed->offset != 0 ||
2005  strcmp(bed->name, "two") != 0 ||
2006  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
2007  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2008  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2009  bed->align_value != 0 ||
2010  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2011  goto end;
2012  }
2013 
2014  sm = s->sm_lists[g_http_uri_buffer_id];
2015  if (sm->type != DETECT_CONTENT) {
2016  result = 0;
2017  goto end;
2018  }
2019  ud = (DetectContentData *)sm->ctx;
2020  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2021  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
2022  ud->flags & DETECT_CONTENT_NOCASE ||
2023  ud->flags & DETECT_CONTENT_WITHIN ||
2024  ud->flags & DETECT_CONTENT_DISTANCE ||
2025  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2026  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2027  ud->flags & DETECT_CONTENT_NEGATED ) {
2028  printf("two failed\n");
2029  result = 0;
2030  goto end;
2031  }
2032 
2033  if (sm->next != NULL) {
2034  result = 0;
2035  goto end;
2036  }
2037 
2038  result = 1;
2039 
2040  end:
2041  SigGroupCleanup(de_ctx);
2042  SigCleanSignatures(de_ctx);
2043  DetectEngineCtxFree(de_ctx);
2044 
2045  return result;
2046 }
2047 
2048 static int DetectByteExtractTest41(void)
2049 {
2050  DetectEngineCtx *de_ctx = NULL;
2051  int result = 0;
2052  Signature *s = NULL;
2053  SigMatch *sm = NULL;
2054  DetectContentData *cd = NULL;
2055  DetectByteExtractData *bed = NULL;
2056 
2057  de_ctx = DetectEngineCtxInit();
2058  if (de_ctx == NULL)
2059  goto end;
2060 
2061  de_ctx->flags |= DE_QUIET;
2062  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2063  "(msg:\"Testing bytejump_body\"; "
2064  "content:\"one\"; "
2065  "byte_extract:4,0,two,string,hex; "
2066  "byte_extract:4,0,three,string,hex; "
2067  "sid:1;)");
2068  if (de_ctx->sig_list == NULL) {
2069  result = 0;
2070  goto end;
2071  }
2072 
2073  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2074  result = 0;
2075  goto end;
2076  }
2077 
2078  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2079  if (sm->type != DETECT_CONTENT) {
2080  result = 0;
2081  goto end;
2082  }
2083  cd = (DetectContentData *)sm->ctx;
2084  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2085  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2086  cd->flags & DETECT_CONTENT_NOCASE ||
2087  cd->flags & DETECT_CONTENT_WITHIN ||
2088  cd->flags & DETECT_CONTENT_DISTANCE ||
2089  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2090  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2091  cd->flags & DETECT_CONTENT_NEGATED ) {
2092  printf("one failed\n");
2093  result = 0;
2094  goto end;
2095  }
2096 
2097  sm = sm->next;
2098  if (sm->type != DETECT_BYTE_EXTRACT) {
2099  result = 0;
2100  goto end;
2101  }
2102  bed = (DetectByteExtractData *)sm->ctx;
2103  if (bed->nbytes != 4 ||
2104  bed->offset != 0 ||
2105  strcmp(bed->name, "two") != 0 ||
2106  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2107  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2108  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2109  bed->align_value != 0 ||
2110  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2111  goto end;
2112  }
2113  if (bed->local_id != 0) {
2114  result = 0;
2115  goto end;
2116  }
2117 
2118  sm = sm->next;
2119  if (sm->type != DETECT_BYTE_EXTRACT) {
2120  result = 0;
2121  goto end;
2122  }
2123  bed = (DetectByteExtractData *)sm->ctx;
2124  if (bed->nbytes != 4 ||
2125  bed->offset != 0 ||
2126  strcmp(bed->name, "three") != 0 ||
2127  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2128  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2129  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2130  bed->align_value != 0 ||
2131  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2132  goto end;
2133  }
2134  if (bed->local_id != 1) {
2135  result = 0;
2136  goto end;
2137  }
2138 
2139  result = 1;
2140 
2141  end:
2142  SigGroupCleanup(de_ctx);
2143  SigCleanSignatures(de_ctx);
2144  DetectEngineCtxFree(de_ctx);
2145 
2146  return result;
2147 }
2148 
2149 static int DetectByteExtractTest42(void)
2150 {
2151  DetectEngineCtx *de_ctx = NULL;
2152  int result = 0;
2153  Signature *s = NULL;
2154  SigMatch *sm = NULL;
2155  DetectContentData *cd = NULL;
2156  DetectContentData *ud = NULL;
2157  DetectByteExtractData *bed = NULL;
2158 
2159  de_ctx = DetectEngineCtxInit();
2160  if (de_ctx == NULL)
2161  goto end;
2162 
2163  de_ctx->flags |= DE_QUIET;
2164  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2165  "(msg:\"Testing bytejump_body\"; "
2166  "content:\"one\"; "
2167  "byte_extract:4,0,two,string,hex; "
2168  "uricontent: \"three\"; "
2169  "byte_extract:4,0,four,string,hex,relative; "
2170  "byte_extract:4,0,five,string,hex; "
2171  "sid:1;)");
2172  if (de_ctx->sig_list == NULL) {
2173  result = 0;
2174  goto end;
2175  }
2176 
2177  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2178  result = 0;
2179  goto end;
2180  }
2181 
2182  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2183  if (sm->type != DETECT_CONTENT) {
2184  result = 0;
2185  goto end;
2186  }
2187  cd = (DetectContentData *)sm->ctx;
2188  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2189  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2190  cd->flags & DETECT_CONTENT_NOCASE ||
2191  cd->flags & DETECT_CONTENT_WITHIN ||
2192  cd->flags & DETECT_CONTENT_DISTANCE ||
2193  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2194  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2195  cd->flags & DETECT_CONTENT_NEGATED ) {
2196  printf("one failed\n");
2197  result = 0;
2198  goto end;
2199  }
2200 
2201  sm = sm->next;
2202  if (sm->type != DETECT_BYTE_EXTRACT) {
2203  result = 0;
2204  goto end;
2205  }
2206  bed = (DetectByteExtractData *)sm->ctx;
2207  if (bed->nbytes != 4 ||
2208  bed->offset != 0 ||
2209  strcmp(bed->name, "two") != 0 ||
2210  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2211  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2212  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2213  bed->align_value != 0 ||
2214  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2215  goto end;
2216  }
2217  if (bed->local_id != 0) {
2218  result = 0;
2219  goto end;
2220  }
2221 
2222  sm = sm->next;
2223  if (sm->type != DETECT_BYTE_EXTRACT) {
2224  result = 0;
2225  goto end;
2226  }
2227  bed = (DetectByteExtractData *)sm->ctx;
2228  if (bed->nbytes != 4 ||
2229  bed->offset != 0 ||
2230  strcmp(bed->name, "five") != 0 ||
2231  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2232  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2233  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2234  bed->align_value != 0 ||
2235  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2236  goto end;
2237  }
2238  if (bed->local_id != 1) {
2239  result = 0;
2240  goto end;
2241  }
2242 
2243  if (sm->next != NULL)
2244  goto end;
2245 
2246  sm = s->sm_lists[g_http_uri_buffer_id];
2247  if (sm->type != DETECT_CONTENT) {
2248  result = 0;
2249  goto end;
2250  }
2251  ud = (DetectContentData *)sm->ctx;
2252  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2253  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
2254  ud->flags & DETECT_CONTENT_NOCASE ||
2255  ud->flags & DETECT_CONTENT_WITHIN ||
2256  ud->flags & DETECT_CONTENT_DISTANCE ||
2257  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2258  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2259  ud->flags & DETECT_CONTENT_NEGATED ) {
2260  printf("two failed\n");
2261  result = 0;
2262  goto end;
2263  }
2264 
2265  sm = sm->next;
2266  if (sm->type != DETECT_BYTE_EXTRACT) {
2267  result = 0;
2268  goto end;
2269  }
2270  bed = (DetectByteExtractData *)sm->ctx;
2271  if (bed->nbytes != 4 ||
2272  bed->offset != 0 ||
2273  strcmp(bed->name, "four") != 0 ||
2274  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
2275  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
2276  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2277  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2278  bed->align_value != 0 ||
2279  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2280  goto end;
2281  }
2282  if (bed->local_id != 0) {
2283  result = 0;
2284  goto end;
2285  }
2286 
2287  if (sm->next != NULL)
2288  goto end;
2289 
2290  result = 1;
2291 
2292  end:
2293  SigGroupCleanup(de_ctx);
2294  SigCleanSignatures(de_ctx);
2295  DetectEngineCtxFree(de_ctx);
2296 
2297  return result;
2298 }
2299 
2300 static int DetectByteExtractTest43(void)
2301 {
2302  DetectEngineCtx *de_ctx = NULL;
2303  int result = 0;
2304  Signature *s = NULL;
2305  SigMatch *sm = NULL;
2306  DetectContentData *cd = NULL;
2307  DetectByteExtractData *bed = NULL;
2308 
2309  de_ctx = DetectEngineCtxInit();
2310  if (de_ctx == NULL)
2311  goto end;
2312 
2313  de_ctx->flags |= DE_QUIET;
2314  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2315  "(msg:\"Testing bytejump_body\"; "
2316  "content:\"one\"; "
2317  "byte_extract:4,0,two,string,hex; "
2318  "content: \"three\"; offset:two; "
2319  "sid:1;)");
2320  if (de_ctx->sig_list == NULL) {
2321  result = 0;
2322  goto end;
2323  }
2324 
2325  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2326  result = 0;
2327  goto end;
2328  }
2329 
2330  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2331  if (sm->type != DETECT_CONTENT) {
2332  result = 0;
2333  goto end;
2334  }
2335  cd = (DetectContentData *)sm->ctx;
2336  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2337  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2338  cd->flags & DETECT_CONTENT_NOCASE ||
2339  cd->flags & DETECT_CONTENT_WITHIN ||
2340  cd->flags & DETECT_CONTENT_DISTANCE ||
2341  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2342  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2343  cd->flags & DETECT_CONTENT_NEGATED ) {
2344  printf("one failed\n");
2345  result = 0;
2346  goto end;
2347  }
2348 
2349  sm = sm->next;
2350  if (sm->type != DETECT_BYTE_EXTRACT) {
2351  result = 0;
2352  goto end;
2353  }
2354  bed = (DetectByteExtractData *)sm->ctx;
2355  if (bed->nbytes != 4 ||
2356  bed->offset != 0 ||
2357  strcmp(bed->name, "two") != 0 ||
2358  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2359  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2360  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2361  bed->align_value != 0 ||
2362  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2363  goto end;
2364  }
2365  if (bed->local_id != 0) {
2366  result = 0;
2367  goto end;
2368  }
2369 
2370  sm = sm->next;
2371  if (sm->type != DETECT_CONTENT) {
2372  result = 0;
2373  goto end;
2374  }
2375  cd = (DetectContentData *)sm->ctx;
2376  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2377  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2378  DETECT_CONTENT_OFFSET) ||
2379  cd->offset != bed->local_id) {
2380  printf("three failed\n");
2381  result = 0;
2382  goto end;
2383  }
2384 
2385  if (sm->next != NULL)
2386  goto end;
2387 
2388  result = 1;
2389 
2390  end:
2391  SigGroupCleanup(de_ctx);
2392  SigCleanSignatures(de_ctx);
2393  DetectEngineCtxFree(de_ctx);
2394 
2395  return result;
2396 }
2397 
2398 static int DetectByteExtractTest44(void)
2399 {
2400  DetectEngineCtx *de_ctx = NULL;
2401  int result = 0;
2402  Signature *s = NULL;
2403  SigMatch *sm = NULL;
2404  DetectContentData *cd = NULL;
2405  DetectByteExtractData *bed1 = NULL;
2406  DetectByteExtractData *bed2 = NULL;
2407 
2408  de_ctx = DetectEngineCtxInit();
2409  if (de_ctx == NULL)
2410  goto end;
2411 
2412  de_ctx->flags |= DE_QUIET;
2413  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2414  "(msg:\"Testing bytejump_body\"; "
2415  "content:\"one\"; "
2416  "byte_extract:4,0,two,string,hex; "
2417  "byte_extract:4,0,three,string,hex; "
2418  "content: \"four\"; offset:two; "
2419  "content: \"five\"; offset:three; "
2420  "sid:1;)");
2421  if (de_ctx->sig_list == NULL) {
2422  result = 0;
2423  goto end;
2424  }
2425 
2426  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2427  result = 0;
2428  goto end;
2429  }
2430 
2431  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2432  if (sm->type != DETECT_CONTENT) {
2433  result = 0;
2434  goto end;
2435  }
2436  cd = (DetectContentData *)sm->ctx;
2437  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2438  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2439  cd->flags & DETECT_CONTENT_NOCASE ||
2440  cd->flags & DETECT_CONTENT_WITHIN ||
2441  cd->flags & DETECT_CONTENT_DISTANCE ||
2442  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2443  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2444  cd->flags & DETECT_CONTENT_NEGATED ) {
2445  printf("one failed\n");
2446  result = 0;
2447  goto end;
2448  }
2449 
2450  sm = sm->next;
2451  if (sm->type != DETECT_BYTE_EXTRACT) {
2452  result = 0;
2453  goto end;
2454  }
2455  bed1 = (DetectByteExtractData *)sm->ctx;
2456  if (bed1->nbytes != 4 ||
2457  bed1->offset != 0 ||
2458  strcmp(bed1->name, "two") != 0 ||
2459  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2460  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2461  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2462  bed1->align_value != 0 ||
2463  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2464  goto end;
2465  }
2466  if (bed1->local_id != 0) {
2467  result = 0;
2468  goto end;
2469  }
2470 
2471  sm = sm->next;
2472  if (sm->type != DETECT_BYTE_EXTRACT) {
2473  result = 0;
2474  goto end;
2475  }
2476  bed2 = (DetectByteExtractData *)sm->ctx;
2477 
2478  sm = sm->next;
2479  if (sm->type != DETECT_CONTENT) {
2480  result = 0;
2481  goto end;
2482  }
2483  cd = (DetectContentData *)sm->ctx;
2484  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2485  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2486  DETECT_CONTENT_OFFSET) ||
2487  cd->offset != bed1->local_id) {
2488  printf("four failed\n");
2489  result = 0;
2490  goto end;
2491  }
2492 
2493  sm = sm->next;
2494  if (sm->type != DETECT_CONTENT) {
2495  result = 0;
2496  goto end;
2497  }
2498  cd = (DetectContentData *)sm->ctx;
2499  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2500  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2501  DETECT_CONTENT_OFFSET) ||
2502  cd->offset != bed2->local_id) {
2503  printf("five failed\n");
2504  result = 0;
2505  goto end;
2506  }
2507 
2508  if (sm->next != NULL)
2509  goto end;
2510 
2511  result = 1;
2512 
2513  end:
2514  SigGroupCleanup(de_ctx);
2515  SigCleanSignatures(de_ctx);
2516  DetectEngineCtxFree(de_ctx);
2517 
2518  return result;
2519 }
2520 
2521 static int DetectByteExtractTest45(void)
2522 {
2523  DetectEngineCtx *de_ctx = NULL;
2524  int result = 0;
2525  Signature *s = NULL;
2526  SigMatch *sm = NULL;
2527  DetectContentData *cd = NULL;
2528  DetectByteExtractData *bed = NULL;
2529 
2530  de_ctx = DetectEngineCtxInit();
2531  if (de_ctx == NULL)
2532  goto end;
2533 
2534  de_ctx->flags |= DE_QUIET;
2535  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2536  "(msg:\"Testing bytejump_body\"; "
2537  "content:\"one\"; "
2538  "byte_extract:4,0,two,string,hex; "
2539  "content: \"three\"; depth:two; "
2540  "sid:1;)");
2541  if (de_ctx->sig_list == NULL) {
2542  result = 0;
2543  goto end;
2544  }
2545 
2546  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2547  result = 0;
2548  goto end;
2549  }
2550 
2551  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2552  if (sm->type != DETECT_CONTENT) {
2553  result = 0;
2554  goto end;
2555  }
2556  cd = (DetectContentData *)sm->ctx;
2557  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2558  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2559  cd->flags & DETECT_CONTENT_NOCASE ||
2560  cd->flags & DETECT_CONTENT_WITHIN ||
2561  cd->flags & DETECT_CONTENT_DISTANCE ||
2562  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2563  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2564  cd->flags & DETECT_CONTENT_NEGATED ) {
2565  printf("one failed\n");
2566  result = 0;
2567  goto end;
2568  }
2569 
2570  sm = sm->next;
2571  if (sm->type != DETECT_BYTE_EXTRACT) {
2572  result = 0;
2573  goto end;
2574  }
2575  bed = (DetectByteExtractData *)sm->ctx;
2576  if (bed->nbytes != 4 ||
2577  bed->offset != 0 ||
2578  strcmp(bed->name, "two") != 0 ||
2579  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2580  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2581  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2582  bed->align_value != 0 ||
2583  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2584  goto end;
2585  }
2586  if (bed->local_id != 0) {
2587  result = 0;
2588  goto end;
2589  }
2590 
2591  sm = sm->next;
2592  if (sm->type != DETECT_CONTENT) {
2593  result = 0;
2594  goto end;
2595  }
2596  cd = (DetectContentData *)sm->ctx;
2597  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2598  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2599  DETECT_CONTENT_DEPTH) ||
2600  cd->depth != bed->local_id ||
2601  cd->offset != 0) {
2602  printf("three failed\n");
2603  result = 0;
2604  goto end;
2605  }
2606 
2607  if (sm->next != NULL)
2608  goto end;
2609 
2610  result = 1;
2611 
2612  end:
2613  SigGroupCleanup(de_ctx);
2614  SigCleanSignatures(de_ctx);
2615  DetectEngineCtxFree(de_ctx);
2616 
2617  return result;
2618 }
2619 
2620 static int DetectByteExtractTest46(void)
2621 {
2622  DetectEngineCtx *de_ctx = NULL;
2623  int result = 0;
2624  Signature *s = NULL;
2625  SigMatch *sm = NULL;
2626  DetectContentData *cd = NULL;
2627  DetectByteExtractData *bed1 = NULL;
2628  DetectByteExtractData *bed2 = NULL;
2629 
2630  de_ctx = DetectEngineCtxInit();
2631  if (de_ctx == NULL)
2632  goto end;
2633 
2634  de_ctx->flags |= DE_QUIET;
2635  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2636  "(msg:\"Testing bytejump_body\"; "
2637  "content:\"one\"; "
2638  "byte_extract:4,0,two,string,hex; "
2639  "byte_extract:4,0,three,string,hex; "
2640  "content: \"four\"; depth:two; "
2641  "content: \"five\"; depth:three; "
2642  "sid:1;)");
2643  if (de_ctx->sig_list == NULL) {
2644  result = 0;
2645  goto end;
2646  }
2647 
2648  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2649  result = 0;
2650  goto end;
2651  }
2652 
2653  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2654  if (sm->type != DETECT_CONTENT) {
2655  result = 0;
2656  goto end;
2657  }
2658  cd = (DetectContentData *)sm->ctx;
2659  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2660  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2661  cd->flags & DETECT_CONTENT_NOCASE ||
2662  cd->flags & DETECT_CONTENT_WITHIN ||
2663  cd->flags & DETECT_CONTENT_DISTANCE ||
2664  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2665  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2666  cd->flags & DETECT_CONTENT_NEGATED ) {
2667  printf("one failed\n");
2668  result = 0;
2669  goto end;
2670  }
2671 
2672  sm = sm->next;
2673  if (sm->type != DETECT_BYTE_EXTRACT) {
2674  result = 0;
2675  goto end;
2676  }
2677  bed1 = (DetectByteExtractData *)sm->ctx;
2678  if (bed1->nbytes != 4 ||
2679  bed1->offset != 0 ||
2680  strcmp(bed1->name, "two") != 0 ||
2681  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2682  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2683  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2684  bed1->align_value != 0 ||
2685  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2686  goto end;
2687  }
2688  if (bed1->local_id != 0) {
2689  result = 0;
2690  goto end;
2691  }
2692 
2693  sm = sm->next;
2694  if (sm->type != DETECT_BYTE_EXTRACT) {
2695  result = 0;
2696  goto end;
2697  }
2698  bed2 = (DetectByteExtractData *)sm->ctx;
2699 
2700  sm = sm->next;
2701  if (sm->type != DETECT_CONTENT) {
2702  result = 0;
2703  goto end;
2704  }
2705  cd = (DetectContentData *)sm->ctx;
2706  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2707  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2708  DETECT_CONTENT_DEPTH) ||
2709  cd->depth != bed1->local_id) {
2710  printf("four failed\n");
2711  result = 0;
2712  goto end;
2713  }
2714 
2715  sm = sm->next;
2716  if (sm->type != DETECT_CONTENT) {
2717  result = 0;
2718  goto end;
2719  }
2720  cd = (DetectContentData *)sm->ctx;
2721  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2722  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2723  DETECT_CONTENT_DEPTH) ||
2724  cd->depth != bed2->local_id) {
2725  printf("five failed\n");
2726  result = 0;
2727  goto end;
2728  }
2729 
2730  if (sm->next != NULL)
2731  goto end;
2732 
2733  result = 1;
2734 
2735  end:
2736  SigGroupCleanup(de_ctx);
2737  SigCleanSignatures(de_ctx);
2738  DetectEngineCtxFree(de_ctx);
2739 
2740  return result;
2741 }
2742 
2743 static int DetectByteExtractTest47(void)
2744 {
2745  DetectEngineCtx *de_ctx = NULL;
2746  int result = 0;
2747  Signature *s = NULL;
2748  SigMatch *sm = NULL;
2749  DetectContentData *cd = NULL;
2750  DetectByteExtractData *bed = NULL;
2751 
2752  de_ctx = DetectEngineCtxInit();
2753  if (de_ctx == NULL)
2754  goto end;
2755 
2756  de_ctx->flags |= DE_QUIET;
2757  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2758  "(msg:\"Testing bytejump_body\"; "
2759  "content:\"one\"; "
2760  "byte_extract:4,0,two,string,hex; "
2761  "content: \"three\"; distance:two; "
2762  "sid:1;)");
2763  if (de_ctx->sig_list == NULL) {
2764  result = 0;
2765  goto end;
2766  }
2767 
2768  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2769  result = 0;
2770  goto end;
2771  }
2772 
2773  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2774  if (sm->type != DETECT_CONTENT) {
2775  result = 0;
2776  goto end;
2777  }
2778  cd = (DetectContentData *)sm->ctx;
2779  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2780  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2781  cd->flags & DETECT_CONTENT_NOCASE ||
2782  cd->flags & DETECT_CONTENT_WITHIN ||
2783  cd->flags & DETECT_CONTENT_DISTANCE ||
2784  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2785  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2786  cd->flags & DETECT_CONTENT_NEGATED ) {
2787  printf("one failed\n");
2788  result = 0;
2789  goto end;
2790  }
2791 
2792  sm = sm->next;
2793  if (sm->type != DETECT_BYTE_EXTRACT) {
2794  result = 0;
2795  goto end;
2796  }
2797  bed = (DetectByteExtractData *)sm->ctx;
2798  if (bed->nbytes != 4 ||
2799  bed->offset != 0 ||
2800  strcmp(bed->name, "two") != 0 ||
2801  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2802  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2803  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2804  bed->align_value != 0 ||
2805  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2806  goto end;
2807  }
2808  if (bed->local_id != 0) {
2809  result = 0;
2810  goto end;
2811  }
2812 
2813  sm = sm->next;
2814  if (sm->type != DETECT_CONTENT) {
2815  result = 0;
2816  goto end;
2817  }
2818  cd = (DetectContentData *)sm->ctx;
2819  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2820  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2821  DETECT_CONTENT_DISTANCE) ||
2822  cd->distance != bed->local_id ||
2823  cd->offset != 0 ||
2824  cd->depth != 0) {
2825  printf("three failed\n");
2826  result = 0;
2827  goto end;
2828  }
2829 
2830  if (sm->next != NULL)
2831  goto end;
2832 
2833  result = 1;
2834 
2835  end:
2836  SigGroupCleanup(de_ctx);
2837  SigCleanSignatures(de_ctx);
2838  DetectEngineCtxFree(de_ctx);
2839 
2840  return result;
2841 }
2842 
2843 static int DetectByteExtractTest48(void)
2844 {
2845  DetectEngineCtx *de_ctx = NULL;
2846  int result = 0;
2847  Signature *s = NULL;
2848  SigMatch *sm = NULL;
2849  DetectContentData *cd = NULL;
2850  DetectByteExtractData *bed1 = NULL;
2851  DetectByteExtractData *bed2 = NULL;
2852 
2853  de_ctx = DetectEngineCtxInit();
2854  if (de_ctx == NULL)
2855  goto end;
2856 
2857  de_ctx->flags |= DE_QUIET;
2858  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2859  "(msg:\"Testing bytejump_body\"; "
2860  "content:\"one\"; "
2861  "byte_extract:4,0,two,string,hex; "
2862  "byte_extract:4,0,three,string,hex; "
2863  "content: \"four\"; distance:two; "
2864  "content: \"five\"; distance:three; "
2865  "sid:1;)");
2866  if (de_ctx->sig_list == NULL) {
2867  result = 0;
2868  goto end;
2869  }
2870 
2871  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2872  result = 0;
2873  goto end;
2874  }
2875 
2876  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2877  if (sm->type != DETECT_CONTENT) {
2878  result = 0;
2879  goto end;
2880  }
2881  cd = (DetectContentData *)sm->ctx;
2882  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2883  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2884  cd->flags & DETECT_CONTENT_NOCASE ||
2885  cd->flags & DETECT_CONTENT_WITHIN ||
2886  cd->flags & DETECT_CONTENT_DISTANCE ||
2887  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2888  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2889  cd->flags & DETECT_CONTENT_NEGATED ) {
2890  printf("one failed\n");
2891  result = 0;
2892  goto end;
2893  }
2894 
2895  sm = sm->next;
2896  if (sm->type != DETECT_BYTE_EXTRACT) {
2897  result = 0;
2898  goto end;
2899  }
2900  bed1 = (DetectByteExtractData *)sm->ctx;
2901  if (bed1->nbytes != 4 ||
2902  bed1->offset != 0 ||
2903  strcmp(bed1->name, "two") != 0 ||
2904  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2905  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2906  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2907  bed1->align_value != 0 ||
2908  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2909  goto end;
2910  }
2911  if (bed1->local_id != 0) {
2912  result = 0;
2913  goto end;
2914  }
2915 
2916  sm = sm->next;
2917  if (sm->type != DETECT_BYTE_EXTRACT) {
2918  result = 0;
2919  goto end;
2920  }
2921  bed2 = (DetectByteExtractData *)sm->ctx;
2922 
2923  sm = sm->next;
2924  if (sm->type != DETECT_CONTENT) {
2925  result = 0;
2926  goto end;
2927  }
2928  cd = (DetectContentData *)sm->ctx;
2929  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2930  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2931  DETECT_CONTENT_DISTANCE |
2932  DETECT_CONTENT_DISTANCE_NEXT) ||
2933  cd->distance != bed1->local_id ||
2934  cd->depth != 0 ||
2935  cd->offset != 0) {
2936  printf("four failed\n");
2937  result = 0;
2938  goto end;
2939  }
2940 
2941  sm = sm->next;
2942  if (sm->type != DETECT_CONTENT) {
2943  result = 0;
2944  goto end;
2945  }
2946  cd = (DetectContentData *)sm->ctx;
2947  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2948  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2949  DETECT_CONTENT_DISTANCE) ||
2950  cd->distance != bed2->local_id ||
2951  cd->depth != 0 ||
2952  cd->offset != 0) {
2953  printf("five failed\n");
2954  result = 0;
2955  goto end;
2956  }
2957 
2958  if (sm->next != NULL)
2959  goto end;
2960 
2961  result = 1;
2962 
2963  end:
2964  SigGroupCleanup(de_ctx);
2965  SigCleanSignatures(de_ctx);
2966  DetectEngineCtxFree(de_ctx);
2967 
2968  return result;
2969 }
2970 
2971 static int DetectByteExtractTest49(void)
2972 {
2973  DetectEngineCtx *de_ctx = NULL;
2974  int result = 0;
2975  Signature *s = NULL;
2976  SigMatch *sm = NULL;
2977  DetectContentData *cd = NULL;
2978  DetectByteExtractData *bed = NULL;
2979 
2980  de_ctx = DetectEngineCtxInit();
2981  if (de_ctx == NULL)
2982  goto end;
2983 
2984  de_ctx->flags |= DE_QUIET;
2985  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2986  "(msg:\"Testing bytejump_body\"; "
2987  "content:\"one\"; "
2988  "byte_extract:4,0,two,string,hex; "
2989  "content: \"three\"; within:two; "
2990  "sid:1;)");
2991  if (de_ctx->sig_list == NULL) {
2992  result = 0;
2993  goto end;
2994  }
2995 
2996  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2997  result = 0;
2998  goto end;
2999  }
3000 
3001  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3002  if (sm->type != DETECT_CONTENT) {
3003  result = 0;
3004  goto end;
3005  }
3006  cd = (DetectContentData *)sm->ctx;
3007  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3008  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3009  cd->flags & DETECT_CONTENT_NOCASE ||
3010  cd->flags & DETECT_CONTENT_WITHIN ||
3011  cd->flags & DETECT_CONTENT_DISTANCE ||
3012  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3013  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3014  cd->flags & DETECT_CONTENT_NEGATED ) {
3015  printf("one failed\n");
3016  result = 0;
3017  goto end;
3018  }
3019 
3020  sm = sm->next;
3021  if (sm->type != DETECT_BYTE_EXTRACT) {
3022  result = 0;
3023  goto end;
3024  }
3025  bed = (DetectByteExtractData *)sm->ctx;
3026  if (bed->nbytes != 4 ||
3027  bed->offset != 0 ||
3028  strcmp(bed->name, "two") != 0 ||
3029  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3030  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3031  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3032  bed->align_value != 0 ||
3033  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3034  goto end;
3035  }
3036  if (bed->local_id != 0) {
3037  result = 0;
3038  goto end;
3039  }
3040 
3041  sm = sm->next;
3042  if (sm->type != DETECT_CONTENT) {
3043  result = 0;
3044  goto end;
3045  }
3046  cd = (DetectContentData *)sm->ctx;
3047  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
3048  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3049  DETECT_CONTENT_WITHIN) ||
3050  cd->within != bed->local_id ||
3051  cd->offset != 0 ||
3052  cd->depth != 0 ||
3053  cd->distance != 0) {
3054  printf("three failed\n");
3055  result = 0;
3056  goto end;
3057  }
3058 
3059  if (sm->next != NULL)
3060  goto end;
3061 
3062  result = 1;
3063 
3064  end:
3065  SigGroupCleanup(de_ctx);
3066  SigCleanSignatures(de_ctx);
3067  DetectEngineCtxFree(de_ctx);
3068 
3069  return result;
3070 }
3071 
3072 static int DetectByteExtractTest50(void)
3073 {
3074  DetectEngineCtx *de_ctx = NULL;
3075  int result = 0;
3076  Signature *s = NULL;
3077  SigMatch *sm = NULL;
3078  DetectContentData *cd = NULL;
3079  DetectByteExtractData *bed1 = NULL;
3080  DetectByteExtractData *bed2 = NULL;
3081 
3082  de_ctx = DetectEngineCtxInit();
3083  if (de_ctx == NULL)
3084  goto end;
3085 
3086  de_ctx->flags |= DE_QUIET;
3087  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3088  "(msg:\"Testing bytejump_body\"; "
3089  "content:\"one\"; "
3090  "byte_extract:4,0,two,string,hex; "
3091  "byte_extract:4,0,three,string,hex; "
3092  "content: \"four\"; within:two; "
3093  "content: \"five\"; within:three; "
3094  "sid:1;)");
3095  if (de_ctx->sig_list == NULL) {
3096  result = 0;
3097  goto end;
3098  }
3099 
3100  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3101  result = 0;
3102  goto end;
3103  }
3104 
3105  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3106  if (sm->type != DETECT_CONTENT) {
3107  result = 0;
3108  goto end;
3109  }
3110  cd = (DetectContentData *)sm->ctx;
3111  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3112  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3113  cd->flags & DETECT_CONTENT_NOCASE ||
3114  cd->flags & DETECT_CONTENT_WITHIN ||
3115  cd->flags & DETECT_CONTENT_DISTANCE ||
3116  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3117  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3118  cd->flags & DETECT_CONTENT_NEGATED ) {
3119  printf("one failed\n");
3120  result = 0;
3121  goto end;
3122  }
3123 
3124  sm = sm->next;
3125  if (sm->type != DETECT_BYTE_EXTRACT) {
3126  result = 0;
3127  goto end;
3128  }
3129  bed1 = (DetectByteExtractData *)sm->ctx;
3130  if (bed1->nbytes != 4 ||
3131  bed1->offset != 0 ||
3132  strcmp(bed1->name, "two") != 0 ||
3133  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3134  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3135  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3136  bed1->align_value != 0 ||
3137  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3138  goto end;
3139  }
3140  if (bed1->local_id != 0) {
3141  result = 0;
3142  goto end;
3143  }
3144 
3145  sm = sm->next;
3146  if (sm->type != DETECT_BYTE_EXTRACT) {
3147  result = 0;
3148  goto end;
3149  }
3150  bed2 = (DetectByteExtractData *)sm->ctx;
3151 
3152  sm = sm->next;
3153  if (sm->type != DETECT_CONTENT) {
3154  result = 0;
3155  goto end;
3156  }
3157  cd = (DetectContentData *)sm->ctx;
3158  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3159  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3160  DETECT_CONTENT_WITHIN|
3161  DETECT_CONTENT_WITHIN_NEXT) ||
3162  cd->within != bed1->local_id ||
3163  cd->depth != 0 ||
3164  cd->offset != 0 ||
3165  cd->distance != 0) {
3166  printf("four failed\n");
3167  result = 0;
3168  goto end;
3169  }
3170 
3171  sm = sm->next;
3172  if (sm->type != DETECT_CONTENT) {
3173  result = 0;
3174  goto end;
3175  }
3176  cd = (DetectContentData *)sm->ctx;
3177  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
3178  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3179  DETECT_CONTENT_WITHIN) ||
3180  cd->within != bed2->local_id ||
3181  cd->depth != 0 ||
3182  cd->offset != 0 ||
3183  cd->distance != 0) {
3184  printf("five failed\n");
3185  result = 0;
3186  goto end;
3187  }
3188 
3189  if (sm->next != NULL)
3190  goto end;
3191 
3192  result = 1;
3193 
3194  end:
3195  SigGroupCleanup(de_ctx);
3196  SigCleanSignatures(de_ctx);
3197  DetectEngineCtxFree(de_ctx);
3198 
3199  return result;
3200 }
3201 
3202 static int DetectByteExtractTest51(void)
3203 {
3204  DetectEngineCtx *de_ctx = NULL;
3205  int result = 0;
3206  Signature *s = NULL;
3207  SigMatch *sm = NULL;
3208  DetectContentData *cd = NULL;
3209  DetectByteExtractData *bed = NULL;
3210  DetectBytetestData *btd = NULL;
3211 
3212  de_ctx = DetectEngineCtxInit();
3213  if (de_ctx == NULL)
3214  goto end;
3215 
3216  de_ctx->flags |= DE_QUIET;
3217  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3218  "(msg:\"Testing bytejump_body\"; "
3219  "content:\"one\"; "
3220  "byte_extract:4,0,two,string,hex; "
3221  "byte_test: 2,=,10, two; "
3222  "sid:1;)");
3223  if (de_ctx->sig_list == NULL) {
3224  result = 0;
3225  goto end;
3226  }
3227 
3228  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3229  result = 0;
3230  goto end;
3231  }
3232 
3233  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3234  if (sm->type != DETECT_CONTENT) {
3235  result = 0;
3236  goto end;
3237  }
3238  cd = (DetectContentData *)sm->ctx;
3239  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3240  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3241  cd->flags & DETECT_CONTENT_NOCASE ||
3242  cd->flags & DETECT_CONTENT_WITHIN ||
3243  cd->flags & DETECT_CONTENT_DISTANCE ||
3244  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3245  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3246  cd->flags & DETECT_CONTENT_NEGATED ) {
3247  printf("one failed\n");
3248  result = 0;
3249  goto end;
3250  }
3251 
3252  sm = sm->next;
3253  if (sm->type != DETECT_BYTE_EXTRACT) {
3254  result = 0;
3255  goto end;
3256  }
3257  bed = (DetectByteExtractData *)sm->ctx;
3258  if (bed->nbytes != 4 ||
3259  bed->offset != 0 ||
3260  strcmp(bed->name, "two") != 0 ||
3261  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3262  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3263  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3264  bed->align_value != 0 ||
3265  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3266  goto end;
3267  }
3268  if (bed->local_id != 0) {
3269  result = 0;
3270  goto end;
3271  }
3272 
3273  sm = sm->next;
3274  if (sm->type != DETECT_BYTETEST) {
3275  result = 0;
3276  goto end;
3277  }
3278  btd = (DetectBytetestData *)sm->ctx;
3279  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3280  btd->value != 10 ||
3281  btd->offset != 0) {
3282  printf("three failed\n");
3283  result = 0;
3284  goto end;
3285  }
3286 
3287  if (sm->next != NULL)
3288  goto end;
3289 
3290  result = 1;
3291 
3292  end:
3293  SigGroupCleanup(de_ctx);
3294  SigCleanSignatures(de_ctx);
3295  DetectEngineCtxFree(de_ctx);
3296 
3297  return result;
3298 }
3299 
3300 static int DetectByteExtractTest52(void)
3301 {
3302  DetectEngineCtx *de_ctx = NULL;
3303  int result = 0;
3304  Signature *s = NULL;
3305  SigMatch *sm = NULL;
3306  DetectContentData *cd = NULL;
3307  DetectByteExtractData *bed1 = NULL;
3308  DetectBytetestData *btd = NULL;
3309 
3310  de_ctx = DetectEngineCtxInit();
3311  if (de_ctx == NULL)
3312  goto end;
3313 
3314  de_ctx->flags |= DE_QUIET;
3315  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3316  "(msg:\"Testing bytejump_body\"; "
3317  "content:\"one\"; "
3318  "byte_extract:4,0,two,string,hex; "
3319  "byte_extract:4,0,three,string,hex; "
3320  "byte_test: 2,=,two,three; "
3321  "byte_test: 3,=,10,three; "
3322  "sid:1;)");
3323  if (de_ctx->sig_list == NULL) {
3324  result = 0;
3325  goto end;
3326  }
3327 
3328  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3329  result = 0;
3330  goto end;
3331  }
3332 
3333  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3334  if (sm->type != DETECT_CONTENT) {
3335  result = 0;
3336  goto end;
3337  }
3338  cd = (DetectContentData *)sm->ctx;
3339  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3340  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3341  cd->flags & DETECT_CONTENT_NOCASE ||
3342  cd->flags & DETECT_CONTENT_WITHIN ||
3343  cd->flags & DETECT_CONTENT_DISTANCE ||
3344  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3345  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3346  cd->flags & DETECT_CONTENT_NEGATED ) {
3347  printf("one failed\n");
3348  result = 0;
3349  goto end;
3350  }
3351 
3352  sm = sm->next;
3353  if (sm->type != DETECT_BYTE_EXTRACT) {
3354  result = 0;
3355  goto end;
3356  }
3357  bed1 = (DetectByteExtractData *)sm->ctx;
3358  if (bed1->nbytes != 4 ||
3359  bed1->offset != 0 ||
3360  strcmp(bed1->name, "two") != 0 ||
3361  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3362  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3363  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3364  bed1->align_value != 0 ||
3365  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3366  goto end;
3367  }
3368  if (bed1->local_id != 0) {
3369  result = 0;
3370  goto end;
3371  }
3372 
3373  sm = sm->next;
3374  if (sm->type != DETECT_BYTE_EXTRACT) {
3375  result = 0;
3376  goto end;
3377  }
3378 
3379  sm = sm->next;
3380  if (sm->type != DETECT_BYTETEST) {
3381  result = 0;
3382  goto end;
3383  }
3384  btd = (DetectBytetestData *)sm->ctx;
3385  if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
3386  DETECT_BYTETEST_VALUE_VAR) ||
3387  btd->value != 0 ||
3388  btd->offset != 1) {
3389  printf("three failed\n");
3390  result = 0;
3391  goto end;
3392  }
3393 
3394  sm = sm->next;
3395  if (sm->type != DETECT_BYTETEST) {
3396  result = 0;
3397  goto end;
3398  }
3399  btd = (DetectBytetestData *)sm->ctx;
3400  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3401  btd->value != 10 ||
3402  btd->offset != 1) {
3403  printf("four failed\n");
3404  result = 0;
3405  goto end;
3406  }
3407 
3408  if (sm->next != NULL)
3409  goto end;
3410 
3411  result = 1;
3412 
3413  end:
3414  SigGroupCleanup(de_ctx);
3415  SigCleanSignatures(de_ctx);
3416  DetectEngineCtxFree(de_ctx);
3417 
3418  return result;
3419 }
3420 
3421 static int DetectByteExtractTest53(void)
3422 {
3423  DetectEngineCtx *de_ctx = NULL;
3424  int result = 0;
3425  Signature *s = NULL;
3426  SigMatch *sm = NULL;
3427  DetectContentData *cd = NULL;
3428  DetectByteExtractData *bed = NULL;
3429  DetectBytejumpData *bjd = NULL;
3430 
3431  de_ctx = DetectEngineCtxInit();
3432  if (de_ctx == NULL)
3433  goto end;
3434 
3435  de_ctx->flags |= DE_QUIET;
3436  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3437  "(msg:\"Testing bytejump_body\"; "
3438  "content:\"one\"; "
3439  "byte_extract:4,0,two,string,hex; "
3440  "byte_jump: 2,two; "
3441  "sid:1;)");
3442  if (de_ctx->sig_list == NULL) {
3443  result = 0;
3444  goto end;
3445  }
3446 
3447  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3448  result = 0;
3449  goto end;
3450  }
3451 
3452  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3453  if (sm->type != DETECT_CONTENT) {
3454  result = 0;
3455  goto end;
3456  }
3457  cd = (DetectContentData *)sm->ctx;
3458  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3459  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3460  cd->flags & DETECT_CONTENT_NOCASE ||
3461  cd->flags & DETECT_CONTENT_WITHIN ||
3462  cd->flags & DETECT_CONTENT_DISTANCE ||
3463  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3464  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3465  cd->flags & DETECT_CONTENT_NEGATED ) {
3466  printf("one failed\n");
3467  result = 0;
3468  goto end;
3469  }
3470 
3471  sm = sm->next;
3472  if (sm->type != DETECT_BYTE_EXTRACT) {
3473  result = 0;
3474  goto end;
3475  }
3476  bed = (DetectByteExtractData *)sm->ctx;
3477  if (bed->nbytes != 4 ||
3478  bed->offset != 0 ||
3479  strcmp(bed->name, "two") != 0 ||
3480  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3481  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3482  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3483  bed->align_value != 0 ||
3484  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3485  goto end;
3486  }
3487  if (bed->local_id != 0) {
3488  result = 0;
3489  goto end;
3490  }
3491 
3492  sm = sm->next;
3493  if (sm->type != DETECT_BYTEJUMP) {
3494  result = 0;
3495  goto end;
3496  }
3497  bjd = (DetectBytejumpData *)sm->ctx;
3498  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3499  bjd->offset != 0) {
3500  printf("three failed\n");
3501  result = 0;
3502  goto end;
3503  }
3504 
3505  if (sm->next != NULL)
3506  goto end;
3507 
3508  result = 1;
3509 
3510  end:
3511  SigGroupCleanup(de_ctx);
3512  SigCleanSignatures(de_ctx);
3513  DetectEngineCtxFree(de_ctx);
3514 
3515  return result;
3516 }
3517 
3518 static int DetectByteExtractTest54(void)
3519 {
3520  DetectEngineCtx *de_ctx = NULL;
3521  int result = 0;
3522  Signature *s = NULL;
3523  SigMatch *sm = NULL;
3524  DetectContentData *cd = NULL;
3525  DetectByteExtractData *bed1 = NULL;
3526  DetectBytejumpData *bjd = NULL;
3527 
3528  de_ctx = DetectEngineCtxInit();
3529  if (de_ctx == NULL)
3530  goto end;
3531 
3532  de_ctx->flags |= DE_QUIET;
3533  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3534  "(msg:\"Testing bytejump_body\"; "
3535  "content:\"one\"; "
3536  "byte_extract:4,0,two,string,hex; "
3537  "byte_extract:4,0,three,string,hex; "
3538  "byte_jump: 2,two; "
3539  "byte_jump: 3,three; "
3540  "sid:1;)");
3541  if (de_ctx->sig_list == NULL) {
3542  result = 0;
3543  goto end;
3544  }
3545 
3546  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3547  result = 0;
3548  goto end;
3549  }
3550 
3551  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3552  if (sm->type != DETECT_CONTENT) {
3553  result = 0;
3554  goto end;
3555  }
3556  cd = (DetectContentData *)sm->ctx;
3557  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3558  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3559  cd->flags & DETECT_CONTENT_NOCASE ||
3560  cd->flags & DETECT_CONTENT_WITHIN ||
3561  cd->flags & DETECT_CONTENT_DISTANCE ||
3562  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3563  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3564  cd->flags & DETECT_CONTENT_NEGATED ) {
3565  printf("one failed\n");
3566  result = 0;
3567  goto end;
3568  }
3569 
3570  sm = sm->next;
3571  if (sm->type != DETECT_BYTE_EXTRACT) {
3572  result = 0;
3573  goto end;
3574  }
3575  bed1 = (DetectByteExtractData *)sm->ctx;
3576  if (bed1->nbytes != 4 ||
3577  bed1->offset != 0 ||
3578  strcmp(bed1->name, "two") != 0 ||
3579  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3580  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3581  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3582  bed1->align_value != 0 ||
3583  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3584  goto end;
3585  }
3586  if (bed1->local_id != 0) {
3587  result = 0;
3588  goto end;
3589  }
3590 
3591  sm = sm->next;
3592  if (sm->type != DETECT_BYTE_EXTRACT) {
3593  result = 0;
3594  goto end;
3595  }
3596 
3597  sm = sm->next;
3598  if (sm->type != DETECT_BYTEJUMP) {
3599  result = 0;
3600  goto end;
3601  }
3602  bjd = (DetectBytejumpData *)sm->ctx;
3603  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3604  bjd->offset != 0) {
3605  printf("three failed\n");
3606  result = 0;
3607  goto end;
3608  }
3609 
3610  sm = sm->next;
3611  if (sm->type != DETECT_BYTEJUMP) {
3612  result = 0;
3613  goto end;
3614  }
3615  bjd = (DetectBytejumpData *)sm->ctx;
3616  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3617  bjd->offset != 1) {
3618  printf("four failed\n");
3619  result = 0;
3620  goto end;
3621  }
3622 
3623  if (sm->next != NULL)
3624  goto end;
3625 
3626  result = 1;
3627 
3628  end:
3629  SigGroupCleanup(de_ctx);
3630  SigCleanSignatures(de_ctx);
3631  DetectEngineCtxFree(de_ctx);
3632 
3633  return result;
3634 }
3635 
3636 static int DetectByteExtractTest55(void)
3637 {
3638  DetectEngineCtx *de_ctx = NULL;
3639  int result = 0;
3640  Signature *s = NULL;
3641  SigMatch *sm = NULL;
3642  DetectContentData *cd = NULL;
3643  DetectByteExtractData *bed1 = NULL;
3644  DetectByteExtractData *bed2 = NULL;
3645 
3646  de_ctx = DetectEngineCtxInit();
3647  if (de_ctx == NULL)
3648  goto end;
3649 
3650  de_ctx->flags |= DE_QUIET;
3651  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3652  "(msg:\"Testing byte_extract\"; "
3653  "content:\"one\"; "
3654  "byte_extract:4,0,two,string,hex; "
3655  "byte_extract:4,0,three,string,hex; "
3656  "byte_extract:4,0,four,string,hex; "
3657  "byte_extract:4,0,five,string,hex; "
3658  "content: \"four\"; within:two; distance:three; "
3659  "sid:1;)");
3660  if (de_ctx->sig_list == NULL) {
3661  goto end;
3662  }
3663 
3664  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3665  goto end;
3666  }
3667 
3668  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3669  if (sm->type != DETECT_CONTENT) {
3670  goto end;
3671  }
3672  cd = (DetectContentData *)sm->ctx;
3673  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3674  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3675  cd->flags & DETECT_CONTENT_NOCASE ||
3676  cd->flags & DETECT_CONTENT_WITHIN ||
3677  cd->flags & DETECT_CONTENT_DISTANCE ||
3678  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3679  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3680  cd->flags & DETECT_CONTENT_NEGATED ) {
3681  printf("one failed: ");
3682  goto end;
3683  }
3684 
3685  sm = sm->next;
3686  if (sm->type != DETECT_BYTE_EXTRACT) {
3687  goto end;
3688  }
3689  bed1 = (DetectByteExtractData *)sm->ctx;
3690  if (bed1->nbytes != 4 ||
3691  bed1->offset != 0 ||
3692  strcmp(bed1->name, "two") != 0 ||
3693  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3694  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3695  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3696  bed1->align_value != 0 ||
3697  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3698  goto end;
3699  }
3700  if (bed1->local_id != 0) {
3701  goto end;
3702  }
3703 
3704  sm = sm->next;
3705  if (sm->type != DETECT_BYTE_EXTRACT) {
3706  goto end;
3707  }
3708  bed2 = (DetectByteExtractData *)sm->ctx;
3709 
3710  sm = sm->next;
3711  if (sm->type != DETECT_BYTE_EXTRACT) {
3712  goto end;
3713  }
3714 
3715  sm = sm->next;
3716  if (sm->type != DETECT_BYTE_EXTRACT) {
3717  goto end;
3718  }
3719 
3720  sm = sm->next;
3721  if (sm->type != DETECT_CONTENT) {
3722  goto end;
3723  }
3724  cd = (DetectContentData *)sm->ctx;
3725  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3726  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3727  DETECT_CONTENT_WITHIN_VAR |
3728  DETECT_CONTENT_DISTANCE |
3729  DETECT_CONTENT_WITHIN) ||
3730  cd->within != bed1->local_id ||
3731  cd->distance != bed2->local_id) {
3732  printf("four failed: ");
3733  goto end;
3734  }
3735 
3736  if (sm->next != NULL) {
3737  goto end;
3738  }
3739 
3740  result = 1;
3741 
3742  end:
3743  SigGroupCleanup(de_ctx);
3744  SigCleanSignatures(de_ctx);
3745  DetectEngineCtxFree(de_ctx);
3746 
3747  return result;
3748 }
3749 
3750 static int DetectByteExtractTest56(void)
3751 {
3752  DetectEngineCtx *de_ctx = NULL;
3753  int result = 0;
3754  Signature *s = NULL;
3755  SigMatch *sm = NULL;
3756  DetectContentData *cd = NULL;
3757  DetectByteExtractData *bed1 = NULL;
3758  DetectByteExtractData *bed2 = NULL;
3759 
3760  de_ctx = DetectEngineCtxInit();
3761  if (de_ctx == NULL)
3762  goto end;
3763 
3764  de_ctx->flags |= DE_QUIET;
3765  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3766  "(msg:\"Testing bytejump_body\"; "
3767  "uricontent:\"urione\"; "
3768  "content:\"one\"; "
3769  "byte_extract:4,0,two,string,hex; "
3770  "byte_extract:4,0,three,string,hex; "
3771  "byte_extract:4,0,four,string,hex; "
3772  "byte_extract:4,0,five,string,hex; "
3773  "content: \"four\"; within:two; distance:three; "
3774  "sid:1;)");
3775  if (de_ctx->sig_list == NULL) {
3776  result = 0;
3777  goto end;
3778  }
3779 
3780  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3781  result = 0;
3782  goto end;
3783  }
3784 
3785  sm = s->sm_lists[g_http_uri_buffer_id];
3786  if (sm->type != DETECT_CONTENT) {
3787  result = 0;
3788  goto end;
3789  }
3790  cd = (DetectContentData *)sm->ctx;
3791  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3792  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3793  cd->flags & DETECT_CONTENT_NOCASE ||
3794  cd->flags & DETECT_CONTENT_WITHIN ||
3795  cd->flags & DETECT_CONTENT_DISTANCE ||
3796  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3797  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3798  cd->flags & DETECT_CONTENT_NEGATED ) {
3799  printf("one failed\n");
3800  result = 0;
3801  goto end;
3802  }
3803 
3804  if (sm->next != NULL)
3805  goto end;
3806 
3807  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3808  if (sm->type != DETECT_CONTENT) {
3809  result = 0;
3810  goto end;
3811  }
3812  cd = (DetectContentData *)sm->ctx;
3813  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3814  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3815  cd->flags & DETECT_CONTENT_NOCASE ||
3816  cd->flags & DETECT_CONTENT_WITHIN ||
3817  cd->flags & DETECT_CONTENT_DISTANCE ||
3818  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3819  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3820  cd->flags & DETECT_CONTENT_NEGATED ) {
3821  printf("one failed\n");
3822  result = 0;
3823  goto end;
3824  }
3825 
3826  sm = sm->next;
3827  if (sm->type != DETECT_BYTE_EXTRACT) {
3828  result = 0;
3829  goto end;
3830  }
3831  bed1 = (DetectByteExtractData *)sm->ctx;
3832  if (bed1->nbytes != 4 ||
3833  bed1->offset != 0 ||
3834  strcmp(bed1->name, "two") != 0 ||
3835  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3836  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3837  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3838  bed1->align_value != 0 ||
3839  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3840  goto end;
3841  }
3842  if (bed1->local_id != 0) {
3843  result = 0;
3844  goto end;
3845  }
3846 
3847  sm = sm->next;
3848  if (sm->type != DETECT_BYTE_EXTRACT) {
3849  result = 0;
3850  goto end;
3851  }
3852  bed2 = (DetectByteExtractData *)sm->ctx;
3853 
3854  sm = sm->next;
3855  if (sm->type != DETECT_BYTE_EXTRACT) {
3856  result = 0;
3857  goto end;
3858  }
3859 
3860  sm = sm->next;
3861  if (sm->type != DETECT_BYTE_EXTRACT) {
3862  result = 0;
3863  goto end;
3864  }
3865 
3866  sm = sm->next;
3867  if (sm->type != DETECT_CONTENT) {
3868  result = 0;
3869  goto end;
3870  }
3871  cd = (DetectContentData *)sm->ctx;
3872  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3873  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3874  DETECT_CONTENT_WITHIN_VAR |
3875  DETECT_CONTENT_DISTANCE |
3876  DETECT_CONTENT_WITHIN) ||
3877  cd->within != bed1->local_id ||
3878  cd->distance != bed2->local_id ) {
3879  printf("four failed\n");
3880  result = 0;
3881  goto end;
3882  }
3883 
3884  if (sm->next != NULL) {
3885  goto end;
3886  }
3887 
3888  result = 1;
3889 
3890  end:
3891  SigGroupCleanup(de_ctx);
3892  SigCleanSignatures(de_ctx);
3893  DetectEngineCtxFree(de_ctx);
3894 
3895  return result;
3896 }
3897 
3898 static int DetectByteExtractTest57(void)
3899 {
3900  DetectEngineCtx *de_ctx = NULL;
3901  int result = 0;
3902  Signature *s = NULL;
3903  SigMatch *sm = NULL;
3904  DetectContentData *cd = NULL;
3905  DetectByteExtractData *bed1 = NULL;
3906  DetectByteExtractData *bed2 = NULL;
3907  DetectByteExtractData *bed3 = NULL;
3908  DetectByteExtractData *bed4 = NULL;
3909 
3910  de_ctx = DetectEngineCtxInit();
3911  if (de_ctx == NULL)
3912  goto end;
3913 
3914  de_ctx->flags |= DE_QUIET;
3915  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3916  "(msg:\"Testing bytejump_body\"; "
3917  "content:\"one\"; "
3918  "uricontent: \"urione\"; "
3919  "byte_extract:4,0,two,string,hex,relative; "
3920  "byte_extract:4,0,three,string,hex,relative; "
3921  "byte_extract:4,0,four,string,hex,relative; "
3922  "byte_extract:4,0,five,string,hex,relative; "
3923  "uricontent: \"four\"; within:two; distance:three; "
3924  "sid:1;)");
3925  if (de_ctx->sig_list == NULL) {
3926  result = 0;
3927  goto end;
3928  }
3929 
3930  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3931  result = 0;
3932  goto end;
3933  }
3934 
3935  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3936  if (sm->type != DETECT_CONTENT) {
3937  result = 0;
3938  goto end;
3939  }
3940  cd = (DetectContentData *)sm->ctx;
3941  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3942  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3943  cd->flags & DETECT_CONTENT_NOCASE ||
3944  cd->flags & DETECT_CONTENT_WITHIN ||
3945  cd->flags & DETECT_CONTENT_DISTANCE ||
3946  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3947  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3948  cd->flags & DETECT_CONTENT_NEGATED ) {
3949  printf("one failed\n");
3950  result = 0;
3951  goto end;
3952  }
3953 
3954  if (sm->next != NULL)
3955  goto end;
3956 
3957  sm = s->sm_lists[g_http_uri_buffer_id];
3958  if (sm->type != DETECT_CONTENT) {
3959  result = 0;
3960  goto end;
3961  }
3962  cd = (DetectContentData *)sm->ctx;
3963  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3964  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3965  cd->flags & DETECT_CONTENT_NOCASE ||
3966  cd->flags & DETECT_CONTENT_WITHIN ||
3967  cd->flags & DETECT_CONTENT_DISTANCE ||
3968  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3969  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3970  cd->flags & DETECT_CONTENT_NEGATED ) {
3971  printf("one failed\n");
3972  result = 0;
3973  goto end;
3974  }
3975 
3976  sm = sm->next;
3977  if (sm->type != DETECT_BYTE_EXTRACT) {
3978  result = 0;
3979  goto end;
3980  }
3981  bed1 = (DetectByteExtractData *)sm->ctx;
3982  if (bed1->nbytes != 4 ||
3983  bed1->offset != 0 ||
3984  strcmp(bed1->name, "two") != 0 ||
3985  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
3986  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3987  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3988  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3989  bed1->align_value != 0 ||
3990  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3991  goto end;
3992  }
3993  if (bed1->local_id != 0) {
3994  result = 0;
3995  goto end;
3996  }
3997 
3998  sm = sm->next;
3999  if (sm->type != DETECT_BYTE_EXTRACT) {
4000  result = 0;
4001  goto end;
4002  }
4003  bed2 = (DetectByteExtractData *)sm->ctx;
4004  if (bed2->local_id != 1) {
4005  result = 0;
4006  goto end;
4007  }
4008 
4009  sm = sm->next;
4010  if (sm->type != DETECT_BYTE_EXTRACT) {
4011  result = 0;
4012  goto end;
4013  }
4014  bed3 = (DetectByteExtractData *)sm->ctx;
4015  if (bed3->local_id != 2) {
4016  result = 0;
4017  goto end;
4018  }
4019 
4020  sm = sm->next;
4021  if (sm->type != DETECT_BYTE_EXTRACT) {
4022  result = 0;
4023  goto end;
4024  }
4025  bed4 = (DetectByteExtractData *)sm->ctx;
4026  if (bed4->local_id != 3) {
4027  result = 0;
4028  goto end;
4029  }
4030 
4031  sm = sm->next;
4032  if (sm->type != DETECT_CONTENT) {
4033  result = 0;
4034  goto end;
4035  }
4036  cd = (DetectContentData *)sm->ctx;
4037  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
4038  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
4039  DETECT_CONTENT_WITHIN_VAR |
4040  DETECT_CONTENT_DISTANCE |
4041  DETECT_CONTENT_WITHIN) ||
4042  cd->within != bed1->local_id ||
4043  cd->distance != bed2->local_id) {
4044  printf("four failed\n");
4045  result = 0;
4046  goto end;
4047  }
4048 
4049  if (sm->next != NULL) {
4050  goto end;
4051  }
4052 
4053  result = 1;
4054 
4055  end:
4056  SigGroupCleanup(de_ctx);
4057  SigCleanSignatures(de_ctx);
4058  DetectEngineCtxFree(de_ctx);
4059 
4060  return result;
4061 }
4062 
4063 static int DetectByteExtractTest58(void)
4064 {
4065  DetectEngineCtx *de_ctx = NULL;
4066  int result = 0;
4067  Signature *s = NULL;
4068  SigMatch *sm = NULL;
4069  DetectContentData *cd = NULL;
4070  DetectByteExtractData *bed1 = NULL;
4071  DetectBytejumpData *bjd = NULL;
4072  DetectIsdataatData *isdd = NULL;
4073 
4074  de_ctx = DetectEngineCtxInit();
4075  if (de_ctx == NULL)
4076  goto end;
4077 
4078  de_ctx->flags |= DE_QUIET;
4079  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4080  "(msg:\"Testing bytejump_body\"; "
4081  "content:\"one\"; "
4082  "byte_extract:4,0,two,string,hex; "
4083  "byte_extract:4,0,three,string,hex; "
4084  "byte_jump: 2,two; "
4085  "byte_jump: 3,three; "
4086  "isdataat: three; "
4087  "sid:1;)");
4088  if (de_ctx->sig_list == NULL) {
4089  result = 0;
4090  goto end;
4091  }
4092 
4093  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4094  result = 0;
4095  goto end;
4096  }
4097 
4098  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4099  if (sm->type != DETECT_CONTENT) {
4100  result = 0;
4101  goto end;
4102  }
4103  cd = (DetectContentData *)sm->ctx;
4104  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4105  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4106  cd->flags & DETECT_CONTENT_NOCASE ||
4107  cd->flags & DETECT_CONTENT_WITHIN ||
4108  cd->flags & DETECT_CONTENT_DISTANCE ||
4109  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4110  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4111  cd->flags & DETECT_CONTENT_NEGATED ) {
4112  printf("one failed\n");
4113  result = 0;
4114  goto end;
4115  }
4116 
4117  sm = sm->next;
4118  if (sm->type != DETECT_BYTE_EXTRACT) {
4119  result = 0;
4120  goto end;
4121  }
4122  bed1 = (DetectByteExtractData *)sm->ctx;
4123  if (bed1->nbytes != 4 ||
4124  bed1->offset != 0 ||
4125  strcmp(bed1->name, "two") != 0 ||
4126  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4127  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4128  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4129  bed1->align_value != 0 ||
4130  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4131  goto end;
4132  }
4133  if (bed1->local_id != 0) {
4134  result = 0;
4135  goto end;
4136  }
4137 
4138  sm = sm->next;
4139  if (sm->type != DETECT_BYTE_EXTRACT) {
4140  result = 0;
4141  goto end;
4142  }
4143 
4144  sm = sm->next;
4145  if (sm->type != DETECT_BYTEJUMP) {
4146  result = 0;
4147  goto end;
4148  }
4149  bjd = (DetectBytejumpData *)sm->ctx;
4150  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4151  bjd->offset != 0) {
4152  printf("three failed\n");
4153  result = 0;
4154  goto end;
4155  }
4156 
4157  sm = sm->next;
4158  if (sm->type != DETECT_BYTEJUMP) {
4159  result = 0;
4160  goto end;
4161  }
4162  bjd = (DetectBytejumpData *)sm->ctx;
4163  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4164  bjd->offset != 1) {
4165  printf("four failed\n");
4166  result = 0;
4167  goto end;
4168  }
4169 
4170  sm = sm->next;
4171  if (sm->type != DETECT_ISDATAAT) {
4172  result = 0;
4173  goto end;
4174  }
4175  isdd = (DetectIsdataatData *)sm->ctx;
4176  if (isdd->flags != ISDATAAT_OFFSET_VAR ||
4177  isdd->dataat != 1) {
4178  printf("isdataat failed\n");
4179  result = 0;
4180  goto end;
4181  }
4182 
4183  if (sm->next != NULL)
4184  goto end;
4185 
4186  result = 1;
4187 
4188  end:
4189  SigGroupCleanup(de_ctx);
4190  SigCleanSignatures(de_ctx);
4191  DetectEngineCtxFree(de_ctx);
4192 
4193  return result;
4194 }
4195 
4196 static int DetectByteExtractTest59(void)
4197 {
4198  DetectEngineCtx *de_ctx = NULL;
4199  int result = 0;
4200  Signature *s = NULL;
4201  SigMatch *sm = NULL;
4202  DetectContentData *cd = NULL;
4203  DetectByteExtractData *bed1 = NULL;
4204  DetectBytejumpData *bjd = NULL;
4205  DetectIsdataatData *isdd = NULL;
4206 
4207  de_ctx = DetectEngineCtxInit();
4208  if (de_ctx == NULL)
4209  goto end;
4210 
4211  de_ctx->flags |= DE_QUIET;
4212  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4213  "(msg:\"Testing bytejump_body\"; "
4214  "content:\"one\"; "
4215  "byte_extract:4,0,two,string,hex; "
4216  "byte_extract:4,0,three,string,hex; "
4217  "byte_jump: 2,two; "
4218  "byte_jump: 3,three; "
4219  "isdataat: three,relative; "
4220  "sid:1;)");
4221  if (de_ctx->sig_list == NULL) {
4222  result = 0;
4223  goto end;
4224  }
4225 
4226  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4227  result = 0;
4228  goto end;
4229  }
4230 
4231  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4232  if (sm->type != DETECT_CONTENT) {
4233  result = 0;
4234  goto end;
4235  }
4236  cd = (DetectContentData *)sm->ctx;
4237  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4238  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4239  cd->flags & DETECT_CONTENT_NOCASE ||
4240  cd->flags & DETECT_CONTENT_WITHIN ||
4241  cd->flags & DETECT_CONTENT_DISTANCE ||
4242  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4243  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4244  cd->flags & DETECT_CONTENT_NEGATED ) {
4245  printf("one failed\n");
4246  result = 0;
4247  goto end;
4248  }
4249 
4250  sm = sm->next;
4251  if (sm->type != DETECT_BYTE_EXTRACT) {
4252  result = 0;
4253  goto end;
4254  }
4255  bed1 = (DetectByteExtractData *)sm->ctx;
4256  if (bed1->nbytes != 4 ||
4257  bed1->offset != 0 ||
4258  strcmp(bed1->name, "two") != 0 ||
4259  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4260  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4261  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4262  bed1->align_value != 0 ||
4263  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4264  goto end;
4265  }
4266  if (bed1->local_id != 0) {
4267  result = 0;
4268  goto end;
4269  }
4270 
4271  sm = sm->next;
4272  if (sm->type != DETECT_BYTE_EXTRACT) {
4273  result = 0;
4274  goto end;
4275  }
4276 
4277  sm = sm->next;
4278  if (sm->type != DETECT_BYTEJUMP) {
4279  result = 0;
4280  goto end;
4281  }
4282  bjd = (DetectBytejumpData *)sm->ctx;
4283  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4284  bjd->offset != 0) {
4285  printf("three failed\n");
4286  result = 0;
4287  goto end;
4288  }
4289 
4290  sm = sm->next;
4291  if (sm->type != DETECT_BYTEJUMP) {
4292  result = 0;
4293  goto end;
4294  }
4295  bjd = (DetectBytejumpData *)sm->ctx;
4296  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4297  bjd->offset != 1) {
4298  printf("four failed\n");
4299  result = 0;
4300  goto end;
4301  }
4302 
4303  sm = sm->next;
4304  if (sm->type != DETECT_ISDATAAT) {
4305  result = 0;
4306  goto end;
4307  }
4308  isdd = (DetectIsdataatData *)sm->ctx;
4309  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4310  ISDATAAT_RELATIVE) ||
4311  isdd->dataat != 1) {
4312  printf("isdataat failed\n");
4313  result = 0;
4314  goto end;
4315  }
4316 
4317  if (sm->next != NULL)
4318  goto end;
4319 
4320  result = 1;
4321 
4322  end:
4323  SigGroupCleanup(de_ctx);
4324  SigCleanSignatures(de_ctx);
4325  DetectEngineCtxFree(de_ctx);
4326 
4327  return result;
4328 }
4329 
4330 static int DetectByteExtractTest60(void)
4331 {
4332  DetectEngineCtx *de_ctx = NULL;
4333  int result = 0;
4334  Signature *s = NULL;
4335  SigMatch *sm = NULL;
4336  DetectContentData *cd = NULL;
4337  DetectByteExtractData *bed1 = NULL;
4338  DetectIsdataatData *isdd = NULL;
4339 
4340  de_ctx = DetectEngineCtxInit();
4341  if (de_ctx == NULL)
4342  goto end;
4343 
4344  de_ctx->flags |= DE_QUIET;
4345  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4346  "(msg:\"Testing bytejump_body\"; "
4347  "content:\"one\"; "
4348  "byte_extract:4,0,two,string,hex,relative; "
4349  "uricontent: \"three\"; "
4350  "byte_extract:4,0,four,string,hex,relative; "
4351  "isdataat: two; "
4352  "sid:1;)");
4353  if (de_ctx->sig_list == NULL) {
4354  result = 0;
4355  goto end;
4356  }
4357 
4358  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4359  result = 0;
4360  goto end;
4361  }
4362 
4363  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4364  if (sm->type != DETECT_CONTENT) {
4365  result = 0;
4366  goto end;
4367  }
4368  cd = (DetectContentData *)sm->ctx;
4369  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4370  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4371  cd->flags & DETECT_CONTENT_NOCASE ||
4372  cd->flags & DETECT_CONTENT_WITHIN ||
4373  cd->flags & DETECT_CONTENT_DISTANCE ||
4374  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4375  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4376  cd->flags & DETECT_CONTENT_NEGATED ) {
4377  printf("one failed\n");
4378  result = 0;
4379  goto end;
4380  }
4381 
4382  sm = sm->next;
4383  if (sm->type != DETECT_BYTE_EXTRACT) {
4384  result = 0;
4385  goto end;
4386  }
4387  bed1 = (DetectByteExtractData *)sm->ctx;
4388  if (bed1->nbytes != 4 ||
4389  bed1->offset != 0 ||
4390  strcmp(bed1->name, "two") != 0 ||
4391  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4392  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4393  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4394  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4395  bed1->align_value != 0 ||
4396  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4397  goto end;
4398  }
4399  if (bed1->local_id != 0) {
4400  result = 0;
4401  goto end;
4402  }
4403 
4404  sm = sm->next;
4405  if (sm->type != DETECT_ISDATAAT) {
4406  result = 0;
4407  goto end;
4408  }
4409  isdd = (DetectIsdataatData *)sm->ctx;
4410  if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
4411  isdd->dataat != bed1->local_id) {
4412  printf("isdataat failed\n");
4413  result = 0;
4414  goto end;
4415  }
4416 
4417  if (sm->next != NULL)
4418  goto end;
4419 
4420  if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
4421  result = 0;
4422  goto end;
4423  }
4424 
4425  sm = s->sm_lists[g_http_uri_buffer_id];
4426  if (sm->type != DETECT_CONTENT) {
4427  result = 0;
4428  goto end;
4429  }
4430  cd = (DetectContentData *)sm->ctx;
4431  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4432  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4433  printf("one failed\n");
4434  result = 0;
4435  goto end;
4436  }
4437 
4438  sm = sm->next;
4439  if (sm->type != DETECT_BYTE_EXTRACT) {
4440  result = 0;
4441  goto end;
4442  }
4443  bed1 = (DetectByteExtractData *)sm->ctx;
4444  if (bed1->nbytes != 4 ||
4445  bed1->offset != 0 ||
4446  strcmp(bed1->name, "four") != 0 ||
4447  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4448  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4449  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4450  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4451  bed1->align_value != 0 ||
4452  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4453  goto end;
4454  }
4455  if (bed1->local_id != 0) {
4456  result = 0;
4457  goto end;
4458  }
4459 
4460  if (sm->next != NULL)
4461  goto end;
4462 
4463  result = 1;
4464 
4465  end:
4466  SigGroupCleanup(de_ctx);
4467  SigCleanSignatures(de_ctx);
4468  DetectEngineCtxFree(de_ctx);
4469 
4470  return result;
4471 }
4472 
4473 static int DetectByteExtractTest61(void)
4474 {
4475  DetectEngineCtx *de_ctx = NULL;
4476  int result = 0;
4477  Signature *s = NULL;
4478  SigMatch *sm = NULL;
4479  DetectContentData *cd = NULL;
4480  DetectByteExtractData *bed1 = NULL;
4481  DetectIsdataatData *isdd = NULL;
4482 
4483  de_ctx = DetectEngineCtxInit();
4484  if (de_ctx == NULL)
4485  goto end;
4486 
4487  de_ctx->flags |= DE_QUIET;
4488  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4489  "(msg:\"Testing bytejump_body\"; "
4490  "content:\"one\"; "
4491  "byte_extract:4,0,two,string,hex,relative; "
4492  "uricontent: \"three\"; "
4493  "byte_extract:4,0,four,string,hex,relative; "
4494  "isdataat: four, relative; "
4495  "sid:1;)");
4496  if (de_ctx->sig_list == NULL) {
4497  result = 0;
4498  goto end;
4499  }
4500 
4501  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4502  result = 0;
4503  goto end;
4504  }
4505 
4506  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4507  if (sm->type != DETECT_CONTENT) {
4508  result = 0;
4509  goto end;
4510  }
4511  cd = (DetectContentData *)sm->ctx;
4512  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4513  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4514  cd->flags & DETECT_CONTENT_NOCASE ||
4515  cd->flags & DETECT_CONTENT_WITHIN ||
4516  cd->flags & DETECT_CONTENT_DISTANCE ||
4517  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4518  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4519  cd->flags & DETECT_CONTENT_NEGATED ) {
4520  printf("one failed\n");
4521  result = 0;
4522  goto end;
4523  }
4524 
4525  sm = sm->next;
4526  if (sm->type != DETECT_BYTE_EXTRACT) {
4527  result = 0;
4528  goto end;
4529  }
4530  bed1 = (DetectByteExtractData *)sm->ctx;
4531  if (bed1->nbytes != 4 ||
4532  bed1->offset != 0 ||
4533  strcmp(bed1->name, "two") != 0 ||
4534  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4535  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4536  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4537  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4538  bed1->align_value != 0 ||
4539  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4540  goto end;
4541  }
4542  if (bed1->local_id != 0) {
4543  result = 0;
4544  goto end;
4545  }
4546 
4547  if (sm->next != NULL)
4548  goto end;
4549 
4550  if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
4551  result = 0;
4552  goto end;
4553  }
4554 
4555  sm = s->sm_lists[g_http_uri_buffer_id];
4556  if (sm->type != DETECT_CONTENT) {
4557  result = 0;
4558  goto end;
4559  }
4560  cd = (DetectContentData *)sm->ctx;
4561  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4562  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4563  printf("one failed\n");
4564  result = 0;
4565  goto end;
4566  }
4567 
4568  sm = sm->next;
4569  if (sm->type != DETECT_BYTE_EXTRACT) {
4570  result = 0;
4571  goto end;
4572  }
4573  bed1 = (DetectByteExtractData *)sm->ctx;
4574  if (bed1->nbytes != 4 ||
4575  bed1->offset != 0 ||
4576  strcmp(bed1->name, "four") != 0 ||
4577  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4578  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4579  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4580  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4581  bed1->align_value != 0 ||
4582  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4583  goto end;
4584  }
4585  if (bed1->local_id != 0) {
4586  result = 0;
4587  goto end;
4588  }
4589 
4590  sm = sm->next;
4591  if (sm->type != DETECT_ISDATAAT) {
4592  result = 0;
4593  goto end;
4594  }
4595  isdd = (DetectIsdataatData *)sm->ctx;
4596  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4597  ISDATAAT_RELATIVE) ||
4598  isdd->dataat != bed1->local_id) {
4599  printf("isdataat failed\n");
4600  result = 0;
4601  goto end;
4602  }
4603 
4604  if (sm->next != NULL)
4605  goto end;
4606 
4607  result = 1;
4608 
4609  end:
4610  SigGroupCleanup(de_ctx);
4611  SigCleanSignatures(de_ctx);
4612  DetectEngineCtxFree(de_ctx);
4613 
4614  return result;
4615 }
4616 
4617 static int DetectByteExtractTest62(void)
4618 {
4619  DetectEngineCtx *de_ctx = NULL;
4620  int result = 0;
4621  Signature *s = NULL;
4622  SigMatch *sm = NULL;
4623  DetectByteExtractData *bed = NULL;
4624 
4625  de_ctx = DetectEngineCtxInit();
4626  if (de_ctx == NULL)
4627  goto end;
4628 
4629  de_ctx->flags |= DE_QUIET;
4630  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4631  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4632  "sid:1;)");
4633  if (de_ctx->sig_list == NULL) {
4634  goto end;
4635  }
4636 
4637  if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) {
4638  goto end;
4639  }
4640 
4641  sm = s->sm_lists[g_file_data_buffer_id];
4642  if (sm->type != DETECT_BYTE_EXTRACT) {
4643  result = 0;
4644  goto end;
4645  }
4646  bed = (DetectByteExtractData *)sm->ctx;
4647  if (bed->nbytes != 4 ||
4648  bed->offset != 2 ||
4649  strncmp(bed->name, "two", 3) != 0 ||
4650  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4651  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4652  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4653  bed->align_value != 0 ||
4654  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4655  goto end;
4656  }
4657 
4658  result = 1;
4659 
4660  end:
4661  SigGroupCleanup(de_ctx);
4662  SigCleanSignatures(de_ctx);
4663  DetectEngineCtxFree(de_ctx);
4664 
4665  return result;
4666 }
4667 
4668 static int DetectByteExtractTest63(void)
4669 {
4670  int result = 0;
4671 
4672  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4673  if (bed == NULL)
4674  goto end;
4675 
4676  if (bed->nbytes != 4 ||
4677  bed->offset != -2 ||
4678  strcmp(bed->name, "one") != 0 ||
4679  bed->flags != 0 ||
4680  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
4681  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
4682  bed->align_value != 0 ||
4683  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4684  goto end;
4685  }
4686 
4687  result = 1;
4688  end:
4689  if (bed != NULL)
4690  DetectByteExtractFree(NULL, bed);
4691  return result;
4692 }
4693 
4694 static int DetectByteExtractTestParseNoBase(void)
4695 {
4696  int result = 0;
4697 
4698  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4699  if (bed == NULL)
4700  goto end;
4701 
4702  if (bed->nbytes != 4) {
4703  goto end;
4704  }
4705  if (bed->offset != 2) {
4706  goto end;
4707  }
4708  if (strcmp(bed->name, "one") != 0) {
4709  goto end;
4710  }
4711  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4712  goto end;
4713  }
4714  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
4715  goto end;
4716  }
4717  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4718  goto end;
4719  }
4720  if (bed->align_value != 0) {
4721  goto end;
4722  }
4723  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4724  goto end;
4725  }
4726 
4727  result = 1;
4728  end:
4729  if (bed != NULL)
4730  DetectByteExtractFree(NULL, bed);
4731  return result;
4732 }
4733 
4734 static void DetectByteExtractRegisterTests(void)
4735 {
4736  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4737  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4738 
4739  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4740  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4741  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4742  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4743  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4744  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4745  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4746  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4747  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4748  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4749  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4750  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4751  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4752  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4753  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4754  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4755  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4756  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4757  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4758  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4759  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4760  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4761  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4762  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4763  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4764  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4765  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4766  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4767  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4768  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4769  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4770  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4771  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4772  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4773  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4774  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4775  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4776  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4777  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4778  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4779  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4780  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4781 
4782  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4783  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4784 
4785  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4786  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4787 
4788  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4789  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4790 
4791  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4792  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4793 
4794  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4795  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4796 
4797  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4798  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4799 
4800  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4801  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4802  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4803 
4804  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4805  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4806  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4807  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4808  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4809  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4810 
4811  UtRegisterTest("DetectByteExtractTestParseNoBase",
4812  DetectByteExtractTestParseNoBase);
4813 }
4814 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:100
util-byte.h
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1203
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1487
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DETECT_BYTE_EXTRACT_ENDIAN_DCE
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE
Definition: detect-byte-extract.h:38
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1030
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
SigTableElmt_::desc
const char * desc
Definition: detect.h:1202
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:76
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1190
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1200
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:74
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectContentData_::within
int32_t within
Definition: detect-content.h:102
DETECT_BYTE_EXTRACT_FLAG_STRING
#define DETECT_BYTE_EXTRACT_FLAG_STRING
Definition: detect-byte-extract.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DetectByteExtractData_::local_id
uint8_t local_id
Definition: detect-byte-extract.h:45
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:59
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
DetectByteExtractData_
Holds data related to byte_extract keyword.
Definition: detect-byte-extract.h:43
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:332
threads.h
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2070
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:755
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2040
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:58
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:48
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DetectBytetestData_
Definition: detect-bytetest.h:52
DetectByteExtractData_::nbytes
uint8_t nbytes
Definition: detect-byte-extract.h:47
SigMatchData_
Data needed for Match()
Definition: detect.h:329
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1185
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:44
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:49
util-unittest-helper.h
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:218
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:825
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:540
SC_ERR_PCRE_PARSE
@ SC_ERR_PCRE_PARSE
Definition: util-error.h:37
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:72
decode.h
util-debug.h
DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
Definition: detect-byte-extract.c:53
DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
Definition: detect-byte-extract.c:65
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:999
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectByteExtractData_::offset
int32_t offset
Definition: detect-byte-extract.h:49
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2507
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:492
DETECT_BYTE_EXTRACT_ENDIAN_BIG
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG
Definition: detect-byte-extract.h:36
detect-engine-mpm.h
detect.h
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:60
DetectByteExtractData_::align_value
uint8_t align_value
Definition: detect-byte-extract.h:54
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:324
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
DetectByteExtractData_::endian
uint8_t endian
Definition: detect-byte-extract.h:52
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1953
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
Signature_::flags
uint32_t flags
Definition: detect.h:516
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:99
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2437
DETECT_BYTE_EXTRACT_FLAG_RELATIVE
#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE
Definition: detect-byte-extract.h:28
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:584
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1168
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:509
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:656
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:846
DetectByteExtractData_::base
uint8_t base
Definition: detect-byte-extract.h:53
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:62
SigMatch_::type
uint8_t type
Definition: detect.h:321
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:115
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:73
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
DETECT_BYTE_EXTRACT_BASE_NONE
#define DETECT_BYTE_EXTRACT_BASE_NONE
Definition: detect-byte-extract.c:57
DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
Definition: detect-byte-extract.h:37
suricata-common.h
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:73
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:101
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
util-spm.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:761
DETECT_BYTE_EXTRACT_FLAG_ALIGN
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN
Definition: detect-byte-extract.h:31
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectByteExtractData_::name
const char * name
Definition: detect-byte-extract.h:50
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:625
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectByteExtractData_::multiplier_value
uint16_t multiplier_value
Definition: detect-byte-extract.h:56
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT_ENDIAN_NONE
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE
Definition: detect-byte-extract.h:35
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:171
DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
Definition: detect-byte-extract.h:29
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint16_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:114
detect-parse.h
Signature_
Signature container.
Definition: detect.h:515
SigMatch_
a single match condition for a signature
Definition: detect.h:320
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:80
DetectByteExtractData_::flags
uint8_t flags
Definition: detect-byte-extract.h:51
DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
Definition: detect-byte-extract.c:67
DETECT_BYTE_EXTRACT_FLAG_ENDIAN
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN
Definition: detect-byte-extract.h:32
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:59
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:36
StringParseUint8
int StringParseUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:359
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1995
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:100
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:234
DetectPcreData_
Definition: detect-pcre.h:39
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-byte-extract.c:78
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:75
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:756
flow.h
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
Definition: detect-byte-extract.c:68
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:74
StringParseI32RangeCheck
int StringParseI32RangeCheck(int32_t *res, int base, uint16_t len, const char *str, int32_t min, int32_t max)
Definition: util-byte.c:704
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:61
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1192
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:47
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
SignatureInitData_::smlists_array_size
uint32_t smlists_array_size
Definition: detect.h:507
detect-bytetest.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171