suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "decode.h"
26 
27 #include "detect.h"
28 #include "detect-engine.h"
29 #include "detect-content.h"
30 #include "detect-pcre.h"
31 #include "detect-bytejump.h"
32 #include "detect-bytetest.h"
33 #include "detect-byte-extract.h"
34 #include "detect-isdataat.h"
35 #include "detect-engine-build.h"
36 
37 #include "rust.h"
38 
39 #include "app-layer-protos.h"
40 
41 #include "util-byte.h"
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 /* the base to be used if string mode is specified. These options would be
47  * specified in DetectByteParseData->base */
48 #define DETECT_BYTE_EXTRACT_BASE_HEX BaseHex
49 #define DETECT_BYTE_EXTRACT_BASE_DEC BaseDec
50 #define DETECT_BYTE_EXTRACT_BASE_OCT BaseOct
51 
52 /* the max no of bytes that can be extracted in string mode - (string, hex)
53  * (string, oct) or (string, dec) */
54 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
55 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
56 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
57 /* the max no of bytes that can be extracted in non-string mode */
58 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
59 
60 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
61 #ifdef UNITTESTS
62 static void DetectByteExtractRegisterTests(void);
63 #endif
64 static void DetectByteExtractFree(DetectEngineCtx *, void *);
65 
66 /**
67  * \brief Registers the keyword handlers for the "byte_extract" keyword.
68  */
70 {
71  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
72  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
73  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
75  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
76  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
77 #ifdef UNITTESTS
78  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
79 #endif
80 }
81 
83  const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value,
84  uint8_t endian)
85 {
86  if (payload_len == 0) {
87  return 0;
88  }
89 
90  /* Calculate the ptr value for the bytetest and length remaining in
91  * the packet from that point.
92  */
93  const uint8_t *ptr;
94  int32_t len;
95  SCDetectByteExtractData *data = (SCDetectByteExtractData *)smd->ctx;
96  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
97  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
98  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
99 
100  ptr = payload + det_ctx->buffer_offset;
101  len = payload_len - det_ctx->buffer_offset;
102 
103  ptr += data->offset;
104  len -= data->offset;
105 
106  /* No match if there is no relative base */
107  if (len <= 0) {
108  return 0;
109  }
110  //PrintRawDataFp(stdout,ptr,len);
111  } else {
112  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
113 
114  ptr = payload + data->offset;
115  len = payload_len - data->offset;
116  }
117 
118  /* Validate that the to-be-extracted is within the packet */
119  if (ptr < payload || data->nbytes > len) {
120  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
121  payload, ptr, len, data->nbytes);
122  return 0;
123  }
124 
125  /* Extract the byte data */
126  uint64_t val = 0;
127  int extbytes;
128  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
129  extbytes = ByteExtractStringUint64(&val, data->base,
130  data->nbytes, (const char *)ptr);
131  if (extbytes <= 0) {
132  /* strtoull() return 0 if there is no numeric value in data string */
133  if (val == 0) {
134  SCLogDebug("No Numeric value");
135  return 0;
136  } else {
137  SCLogDebug("error extracting %d bytes of string data: %d",
138  data->nbytes, extbytes);
139  return -1;
140  }
141  }
142  } else {
143  int endianness = (endian == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
144  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
145  if (extbytes != data->nbytes) {
146  SCLogDebug("error extracting %d bytes of numeric data: %d",
147  data->nbytes, extbytes);
148  return 0;
149  }
150  }
151 
152  /* Adjust the jump value based on flags */
153  val *= data->multiplier_value;
154  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
155  if ((val % data->align_value) != 0) {
156  val += data->align_value - (val % data->align_value);
157  }
158  }
159 
160  ptr += extbytes;
161 
162  det_ctx->buffer_offset = (uint32_t)(ptr - payload);
163 
164  *value = val;
165  SCLogDebug("extracted value is %"PRIu64, val);
166  return 1;
167 }
168 
169 /**
170  * \internal
171  * \brief Used to parse byte_extract arg.
172  *
173  * \param de_ctx Pointer to the detection engine context
174  * \arg The argument to parse.
175  *
176  * \param bed On success an instance containing the parsed data.
177  * On failure, NULL.
178  */
179 static inline SCDetectByteExtractData *DetectByteExtractParse(
180  DetectEngineCtx *de_ctx, const char *arg)
181 {
182  SCDetectByteExtractData *bed = SCByteExtractParse(arg);
183  if (bed == NULL) {
184  SCLogError("invalid byte_extract values");
185  goto error;
186  }
187 
188  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_SLICE) {
189  SCLogError("byte_extract slice not yet supported; see issue #6831");
190  goto error;
191  }
192  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
193  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
194  /* if are dealing with octal nos, the max no that can fit in a 8
195  * byte value is 01777777777777777777777 */
196  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
197  SCLogError("byte_extract can't process "
198  "more than %d bytes in \"string\" extraction",
200  goto error;
201  }
202  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
203  /* if are dealing with decimal nos, the max no that can fit in a 8
204  * byte value is 18446744073709551615 */
205  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
206  SCLogError("byte_extract can't process "
207  "more than %d bytes in \"string\" extraction",
209  goto error;
210  }
211  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
212  /* if are dealing with hex nos, the max no that can fit in a 8
213  * byte value is 0xFFFFFFFFFFFFFFFF */
214  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
215  SCLogError("byte_extract can't process "
216  "more than %d bytes in \"string\" extraction",
218  goto error;
219  }
220  } else {
221  ; // just a placeholder. we won't reach here.
222  }
223  } else {
224  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
225  SCLogError("byte_extract can't process "
226  "more than %d bytes in \"non-string\" extraction",
228  goto error;
229  }
230  /* if string has not been specified and no endian option has been
231  * specified, then set the default endian level of BIG */
232  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
233  bed->endian = BigEndian;
234  }
235  return bed;
236 
237  error:
238  if (bed != NULL)
239  DetectByteExtractFree(de_ctx, bed);
240  return NULL;
241 }
242 
243 /**
244  * \brief The setup function for the byte_extract keyword for a signature.
245  *
246  * \param de_ctx Pointer to the detection engine context.
247  * \param s Pointer to signature for the current Signature being parsed
248  * from the rules.
249  * \param m Pointer to the head of the SigMatch for the current rule
250  * being parsed.
251  * \param arg Pointer to the string holding the keyword value.
252  *
253  * \retval 0 On success.
254  * \retval -1 On failure.
255  */
256 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
257 {
258  SigMatch *prev_pm = NULL;
259  SCDetectByteExtractData *data = NULL;
260  int ret = -1;
261 
262  data = DetectByteExtractParse(de_ctx, arg);
263  if (data == NULL)
264  goto error;
265 
266  int sm_list;
267  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
268  sm_list = s->init_data->list;
269 
270  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
272  }
273  } else if (data->endian == EndianDCE) {
274  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
278  if (prev_pm == NULL) {
279  sm_list = DETECT_SM_LIST_PMATCH;
280  } else {
281  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
282  if (sm_list < 0)
283  goto error;
284  }
285  } else {
286  sm_list = DETECT_SM_LIST_PMATCH;
287  }
288 
290  goto error;
291 
292  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
293  prev_pm = DetectGetLastSMFromLists(s,
297  if (prev_pm == NULL) {
298  sm_list = DETECT_SM_LIST_PMATCH;
299  } else {
300  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
301  if (sm_list < 0)
302  goto error;
303  }
304 
305  } else {
306  sm_list = DETECT_SM_LIST_PMATCH;
307  }
308 
309  if (data->endian == EndianDCE) {
311  goto error;
312 
313  if ((DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ==
314  (data->flags & (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING))) {
315  SCLogError("Invalid option. "
316  "A byte_jump keyword with dce holds other invalid modifiers.");
317  goto error;
318  }
319  }
320 
321  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
322  DETECT_BYTE_EXTRACT, -1);
323  if (prev_bed_sm == NULL)
324  data->local_id = 0;
325  else
326  data->local_id = ((SCDetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
327  if (data->local_id > de_ctx->byte_extract_max_local_id)
328  de_ctx->byte_extract_max_local_id = data->local_id;
329 
330  if (SigMatchAppendSMToList(de_ctx, s, DETECT_BYTE_EXTRACT, (SigMatchCtx *)data, sm_list) ==
331  NULL) {
332  goto error;
333  }
334 
335  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
336  goto okay;
337 
338  if (prev_pm == NULL)
339  goto okay;
340 
341  if (prev_pm->type == DETECT_CONTENT) {
342  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
344  } else if (prev_pm->type == DETECT_PCRE) {
345  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
347  }
348 
349  okay:
350  ret = 0;
351  return ret;
352  error:
353  DetectByteExtractFree(de_ctx, data);
354  return ret;
355 }
356 
357 /**
358  * \brief Used to free instances of SCDetectByteExtractData.
359  *
360  * \param ptr Instance of SCDetectByteExtractData to be freed.
361  */
362 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
363 {
364  SCByteExtractFree(ptr);
365 }
366 
367 /**
368  * \brief Lookup the SigMatch for a named byte_extract variable.
369  *
370  * \param arg The name of the byte_extract variable to lookup.
371  * \param s Pointer the signature to look in.
372  *
373  * \retval A pointer to the SigMatch if found, otherwise NULL.
374  */
376 {
377  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
378  SigMatch *sm = s->init_data->buffers[x].head;
379  while (sm != NULL) {
380  if (sm->type == DETECT_BYTE_EXTRACT) {
381  const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
382  if (strcmp(bed->name, arg) == 0) {
383  return sm;
384  }
385  }
386  sm = sm->next;
387  }
388  }
389 
390  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
391  SigMatch *sm = s->init_data->smlists[list];
392  while (sm != NULL) {
393  if (sm->type == DETECT_BYTE_EXTRACT) {
394  const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
395  if (strcmp(bed->name, arg) == 0) {
396  return sm;
397  }
398  }
399  sm = sm->next;
400  }
401  }
402 
403  return NULL;
404 }
405 
406 /*************************************Unittests********************************/
407 
408 #ifdef UNITTESTS
409 
410 #include "detect-engine-buffer.h"
411 
412 static int g_file_data_buffer_id = 0;
413 static int g_http_uri_buffer_id = 0;
414 
415 static int DetectByteExtractTest01(void)
416 {
417  int result = 0;
418 
419  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
420  if (bed == NULL)
421  goto end;
422 
423  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
424  bed->endian != BigEndian || bed->align_value != 0 ||
425  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
426  goto end;
427  }
428 
429  result = 1;
430  end:
431  if (bed != NULL)
432  DetectByteExtractFree(NULL, bed);
433  return result;
434 }
435 
436 static int DetectByteExtractTest02(void)
437 {
438  int result = 0;
439 
440  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
441  if (bed == NULL)
442  goto end;
443 
444  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
445  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE || bed->endian != BigEndian ||
446  bed->align_value != 0 ||
447  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
448  goto end;
449  }
450 
451  result = 1;
452  end:
453  if (bed != NULL)
454  DetectByteExtractFree(NULL, bed);
455  return result;
456 }
457 
458 static int DetectByteExtractTest03(void)
459 {
460  int result = 0;
461 
462  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
463  if (bed == NULL)
464  goto end;
465 
466  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
467  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER || bed->endian != BigEndian ||
468  bed->align_value != 0 || bed->multiplier_value != 10) {
469  goto end;
470  }
471 
472  result = 1;
473  end:
474  if (bed != NULL)
475  DetectByteExtractFree(NULL, bed);
476  return result;
477 }
478 
479 static int DetectByteExtractTest04(void)
480 {
481  int result = 0;
482 
483  SCDetectByteExtractData *bed =
484  DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
485  if (bed == NULL)
486  goto end;
487 
488  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
489  bed->flags !=
490  (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
491  bed->endian != BigEndian || bed->align_value != 0 || bed->multiplier_value != 10) {
492  goto end;
493  }
494 
495  result = 1;
496  end:
497  if (bed != NULL)
498  DetectByteExtractFree(NULL, bed);
499  return result;
500 }
501 
502 static int DetectByteExtractTest05(void)
503 {
504  int result = 0;
505 
506  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
507  if (bed == NULL)
508  goto end;
509 
510  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
511  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != BigEndian ||
512  bed->align_value != 0 ||
513  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
514  goto end;
515  }
516 
517  result = 1;
518  end:
519  if (bed != NULL)
520  DetectByteExtractFree(NULL, bed);
521  return result;
522 }
523 
524 static int DetectByteExtractTest06(void)
525 {
526  int result = 0;
527 
528  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
529  if (bed == NULL)
530  goto end;
531 
532  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
533  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != LittleEndian ||
534  bed->align_value != 0 ||
535  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
536  goto end;
537  }
538 
539  result = 1;
540  end:
541  if (bed != NULL)
542  DetectByteExtractFree(NULL, bed);
543  return result;
544 }
545 
546 static int DetectByteExtractTest07(void)
547 {
548  int result = 0;
549 
550  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
551  if (bed == NULL)
552  goto end;
553 
554  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
555  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != EndianDCE ||
556  bed->align_value != 0 ||
557  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
558  goto end;
559  }
560 
561  result = 1;
562  end:
563  if (bed != NULL)
564  DetectByteExtractFree(NULL, bed);
565  return result;
566 }
567 
568 static int DetectByteExtractTest08(void)
569 {
570  int result = 0;
571 
572  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
573  if (bed == NULL)
574  goto end;
575 
576  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
577  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
578  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
579  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
580  goto end;
581  }
582 
583  result = 1;
584  end:
585  if (bed != NULL)
586  DetectByteExtractFree(NULL, bed);
587  return result;
588 }
589 
590 static int DetectByteExtractTest09(void)
591 {
592  int result = 0;
593 
594  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
595  if (bed == NULL)
596  goto end;
597 
598  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
599  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
600  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT || bed->align_value != 0 ||
601  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
602  goto end;
603  }
604 
605  result = 1;
606  end:
607  if (bed != NULL)
608  DetectByteExtractFree(NULL, bed);
609  return result;
610 }
611 
612 static int DetectByteExtractTest10(void)
613 {
614  int result = 0;
615 
616  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
617  if (bed == NULL)
618  goto end;
619 
620  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
621  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC || bed->align_value != 0 ||
622  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
623  goto end;
624  }
625 
626  result = 1;
627  end:
628  if (bed != NULL)
629  DetectByteExtractFree(NULL, bed);
630  return result;
631 }
632 
633 static int DetectByteExtractTest11(void)
634 {
635  int result = 0;
636 
637  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
638  if (bed == NULL)
639  goto end;
640 
641  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
642  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN || bed->endian != BigEndian ||
643  bed->align_value != 4 ||
644  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
645  goto end;
646  }
647 
648  result = 1;
649  end:
650  if (bed != NULL)
651  DetectByteExtractFree(NULL, bed);
652  return result;
653 }
654 
655 static int DetectByteExtractTest12(void)
656 {
657  int result = 0;
658 
659  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
660  if (bed == NULL)
661  goto end;
662 
663  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
664  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
665  bed->endian != BigEndian || bed->align_value != 4 ||
666  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
667  goto end;
668  }
669 
670  result = 1;
671  end:
672  if (bed != NULL)
673  DetectByteExtractFree(NULL, bed);
674  return result;
675 }
676 
677 static int DetectByteExtractTest13(void)
678 {
679  int result = 0;
680 
681  SCDetectByteExtractData *bed =
682  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
683  if (bed == NULL)
684  goto end;
685 
686  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
687  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
688  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
689  bed->endian != BigEndian || bed->align_value != 4 ||
690  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
691  goto end;
692  }
693 
694  result = 1;
695  end:
696  if (bed != NULL)
697  DetectByteExtractFree(NULL, bed);
698  return result;
699 }
700 
701 static int DetectByteExtractTest14(void)
702 {
703  int result = 0;
704 
705  SCDetectByteExtractData *bed =
706  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
707  if (bed == NULL)
708  goto end;
709 
710  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
711  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
712  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
713  bed->endian != EndianDCE || bed->align_value != 4 ||
714  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
715  goto end;
716  }
717 
718  result = 1;
719  end:
720  if (bed != NULL)
721  DetectByteExtractFree(NULL, bed);
722  return result;
723 }
724 
725 static int DetectByteExtractTest15(void)
726 {
727  int result = 0;
728 
729  SCDetectByteExtractData *bed =
730  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
731  if (bed == NULL)
732  goto end;
733 
734  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
735  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
736  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
737  bed->endian != LittleEndian || bed->align_value != 4 ||
738  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
739  goto end;
740  }
741 
742  result = 1;
743  end:
744  if (bed != NULL)
745  DetectByteExtractFree(NULL, bed);
746  return result;
747 }
748 
749 static int DetectByteExtractTest16(void)
750 {
751  int result = 0;
752 
753  SCDetectByteExtractData *bed =
754  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
755  if (bed == NULL)
756  goto end;
757 
758  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
759  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
760  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
761  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
762  bed->endian != LittleEndian || bed->align_value != 4 || bed->multiplier_value != 2) {
763  goto end;
764  }
765 
766  result = 1;
767  end:
768  if (bed != NULL)
769  DetectByteExtractFree(NULL, bed);
770  return result;
771 }
772 
773 static int DetectByteExtractTest17(void)
774 {
775  int result = 0;
776 
777  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
778  "relative, little, "
779  "multiplier 2, string hex");
780  if (bed != NULL)
781  goto end;
782 
783  result = 1;
784  end:
785  if (bed != NULL)
786  DetectByteExtractFree(NULL, bed);
787  return result;
788 }
789 
790 static int DetectByteExtractTest18(void)
791 {
792  int result = 0;
793 
794  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
795  "relative, little, "
796  "multiplier 2, "
797  "relative");
798  if (bed != NULL)
799  goto end;
800 
801  result = 1;
802  end:
803  if (bed != NULL)
804  DetectByteExtractFree(NULL, bed);
805  return result;
806 }
807 
808 static int DetectByteExtractTest19(void)
809 {
810  int result = 0;
811 
812  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
813  "relative, little, "
814  "multiplier 2, "
815  "little");
816  if (bed != NULL)
817  goto end;
818 
819  result = 1;
820  end:
821  if (bed != NULL)
822  DetectByteExtractFree(NULL, bed);
823  return result;
824 }
825 
826 static int DetectByteExtractTest20(void)
827 {
828  int result = 0;
829 
830  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
831  "relative, "
832  "multiplier 2, "
833  "align 2");
834  if (bed != NULL)
835  goto end;
836 
837  result = 1;
838  end:
839  if (bed != NULL)
840  DetectByteExtractFree(NULL, bed);
841  return result;
842 }
843 
844 static int DetectByteExtractTest21(void)
845 {
846  int result = 0;
847 
848  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
849  "multiplier 2, "
850  "relative, "
851  "multiplier 2");
852  if (bed != NULL)
853  goto end;
854 
855  result = 1;
856  end:
857  if (bed != NULL)
858  DetectByteExtractFree(NULL, bed);
859  return result;
860 }
861 
862 static int DetectByteExtractTest22(void)
863 {
864  int result = 0;
865 
866  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
867  "string hex, "
868  "relative, "
869  "string hex");
870  if (bed != NULL)
871  goto end;
872 
873  result = 1;
874  end:
875  if (bed != NULL)
876  DetectByteExtractFree(NULL, bed);
877  return result;
878 }
879 
880 static int DetectByteExtractTest23(void)
881 {
882  int result = 0;
883 
884  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
885  "string hex, "
886  "relative, "
887  "string oct");
888  if (bed != NULL)
889  goto end;
890 
891  result = 1;
892  end:
893  if (bed != NULL)
894  DetectByteExtractFree(NULL, bed);
895  return result;
896 }
897 
898 static int DetectByteExtractTest24(void)
899 {
900  int result = 0;
901 
902  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
903  "string hex, "
904  "relative");
905  if (bed != NULL)
906  goto end;
907 
908  result = 1;
909  end:
910  if (bed != NULL)
911  DetectByteExtractFree(NULL, bed);
912  return result;
913 }
914 
915 static int DetectByteExtractTest25(void)
916 {
917  int result = 0;
918 
919  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
920  "little, "
921  "relative");
922  if (bed != NULL)
923  goto end;
924 
925  result = 1;
926  end:
927  if (bed != NULL)
928  DetectByteExtractFree(NULL, bed);
929  return result;
930 }
931 
932 static int DetectByteExtractTest26(void)
933 {
934  int result = 0;
935 
936  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
937  "little, "
938  "relative, "
939  "multiplier 65536");
940  if (bed != NULL)
941  goto end;
942 
943  result = 1;
944  end:
945  if (bed != NULL)
946  DetectByteExtractFree(NULL, bed);
947  return result;
948 }
949 
950 static int DetectByteExtractTest27(void)
951 {
952  int result = 0;
953 
954  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
955  "little, "
956  "relative, "
957  "multiplier 0");
958  if (bed != NULL)
959  goto end;
960 
961  result = 1;
962  end:
963  if (bed != NULL)
964  DetectByteExtractFree(NULL, bed);
965  return result;
966 }
967 
968 static int DetectByteExtractTest28(void)
969 {
970  int result = 0;
971 
972  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
973  if (bed == NULL)
974  goto end;
975 
976  result = 1;
977  end:
978  if (bed != NULL)
979  DetectByteExtractFree(NULL, bed);
980  return result;
981 }
982 
983 static int DetectByteExtractTest29(void)
984 {
985  int result = 0;
986 
987  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
988  if (bed != NULL)
989  goto end;
990 
991  result = 1;
992  end:
993  if (bed != NULL)
994  DetectByteExtractFree(NULL, bed);
995  return result;
996 }
997 
998 static int DetectByteExtractTest30(void)
999 {
1000  int result = 0;
1001 
1002  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1003  if (bed == NULL)
1004  goto end;
1005 
1006  result = 1;
1007  end:
1008  if (bed != NULL)
1009  DetectByteExtractFree(NULL, bed);
1010  return result;
1011 }
1012 
1013 static int DetectByteExtractTest31(void)
1014 {
1015  int result = 0;
1016 
1017  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1018  if (bed != NULL)
1019  goto end;
1020 
1021  result = 1;
1022  end:
1023  if (bed != NULL)
1024  DetectByteExtractFree(NULL, bed);
1025  return result;
1026 }
1027 
1028 static int DetectByteExtractTest32(void)
1029 {
1030  int result = 0;
1031 
1032  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1033  if (bed == NULL)
1034  goto end;
1035 
1036  result = 1;
1037  end:
1038  if (bed != NULL)
1039  DetectByteExtractFree(NULL, bed);
1040  return result;
1041 }
1042 
1043 static int DetectByteExtractTest33(void)
1044 {
1045  int result = 0;
1046 
1047  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1048  if (bed != NULL)
1049  goto end;
1050 
1051  result = 1;
1052  end:
1053  if (bed != NULL)
1054  DetectByteExtractFree(NULL, bed);
1055  return result;
1056 }
1057 
1058 static int DetectByteExtractTest34(void)
1059 {
1060  DetectEngineCtx *de_ctx = NULL;
1061  int result = 0;
1062  Signature *s = NULL;
1063  SigMatch *sm = NULL;
1064  DetectContentData *cd = NULL;
1065  SCDetectByteExtractData *bed = NULL;
1066 
1068  if (de_ctx == NULL)
1069  goto end;
1070 
1071  de_ctx->flags |= DE_QUIET;
1072  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1073  "(msg:\"Testing bytejump_body\"; "
1074  "content:\"one\"; "
1075  "byte_extract:4,2,two,relative,string,hex; "
1076  "sid:1;)");
1077  if (de_ctx->sig_list == NULL) {
1078  result = 0;
1079  goto end;
1080  }
1081 
1082  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1083  result = 0;
1084  goto end;
1085  }
1086 
1088  if (sm->type != DETECT_CONTENT) {
1089  result = 0;
1090  goto end;
1091  }
1092  cd = (DetectContentData *)sm->ctx;
1093  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1094  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1095  cd->flags & DETECT_CONTENT_NOCASE ||
1096  cd->flags & DETECT_CONTENT_WITHIN ||
1100  cd->flags & DETECT_CONTENT_NEGATED ) {
1101  printf("one failed\n");
1102  result = 0;
1103  goto end;
1104  }
1105 
1106  sm = sm->next;
1107  if (sm->type != DETECT_BYTE_EXTRACT) {
1108  result = 0;
1109  goto end;
1110  }
1111  bed = (SCDetectByteExtractData *)sm->ctx;
1112  if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", cd->content_len) != 0 ||
1113  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1114  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1115  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1116  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1117  goto end;
1118  }
1119 
1120  result = 1;
1121 
1122  end:
1126 
1127  return result;
1128 }
1129 
1130 static int DetectByteExtractTest35(void)
1131 {
1132  DetectEngineCtx *de_ctx = NULL;
1133  int result = 0;
1134  Signature *s = NULL;
1135  SigMatch *sm = NULL;
1136  DetectContentData *cd = NULL;
1137  DetectPcreData *pd = NULL;
1138  SCDetectByteExtractData *bed = NULL;
1139 
1141  if (de_ctx == NULL)
1142  goto end;
1143 
1144  de_ctx->flags |= DE_QUIET;
1145  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1146  "(msg:\"Testing bytejump_body\"; "
1147  "content:\"one\"; pcre:/asf/; "
1148  "byte_extract:4,0,two,relative,string,hex; "
1149  "sid:1;)");
1150  if (de_ctx->sig_list == NULL) {
1151  result = 0;
1152  goto end;
1153  }
1154 
1155  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1156  result = 0;
1157  goto end;
1158  }
1159 
1161  if (sm->type != DETECT_CONTENT) {
1162  result = 0;
1163  goto end;
1164  }
1165  cd = (DetectContentData *)sm->ctx;
1166  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1167  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1168  cd->flags & DETECT_CONTENT_NOCASE ||
1169  cd->flags & DETECT_CONTENT_WITHIN ||
1173  cd->flags & DETECT_CONTENT_NEGATED ) {
1174  printf("one failed\n");
1175  result = 0;
1176  goto end;
1177  }
1178 
1179  sm = sm->next;
1180  if (sm->type != DETECT_PCRE) {
1181  result = 0;
1182  goto end;
1183  }
1184  pd = (DetectPcreData *)sm->ctx;
1185  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1186  result = 0;
1187  goto end;
1188  }
1189 
1190  sm = sm->next;
1191  if (sm->type != DETECT_BYTE_EXTRACT) {
1192  result = 0;
1193  goto end;
1194  }
1195  bed = (SCDetectByteExtractData *)sm->ctx;
1196  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1197  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1198  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1199  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1200  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1201  goto end;
1202  }
1203 
1204  result = 1;
1205 
1206  end:
1210 
1211  return result;
1212 }
1213 
1214 static int DetectByteExtractTest36(void)
1215 {
1218  de_ctx->flags |= DE_QUIET;
1219 
1220  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
1221  "content:\"one\"; byte_jump:1,13; "
1222  "byte_extract:4,0,two,relative,string,hex; "
1223  "sid:1;)");
1224  FAIL_IF_NULL(s);
1226 
1228  FAIL_IF(sm->type != DETECT_CONTENT);
1231  FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
1238 
1239  sm = sm->next;
1240  FAIL_IF(sm->type != DETECT_BYTEJUMP);
1242  FAIL_IF(bjd->flags != 0);
1243  sm = sm->next;
1245  SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
1246  FAIL_IF(bed->nbytes != 4);
1247  FAIL_IF(bed->offset != 0);
1248  FAIL_IF(strcmp(bed->name, "two") != 0);
1249  FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1250  DETECT_BYTE_EXTRACT_FLAG_STRING));
1251  FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
1252  FAIL_IF(bed->align_value != 0);
1253  FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
1254 
1256  PASS;
1257 }
1258 
1259 static int DetectByteExtractTest37(void)
1260 {
1261  DetectEngineCtx *de_ctx = NULL;
1262  int result = 0;
1263  Signature *s = NULL;
1264  SigMatch *sm = NULL;
1265  DetectContentData *cd = NULL;
1266  DetectContentData *ud = NULL;
1267  SCDetectByteExtractData *bed = NULL;
1268 
1270  if (de_ctx == NULL)
1271  goto end;
1272 
1273  de_ctx->flags |= DE_QUIET;
1274  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1275  "(msg:\"Testing bytejump_body\"; "
1276  "content:\"one\"; uricontent:\"two\"; "
1277  "byte_extract:4,0,two,relative,string,hex; "
1278  "sid:1;)");
1279  if (de_ctx->sig_list == NULL) {
1280  result = 0;
1281  goto end;
1282  }
1283 
1284  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1285  result = 0;
1286  goto end;
1287  }
1288 
1290  if (sm->type != DETECT_CONTENT) {
1291  result = 0;
1292  goto end;
1293  }
1294  cd = (DetectContentData *)sm->ctx;
1295  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1296  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1297  cd->flags & DETECT_CONTENT_NOCASE ||
1298  cd->flags & DETECT_CONTENT_WITHIN ||
1302  cd->flags & DETECT_CONTENT_NEGATED ) {
1303  printf("one failed\n");
1304  result = 0;
1305  goto end;
1306  }
1307 
1308  if (sm->next != NULL) {
1309  result = 0;
1310  goto end;
1311  }
1312 
1313  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1314  if (sm->type != DETECT_CONTENT) {
1315  result = 0;
1316  goto end;
1317  }
1318  ud = (DetectContentData *)sm->ctx;
1319  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1320  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1321  ud->flags & DETECT_CONTENT_NOCASE ||
1322  ud->flags & DETECT_CONTENT_WITHIN ||
1326  ud->flags & DETECT_CONTENT_NEGATED ) {
1327  printf("two failed\n");
1328  result = 0;
1329  goto end;
1330  }
1331 
1332  sm = sm->next;
1333  if (sm->type != DETECT_BYTE_EXTRACT) {
1334  result = 0;
1335  goto end;
1336  }
1337  bed = (SCDetectByteExtractData *)sm->ctx;
1338  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1339  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1340  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1341  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1342  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1343  goto end;
1344  }
1345 
1346  result = 1;
1347 
1348  end:
1352 
1353  return result;
1354 }
1355 
1356 static int DetectByteExtractTest38(void)
1357 {
1358  DetectEngineCtx *de_ctx = NULL;
1359  int result = 0;
1360  Signature *s = NULL;
1361  SigMatch *sm = NULL;
1362  DetectContentData *cd = NULL;
1363  DetectContentData *ud = NULL;
1364  SCDetectByteExtractData *bed = NULL;
1365 
1367  if (de_ctx == NULL)
1368  goto end;
1369 
1370  de_ctx->flags |= DE_QUIET;
1371  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1372  "(msg:\"Testing bytejump_body\"; "
1373  "content:\"one\"; uricontent:\"two\"; "
1374  "byte_extract:4,0,two,string,hex; "
1375  "sid:1;)");
1376  if (de_ctx->sig_list == NULL) {
1377  result = 0;
1378  goto end;
1379  }
1380 
1381  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1382  result = 0;
1383  goto end;
1384  }
1385 
1387  if (sm->type != DETECT_CONTENT) {
1388  result = 0;
1389  goto end;
1390  }
1391  cd = (DetectContentData *)sm->ctx;
1392  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1393  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1394  cd->flags & DETECT_CONTENT_NOCASE ||
1395  cd->flags & DETECT_CONTENT_WITHIN ||
1399  cd->flags & DETECT_CONTENT_NEGATED ) {
1400  printf("one failed\n");
1401  result = 0;
1402  goto end;
1403  }
1404 
1405  sm = sm->next;
1406  if (sm->type != DETECT_BYTE_EXTRACT) {
1407  result = 0;
1408  goto end;
1409  }
1410  bed = (SCDetectByteExtractData *)sm->ctx;
1411  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1412  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1413  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1414  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1415  goto end;
1416  }
1417 
1418  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1419  if (sm->type != DETECT_CONTENT) {
1420  result = 0;
1421  goto end;
1422  }
1423  ud = (DetectContentData *)sm->ctx;
1424  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1425  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1426  ud->flags & DETECT_CONTENT_NOCASE ||
1427  ud->flags & DETECT_CONTENT_WITHIN ||
1431  ud->flags & DETECT_CONTENT_NEGATED ) {
1432  printf("two failed\n");
1433  result = 0;
1434  goto end;
1435  }
1436 
1437  if (sm->next != NULL) {
1438  result = 0;
1439  goto end;
1440  }
1441 
1442  result = 1;
1443 
1444  end:
1448 
1449  return result;
1450 }
1451 
1452 static int DetectByteExtractTest39(void)
1453 {
1454  DetectEngineCtx *de_ctx = NULL;
1455  int result = 0;
1456  Signature *s = NULL;
1457  SigMatch *sm = NULL;
1458  DetectContentData *cd = NULL;
1459  DetectContentData *ud = NULL;
1460  SCDetectByteExtractData *bed = NULL;
1461 
1463  if (de_ctx == NULL)
1464  goto end;
1465 
1466  de_ctx->flags |= DE_QUIET;
1467  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1468  "(msg:\"Testing bytejump_body\"; "
1469  "content:\"one\"; content:\"two\"; http_uri; "
1470  "byte_extract:4,0,two,relative,string,hex; "
1471  "sid:1;)");
1472  if (de_ctx->sig_list == NULL) {
1473  result = 0;
1474  goto end;
1475  }
1476 
1477  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1478  result = 0;
1479  goto end;
1480  }
1481 
1483  if (sm->type != DETECT_CONTENT) {
1484  result = 0;
1485  goto end;
1486  }
1487  cd = (DetectContentData *)sm->ctx;
1488  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1489  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1490  cd->flags & DETECT_CONTENT_NOCASE ||
1491  cd->flags & DETECT_CONTENT_WITHIN ||
1495  cd->flags & DETECT_CONTENT_NEGATED ) {
1496  printf("one failed\n");
1497  result = 0;
1498  goto end;
1499  }
1500 
1501  if (sm->next != NULL) {
1502  result = 0;
1503  goto end;
1504  }
1505 
1506  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1507  if (sm->type != DETECT_CONTENT) {
1508  result = 0;
1509  goto end;
1510  }
1511  ud = (DetectContentData *)sm->ctx;
1512  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1513  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1514  ud->flags & DETECT_CONTENT_NOCASE ||
1515  ud->flags & DETECT_CONTENT_WITHIN ||
1519  ud->flags & DETECT_CONTENT_NEGATED ) {
1520  printf("two failed\n");
1521  result = 0;
1522  goto end;
1523  }
1524 
1525  sm = sm->next;
1526  if (sm->type != DETECT_BYTE_EXTRACT) {
1527  result = 0;
1528  goto end;
1529  }
1530  bed = (SCDetectByteExtractData *)sm->ctx;
1531  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1532  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1533  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1534  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1535  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1536  goto end;
1537  }
1538 
1539  result = 1;
1540 
1541  end:
1545 
1546  return result;
1547 }
1548 
1549 static int DetectByteExtractTest40(void)
1550 {
1551  DetectEngineCtx *de_ctx = NULL;
1552  int result = 0;
1553  Signature *s = NULL;
1554  SigMatch *sm = NULL;
1555  DetectContentData *cd = NULL;
1556  DetectContentData *ud = NULL;
1557  SCDetectByteExtractData *bed = NULL;
1558 
1560  if (de_ctx == NULL)
1561  goto end;
1562 
1563  de_ctx->flags |= DE_QUIET;
1564  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1565  "(msg:\"Testing bytejump_body\"; "
1566  "content:\"one\"; content:\"two\"; http_uri; "
1567  "byte_extract:4,0,two,string,hex; "
1568  "sid:1;)");
1569  if (de_ctx->sig_list == NULL) {
1570  result = 0;
1571  goto end;
1572  }
1573 
1574  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1575  result = 0;
1576  goto end;
1577  }
1578 
1580  if (sm->type != DETECT_CONTENT) {
1581  result = 0;
1582  goto end;
1583  }
1584  cd = (DetectContentData *)sm->ctx;
1585  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1586  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1587  cd->flags & DETECT_CONTENT_NOCASE ||
1588  cd->flags & DETECT_CONTENT_WITHIN ||
1592  cd->flags & DETECT_CONTENT_NEGATED ) {
1593  printf("one failed\n");
1594  result = 0;
1595  goto end;
1596  }
1597 
1598  sm = sm->next;
1599  if (sm->type != DETECT_BYTE_EXTRACT) {
1600  result = 0;
1601  goto end;
1602  }
1603  bed = (SCDetectByteExtractData *)sm->ctx;
1604  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1605  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1606  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1607  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1608  goto end;
1609  }
1610 
1611  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1612  if (sm->type != DETECT_CONTENT) {
1613  result = 0;
1614  goto end;
1615  }
1616  ud = (DetectContentData *)sm->ctx;
1617  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1618  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1619  ud->flags & DETECT_CONTENT_NOCASE ||
1620  ud->flags & DETECT_CONTENT_WITHIN ||
1624  ud->flags & DETECT_CONTENT_NEGATED ) {
1625  printf("two failed\n");
1626  result = 0;
1627  goto end;
1628  }
1629 
1630  if (sm->next != NULL) {
1631  result = 0;
1632  goto end;
1633  }
1634 
1635  result = 1;
1636 
1637  end:
1641 
1642  return result;
1643 }
1644 
1645 static int DetectByteExtractTest41(void)
1646 {
1647  DetectEngineCtx *de_ctx = NULL;
1648  int result = 0;
1649  Signature *s = NULL;
1650  SigMatch *sm = NULL;
1651  DetectContentData *cd = NULL;
1652  SCDetectByteExtractData *bed = NULL;
1653 
1655  if (de_ctx == NULL)
1656  goto end;
1657 
1658  de_ctx->flags |= DE_QUIET;
1659  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1660  "(msg:\"Testing bytejump_body\"; "
1661  "content:\"one\"; "
1662  "byte_extract:4,0,two,string,hex; "
1663  "byte_extract:4,0,three,string,hex; "
1664  "sid:1;)");
1665  if (de_ctx->sig_list == NULL) {
1666  result = 0;
1667  goto end;
1668  }
1669 
1670  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1671  result = 0;
1672  goto end;
1673  }
1674 
1676  if (sm->type != DETECT_CONTENT) {
1677  result = 0;
1678  goto end;
1679  }
1680  cd = (DetectContentData *)sm->ctx;
1681  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1682  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1683  cd->flags & DETECT_CONTENT_NOCASE ||
1684  cd->flags & DETECT_CONTENT_WITHIN ||
1688  cd->flags & DETECT_CONTENT_NEGATED ) {
1689  printf("one failed\n");
1690  result = 0;
1691  goto end;
1692  }
1693 
1694  sm = sm->next;
1695  if (sm->type != DETECT_BYTE_EXTRACT) {
1696  result = 0;
1697  goto end;
1698  }
1699  bed = (SCDetectByteExtractData *)sm->ctx;
1700  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1701  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1702  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1703  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1704  goto end;
1705  }
1706  if (bed->local_id != 0) {
1707  result = 0;
1708  goto end;
1709  }
1710 
1711  sm = sm->next;
1712  if (sm->type != DETECT_BYTE_EXTRACT) {
1713  result = 0;
1714  goto end;
1715  }
1716  bed = (SCDetectByteExtractData *)sm->ctx;
1717  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "three") != 0 ||
1718  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1719  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1720  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1721  goto end;
1722  }
1723  if (bed->local_id != 1) {
1724  result = 0;
1725  goto end;
1726  }
1727 
1728  result = 1;
1729 
1730  end:
1734 
1735  return result;
1736 }
1737 
1738 static int DetectByteExtractTest42(void)
1739 {
1740  DetectEngineCtx *de_ctx = NULL;
1741  int result = 0;
1742  Signature *s = NULL;
1743  SigMatch *sm = NULL;
1744  DetectContentData *cd = NULL;
1745  DetectContentData *ud = NULL;
1746  SCDetectByteExtractData *bed = NULL;
1747 
1749  if (de_ctx == NULL)
1750  goto end;
1751 
1752  de_ctx->flags |= DE_QUIET;
1753  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1754  "(msg:\"Testing bytejump_body\"; "
1755  "content:\"one\"; "
1756  "byte_extract:4,0,two,string,hex; "
1757  "uricontent: \"three\"; "
1758  "byte_extract:4,0,four,string,hex,relative; "
1759  "byte_extract:4,0,five,string,hex; "
1760  "sid:1;)");
1761  if (de_ctx->sig_list == NULL) {
1762  result = 0;
1763  goto end;
1764  }
1765 
1766  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1767  result = 0;
1768  goto end;
1769  }
1770 
1772  if (sm->type != DETECT_CONTENT) {
1773  result = 0;
1774  goto end;
1775  }
1776  cd = (DetectContentData *)sm->ctx;
1777  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1778  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1779  cd->flags & DETECT_CONTENT_NOCASE ||
1780  cd->flags & DETECT_CONTENT_WITHIN ||
1784  cd->flags & DETECT_CONTENT_NEGATED ) {
1785  printf("one failed\n");
1786  result = 0;
1787  goto end;
1788  }
1789 
1790  sm = sm->next;
1791  if (sm->type != DETECT_BYTE_EXTRACT) {
1792  result = 0;
1793  goto end;
1794  }
1795  bed = (SCDetectByteExtractData *)sm->ctx;
1796  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1797  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1798  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1799  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1800  goto end;
1801  }
1802  if (bed->local_id != 0) {
1803  result = 0;
1804  goto end;
1805  }
1806 
1807  sm = sm->next;
1808  if (sm->type != DETECT_BYTE_EXTRACT) {
1809  result = 0;
1810  goto end;
1811  }
1812  bed = (SCDetectByteExtractData *)sm->ctx;
1813  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "five") != 0 ||
1814  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1815  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1816  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1817  goto end;
1818  }
1819  if (bed->local_id != 1) {
1820  result = 0;
1821  goto end;
1822  }
1823 
1824  if (sm->next != NULL)
1825  goto end;
1826 
1827  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1828  if (sm->type != DETECT_CONTENT) {
1829  result = 0;
1830  goto end;
1831  }
1832  ud = (DetectContentData *)sm->ctx;
1833  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1834  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
1835  ud->flags & DETECT_CONTENT_NOCASE ||
1836  ud->flags & DETECT_CONTENT_WITHIN ||
1840  ud->flags & DETECT_CONTENT_NEGATED ) {
1841  printf("two failed\n");
1842  result = 0;
1843  goto end;
1844  }
1845 
1846  sm = sm->next;
1847  if (sm->type != DETECT_BYTE_EXTRACT) {
1848  result = 0;
1849  goto end;
1850  }
1851  bed = (SCDetectByteExtractData *)sm->ctx;
1852  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "four") != 0 ||
1853  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1854  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1855  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1856  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1857  goto end;
1858  }
1859  if (bed->local_id != 0) {
1860  result = 0;
1861  goto end;
1862  }
1863 
1864  if (sm->next != NULL)
1865  goto end;
1866 
1867  result = 1;
1868 
1869  end:
1873 
1874  return result;
1875 }
1876 
1877 static int DetectByteExtractTest43(void)
1878 {
1879  DetectEngineCtx *de_ctx = NULL;
1880  int result = 0;
1881  Signature *s = NULL;
1882  SigMatch *sm = NULL;
1883  DetectContentData *cd = NULL;
1884  SCDetectByteExtractData *bed = NULL;
1885 
1887  if (de_ctx == NULL)
1888  goto end;
1889 
1890  de_ctx->flags |= DE_QUIET;
1891  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1892  "(msg:\"Testing bytejump_body\"; "
1893  "content:\"one\"; "
1894  "byte_extract:4,0,two,string,hex; "
1895  "content: \"three\"; offset:two; "
1896  "sid:1;)");
1897  if (de_ctx->sig_list == NULL) {
1898  result = 0;
1899  goto end;
1900  }
1901 
1902  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1903  result = 0;
1904  goto end;
1905  }
1906 
1908  if (sm->type != DETECT_CONTENT) {
1909  result = 0;
1910  goto end;
1911  }
1912  cd = (DetectContentData *)sm->ctx;
1913  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1914  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1915  cd->flags & DETECT_CONTENT_NOCASE ||
1916  cd->flags & DETECT_CONTENT_WITHIN ||
1920  cd->flags & DETECT_CONTENT_NEGATED ) {
1921  printf("one failed\n");
1922  result = 0;
1923  goto end;
1924  }
1925 
1926  sm = sm->next;
1927  if (sm->type != DETECT_BYTE_EXTRACT) {
1928  result = 0;
1929  goto end;
1930  }
1931  bed = (SCDetectByteExtractData *)sm->ctx;
1932  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1933  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1934  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1935  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1936  goto end;
1937  }
1938  if (bed->local_id != 0) {
1939  result = 0;
1940  goto end;
1941  }
1942 
1943  sm = sm->next;
1944  if (sm->type != DETECT_CONTENT) {
1945  result = 0;
1946  goto end;
1947  }
1948  cd = (DetectContentData *)sm->ctx;
1949  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
1951  cd->offset != bed->local_id) {
1952  printf("three failed\n");
1953  result = 0;
1954  goto end;
1955  }
1956 
1957  if (sm->next != NULL)
1958  goto end;
1959 
1960  result = 1;
1961 
1962  end:
1966 
1967  return result;
1968 }
1969 
1970 static int DetectByteExtractTest44(void)
1971 {
1972  DetectEngineCtx *de_ctx = NULL;
1973  int result = 0;
1974  Signature *s = NULL;
1975  SigMatch *sm = NULL;
1976  DetectContentData *cd = NULL;
1977  SCDetectByteExtractData *bed1 = NULL;
1978  SCDetectByteExtractData *bed2 = NULL;
1979 
1981  if (de_ctx == NULL)
1982  goto end;
1983 
1984  de_ctx->flags |= DE_QUIET;
1985  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1986  "(msg:\"Testing bytejump_body\"; "
1987  "content:\"one\"; "
1988  "byte_extract:4,0,two,string,hex; "
1989  "byte_extract:4,0,three,string,hex; "
1990  "content: \"four\"; offset:two; "
1991  "content: \"five\"; offset:three; "
1992  "sid:1;)");
1993  if (de_ctx->sig_list == NULL) {
1994  result = 0;
1995  goto end;
1996  }
1997 
1998  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1999  result = 0;
2000  goto end;
2001  }
2002 
2004  if (sm->type != DETECT_CONTENT) {
2005  result = 0;
2006  goto end;
2007  }
2008  cd = (DetectContentData *)sm->ctx;
2009  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2010  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2011  cd->flags & DETECT_CONTENT_NOCASE ||
2012  cd->flags & DETECT_CONTENT_WITHIN ||
2016  cd->flags & DETECT_CONTENT_NEGATED ) {
2017  printf("one failed\n");
2018  result = 0;
2019  goto end;
2020  }
2021 
2022  sm = sm->next;
2023  if (sm->type != DETECT_BYTE_EXTRACT) {
2024  result = 0;
2025  goto end;
2026  }
2027  bed1 = (SCDetectByteExtractData *)sm->ctx;
2028  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2029  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2030  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2031  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2032  goto end;
2033  }
2034  if (bed1->local_id != 0) {
2035  result = 0;
2036  goto end;
2037  }
2038 
2039  sm = sm->next;
2040  if (sm->type != DETECT_BYTE_EXTRACT) {
2041  result = 0;
2042  goto end;
2043  }
2044  bed2 = (SCDetectByteExtractData *)sm->ctx;
2045 
2046  sm = sm->next;
2047  if (sm->type != DETECT_CONTENT) {
2048  result = 0;
2049  goto end;
2050  }
2051  cd = (DetectContentData *)sm->ctx;
2052  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2054  cd->offset != bed1->local_id) {
2055  printf("four failed\n");
2056  result = 0;
2057  goto end;
2058  }
2059 
2060  sm = sm->next;
2061  if (sm->type != DETECT_CONTENT) {
2062  result = 0;
2063  goto end;
2064  }
2065  cd = (DetectContentData *)sm->ctx;
2066  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2069  cd->offset != bed2->local_id) {
2070  printf("five failed\n");
2071  result = 0;
2072  goto end;
2073  }
2074 
2075  if (sm->next != NULL)
2076  goto end;
2077 
2078  result = 1;
2079 
2080  end:
2084 
2085  return result;
2086 }
2087 
2088 static int DetectByteExtractTest45(void)
2089 {
2090  DetectEngineCtx *de_ctx = NULL;
2091  int result = 0;
2092  Signature *s = NULL;
2093  SigMatch *sm = NULL;
2094  DetectContentData *cd = NULL;
2095  SCDetectByteExtractData *bed = NULL;
2096 
2098  if (de_ctx == NULL)
2099  goto end;
2100 
2101  de_ctx->flags |= DE_QUIET;
2102  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2103  "(msg:\"Testing bytejump_body\"; "
2104  "content:\"one\"; "
2105  "byte_extract:4,0,two,string,hex; "
2106  "content: \"three\"; depth:two; "
2107  "sid:1;)");
2108  if (de_ctx->sig_list == NULL) {
2109  result = 0;
2110  goto end;
2111  }
2112 
2113  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2114  result = 0;
2115  goto end;
2116  }
2117 
2119  if (sm->type != DETECT_CONTENT) {
2120  result = 0;
2121  goto end;
2122  }
2123  cd = (DetectContentData *)sm->ctx;
2124  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2125  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2126  cd->flags & DETECT_CONTENT_NOCASE ||
2127  cd->flags & DETECT_CONTENT_WITHIN ||
2131  cd->flags & DETECT_CONTENT_NEGATED ) {
2132  printf("one failed\n");
2133  result = 0;
2134  goto end;
2135  }
2136 
2137  sm = sm->next;
2138  if (sm->type != DETECT_BYTE_EXTRACT) {
2139  result = 0;
2140  goto end;
2141  }
2142  bed = (SCDetectByteExtractData *)sm->ctx;
2143  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2144  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2145  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2146  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2147  goto end;
2148  }
2149  if (bed->local_id != 0) {
2150  result = 0;
2151  goto end;
2152  }
2153 
2154  sm = sm->next;
2155  if (sm->type != DETECT_CONTENT) {
2156  result = 0;
2157  goto end;
2158  }
2159  cd = (DetectContentData *)sm->ctx;
2160  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2162  cd->depth != bed->local_id || cd->offset != 0) {
2163  printf("three failed\n");
2164  result = 0;
2165  goto end;
2166  }
2167 
2168  if (sm->next != NULL)
2169  goto end;
2170 
2171  result = 1;
2172 
2173  end:
2177 
2178  return result;
2179 }
2180 
2181 static int DetectByteExtractTest46(void)
2182 {
2183  DetectEngineCtx *de_ctx = NULL;
2184  int result = 0;
2185  Signature *s = NULL;
2186  SigMatch *sm = NULL;
2187  DetectContentData *cd = NULL;
2188  SCDetectByteExtractData *bed1 = NULL;
2189  SCDetectByteExtractData *bed2 = NULL;
2190 
2192  if (de_ctx == NULL)
2193  goto end;
2194 
2195  de_ctx->flags |= DE_QUIET;
2196  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2197  "(msg:\"Testing bytejump_body\"; "
2198  "content:\"one\"; "
2199  "byte_extract:4,0,two,string,hex; "
2200  "byte_extract:4,0,three,string,hex; "
2201  "content: \"four\"; depth:two; "
2202  "content: \"five\"; depth:three; "
2203  "sid:1;)");
2204  if (de_ctx->sig_list == NULL) {
2205  result = 0;
2206  goto end;
2207  }
2208 
2209  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2210  result = 0;
2211  goto end;
2212  }
2213 
2215  if (sm->type != DETECT_CONTENT) {
2216  result = 0;
2217  goto end;
2218  }
2219  cd = (DetectContentData *)sm->ctx;
2220  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2221  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2222  cd->flags & DETECT_CONTENT_NOCASE ||
2223  cd->flags & DETECT_CONTENT_WITHIN ||
2227  cd->flags & DETECT_CONTENT_NEGATED ) {
2228  printf("one failed\n");
2229  result = 0;
2230  goto end;
2231  }
2232 
2233  sm = sm->next;
2234  if (sm->type != DETECT_BYTE_EXTRACT) {
2235  result = 0;
2236  goto end;
2237  }
2238  bed1 = (SCDetectByteExtractData *)sm->ctx;
2239  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2240  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2241  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2242  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2243  goto end;
2244  }
2245  if (bed1->local_id != 0) {
2246  result = 0;
2247  goto end;
2248  }
2249 
2250  sm = sm->next;
2251  if (sm->type != DETECT_BYTE_EXTRACT) {
2252  result = 0;
2253  goto end;
2254  }
2255  bed2 = (SCDetectByteExtractData *)sm->ctx;
2256 
2257  sm = sm->next;
2258  if (sm->type != DETECT_CONTENT) {
2259  result = 0;
2260  goto end;
2261  }
2262  cd = (DetectContentData *)sm->ctx;
2263  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2265  cd->depth != bed1->local_id) {
2266  printf("four failed\n");
2267  result = 0;
2268  goto end;
2269  }
2270 
2271  sm = sm->next;
2272  if (sm->type != DETECT_CONTENT) {
2273  result = 0;
2274  goto end;
2275  }
2276  cd = (DetectContentData *)sm->ctx;
2277  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2280  cd->depth != bed2->local_id) {
2281  printf("five failed\n");
2282  result = 0;
2283  goto end;
2284  }
2285 
2286  if (sm->next != NULL)
2287  goto end;
2288 
2289  result = 1;
2290 
2291  end:
2295 
2296  return result;
2297 }
2298 
2299 static int DetectByteExtractTest47(void)
2300 {
2301  DetectEngineCtx *de_ctx = NULL;
2302  int result = 0;
2303  Signature *s = NULL;
2304  SigMatch *sm = NULL;
2305  DetectContentData *cd = NULL;
2306  SCDetectByteExtractData *bed = NULL;
2307 
2309  if (de_ctx == NULL)
2310  goto end;
2311 
2312  de_ctx->flags |= DE_QUIET;
2313  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2314  "(msg:\"Testing bytejump_body\"; "
2315  "content:\"one\"; "
2316  "byte_extract:4,0,two,string,hex; "
2317  "content: \"three\"; distance:two; "
2318  "sid:1;)");
2319  if (de_ctx->sig_list == NULL) {
2320  result = 0;
2321  goto end;
2322  }
2323 
2324  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2325  result = 0;
2326  goto end;
2327  }
2328 
2330  if (sm->type != DETECT_CONTENT) {
2331  result = 0;
2332  goto end;
2333  }
2334  cd = (DetectContentData *)sm->ctx;
2335  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2336  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2337  cd->flags & DETECT_CONTENT_NOCASE ||
2338  cd->flags & DETECT_CONTENT_WITHIN ||
2342  cd->flags & DETECT_CONTENT_NEGATED ) {
2343  printf("one failed\n");
2344  result = 0;
2345  goto end;
2346  }
2347 
2348  sm = sm->next;
2349  if (sm->type != DETECT_BYTE_EXTRACT) {
2350  result = 0;
2351  goto end;
2352  }
2353  bed = (SCDetectByteExtractData *)sm->ctx;
2354  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2355  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2356  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2357  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2358  goto end;
2359  }
2360  if (bed->local_id != 0) {
2361  result = 0;
2362  goto end;
2363  }
2364 
2365  sm = sm->next;
2366  if (sm->type != DETECT_CONTENT) {
2367  result = 0;
2368  goto end;
2369  }
2370  cd = (DetectContentData *)sm->ctx;
2371  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2372  cd->flags !=
2374  cd->distance != bed->local_id || cd->offset != 0 || cd->depth != 0) {
2375  printf("three failed\n");
2376  result = 0;
2377  goto end;
2378  }
2379 
2380  if (sm->next != NULL)
2381  goto end;
2382 
2383  result = 1;
2384 
2385  end:
2389 
2390  return result;
2391 }
2392 
2393 static int DetectByteExtractTest48(void)
2394 {
2395  DetectEngineCtx *de_ctx = NULL;
2396  int result = 0;
2397  Signature *s = NULL;
2398  SigMatch *sm = NULL;
2399  DetectContentData *cd = NULL;
2400  SCDetectByteExtractData *bed1 = NULL;
2401  SCDetectByteExtractData *bed2 = NULL;
2402 
2404  if (de_ctx == NULL)
2405  goto end;
2406 
2407  de_ctx->flags |= DE_QUIET;
2408  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2409  "(msg:\"Testing bytejump_body\"; "
2410  "content:\"one\"; "
2411  "byte_extract:4,0,two,string,hex; "
2412  "byte_extract:4,0,three,string,hex; "
2413  "content: \"four\"; distance:two; "
2414  "content: \"five\"; distance:three; "
2415  "sid:1;)");
2416  if (de_ctx->sig_list == NULL) {
2417  result = 0;
2418  goto end;
2419  }
2420 
2421  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2422  result = 0;
2423  goto end;
2424  }
2425 
2427  if (sm->type != DETECT_CONTENT) {
2428  result = 0;
2429  goto end;
2430  }
2431  cd = (DetectContentData *)sm->ctx;
2432  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2433  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2434  cd->flags & DETECT_CONTENT_NOCASE ||
2435  cd->flags & DETECT_CONTENT_WITHIN ||
2439  cd->flags & DETECT_CONTENT_NEGATED ) {
2440  printf("one failed\n");
2441  result = 0;
2442  goto end;
2443  }
2444 
2445  sm = sm->next;
2446  if (sm->type != DETECT_BYTE_EXTRACT) {
2447  result = 0;
2448  goto end;
2449  }
2450  bed1 = (SCDetectByteExtractData *)sm->ctx;
2451  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2452  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2453  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2454  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2455  goto end;
2456  }
2457  if (bed1->local_id != 0) {
2458  result = 0;
2459  goto end;
2460  }
2461 
2462  sm = sm->next;
2463  if (sm->type != DETECT_BYTE_EXTRACT) {
2464  result = 0;
2465  goto end;
2466  }
2467  bed2 = (SCDetectByteExtractData *)sm->ctx;
2468 
2469  sm = sm->next;
2470  if (sm->type != DETECT_CONTENT) {
2471  result = 0;
2472  goto end;
2473  }
2474  cd = (DetectContentData *)sm->ctx;
2475  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2478  cd->distance != bed1->local_id || cd->depth != 0 || cd->offset != 0) {
2479  printf("four failed\n");
2480  result = 0;
2481  goto end;
2482  }
2483 
2484  sm = sm->next;
2485  if (sm->type != DETECT_CONTENT) {
2486  result = 0;
2487  goto end;
2488  }
2489  cd = (DetectContentData *)sm->ctx;
2490  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2493  cd->distance != bed2->local_id ||
2494  cd->depth != 0 ||
2495  cd->offset != 0) {
2496  printf("five failed\n");
2497  result = 0;
2498  goto end;
2499  }
2500 
2501  if (sm->next != NULL)
2502  goto end;
2503 
2504  result = 1;
2505 
2506  end:
2510 
2511  return result;
2512 }
2513 
2514 static int DetectByteExtractTest49(void)
2515 {
2516  DetectEngineCtx *de_ctx = NULL;
2517  int result = 0;
2518  Signature *s = NULL;
2519  SigMatch *sm = NULL;
2520  DetectContentData *cd = NULL;
2521  SCDetectByteExtractData *bed = NULL;
2522 
2524  if (de_ctx == NULL)
2525  goto end;
2526 
2527  de_ctx->flags |= DE_QUIET;
2528  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2529  "(msg:\"Testing bytejump_body\"; "
2530  "content:\"one\"; "
2531  "byte_extract:4,0,two,string,hex; "
2532  "content: \"three\"; within:two; "
2533  "sid:1;)");
2534  if (de_ctx->sig_list == NULL) {
2535  result = 0;
2536  goto end;
2537  }
2538 
2539  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2540  result = 0;
2541  goto end;
2542  }
2543 
2545  if (sm->type != DETECT_CONTENT) {
2546  result = 0;
2547  goto end;
2548  }
2549  cd = (DetectContentData *)sm->ctx;
2550  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2551  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2552  cd->flags & DETECT_CONTENT_NOCASE ||
2553  cd->flags & DETECT_CONTENT_WITHIN ||
2557  cd->flags & DETECT_CONTENT_NEGATED ) {
2558  printf("one failed\n");
2559  result = 0;
2560  goto end;
2561  }
2562 
2563  sm = sm->next;
2564  if (sm->type != DETECT_BYTE_EXTRACT) {
2565  result = 0;
2566  goto end;
2567  }
2568  bed = (SCDetectByteExtractData *)sm->ctx;
2569  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2570  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2571  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2572  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2573  goto end;
2574  }
2575  if (bed->local_id != 0) {
2576  result = 0;
2577  goto end;
2578  }
2579 
2580  sm = sm->next;
2581  if (sm->type != DETECT_CONTENT) {
2582  result = 0;
2583  goto end;
2584  }
2585  cd = (DetectContentData *)sm->ctx;
2586  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2588  cd->within != bed->local_id || cd->offset != 0 || cd->depth != 0 || cd->distance != 0) {
2589  printf("three failed\n");
2590  result = 0;
2591  goto end;
2592  }
2593 
2594  if (sm->next != NULL)
2595  goto end;
2596 
2597  result = 1;
2598 
2599  end:
2603 
2604  return result;
2605 }
2606 
2607 static int DetectByteExtractTest50(void)
2608 {
2609  DetectEngineCtx *de_ctx = NULL;
2610  int result = 0;
2611  Signature *s = NULL;
2612  SigMatch *sm = NULL;
2613  DetectContentData *cd = NULL;
2614  SCDetectByteExtractData *bed1 = NULL;
2615  SCDetectByteExtractData *bed2 = NULL;
2616 
2618  if (de_ctx == NULL)
2619  goto end;
2620 
2621  de_ctx->flags |= DE_QUIET;
2622  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2623  "(msg:\"Testing bytejump_body\"; "
2624  "content:\"one\"; "
2625  "byte_extract:4,0,two,string,hex; "
2626  "byte_extract:4,0,three,string,hex; "
2627  "content: \"four\"; within:two; "
2628  "content: \"five\"; within:three; "
2629  "sid:1;)");
2630  if (de_ctx->sig_list == NULL) {
2631  result = 0;
2632  goto end;
2633  }
2634 
2635  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2636  result = 0;
2637  goto end;
2638  }
2639 
2641  if (sm->type != DETECT_CONTENT) {
2642  result = 0;
2643  goto end;
2644  }
2645  cd = (DetectContentData *)sm->ctx;
2646  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2647  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2648  cd->flags & DETECT_CONTENT_NOCASE ||
2649  cd->flags & DETECT_CONTENT_WITHIN ||
2653  cd->flags & DETECT_CONTENT_NEGATED ) {
2654  printf("one failed\n");
2655  result = 0;
2656  goto end;
2657  }
2658 
2659  sm = sm->next;
2660  if (sm->type != DETECT_BYTE_EXTRACT) {
2661  result = 0;
2662  goto end;
2663  }
2664  bed1 = (SCDetectByteExtractData *)sm->ctx;
2665  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2666  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2667  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2668  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2669  goto end;
2670  }
2671  if (bed1->local_id != 0) {
2672  result = 0;
2673  goto end;
2674  }
2675 
2676  sm = sm->next;
2677  if (sm->type != DETECT_BYTE_EXTRACT) {
2678  result = 0;
2679  goto end;
2680  }
2681  bed2 = (SCDetectByteExtractData *)sm->ctx;
2682 
2683  sm = sm->next;
2684  if (sm->type != DETECT_CONTENT) {
2685  result = 0;
2686  goto end;
2687  }
2688  cd = (DetectContentData *)sm->ctx;
2689  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2692  cd->within != bed1->local_id || cd->depth != 0 || cd->offset != 0 ||
2693  cd->distance != 0) {
2694  printf("four failed\n");
2695  result = 0;
2696  goto end;
2697  }
2698 
2699  sm = sm->next;
2700  if (sm->type != DETECT_CONTENT) {
2701  result = 0;
2702  goto end;
2703  }
2704  cd = (DetectContentData *)sm->ctx;
2705  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2708  cd->within != bed2->local_id ||
2709  cd->depth != 0 ||
2710  cd->offset != 0 ||
2711  cd->distance != 0) {
2712  printf("five failed\n");
2713  result = 0;
2714  goto end;
2715  }
2716 
2717  if (sm->next != NULL)
2718  goto end;
2719 
2720  result = 1;
2721 
2722  end:
2726 
2727  return result;
2728 }
2729 
2730 static int DetectByteExtractTest51(void)
2731 {
2732  DetectEngineCtx *de_ctx = NULL;
2733  int result = 0;
2734  Signature *s = NULL;
2735  SigMatch *sm = NULL;
2736  DetectContentData *cd = NULL;
2737  SCDetectByteExtractData *bed = NULL;
2738  DetectBytetestData *btd = NULL;
2739 
2741  if (de_ctx == NULL)
2742  goto end;
2743 
2744  de_ctx->flags |= DE_QUIET;
2745  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2746  "(msg:\"Testing bytejump_body\"; "
2747  "content:\"one\"; "
2748  "byte_extract:4,0,two,string,hex; "
2749  "byte_test: 2,=,10, two; "
2750  "sid:1;)");
2751  if (de_ctx->sig_list == NULL) {
2752  result = 0;
2753  goto end;
2754  }
2755 
2756  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2757  result = 0;
2758  goto end;
2759  }
2760 
2762  if (sm->type != DETECT_CONTENT) {
2763  result = 0;
2764  goto end;
2765  }
2766  cd = (DetectContentData *)sm->ctx;
2767  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2768  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2769  cd->flags & DETECT_CONTENT_NOCASE ||
2770  cd->flags & DETECT_CONTENT_WITHIN ||
2774  cd->flags & DETECT_CONTENT_NEGATED ) {
2775  printf("one failed\n");
2776  result = 0;
2777  goto end;
2778  }
2779 
2780  sm = sm->next;
2781  if (sm->type != DETECT_BYTE_EXTRACT) {
2782  result = 0;
2783  goto end;
2784  }
2785  bed = (SCDetectByteExtractData *)sm->ctx;
2786  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2787  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2788  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2789  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2790  goto end;
2791  }
2792  if (bed->local_id != 0) {
2793  result = 0;
2794  goto end;
2795  }
2796 
2797  sm = sm->next;
2798  if (sm->type != DETECT_BYTETEST) {
2799  result = 0;
2800  goto end;
2801  }
2802  btd = (DetectBytetestData *)sm->ctx;
2803  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
2804  btd->value != 10 ||
2805  btd->offset != 0) {
2806  printf("three failed\n");
2807  result = 0;
2808  goto end;
2809  }
2810 
2811  if (sm->next != NULL)
2812  goto end;
2813 
2814  result = 1;
2815 
2816  end:
2820 
2821  return result;
2822 }
2823 
2824 static int DetectByteExtractTest52(void)
2825 {
2826  DetectEngineCtx *de_ctx = NULL;
2827  int result = 0;
2828  Signature *s = NULL;
2829  SigMatch *sm = NULL;
2830  DetectContentData *cd = NULL;
2831  SCDetectByteExtractData *bed1 = NULL;
2832  DetectBytetestData *btd = NULL;
2833 
2835  if (de_ctx == NULL)
2836  goto end;
2837 
2838  de_ctx->flags |= DE_QUIET;
2839  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2840  "(msg:\"Testing bytejump_body\"; "
2841  "content:\"one\"; "
2842  "byte_extract:4,0,two,string,hex; "
2843  "byte_extract:4,0,three,string,hex; "
2844  "byte_test: 2,=,two,three; "
2845  "byte_test: 3,=,10,three; "
2846  "sid:1;)");
2847  if (de_ctx->sig_list == NULL) {
2848  result = 0;
2849  goto end;
2850  }
2851 
2852  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2853  result = 0;
2854  goto end;
2855  }
2856 
2858  if (sm->type != DETECT_CONTENT) {
2859  result = 0;
2860  goto end;
2861  }
2862  cd = (DetectContentData *)sm->ctx;
2863  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2864  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2865  cd->flags & DETECT_CONTENT_NOCASE ||
2866  cd->flags & DETECT_CONTENT_WITHIN ||
2870  cd->flags & DETECT_CONTENT_NEGATED ) {
2871  printf("one failed\n");
2872  result = 0;
2873  goto end;
2874  }
2875 
2876  sm = sm->next;
2877  if (sm->type != DETECT_BYTE_EXTRACT) {
2878  result = 0;
2879  goto end;
2880  }
2881  bed1 = (SCDetectByteExtractData *)sm->ctx;
2882  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2883  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2884  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2885  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2886  goto end;
2887  }
2888  if (bed1->local_id != 0) {
2889  result = 0;
2890  goto end;
2891  }
2892 
2893  sm = sm->next;
2894  if (sm->type != DETECT_BYTE_EXTRACT) {
2895  result = 0;
2896  goto end;
2897  }
2898 
2899  sm = sm->next;
2900  if (sm->type != DETECT_BYTETEST) {
2901  result = 0;
2902  goto end;
2903  }
2904  btd = (DetectBytetestData *)sm->ctx;
2905  if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
2907  btd->value != 0 ||
2908  btd->offset != 1) {
2909  printf("three failed\n");
2910  result = 0;
2911  goto end;
2912  }
2913 
2914  sm = sm->next;
2915  if (sm->type != DETECT_BYTETEST) {
2916  result = 0;
2917  goto end;
2918  }
2919  btd = (DetectBytetestData *)sm->ctx;
2920  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
2921  btd->value != 10 ||
2922  btd->offset != 1) {
2923  printf("four failed\n");
2924  result = 0;
2925  goto end;
2926  }
2927 
2928  if (sm->next != NULL)
2929  goto end;
2930 
2931  result = 1;
2932 
2933  end:
2937 
2938  return result;
2939 }
2940 
2941 static int DetectByteExtractTest53(void)
2942 {
2945  de_ctx->flags |= DE_QUIET;
2946 
2947  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
2948  "content:\"one\"; "
2949  "byte_extract:4,0,two,string,hex; "
2950  "byte_jump: 2,two; "
2951  "sid:1;)");
2952  FAIL_IF_NULL(s);
2954 
2956  FAIL_IF(sm->type != DETECT_CONTENT);
2959 
2960  sm = sm->next;
2961  FAIL_IF_NULL(sm);
2963  SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
2964 
2965  FAIL_IF(bed->nbytes != 4);
2966  FAIL_IF(bed->offset != 0);
2967  FAIL_IF(strcmp(bed->name, "two") != 0);
2968  FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
2969  FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
2970  FAIL_IF(bed->align_value != 0);
2971  FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
2972  FAIL_IF(bed->local_id != 0);
2973 
2974  sm = sm->next;
2975  FAIL_IF_NULL(sm);
2976  FAIL_IF(sm->type != DETECT_BYTEJUMP);
2978 
2980  FAIL_IF(bjd->offset != 0);
2981 
2982  FAIL_IF_NOT_NULL(sm->next);
2984  PASS;
2985 }
2986 
2987 static int DetectByteExtractTest54(void)
2988 {
2989  DetectEngineCtx *de_ctx = NULL;
2990  int result = 0;
2991  Signature *s = NULL;
2992  SigMatch *sm = NULL;
2993  DetectContentData *cd = NULL;
2994  SCDetectByteExtractData *bed1 = NULL;
2995  DetectBytejumpData *bjd = NULL;
2996 
2998  if (de_ctx == NULL)
2999  goto end;
3000 
3001  de_ctx->flags |= DE_QUIET;
3002  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3003  "(msg:\"Testing bytejump_body\"; "
3004  "content:\"one\"; "
3005  "byte_extract:4,0,two,string,hex; "
3006  "byte_extract:4,0,three,string,hex; "
3007  "byte_jump: 2,two; "
3008  "byte_jump: 3,three; "
3009  "sid:1;)");
3010  if (de_ctx->sig_list == NULL) {
3011  result = 0;
3012  goto end;
3013  }
3014 
3015  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3016  result = 0;
3017  goto end;
3018  }
3019 
3021  if (sm->type != DETECT_CONTENT) {
3022  result = 0;
3023  goto end;
3024  }
3025  cd = (DetectContentData *)sm->ctx;
3026  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3027  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3028  cd->flags & DETECT_CONTENT_NOCASE ||
3029  cd->flags & DETECT_CONTENT_WITHIN ||
3033  cd->flags & DETECT_CONTENT_NEGATED ) {
3034  printf("one failed\n");
3035  result = 0;
3036  goto end;
3037  }
3038 
3039  sm = sm->next;
3040  if (sm->type != DETECT_BYTE_EXTRACT) {
3041  result = 0;
3042  goto end;
3043  }
3044  bed1 = (SCDetectByteExtractData *)sm->ctx;
3045  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3046  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3047  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3048  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3049  goto end;
3050  }
3051  if (bed1->local_id != 0) {
3052  result = 0;
3053  goto end;
3054  }
3055 
3056  sm = sm->next;
3057  if (sm->type != DETECT_BYTE_EXTRACT) {
3058  result = 0;
3059  goto end;
3060  }
3061 
3062  sm = sm->next;
3063  if (sm->type != DETECT_BYTEJUMP) {
3064  result = 0;
3065  goto end;
3066  }
3067  bjd = (DetectBytejumpData *)sm->ctx;
3068  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3069  printf("three failed\n");
3070  result = 0;
3071  goto end;
3072  }
3073 
3074  sm = sm->next;
3075  if (sm->type != DETECT_BYTEJUMP) {
3076  result = 0;
3077  goto end;
3078  }
3079  bjd = (DetectBytejumpData *)sm->ctx;
3081  FAIL_IF(bjd->offset != 1);
3082 
3083  if (sm->next != NULL)
3084  goto end;
3085 
3086  result = 1;
3087 
3088  end:
3092 
3093  return result;
3094 }
3095 
3096 static int DetectByteExtractTest55(void)
3097 {
3098  DetectEngineCtx *de_ctx = NULL;
3099  int result = 0;
3100  Signature *s = NULL;
3101  SigMatch *sm = NULL;
3102  DetectContentData *cd = NULL;
3103  SCDetectByteExtractData *bed1 = NULL;
3104  SCDetectByteExtractData *bed2 = NULL;
3105 
3107  if (de_ctx == NULL)
3108  goto end;
3109 
3110  de_ctx->flags |= DE_QUIET;
3111  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3112  "(msg:\"Testing byte_extract\"; "
3113  "content:\"one\"; "
3114  "byte_extract:4,0,two,string,hex; "
3115  "byte_extract:4,0,three,string,hex; "
3116  "byte_extract:4,0,four,string,hex; "
3117  "byte_extract:4,0,five,string,hex; "
3118  "content: \"four\"; within:two; distance:three; "
3119  "sid:1;)");
3120  if (de_ctx->sig_list == NULL) {
3121  goto end;
3122  }
3123 
3124  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3125  goto end;
3126  }
3127 
3129  if (sm->type != DETECT_CONTENT) {
3130  goto end;
3131  }
3132  cd = (DetectContentData *)sm->ctx;
3133  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3134  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3135  cd->flags & DETECT_CONTENT_NOCASE ||
3136  cd->flags & DETECT_CONTENT_WITHIN ||
3140  cd->flags & DETECT_CONTENT_NEGATED ) {
3141  printf("one failed: ");
3142  goto end;
3143  }
3144 
3145  sm = sm->next;
3146  if (sm->type != DETECT_BYTE_EXTRACT) {
3147  goto end;
3148  }
3149  bed1 = (SCDetectByteExtractData *)sm->ctx;
3150  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3151  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3152  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3153  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3154  goto end;
3155  }
3156  if (bed1->local_id != 0) {
3157  goto end;
3158  }
3159 
3160  sm = sm->next;
3161  if (sm->type != DETECT_BYTE_EXTRACT) {
3162  goto end;
3163  }
3164  bed2 = (SCDetectByteExtractData *)sm->ctx;
3165 
3166  sm = sm->next;
3167  if (sm->type != DETECT_BYTE_EXTRACT) {
3168  goto end;
3169  }
3170 
3171  sm = sm->next;
3172  if (sm->type != DETECT_BYTE_EXTRACT) {
3173  goto end;
3174  }
3175 
3176  sm = sm->next;
3177  if (sm->type != DETECT_CONTENT) {
3178  goto end;
3179  }
3180  cd = (DetectContentData *)sm->ctx;
3181  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3182  cd->flags !=
3185  cd->within != bed1->local_id || cd->distance != bed2->local_id) {
3186  printf("four failed: ");
3187  goto end;
3188  }
3189 
3190  if (sm->next != NULL) {
3191  goto end;
3192  }
3193 
3194  result = 1;
3195 
3196  end:
3200 
3201  return result;
3202 }
3203 
3204 static int DetectByteExtractTest56(void)
3205 {
3206  DetectEngineCtx *de_ctx = NULL;
3207  int result = 0;
3208  Signature *s = NULL;
3209  SigMatch *sm = NULL;
3210  DetectContentData *cd = NULL;
3211  SCDetectByteExtractData *bed1 = NULL;
3212  SCDetectByteExtractData *bed2 = NULL;
3213 
3215  if (de_ctx == NULL)
3216  goto end;
3217 
3218  de_ctx->flags |= DE_QUIET;
3219  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3220  "(msg:\"Testing bytejump_body\"; "
3221  "uricontent:\"urione\"; "
3222  "content:\"one\"; "
3223  "byte_extract:4,0,two,string,hex; "
3224  "byte_extract:4,0,three,string,hex; "
3225  "byte_extract:4,0,four,string,hex; "
3226  "byte_extract:4,0,five,string,hex; "
3227  "content: \"four\"; within:two; distance:three; "
3228  "sid:1;)");
3229  if (de_ctx->sig_list == NULL) {
3230  result = 0;
3231  goto end;
3232  }
3233 
3234  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3235  result = 0;
3236  goto end;
3237  }
3238 
3239  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3240  if (sm->type != DETECT_CONTENT) {
3241  result = 0;
3242  goto end;
3243  }
3244  cd = (DetectContentData *)sm->ctx;
3245  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3246  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3247  cd->flags & DETECT_CONTENT_NOCASE ||
3248  cd->flags & DETECT_CONTENT_WITHIN ||
3252  cd->flags & DETECT_CONTENT_NEGATED ) {
3253  printf("one failed\n");
3254  result = 0;
3255  goto end;
3256  }
3257 
3258  if (sm->next != NULL)
3259  goto end;
3260 
3262  if (sm->type != DETECT_CONTENT) {
3263  result = 0;
3264  goto end;
3265  }
3266  cd = (DetectContentData *)sm->ctx;
3267  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3268  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3269  cd->flags & DETECT_CONTENT_NOCASE ||
3270  cd->flags & DETECT_CONTENT_WITHIN ||
3274  cd->flags & DETECT_CONTENT_NEGATED ) {
3275  printf("one failed\n");
3276  result = 0;
3277  goto end;
3278  }
3279 
3280  sm = sm->next;
3281  if (sm->type != DETECT_BYTE_EXTRACT) {
3282  result = 0;
3283  goto end;
3284  }
3285  bed1 = (SCDetectByteExtractData *)sm->ctx;
3286  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3287  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3288  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3289  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3290  goto end;
3291  }
3292  if (bed1->local_id != 0) {
3293  result = 0;
3294  goto end;
3295  }
3296 
3297  sm = sm->next;
3298  if (sm->type != DETECT_BYTE_EXTRACT) {
3299  result = 0;
3300  goto end;
3301  }
3302  bed2 = (SCDetectByteExtractData *)sm->ctx;
3303 
3304  sm = sm->next;
3305  if (sm->type != DETECT_BYTE_EXTRACT) {
3306  result = 0;
3307  goto end;
3308  }
3309 
3310  sm = sm->next;
3311  if (sm->type != DETECT_BYTE_EXTRACT) {
3312  result = 0;
3313  goto end;
3314  }
3315 
3316  sm = sm->next;
3317  if (sm->type != DETECT_CONTENT) {
3318  result = 0;
3319  goto end;
3320  }
3321  cd = (DetectContentData *)sm->ctx;
3322  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3327  cd->within != bed1->local_id ||
3328  cd->distance != bed2->local_id ) {
3329  printf("four failed\n");
3330  result = 0;
3331  goto end;
3332  }
3333 
3334  if (sm->next != NULL) {
3335  goto end;
3336  }
3337 
3338  result = 1;
3339 
3340  end:
3344 
3345  return result;
3346 }
3347 
3348 static int DetectByteExtractTest57(void)
3349 {
3350  DetectEngineCtx *de_ctx = NULL;
3351  int result = 0;
3352  Signature *s = NULL;
3353  SigMatch *sm = NULL;
3354  DetectContentData *cd = NULL;
3355  SCDetectByteExtractData *bed1 = NULL;
3356  SCDetectByteExtractData *bed2 = NULL;
3357  SCDetectByteExtractData *bed3 = NULL;
3358  SCDetectByteExtractData *bed4 = NULL;
3359 
3361  if (de_ctx == NULL)
3362  goto end;
3363 
3364  de_ctx->flags |= DE_QUIET;
3365  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3366  "(msg:\"Testing bytejump_body\"; "
3367  "content:\"one\"; "
3368  "uricontent: \"urione\"; "
3369  "byte_extract:4,0,two,string,hex,relative; "
3370  "byte_extract:4,0,three,string,hex,relative; "
3371  "byte_extract:4,0,four,string,hex,relative; "
3372  "byte_extract:4,0,five,string,hex,relative; "
3373  "uricontent: \"four\"; within:two; distance:three; "
3374  "sid:1;)");
3375  if (de_ctx->sig_list == NULL) {
3376  result = 0;
3377  goto end;
3378  }
3379 
3380  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3381  result = 0;
3382  goto end;
3383  }
3384 
3386  if (sm->type != DETECT_CONTENT) {
3387  result = 0;
3388  goto end;
3389  }
3390  cd = (DetectContentData *)sm->ctx;
3391  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3392  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3393  cd->flags & DETECT_CONTENT_NOCASE ||
3394  cd->flags & DETECT_CONTENT_WITHIN ||
3398  cd->flags & DETECT_CONTENT_NEGATED ) {
3399  printf("one failed\n");
3400  result = 0;
3401  goto end;
3402  }
3403 
3404  if (sm->next != NULL)
3405  goto end;
3406 
3407  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3408  if (sm->type != DETECT_CONTENT) {
3409  result = 0;
3410  goto end;
3411  }
3412  cd = (DetectContentData *)sm->ctx;
3413  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3414  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3415  cd->flags & DETECT_CONTENT_NOCASE ||
3416  cd->flags & DETECT_CONTENT_WITHIN ||
3420  cd->flags & DETECT_CONTENT_NEGATED ) {
3421  printf("one failed\n");
3422  result = 0;
3423  goto end;
3424  }
3425 
3426  sm = sm->next;
3427  if (sm->type != DETECT_BYTE_EXTRACT) {
3428  result = 0;
3429  goto end;
3430  }
3431  bed1 = (SCDetectByteExtractData *)sm->ctx;
3432  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3433  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3434  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3435  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3436  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3437  goto end;
3438  }
3439  if (bed1->local_id != 0) {
3440  result = 0;
3441  goto end;
3442  }
3443 
3444  sm = sm->next;
3445  if (sm->type != DETECT_BYTE_EXTRACT) {
3446  result = 0;
3447  goto end;
3448  }
3449  bed2 = (SCDetectByteExtractData *)sm->ctx;
3450  if (bed2->local_id != 1) {
3451  result = 0;
3452  goto end;
3453  }
3454 
3455  sm = sm->next;
3456  if (sm->type != DETECT_BYTE_EXTRACT) {
3457  result = 0;
3458  goto end;
3459  }
3460  bed3 = (SCDetectByteExtractData *)sm->ctx;
3461  if (bed3->local_id != 2) {
3462  result = 0;
3463  goto end;
3464  }
3465 
3466  sm = sm->next;
3467  if (sm->type != DETECT_BYTE_EXTRACT) {
3468  result = 0;
3469  goto end;
3470  }
3471  bed4 = (SCDetectByteExtractData *)sm->ctx;
3472  if (bed4->local_id != 3) {
3473  result = 0;
3474  goto end;
3475  }
3476 
3477  sm = sm->next;
3478  if (sm->type != DETECT_CONTENT) {
3479  result = 0;
3480  goto end;
3481  }
3482  cd = (DetectContentData *)sm->ctx;
3483  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3488  cd->within != bed1->local_id ||
3489  cd->distance != bed2->local_id) {
3490  printf("four failed\n");
3491  result = 0;
3492  goto end;
3493  }
3494 
3495  if (sm->next != NULL) {
3496  goto end;
3497  }
3498 
3499  result = 1;
3500 
3501  end:
3505 
3506  return result;
3507 }
3508 
3509 static int DetectByteExtractTest58(void)
3510 {
3511  DetectEngineCtx *de_ctx = NULL;
3512  int result = 0;
3513  Signature *s = NULL;
3514  SigMatch *sm = NULL;
3515  DetectContentData *cd = NULL;
3516  SCDetectByteExtractData *bed1 = NULL;
3517  DetectBytejumpData *bjd = NULL;
3518  DetectIsdataatData *isdd = NULL;
3519 
3521  if (de_ctx == NULL)
3522  goto end;
3523 
3524  de_ctx->flags |= DE_QUIET;
3525  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3526  "(msg:\"Testing bytejump_body\"; "
3527  "content:\"one\"; "
3528  "byte_extract:4,0,two,string,hex; "
3529  "byte_extract:4,0,three,string,hex; "
3530  "byte_jump: 2,two; "
3531  "byte_jump: 3,three; "
3532  "isdataat: three; "
3533  "sid:1;)");
3534  if (de_ctx->sig_list == NULL) {
3535  result = 0;
3536  goto end;
3537  }
3538 
3539  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3540  result = 0;
3541  goto end;
3542  }
3543 
3545  if (sm->type != DETECT_CONTENT) {
3546  result = 0;
3547  goto end;
3548  }
3549  cd = (DetectContentData *)sm->ctx;
3550  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3551  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3552  cd->flags & DETECT_CONTENT_NOCASE ||
3553  cd->flags & DETECT_CONTENT_WITHIN ||
3557  cd->flags & DETECT_CONTENT_NEGATED ) {
3558  printf("one failed\n");
3559  result = 0;
3560  goto end;
3561  }
3562 
3563  sm = sm->next;
3564  if (sm->type != DETECT_BYTE_EXTRACT) {
3565  result = 0;
3566  goto end;
3567  }
3568  bed1 = (SCDetectByteExtractData *)sm->ctx;
3569  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3570  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3571  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3572  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3573  goto end;
3574  }
3575  if (bed1->local_id != 0) {
3576  result = 0;
3577  goto end;
3578  }
3579 
3580  sm = sm->next;
3581  if (sm->type != DETECT_BYTE_EXTRACT) {
3582  result = 0;
3583  goto end;
3584  }
3585 
3586  sm = sm->next;
3587  if (sm->type != DETECT_BYTEJUMP) {
3588  result = 0;
3589  goto end;
3590  }
3591  bjd = (DetectBytejumpData *)sm->ctx;
3592  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3593  printf("three failed\n");
3594  result = 0;
3595  goto end;
3596  }
3597 
3598  sm = sm->next;
3599  if (sm->type != DETECT_BYTEJUMP) {
3600  result = 0;
3601  goto end;
3602  }
3603  bjd = (DetectBytejumpData *)sm->ctx;
3604  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
3605  printf("four failed\n");
3606  result = 0;
3607  goto end;
3608  }
3609 
3610  sm = sm->next;
3611  if (sm->type != DETECT_ISDATAAT) {
3612  result = 0;
3613  goto end;
3614  }
3615  isdd = (DetectIsdataatData *)sm->ctx;
3616  if (isdd->flags != ISDATAAT_OFFSET_VAR ||
3617  isdd->dataat != 1) {
3618  printf("isdataat failed\n");
3619  result = 0;
3620  goto end;
3621  }
3622 
3623  if (sm->next != NULL)
3624  goto end;
3625 
3626  result = 1;
3627 
3628  end:
3632 
3633  return result;
3634 }
3635 
3636 static int DetectByteExtractTest59(void)
3637 {
3640  de_ctx->flags |= DE_QUIET;
3641 
3642  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
3643  "content:\"one\"; "
3644  "byte_extract:4,0,two,string,hex; "
3645  "byte_extract:4,0,three,string,hex; "
3646  "byte_jump: 2,two; "
3647  "byte_jump: 3,three; "
3648  "isdataat: three,relative; "
3649  "sid:1;)");
3650  FAIL_IF_NULL(s);
3651 
3654  FAIL_IF(sm->type != DETECT_CONTENT);
3655 
3658  FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
3665 
3666  sm = sm->next;
3667  FAIL_IF_NULL(sm);
3669 
3670  SCDetectByteExtractData *bed1 = (SCDetectByteExtractData *)sm->ctx;
3671  FAIL_IF(bed1->nbytes != 4);
3672  FAIL_IF(bed1->offset != 0);
3673  FAIL_IF(strcmp(bed1->name, "two") != 0);
3674  printf("a\n");
3675  FAIL_IF(bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
3676  printf("b\n");
3677  FAIL_IF(bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX);
3678  FAIL_IF(bed1->align_value != 0);
3679  FAIL_IF(bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
3680 
3681  FAIL_IF(bed1->local_id != 0);
3682 
3683  sm = sm->next;
3684  FAIL_IF_NULL(sm);
3686 
3687  sm = sm->next;
3688  FAIL_IF_NULL(sm);
3689  FAIL_IF(sm->type != DETECT_BYTEJUMP);
3690 
3693  FAIL_IF(bjd->offset != 0);
3694 
3695  sm = sm->next;
3696  FAIL_IF_NULL(sm);
3697  FAIL_IF(sm->type != DETECT_BYTEJUMP);
3698 
3699  bjd = (DetectBytejumpData *)sm->ctx;
3701  FAIL_IF(bjd->offset != 1);
3702 
3703  sm = sm->next;
3704  FAIL_IF_NULL(sm);
3705  FAIL_IF(sm->type != DETECT_ISDATAAT);
3706  DetectIsdataatData *isdd = (DetectIsdataatData *)sm->ctx;
3708  FAIL_IF(isdd->dataat != 1);
3709 
3710  FAIL_IF(sm->next != NULL);
3712 
3713  PASS;
3714 }
3715 
3716 static int DetectByteExtractTest60(void)
3717 {
3718  DetectEngineCtx *de_ctx = NULL;
3719  int result = 0;
3720  Signature *s = NULL;
3721  SigMatch *sm = NULL;
3722  DetectContentData *cd = NULL;
3723  SCDetectByteExtractData *bed1 = NULL;
3724  DetectIsdataatData *isdd = NULL;
3725 
3727  if (de_ctx == NULL)
3728  goto end;
3729 
3730  de_ctx->flags |= DE_QUIET;
3731  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3732  "(msg:\"Testing bytejump_body\"; "
3733  "content:\"one\"; "
3734  "byte_extract:4,0,two,string,hex,relative; "
3735  "uricontent: \"three\"; "
3736  "byte_extract:4,0,four,string,hex,relative; "
3737  "isdataat: two; "
3738  "sid:1;)");
3739  if (de_ctx->sig_list == NULL) {
3740  result = 0;
3741  goto end;
3742  }
3743 
3744  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3745  result = 0;
3746  goto end;
3747  }
3748 
3750  if (sm->type != DETECT_CONTENT) {
3751  result = 0;
3752  goto end;
3753  }
3754  cd = (DetectContentData *)sm->ctx;
3755  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3756  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3757  cd->flags & DETECT_CONTENT_NOCASE ||
3758  cd->flags & DETECT_CONTENT_WITHIN ||
3762  cd->flags & DETECT_CONTENT_NEGATED ) {
3763  printf("one failed\n");
3764  result = 0;
3765  goto end;
3766  }
3767 
3768  sm = sm->next;
3769  if (sm->type != DETECT_BYTE_EXTRACT) {
3770  result = 0;
3771  goto end;
3772  }
3773  bed1 = (SCDetectByteExtractData *)sm->ctx;
3774  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3775  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3776  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3777  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3778  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3779  goto end;
3780  }
3781  if (bed1->local_id != 0) {
3782  result = 0;
3783  goto end;
3784  }
3785 
3786  sm = sm->next;
3787  if (sm->type != DETECT_ISDATAAT) {
3788  result = 0;
3789  goto end;
3790  }
3791  isdd = (DetectIsdataatData *)sm->ctx;
3792  if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
3793  isdd->dataat != bed1->local_id) {
3794  printf("isdataat failed\n");
3795  result = 0;
3796  goto end;
3797  }
3798 
3799  if (sm->next != NULL)
3800  goto end;
3801 
3802  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3803  if (sm == NULL) {
3804  result = 0;
3805  goto end;
3806  }
3807  if (sm->type != DETECT_CONTENT) {
3808  result = 0;
3809  goto end;
3810  }
3811  cd = (DetectContentData *)sm->ctx;
3813  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
3814  printf("one failed\n");
3815  result = 0;
3816  goto end;
3817  }
3818 
3819  sm = sm->next;
3820  if (sm->type != DETECT_BYTE_EXTRACT) {
3821  result = 0;
3822  goto end;
3823  }
3824  bed1 = (SCDetectByteExtractData *)sm->ctx;
3825  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
3826  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3827  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3828  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3829  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3830  goto end;
3831  }
3832  if (bed1->local_id != 0) {
3833  result = 0;
3834  goto end;
3835  }
3836 
3837  if (sm->next != NULL)
3838  goto end;
3839 
3840  result = 1;
3841 
3842  end:
3846 
3847  return result;
3848 }
3849 
3850 static int DetectByteExtractTest61(void)
3851 {
3852  DetectEngineCtx *de_ctx = NULL;
3853  int result = 0;
3854  Signature *s = NULL;
3855  SigMatch *sm = NULL;
3856  DetectContentData *cd = NULL;
3857  SCDetectByteExtractData *bed1 = NULL;
3858  DetectIsdataatData *isdd = NULL;
3859 
3861  if (de_ctx == NULL)
3862  goto end;
3863 
3864  de_ctx->flags |= DE_QUIET;
3865  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3866  "(msg:\"Testing bytejump_body\"; "
3867  "content:\"one\"; "
3868  "byte_extract:4,0,two,string,hex,relative; "
3869  "uricontent: \"three\"; "
3870  "byte_extract:4,0,four,string,hex,relative; "
3871  "isdataat: four, relative; "
3872  "sid:1;)");
3873  if (de_ctx->sig_list == NULL) {
3874  result = 0;
3875  goto end;
3876  }
3877 
3878  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3879  result = 0;
3880  goto end;
3881  }
3882 
3884  if (sm->type != DETECT_CONTENT) {
3885  result = 0;
3886  goto end;
3887  }
3888  cd = (DetectContentData *)sm->ctx;
3889  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3890  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3891  cd->flags & DETECT_CONTENT_NOCASE ||
3892  cd->flags & DETECT_CONTENT_WITHIN ||
3896  cd->flags & DETECT_CONTENT_NEGATED ) {
3897  printf("one failed\n");
3898  result = 0;
3899  goto end;
3900  }
3901 
3902  sm = sm->next;
3903  if (sm->type != DETECT_BYTE_EXTRACT) {
3904  result = 0;
3905  goto end;
3906  }
3907  bed1 = (SCDetectByteExtractData *)sm->ctx;
3908  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3909  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3910  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3911  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3912  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3913  goto end;
3914  }
3915  if (bed1->local_id != 0) {
3916  result = 0;
3917  goto end;
3918  }
3919 
3920  if (sm->next != NULL)
3921  goto end;
3922 
3923  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3924  if (sm == NULL) {
3925  result = 0;
3926  goto end;
3927  }
3928  if (sm->type != DETECT_CONTENT) {
3929  result = 0;
3930  goto end;
3931  }
3932  cd = (DetectContentData *)sm->ctx;
3934  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
3935  printf("one failed\n");
3936  result = 0;
3937  goto end;
3938  }
3939 
3940  sm = sm->next;
3941  if (sm->type != DETECT_BYTE_EXTRACT) {
3942  result = 0;
3943  goto end;
3944  }
3945  bed1 = (SCDetectByteExtractData *)sm->ctx;
3946  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
3947  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3948  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3949  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3950  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3951  goto end;
3952  }
3953  if (bed1->local_id != 0) {
3954  result = 0;
3955  goto end;
3956  }
3957 
3958  sm = sm->next;
3959  if (sm->type != DETECT_ISDATAAT) {
3960  result = 0;
3961  goto end;
3962  }
3963  isdd = (DetectIsdataatData *)sm->ctx;
3964  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
3965  ISDATAAT_RELATIVE) ||
3966  isdd->dataat != bed1->local_id) {
3967  printf("isdataat failed\n");
3968  result = 0;
3969  goto end;
3970  }
3971 
3972  if (sm->next != NULL)
3973  goto end;
3974 
3975  result = 1;
3976 
3977  end:
3981 
3982  return result;
3983 }
3984 
3985 static int DetectByteExtractTest62(void)
3986 {
3987  DetectEngineCtx *de_ctx = NULL;
3988  int result = 0;
3989  Signature *s = NULL;
3990  SigMatch *sm = NULL;
3991  SCDetectByteExtractData *bed = NULL;
3992 
3994  if (de_ctx == NULL)
3995  goto end;
3996 
3997  de_ctx->flags |= DE_QUIET;
3998  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3999  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4000  "sid:1;)");
4001  if (de_ctx->sig_list == NULL) {
4002  goto end;
4003  }
4004 
4005  sm = DetectBufferGetFirstSigMatch(s, g_file_data_buffer_id);
4006  if (sm == NULL) {
4007  goto end;
4008  }
4009  if (sm->type != DETECT_BYTE_EXTRACT) {
4010  goto end;
4011  }
4012  bed = (SCDetectByteExtractData *)sm->ctx;
4013  if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", 3) != 0 ||
4014  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
4015  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4016  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
4017  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4018  goto end;
4019  }
4020 
4021  result = 1;
4022 
4023  end:
4027 
4028  return result;
4029 }
4030 
4031 static int DetectByteExtractTest63(void)
4032 {
4033  int result = 0;
4034 
4035  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4036  if (bed == NULL)
4037  goto end;
4038 
4039  if (bed->nbytes != 4 || bed->offset != -2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
4040  bed->endian != BigEndian || bed->align_value != 0 ||
4041  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4042  goto end;
4043  }
4044 
4045  result = 1;
4046  end:
4047  if (bed != NULL)
4048  DetectByteExtractFree(NULL, bed);
4049  return result;
4050 }
4051 
4052 static int DetectByteExtractTestParseNoBase(void)
4053 {
4054  int result = 0;
4055 
4056  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4057  if (bed == NULL)
4058  goto end;
4059 
4060  if (bed->nbytes != 4) {
4061  goto end;
4062  }
4063  if (bed->offset != 2) {
4064  goto end;
4065  }
4066  if (strcmp(bed->name, "one") != 0) {
4067  goto end;
4068  }
4069  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4070  goto end;
4071  }
4072  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4073  goto end;
4074  }
4075  if (bed->align_value != 0) {
4076  goto end;
4077  }
4078  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4079  goto end;
4080  }
4081 
4082  result = 1;
4083  end:
4084  if (bed != NULL)
4085  DetectByteExtractFree(NULL, bed);
4086  return result;
4087 }
4088 
4089 static void DetectByteExtractRegisterTests(void)
4090 {
4091  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4092  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4093 
4094  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4095  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4096  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4097  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4098  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4099  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4100  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4101  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4102  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4103  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4104  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4105  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4106  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4107  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4108  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4109  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4110  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4111  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4112  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4113  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4114  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4115  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4116  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4117  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4118  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4119  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4120  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4121  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4122  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4123  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4124  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4125  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4126  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4127  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4128  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4129  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4130  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4131  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4132  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4133  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4134  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4135  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4136 
4137  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4138  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4139 
4140  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4141  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4142 
4143  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4144  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4145 
4146  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4147  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4148 
4149  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4150  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4151 
4152  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4153  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4154 
4155  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4156  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4157  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4158 
4159  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4160  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4161  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4162  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4163  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4164  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4165 
4166  UtRegisterTest("DetectByteExtractTestParseNoBase",
4167  DetectByteExtractTestParseNoBase);
4168 }
4169 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:107
util-byte.h
DetectBytetestData_::flags
uint16_t flags
Definition: detect-bytetest.h:58
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1431
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2313
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:548
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1247
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:118
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:644
SigTableElmt_::desc
const char * desc
Definition: detect.h:1430
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:155
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:58
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1418
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine-buffer.c:157
SigTableElmt_::name
const char * name
Definition: detect.h:1428
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:646
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:83
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
DetectContentData_::within
int32_t within
Definition: detect-content.h:109
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:49
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
Definition: detect-content.h:55
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:931
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2674
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:329
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:48
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:51
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:55
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectBytetestData_
Definition: detect-bytetest.h:53
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
SigMatchData_
Data needed for Match()
Definition: detect.h:365
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1413
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:46
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:50
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1157
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:734
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:82
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:54
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1223
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:630
detect.h
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:50
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3097
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2200
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
detect-engine-build.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:749
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1396
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:375
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:1009
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:71
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:143
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:82
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:55
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:108
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
detect-engine-buffer.h
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:940
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:649
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:839
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:85
DETECT_CONTENT_MPM
#define DETECT_CONTENT_MPM
Definition: detect-content.h:61
Signature_
Signature container.
Definition: detect.h:670
SigMatch_
a single match condition for a signature
Definition: detect.h:356
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:93
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:134
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:60
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:33
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2635
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:69
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
DetectPcreData_
Definition: detect-pcre.h:47
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:84
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:640
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:464
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:933
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:650
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:56
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:62
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1420
DETECT_BYTEJUMP_OFFSET_VAR
#define DETECT_BYTEJUMP_OFFSET_VAR
Definition: detect-bytejump.h:44
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:49
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
detect-bytetest.h