suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "decode.h"
26 
27 #include "detect.h"
28 #include "detect-engine.h"
29 #include "detect-content.h"
30 #include "detect-pcre.h"
31 #include "detect-bytejump.h"
32 #include "detect-bytetest.h"
33 #include "detect-byte-extract.h"
34 #include "detect-isdataat.h"
35 #include "detect-engine-build.h"
36 
37 #include "rust.h"
38 
39 #include "app-layer-protos.h"
40 
41 #include "util-byte.h"
42 #include "util-debug.h"
43 #include "util-unittest.h"
44 #include "util-unittest-helper.h"
45 
46 /* the base to be used if string mode is specified. These options would be
47  * specified in DetectByteParseData->base */
48 #define DETECT_BYTE_EXTRACT_BASE_HEX BaseHex
49 #define DETECT_BYTE_EXTRACT_BASE_DEC BaseDec
50 #define DETECT_BYTE_EXTRACT_BASE_OCT BaseOct
51 
52 /* the max no of bytes that can be extracted in string mode - (string, hex)
53  * (string, oct) or (string, dec) */
54 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
55 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
56 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
57 /* the max no of bytes that can be extracted in non-string mode */
58 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
59 
60 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
61 #ifdef UNITTESTS
62 static void DetectByteExtractRegisterTests(void);
63 #endif
64 static void DetectByteExtractFree(DetectEngineCtx *, void *);
65 
66 /**
67  * \brief Registers the keyword handlers for the "byte_extract" keyword.
68  */
69 void DetectByteExtractRegister(void)
70 {
71  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
72  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
73  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
74  sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
75  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
76  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
77 #ifdef UNITTESTS
78  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
79 #endif
80 }
81 
82 int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
83  const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value,
84  uint8_t endian)
85 {
86  if (payload_len == 0) {
87  return 0;
88  }
89 
90  /* Calculate the ptr value for the bytetest and length remaining in
91  * the packet from that point.
92  */
93  const uint8_t *ptr;
94  int32_t len;
95  SCDetectByteExtractData *data = (SCDetectByteExtractData *)smd->ctx;
96  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
97  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
98  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
99 
100  ptr = payload + det_ctx->buffer_offset;
101  len = payload_len - det_ctx->buffer_offset;
102 
103  ptr += data->offset;
104  len -= data->offset;
105 
106  /* No match if there is no relative base */
107  if (len <= 0) {
108  return 0;
109  }
110  //PrintRawDataFp(stdout,ptr,len);
111  } else {
112  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
113 
114  ptr = payload + data->offset;
115  len = payload_len - data->offset;
116  }
117 
118  /* Validate that the to-be-extracted is within the packet */
119  if (ptr < payload || data->nbytes > len) {
120  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
121  payload, ptr, len, data->nbytes);
122  return 0;
123  }
124 
125  /* Extract the byte data */
126  uint64_t val = 0;
127  int extbytes;
128  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
129  extbytes = ByteExtractStringUint64(&val, data->base,
130  data->nbytes, (const char *)ptr);
131  if (extbytes <= 0) {
132  /* strtoull() return 0 if there is no numeric value in data string */
133  if (val == 0) {
134  SCLogDebug("No Numeric value");
135  return 0;
136  } else {
137  SCLogDebug("error extracting %d bytes of string data: %d",
138  data->nbytes, extbytes);
139  return -1;
140  }
141  }
142  } else {
143  int endianness = (endian == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
144  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
145  if (extbytes != data->nbytes) {
146  SCLogDebug("error extracting %d bytes of numeric data: %d",
147  data->nbytes, extbytes);
148  return 0;
149  }
150  }
151 
152  /* Adjust the jump value based on flags */
153  val *= data->multiplier_value;
154  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
155  if ((val % data->align_value) != 0) {
156  val += data->align_value - (val % data->align_value);
157  }
158  }
159 
160  ptr += extbytes;
161 
162  det_ctx->buffer_offset = ptr - payload;
163 
164  *value = val;
165  SCLogDebug("extracted value is %"PRIu64, val);
166  return 1;
167 }
168 
169 /**
170  * \internal
171  * \brief Used to parse byte_extract arg.
172  *
173  * \param de_ctx Pointer to the detection engine context
174  * \arg The argument to parse.
175  *
176  * \param bed On success an instance containing the parsed data.
177  * On failure, NULL.
178  */
179 static inline SCDetectByteExtractData *DetectByteExtractParse(
180  DetectEngineCtx *de_ctx, const char *arg)
181 {
182  SCDetectByteExtractData *bed = SCByteExtractParse(arg);
183  if (bed == NULL) {
184  SCLogError("invalid byte_extract values");
185  goto error;
186  }
187 
188  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_SLICE) {
189  SCLogError("byte_extract slice not yet supported; see issue #6831");
190  goto error;
191  }
192  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
193  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
194  /* if are dealing with octal nos, the max no that can fit in a 8
195  * byte value is 01777777777777777777777 */
196  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
197  SCLogError("byte_extract can't process "
198  "more than %d bytes in \"string\" extraction",
199  STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
200  goto error;
201  }
202  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
203  /* if are dealing with decimal nos, the max no that can fit in a 8
204  * byte value is 18446744073709551615 */
205  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
206  SCLogError("byte_extract can't process "
207  "more than %d bytes in \"string\" extraction",
208  STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
209  goto error;
210  }
211  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
212  /* if are dealing with hex nos, the max no that can fit in a 8
213  * byte value is 0xFFFFFFFFFFFFFFFF */
214  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
215  SCLogError("byte_extract can't process "
216  "more than %d bytes in \"string\" extraction",
217  STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
218  goto error;
219  }
220  } else {
221  ; // just a placeholder. we won't reach here.
222  }
223  } else {
224  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
225  SCLogError("byte_extract can't process "
226  "more than %d bytes in \"non-string\" extraction",
227  NO_STRING_MAX_BYTES_TO_EXTRACT);
228  goto error;
229  }
230  /* if string has not been specified and no endian option has been
231  * specified, then set the default endian level of BIG */
232  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
233  bed->endian = BigEndian;
234  }
235  return bed;
236 
237  error:
238  if (bed != NULL)
239  DetectByteExtractFree(de_ctx, bed);
240  return NULL;
241 }
242 
243 /**
244  * \brief The setup function for the byte_extract keyword for a signature.
245  *
246  * \param de_ctx Pointer to the detection engine context.
247  * \param s Pointer to signature for the current Signature being parsed
248  * from the rules.
249  * \param m Pointer to the head of the SigMatch for the current rule
250  * being parsed.
251  * \param arg Pointer to the string holding the keyword value.
252  *
253  * \retval 0 On success.
254  * \retval -1 On failure.
255  */
256 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
257 {
258  SigMatch *prev_pm = NULL;
259  SCDetectByteExtractData *data = NULL;
260  int ret = -1;
261 
262  data = DetectByteExtractParse(de_ctx, arg);
263  if (data == NULL)
264  goto error;
265 
266  int sm_list;
267  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
268  sm_list = s->init_data->list;
269 
270  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
271  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
272  }
273  } else if (data->endian == EndianDCE) {
274  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
275  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
276  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
277  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
278  if (prev_pm == NULL) {
279  sm_list = DETECT_SM_LIST_PMATCH;
280  } else {
281  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
282  if (sm_list < 0)
283  goto error;
284  }
285  } else {
286  sm_list = DETECT_SM_LIST_PMATCH;
287  }
288 
289  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
290  goto error;
291 
292  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
293  prev_pm = DetectGetLastSMFromLists(s,
294  DETECT_CONTENT, DETECT_PCRE,
295  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
296  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
297  if (prev_pm == NULL) {
298  sm_list = DETECT_SM_LIST_PMATCH;
299  } else {
300  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
301  if (sm_list < 0)
302  goto error;
303  }
304 
305  } else {
306  sm_list = DETECT_SM_LIST_PMATCH;
307  }
308 
309  if (data->endian == EndianDCE) {
310  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
311  goto error;
312 
313  if ((DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ==
314  (data->flags & (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING))) {
315  SCLogError("Invalid option. "
316  "A byte_jump keyword with dce holds other invalid modifiers.");
317  goto error;
318  }
319  }
320 
321  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
322  DETECT_BYTE_EXTRACT, -1);
323  if (prev_bed_sm == NULL)
324  data->local_id = 0;
325  else
326  data->local_id = ((SCDetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
327  if (data->local_id > de_ctx->byte_extract_max_local_id)
328  de_ctx->byte_extract_max_local_id = data->local_id;
329 
330  if (SigMatchAppendSMToList(de_ctx, s, DETECT_BYTE_EXTRACT, (SigMatchCtx *)data, sm_list) ==
331  NULL) {
332  goto error;
333  }
334 
335  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
336  goto okay;
337 
338  if (prev_pm == NULL)
339  goto okay;
340 
341  if (prev_pm->type == DETECT_CONTENT) {
342  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
343  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
344  } else if (prev_pm->type == DETECT_PCRE) {
345  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
346  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
347  }
348 
349  okay:
350  ret = 0;
351  return ret;
352  error:
353  DetectByteExtractFree(de_ctx, data);
354  return ret;
355 }
356 
357 /**
358  * \brief Used to free instances of SCDetectByteExtractData.
359  *
360  * \param ptr Instance of SCDetectByteExtractData to be freed.
361  */
362 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
363 {
364  SCByteExtractFree(ptr);
365 }
366 
367 /**
368  * \brief Lookup the SigMatch for a named byte_extract variable.
369  *
370  * \param arg The name of the byte_extract variable to lookup.
371  * \param s Pointer the signature to look in.
372  *
373  * \retval A pointer to the SigMatch if found, otherwise NULL.
374  */
375 SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
376 {
377  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
378  SigMatch *sm = s->init_data->buffers[x].head;
379  while (sm != NULL) {
380  if (sm->type == DETECT_BYTE_EXTRACT) {
381  const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
382  if (strcmp(bed->name, arg) == 0) {
383  return sm;
384  }
385  }
386  sm = sm->next;
387  }
388  }
389 
390  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
391  SigMatch *sm = s->init_data->smlists[list];
392  while (sm != NULL) {
393  if (sm->type == DETECT_BYTE_EXTRACT) {
394  const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
395  if (strcmp(bed->name, arg) == 0) {
396  return sm;
397  }
398  }
399  sm = sm->next;
400  }
401  }
402 
403  return NULL;
404 }
405 
406 /*************************************Unittests********************************/
407 
408 #ifdef UNITTESTS
409 
410 static int g_file_data_buffer_id = 0;
411 static int g_http_uri_buffer_id = 0;
412 
413 static int DetectByteExtractTest01(void)
414 {
415  int result = 0;
416 
417  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
418  if (bed == NULL)
419  goto end;
420 
421  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
422  bed->endian != BigEndian || bed->align_value != 0 ||
423  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
424  goto end;
425  }
426 
427  result = 1;
428  end:
429  if (bed != NULL)
430  DetectByteExtractFree(NULL, bed);
431  return result;
432 }
433 
434 static int DetectByteExtractTest02(void)
435 {
436  int result = 0;
437 
438  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
439  if (bed == NULL)
440  goto end;
441 
442  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
443  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE || bed->endian != BigEndian ||
444  bed->align_value != 0 ||
445  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
446  goto end;
447  }
448 
449  result = 1;
450  end:
451  if (bed != NULL)
452  DetectByteExtractFree(NULL, bed);
453  return result;
454 }
455 
456 static int DetectByteExtractTest03(void)
457 {
458  int result = 0;
459 
460  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
461  if (bed == NULL)
462  goto end;
463 
464  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
465  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER || bed->endian != BigEndian ||
466  bed->align_value != 0 || bed->multiplier_value != 10) {
467  goto end;
468  }
469 
470  result = 1;
471  end:
472  if (bed != NULL)
473  DetectByteExtractFree(NULL, bed);
474  return result;
475 }
476 
477 static int DetectByteExtractTest04(void)
478 {
479  int result = 0;
480 
481  SCDetectByteExtractData *bed =
482  DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
483  if (bed == NULL)
484  goto end;
485 
486  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
487  bed->flags !=
488  (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
489  bed->endian != BigEndian || bed->align_value != 0 || bed->multiplier_value != 10) {
490  goto end;
491  }
492 
493  result = 1;
494  end:
495  if (bed != NULL)
496  DetectByteExtractFree(NULL, bed);
497  return result;
498 }
499 
500 static int DetectByteExtractTest05(void)
501 {
502  int result = 0;
503 
504  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
505  if (bed == NULL)
506  goto end;
507 
508  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
509  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != BigEndian ||
510  bed->align_value != 0 ||
511  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
512  goto end;
513  }
514 
515  result = 1;
516  end:
517  if (bed != NULL)
518  DetectByteExtractFree(NULL, bed);
519  return result;
520 }
521 
522 static int DetectByteExtractTest06(void)
523 {
524  int result = 0;
525 
526  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
527  if (bed == NULL)
528  goto end;
529 
530  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
531  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != LittleEndian ||
532  bed->align_value != 0 ||
533  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
534  goto end;
535  }
536 
537  result = 1;
538  end:
539  if (bed != NULL)
540  DetectByteExtractFree(NULL, bed);
541  return result;
542 }
543 
544 static int DetectByteExtractTest07(void)
545 {
546  int result = 0;
547 
548  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
549  if (bed == NULL)
550  goto end;
551 
552  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
553  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != EndianDCE ||
554  bed->align_value != 0 ||
555  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
556  goto end;
557  }
558 
559  result = 1;
560  end:
561  if (bed != NULL)
562  DetectByteExtractFree(NULL, bed);
563  return result;
564 }
565 
566 static int DetectByteExtractTest08(void)
567 {
568  int result = 0;
569 
570  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
571  if (bed == NULL)
572  goto end;
573 
574  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
575  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
576  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
577  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
578  goto end;
579  }
580 
581  result = 1;
582  end:
583  if (bed != NULL)
584  DetectByteExtractFree(NULL, bed);
585  return result;
586 }
587 
588 static int DetectByteExtractTest09(void)
589 {
590  int result = 0;
591 
592  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
593  if (bed == NULL)
594  goto end;
595 
596  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
597  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
598  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT || bed->align_value != 0 ||
599  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
600  goto end;
601  }
602 
603  result = 1;
604  end:
605  if (bed != NULL)
606  DetectByteExtractFree(NULL, bed);
607  return result;
608 }
609 
610 static int DetectByteExtractTest10(void)
611 {
612  int result = 0;
613 
614  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
615  if (bed == NULL)
616  goto end;
617 
618  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
619  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC || bed->align_value != 0 ||
620  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
621  goto end;
622  }
623 
624  result = 1;
625  end:
626  if (bed != NULL)
627  DetectByteExtractFree(NULL, bed);
628  return result;
629 }
630 
631 static int DetectByteExtractTest11(void)
632 {
633  int result = 0;
634 
635  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
636  if (bed == NULL)
637  goto end;
638 
639  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
640  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN || bed->endian != BigEndian ||
641  bed->align_value != 4 ||
642  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
643  goto end;
644  }
645 
646  result = 1;
647  end:
648  if (bed != NULL)
649  DetectByteExtractFree(NULL, bed);
650  return result;
651 }
652 
653 static int DetectByteExtractTest12(void)
654 {
655  int result = 0;
656 
657  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
658  if (bed == NULL)
659  goto end;
660 
661  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
662  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
663  bed->endian != BigEndian || bed->align_value != 4 ||
664  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
665  goto end;
666  }
667 
668  result = 1;
669  end:
670  if (bed != NULL)
671  DetectByteExtractFree(NULL, bed);
672  return result;
673 }
674 
675 static int DetectByteExtractTest13(void)
676 {
677  int result = 0;
678 
679  SCDetectByteExtractData *bed =
680  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
681  if (bed == NULL)
682  goto end;
683 
684  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
685  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
686  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
687  bed->endian != BigEndian || bed->align_value != 4 ||
688  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
689  goto end;
690  }
691 
692  result = 1;
693  end:
694  if (bed != NULL)
695  DetectByteExtractFree(NULL, bed);
696  return result;
697 }
698 
699 static int DetectByteExtractTest14(void)
700 {
701  int result = 0;
702 
703  SCDetectByteExtractData *bed =
704  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
705  if (bed == NULL)
706  goto end;
707 
708  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
709  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
710  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
711  bed->endian != EndianDCE || bed->align_value != 4 ||
712  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
713  goto end;
714  }
715 
716  result = 1;
717  end:
718  if (bed != NULL)
719  DetectByteExtractFree(NULL, bed);
720  return result;
721 }
722 
723 static int DetectByteExtractTest15(void)
724 {
725  int result = 0;
726 
727  SCDetectByteExtractData *bed =
728  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
729  if (bed == NULL)
730  goto end;
731 
732  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
733  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
734  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
735  bed->endian != LittleEndian || bed->align_value != 4 ||
736  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
737  goto end;
738  }
739 
740  result = 1;
741  end:
742  if (bed != NULL)
743  DetectByteExtractFree(NULL, bed);
744  return result;
745 }
746 
747 static int DetectByteExtractTest16(void)
748 {
749  int result = 0;
750 
751  SCDetectByteExtractData *bed =
752  DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
753  if (bed == NULL)
754  goto end;
755 
756  if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
757  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
758  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
759  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
760  bed->endian != LittleEndian || bed->align_value != 4 || bed->multiplier_value != 2) {
761  goto end;
762  }
763 
764  result = 1;
765  end:
766  if (bed != NULL)
767  DetectByteExtractFree(NULL, bed);
768  return result;
769 }
770 
771 static int DetectByteExtractTest17(void)
772 {
773  int result = 0;
774 
775  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
776  "relative, little, "
777  "multiplier 2, string hex");
778  if (bed != NULL)
779  goto end;
780 
781  result = 1;
782  end:
783  if (bed != NULL)
784  DetectByteExtractFree(NULL, bed);
785  return result;
786 }
787 
788 static int DetectByteExtractTest18(void)
789 {
790  int result = 0;
791 
792  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
793  "relative, little, "
794  "multiplier 2, "
795  "relative");
796  if (bed != NULL)
797  goto end;
798 
799  result = 1;
800  end:
801  if (bed != NULL)
802  DetectByteExtractFree(NULL, bed);
803  return result;
804 }
805 
806 static int DetectByteExtractTest19(void)
807 {
808  int result = 0;
809 
810  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
811  "relative, little, "
812  "multiplier 2, "
813  "little");
814  if (bed != NULL)
815  goto end;
816 
817  result = 1;
818  end:
819  if (bed != NULL)
820  DetectByteExtractFree(NULL, bed);
821  return result;
822 }
823 
824 static int DetectByteExtractTest20(void)
825 {
826  int result = 0;
827 
828  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
829  "relative, "
830  "multiplier 2, "
831  "align 2");
832  if (bed != NULL)
833  goto end;
834 
835  result = 1;
836  end:
837  if (bed != NULL)
838  DetectByteExtractFree(NULL, bed);
839  return result;
840 }
841 
842 static int DetectByteExtractTest21(void)
843 {
844  int result = 0;
845 
846  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
847  "multiplier 2, "
848  "relative, "
849  "multiplier 2");
850  if (bed != NULL)
851  goto end;
852 
853  result = 1;
854  end:
855  if (bed != NULL)
856  DetectByteExtractFree(NULL, bed);
857  return result;
858 }
859 
860 static int DetectByteExtractTest22(void)
861 {
862  int result = 0;
863 
864  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
865  "string hex, "
866  "relative, "
867  "string hex");
868  if (bed != NULL)
869  goto end;
870 
871  result = 1;
872  end:
873  if (bed != NULL)
874  DetectByteExtractFree(NULL, bed);
875  return result;
876 }
877 
878 static int DetectByteExtractTest23(void)
879 {
880  int result = 0;
881 
882  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
883  "string hex, "
884  "relative, "
885  "string oct");
886  if (bed != NULL)
887  goto end;
888 
889  result = 1;
890  end:
891  if (bed != NULL)
892  DetectByteExtractFree(NULL, bed);
893  return result;
894 }
895 
896 static int DetectByteExtractTest24(void)
897 {
898  int result = 0;
899 
900  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
901  "string hex, "
902  "relative");
903  if (bed != NULL)
904  goto end;
905 
906  result = 1;
907  end:
908  if (bed != NULL)
909  DetectByteExtractFree(NULL, bed);
910  return result;
911 }
912 
913 static int DetectByteExtractTest25(void)
914 {
915  int result = 0;
916 
917  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
918  "little, "
919  "relative");
920  if (bed != NULL)
921  goto end;
922 
923  result = 1;
924  end:
925  if (bed != NULL)
926  DetectByteExtractFree(NULL, bed);
927  return result;
928 }
929 
930 static int DetectByteExtractTest26(void)
931 {
932  int result = 0;
933 
934  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
935  "little, "
936  "relative, "
937  "multiplier 65536");
938  if (bed != NULL)
939  goto end;
940 
941  result = 1;
942  end:
943  if (bed != NULL)
944  DetectByteExtractFree(NULL, bed);
945  return result;
946 }
947 
948 static int DetectByteExtractTest27(void)
949 {
950  int result = 0;
951 
952  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
953  "little, "
954  "relative, "
955  "multiplier 0");
956  if (bed != NULL)
957  goto end;
958 
959  result = 1;
960  end:
961  if (bed != NULL)
962  DetectByteExtractFree(NULL, bed);
963  return result;
964 }
965 
966 static int DetectByteExtractTest28(void)
967 {
968  int result = 0;
969 
970  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
971  if (bed == NULL)
972  goto end;
973 
974  result = 1;
975  end:
976  if (bed != NULL)
977  DetectByteExtractFree(NULL, bed);
978  return result;
979 }
980 
981 static int DetectByteExtractTest29(void)
982 {
983  int result = 0;
984 
985  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
986  if (bed != NULL)
987  goto end;
988 
989  result = 1;
990  end:
991  if (bed != NULL)
992  DetectByteExtractFree(NULL, bed);
993  return result;
994 }
995 
996 static int DetectByteExtractTest30(void)
997 {
998  int result = 0;
999 
1000  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1001  if (bed == NULL)
1002  goto end;
1003 
1004  result = 1;
1005  end:
1006  if (bed != NULL)
1007  DetectByteExtractFree(NULL, bed);
1008  return result;
1009 }
1010 
1011 static int DetectByteExtractTest31(void)
1012 {
1013  int result = 0;
1014 
1015  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1016  if (bed != NULL)
1017  goto end;
1018 
1019  result = 1;
1020  end:
1021  if (bed != NULL)
1022  DetectByteExtractFree(NULL, bed);
1023  return result;
1024 }
1025 
1026 static int DetectByteExtractTest32(void)
1027 {
1028  int result = 0;
1029 
1030  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1031  if (bed == NULL)
1032  goto end;
1033 
1034  result = 1;
1035  end:
1036  if (bed != NULL)
1037  DetectByteExtractFree(NULL, bed);
1038  return result;
1039 }
1040 
1041 static int DetectByteExtractTest33(void)
1042 {
1043  int result = 0;
1044 
1045  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1046  if (bed != NULL)
1047  goto end;
1048 
1049  result = 1;
1050  end:
1051  if (bed != NULL)
1052  DetectByteExtractFree(NULL, bed);
1053  return result;
1054 }
1055 
1056 static int DetectByteExtractTest34(void)
1057 {
1058  DetectEngineCtx *de_ctx = NULL;
1059  int result = 0;
1060  Signature *s = NULL;
1061  SigMatch *sm = NULL;
1062  DetectContentData *cd = NULL;
1063  SCDetectByteExtractData *bed = NULL;
1064 
1065  de_ctx = DetectEngineCtxInit();
1066  if (de_ctx == NULL)
1067  goto end;
1068 
1069  de_ctx->flags |= DE_QUIET;
1070  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1071  "(msg:\"Testing bytejump_body\"; "
1072  "content:\"one\"; "
1073  "byte_extract:4,2,two,relative,string,hex; "
1074  "sid:1;)");
1075  if (de_ctx->sig_list == NULL) {
1076  result = 0;
1077  goto end;
1078  }
1079 
1080  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1081  result = 0;
1082  goto end;
1083  }
1084 
1085  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1086  if (sm->type != DETECT_CONTENT) {
1087  result = 0;
1088  goto end;
1089  }
1090  cd = (DetectContentData *)sm->ctx;
1091  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1092  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1093  cd->flags & DETECT_CONTENT_NOCASE ||
1094  cd->flags & DETECT_CONTENT_WITHIN ||
1095  cd->flags & DETECT_CONTENT_DISTANCE ||
1096  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1097  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1098  cd->flags & DETECT_CONTENT_NEGATED ) {
1099  printf("one failed\n");
1100  result = 0;
1101  goto end;
1102  }
1103 
1104  sm = sm->next;
1105  if (sm->type != DETECT_BYTE_EXTRACT) {
1106  result = 0;
1107  goto end;
1108  }
1109  bed = (SCDetectByteExtractData *)sm->ctx;
1110  if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", cd->content_len) != 0 ||
1111  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1112  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1113  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1114  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1115  goto end;
1116  }
1117 
1118  result = 1;
1119 
1120  end:
1121  SigGroupCleanup(de_ctx);
1122  SigCleanSignatures(de_ctx);
1123  DetectEngineCtxFree(de_ctx);
1124 
1125  return result;
1126 }
1127 
1128 static int DetectByteExtractTest35(void)
1129 {
1130  DetectEngineCtx *de_ctx = NULL;
1131  int result = 0;
1132  Signature *s = NULL;
1133  SigMatch *sm = NULL;
1134  DetectContentData *cd = NULL;
1135  DetectPcreData *pd = NULL;
1136  SCDetectByteExtractData *bed = NULL;
1137 
1138  de_ctx = DetectEngineCtxInit();
1139  if (de_ctx == NULL)
1140  goto end;
1141 
1142  de_ctx->flags |= DE_QUIET;
1143  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1144  "(msg:\"Testing bytejump_body\"; "
1145  "content:\"one\"; pcre:/asf/; "
1146  "byte_extract:4,0,two,relative,string,hex; "
1147  "sid:1;)");
1148  if (de_ctx->sig_list == NULL) {
1149  result = 0;
1150  goto end;
1151  }
1152 
1153  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1154  result = 0;
1155  goto end;
1156  }
1157 
1158  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1159  if (sm->type != DETECT_CONTENT) {
1160  result = 0;
1161  goto end;
1162  }
1163  cd = (DetectContentData *)sm->ctx;
1164  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1165  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1166  cd->flags & DETECT_CONTENT_NOCASE ||
1167  cd->flags & DETECT_CONTENT_WITHIN ||
1168  cd->flags & DETECT_CONTENT_DISTANCE ||
1169  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1170  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1171  cd->flags & DETECT_CONTENT_NEGATED ) {
1172  printf("one failed\n");
1173  result = 0;
1174  goto end;
1175  }
1176 
1177  sm = sm->next;
1178  if (sm->type != DETECT_PCRE) {
1179  result = 0;
1180  goto end;
1181  }
1182  pd = (DetectPcreData *)sm->ctx;
1183  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1184  result = 0;
1185  goto end;
1186  }
1187 
1188  sm = sm->next;
1189  if (sm->type != DETECT_BYTE_EXTRACT) {
1190  result = 0;
1191  goto end;
1192  }
1193  bed = (SCDetectByteExtractData *)sm->ctx;
1194  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1195  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1196  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1197  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1198  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1199  goto end;
1200  }
1201 
1202  result = 1;
1203 
1204  end:
1205  SigGroupCleanup(de_ctx);
1206  SigCleanSignatures(de_ctx);
1207  DetectEngineCtxFree(de_ctx);
1208 
1209  return result;
1210 }
1211 
1212 static int DetectByteExtractTest36(void)
1213 {
1214  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1215  FAIL_IF_NULL(de_ctx);
1216  de_ctx->flags |= DE_QUIET;
1217 
1218  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
1219  "content:\"one\"; byte_jump:1,13; "
1220  "byte_extract:4,0,two,relative,string,hex; "
1221  "sid:1;)");
1222  FAIL_IF_NULL(s);
1223  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
1224 
1225  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1226  FAIL_IF(sm->type != DETECT_CONTENT);
1227  DetectContentData *cd = (DetectContentData *)sm->ctx;
1228  FAIL_IF(cd->flags & DETECT_CONTENT_RAWBYTES);
1229  FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
1230  FAIL_IF(cd->flags & DETECT_CONTENT_NOCASE);
1231  FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
1232  FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
1233  FAIL_IF(cd->flags & DETECT_CONTENT_FAST_PATTERN);
1234  FAIL_IF(cd->flags & DETECT_CONTENT_RELATIVE_NEXT);
1235  FAIL_IF(cd->flags & DETECT_CONTENT_NEGATED);
1236 
1237  sm = sm->next;
1238  FAIL_IF(sm->type != DETECT_BYTEJUMP);
1239  DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
1240  FAIL_IF(bjd->flags != 0);
1241  sm = sm->next;
1242  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
1243  SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
1244  FAIL_IF(bed->nbytes != 4);
1245  FAIL_IF(bed->offset != 0);
1246  FAIL_IF(strcmp(bed->name, "two") != 0);
1247  FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1248  DETECT_BYTE_EXTRACT_FLAG_STRING));
1249  FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
1250  FAIL_IF(bed->align_value != 0);
1251  FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
1252 
1253  DetectEngineCtxFree(de_ctx);
1254  PASS;
1255 }
1256 
1257 static int DetectByteExtractTest37(void)
1258 {
1259  DetectEngineCtx *de_ctx = NULL;
1260  int result = 0;
1261  Signature *s = NULL;
1262  SigMatch *sm = NULL;
1263  DetectContentData *cd = NULL;
1264  DetectContentData *ud = NULL;
1265  SCDetectByteExtractData *bed = NULL;
1266 
1267  de_ctx = DetectEngineCtxInit();
1268  if (de_ctx == NULL)
1269  goto end;
1270 
1271  de_ctx->flags |= DE_QUIET;
1272  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1273  "(msg:\"Testing bytejump_body\"; "
1274  "content:\"one\"; uricontent:\"two\"; "
1275  "byte_extract:4,0,two,relative,string,hex; "
1276  "sid:1;)");
1277  if (de_ctx->sig_list == NULL) {
1278  result = 0;
1279  goto end;
1280  }
1281 
1282  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1283  result = 0;
1284  goto end;
1285  }
1286 
1287  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1288  if (sm->type != DETECT_CONTENT) {
1289  result = 0;
1290  goto end;
1291  }
1292  cd = (DetectContentData *)sm->ctx;
1293  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1294  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1295  cd->flags & DETECT_CONTENT_NOCASE ||
1296  cd->flags & DETECT_CONTENT_WITHIN ||
1297  cd->flags & DETECT_CONTENT_DISTANCE ||
1298  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1299  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1300  cd->flags & DETECT_CONTENT_NEGATED ) {
1301  printf("one failed\n");
1302  result = 0;
1303  goto end;
1304  }
1305 
1306  if (sm->next != NULL) {
1307  result = 0;
1308  goto end;
1309  }
1310 
1311  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1312  if (sm->type != DETECT_CONTENT) {
1313  result = 0;
1314  goto end;
1315  }
1316  ud = (DetectContentData *)sm->ctx;
1317  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1318  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1319  ud->flags & DETECT_CONTENT_NOCASE ||
1320  ud->flags & DETECT_CONTENT_WITHIN ||
1321  ud->flags & DETECT_CONTENT_DISTANCE ||
1322  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1323  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1324  ud->flags & DETECT_CONTENT_NEGATED ) {
1325  printf("two failed\n");
1326  result = 0;
1327  goto end;
1328  }
1329 
1330  sm = sm->next;
1331  if (sm->type != DETECT_BYTE_EXTRACT) {
1332  result = 0;
1333  goto end;
1334  }
1335  bed = (SCDetectByteExtractData *)sm->ctx;
1336  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1337  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1338  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1339  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1340  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1341  goto end;
1342  }
1343 
1344  result = 1;
1345 
1346  end:
1347  SigGroupCleanup(de_ctx);
1348  SigCleanSignatures(de_ctx);
1349  DetectEngineCtxFree(de_ctx);
1350 
1351  return result;
1352 }
1353 
1354 static int DetectByteExtractTest38(void)
1355 {
1356  DetectEngineCtx *de_ctx = NULL;
1357  int result = 0;
1358  Signature *s = NULL;
1359  SigMatch *sm = NULL;
1360  DetectContentData *cd = NULL;
1361  DetectContentData *ud = NULL;
1362  SCDetectByteExtractData *bed = NULL;
1363 
1364  de_ctx = DetectEngineCtxInit();
1365  if (de_ctx == NULL)
1366  goto end;
1367 
1368  de_ctx->flags |= DE_QUIET;
1369  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1370  "(msg:\"Testing bytejump_body\"; "
1371  "content:\"one\"; uricontent:\"two\"; "
1372  "byte_extract:4,0,two,string,hex; "
1373  "sid:1;)");
1374  if (de_ctx->sig_list == NULL) {
1375  result = 0;
1376  goto end;
1377  }
1378 
1379  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1380  result = 0;
1381  goto end;
1382  }
1383 
1384  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1385  if (sm->type != DETECT_CONTENT) {
1386  result = 0;
1387  goto end;
1388  }
1389  cd = (DetectContentData *)sm->ctx;
1390  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1391  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1392  cd->flags & DETECT_CONTENT_NOCASE ||
1393  cd->flags & DETECT_CONTENT_WITHIN ||
1394  cd->flags & DETECT_CONTENT_DISTANCE ||
1395  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1396  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1397  cd->flags & DETECT_CONTENT_NEGATED ) {
1398  printf("one failed\n");
1399  result = 0;
1400  goto end;
1401  }
1402 
1403  sm = sm->next;
1404  if (sm->type != DETECT_BYTE_EXTRACT) {
1405  result = 0;
1406  goto end;
1407  }
1408  bed = (SCDetectByteExtractData *)sm->ctx;
1409  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1410  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1411  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1412  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1413  goto end;
1414  }
1415 
1416  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1417  if (sm->type != DETECT_CONTENT) {
1418  result = 0;
1419  goto end;
1420  }
1421  ud = (DetectContentData *)sm->ctx;
1422  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1423  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1424  ud->flags & DETECT_CONTENT_NOCASE ||
1425  ud->flags & DETECT_CONTENT_WITHIN ||
1426  ud->flags & DETECT_CONTENT_DISTANCE ||
1427  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1428  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1429  ud->flags & DETECT_CONTENT_NEGATED ) {
1430  printf("two failed\n");
1431  result = 0;
1432  goto end;
1433  }
1434 
1435  if (sm->next != NULL) {
1436  result = 0;
1437  goto end;
1438  }
1439 
1440  result = 1;
1441 
1442  end:
1443  SigGroupCleanup(de_ctx);
1444  SigCleanSignatures(de_ctx);
1445  DetectEngineCtxFree(de_ctx);
1446 
1447  return result;
1448 }
1449 
1450 static int DetectByteExtractTest39(void)
1451 {
1452  DetectEngineCtx *de_ctx = NULL;
1453  int result = 0;
1454  Signature *s = NULL;
1455  SigMatch *sm = NULL;
1456  DetectContentData *cd = NULL;
1457  DetectContentData *ud = NULL;
1458  SCDetectByteExtractData *bed = NULL;
1459 
1460  de_ctx = DetectEngineCtxInit();
1461  if (de_ctx == NULL)
1462  goto end;
1463 
1464  de_ctx->flags |= DE_QUIET;
1465  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1466  "(msg:\"Testing bytejump_body\"; "
1467  "content:\"one\"; content:\"two\"; http_uri; "
1468  "byte_extract:4,0,two,relative,string,hex; "
1469  "sid:1;)");
1470  if (de_ctx->sig_list == NULL) {
1471  result = 0;
1472  goto end;
1473  }
1474 
1475  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1476  result = 0;
1477  goto end;
1478  }
1479 
1480  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1481  if (sm->type != DETECT_CONTENT) {
1482  result = 0;
1483  goto end;
1484  }
1485  cd = (DetectContentData *)sm->ctx;
1486  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1487  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1488  cd->flags & DETECT_CONTENT_NOCASE ||
1489  cd->flags & DETECT_CONTENT_WITHIN ||
1490  cd->flags & DETECT_CONTENT_DISTANCE ||
1491  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1492  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1493  cd->flags & DETECT_CONTENT_NEGATED ) {
1494  printf("one failed\n");
1495  result = 0;
1496  goto end;
1497  }
1498 
1499  if (sm->next != NULL) {
1500  result = 0;
1501  goto end;
1502  }
1503 
1504  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1505  if (sm->type != DETECT_CONTENT) {
1506  result = 0;
1507  goto end;
1508  }
1509  ud = (DetectContentData *)sm->ctx;
1510  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1511  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1512  ud->flags & DETECT_CONTENT_NOCASE ||
1513  ud->flags & DETECT_CONTENT_WITHIN ||
1514  ud->flags & DETECT_CONTENT_DISTANCE ||
1515  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1516  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1517  ud->flags & DETECT_CONTENT_NEGATED ) {
1518  printf("two failed\n");
1519  result = 0;
1520  goto end;
1521  }
1522 
1523  sm = sm->next;
1524  if (sm->type != DETECT_BYTE_EXTRACT) {
1525  result = 0;
1526  goto end;
1527  }
1528  bed = (SCDetectByteExtractData *)sm->ctx;
1529  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1530  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1531  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1532  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1533  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1534  goto end;
1535  }
1536 
1537  result = 1;
1538 
1539  end:
1540  SigGroupCleanup(de_ctx);
1541  SigCleanSignatures(de_ctx);
1542  DetectEngineCtxFree(de_ctx);
1543 
1544  return result;
1545 }
1546 
1547 static int DetectByteExtractTest40(void)
1548 {
1549  DetectEngineCtx *de_ctx = NULL;
1550  int result = 0;
1551  Signature *s = NULL;
1552  SigMatch *sm = NULL;
1553  DetectContentData *cd = NULL;
1554  DetectContentData *ud = NULL;
1555  SCDetectByteExtractData *bed = NULL;
1556 
1557  de_ctx = DetectEngineCtxInit();
1558  if (de_ctx == NULL)
1559  goto end;
1560 
1561  de_ctx->flags |= DE_QUIET;
1562  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1563  "(msg:\"Testing bytejump_body\"; "
1564  "content:\"one\"; content:\"two\"; http_uri; "
1565  "byte_extract:4,0,two,string,hex; "
1566  "sid:1;)");
1567  if (de_ctx->sig_list == NULL) {
1568  result = 0;
1569  goto end;
1570  }
1571 
1572  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1573  result = 0;
1574  goto end;
1575  }
1576 
1577  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1578  if (sm->type != DETECT_CONTENT) {
1579  result = 0;
1580  goto end;
1581  }
1582  cd = (DetectContentData *)sm->ctx;
1583  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1584  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1585  cd->flags & DETECT_CONTENT_NOCASE ||
1586  cd->flags & DETECT_CONTENT_WITHIN ||
1587  cd->flags & DETECT_CONTENT_DISTANCE ||
1588  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1589  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1590  cd->flags & DETECT_CONTENT_NEGATED ) {
1591  printf("one failed\n");
1592  result = 0;
1593  goto end;
1594  }
1595 
1596  sm = sm->next;
1597  if (sm->type != DETECT_BYTE_EXTRACT) {
1598  result = 0;
1599  goto end;
1600  }
1601  bed = (SCDetectByteExtractData *)sm->ctx;
1602  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1603  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1604  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1605  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1606  goto end;
1607  }
1608 
1609  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1610  if (sm->type != DETECT_CONTENT) {
1611  result = 0;
1612  goto end;
1613  }
1614  ud = (DetectContentData *)sm->ctx;
1615  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1616  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1617  ud->flags & DETECT_CONTENT_NOCASE ||
1618  ud->flags & DETECT_CONTENT_WITHIN ||
1619  ud->flags & DETECT_CONTENT_DISTANCE ||
1620  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1621  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1622  ud->flags & DETECT_CONTENT_NEGATED ) {
1623  printf("two failed\n");
1624  result = 0;
1625  goto end;
1626  }
1627 
1628  if (sm->next != NULL) {
1629  result = 0;
1630  goto end;
1631  }
1632 
1633  result = 1;
1634 
1635  end:
1636  SigGroupCleanup(de_ctx);
1637  SigCleanSignatures(de_ctx);
1638  DetectEngineCtxFree(de_ctx);
1639 
1640  return result;
1641 }
1642 
1643 static int DetectByteExtractTest41(void)
1644 {
1645  DetectEngineCtx *de_ctx = NULL;
1646  int result = 0;
1647  Signature *s = NULL;
1648  SigMatch *sm = NULL;
1649  DetectContentData *cd = NULL;
1650  SCDetectByteExtractData *bed = NULL;
1651 
1652  de_ctx = DetectEngineCtxInit();
1653  if (de_ctx == NULL)
1654  goto end;
1655 
1656  de_ctx->flags |= DE_QUIET;
1657  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1658  "(msg:\"Testing bytejump_body\"; "
1659  "content:\"one\"; "
1660  "byte_extract:4,0,two,string,hex; "
1661  "byte_extract:4,0,three,string,hex; "
1662  "sid:1;)");
1663  if (de_ctx->sig_list == NULL) {
1664  result = 0;
1665  goto end;
1666  }
1667 
1668  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1669  result = 0;
1670  goto end;
1671  }
1672 
1673  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1674  if (sm->type != DETECT_CONTENT) {
1675  result = 0;
1676  goto end;
1677  }
1678  cd = (DetectContentData *)sm->ctx;
1679  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1680  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1681  cd->flags & DETECT_CONTENT_NOCASE ||
1682  cd->flags & DETECT_CONTENT_WITHIN ||
1683  cd->flags & DETECT_CONTENT_DISTANCE ||
1684  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1685  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1686  cd->flags & DETECT_CONTENT_NEGATED ) {
1687  printf("one failed\n");
1688  result = 0;
1689  goto end;
1690  }
1691 
1692  sm = sm->next;
1693  if (sm->type != DETECT_BYTE_EXTRACT) {
1694  result = 0;
1695  goto end;
1696  }
1697  bed = (SCDetectByteExtractData *)sm->ctx;
1698  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1699  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1700  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1701  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1702  goto end;
1703  }
1704  if (bed->local_id != 0) {
1705  result = 0;
1706  goto end;
1707  }
1708 
1709  sm = sm->next;
1710  if (sm->type != DETECT_BYTE_EXTRACT) {
1711  result = 0;
1712  goto end;
1713  }
1714  bed = (SCDetectByteExtractData *)sm->ctx;
1715  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "three") != 0 ||
1716  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1717  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1718  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1719  goto end;
1720  }
1721  if (bed->local_id != 1) {
1722  result = 0;
1723  goto end;
1724  }
1725 
1726  result = 1;
1727 
1728  end:
1729  SigGroupCleanup(de_ctx);
1730  SigCleanSignatures(de_ctx);
1731  DetectEngineCtxFree(de_ctx);
1732 
1733  return result;
1734 }
1735 
1736 static int DetectByteExtractTest42(void)
1737 {
1738  DetectEngineCtx *de_ctx = NULL;
1739  int result = 0;
1740  Signature *s = NULL;
1741  SigMatch *sm = NULL;
1742  DetectContentData *cd = NULL;
1743  DetectContentData *ud = NULL;
1744  SCDetectByteExtractData *bed = NULL;
1745 
1746  de_ctx = DetectEngineCtxInit();
1747  if (de_ctx == NULL)
1748  goto end;
1749 
1750  de_ctx->flags |= DE_QUIET;
1751  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1752  "(msg:\"Testing bytejump_body\"; "
1753  "content:\"one\"; "
1754  "byte_extract:4,0,two,string,hex; "
1755  "uricontent: \"three\"; "
1756  "byte_extract:4,0,four,string,hex,relative; "
1757  "byte_extract:4,0,five,string,hex; "
1758  "sid:1;)");
1759  if (de_ctx->sig_list == NULL) {
1760  result = 0;
1761  goto end;
1762  }
1763 
1764  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1765  result = 0;
1766  goto end;
1767  }
1768 
1769  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1770  if (sm->type != DETECT_CONTENT) {
1771  result = 0;
1772  goto end;
1773  }
1774  cd = (DetectContentData *)sm->ctx;
1775  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1776  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1777  cd->flags & DETECT_CONTENT_NOCASE ||
1778  cd->flags & DETECT_CONTENT_WITHIN ||
1779  cd->flags & DETECT_CONTENT_DISTANCE ||
1780  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1781  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1782  cd->flags & DETECT_CONTENT_NEGATED ) {
1783  printf("one failed\n");
1784  result = 0;
1785  goto end;
1786  }
1787 
1788  sm = sm->next;
1789  if (sm->type != DETECT_BYTE_EXTRACT) {
1790  result = 0;
1791  goto end;
1792  }
1793  bed = (SCDetectByteExtractData *)sm->ctx;
1794  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1795  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1796  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1797  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1798  goto end;
1799  }
1800  if (bed->local_id != 0) {
1801  result = 0;
1802  goto end;
1803  }
1804 
1805  sm = sm->next;
1806  if (sm->type != DETECT_BYTE_EXTRACT) {
1807  result = 0;
1808  goto end;
1809  }
1810  bed = (SCDetectByteExtractData *)sm->ctx;
1811  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "five") != 0 ||
1812  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1813  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1814  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1815  goto end;
1816  }
1817  if (bed->local_id != 1) {
1818  result = 0;
1819  goto end;
1820  }
1821 
1822  if (sm->next != NULL)
1823  goto end;
1824 
1825  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1826  if (sm->type != DETECT_CONTENT) {
1827  result = 0;
1828  goto end;
1829  }
1830  ud = (DetectContentData *)sm->ctx;
1831  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1832  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
1833  ud->flags & DETECT_CONTENT_NOCASE ||
1834  ud->flags & DETECT_CONTENT_WITHIN ||
1835  ud->flags & DETECT_CONTENT_DISTANCE ||
1836  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1837  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1838  ud->flags & DETECT_CONTENT_NEGATED ) {
1839  printf("two failed\n");
1840  result = 0;
1841  goto end;
1842  }
1843 
1844  sm = sm->next;
1845  if (sm->type != DETECT_BYTE_EXTRACT) {
1846  result = 0;
1847  goto end;
1848  }
1849  bed = (SCDetectByteExtractData *)sm->ctx;
1850  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "four") != 0 ||
1851  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1852  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1853  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1854  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1855  goto end;
1856  }
1857  if (bed->local_id != 0) {
1858  result = 0;
1859  goto end;
1860  }
1861 
1862  if (sm->next != NULL)
1863  goto end;
1864 
1865  result = 1;
1866 
1867  end:
1868  SigGroupCleanup(de_ctx);
1869  SigCleanSignatures(de_ctx);
1870  DetectEngineCtxFree(de_ctx);
1871 
1872  return result;
1873 }
1874 
1875 static int DetectByteExtractTest43(void)
1876 {
1877  DetectEngineCtx *de_ctx = NULL;
1878  int result = 0;
1879  Signature *s = NULL;
1880  SigMatch *sm = NULL;
1881  DetectContentData *cd = NULL;
1882  SCDetectByteExtractData *bed = NULL;
1883 
1884  de_ctx = DetectEngineCtxInit();
1885  if (de_ctx == NULL)
1886  goto end;
1887 
1888  de_ctx->flags |= DE_QUIET;
1889  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1890  "(msg:\"Testing bytejump_body\"; "
1891  "content:\"one\"; "
1892  "byte_extract:4,0,two,string,hex; "
1893  "content: \"three\"; offset:two; "
1894  "sid:1;)");
1895  if (de_ctx->sig_list == NULL) {
1896  result = 0;
1897  goto end;
1898  }
1899 
1900  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1901  result = 0;
1902  goto end;
1903  }
1904 
1905  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1906  if (sm->type != DETECT_CONTENT) {
1907  result = 0;
1908  goto end;
1909  }
1910  cd = (DetectContentData *)sm->ctx;
1911  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1912  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1913  cd->flags & DETECT_CONTENT_NOCASE ||
1914  cd->flags & DETECT_CONTENT_WITHIN ||
1915  cd->flags & DETECT_CONTENT_DISTANCE ||
1916  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1917  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1918  cd->flags & DETECT_CONTENT_NEGATED ) {
1919  printf("one failed\n");
1920  result = 0;
1921  goto end;
1922  }
1923 
1924  sm = sm->next;
1925  if (sm->type != DETECT_BYTE_EXTRACT) {
1926  result = 0;
1927  goto end;
1928  }
1929  bed = (SCDetectByteExtractData *)sm->ctx;
1930  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1931  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1932  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1933  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1934  goto end;
1935  }
1936  if (bed->local_id != 0) {
1937  result = 0;
1938  goto end;
1939  }
1940 
1941  sm = sm->next;
1942  if (sm->type != DETECT_CONTENT) {
1943  result = 0;
1944  goto end;
1945  }
1946  cd = (DetectContentData *)sm->ctx;
1947  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
1948  cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET | DETECT_CONTENT_MPM) ||
1949  cd->offset != bed->local_id) {
1950  printf("three failed\n");
1951  result = 0;
1952  goto end;
1953  }
1954 
1955  if (sm->next != NULL)
1956  goto end;
1957 
1958  result = 1;
1959 
1960  end:
1961  SigGroupCleanup(de_ctx);
1962  SigCleanSignatures(de_ctx);
1963  DetectEngineCtxFree(de_ctx);
1964 
1965  return result;
1966 }
1967 
1968 static int DetectByteExtractTest44(void)
1969 {
1970  DetectEngineCtx *de_ctx = NULL;
1971  int result = 0;
1972  Signature *s = NULL;
1973  SigMatch *sm = NULL;
1974  DetectContentData *cd = NULL;
1975  SCDetectByteExtractData *bed1 = NULL;
1976  SCDetectByteExtractData *bed2 = NULL;
1977 
1978  de_ctx = DetectEngineCtxInit();
1979  if (de_ctx == NULL)
1980  goto end;
1981 
1982  de_ctx->flags |= DE_QUIET;
1983  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1984  "(msg:\"Testing bytejump_body\"; "
1985  "content:\"one\"; "
1986  "byte_extract:4,0,two,string,hex; "
1987  "byte_extract:4,0,three,string,hex; "
1988  "content: \"four\"; offset:two; "
1989  "content: \"five\"; offset:three; "
1990  "sid:1;)");
1991  if (de_ctx->sig_list == NULL) {
1992  result = 0;
1993  goto end;
1994  }
1995 
1996  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1997  result = 0;
1998  goto end;
1999  }
2000 
2001  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2002  if (sm->type != DETECT_CONTENT) {
2003  result = 0;
2004  goto end;
2005  }
2006  cd = (DetectContentData *)sm->ctx;
2007  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2008  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2009  cd->flags & DETECT_CONTENT_NOCASE ||
2010  cd->flags & DETECT_CONTENT_WITHIN ||
2011  cd->flags & DETECT_CONTENT_DISTANCE ||
2012  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2013  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2014  cd->flags & DETECT_CONTENT_NEGATED ) {
2015  printf("one failed\n");
2016  result = 0;
2017  goto end;
2018  }
2019 
2020  sm = sm->next;
2021  if (sm->type != DETECT_BYTE_EXTRACT) {
2022  result = 0;
2023  goto end;
2024  }
2025  bed1 = (SCDetectByteExtractData *)sm->ctx;
2026  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2027  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2028  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2029  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2030  goto end;
2031  }
2032  if (bed1->local_id != 0) {
2033  result = 0;
2034  goto end;
2035  }
2036 
2037  sm = sm->next;
2038  if (sm->type != DETECT_BYTE_EXTRACT) {
2039  result = 0;
2040  goto end;
2041  }
2042  bed2 = (SCDetectByteExtractData *)sm->ctx;
2043 
2044  sm = sm->next;
2045  if (sm->type != DETECT_CONTENT) {
2046  result = 0;
2047  goto end;
2048  }
2049  cd = (DetectContentData *)sm->ctx;
2050  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2051  cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET | DETECT_CONTENT_MPM) ||
2052  cd->offset != bed1->local_id) {
2053  printf("four failed\n");
2054  result = 0;
2055  goto end;
2056  }
2057 
2058  sm = sm->next;
2059  if (sm->type != DETECT_CONTENT) {
2060  result = 0;
2061  goto end;
2062  }
2063  cd = (DetectContentData *)sm->ctx;
2064  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2065  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2066  DETECT_CONTENT_OFFSET) ||
2067  cd->offset != bed2->local_id) {
2068  printf("five failed\n");
2069  result = 0;
2070  goto end;
2071  }
2072 
2073  if (sm->next != NULL)
2074  goto end;
2075 
2076  result = 1;
2077 
2078  end:
2079  SigGroupCleanup(de_ctx);
2080  SigCleanSignatures(de_ctx);
2081  DetectEngineCtxFree(de_ctx);
2082 
2083  return result;
2084 }
2085 
2086 static int DetectByteExtractTest45(void)
2087 {
2088  DetectEngineCtx *de_ctx = NULL;
2089  int result = 0;
2090  Signature *s = NULL;
2091  SigMatch *sm = NULL;
2092  DetectContentData *cd = NULL;
2093  SCDetectByteExtractData *bed = NULL;
2094 
2095  de_ctx = DetectEngineCtxInit();
2096  if (de_ctx == NULL)
2097  goto end;
2098 
2099  de_ctx->flags |= DE_QUIET;
2100  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2101  "(msg:\"Testing bytejump_body\"; "
2102  "content:\"one\"; "
2103  "byte_extract:4,0,two,string,hex; "
2104  "content: \"three\"; depth:two; "
2105  "sid:1;)");
2106  if (de_ctx->sig_list == NULL) {
2107  result = 0;
2108  goto end;
2109  }
2110 
2111  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2112  result = 0;
2113  goto end;
2114  }
2115 
2116  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2117  if (sm->type != DETECT_CONTENT) {
2118  result = 0;
2119  goto end;
2120  }
2121  cd = (DetectContentData *)sm->ctx;
2122  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2123  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2124  cd->flags & DETECT_CONTENT_NOCASE ||
2125  cd->flags & DETECT_CONTENT_WITHIN ||
2126  cd->flags & DETECT_CONTENT_DISTANCE ||
2127  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2128  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2129  cd->flags & DETECT_CONTENT_NEGATED ) {
2130  printf("one failed\n");
2131  result = 0;
2132  goto end;
2133  }
2134 
2135  sm = sm->next;
2136  if (sm->type != DETECT_BYTE_EXTRACT) {
2137  result = 0;
2138  goto end;
2139  }
2140  bed = (SCDetectByteExtractData *)sm->ctx;
2141  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2142  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2143  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2144  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2145  goto end;
2146  }
2147  if (bed->local_id != 0) {
2148  result = 0;
2149  goto end;
2150  }
2151 
2152  sm = sm->next;
2153  if (sm->type != DETECT_CONTENT) {
2154  result = 0;
2155  goto end;
2156  }
2157  cd = (DetectContentData *)sm->ctx;
2158  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2159  cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH | DETECT_CONTENT_MPM) ||
2160  cd->depth != bed->local_id || cd->offset != 0) {
2161  printf("three failed\n");
2162  result = 0;
2163  goto end;
2164  }
2165 
2166  if (sm->next != NULL)
2167  goto end;
2168 
2169  result = 1;
2170 
2171  end:
2172  SigGroupCleanup(de_ctx);
2173  SigCleanSignatures(de_ctx);
2174  DetectEngineCtxFree(de_ctx);
2175 
2176  return result;
2177 }
2178 
2179 static int DetectByteExtractTest46(void)
2180 {
2181  DetectEngineCtx *de_ctx = NULL;
2182  int result = 0;
2183  Signature *s = NULL;
2184  SigMatch *sm = NULL;
2185  DetectContentData *cd = NULL;
2186  SCDetectByteExtractData *bed1 = NULL;
2187  SCDetectByteExtractData *bed2 = NULL;
2188 
2189  de_ctx = DetectEngineCtxInit();
2190  if (de_ctx == NULL)
2191  goto end;
2192 
2193  de_ctx->flags |= DE_QUIET;
2194  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2195  "(msg:\"Testing bytejump_body\"; "
2196  "content:\"one\"; "
2197  "byte_extract:4,0,two,string,hex; "
2198  "byte_extract:4,0,three,string,hex; "
2199  "content: \"four\"; depth:two; "
2200  "content: \"five\"; depth:three; "
2201  "sid:1;)");
2202  if (de_ctx->sig_list == NULL) {
2203  result = 0;
2204  goto end;
2205  }
2206 
2207  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2208  result = 0;
2209  goto end;
2210  }
2211 
2212  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2213  if (sm->type != DETECT_CONTENT) {
2214  result = 0;
2215  goto end;
2216  }
2217  cd = (DetectContentData *)sm->ctx;
2218  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2219  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2220  cd->flags & DETECT_CONTENT_NOCASE ||
2221  cd->flags & DETECT_CONTENT_WITHIN ||
2222  cd->flags & DETECT_CONTENT_DISTANCE ||
2223  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2224  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2225  cd->flags & DETECT_CONTENT_NEGATED ) {
2226  printf("one failed\n");
2227  result = 0;
2228  goto end;
2229  }
2230 
2231  sm = sm->next;
2232  if (sm->type != DETECT_BYTE_EXTRACT) {
2233  result = 0;
2234  goto end;
2235  }
2236  bed1 = (SCDetectByteExtractData *)sm->ctx;
2237  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2238  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2239  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2240  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2241  goto end;
2242  }
2243  if (bed1->local_id != 0) {
2244  result = 0;
2245  goto end;
2246  }
2247 
2248  sm = sm->next;
2249  if (sm->type != DETECT_BYTE_EXTRACT) {
2250  result = 0;
2251  goto end;
2252  }
2253  bed2 = (SCDetectByteExtractData *)sm->ctx;
2254 
2255  sm = sm->next;
2256  if (sm->type != DETECT_CONTENT) {
2257  result = 0;
2258  goto end;
2259  }
2260  cd = (DetectContentData *)sm->ctx;
2261  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2262  cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH | DETECT_CONTENT_MPM) ||
2263  cd->depth != bed1->local_id) {
2264  printf("four failed\n");
2265  result = 0;
2266  goto end;
2267  }
2268 
2269  sm = sm->next;
2270  if (sm->type != DETECT_CONTENT) {
2271  result = 0;
2272  goto end;
2273  }
2274  cd = (DetectContentData *)sm->ctx;
2275  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2276  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2277  DETECT_CONTENT_DEPTH) ||
2278  cd->depth != bed2->local_id) {
2279  printf("five failed\n");
2280  result = 0;
2281  goto end;
2282  }
2283 
2284  if (sm->next != NULL)
2285  goto end;
2286 
2287  result = 1;
2288 
2289  end:
2290  SigGroupCleanup(de_ctx);
2291  SigCleanSignatures(de_ctx);
2292  DetectEngineCtxFree(de_ctx);
2293 
2294  return result;
2295 }
2296 
2297 static int DetectByteExtractTest47(void)
2298 {
2299  DetectEngineCtx *de_ctx = NULL;
2300  int result = 0;
2301  Signature *s = NULL;
2302  SigMatch *sm = NULL;
2303  DetectContentData *cd = NULL;
2304  SCDetectByteExtractData *bed = NULL;
2305 
2306  de_ctx = DetectEngineCtxInit();
2307  if (de_ctx == NULL)
2308  goto end;
2309 
2310  de_ctx->flags |= DE_QUIET;
2311  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2312  "(msg:\"Testing bytejump_body\"; "
2313  "content:\"one\"; "
2314  "byte_extract:4,0,two,string,hex; "
2315  "content: \"three\"; distance:two; "
2316  "sid:1;)");
2317  if (de_ctx->sig_list == NULL) {
2318  result = 0;
2319  goto end;
2320  }
2321 
2322  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2323  result = 0;
2324  goto end;
2325  }
2326 
2327  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2328  if (sm->type != DETECT_CONTENT) {
2329  result = 0;
2330  goto end;
2331  }
2332  cd = (DetectContentData *)sm->ctx;
2333  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2334  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2335  cd->flags & DETECT_CONTENT_NOCASE ||
2336  cd->flags & DETECT_CONTENT_WITHIN ||
2337  cd->flags & DETECT_CONTENT_DISTANCE ||
2338  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2339  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2340  cd->flags & DETECT_CONTENT_NEGATED ) {
2341  printf("one failed\n");
2342  result = 0;
2343  goto end;
2344  }
2345 
2346  sm = sm->next;
2347  if (sm->type != DETECT_BYTE_EXTRACT) {
2348  result = 0;
2349  goto end;
2350  }
2351  bed = (SCDetectByteExtractData *)sm->ctx;
2352  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2353  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2354  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2355  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2356  goto end;
2357  }
2358  if (bed->local_id != 0) {
2359  result = 0;
2360  goto end;
2361  }
2362 
2363  sm = sm->next;
2364  if (sm->type != DETECT_CONTENT) {
2365  result = 0;
2366  goto end;
2367  }
2368  cd = (DetectContentData *)sm->ctx;
2369  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2370  cd->flags !=
2371  (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE | DETECT_CONTENT_MPM) ||
2372  cd->distance != bed->local_id || cd->offset != 0 || cd->depth != 0) {
2373  printf("three failed\n");
2374  result = 0;
2375  goto end;
2376  }
2377 
2378  if (sm->next != NULL)
2379  goto end;
2380 
2381  result = 1;
2382 
2383  end:
2384  SigGroupCleanup(de_ctx);
2385  SigCleanSignatures(de_ctx);
2386  DetectEngineCtxFree(de_ctx);
2387 
2388  return result;
2389 }
2390 
2391 static int DetectByteExtractTest48(void)
2392 {
2393  DetectEngineCtx *de_ctx = NULL;
2394  int result = 0;
2395  Signature *s = NULL;
2396  SigMatch *sm = NULL;
2397  DetectContentData *cd = NULL;
2398  SCDetectByteExtractData *bed1 = NULL;
2399  SCDetectByteExtractData *bed2 = NULL;
2400 
2401  de_ctx = DetectEngineCtxInit();
2402  if (de_ctx == NULL)
2403  goto end;
2404 
2405  de_ctx->flags |= DE_QUIET;
2406  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2407  "(msg:\"Testing bytejump_body\"; "
2408  "content:\"one\"; "
2409  "byte_extract:4,0,two,string,hex; "
2410  "byte_extract:4,0,three,string,hex; "
2411  "content: \"four\"; distance:two; "
2412  "content: \"five\"; distance:three; "
2413  "sid:1;)");
2414  if (de_ctx->sig_list == NULL) {
2415  result = 0;
2416  goto end;
2417  }
2418 
2419  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2420  result = 0;
2421  goto end;
2422  }
2423 
2424  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2425  if (sm->type != DETECT_CONTENT) {
2426  result = 0;
2427  goto end;
2428  }
2429  cd = (DetectContentData *)sm->ctx;
2430  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2431  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2432  cd->flags & DETECT_CONTENT_NOCASE ||
2433  cd->flags & DETECT_CONTENT_WITHIN ||
2434  cd->flags & DETECT_CONTENT_DISTANCE ||
2435  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2436  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2437  cd->flags & DETECT_CONTENT_NEGATED ) {
2438  printf("one failed\n");
2439  result = 0;
2440  goto end;
2441  }
2442 
2443  sm = sm->next;
2444  if (sm->type != DETECT_BYTE_EXTRACT) {
2445  result = 0;
2446  goto end;
2447  }
2448  bed1 = (SCDetectByteExtractData *)sm->ctx;
2449  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2450  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2451  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2452  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2453  goto end;
2454  }
2455  if (bed1->local_id != 0) {
2456  result = 0;
2457  goto end;
2458  }
2459 
2460  sm = sm->next;
2461  if (sm->type != DETECT_BYTE_EXTRACT) {
2462  result = 0;
2463  goto end;
2464  }
2465  bed2 = (SCDetectByteExtractData *)sm->ctx;
2466 
2467  sm = sm->next;
2468  if (sm->type != DETECT_CONTENT) {
2469  result = 0;
2470  goto end;
2471  }
2472  cd = (DetectContentData *)sm->ctx;
2473  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2474  cd->flags != (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE |
2475  DETECT_CONTENT_DISTANCE_NEXT | DETECT_CONTENT_MPM) ||
2476  cd->distance != bed1->local_id || cd->depth != 0 || cd->offset != 0) {
2477  printf("four failed\n");
2478  result = 0;
2479  goto end;
2480  }
2481 
2482  sm = sm->next;
2483  if (sm->type != DETECT_CONTENT) {
2484  result = 0;
2485  goto end;
2486  }
2487  cd = (DetectContentData *)sm->ctx;
2488  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2489  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2490  DETECT_CONTENT_DISTANCE) ||
2491  cd->distance != bed2->local_id ||
2492  cd->depth != 0 ||
2493  cd->offset != 0) {
2494  printf("five failed\n");
2495  result = 0;
2496  goto end;
2497  }
2498 
2499  if (sm->next != NULL)
2500  goto end;
2501 
2502  result = 1;
2503 
2504  end:
2505  SigGroupCleanup(de_ctx);
2506  SigCleanSignatures(de_ctx);
2507  DetectEngineCtxFree(de_ctx);
2508 
2509  return result;
2510 }
2511 
2512 static int DetectByteExtractTest49(void)
2513 {
2514  DetectEngineCtx *de_ctx = NULL;
2515  int result = 0;
2516  Signature *s = NULL;
2517  SigMatch *sm = NULL;
2518  DetectContentData *cd = NULL;
2519  SCDetectByteExtractData *bed = NULL;
2520 
2521  de_ctx = DetectEngineCtxInit();
2522  if (de_ctx == NULL)
2523  goto end;
2524 
2525  de_ctx->flags |= DE_QUIET;
2526  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2527  "(msg:\"Testing bytejump_body\"; "
2528  "content:\"one\"; "
2529  "byte_extract:4,0,two,string,hex; "
2530  "content: \"three\"; within:two; "
2531  "sid:1;)");
2532  if (de_ctx->sig_list == NULL) {
2533  result = 0;
2534  goto end;
2535  }
2536 
2537  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2538  result = 0;
2539  goto end;
2540  }
2541 
2542  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2543  if (sm->type != DETECT_CONTENT) {
2544  result = 0;
2545  goto end;
2546  }
2547  cd = (DetectContentData *)sm->ctx;
2548  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2549  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2550  cd->flags & DETECT_CONTENT_NOCASE ||
2551  cd->flags & DETECT_CONTENT_WITHIN ||
2552  cd->flags & DETECT_CONTENT_DISTANCE ||
2553  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2554  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2555  cd->flags & DETECT_CONTENT_NEGATED ) {
2556  printf("one failed\n");
2557  result = 0;
2558  goto end;
2559  }
2560 
2561  sm = sm->next;
2562  if (sm->type != DETECT_BYTE_EXTRACT) {
2563  result = 0;
2564  goto end;
2565  }
2566  bed = (SCDetectByteExtractData *)sm->ctx;
2567  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2568  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2569  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2570  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2571  goto end;
2572  }
2573  if (bed->local_id != 0) {
2574  result = 0;
2575  goto end;
2576  }
2577 
2578  sm = sm->next;
2579  if (sm->type != DETECT_CONTENT) {
2580  result = 0;
2581  goto end;
2582  }
2583  cd = (DetectContentData *)sm->ctx;
2584  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2585  cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM) ||
2586  cd->within != bed->local_id || cd->offset != 0 || cd->depth != 0 || cd->distance != 0) {
2587  printf("three failed\n");
2588  result = 0;
2589  goto end;
2590  }
2591 
2592  if (sm->next != NULL)
2593  goto end;
2594 
2595  result = 1;
2596 
2597  end:
2598  SigGroupCleanup(de_ctx);
2599  SigCleanSignatures(de_ctx);
2600  DetectEngineCtxFree(de_ctx);
2601 
2602  return result;
2603 }
2604 
2605 static int DetectByteExtractTest50(void)
2606 {
2607  DetectEngineCtx *de_ctx = NULL;
2608  int result = 0;
2609  Signature *s = NULL;
2610  SigMatch *sm = NULL;
2611  DetectContentData *cd = NULL;
2612  SCDetectByteExtractData *bed1 = NULL;
2613  SCDetectByteExtractData *bed2 = NULL;
2614 
2615  de_ctx = DetectEngineCtxInit();
2616  if (de_ctx == NULL)
2617  goto end;
2618 
2619  de_ctx->flags |= DE_QUIET;
2620  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2621  "(msg:\"Testing bytejump_body\"; "
2622  "content:\"one\"; "
2623  "byte_extract:4,0,two,string,hex; "
2624  "byte_extract:4,0,three,string,hex; "
2625  "content: \"four\"; within:two; "
2626  "content: \"five\"; within:three; "
2627  "sid:1;)");
2628  if (de_ctx->sig_list == NULL) {
2629  result = 0;
2630  goto end;
2631  }
2632 
2633  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2634  result = 0;
2635  goto end;
2636  }
2637 
2638  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2639  if (sm->type != DETECT_CONTENT) {
2640  result = 0;
2641  goto end;
2642  }
2643  cd = (DetectContentData *)sm->ctx;
2644  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2645  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2646  cd->flags & DETECT_CONTENT_NOCASE ||
2647  cd->flags & DETECT_CONTENT_WITHIN ||
2648  cd->flags & DETECT_CONTENT_DISTANCE ||
2649  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2650  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2651  cd->flags & DETECT_CONTENT_NEGATED ) {
2652  printf("one failed\n");
2653  result = 0;
2654  goto end;
2655  }
2656 
2657  sm = sm->next;
2658  if (sm->type != DETECT_BYTE_EXTRACT) {
2659  result = 0;
2660  goto end;
2661  }
2662  bed1 = (SCDetectByteExtractData *)sm->ctx;
2663  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2664  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2665  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2666  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2667  goto end;
2668  }
2669  if (bed1->local_id != 0) {
2670  result = 0;
2671  goto end;
2672  }
2673 
2674  sm = sm->next;
2675  if (sm->type != DETECT_BYTE_EXTRACT) {
2676  result = 0;
2677  goto end;
2678  }
2679  bed2 = (SCDetectByteExtractData *)sm->ctx;
2680 
2681  sm = sm->next;
2682  if (sm->type != DETECT_CONTENT) {
2683  result = 0;
2684  goto end;
2685  }
2686  cd = (DetectContentData *)sm->ctx;
2687  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2688  cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN |
2689  DETECT_CONTENT_WITHIN_NEXT | DETECT_CONTENT_MPM) ||
2690  cd->within != bed1->local_id || cd->depth != 0 || cd->offset != 0 ||
2691  cd->distance != 0) {
2692  printf("four failed\n");
2693  result = 0;
2694  goto end;
2695  }
2696 
2697  sm = sm->next;
2698  if (sm->type != DETECT_CONTENT) {
2699  result = 0;
2700  goto end;
2701  }
2702  cd = (DetectContentData *)sm->ctx;
2703  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2704  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
2705  DETECT_CONTENT_WITHIN) ||
2706  cd->within != bed2->local_id ||
2707  cd->depth != 0 ||
2708  cd->offset != 0 ||
2709  cd->distance != 0) {
2710  printf("five failed\n");
2711  result = 0;
2712  goto end;
2713  }
2714 
2715  if (sm->next != NULL)
2716  goto end;
2717 
2718  result = 1;
2719 
2720  end:
2721  SigGroupCleanup(de_ctx);
2722  SigCleanSignatures(de_ctx);
2723  DetectEngineCtxFree(de_ctx);
2724 
2725  return result;
2726 }
2727 
2728 static int DetectByteExtractTest51(void)
2729 {
2730  DetectEngineCtx *de_ctx = NULL;
2731  int result = 0;
2732  Signature *s = NULL;
2733  SigMatch *sm = NULL;
2734  DetectContentData *cd = NULL;
2735  SCDetectByteExtractData *bed = NULL;
2736  DetectBytetestData *btd = NULL;
2737 
2738  de_ctx = DetectEngineCtxInit();
2739  if (de_ctx == NULL)
2740  goto end;
2741 
2742  de_ctx->flags |= DE_QUIET;
2743  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2744  "(msg:\"Testing bytejump_body\"; "
2745  "content:\"one\"; "
2746  "byte_extract:4,0,two,string,hex; "
2747  "byte_test: 2,=,10, two; "
2748  "sid:1;)");
2749  if (de_ctx->sig_list == NULL) {
2750  result = 0;
2751  goto end;
2752  }
2753 
2754  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2755  result = 0;
2756  goto end;
2757  }
2758 
2759  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2760  if (sm->type != DETECT_CONTENT) {
2761  result = 0;
2762  goto end;
2763  }
2764  cd = (DetectContentData *)sm->ctx;
2765  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2766  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2767  cd->flags & DETECT_CONTENT_NOCASE ||
2768  cd->flags & DETECT_CONTENT_WITHIN ||
2769  cd->flags & DETECT_CONTENT_DISTANCE ||
2770  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2771  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2772  cd->flags & DETECT_CONTENT_NEGATED ) {
2773  printf("one failed\n");
2774  result = 0;
2775  goto end;
2776  }
2777 
2778  sm = sm->next;
2779  if (sm->type != DETECT_BYTE_EXTRACT) {
2780  result = 0;
2781  goto end;
2782  }
2783  bed = (SCDetectByteExtractData *)sm->ctx;
2784  if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2785  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2786  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2787  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2788  goto end;
2789  }
2790  if (bed->local_id != 0) {
2791  result = 0;
2792  goto end;
2793  }
2794 
2795  sm = sm->next;
2796  if (sm->type != DETECT_BYTETEST) {
2797  result = 0;
2798  goto end;
2799  }
2800  btd = (DetectBytetestData *)sm->ctx;
2801  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
2802  btd->value != 10 ||
2803  btd->offset != 0) {
2804  printf("three failed\n");
2805  result = 0;
2806  goto end;
2807  }
2808 
2809  if (sm->next != NULL)
2810  goto end;
2811 
2812  result = 1;
2813 
2814  end:
2815  SigGroupCleanup(de_ctx);
2816  SigCleanSignatures(de_ctx);
2817  DetectEngineCtxFree(de_ctx);
2818 
2819  return result;
2820 }
2821 
2822 static int DetectByteExtractTest52(void)
2823 {
2824  DetectEngineCtx *de_ctx = NULL;
2825  int result = 0;
2826  Signature *s = NULL;
2827  SigMatch *sm = NULL;
2828  DetectContentData *cd = NULL;
2829  SCDetectByteExtractData *bed1 = NULL;
2830  DetectBytetestData *btd = NULL;
2831 
2832  de_ctx = DetectEngineCtxInit();
2833  if (de_ctx == NULL)
2834  goto end;
2835 
2836  de_ctx->flags |= DE_QUIET;
2837  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2838  "(msg:\"Testing bytejump_body\"; "
2839  "content:\"one\"; "
2840  "byte_extract:4,0,two,string,hex; "
2841  "byte_extract:4,0,three,string,hex; "
2842  "byte_test: 2,=,two,three; "
2843  "byte_test: 3,=,10,three; "
2844  "sid:1;)");
2845  if (de_ctx->sig_list == NULL) {
2846  result = 0;
2847  goto end;
2848  }
2849 
2850  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2851  result = 0;
2852  goto end;
2853  }
2854 
2855  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2856  if (sm->type != DETECT_CONTENT) {
2857  result = 0;
2858  goto end;
2859  }
2860  cd = (DetectContentData *)sm->ctx;
2861  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2862  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2863  cd->flags & DETECT_CONTENT_NOCASE ||
2864  cd->flags & DETECT_CONTENT_WITHIN ||
2865  cd->flags & DETECT_CONTENT_DISTANCE ||
2866  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2867  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2868  cd->flags & DETECT_CONTENT_NEGATED ) {
2869  printf("one failed\n");
2870  result = 0;
2871  goto end;
2872  }
2873 
2874  sm = sm->next;
2875  if (sm->type != DETECT_BYTE_EXTRACT) {
2876  result = 0;
2877  goto end;
2878  }
2879  bed1 = (SCDetectByteExtractData *)sm->ctx;
2880  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2881  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2882  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2883  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2884  goto end;
2885  }
2886  if (bed1->local_id != 0) {
2887  result = 0;
2888  goto end;
2889  }
2890 
2891  sm = sm->next;
2892  if (sm->type != DETECT_BYTE_EXTRACT) {
2893  result = 0;
2894  goto end;
2895  }
2896 
2897  sm = sm->next;
2898  if (sm->type != DETECT_BYTETEST) {
2899  result = 0;
2900  goto end;
2901  }
2902  btd = (DetectBytetestData *)sm->ctx;
2903  if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
2904  DETECT_BYTETEST_VALUE_VAR) ||
2905  btd->value != 0 ||
2906  btd->offset != 1) {
2907  printf("three failed\n");
2908  result = 0;
2909  goto end;
2910  }
2911 
2912  sm = sm->next;
2913  if (sm->type != DETECT_BYTETEST) {
2914  result = 0;
2915  goto end;
2916  }
2917  btd = (DetectBytetestData *)sm->ctx;
2918  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
2919  btd->value != 10 ||
2920  btd->offset != 1) {
2921  printf("four failed\n");
2922  result = 0;
2923  goto end;
2924  }
2925 
2926  if (sm->next != NULL)
2927  goto end;
2928 
2929  result = 1;
2930 
2931  end:
2932  SigGroupCleanup(de_ctx);
2933  SigCleanSignatures(de_ctx);
2934  DetectEngineCtxFree(de_ctx);
2935 
2936  return result;
2937 }
2938 
2939 static int DetectByteExtractTest53(void)
2940 {
2941  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2942  FAIL_IF_NULL(de_ctx);
2943  de_ctx->flags |= DE_QUIET;
2944 
2945  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
2946  "content:\"one\"; "
2947  "byte_extract:4,0,two,string,hex; "
2948  "byte_jump: 2,two; "
2949  "sid:1;)");
2950  FAIL_IF_NULL(s);
2951  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
2952 
2953  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2954  FAIL_IF(sm->type != DETECT_CONTENT);
2955  DetectContentData *cd = (DetectContentData *)sm->ctx;
2956  FAIL_IF(cd->flags != (DETECT_CONTENT_MPM | DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED));
2957 
2958  sm = sm->next;
2959  FAIL_IF_NULL(sm);
2960  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
2961  SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
2962 
2963  FAIL_IF(bed->nbytes != 4);
2964  FAIL_IF(bed->offset != 0);
2965  FAIL_IF(strcmp(bed->name, "two") != 0);
2966  FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
2967  FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
2968  FAIL_IF(bed->align_value != 0);
2969  FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
2970  FAIL_IF(bed->local_id != 0);
2971 
2972  sm = sm->next;
2973  FAIL_IF_NULL(sm);
2974  FAIL_IF(sm->type != DETECT_BYTEJUMP);
2975  DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
2976 
2977  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
2978  FAIL_IF(bjd->offset != 0);
2979 
2980  FAIL_IF_NOT_NULL(sm->next);
2981  DetectEngineCtxFree(de_ctx);
2982  PASS;
2983 }
2984 
2985 static int DetectByteExtractTest54(void)
2986 {
2987  DetectEngineCtx *de_ctx = NULL;
2988  int result = 0;
2989  Signature *s = NULL;
2990  SigMatch *sm = NULL;
2991  DetectContentData *cd = NULL;
2992  SCDetectByteExtractData *bed1 = NULL;
2993  DetectBytejumpData *bjd = NULL;
2994 
2995  de_ctx = DetectEngineCtxInit();
2996  if (de_ctx == NULL)
2997  goto end;
2998 
2999  de_ctx->flags |= DE_QUIET;
3000  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3001  "(msg:\"Testing bytejump_body\"; "
3002  "content:\"one\"; "
3003  "byte_extract:4,0,two,string,hex; "
3004  "byte_extract:4,0,three,string,hex; "
3005  "byte_jump: 2,two; "
3006  "byte_jump: 3,three; "
3007  "sid:1;)");
3008  if (de_ctx->sig_list == NULL) {
3009  result = 0;
3010  goto end;
3011  }
3012 
3013  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3014  result = 0;
3015  goto end;
3016  }
3017 
3018  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3019  if (sm->type != DETECT_CONTENT) {
3020  result = 0;
3021  goto end;
3022  }
3023  cd = (DetectContentData *)sm->ctx;
3024  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3025  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3026  cd->flags & DETECT_CONTENT_NOCASE ||
3027  cd->flags & DETECT_CONTENT_WITHIN ||
3028  cd->flags & DETECT_CONTENT_DISTANCE ||
3029  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3030  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3031  cd->flags & DETECT_CONTENT_NEGATED ) {
3032  printf("one failed\n");
3033  result = 0;
3034  goto end;
3035  }
3036 
3037  sm = sm->next;
3038  if (sm->type != DETECT_BYTE_EXTRACT) {
3039  result = 0;
3040  goto end;
3041  }
3042  bed1 = (SCDetectByteExtractData *)sm->ctx;
3043  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3044  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3045  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3046  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3047  goto end;
3048  }
3049  if (bed1->local_id != 0) {
3050  result = 0;
3051  goto end;
3052  }
3053 
3054  sm = sm->next;
3055  if (sm->type != DETECT_BYTE_EXTRACT) {
3056  result = 0;
3057  goto end;
3058  }
3059 
3060  sm = sm->next;
3061  if (sm->type != DETECT_BYTEJUMP) {
3062  result = 0;
3063  goto end;
3064  }
3065  bjd = (DetectBytejumpData *)sm->ctx;
3066  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3067  printf("three failed\n");
3068  result = 0;
3069  goto end;
3070  }
3071 
3072  sm = sm->next;
3073  if (sm->type != DETECT_BYTEJUMP) {
3074  result = 0;
3075  goto end;
3076  }
3077  bjd = (DetectBytejumpData *)sm->ctx;
3078  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3079  FAIL_IF(bjd->offset != 1);
3080 
3081  if (sm->next != NULL)
3082  goto end;
3083 
3084  result = 1;
3085 
3086  end:
3087  SigGroupCleanup(de_ctx);
3088  SigCleanSignatures(de_ctx);
3089  DetectEngineCtxFree(de_ctx);
3090 
3091  return result;
3092 }
3093 
3094 static int DetectByteExtractTest55(void)
3095 {
3096  DetectEngineCtx *de_ctx = NULL;
3097  int result = 0;
3098  Signature *s = NULL;
3099  SigMatch *sm = NULL;
3100  DetectContentData *cd = NULL;
3101  SCDetectByteExtractData *bed1 = NULL;
3102  SCDetectByteExtractData *bed2 = NULL;
3103 
3104  de_ctx = DetectEngineCtxInit();
3105  if (de_ctx == NULL)
3106  goto end;
3107 
3108  de_ctx->flags |= DE_QUIET;
3109  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3110  "(msg:\"Testing byte_extract\"; "
3111  "content:\"one\"; "
3112  "byte_extract:4,0,two,string,hex; "
3113  "byte_extract:4,0,three,string,hex; "
3114  "byte_extract:4,0,four,string,hex; "
3115  "byte_extract:4,0,five,string,hex; "
3116  "content: \"four\"; within:two; distance:three; "
3117  "sid:1;)");
3118  if (de_ctx->sig_list == NULL) {
3119  goto end;
3120  }
3121 
3122  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3123  goto end;
3124  }
3125 
3126  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3127  if (sm->type != DETECT_CONTENT) {
3128  goto end;
3129  }
3130  cd = (DetectContentData *)sm->ctx;
3131  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3132  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3133  cd->flags & DETECT_CONTENT_NOCASE ||
3134  cd->flags & DETECT_CONTENT_WITHIN ||
3135  cd->flags & DETECT_CONTENT_DISTANCE ||
3136  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3137  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3138  cd->flags & DETECT_CONTENT_NEGATED ) {
3139  printf("one failed: ");
3140  goto end;
3141  }
3142 
3143  sm = sm->next;
3144  if (sm->type != DETECT_BYTE_EXTRACT) {
3145  goto end;
3146  }
3147  bed1 = (SCDetectByteExtractData *)sm->ctx;
3148  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3149  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3150  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3151  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3152  goto end;
3153  }
3154  if (bed1->local_id != 0) {
3155  goto end;
3156  }
3157 
3158  sm = sm->next;
3159  if (sm->type != DETECT_BYTE_EXTRACT) {
3160  goto end;
3161  }
3162  bed2 = (SCDetectByteExtractData *)sm->ctx;
3163 
3164  sm = sm->next;
3165  if (sm->type != DETECT_BYTE_EXTRACT) {
3166  goto end;
3167  }
3168 
3169  sm = sm->next;
3170  if (sm->type != DETECT_BYTE_EXTRACT) {
3171  goto end;
3172  }
3173 
3174  sm = sm->next;
3175  if (sm->type != DETECT_CONTENT) {
3176  goto end;
3177  }
3178  cd = (DetectContentData *)sm->ctx;
3179  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3180  cd->flags !=
3181  (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_WITHIN_VAR |
3182  DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM) ||
3183  cd->within != bed1->local_id || cd->distance != bed2->local_id) {
3184  printf("four failed: ");
3185  goto end;
3186  }
3187 
3188  if (sm->next != NULL) {
3189  goto end;
3190  }
3191 
3192  result = 1;
3193 
3194  end:
3195  SigGroupCleanup(de_ctx);
3196  SigCleanSignatures(de_ctx);
3197  DetectEngineCtxFree(de_ctx);
3198 
3199  return result;
3200 }
3201 
3202 static int DetectByteExtractTest56(void)
3203 {
3204  DetectEngineCtx *de_ctx = NULL;
3205  int result = 0;
3206  Signature *s = NULL;
3207  SigMatch *sm = NULL;
3208  DetectContentData *cd = NULL;
3209  SCDetectByteExtractData *bed1 = NULL;
3210  SCDetectByteExtractData *bed2 = NULL;
3211 
3212  de_ctx = DetectEngineCtxInit();
3213  if (de_ctx == NULL)
3214  goto end;
3215 
3216  de_ctx->flags |= DE_QUIET;
3217  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3218  "(msg:\"Testing bytejump_body\"; "
3219  "uricontent:\"urione\"; "
3220  "content:\"one\"; "
3221  "byte_extract:4,0,two,string,hex; "
3222  "byte_extract:4,0,three,string,hex; "
3223  "byte_extract:4,0,four,string,hex; "
3224  "byte_extract:4,0,five,string,hex; "
3225  "content: \"four\"; within:two; distance:three; "
3226  "sid:1;)");
3227  if (de_ctx->sig_list == NULL) {
3228  result = 0;
3229  goto end;
3230  }
3231 
3232  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3233  result = 0;
3234  goto end;
3235  }
3236 
3237  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3238  if (sm->type != DETECT_CONTENT) {
3239  result = 0;
3240  goto end;
3241  }
3242  cd = (DetectContentData *)sm->ctx;
3243  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3244  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3245  cd->flags & DETECT_CONTENT_NOCASE ||
3246  cd->flags & DETECT_CONTENT_WITHIN ||
3247  cd->flags & DETECT_CONTENT_DISTANCE ||
3248  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3249  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3250  cd->flags & DETECT_CONTENT_NEGATED ) {
3251  printf("one failed\n");
3252  result = 0;
3253  goto end;
3254  }
3255 
3256  if (sm->next != NULL)
3257  goto end;
3258 
3259  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3260  if (sm->type != DETECT_CONTENT) {
3261  result = 0;
3262  goto end;
3263  }
3264  cd = (DetectContentData *)sm->ctx;
3265  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3266  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3267  cd->flags & DETECT_CONTENT_NOCASE ||
3268  cd->flags & DETECT_CONTENT_WITHIN ||
3269  cd->flags & DETECT_CONTENT_DISTANCE ||
3270  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3271  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3272  cd->flags & DETECT_CONTENT_NEGATED ) {
3273  printf("one failed\n");
3274  result = 0;
3275  goto end;
3276  }
3277 
3278  sm = sm->next;
3279  if (sm->type != DETECT_BYTE_EXTRACT) {
3280  result = 0;
3281  goto end;
3282  }
3283  bed1 = (SCDetectByteExtractData *)sm->ctx;
3284  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3285  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3286  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3287  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3288  goto end;
3289  }
3290  if (bed1->local_id != 0) {
3291  result = 0;
3292  goto end;
3293  }
3294 
3295  sm = sm->next;
3296  if (sm->type != DETECT_BYTE_EXTRACT) {
3297  result = 0;
3298  goto end;
3299  }
3300  bed2 = (SCDetectByteExtractData *)sm->ctx;
3301 
3302  sm = sm->next;
3303  if (sm->type != DETECT_BYTE_EXTRACT) {
3304  result = 0;
3305  goto end;
3306  }
3307 
3308  sm = sm->next;
3309  if (sm->type != DETECT_BYTE_EXTRACT) {
3310  result = 0;
3311  goto end;
3312  }
3313 
3314  sm = sm->next;
3315  if (sm->type != DETECT_CONTENT) {
3316  result = 0;
3317  goto end;
3318  }
3319  cd = (DetectContentData *)sm->ctx;
3320  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3321  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3322  DETECT_CONTENT_WITHIN_VAR |
3323  DETECT_CONTENT_DISTANCE |
3324  DETECT_CONTENT_WITHIN) ||
3325  cd->within != bed1->local_id ||
3326  cd->distance != bed2->local_id ) {
3327  printf("four failed\n");
3328  result = 0;
3329  goto end;
3330  }
3331 
3332  if (sm->next != NULL) {
3333  goto end;
3334  }
3335 
3336  result = 1;
3337 
3338  end:
3339  SigGroupCleanup(de_ctx);
3340  SigCleanSignatures(de_ctx);
3341  DetectEngineCtxFree(de_ctx);
3342 
3343  return result;
3344 }
3345 
3346 static int DetectByteExtractTest57(void)
3347 {
3348  DetectEngineCtx *de_ctx = NULL;
3349  int result = 0;
3350  Signature *s = NULL;
3351  SigMatch *sm = NULL;
3352  DetectContentData *cd = NULL;
3353  SCDetectByteExtractData *bed1 = NULL;
3354  SCDetectByteExtractData *bed2 = NULL;
3355  SCDetectByteExtractData *bed3 = NULL;
3356  SCDetectByteExtractData *bed4 = NULL;
3357 
3358  de_ctx = DetectEngineCtxInit();
3359  if (de_ctx == NULL)
3360  goto end;
3361 
3362  de_ctx->flags |= DE_QUIET;
3363  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3364  "(msg:\"Testing bytejump_body\"; "
3365  "content:\"one\"; "
3366  "uricontent: \"urione\"; "
3367  "byte_extract:4,0,two,string,hex,relative; "
3368  "byte_extract:4,0,three,string,hex,relative; "
3369  "byte_extract:4,0,four,string,hex,relative; "
3370  "byte_extract:4,0,five,string,hex,relative; "
3371  "uricontent: \"four\"; within:two; distance:three; "
3372  "sid:1;)");
3373  if (de_ctx->sig_list == NULL) {
3374  result = 0;
3375  goto end;
3376  }
3377 
3378  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3379  result = 0;
3380  goto end;
3381  }
3382 
3383  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3384  if (sm->type != DETECT_CONTENT) {
3385  result = 0;
3386  goto end;
3387  }
3388  cd = (DetectContentData *)sm->ctx;
3389  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3390  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3391  cd->flags & DETECT_CONTENT_NOCASE ||
3392  cd->flags & DETECT_CONTENT_WITHIN ||
3393  cd->flags & DETECT_CONTENT_DISTANCE ||
3394  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3395  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3396  cd->flags & DETECT_CONTENT_NEGATED ) {
3397  printf("one failed\n");
3398  result = 0;
3399  goto end;
3400  }
3401 
3402  if (sm->next != NULL)
3403  goto end;
3404 
3405  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3406  if (sm->type != DETECT_CONTENT) {
3407  result = 0;
3408  goto end;
3409  }
3410  cd = (DetectContentData *)sm->ctx;
3411  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3412  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3413  cd->flags & DETECT_CONTENT_NOCASE ||
3414  cd->flags & DETECT_CONTENT_WITHIN ||
3415  cd->flags & DETECT_CONTENT_DISTANCE ||
3416  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3417  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3418  cd->flags & DETECT_CONTENT_NEGATED ) {
3419  printf("one failed\n");
3420  result = 0;
3421  goto end;
3422  }
3423 
3424  sm = sm->next;
3425  if (sm->type != DETECT_BYTE_EXTRACT) {
3426  result = 0;
3427  goto end;
3428  }
3429  bed1 = (SCDetectByteExtractData *)sm->ctx;
3430  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3431  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3432  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3433  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3434  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3435  goto end;
3436  }
3437  if (bed1->local_id != 0) {
3438  result = 0;
3439  goto end;
3440  }
3441 
3442  sm = sm->next;
3443  if (sm->type != DETECT_BYTE_EXTRACT) {
3444  result = 0;
3445  goto end;
3446  }
3447  bed2 = (SCDetectByteExtractData *)sm->ctx;
3448  if (bed2->local_id != 1) {
3449  result = 0;
3450  goto end;
3451  }
3452 
3453  sm = sm->next;
3454  if (sm->type != DETECT_BYTE_EXTRACT) {
3455  result = 0;
3456  goto end;
3457  }
3458  bed3 = (SCDetectByteExtractData *)sm->ctx;
3459  if (bed3->local_id != 2) {
3460  result = 0;
3461  goto end;
3462  }
3463 
3464  sm = sm->next;
3465  if (sm->type != DETECT_BYTE_EXTRACT) {
3466  result = 0;
3467  goto end;
3468  }
3469  bed4 = (SCDetectByteExtractData *)sm->ctx;
3470  if (bed4->local_id != 3) {
3471  result = 0;
3472  goto end;
3473  }
3474 
3475  sm = sm->next;
3476  if (sm->type != DETECT_CONTENT) {
3477  result = 0;
3478  goto end;
3479  }
3480  cd = (DetectContentData *)sm->ctx;
3481  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3482  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3483  DETECT_CONTENT_WITHIN_VAR |
3484  DETECT_CONTENT_DISTANCE |
3485  DETECT_CONTENT_WITHIN) ||
3486  cd->within != bed1->local_id ||
3487  cd->distance != bed2->local_id) {
3488  printf("four failed\n");
3489  result = 0;
3490  goto end;
3491  }
3492 
3493  if (sm->next != NULL) {
3494  goto end;
3495  }
3496 
3497  result = 1;
3498 
3499  end:
3500  SigGroupCleanup(de_ctx);
3501  SigCleanSignatures(de_ctx);
3502  DetectEngineCtxFree(de_ctx);
3503 
3504  return result;
3505 }
3506 
3507 static int DetectByteExtractTest58(void)
3508 {
3509  DetectEngineCtx *de_ctx = NULL;
3510  int result = 0;
3511  Signature *s = NULL;
3512  SigMatch *sm = NULL;
3513  DetectContentData *cd = NULL;
3514  SCDetectByteExtractData *bed1 = NULL;
3515  DetectBytejumpData *bjd = NULL;
3516  DetectIsdataatData *isdd = NULL;
3517 
3518  de_ctx = DetectEngineCtxInit();
3519  if (de_ctx == NULL)
3520  goto end;
3521 
3522  de_ctx->flags |= DE_QUIET;
3523  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3524  "(msg:\"Testing bytejump_body\"; "
3525  "content:\"one\"; "
3526  "byte_extract:4,0,two,string,hex; "
3527  "byte_extract:4,0,three,string,hex; "
3528  "byte_jump: 2,two; "
3529  "byte_jump: 3,three; "
3530  "isdataat: three; "
3531  "sid:1;)");
3532  if (de_ctx->sig_list == NULL) {
3533  result = 0;
3534  goto end;
3535  }
3536 
3537  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3538  result = 0;
3539  goto end;
3540  }
3541 
3542  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3543  if (sm->type != DETECT_CONTENT) {
3544  result = 0;
3545  goto end;
3546  }
3547  cd = (DetectContentData *)sm->ctx;
3548  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3549  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3550  cd->flags & DETECT_CONTENT_NOCASE ||
3551  cd->flags & DETECT_CONTENT_WITHIN ||
3552  cd->flags & DETECT_CONTENT_DISTANCE ||
3553  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3554  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3555  cd->flags & DETECT_CONTENT_NEGATED ) {
3556  printf("one failed\n");
3557  result = 0;
3558  goto end;
3559  }
3560 
3561  sm = sm->next;
3562  if (sm->type != DETECT_BYTE_EXTRACT) {
3563  result = 0;
3564  goto end;
3565  }
3566  bed1 = (SCDetectByteExtractData *)sm->ctx;
3567  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3568  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3569  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3570  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3571  goto end;
3572  }
3573  if (bed1->local_id != 0) {
3574  result = 0;
3575  goto end;
3576  }
3577 
3578  sm = sm->next;
3579  if (sm->type != DETECT_BYTE_EXTRACT) {
3580  result = 0;
3581  goto end;
3582  }
3583 
3584  sm = sm->next;
3585  if (sm->type != DETECT_BYTEJUMP) {
3586  result = 0;
3587  goto end;
3588  }
3589  bjd = (DetectBytejumpData *)sm->ctx;
3590  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3591  printf("three failed\n");
3592  result = 0;
3593  goto end;
3594  }
3595 
3596  sm = sm->next;
3597  if (sm->type != DETECT_BYTEJUMP) {
3598  result = 0;
3599  goto end;
3600  }
3601  bjd = (DetectBytejumpData *)sm->ctx;
3602  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
3603  printf("four failed\n");
3604  result = 0;
3605  goto end;
3606  }
3607 
3608  sm = sm->next;
3609  if (sm->type != DETECT_ISDATAAT) {
3610  result = 0;
3611  goto end;
3612  }
3613  isdd = (DetectIsdataatData *)sm->ctx;
3614  if (isdd->flags != ISDATAAT_OFFSET_VAR ||
3615  isdd->dataat != 1) {
3616  printf("isdataat failed\n");
3617  result = 0;
3618  goto end;
3619  }
3620 
3621  if (sm->next != NULL)
3622  goto end;
3623 
3624  result = 1;
3625 
3626  end:
3627  SigGroupCleanup(de_ctx);
3628  SigCleanSignatures(de_ctx);
3629  DetectEngineCtxFree(de_ctx);
3630 
3631  return result;
3632 }
3633 
3634 static int DetectByteExtractTest59(void)
3635 {
3636  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3637  FAIL_IF_NULL(de_ctx);
3638  de_ctx->flags |= DE_QUIET;
3639 
3640  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
3641  "content:\"one\"; "
3642  "byte_extract:4,0,two,string,hex; "
3643  "byte_extract:4,0,three,string,hex; "
3644  "byte_jump: 2,two; "
3645  "byte_jump: 3,three; "
3646  "isdataat: three,relative; "
3647  "sid:1;)");
3648  FAIL_IF_NULL(s);
3649 
3650  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
3651  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3652  FAIL_IF(sm->type != DETECT_CONTENT);
3653 
3654  DetectContentData *cd = (DetectContentData *)sm->ctx;
3655  FAIL_IF(cd->flags & DETECT_CONTENT_RAWBYTES);
3656  FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
3657  FAIL_IF(cd->flags & DETECT_CONTENT_NOCASE);
3658  FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
3659  FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
3660  FAIL_IF(cd->flags & DETECT_CONTENT_FAST_PATTERN);
3661  FAIL_IF(cd->flags & DETECT_CONTENT_RELATIVE_NEXT);
3662  FAIL_IF(cd->flags & DETECT_CONTENT_NEGATED);
3663 
3664  sm = sm->next;
3665  FAIL_IF_NULL(sm);
3666  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
3667 
3668  SCDetectByteExtractData *bed1 = (SCDetectByteExtractData *)sm->ctx;
3669  FAIL_IF(bed1->nbytes != 4);
3670  FAIL_IF(bed1->offset != 0);
3671  FAIL_IF(strcmp(bed1->name, "two") != 0);
3672  printf("a\n");
3673  FAIL_IF(bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
3674  printf("b\n");
3675  FAIL_IF(bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX);
3676  FAIL_IF(bed1->align_value != 0);
3677  FAIL_IF(bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
3678 
3679  FAIL_IF(bed1->local_id != 0);
3680 
3681  sm = sm->next;
3682  FAIL_IF_NULL(sm);
3683  FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
3684 
3685  sm = sm->next;
3686  FAIL_IF_NULL(sm);
3687  FAIL_IF(sm->type != DETECT_BYTEJUMP);
3688 
3689  DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
3690  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3691  FAIL_IF(bjd->offset != 0);
3692 
3693  sm = sm->next;
3694  FAIL_IF_NULL(sm);
3695  FAIL_IF(sm->type != DETECT_BYTEJUMP);
3696 
3697  bjd = (DetectBytejumpData *)sm->ctx;
3698  FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3699  FAIL_IF(bjd->offset != 1);
3700 
3701  sm = sm->next;
3702  FAIL_IF_NULL(sm);
3703  FAIL_IF(sm->type != DETECT_ISDATAAT);
3704  DetectIsdataatData *isdd = (DetectIsdataatData *)sm->ctx;
3705  FAIL_IF(isdd->flags != (ISDATAAT_OFFSET_VAR | ISDATAAT_RELATIVE));
3706  FAIL_IF(isdd->dataat != 1);
3707 
3708  FAIL_IF(sm->next != NULL);
3709  DetectEngineCtxFree(de_ctx);
3710 
3711  PASS;
3712 }
3713 
3714 static int DetectByteExtractTest60(void)
3715 {
3716  DetectEngineCtx *de_ctx = NULL;
3717  int result = 0;
3718  Signature *s = NULL;
3719  SigMatch *sm = NULL;
3720  DetectContentData *cd = NULL;
3721  SCDetectByteExtractData *bed1 = NULL;
3722  DetectIsdataatData *isdd = NULL;
3723 
3724  de_ctx = DetectEngineCtxInit();
3725  if (de_ctx == NULL)
3726  goto end;
3727 
3728  de_ctx->flags |= DE_QUIET;
3729  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3730  "(msg:\"Testing bytejump_body\"; "
3731  "content:\"one\"; "
3732  "byte_extract:4,0,two,string,hex,relative; "
3733  "uricontent: \"three\"; "
3734  "byte_extract:4,0,four,string,hex,relative; "
3735  "isdataat: two; "
3736  "sid:1;)");
3737  if (de_ctx->sig_list == NULL) {
3738  result = 0;
3739  goto end;
3740  }
3741 
3742  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3743  result = 0;
3744  goto end;
3745  }
3746 
3747  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3748  if (sm->type != DETECT_CONTENT) {
3749  result = 0;
3750  goto end;
3751  }
3752  cd = (DetectContentData *)sm->ctx;
3753  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3754  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3755  cd->flags & DETECT_CONTENT_NOCASE ||
3756  cd->flags & DETECT_CONTENT_WITHIN ||
3757  cd->flags & DETECT_CONTENT_DISTANCE ||
3758  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3759  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3760  cd->flags & DETECT_CONTENT_NEGATED ) {
3761  printf("one failed\n");
3762  result = 0;
3763  goto end;
3764  }
3765 
3766  sm = sm->next;
3767  if (sm->type != DETECT_BYTE_EXTRACT) {
3768  result = 0;
3769  goto end;
3770  }
3771  bed1 = (SCDetectByteExtractData *)sm->ctx;
3772  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3773  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3774  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3775  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3776  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3777  goto end;
3778  }
3779  if (bed1->local_id != 0) {
3780  result = 0;
3781  goto end;
3782  }
3783 
3784  sm = sm->next;
3785  if (sm->type != DETECT_ISDATAAT) {
3786  result = 0;
3787  goto end;
3788  }
3789  isdd = (DetectIsdataatData *)sm->ctx;
3790  if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
3791  isdd->dataat != bed1->local_id) {
3792  printf("isdataat failed\n");
3793  result = 0;
3794  goto end;
3795  }
3796 
3797  if (sm->next != NULL)
3798  goto end;
3799 
3800  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3801  if (sm == NULL) {
3802  result = 0;
3803  goto end;
3804  }
3805  if (sm->type != DETECT_CONTENT) {
3806  result = 0;
3807  goto end;
3808  }
3809  cd = (DetectContentData *)sm->ctx;
3810  if (cd->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM) ||
3811  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
3812  printf("one failed\n");
3813  result = 0;
3814  goto end;
3815  }
3816 
3817  sm = sm->next;
3818  if (sm->type != DETECT_BYTE_EXTRACT) {
3819  result = 0;
3820  goto end;
3821  }
3822  bed1 = (SCDetectByteExtractData *)sm->ctx;
3823  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
3824  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3825  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3826  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3827  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3828  goto end;
3829  }
3830  if (bed1->local_id != 0) {
3831  result = 0;
3832  goto end;
3833  }
3834 
3835  if (sm->next != NULL)
3836  goto end;
3837 
3838  result = 1;
3839 
3840  end:
3841  SigGroupCleanup(de_ctx);
3842  SigCleanSignatures(de_ctx);
3843  DetectEngineCtxFree(de_ctx);
3844 
3845  return result;
3846 }
3847 
3848 static int DetectByteExtractTest61(void)
3849 {
3850  DetectEngineCtx *de_ctx = NULL;
3851  int result = 0;
3852  Signature *s = NULL;
3853  SigMatch *sm = NULL;
3854  DetectContentData *cd = NULL;
3855  SCDetectByteExtractData *bed1 = NULL;
3856  DetectIsdataatData *isdd = NULL;
3857 
3858  de_ctx = DetectEngineCtxInit();
3859  if (de_ctx == NULL)
3860  goto end;
3861 
3862  de_ctx->flags |= DE_QUIET;
3863  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3864  "(msg:\"Testing bytejump_body\"; "
3865  "content:\"one\"; "
3866  "byte_extract:4,0,two,string,hex,relative; "
3867  "uricontent: \"three\"; "
3868  "byte_extract:4,0,four,string,hex,relative; "
3869  "isdataat: four, relative; "
3870  "sid:1;)");
3871  if (de_ctx->sig_list == NULL) {
3872  result = 0;
3873  goto end;
3874  }
3875 
3876  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3877  result = 0;
3878  goto end;
3879  }
3880 
3881  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3882  if (sm->type != DETECT_CONTENT) {
3883  result = 0;
3884  goto end;
3885  }
3886  cd = (DetectContentData *)sm->ctx;
3887  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3888  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3889  cd->flags & DETECT_CONTENT_NOCASE ||
3890  cd->flags & DETECT_CONTENT_WITHIN ||
3891  cd->flags & DETECT_CONTENT_DISTANCE ||
3892  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3893  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3894  cd->flags & DETECT_CONTENT_NEGATED ) {
3895  printf("one failed\n");
3896  result = 0;
3897  goto end;
3898  }
3899 
3900  sm = sm->next;
3901  if (sm->type != DETECT_BYTE_EXTRACT) {
3902  result = 0;
3903  goto end;
3904  }
3905  bed1 = (SCDetectByteExtractData *)sm->ctx;
3906  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3907  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3908  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3909  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3910  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3911  goto end;
3912  }
3913  if (bed1->local_id != 0) {
3914  result = 0;
3915  goto end;
3916  }
3917 
3918  if (sm->next != NULL)
3919  goto end;
3920 
3921  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3922  if (sm == NULL) {
3923  result = 0;
3924  goto end;
3925  }
3926  if (sm->type != DETECT_CONTENT) {
3927  result = 0;
3928  goto end;
3929  }
3930  cd = (DetectContentData *)sm->ctx;
3931  if (cd->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM) ||
3932  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
3933  printf("one failed\n");
3934  result = 0;
3935  goto end;
3936  }
3937 
3938  sm = sm->next;
3939  if (sm->type != DETECT_BYTE_EXTRACT) {
3940  result = 0;
3941  goto end;
3942  }
3943  bed1 = (SCDetectByteExtractData *)sm->ctx;
3944  if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
3945  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3946  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3947  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3948  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3949  goto end;
3950  }
3951  if (bed1->local_id != 0) {
3952  result = 0;
3953  goto end;
3954  }
3955 
3956  sm = sm->next;
3957  if (sm->type != DETECT_ISDATAAT) {
3958  result = 0;
3959  goto end;
3960  }
3961  isdd = (DetectIsdataatData *)sm->ctx;
3962  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
3963  ISDATAAT_RELATIVE) ||
3964  isdd->dataat != bed1->local_id) {
3965  printf("isdataat failed\n");
3966  result = 0;
3967  goto end;
3968  }
3969 
3970  if (sm->next != NULL)
3971  goto end;
3972 
3973  result = 1;
3974 
3975  end:
3976  SigGroupCleanup(de_ctx);
3977  SigCleanSignatures(de_ctx);
3978  DetectEngineCtxFree(de_ctx);
3979 
3980  return result;
3981 }
3982 
3983 static int DetectByteExtractTest62(void)
3984 {
3985  DetectEngineCtx *de_ctx = NULL;
3986  int result = 0;
3987  Signature *s = NULL;
3988  SigMatch *sm = NULL;
3989  SCDetectByteExtractData *bed = NULL;
3990 
3991  de_ctx = DetectEngineCtxInit();
3992  if (de_ctx == NULL)
3993  goto end;
3994 
3995  de_ctx->flags |= DE_QUIET;
3996  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3997  "(file_data; byte_extract:4,2,two,relative,string,hex; "
3998  "sid:1;)");
3999  if (de_ctx->sig_list == NULL) {
4000  goto end;
4001  }
4002 
4003  sm = DetectBufferGetFirstSigMatch(s, g_file_data_buffer_id);
4004  if (sm == NULL) {
4005  goto end;
4006  }
4007  if (sm->type != DETECT_BYTE_EXTRACT) {
4008  goto end;
4009  }
4010  bed = (SCDetectByteExtractData *)sm->ctx;
4011  if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", 3) != 0 ||
4012  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
4013  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4014  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
4015  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4016  goto end;
4017  }
4018 
4019  result = 1;
4020 
4021  end:
4022  SigGroupCleanup(de_ctx);
4023  SigCleanSignatures(de_ctx);
4024  DetectEngineCtxFree(de_ctx);
4025 
4026  return result;
4027 }
4028 
4029 static int DetectByteExtractTest63(void)
4030 {
4031  int result = 0;
4032 
4033  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4034  if (bed == NULL)
4035  goto end;
4036 
4037  if (bed->nbytes != 4 || bed->offset != -2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
4038  bed->endian != BigEndian || bed->align_value != 0 ||
4039  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4040  goto end;
4041  }
4042 
4043  result = 1;
4044  end:
4045  if (bed != NULL)
4046  DetectByteExtractFree(NULL, bed);
4047  return result;
4048 }
4049 
4050 static int DetectByteExtractTestParseNoBase(void)
4051 {
4052  int result = 0;
4053 
4054  SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4055  if (bed == NULL)
4056  goto end;
4057 
4058  if (bed->nbytes != 4) {
4059  goto end;
4060  }
4061  if (bed->offset != 2) {
4062  goto end;
4063  }
4064  if (strcmp(bed->name, "one") != 0) {
4065  goto end;
4066  }
4067  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4068  goto end;
4069  }
4070  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4071  goto end;
4072  }
4073  if (bed->align_value != 0) {
4074  goto end;
4075  }
4076  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4077  goto end;
4078  }
4079 
4080  result = 1;
4081  end:
4082  if (bed != NULL)
4083  DetectByteExtractFree(NULL, bed);
4084  return result;
4085 }
4086 
4087 static void DetectByteExtractRegisterTests(void)
4088 {
4089  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4090  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4091 
4092  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4093  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4094  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4095  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4096  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4097  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4098  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4099  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4100  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4101  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4102  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4103  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4104  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4105  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4106  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4107  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4108  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4109  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4110  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4111  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4112  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4113  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4114  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4115  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4116  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4117  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4118  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4119  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4120  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4121  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4122  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4123  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4124  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4125  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4126  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4127  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4128  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4129  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4130  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4131  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4132  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4133  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4134 
4135  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4136  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4137 
4138  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4139  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4140 
4141  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4142  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4143 
4144  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4145  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4146 
4147  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4148  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4149 
4150  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4151  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4152 
4153  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4154  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4155  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4156 
4157  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4158  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4159  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4160  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4161  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4162  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4163 
4164  UtRegisterTest("DetectByteExtractTestParseNoBase",
4165  DetectByteExtractTestParseNoBase);
4166 }
4167 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:107
util-byte.h
DetectBytetestData_::flags
uint16_t flags
Definition: detect-bytetest.h:58
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1322
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1770
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:539
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1138
detect-engine.h
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1331
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:118
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:591
SigTableElmt_::desc
const char * desc
Definition: detect.h:1321
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:153
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:58
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1309
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
SigTableElmt_::name
const char * name
Definition: detect.h:1319
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:593
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:86
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
DetectContentData_::within
int32_t within
Definition: detect-content.h:109
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:72
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:49
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:363
DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
Definition: detect-content.h:55
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:854
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2648
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:325
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:48
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:51
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:55
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectBytetestData_
Definition: detect-bytetest.h:53
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2694
SigMatchData_
Data needed for Match()
Definition: detect.h:360
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1304
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:46
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:50
util-unittest-helper.h
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1099
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:726
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:82
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:54
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1109
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:577
detect.h
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:50
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:355
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2392
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:354
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2180
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
detect-engine-build.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:683
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1287
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:375
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:935
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:74
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:346
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:143
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:85
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:352
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:55
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:108
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:862
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:596
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:831
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:88
DETECT_CONTENT_MPM
#define DETECT_CONTENT_MPM
Definition: detect-content.h:61
Signature_
Signature container.
Definition: detect.h:614
SigMatch_
a single match condition for a signature
Definition: detect.h:351
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:96
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:134
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:60
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:33
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2609
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:69
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
DetectPcreData_
Definition: detect-pcre.h:47
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:87
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:632
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:462
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:856
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:597
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:56
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:62
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1311
DETECT_BYTEJUMP_OFFSET_VAR
#define DETECT_BYTEJUMP_OFFSET_VAR
Definition: detect-bytejump.h:44
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:49
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
detect-bytetest.h