suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-state.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-bytejump.h"
36 #include "detect-bytetest.h"
37 #include "detect-byte-extract.h"
38 #include "detect-isdataat.h"
39 
40 #include "app-layer-protos.h"
41 
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 
46 #include "util-byte.h"
47 #include "util-debug.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "util-spm.h"
51 
52 /* the default value of endianess to be used, if none's specified */
53 #define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT DETECT_BYTE_EXTRACT_ENDIAN_BIG
54 
55 /* the base to be used if string mode is specified. These options would be
56  * specified in DetectByteParseData->base */
57 #define DETECT_BYTE_EXTRACT_BASE_NONE 0
58 #define DETECT_BYTE_EXTRACT_BASE_HEX 16
59 #define DETECT_BYTE_EXTRACT_BASE_DEC 10
60 #define DETECT_BYTE_EXTRACT_BASE_OCT 8
61 
62 /* the default value for multiplier. Either ways we always store a
63  * multiplier, 1 or otherwise, so that we can always multiply the extracted
64  * value and store it, instead of checking if a multiplier is set or not */
65 #define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT 1
66 /* the min/max limit for multiplier */
67 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT 1
68 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT 65535
69 
70 /* the max no of bytes that can be extracted in string mode - (string, hex)
71  * (string, oct) or (string, dec) */
72 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
73 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
74 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
75 /* the max no of bytes that can be extraced in non-string mode */
76 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
77 
78 #define PARSE_REGEX "^" \
79  "\\s*([0-9]+)\\s*" \
80  ",\\s*(-?[0-9]+)\\s*" \
81  ",\\s*([^\\s,]+)\\s*" \
82  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
83  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
84  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
85  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
86  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
87  "$"
88 
89 static DetectParseRegex parse_regex;
90 
91 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
92 static void DetectByteExtractRegisterTests(void);
93 static void DetectByteExtractFree(DetectEngineCtx *, void *);
94 
95 /**
96  * \brief Registers the keyword handlers for the "byte_extract" keyword.
97  */
98 void DetectByteExtractRegister(void)
99 {
100  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
101  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
102  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
103  sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
104  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
105  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
106  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
107 
108  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
109 }
110 
111 int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
112  const Signature *s, const uint8_t *payload,
113  uint16_t payload_len, uint64_t *value,
114  uint8_t endian)
115 {
116  DetectByteExtractData *data = (DetectByteExtractData *)smd->ctx;
117  const uint8_t *ptr = NULL;
118  int32_t len = 0;
119  uint64_t val = 0;
120  int extbytes;
121 
122  if (payload_len == 0) {
123  return 0;
124  }
125 
126  /* Calculate the ptr value for the bytetest and length remaining in
127  * the packet from that point.
128  */
129  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
130  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
131  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
132 
133  ptr = payload + det_ctx->buffer_offset;
134  len = payload_len - det_ctx->buffer_offset;
135 
136  ptr += data->offset;
137  len -= data->offset;
138 
139  /* No match if there is no relative base */
140  if (len <= 0) {
141  return 0;
142  }
143  //PrintRawDataFp(stdout,ptr,len);
144  } else {
145  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
146 
147  ptr = payload + data->offset;
148  len = payload_len - data->offset;
149  }
150 
151  /* Validate that the to-be-extracted is within the packet */
152  if (ptr < payload || data->nbytes > len) {
153  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
154  payload, ptr, len, data->nbytes);
155  return 0;
156  }
157 
158  /* Extract the byte data */
159  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
160  extbytes = ByteExtractStringUint64(&val, data->base,
161  data->nbytes, (const char *)ptr);
162  if (extbytes <= 0) {
163  /* strtoull() return 0 if there is no numeric value in data string */
164  if (val == 0) {
165  SCLogDebug("No Numeric value");
166  return 0;
167  } else {
168  SCLogDebug("error extracting %d bytes of string data: %d",
169  data->nbytes, extbytes);
170  return -1;
171  }
172  }
173  } else {
174  int endianness = (endian == DETECT_BYTE_EXTRACT_ENDIAN_BIG) ?
175  BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
176  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
177  if (extbytes != data->nbytes) {
178  SCLogDebug("error extracting %d bytes of numeric data: %d",
179  data->nbytes, extbytes);
180  return 0;
181  }
182  }
183 
184  /* Adjust the jump value based on flags */
185  val *= data->multiplier_value;
186  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
187  if ((val % data->align_value) != 0) {
188  val += data->align_value - (val % data->align_value);
189  }
190  }
191 
192  ptr += extbytes;
193 
194  det_ctx->buffer_offset = ptr - payload;
195 
196  *value = val;
197  SCLogDebug("extracted value is %"PRIu64, val);
198  return 1;
199 }
200 
201 /**
202  * \internal
203  * \brief Used to parse byte_extract arg.
204  *
205  * \param de_ctx Pointer to the detection engine context
206  * \arg The argument to parse.
207  *
208  * \param bed On success an instance containing the parsed data.
209  * On failure, NULL.
210  */
211 static inline DetectByteExtractData *DetectByteExtractParse(DetectEngineCtx *de_ctx, const char *arg)
212 {
213  DetectByteExtractData *bed = NULL;
214 #undef MAX_SUBSTRINGS
215 #define MAX_SUBSTRINGS 100
216  int ret = 0, res = 0;
217  int ov[MAX_SUBSTRINGS];
218  int i = 0;
219 
220  ret = DetectParsePcreExec(&parse_regex, arg, 0, 0, ov, MAX_SUBSTRINGS);
221  if (ret < 3 || ret > 19) {
222  SCLogError(SC_ERR_PCRE_PARSE, "parse error, ret %" PRId32
223  ", string \"%s\"", ret, arg);
224  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg to byte_extract : %s "
225  "for byte_extract", arg);
226  goto error;
227  }
228 
229  bed = SCMalloc(sizeof(DetectByteExtractData));
230  if (unlikely(bed == NULL))
231  goto error;
232  memset(bed, 0, sizeof(DetectByteExtractData));
233 
234  /* no of bytes to extract */
235  char nbytes_str[64] = "";
236  res = pcre_copy_substring((char *)arg, ov,
237  MAX_SUBSTRINGS, 1, nbytes_str, sizeof(nbytes_str));
238  if (res < 0) {
239  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
240  "for arg 1 for byte_extract");
241  goto error;
242  }
243  bed->nbytes = atoi(nbytes_str);
244 
245  /* offset */
246  char offset_str[64] = "";
247  res = pcre_copy_substring((char *)arg, ov,
248  MAX_SUBSTRINGS, 2, offset_str, sizeof(offset_str));
249  if (res < 0) {
250  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
251  "for arg 2 for byte_extract");
252  goto error;
253  }
254  int offset = atoi(offset_str);
255  if (offset < -65535 || offset > 65535) {
256  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract offset invalid - %d. "
257  "The right offset range is -65535 to 65535", offset);
258  goto error;
259  }
260  bed->offset = offset;
261 
262  /* var name */
263  char varname_str[256] = "";
264  res = pcre_copy_substring((char *)arg, ov,
265  MAX_SUBSTRINGS, 3, varname_str, sizeof(varname_str));
266  if (res < 0) {
267  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
268  "for arg 3 for byte_extract");
269  goto error;
270  }
271  bed->name = SCStrdup(varname_str);
272  if (bed->name == NULL)
273  goto error;
274 
275  /* check out other optional args */
276  for (i = 4; i < ret; i++) {
277  char opt_str[64] = "";
278  res = pcre_copy_substring((char *)arg, ov,
279  MAX_SUBSTRINGS, i, opt_str, sizeof(opt_str));
280  if (res < 0) {
281  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
282  "for arg %d for byte_extract", i);
283  goto error;
284  }
285 
286  if (strcmp("relative", opt_str) == 0) {
287  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
288  SCLogError(SC_ERR_INVALID_SIGNATURE, "relative specified more "
289  "than once for byte_extract");
290  goto error;
291  }
292  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
293  } else if (strcmp("multiplier", opt_str) == 0) {
294  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) {
295  SCLogError(SC_ERR_INVALID_SIGNATURE, "multiplier specified more "
296  "than once for byte_extract");
297  goto error;
298  }
299  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER;
300  i++;
301 
302  char multiplier_str[16] = "";
303  res = pcre_copy_substring((char *)arg, ov,
304  MAX_SUBSTRINGS, i, multiplier_str, sizeof(multiplier_str));
305  if (res < 0) {
306  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
307  "for arg %d for byte_extract", i);
308  goto error;
309  }
310  int multiplier = atoi(multiplier_str);
311  if (multiplier < DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT ||
312  multiplier > DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT) {
313  SCLogError(SC_ERR_INVALID_SIGNATURE, "multipiler_value invalid "
314  "- %d. The range is %d-%d",
315  multiplier,
316  DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT,
317  DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT);
318  goto error;
319  }
320  bed->multiplier_value = multiplier;
321  } else if (strcmp("big", opt_str) == 0) {
322  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
323  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
324  "more than once for byte_extract");
325  goto error;
326  }
327  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
328  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_BIG;
329  } else if (strcmp("little", opt_str) == 0) {
330  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
331  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
332  "more than once for byte_extract");
333  goto error;
334  }
335  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
336  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_LITTLE;
337  } else if (strcmp("dce", opt_str) == 0) {
338  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
339  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
340  "more than once for byte_extract");
341  goto error;
342  }
343  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
344  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DCE;
345  } else if (strcmp("string", opt_str) == 0) {
346  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
347  SCLogError(SC_ERR_INVALID_SIGNATURE, "string specified more "
348  "than once for byte_extract");
349  goto error;
350  }
351  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
352  SCLogError(SC_ERR_INVALID_SIGNATURE, "The right way to specify "
353  "base is (string, base) and not (base, string) "
354  "for byte_extract");
355  goto error;
356  }
357  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_STRING;
358  } else if (strcmp("hex", opt_str) == 0) {
359  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
360  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(hex) specified "
361  "without specifying string. The right way is "
362  "(string, base) and not (base, string)");
363  goto error;
364  }
365  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
366  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
367  "specified for byte_extract");
368  goto error;
369  }
370  bed->base = DETECT_BYTE_EXTRACT_BASE_HEX;
371  } else if (strcmp("oct", opt_str) == 0) {
372  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
373  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(oct) specified "
374  "without specifying string. The right way is "
375  "(string, base) and not (base, string)");
376  goto error;
377  }
378  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
379  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
380  "specified for byte_extract");
381  goto error;
382  }
383  bed->base = DETECT_BYTE_EXTRACT_BASE_OCT;
384  } else if (strcmp("dec", opt_str) == 0) {
385  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
386  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(dec) specified "
387  "without specifying string. The right way is "
388  "(string, base) and not (base, string)");
389  goto error;
390  }
391  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
392  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
393  "specified for byte_extract");
394  goto error;
395  }
396  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
397  } else if (strcmp("align", opt_str) == 0) {
398  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
399  SCLogError(SC_ERR_INVALID_SIGNATURE, "Align specified more "
400  "than once for byte_extract");
401  goto error;
402  }
403  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ALIGN;
404  i++;
405 
406  char align_str[16] = "";
407  res = pcre_copy_substring((char *)arg, ov,
408  MAX_SUBSTRINGS, i, align_str, sizeof(align_str));
409  if (res < 0) {
410  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
411  "for arg %d in byte_extract", i);
412  goto error;
413  }
414  bed->align_value = atoi(align_str);
415  if (!(bed->align_value == 2 || bed->align_value == 4)) {
416  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid align_value for "
417  "byte_extract - \"%d\"", bed->align_value);
418  goto error;
419  }
420  } else if (strcmp("", opt_str) == 0) {
421  ;
422  } else {
423  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid option - \"%s\" "
424  "specified in byte_extract", opt_str);
425  goto error;
426  }
427  } /* for (i = 4; i < ret; i++) */
428 
429  /* validation */
430  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER)) {
431  /* default value */
432  bed->multiplier_value = DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT;
433  }
434 
435  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
436  if (bed->base == DETECT_BYTE_EXTRACT_BASE_NONE) {
437  /* Default to decimal if base not specified. */
438  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
439  }
440  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
441  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't have "
442  "endian \"big\" or \"little\" specified along with "
443  "\"string\"");
444  goto error;
445  }
446  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
447  /* if are dealing with octal nos, the max no that can fit in a 8
448  * byte value is 01777777777777777777777 */
449  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
450  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
451  "more than %d bytes in \"string\" extraction",
452  STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
453  goto error;
454  }
455  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
456  /* if are dealing with decimal nos, the max no that can fit in a 8
457  * byte value is 18446744073709551615 */
458  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
459  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
460  "more than %d bytes in \"string\" extraction",
461  STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
462  goto error;
463  }
464  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
465  /* if are dealing with hex nos, the max no that can fit in a 8
466  * byte value is 0xFFFFFFFFFFFFFFFF */
467  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
468  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
469  "more than %d bytes in \"string\" extraction",
470  STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
471  goto error;
472  }
473  } else {
474  ; // just a placeholder. we won't reach here.
475  }
476  } else {
477  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
478  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
479  "more than %d bytes in \"non-string\" extraction",
480  NO_STRING_MAX_BYTES_TO_EXTRACT);
481  goto error;
482  }
483  /* if string has not been specified and no endian option has been
484  * specified, then set the default endian level of BIG */
485  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
486  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT;
487  }
488 
489  return bed;
490  error:
491  if (bed != NULL)
492  DetectByteExtractFree(de_ctx, bed);
493  return NULL;
494 }
495 
496 /**
497  * \brief The setup function for the byte_extract keyword for a signature.
498  *
499  * \param de_ctx Pointer to the detection engine context.
500  * \param s Pointer to signature for the current Signature being parsed
501  * from the rules.
502  * \param m Pointer to the head of the SigMatch for the current rule
503  * being parsed.
504  * \param arg Pointer to the string holding the keyword value.
505  *
506  * \retval 0 On success.
507  * \retval -1 On failure.
508  */
509 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
510 {
511  SigMatch *sm = NULL;
512  SigMatch *prev_pm = NULL;
513  DetectByteExtractData *data = NULL;
514  int ret = -1;
515 
516  data = DetectByteExtractParse(de_ctx, arg);
517  if (data == NULL)
518  goto error;
519 
520  int sm_list;
521  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
522  sm_list = s->init_data->list;
523 
524  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
525  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
526  }
527  } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
528  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
529  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
530  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
531  DETECT_ISDATAAT, -1);
532  if (prev_pm == NULL) {
533  sm_list = DETECT_SM_LIST_PMATCH;
534  } else {
535  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
536  if (sm_list < 0)
537  goto error;
538  }
539  } else {
540  sm_list = DETECT_SM_LIST_PMATCH;
541  }
542 
543  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
544  goto error;
545  s->flags |= SIG_FLAG_APPLAYER;
546 
547  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
548  prev_pm = DetectGetLastSMFromLists(s,
549  DETECT_CONTENT, DETECT_PCRE,
550  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
551  DETECT_ISDATAAT, -1);
552  if (prev_pm == NULL) {
553  sm_list = DETECT_SM_LIST_PMATCH;
554  } else {
555  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
556  if (sm_list < 0)
557  goto error;
558  if (sm_list != DETECT_SM_LIST_PMATCH)
559  s->flags |= SIG_FLAG_APPLAYER;
560  }
561 
562  } else {
563  sm_list = DETECT_SM_LIST_PMATCH;
564  }
565 
566  if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
567  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
568  goto error;
569 
570  if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
571  (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
572  (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
573  (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
574  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
575  "A byte_jump keyword with dce holds other invalid modifiers.");
576  goto error;
577  }
578  }
579 
580  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
581  DETECT_BYTE_EXTRACT, -1);
582  if (prev_bed_sm == NULL)
583  data->local_id = 0;
584  else
585  data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
586  if (data->local_id > de_ctx->byte_extract_max_local_id)
587  de_ctx->byte_extract_max_local_id = data->local_id;
588 
589 
590  sm = SigMatchAlloc();
591  if (sm == NULL)
592  goto error;
593  sm->type = DETECT_BYTE_EXTRACT;
594  sm->ctx = (void *)data;
595  SigMatchAppendSMToList(s, sm, sm_list);
596 
597 
598  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
599  goto okay;
600 
601  if (prev_pm == NULL)
602  goto okay;
603 
604  if (prev_pm->type == DETECT_CONTENT) {
605  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
606  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
607  } else if (prev_pm->type == DETECT_PCRE) {
608  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
609  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
610  }
611 
612  okay:
613  ret = 0;
614  return ret;
615  error:
616  DetectByteExtractFree(de_ctx, data);
617  return ret;
618 }
619 
620 /**
621  * \brief Used to free instances of DetectByteExtractData.
622  *
623  * \param ptr Instance of DetectByteExtractData to be freed.
624  */
625 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
626 {
627  if (ptr != NULL) {
628  DetectByteExtractData *bed = ptr;
629  if (bed->name != NULL)
630  SCFree((void *)bed->name);
631  SCFree(bed);
632  }
633 
634  return;
635 }
636 
637 /**
638  * \brief Lookup the SigMatch for a named byte_extract variable.
639  *
640  * \param arg The name of the byte_extract variable to lookup.
641  * \param s Pointer the signature to look in.
642  *
643  * \retval A pointer to the SigMatch if found, otherwise NULL.
644  */
645 SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
646 {
647  const int nlists = s->init_data->smlists_array_size;
648  for (int list = 0; list < nlists; list++) {
649  SigMatch *sm = s->init_data->smlists[list];
650  while (sm != NULL) {
651  if (sm->type == DETECT_BYTE_EXTRACT) {
652  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
653  if (strcmp(bed->name, arg) == 0) {
654  return sm;
655  }
656  }
657  sm = sm->next;
658  }
659  }
660 
661  return NULL;
662 }
663 
664 /*************************************Unittests********************************/
665 
666 #ifdef UNITTESTS
667 
668 static int g_file_data_buffer_id = 0;
669 static int g_http_uri_buffer_id = 0;
670 
671 static int DetectByteExtractTest01(void)
672 {
673  int result = 0;
674 
675  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
676  if (bed == NULL)
677  goto end;
678 
679  if (bed->nbytes != 4 ||
680  bed->offset != 2 ||
681  strcmp(bed->name, "one") != 0 ||
682  bed->flags != 0 ||
683  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
684  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
685  bed->align_value != 0 ||
686  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
687  goto end;
688  }
689 
690  result = 1;
691  end:
692  if (bed != NULL)
693  DetectByteExtractFree(NULL, bed);
694  return result;
695 }
696 
697 static int DetectByteExtractTest02(void)
698 {
699  int result = 0;
700 
701  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
702  if (bed == NULL)
703  goto end;
704 
705  if (bed->nbytes != 4 ||
706  bed->offset != 2 ||
707  strcmp(bed->name, "one") != 0 ||
708  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE ||
709  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
710  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
711  bed->align_value != 0 ||
712  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
713  goto end;
714  }
715 
716  result = 1;
717  end:
718  if (bed != NULL)
719  DetectByteExtractFree(NULL, bed);
720  return result;
721 }
722 
723 static int DetectByteExtractTest03(void)
724 {
725  int result = 0;
726 
727  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
728  if (bed == NULL)
729  goto end;
730 
731  if (bed->nbytes != 4 ||
732  bed->offset != 2 ||
733  strcmp(bed->name, "one") != 0 ||
734  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER ||
735  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
736  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
737  bed->align_value != 0 ||
738  bed->multiplier_value != 10) {
739  goto end;
740  }
741 
742  result = 1;
743  end:
744  if (bed != NULL)
745  DetectByteExtractFree(NULL, bed);
746  return result;
747 }
748 
749 static int DetectByteExtractTest04(void)
750 {
751  int result = 0;
752 
753  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
754  if (bed == NULL)
755  goto end;
756 
757  if (bed->nbytes != 4 ||
758  bed->offset != 2 ||
759  strcmp(bed->name, "one") != 0 ||
760  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
761  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
762  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
763  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
764  bed->align_value != 0 ||
765  bed->multiplier_value != 10) {
766  goto end;
767  }
768 
769  result = 1;
770  end:
771  if (bed != NULL)
772  DetectByteExtractFree(NULL, bed);
773  return result;
774 }
775 
776 static int DetectByteExtractTest05(void)
777 {
778  int result = 0;
779 
780  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
781  if (bed == NULL)
782  goto end;
783 
784  if (bed->nbytes != 4 ||
785  bed->offset != 2 ||
786  strcmp(bed->name, "one") != 0 ||
787  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
788  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
789  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
790  bed->align_value != 0 ||
791  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
792  goto end;
793  }
794 
795  result = 1;
796  end:
797  if (bed != NULL)
798  DetectByteExtractFree(NULL, bed);
799  return result;
800 }
801 
802 static int DetectByteExtractTest06(void)
803 {
804  int result = 0;
805 
806  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
807  if (bed == NULL)
808  goto end;
809 
810  if (bed->nbytes != 4 ||
811  bed->offset != 2 ||
812  strcmp(bed->name, "one") != 0 ||
813  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
814  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
815  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
816  bed->align_value != 0 ||
817  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
818  goto end;
819  }
820 
821  result = 1;
822  end:
823  if (bed != NULL)
824  DetectByteExtractFree(NULL, bed);
825  return result;
826 }
827 
828 static int DetectByteExtractTest07(void)
829 {
830  int result = 0;
831 
832  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
833  if (bed == NULL)
834  goto end;
835 
836  if (bed->nbytes != 4 ||
837  bed->offset != 2 ||
838  strcmp(bed->name, "one") != 0 ||
839  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
840  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
841  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
842  bed->align_value != 0 ||
843  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
844  goto end;
845  }
846 
847  result = 1;
848  end:
849  if (bed != NULL)
850  DetectByteExtractFree(NULL, bed);
851  return result;
852 }
853 
854 static int DetectByteExtractTest08(void)
855 {
856  int result = 0;
857 
858  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
859  if (bed == NULL)
860  goto end;
861 
862  if (bed->nbytes != 4 ||
863  bed->offset != 2 ||
864  strcmp(bed->name, "one") != 0 ||
865  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
866  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
867  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
868  bed->align_value != 0 ||
869  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
870  goto end;
871  }
872 
873  result = 1;
874  end:
875  if (bed != NULL)
876  DetectByteExtractFree(NULL, bed);
877  return result;
878 }
879 
880 static int DetectByteExtractTest09(void)
881 {
882  int result = 0;
883 
884  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
885  if (bed == NULL)
886  goto end;
887 
888  if (bed->nbytes != 4 ||
889  bed->offset != 2 ||
890  strcmp(bed->name, "one") != 0 ||
891  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
892  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
893  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT ||
894  bed->align_value != 0 ||
895  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
896  goto end;
897  }
898 
899  result = 1;
900  end:
901  if (bed != NULL)
902  DetectByteExtractFree(NULL, bed);
903  return result;
904 }
905 
906 static int DetectByteExtractTest10(void)
907 {
908  int result = 0;
909 
910  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
911  if (bed == NULL)
912  goto end;
913 
914  if (bed->nbytes != 4 ||
915  bed->offset != 2 ||
916  strcmp(bed->name, "one") != 0 ||
917  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
918  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
919  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC ||
920  bed->align_value != 0 ||
921  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
922  goto end;
923  }
924 
925  result = 1;
926  end:
927  if (bed != NULL)
928  DetectByteExtractFree(NULL, bed);
929  return result;
930 }
931 
932 static int DetectByteExtractTest11(void)
933 {
934  int result = 0;
935 
936  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
937  if (bed == NULL)
938  goto end;
939 
940  if (bed->nbytes != 4 ||
941  bed->offset != 2 ||
942  strcmp(bed->name, "one") != 0 ||
943  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN ||
944  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
945  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
946  bed->align_value != 4 ||
947  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
948  goto end;
949  }
950 
951  result = 1;
952  end:
953  if (bed != NULL)
954  DetectByteExtractFree(NULL, bed);
955  return result;
956 }
957 
958 static int DetectByteExtractTest12(void)
959 {
960  int result = 0;
961 
962  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
963  if (bed == NULL)
964  goto end;
965 
966  if (bed->nbytes != 4 ||
967  bed->offset != 2 ||
968  strcmp(bed->name, "one") != 0 ||
969  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
970  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
971  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
972  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
973  bed->align_value != 4 ||
974  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
975  goto end;
976  }
977 
978  result = 1;
979  end:
980  if (bed != NULL)
981  DetectByteExtractFree(NULL, bed);
982  return result;
983 }
984 
985 static int DetectByteExtractTest13(void)
986 {
987  int result = 0;
988 
989  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
990  if (bed == NULL)
991  goto end;
992 
993  if (bed->nbytes != 4 ||
994  bed->offset != 2 ||
995  strcmp(bed->name, "one") != 0 ||
996  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
997  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
998  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
999  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
1000  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1001  bed->align_value != 4 ||
1002  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1003  goto end;
1004  }
1005 
1006  result = 1;
1007  end:
1008  if (bed != NULL)
1009  DetectByteExtractFree(NULL, bed);
1010  return result;
1011 }
1012 
1013 static int DetectByteExtractTest14(void)
1014 {
1015  int result = 0;
1016 
1017  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
1018  if (bed == NULL)
1019  goto end;
1020 
1021  if (bed->nbytes != 4 ||
1022  bed->offset != 2 ||
1023  strcmp(bed->name, "one") != 0 ||
1024  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1025  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1026  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1027  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
1028  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1029  bed->align_value != 4 ||
1030  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1031  goto end;
1032  }
1033 
1034  result = 1;
1035  end:
1036  if (bed != NULL)
1037  DetectByteExtractFree(NULL, bed);
1038  return result;
1039 }
1040 
1041 static int DetectByteExtractTest15(void)
1042 {
1043  int result = 0;
1044 
1045  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
1046  if (bed == NULL)
1047  goto end;
1048 
1049  if (bed->nbytes != 4 ||
1050  bed->offset != 2 ||
1051  strcmp(bed->name, "one") != 0 ||
1052  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1053  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1054  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1055  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1056  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1057  bed->align_value != 4 ||
1058  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1059  goto end;
1060  }
1061 
1062  result = 1;
1063  end:
1064  if (bed != NULL)
1065  DetectByteExtractFree(NULL, bed);
1066  return result;
1067 }
1068 
1069 static int DetectByteExtractTest16(void)
1070 {
1071  int result = 0;
1072 
1073  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
1074  if (bed == NULL)
1075  goto end;
1076 
1077  if (bed->nbytes != 4 ||
1078  bed->offset != 2 ||
1079  strcmp(bed->name, "one") != 0 ||
1080  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1081  DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1082  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1083  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
1084  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1085  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1086  bed->align_value != 4 ||
1087  bed->multiplier_value != 2) {
1088  goto end;
1089  }
1090 
1091  result = 1;
1092  end:
1093  if (bed != NULL)
1094  DetectByteExtractFree(NULL, bed);
1095  return result;
1096 }
1097 
1098 static int DetectByteExtractTest17(void)
1099 {
1100  int result = 0;
1101 
1102  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1103  "relative, little, "
1104  "multiplier 2, string hex");
1105  if (bed != NULL)
1106  goto end;
1107 
1108  result = 1;
1109  end:
1110  if (bed != NULL)
1111  DetectByteExtractFree(NULL, bed);
1112  return result;
1113 }
1114 
1115 static int DetectByteExtractTest18(void)
1116 {
1117  int result = 0;
1118 
1119  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1120  "relative, little, "
1121  "multiplier 2, "
1122  "relative");
1123  if (bed != NULL)
1124  goto end;
1125 
1126  result = 1;
1127  end:
1128  if (bed != NULL)
1129  DetectByteExtractFree(NULL, bed);
1130  return result;
1131 }
1132 
1133 static int DetectByteExtractTest19(void)
1134 {
1135  int result = 0;
1136 
1137  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1138  "relative, little, "
1139  "multiplier 2, "
1140  "little");
1141  if (bed != NULL)
1142  goto end;
1143 
1144  result = 1;
1145  end:
1146  if (bed != NULL)
1147  DetectByteExtractFree(NULL, bed);
1148  return result;
1149 }
1150 
1151 static int DetectByteExtractTest20(void)
1152 {
1153  int result = 0;
1154 
1155  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1156  "relative, "
1157  "multiplier 2, "
1158  "align 2");
1159  if (bed != NULL)
1160  goto end;
1161 
1162  result = 1;
1163  end:
1164  if (bed != NULL)
1165  DetectByteExtractFree(NULL, bed);
1166  return result;
1167 }
1168 
1169 static int DetectByteExtractTest21(void)
1170 {
1171  int result = 0;
1172 
1173  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1174  "multiplier 2, "
1175  "relative, "
1176  "multiplier 2");
1177  if (bed != NULL)
1178  goto end;
1179 
1180  result = 1;
1181  end:
1182  if (bed != NULL)
1183  DetectByteExtractFree(NULL, bed);
1184  return result;
1185 }
1186 
1187 static int DetectByteExtractTest22(void)
1188 {
1189  int result = 0;
1190 
1191  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1192  "string hex, "
1193  "relative, "
1194  "string hex");
1195  if (bed != NULL)
1196  goto end;
1197 
1198  result = 1;
1199  end:
1200  if (bed != NULL)
1201  DetectByteExtractFree(NULL, bed);
1202  return result;
1203 }
1204 
1205 static int DetectByteExtractTest23(void)
1206 {
1207  int result = 0;
1208 
1209  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1210  "string hex, "
1211  "relative, "
1212  "string oct");
1213  if (bed != NULL)
1214  goto end;
1215 
1216  result = 1;
1217  end:
1218  if (bed != NULL)
1219  DetectByteExtractFree(NULL, bed);
1220  return result;
1221 }
1222 
1223 static int DetectByteExtractTest24(void)
1224 {
1225  int result = 0;
1226 
1227  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
1228  "string hex, "
1229  "relative");
1230  if (bed != NULL)
1231  goto end;
1232 
1233  result = 1;
1234  end:
1235  if (bed != NULL)
1236  DetectByteExtractFree(NULL, bed);
1237  return result;
1238 }
1239 
1240 static int DetectByteExtractTest25(void)
1241 {
1242  int result = 0;
1243 
1244  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
1245  "little, "
1246  "relative");
1247  if (bed != NULL)
1248  goto end;
1249 
1250  result = 1;
1251  end:
1252  if (bed != NULL)
1253  DetectByteExtractFree(NULL, bed);
1254  return result;
1255 }
1256 
1257 static int DetectByteExtractTest26(void)
1258 {
1259  int result = 0;
1260 
1261  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1262  "little, "
1263  "relative, "
1264  "multiplier 65536");
1265  if (bed != NULL)
1266  goto end;
1267 
1268  result = 1;
1269  end:
1270  if (bed != NULL)
1271  DetectByteExtractFree(NULL, bed);
1272  return result;
1273 }
1274 
1275 static int DetectByteExtractTest27(void)
1276 {
1277  int result = 0;
1278 
1279  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1280  "little, "
1281  "relative, "
1282  "multiplier 0");
1283  if (bed != NULL)
1284  goto end;
1285 
1286  result = 1;
1287  end:
1288  if (bed != NULL)
1289  DetectByteExtractFree(NULL, bed);
1290  return result;
1291 }
1292 
1293 static int DetectByteExtractTest28(void)
1294 {
1295  int result = 0;
1296 
1297  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
1298  if (bed == NULL)
1299  goto end;
1300 
1301  result = 1;
1302  end:
1303  if (bed != NULL)
1304  DetectByteExtractFree(NULL, bed);
1305  return result;
1306 }
1307 
1308 static int DetectByteExtractTest29(void)
1309 {
1310  int result = 0;
1311 
1312  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
1313  if (bed != NULL)
1314  goto end;
1315 
1316  result = 1;
1317  end:
1318  if (bed != NULL)
1319  DetectByteExtractFree(NULL, bed);
1320  return result;
1321 }
1322 
1323 static int DetectByteExtractTest30(void)
1324 {
1325  int result = 0;
1326 
1327  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1328  if (bed == NULL)
1329  goto end;
1330 
1331  result = 1;
1332  end:
1333  if (bed != NULL)
1334  DetectByteExtractFree(NULL, bed);
1335  return result;
1336 }
1337 
1338 static int DetectByteExtractTest31(void)
1339 {
1340  int result = 0;
1341 
1342  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1343  if (bed != NULL)
1344  goto end;
1345 
1346  result = 1;
1347  end:
1348  if (bed != NULL)
1349  DetectByteExtractFree(NULL, bed);
1350  return result;
1351 }
1352 
1353 static int DetectByteExtractTest32(void)
1354 {
1355  int result = 0;
1356 
1357  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1358  if (bed == NULL)
1359  goto end;
1360 
1361  result = 1;
1362  end:
1363  if (bed != NULL)
1364  DetectByteExtractFree(NULL, bed);
1365  return result;
1366 }
1367 
1368 static int DetectByteExtractTest33(void)
1369 {
1370  int result = 0;
1371 
1372  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1373  if (bed != NULL)
1374  goto end;
1375 
1376  result = 1;
1377  end:
1378  if (bed != NULL)
1379  DetectByteExtractFree(NULL, bed);
1380  return result;
1381 }
1382 
1383 static int DetectByteExtractTest34(void)
1384 {
1385  DetectEngineCtx *de_ctx = NULL;
1386  int result = 0;
1387  Signature *s = NULL;
1388  SigMatch *sm = NULL;
1389  DetectContentData *cd = NULL;
1390  DetectByteExtractData *bed = NULL;
1391 
1392  de_ctx = DetectEngineCtxInit();
1393  if (de_ctx == NULL)
1394  goto end;
1395 
1396  de_ctx->flags |= DE_QUIET;
1397  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1398  "(msg:\"Testing bytejump_body\"; "
1399  "content:\"one\"; "
1400  "byte_extract:4,2,two,relative,string,hex; "
1401  "sid:1;)");
1402  if (de_ctx->sig_list == NULL) {
1403  result = 0;
1404  goto end;
1405  }
1406 
1407  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1408  result = 0;
1409  goto end;
1410  }
1411 
1412  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1413  if (sm->type != DETECT_CONTENT) {
1414  result = 0;
1415  goto end;
1416  }
1417  cd = (DetectContentData *)sm->ctx;
1418  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1419  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1420  cd->flags & DETECT_CONTENT_NOCASE ||
1421  cd->flags & DETECT_CONTENT_WITHIN ||
1422  cd->flags & DETECT_CONTENT_DISTANCE ||
1423  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1424  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1425  cd->flags & DETECT_CONTENT_NEGATED ) {
1426  printf("one failed\n");
1427  result = 0;
1428  goto end;
1429  }
1430 
1431  sm = sm->next;
1432  if (sm->type != DETECT_BYTE_EXTRACT) {
1433  result = 0;
1434  goto end;
1435  }
1436  bed = (DetectByteExtractData *)sm->ctx;
1437  if (bed->nbytes != 4 ||
1438  bed->offset != 2 ||
1439  strncmp(bed->name, "two", cd->content_len) != 0 ||
1440  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1441  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1442  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1443  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1444  bed->align_value != 0 ||
1445  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1446  goto end;
1447  }
1448 
1449  result = 1;
1450 
1451  end:
1452  SigGroupCleanup(de_ctx);
1453  SigCleanSignatures(de_ctx);
1454  DetectEngineCtxFree(de_ctx);
1455 
1456  return result;
1457 }
1458 
1459 static int DetectByteExtractTest35(void)
1460 {
1461  DetectEngineCtx *de_ctx = NULL;
1462  int result = 0;
1463  Signature *s = NULL;
1464  SigMatch *sm = NULL;
1465  DetectContentData *cd = NULL;
1466  DetectPcreData *pd = NULL;
1467  DetectByteExtractData *bed = NULL;
1468 
1469  de_ctx = DetectEngineCtxInit();
1470  if (de_ctx == NULL)
1471  goto end;
1472 
1473  de_ctx->flags |= DE_QUIET;
1474  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1475  "(msg:\"Testing bytejump_body\"; "
1476  "content:\"one\"; pcre:/asf/; "
1477  "byte_extract:4,0,two,relative,string,hex; "
1478  "sid:1;)");
1479  if (de_ctx->sig_list == NULL) {
1480  result = 0;
1481  goto end;
1482  }
1483 
1484  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1485  result = 0;
1486  goto end;
1487  }
1488 
1489  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1490  if (sm->type != DETECT_CONTENT) {
1491  result = 0;
1492  goto end;
1493  }
1494  cd = (DetectContentData *)sm->ctx;
1495  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1496  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1497  cd->flags & DETECT_CONTENT_NOCASE ||
1498  cd->flags & DETECT_CONTENT_WITHIN ||
1499  cd->flags & DETECT_CONTENT_DISTANCE ||
1500  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1501  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1502  cd->flags & DETECT_CONTENT_NEGATED ) {
1503  printf("one failed\n");
1504  result = 0;
1505  goto end;
1506  }
1507 
1508  sm = sm->next;
1509  if (sm->type != DETECT_PCRE) {
1510  result = 0;
1511  goto end;
1512  }
1513  pd = (DetectPcreData *)sm->ctx;
1514  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1515  result = 0;
1516  goto end;
1517  }
1518 
1519  sm = sm->next;
1520  if (sm->type != DETECT_BYTE_EXTRACT) {
1521  result = 0;
1522  goto end;
1523  }
1524  bed = (DetectByteExtractData *)sm->ctx;
1525  if (bed->nbytes != 4 ||
1526  bed->offset != 0 ||
1527  strcmp(bed->name, "two") != 0 ||
1528  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1529  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1530  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1531  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1532  bed->align_value != 0 ||
1533  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1534  goto end;
1535  }
1536 
1537  result = 1;
1538 
1539  end:
1540  SigGroupCleanup(de_ctx);
1541  SigCleanSignatures(de_ctx);
1542  DetectEngineCtxFree(de_ctx);
1543 
1544  return result;
1545 }
1546 
1547 static int DetectByteExtractTest36(void)
1548 {
1549  DetectEngineCtx *de_ctx = NULL;
1550  int result = 0;
1551  Signature *s = NULL;
1552  SigMatch *sm = NULL;
1553  DetectContentData *cd = NULL;
1554  DetectBytejumpData *bjd = NULL;
1555  DetectByteExtractData *bed = NULL;
1556 
1557  de_ctx = DetectEngineCtxInit();
1558  if (de_ctx == NULL)
1559  goto end;
1560 
1561  de_ctx->flags |= DE_QUIET;
1562  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1563  "(msg:\"Testing bytejump_body\"; "
1564  "content:\"one\"; byte_jump:1,13; "
1565  "byte_extract:4,0,two,relative,string,hex; "
1566  "sid:1;)");
1567  if (de_ctx->sig_list == NULL) {
1568  result = 0;
1569  goto end;
1570  }
1571 
1572  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1573  result = 0;
1574  goto end;
1575  }
1576 
1577  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1578  if (sm->type != DETECT_CONTENT) {
1579  result = 0;
1580  goto end;
1581  }
1582  cd = (DetectContentData *)sm->ctx;
1583  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1584  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1585  cd->flags & DETECT_CONTENT_NOCASE ||
1586  cd->flags & DETECT_CONTENT_WITHIN ||
1587  cd->flags & DETECT_CONTENT_DISTANCE ||
1588  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1589  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1590  cd->flags & DETECT_CONTENT_NEGATED ) {
1591  printf("one failed\n");
1592  result = 0;
1593  goto end;
1594  }
1595 
1596  sm = sm->next;
1597  if (sm->type != DETECT_BYTEJUMP) {
1598  result = 0;
1599  goto end;
1600  }
1601  bjd = (DetectBytejumpData *)sm->ctx;
1602  if (bjd->flags != 0) {
1603  result = 0;
1604  goto end;
1605  }
1606 
1607  sm = sm->next;
1608  if (sm->type != DETECT_BYTE_EXTRACT) {
1609  result = 0;
1610  goto end;
1611  }
1612  bed = (DetectByteExtractData *)sm->ctx;
1613  if (bed->nbytes != 4 ||
1614  bed->offset != 0 ||
1615  strcmp(bed->name, "two") != 0 ||
1616  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1617  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1618  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1619  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1620  bed->align_value != 0 ||
1621  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1622  goto end;
1623  }
1624 
1625  result = 1;
1626 
1627  end:
1628  SigGroupCleanup(de_ctx);
1629  SigCleanSignatures(de_ctx);
1630  DetectEngineCtxFree(de_ctx);
1631 
1632  return result;
1633 }
1634 
1635 static int DetectByteExtractTest37(void)
1636 {
1637  DetectEngineCtx *de_ctx = NULL;
1638  int result = 0;
1639  Signature *s = NULL;
1640  SigMatch *sm = NULL;
1641  DetectContentData *cd = NULL;
1642  DetectContentData *ud = NULL;
1643  DetectByteExtractData *bed = NULL;
1644 
1645  de_ctx = DetectEngineCtxInit();
1646  if (de_ctx == NULL)
1647  goto end;
1648 
1649  de_ctx->flags |= DE_QUIET;
1650  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1651  "(msg:\"Testing bytejump_body\"; "
1652  "content:\"one\"; uricontent:\"two\"; "
1653  "byte_extract:4,0,two,relative,string,hex; "
1654  "sid:1;)");
1655  if (de_ctx->sig_list == NULL) {
1656  result = 0;
1657  goto end;
1658  }
1659 
1660  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1661  result = 0;
1662  goto end;
1663  }
1664 
1665  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1666  if (sm->type != DETECT_CONTENT) {
1667  result = 0;
1668  goto end;
1669  }
1670  cd = (DetectContentData *)sm->ctx;
1671  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1672  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1673  cd->flags & DETECT_CONTENT_NOCASE ||
1674  cd->flags & DETECT_CONTENT_WITHIN ||
1675  cd->flags & DETECT_CONTENT_DISTANCE ||
1676  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1677  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1678  cd->flags & DETECT_CONTENT_NEGATED ) {
1679  printf("one failed\n");
1680  result = 0;
1681  goto end;
1682  }
1683 
1684  if (sm->next != NULL) {
1685  result = 0;
1686  goto end;
1687  }
1688 
1689  sm = s->sm_lists[g_http_uri_buffer_id];
1690  if (sm->type != DETECT_CONTENT) {
1691  result = 0;
1692  goto end;
1693  }
1694  ud = (DetectContentData *)sm->ctx;
1695  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1696  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1697  ud->flags & DETECT_CONTENT_NOCASE ||
1698  ud->flags & DETECT_CONTENT_WITHIN ||
1699  ud->flags & DETECT_CONTENT_DISTANCE ||
1700  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1701  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1702  ud->flags & DETECT_CONTENT_NEGATED ) {
1703  printf("two failed\n");
1704  result = 0;
1705  goto end;
1706  }
1707 
1708  sm = sm->next;
1709  if (sm->type != DETECT_BYTE_EXTRACT) {
1710  result = 0;
1711  goto end;
1712  }
1713  bed = (DetectByteExtractData *)sm->ctx;
1714  if (bed->nbytes != 4 ||
1715  bed->offset != 0 ||
1716  strcmp(bed->name, "two") != 0 ||
1717  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1718  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1719  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1720  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1721  bed->align_value != 0 ||
1722  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1723  goto end;
1724  }
1725 
1726  result = 1;
1727 
1728  end:
1729  SigGroupCleanup(de_ctx);
1730  SigCleanSignatures(de_ctx);
1731  DetectEngineCtxFree(de_ctx);
1732 
1733  return result;
1734 }
1735 
1736 static int DetectByteExtractTest38(void)
1737 {
1738  DetectEngineCtx *de_ctx = NULL;
1739  int result = 0;
1740  Signature *s = NULL;
1741  SigMatch *sm = NULL;
1742  DetectContentData *cd = NULL;
1743  DetectContentData *ud = NULL;
1744  DetectByteExtractData *bed = NULL;
1745 
1746  de_ctx = DetectEngineCtxInit();
1747  if (de_ctx == NULL)
1748  goto end;
1749 
1750  de_ctx->flags |= DE_QUIET;
1751  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1752  "(msg:\"Testing bytejump_body\"; "
1753  "content:\"one\"; uricontent:\"two\"; "
1754  "byte_extract:4,0,two,string,hex; "
1755  "sid:1;)");
1756  if (de_ctx->sig_list == NULL) {
1757  result = 0;
1758  goto end;
1759  }
1760 
1761  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1762  result = 0;
1763  goto end;
1764  }
1765 
1766  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1767  if (sm->type != DETECT_CONTENT) {
1768  result = 0;
1769  goto end;
1770  }
1771  cd = (DetectContentData *)sm->ctx;
1772  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1773  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1774  cd->flags & DETECT_CONTENT_NOCASE ||
1775  cd->flags & DETECT_CONTENT_WITHIN ||
1776  cd->flags & DETECT_CONTENT_DISTANCE ||
1777  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1778  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1779  cd->flags & DETECT_CONTENT_NEGATED ) {
1780  printf("one failed\n");
1781  result = 0;
1782  goto end;
1783  }
1784 
1785  sm = sm->next;
1786  if (sm->type != DETECT_BYTE_EXTRACT) {
1787  result = 0;
1788  goto end;
1789  }
1790  bed = (DetectByteExtractData *)sm->ctx;
1791  if (bed->nbytes != 4 ||
1792  bed->offset != 0 ||
1793  strcmp(bed->name, "two") != 0 ||
1794  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
1795  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1796  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1797  bed->align_value != 0 ||
1798  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1799  goto end;
1800  }
1801 
1802  sm = s->sm_lists[g_http_uri_buffer_id];
1803  if (sm->type != DETECT_CONTENT) {
1804  result = 0;
1805  goto end;
1806  }
1807  ud = (DetectContentData *)sm->ctx;
1808  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1809  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1810  ud->flags & DETECT_CONTENT_NOCASE ||
1811  ud->flags & DETECT_CONTENT_WITHIN ||
1812  ud->flags & DETECT_CONTENT_DISTANCE ||
1813  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1814  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1815  ud->flags & DETECT_CONTENT_NEGATED ) {
1816  printf("two failed\n");
1817  result = 0;
1818  goto end;
1819  }
1820 
1821  if (sm->next != NULL) {
1822  result = 0;
1823  goto end;
1824  }
1825 
1826  result = 1;
1827 
1828  end:
1829  SigGroupCleanup(de_ctx);
1830  SigCleanSignatures(de_ctx);
1831  DetectEngineCtxFree(de_ctx);
1832 
1833  return result;
1834 }
1835 
1836 static int DetectByteExtractTest39(void)
1837 {
1838  DetectEngineCtx *de_ctx = NULL;
1839  int result = 0;
1840  Signature *s = NULL;
1841  SigMatch *sm = NULL;
1842  DetectContentData *cd = NULL;
1843  DetectContentData *ud = NULL;
1844  DetectByteExtractData *bed = NULL;
1845 
1846  de_ctx = DetectEngineCtxInit();
1847  if (de_ctx == NULL)
1848  goto end;
1849 
1850  de_ctx->flags |= DE_QUIET;
1851  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1852  "(msg:\"Testing bytejump_body\"; "
1853  "content:\"one\"; content:\"two\"; http_uri; "
1854  "byte_extract:4,0,two,relative,string,hex; "
1855  "sid:1;)");
1856  if (de_ctx->sig_list == NULL) {
1857  result = 0;
1858  goto end;
1859  }
1860 
1861  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1862  result = 0;
1863  goto end;
1864  }
1865 
1866  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1867  if (sm->type != DETECT_CONTENT) {
1868  result = 0;
1869  goto end;
1870  }
1871  cd = (DetectContentData *)sm->ctx;
1872  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1873  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1874  cd->flags & DETECT_CONTENT_NOCASE ||
1875  cd->flags & DETECT_CONTENT_WITHIN ||
1876  cd->flags & DETECT_CONTENT_DISTANCE ||
1877  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1878  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1879  cd->flags & DETECT_CONTENT_NEGATED ) {
1880  printf("one failed\n");
1881  result = 0;
1882  goto end;
1883  }
1884 
1885  if (sm->next != NULL) {
1886  result = 0;
1887  goto end;
1888  }
1889 
1890  sm = s->sm_lists[g_http_uri_buffer_id];
1891  if (sm->type != DETECT_CONTENT) {
1892  result = 0;
1893  goto end;
1894  }
1895  ud = (DetectContentData *)sm->ctx;
1896  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1897  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1898  ud->flags & DETECT_CONTENT_NOCASE ||
1899  ud->flags & DETECT_CONTENT_WITHIN ||
1900  ud->flags & DETECT_CONTENT_DISTANCE ||
1901  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1902  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1903  ud->flags & DETECT_CONTENT_NEGATED ) {
1904  printf("two failed\n");
1905  result = 0;
1906  goto end;
1907  }
1908 
1909  sm = sm->next;
1910  if (sm->type != DETECT_BYTE_EXTRACT) {
1911  result = 0;
1912  goto end;
1913  }
1914  bed = (DetectByteExtractData *)sm->ctx;
1915  if (bed->nbytes != 4 ||
1916  bed->offset != 0 ||
1917  strcmp(bed->name, "two") != 0 ||
1918  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1919  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1920  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1921  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1922  bed->align_value != 0 ||
1923  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1924  goto end;
1925  }
1926 
1927  result = 1;
1928 
1929  end:
1930  SigGroupCleanup(de_ctx);
1931  SigCleanSignatures(de_ctx);
1932  DetectEngineCtxFree(de_ctx);
1933 
1934  return result;
1935 }
1936 
1937 static int DetectByteExtractTest40(void)
1938 {
1939  DetectEngineCtx *de_ctx = NULL;
1940  int result = 0;
1941  Signature *s = NULL;
1942  SigMatch *sm = NULL;
1943  DetectContentData *cd = NULL;
1944  DetectContentData *ud = NULL;
1945  DetectByteExtractData *bed = NULL;
1946 
1947  de_ctx = DetectEngineCtxInit();
1948  if (de_ctx == NULL)
1949  goto end;
1950 
1951  de_ctx->flags |= DE_QUIET;
1952  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1953  "(msg:\"Testing bytejump_body\"; "
1954  "content:\"one\"; content:\"two\"; http_uri; "
1955  "byte_extract:4,0,two,string,hex; "
1956  "sid:1;)");
1957  if (de_ctx->sig_list == NULL) {
1958  result = 0;
1959  goto end;
1960  }
1961 
1962  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1963  result = 0;
1964  goto end;
1965  }
1966 
1967  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1968  if (sm->type != DETECT_CONTENT) {
1969  result = 0;
1970  goto end;
1971  }
1972  cd = (DetectContentData *)sm->ctx;
1973  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1974  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1975  cd->flags & DETECT_CONTENT_NOCASE ||
1976  cd->flags & DETECT_CONTENT_WITHIN ||
1977  cd->flags & DETECT_CONTENT_DISTANCE ||
1978  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1979  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1980  cd->flags & DETECT_CONTENT_NEGATED ) {
1981  printf("one failed\n");
1982  result = 0;
1983  goto end;
1984  }
1985 
1986  sm = sm->next;
1987  if (sm->type != DETECT_BYTE_EXTRACT) {
1988  result = 0;
1989  goto end;
1990  }
1991  bed = (DetectByteExtractData *)sm->ctx;
1992  if (bed->nbytes != 4 ||
1993  bed->offset != 0 ||
1994  strcmp(bed->name, "two") != 0 ||
1995  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
1996  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1997  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1998  bed->align_value != 0 ||
1999  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2000  goto end;
2001  }
2002 
2003  sm = s->sm_lists[g_http_uri_buffer_id];
2004  if (sm->type != DETECT_CONTENT) {
2005  result = 0;
2006  goto end;
2007  }
2008  ud = (DetectContentData *)sm->ctx;
2009  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2010  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
2011  ud->flags & DETECT_CONTENT_NOCASE ||
2012  ud->flags & DETECT_CONTENT_WITHIN ||
2013  ud->flags & DETECT_CONTENT_DISTANCE ||
2014  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2015  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2016  ud->flags & DETECT_CONTENT_NEGATED ) {
2017  printf("two failed\n");
2018  result = 0;
2019  goto end;
2020  }
2021 
2022  if (sm->next != NULL) {
2023  result = 0;
2024  goto end;
2025  }
2026 
2027  result = 1;
2028 
2029  end:
2030  SigGroupCleanup(de_ctx);
2031  SigCleanSignatures(de_ctx);
2032  DetectEngineCtxFree(de_ctx);
2033 
2034  return result;
2035 }
2036 
2037 static int DetectByteExtractTest41(void)
2038 {
2039  DetectEngineCtx *de_ctx = NULL;
2040  int result = 0;
2041  Signature *s = NULL;
2042  SigMatch *sm = NULL;
2043  DetectContentData *cd = NULL;
2044  DetectByteExtractData *bed = NULL;
2045 
2046  de_ctx = DetectEngineCtxInit();
2047  if (de_ctx == NULL)
2048  goto end;
2049 
2050  de_ctx->flags |= DE_QUIET;
2051  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2052  "(msg:\"Testing bytejump_body\"; "
2053  "content:\"one\"; "
2054  "byte_extract:4,0,two,string,hex; "
2055  "byte_extract:4,0,three,string,hex; "
2056  "sid:1;)");
2057  if (de_ctx->sig_list == NULL) {
2058  result = 0;
2059  goto end;
2060  }
2061 
2062  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2063  result = 0;
2064  goto end;
2065  }
2066 
2067  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2068  if (sm->type != DETECT_CONTENT) {
2069  result = 0;
2070  goto end;
2071  }
2072  cd = (DetectContentData *)sm->ctx;
2073  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2074  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2075  cd->flags & DETECT_CONTENT_NOCASE ||
2076  cd->flags & DETECT_CONTENT_WITHIN ||
2077  cd->flags & DETECT_CONTENT_DISTANCE ||
2078  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2079  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2080  cd->flags & DETECT_CONTENT_NEGATED ) {
2081  printf("one failed\n");
2082  result = 0;
2083  goto end;
2084  }
2085 
2086  sm = sm->next;
2087  if (sm->type != DETECT_BYTE_EXTRACT) {
2088  result = 0;
2089  goto end;
2090  }
2091  bed = (DetectByteExtractData *)sm->ctx;
2092  if (bed->nbytes != 4 ||
2093  bed->offset != 0 ||
2094  strcmp(bed->name, "two") != 0 ||
2095  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2096  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2097  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2098  bed->align_value != 0 ||
2099  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2100  goto end;
2101  }
2102  if (bed->local_id != 0) {
2103  result = 0;
2104  goto end;
2105  }
2106 
2107  sm = sm->next;
2108  if (sm->type != DETECT_BYTE_EXTRACT) {
2109  result = 0;
2110  goto end;
2111  }
2112  bed = (DetectByteExtractData *)sm->ctx;
2113  if (bed->nbytes != 4 ||
2114  bed->offset != 0 ||
2115  strcmp(bed->name, "three") != 0 ||
2116  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2117  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2118  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2119  bed->align_value != 0 ||
2120  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2121  goto end;
2122  }
2123  if (bed->local_id != 1) {
2124  result = 0;
2125  goto end;
2126  }
2127 
2128  result = 1;
2129 
2130  end:
2131  SigGroupCleanup(de_ctx);
2132  SigCleanSignatures(de_ctx);
2133  DetectEngineCtxFree(de_ctx);
2134 
2135  return result;
2136 }
2137 
2138 static int DetectByteExtractTest42(void)
2139 {
2140  DetectEngineCtx *de_ctx = NULL;
2141  int result = 0;
2142  Signature *s = NULL;
2143  SigMatch *sm = NULL;
2144  DetectContentData *cd = NULL;
2145  DetectContentData *ud = NULL;
2146  DetectByteExtractData *bed = NULL;
2147 
2148  de_ctx = DetectEngineCtxInit();
2149  if (de_ctx == NULL)
2150  goto end;
2151 
2152  de_ctx->flags |= DE_QUIET;
2153  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2154  "(msg:\"Testing bytejump_body\"; "
2155  "content:\"one\"; "
2156  "byte_extract:4,0,two,string,hex; "
2157  "uricontent: \"three\"; "
2158  "byte_extract:4,0,four,string,hex,relative; "
2159  "byte_extract:4,0,five,string,hex; "
2160  "sid:1;)");
2161  if (de_ctx->sig_list == NULL) {
2162  result = 0;
2163  goto end;
2164  }
2165 
2166  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2167  result = 0;
2168  goto end;
2169  }
2170 
2171  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2172  if (sm->type != DETECT_CONTENT) {
2173  result = 0;
2174  goto end;
2175  }
2176  cd = (DetectContentData *)sm->ctx;
2177  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2178  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2179  cd->flags & DETECT_CONTENT_NOCASE ||
2180  cd->flags & DETECT_CONTENT_WITHIN ||
2181  cd->flags & DETECT_CONTENT_DISTANCE ||
2182  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2183  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2184  cd->flags & DETECT_CONTENT_NEGATED ) {
2185  printf("one failed\n");
2186  result = 0;
2187  goto end;
2188  }
2189 
2190  sm = sm->next;
2191  if (sm->type != DETECT_BYTE_EXTRACT) {
2192  result = 0;
2193  goto end;
2194  }
2195  bed = (DetectByteExtractData *)sm->ctx;
2196  if (bed->nbytes != 4 ||
2197  bed->offset != 0 ||
2198  strcmp(bed->name, "two") != 0 ||
2199  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2200  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2201  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2202  bed->align_value != 0 ||
2203  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2204  goto end;
2205  }
2206  if (bed->local_id != 0) {
2207  result = 0;
2208  goto end;
2209  }
2210 
2211  sm = sm->next;
2212  if (sm->type != DETECT_BYTE_EXTRACT) {
2213  result = 0;
2214  goto end;
2215  }
2216  bed = (DetectByteExtractData *)sm->ctx;
2217  if (bed->nbytes != 4 ||
2218  bed->offset != 0 ||
2219  strcmp(bed->name, "five") != 0 ||
2220  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2221  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2222  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2223  bed->align_value != 0 ||
2224  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2225  goto end;
2226  }
2227  if (bed->local_id != 1) {
2228  result = 0;
2229  goto end;
2230  }
2231 
2232  if (sm->next != NULL)
2233  goto end;
2234 
2235  sm = s->sm_lists[g_http_uri_buffer_id];
2236  if (sm->type != DETECT_CONTENT) {
2237  result = 0;
2238  goto end;
2239  }
2240  ud = (DetectContentData *)sm->ctx;
2241  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2242  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
2243  ud->flags & DETECT_CONTENT_NOCASE ||
2244  ud->flags & DETECT_CONTENT_WITHIN ||
2245  ud->flags & DETECT_CONTENT_DISTANCE ||
2246  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2247  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2248  ud->flags & DETECT_CONTENT_NEGATED ) {
2249  printf("two failed\n");
2250  result = 0;
2251  goto end;
2252  }
2253 
2254  sm = sm->next;
2255  if (sm->type != DETECT_BYTE_EXTRACT) {
2256  result = 0;
2257  goto end;
2258  }
2259  bed = (DetectByteExtractData *)sm->ctx;
2260  if (bed->nbytes != 4 ||
2261  bed->offset != 0 ||
2262  strcmp(bed->name, "four") != 0 ||
2263  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
2264  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
2265  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2266  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2267  bed->align_value != 0 ||
2268  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2269  goto end;
2270  }
2271  if (bed->local_id != 0) {
2272  result = 0;
2273  goto end;
2274  }
2275 
2276  if (sm->next != NULL)
2277  goto end;
2278 
2279  result = 1;
2280 
2281  end:
2282  SigGroupCleanup(de_ctx);
2283  SigCleanSignatures(de_ctx);
2284  DetectEngineCtxFree(de_ctx);
2285 
2286  return result;
2287 }
2288 
2289 static int DetectByteExtractTest43(void)
2290 {
2291  DetectEngineCtx *de_ctx = NULL;
2292  int result = 0;
2293  Signature *s = NULL;
2294  SigMatch *sm = NULL;
2295  DetectContentData *cd = NULL;
2296  DetectByteExtractData *bed = NULL;
2297 
2298  de_ctx = DetectEngineCtxInit();
2299  if (de_ctx == NULL)
2300  goto end;
2301 
2302  de_ctx->flags |= DE_QUIET;
2303  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2304  "(msg:\"Testing bytejump_body\"; "
2305  "content:\"one\"; "
2306  "byte_extract:4,0,two,string,hex; "
2307  "content: \"three\"; offset:two; "
2308  "sid:1;)");
2309  if (de_ctx->sig_list == NULL) {
2310  result = 0;
2311  goto end;
2312  }
2313 
2314  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2315  result = 0;
2316  goto end;
2317  }
2318 
2319  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2320  if (sm->type != DETECT_CONTENT) {
2321  result = 0;
2322  goto end;
2323  }
2324  cd = (DetectContentData *)sm->ctx;
2325  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2326  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2327  cd->flags & DETECT_CONTENT_NOCASE ||
2328  cd->flags & DETECT_CONTENT_WITHIN ||
2329  cd->flags & DETECT_CONTENT_DISTANCE ||
2330  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2331  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2332  cd->flags & DETECT_CONTENT_NEGATED ) {
2333  printf("one failed\n");
2334  result = 0;
2335  goto end;
2336  }
2337 
2338  sm = sm->next;
2339  if (sm->type != DETECT_BYTE_EXTRACT) {
2340  result = 0;
2341  goto end;
2342  }
2343  bed = (DetectByteExtractData *)sm->ctx;
2344  if (bed->nbytes != 4 ||
2345  bed->offset != 0 ||
2346  strcmp(bed->name, "two") != 0 ||
2347  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2348  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2349  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2350  bed->align_value != 0 ||
2351  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2352  goto end;
2353  }
2354  if (bed->local_id != 0) {
2355  result = 0;
2356  goto end;
2357  }
2358 
2359  sm = sm->next;
2360  if (sm->type != DETECT_CONTENT) {
2361  result = 0;
2362  goto end;
2363  }
2364  cd = (DetectContentData *)sm->ctx;
2365  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2366  cd->flags != (DETECT_CONTENT_OFFSET_BE |
2367  DETECT_CONTENT_OFFSET) ||
2368  cd->offset != bed->local_id) {
2369  printf("three failed\n");
2370  result = 0;
2371  goto end;
2372  }
2373 
2374  if (sm->next != NULL)
2375  goto end;
2376 
2377  result = 1;
2378 
2379  end:
2380  SigGroupCleanup(de_ctx);
2381  SigCleanSignatures(de_ctx);
2382  DetectEngineCtxFree(de_ctx);
2383 
2384  return result;
2385 }
2386 
2387 static int DetectByteExtractTest44(void)
2388 {
2389  DetectEngineCtx *de_ctx = NULL;
2390  int result = 0;
2391  Signature *s = NULL;
2392  SigMatch *sm = NULL;
2393  DetectContentData *cd = NULL;
2394  DetectByteExtractData *bed1 = NULL;
2395  DetectByteExtractData *bed2 = NULL;
2396 
2397  de_ctx = DetectEngineCtxInit();
2398  if (de_ctx == NULL)
2399  goto end;
2400 
2401  de_ctx->flags |= DE_QUIET;
2402  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2403  "(msg:\"Testing bytejump_body\"; "
2404  "content:\"one\"; "
2405  "byte_extract:4,0,two,string,hex; "
2406  "byte_extract:4,0,three,string,hex; "
2407  "content: \"four\"; offset:two; "
2408  "content: \"five\"; offset:three; "
2409  "sid:1;)");
2410  if (de_ctx->sig_list == NULL) {
2411  result = 0;
2412  goto end;
2413  }
2414 
2415  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2416  result = 0;
2417  goto end;
2418  }
2419 
2420  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2421  if (sm->type != DETECT_CONTENT) {
2422  result = 0;
2423  goto end;
2424  }
2425  cd = (DetectContentData *)sm->ctx;
2426  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2427  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2428  cd->flags & DETECT_CONTENT_NOCASE ||
2429  cd->flags & DETECT_CONTENT_WITHIN ||
2430  cd->flags & DETECT_CONTENT_DISTANCE ||
2431  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2432  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2433  cd->flags & DETECT_CONTENT_NEGATED ) {
2434  printf("one failed\n");
2435  result = 0;
2436  goto end;
2437  }
2438 
2439  sm = sm->next;
2440  if (sm->type != DETECT_BYTE_EXTRACT) {
2441  result = 0;
2442  goto end;
2443  }
2444  bed1 = (DetectByteExtractData *)sm->ctx;
2445  if (bed1->nbytes != 4 ||
2446  bed1->offset != 0 ||
2447  strcmp(bed1->name, "two") != 0 ||
2448  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2449  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2450  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2451  bed1->align_value != 0 ||
2452  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2453  goto end;
2454  }
2455  if (bed1->local_id != 0) {
2456  result = 0;
2457  goto end;
2458  }
2459 
2460  sm = sm->next;
2461  if (sm->type != DETECT_BYTE_EXTRACT) {
2462  result = 0;
2463  goto end;
2464  }
2465  bed2 = (DetectByteExtractData *)sm->ctx;
2466 
2467  sm = sm->next;
2468  if (sm->type != DETECT_CONTENT) {
2469  result = 0;
2470  goto end;
2471  }
2472  cd = (DetectContentData *)sm->ctx;
2473  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2474  cd->flags != (DETECT_CONTENT_OFFSET_BE |
2475  DETECT_CONTENT_OFFSET) ||
2476  cd->offset != bed1->local_id) {
2477  printf("four failed\n");
2478  result = 0;
2479  goto end;
2480  }
2481 
2482  sm = sm->next;
2483  if (sm->type != DETECT_CONTENT) {
2484  result = 0;
2485  goto end;
2486  }
2487  cd = (DetectContentData *)sm->ctx;
2488  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2489  cd->flags != (DETECT_CONTENT_OFFSET_BE |
2490  DETECT_CONTENT_OFFSET) ||
2491  cd->offset != bed2->local_id) {
2492  printf("five failed\n");
2493  result = 0;
2494  goto end;
2495  }
2496 
2497  if (sm->next != NULL)
2498  goto end;
2499 
2500  result = 1;
2501 
2502  end:
2503  SigGroupCleanup(de_ctx);
2504  SigCleanSignatures(de_ctx);
2505  DetectEngineCtxFree(de_ctx);
2506 
2507  return result;
2508 }
2509 
2510 static int DetectByteExtractTest45(void)
2511 {
2512  DetectEngineCtx *de_ctx = NULL;
2513  int result = 0;
2514  Signature *s = NULL;
2515  SigMatch *sm = NULL;
2516  DetectContentData *cd = NULL;
2517  DetectByteExtractData *bed = NULL;
2518 
2519  de_ctx = DetectEngineCtxInit();
2520  if (de_ctx == NULL)
2521  goto end;
2522 
2523  de_ctx->flags |= DE_QUIET;
2524  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2525  "(msg:\"Testing bytejump_body\"; "
2526  "content:\"one\"; "
2527  "byte_extract:4,0,two,string,hex; "
2528  "content: \"three\"; depth:two; "
2529  "sid:1;)");
2530  if (de_ctx->sig_list == NULL) {
2531  result = 0;
2532  goto end;
2533  }
2534 
2535  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2536  result = 0;
2537  goto end;
2538  }
2539 
2540  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2541  if (sm->type != DETECT_CONTENT) {
2542  result = 0;
2543  goto end;
2544  }
2545  cd = (DetectContentData *)sm->ctx;
2546  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2547  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2548  cd->flags & DETECT_CONTENT_NOCASE ||
2549  cd->flags & DETECT_CONTENT_WITHIN ||
2550  cd->flags & DETECT_CONTENT_DISTANCE ||
2551  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2552  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2553  cd->flags & DETECT_CONTENT_NEGATED ) {
2554  printf("one failed\n");
2555  result = 0;
2556  goto end;
2557  }
2558 
2559  sm = sm->next;
2560  if (sm->type != DETECT_BYTE_EXTRACT) {
2561  result = 0;
2562  goto end;
2563  }
2564  bed = (DetectByteExtractData *)sm->ctx;
2565  if (bed->nbytes != 4 ||
2566  bed->offset != 0 ||
2567  strcmp(bed->name, "two") != 0 ||
2568  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2569  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2570  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2571  bed->align_value != 0 ||
2572  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2573  goto end;
2574  }
2575  if (bed->local_id != 0) {
2576  result = 0;
2577  goto end;
2578  }
2579 
2580  sm = sm->next;
2581  if (sm->type != DETECT_CONTENT) {
2582  result = 0;
2583  goto end;
2584  }
2585  cd = (DetectContentData *)sm->ctx;
2586  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2587  cd->flags != (DETECT_CONTENT_DEPTH_BE |
2588  DETECT_CONTENT_DEPTH) ||
2589  cd->depth != bed->local_id ||
2590  cd->offset != 0) {
2591  printf("three failed\n");
2592  result = 0;
2593  goto end;
2594  }
2595 
2596  if (sm->next != NULL)
2597  goto end;
2598 
2599  result = 1;
2600 
2601  end:
2602  SigGroupCleanup(de_ctx);
2603  SigCleanSignatures(de_ctx);
2604  DetectEngineCtxFree(de_ctx);
2605 
2606  return result;
2607 }
2608 
2609 static int DetectByteExtractTest46(void)
2610 {
2611  DetectEngineCtx *de_ctx = NULL;
2612  int result = 0;
2613  Signature *s = NULL;
2614  SigMatch *sm = NULL;
2615  DetectContentData *cd = NULL;
2616  DetectByteExtractData *bed1 = NULL;
2617  DetectByteExtractData *bed2 = NULL;
2618 
2619  de_ctx = DetectEngineCtxInit();
2620  if (de_ctx == NULL)
2621  goto end;
2622 
2623  de_ctx->flags |= DE_QUIET;
2624  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2625  "(msg:\"Testing bytejump_body\"; "
2626  "content:\"one\"; "
2627  "byte_extract:4,0,two,string,hex; "
2628  "byte_extract:4,0,three,string,hex; "
2629  "content: \"four\"; depth:two; "
2630  "content: \"five\"; depth:three; "
2631  "sid:1;)");
2632  if (de_ctx->sig_list == NULL) {
2633  result = 0;
2634  goto end;
2635  }
2636 
2637  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2638  result = 0;
2639  goto end;
2640  }
2641 
2642  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2643  if (sm->type != DETECT_CONTENT) {
2644  result = 0;
2645  goto end;
2646  }
2647  cd = (DetectContentData *)sm->ctx;
2648  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2649  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2650  cd->flags & DETECT_CONTENT_NOCASE ||
2651  cd->flags & DETECT_CONTENT_WITHIN ||
2652  cd->flags & DETECT_CONTENT_DISTANCE ||
2653  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2654  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2655  cd->flags & DETECT_CONTENT_NEGATED ) {
2656  printf("one failed\n");
2657  result = 0;
2658  goto end;
2659  }
2660 
2661  sm = sm->next;
2662  if (sm->type != DETECT_BYTE_EXTRACT) {
2663  result = 0;
2664  goto end;
2665  }
2666  bed1 = (DetectByteExtractData *)sm->ctx;
2667  if (bed1->nbytes != 4 ||
2668  bed1->offset != 0 ||
2669  strcmp(bed1->name, "two") != 0 ||
2670  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2671  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2672  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2673  bed1->align_value != 0 ||
2674  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2675  goto end;
2676  }
2677  if (bed1->local_id != 0) {
2678  result = 0;
2679  goto end;
2680  }
2681 
2682  sm = sm->next;
2683  if (sm->type != DETECT_BYTE_EXTRACT) {
2684  result = 0;
2685  goto end;
2686  }
2687  bed2 = (DetectByteExtractData *)sm->ctx;
2688 
2689  sm = sm->next;
2690  if (sm->type != DETECT_CONTENT) {
2691  result = 0;
2692  goto end;
2693  }
2694  cd = (DetectContentData *)sm->ctx;
2695  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2696  cd->flags != (DETECT_CONTENT_DEPTH_BE |
2697  DETECT_CONTENT_DEPTH) ||
2698  cd->depth != bed1->local_id) {
2699  printf("four failed\n");
2700  result = 0;
2701  goto end;
2702  }
2703 
2704  sm = sm->next;
2705  if (sm->type != DETECT_CONTENT) {
2706  result = 0;
2707  goto end;
2708  }
2709  cd = (DetectContentData *)sm->ctx;
2710  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2711  cd->flags != (DETECT_CONTENT_DEPTH_BE |
2712  DETECT_CONTENT_DEPTH) ||
2713  cd->depth != bed2->local_id) {
2714  printf("five failed\n");
2715  result = 0;
2716  goto end;
2717  }
2718 
2719  if (sm->next != NULL)
2720  goto end;
2721 
2722  result = 1;
2723 
2724  end:
2725  SigGroupCleanup(de_ctx);
2726  SigCleanSignatures(de_ctx);
2727  DetectEngineCtxFree(de_ctx);
2728 
2729  return result;
2730 }
2731 
2732 static int DetectByteExtractTest47(void)
2733 {
2734  DetectEngineCtx *de_ctx = NULL;
2735  int result = 0;
2736  Signature *s = NULL;
2737  SigMatch *sm = NULL;
2738  DetectContentData *cd = NULL;
2739  DetectByteExtractData *bed = NULL;
2740 
2741  de_ctx = DetectEngineCtxInit();
2742  if (de_ctx == NULL)
2743  goto end;
2744 
2745  de_ctx->flags |= DE_QUIET;
2746  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2747  "(msg:\"Testing bytejump_body\"; "
2748  "content:\"one\"; "
2749  "byte_extract:4,0,two,string,hex; "
2750  "content: \"three\"; distance:two; "
2751  "sid:1;)");
2752  if (de_ctx->sig_list == NULL) {
2753  result = 0;
2754  goto end;
2755  }
2756 
2757  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2758  result = 0;
2759  goto end;
2760  }
2761 
2762  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2763  if (sm->type != DETECT_CONTENT) {
2764  result = 0;
2765  goto end;
2766  }
2767  cd = (DetectContentData *)sm->ctx;
2768  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2769  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2770  cd->flags & DETECT_CONTENT_NOCASE ||
2771  cd->flags & DETECT_CONTENT_WITHIN ||
2772  cd->flags & DETECT_CONTENT_DISTANCE ||
2773  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2774  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2775  cd->flags & DETECT_CONTENT_NEGATED ) {
2776  printf("one failed\n");
2777  result = 0;
2778  goto end;
2779  }
2780 
2781  sm = sm->next;
2782  if (sm->type != DETECT_BYTE_EXTRACT) {
2783  result = 0;
2784  goto end;
2785  }
2786  bed = (DetectByteExtractData *)sm->ctx;
2787  if (bed->nbytes != 4 ||
2788  bed->offset != 0 ||
2789  strcmp(bed->name, "two") != 0 ||
2790  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2791  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2792  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2793  bed->align_value != 0 ||
2794  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2795  goto end;
2796  }
2797  if (bed->local_id != 0) {
2798  result = 0;
2799  goto end;
2800  }
2801 
2802  sm = sm->next;
2803  if (sm->type != DETECT_CONTENT) {
2804  result = 0;
2805  goto end;
2806  }
2807  cd = (DetectContentData *)sm->ctx;
2808  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2809  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
2810  DETECT_CONTENT_DISTANCE) ||
2811  cd->distance != bed->local_id ||
2812  cd->offset != 0 ||
2813  cd->depth != 0) {
2814  printf("three failed\n");
2815  result = 0;
2816  goto end;
2817  }
2818 
2819  if (sm->next != NULL)
2820  goto end;
2821 
2822  result = 1;
2823 
2824  end:
2825  SigGroupCleanup(de_ctx);
2826  SigCleanSignatures(de_ctx);
2827  DetectEngineCtxFree(de_ctx);
2828 
2829  return result;
2830 }
2831 
2832 static int DetectByteExtractTest48(void)
2833 {
2834  DetectEngineCtx *de_ctx = NULL;
2835  int result = 0;
2836  Signature *s = NULL;
2837  SigMatch *sm = NULL;
2838  DetectContentData *cd = NULL;
2839  DetectByteExtractData *bed1 = NULL;
2840  DetectByteExtractData *bed2 = NULL;
2841 
2842  de_ctx = DetectEngineCtxInit();
2843  if (de_ctx == NULL)
2844  goto end;
2845 
2846  de_ctx->flags |= DE_QUIET;
2847  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2848  "(msg:\"Testing bytejump_body\"; "
2849  "content:\"one\"; "
2850  "byte_extract:4,0,two,string,hex; "
2851  "byte_extract:4,0,three,string,hex; "
2852  "content: \"four\"; distance:two; "
2853  "content: \"five\"; distance:three; "
2854  "sid:1;)");
2855  if (de_ctx->sig_list == NULL) {
2856  result = 0;
2857  goto end;
2858  }
2859 
2860  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2861  result = 0;
2862  goto end;
2863  }
2864 
2865  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2866  if (sm->type != DETECT_CONTENT) {
2867  result = 0;
2868  goto end;
2869  }
2870  cd = (DetectContentData *)sm->ctx;
2871  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2872  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2873  cd->flags & DETECT_CONTENT_NOCASE ||
2874  cd->flags & DETECT_CONTENT_WITHIN ||
2875  cd->flags & DETECT_CONTENT_DISTANCE ||
2876  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2877  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2878  cd->flags & DETECT_CONTENT_NEGATED ) {
2879  printf("one failed\n");
2880  result = 0;
2881  goto end;
2882  }
2883 
2884  sm = sm->next;
2885  if (sm->type != DETECT_BYTE_EXTRACT) {
2886  result = 0;
2887  goto end;
2888  }
2889  bed1 = (DetectByteExtractData *)sm->ctx;
2890  if (bed1->nbytes != 4 ||
2891  bed1->offset != 0 ||
2892  strcmp(bed1->name, "two") != 0 ||
2893  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2894  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2895  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2896  bed1->align_value != 0 ||
2897  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2898  goto end;
2899  }
2900  if (bed1->local_id != 0) {
2901  result = 0;
2902  goto end;
2903  }
2904 
2905  sm = sm->next;
2906  if (sm->type != DETECT_BYTE_EXTRACT) {
2907  result = 0;
2908  goto end;
2909  }
2910  bed2 = (DetectByteExtractData *)sm->ctx;
2911 
2912  sm = sm->next;
2913  if (sm->type != DETECT_CONTENT) {
2914  result = 0;
2915  goto end;
2916  }
2917  cd = (DetectContentData *)sm->ctx;
2918  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2919  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
2920  DETECT_CONTENT_DISTANCE |
2921  DETECT_CONTENT_DISTANCE_NEXT) ||
2922  cd->distance != bed1->local_id ||
2923  cd->depth != 0 ||
2924  cd->offset != 0) {
2925  printf("four failed\n");
2926  result = 0;
2927  goto end;
2928  }
2929 
2930  sm = sm->next;
2931  if (sm->type != DETECT_CONTENT) {
2932  result = 0;
2933  goto end;
2934  }
2935  cd = (DetectContentData *)sm->ctx;
2936  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2937  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
2938  DETECT_CONTENT_DISTANCE) ||
2939  cd->distance != bed2->local_id ||
2940  cd->depth != 0 ||
2941  cd->offset != 0) {
2942  printf("five failed\n");
2943  result = 0;
2944  goto end;
2945  }
2946 
2947  if (sm->next != NULL)
2948  goto end;
2949 
2950  result = 1;
2951 
2952  end:
2953  SigGroupCleanup(de_ctx);
2954  SigCleanSignatures(de_ctx);
2955  DetectEngineCtxFree(de_ctx);
2956 
2957  return result;
2958 }
2959 
2960 static int DetectByteExtractTest49(void)
2961 {
2962  DetectEngineCtx *de_ctx = NULL;
2963  int result = 0;
2964  Signature *s = NULL;
2965  SigMatch *sm = NULL;
2966  DetectContentData *cd = NULL;
2967  DetectByteExtractData *bed = NULL;
2968 
2969  de_ctx = DetectEngineCtxInit();
2970  if (de_ctx == NULL)
2971  goto end;
2972 
2973  de_ctx->flags |= DE_QUIET;
2974  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2975  "(msg:\"Testing bytejump_body\"; "
2976  "content:\"one\"; "
2977  "byte_extract:4,0,two,string,hex; "
2978  "content: \"three\"; within:two; "
2979  "sid:1;)");
2980  if (de_ctx->sig_list == NULL) {
2981  result = 0;
2982  goto end;
2983  }
2984 
2985  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2986  result = 0;
2987  goto end;
2988  }
2989 
2990  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2991  if (sm->type != DETECT_CONTENT) {
2992  result = 0;
2993  goto end;
2994  }
2995  cd = (DetectContentData *)sm->ctx;
2996  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2997  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2998  cd->flags & DETECT_CONTENT_NOCASE ||
2999  cd->flags & DETECT_CONTENT_WITHIN ||
3000  cd->flags & DETECT_CONTENT_DISTANCE ||
3001  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3002  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3003  cd->flags & DETECT_CONTENT_NEGATED ) {
3004  printf("one failed\n");
3005  result = 0;
3006  goto end;
3007  }
3008 
3009  sm = sm->next;
3010  if (sm->type != DETECT_BYTE_EXTRACT) {
3011  result = 0;
3012  goto end;
3013  }
3014  bed = (DetectByteExtractData *)sm->ctx;
3015  if (bed->nbytes != 4 ||
3016  bed->offset != 0 ||
3017  strcmp(bed->name, "two") != 0 ||
3018  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3019  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3020  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3021  bed->align_value != 0 ||
3022  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3023  goto end;
3024  }
3025  if (bed->local_id != 0) {
3026  result = 0;
3027  goto end;
3028  }
3029 
3030  sm = sm->next;
3031  if (sm->type != DETECT_CONTENT) {
3032  result = 0;
3033  goto end;
3034  }
3035  cd = (DetectContentData *)sm->ctx;
3036  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
3037  cd->flags != (DETECT_CONTENT_WITHIN_BE |
3038  DETECT_CONTENT_WITHIN) ||
3039  cd->within != bed->local_id ||
3040  cd->offset != 0 ||
3041  cd->depth != 0 ||
3042  cd->distance != 0) {
3043  printf("three failed\n");
3044  result = 0;
3045  goto end;
3046  }
3047 
3048  if (sm->next != NULL)
3049  goto end;
3050 
3051  result = 1;
3052 
3053  end:
3054  SigGroupCleanup(de_ctx);
3055  SigCleanSignatures(de_ctx);
3056  DetectEngineCtxFree(de_ctx);
3057 
3058  return result;
3059 }
3060 
3061 static int DetectByteExtractTest50(void)
3062 {
3063  DetectEngineCtx *de_ctx = NULL;
3064  int result = 0;
3065  Signature *s = NULL;
3066  SigMatch *sm = NULL;
3067  DetectContentData *cd = NULL;
3068  DetectByteExtractData *bed1 = NULL;
3069  DetectByteExtractData *bed2 = NULL;
3070 
3071  de_ctx = DetectEngineCtxInit();
3072  if (de_ctx == NULL)
3073  goto end;
3074 
3075  de_ctx->flags |= DE_QUIET;
3076  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3077  "(msg:\"Testing bytejump_body\"; "
3078  "content:\"one\"; "
3079  "byte_extract:4,0,two,string,hex; "
3080  "byte_extract:4,0,three,string,hex; "
3081  "content: \"four\"; within:two; "
3082  "content: \"five\"; within:three; "
3083  "sid:1;)");
3084  if (de_ctx->sig_list == NULL) {
3085  result = 0;
3086  goto end;
3087  }
3088 
3089  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3090  result = 0;
3091  goto end;
3092  }
3093 
3094  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3095  if (sm->type != DETECT_CONTENT) {
3096  result = 0;
3097  goto end;
3098  }
3099  cd = (DetectContentData *)sm->ctx;
3100  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3101  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3102  cd->flags & DETECT_CONTENT_NOCASE ||
3103  cd->flags & DETECT_CONTENT_WITHIN ||
3104  cd->flags & DETECT_CONTENT_DISTANCE ||
3105  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3106  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3107  cd->flags & DETECT_CONTENT_NEGATED ) {
3108  printf("one failed\n");
3109  result = 0;
3110  goto end;
3111  }
3112 
3113  sm = sm->next;
3114  if (sm->type != DETECT_BYTE_EXTRACT) {
3115  result = 0;
3116  goto end;
3117  }
3118  bed1 = (DetectByteExtractData *)sm->ctx;
3119  if (bed1->nbytes != 4 ||
3120  bed1->offset != 0 ||
3121  strcmp(bed1->name, "two") != 0 ||
3122  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3123  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3124  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3125  bed1->align_value != 0 ||
3126  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3127  goto end;
3128  }
3129  if (bed1->local_id != 0) {
3130  result = 0;
3131  goto end;
3132  }
3133 
3134  sm = sm->next;
3135  if (sm->type != DETECT_BYTE_EXTRACT) {
3136  result = 0;
3137  goto end;
3138  }
3139  bed2 = (DetectByteExtractData *)sm->ctx;
3140 
3141  sm = sm->next;
3142  if (sm->type != DETECT_CONTENT) {
3143  result = 0;
3144  goto end;
3145  }
3146  cd = (DetectContentData *)sm->ctx;
3147  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3148  cd->flags != (DETECT_CONTENT_WITHIN_BE |
3149  DETECT_CONTENT_WITHIN|
3150  DETECT_CONTENT_WITHIN_NEXT) ||
3151  cd->within != bed1->local_id ||
3152  cd->depth != 0 ||
3153  cd->offset != 0 ||
3154  cd->distance != 0) {
3155  printf("four failed\n");
3156  result = 0;
3157  goto end;
3158  }
3159 
3160  sm = sm->next;
3161  if (sm->type != DETECT_CONTENT) {
3162  result = 0;
3163  goto end;
3164  }
3165  cd = (DetectContentData *)sm->ctx;
3166  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
3167  cd->flags != (DETECT_CONTENT_WITHIN_BE |
3168  DETECT_CONTENT_WITHIN) ||
3169  cd->within != bed2->local_id ||
3170  cd->depth != 0 ||
3171  cd->offset != 0 ||
3172  cd->distance != 0) {
3173  printf("five failed\n");
3174  result = 0;
3175  goto end;
3176  }
3177 
3178  if (sm->next != NULL)
3179  goto end;
3180 
3181  result = 1;
3182 
3183  end:
3184  SigGroupCleanup(de_ctx);
3185  SigCleanSignatures(de_ctx);
3186  DetectEngineCtxFree(de_ctx);
3187 
3188  return result;
3189 }
3190 
3191 static int DetectByteExtractTest51(void)
3192 {
3193  DetectEngineCtx *de_ctx = NULL;
3194  int result = 0;
3195  Signature *s = NULL;
3196  SigMatch *sm = NULL;
3197  DetectContentData *cd = NULL;
3198  DetectByteExtractData *bed = NULL;
3199  DetectBytetestData *btd = NULL;
3200 
3201  de_ctx = DetectEngineCtxInit();
3202  if (de_ctx == NULL)
3203  goto end;
3204 
3205  de_ctx->flags |= DE_QUIET;
3206  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3207  "(msg:\"Testing bytejump_body\"; "
3208  "content:\"one\"; "
3209  "byte_extract:4,0,two,string,hex; "
3210  "byte_test: 2,=,10, two; "
3211  "sid:1;)");
3212  if (de_ctx->sig_list == NULL) {
3213  result = 0;
3214  goto end;
3215  }
3216 
3217  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3218  result = 0;
3219  goto end;
3220  }
3221 
3222  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3223  if (sm->type != DETECT_CONTENT) {
3224  result = 0;
3225  goto end;
3226  }
3227  cd = (DetectContentData *)sm->ctx;
3228  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3229  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3230  cd->flags & DETECT_CONTENT_NOCASE ||
3231  cd->flags & DETECT_CONTENT_WITHIN ||
3232  cd->flags & DETECT_CONTENT_DISTANCE ||
3233  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3234  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3235  cd->flags & DETECT_CONTENT_NEGATED ) {
3236  printf("one failed\n");
3237  result = 0;
3238  goto end;
3239  }
3240 
3241  sm = sm->next;
3242  if (sm->type != DETECT_BYTE_EXTRACT) {
3243  result = 0;
3244  goto end;
3245  }
3246  bed = (DetectByteExtractData *)sm->ctx;
3247  if (bed->nbytes != 4 ||
3248  bed->offset != 0 ||
3249  strcmp(bed->name, "two") != 0 ||
3250  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3251  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3252  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3253  bed->align_value != 0 ||
3254  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3255  goto end;
3256  }
3257  if (bed->local_id != 0) {
3258  result = 0;
3259  goto end;
3260  }
3261 
3262  sm = sm->next;
3263  if (sm->type != DETECT_BYTETEST) {
3264  result = 0;
3265  goto end;
3266  }
3267  btd = (DetectBytetestData *)sm->ctx;
3268  if (btd->flags != DETECT_BYTETEST_OFFSET_BE ||
3269  btd->value != 10 ||
3270  btd->offset != 0) {
3271  printf("three failed\n");
3272  result = 0;
3273  goto end;
3274  }
3275 
3276  if (sm->next != NULL)
3277  goto end;
3278 
3279  result = 1;
3280 
3281  end:
3282  SigGroupCleanup(de_ctx);
3283  SigCleanSignatures(de_ctx);
3284  DetectEngineCtxFree(de_ctx);
3285 
3286  return result;
3287 }
3288 
3289 static int DetectByteExtractTest52(void)
3290 {
3291  DetectEngineCtx *de_ctx = NULL;
3292  int result = 0;
3293  Signature *s = NULL;
3294  SigMatch *sm = NULL;
3295  DetectContentData *cd = NULL;
3296  DetectByteExtractData *bed1 = NULL;
3297  DetectBytetestData *btd = NULL;
3298 
3299  de_ctx = DetectEngineCtxInit();
3300  if (de_ctx == NULL)
3301  goto end;
3302 
3303  de_ctx->flags |= DE_QUIET;
3304  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3305  "(msg:\"Testing bytejump_body\"; "
3306  "content:\"one\"; "
3307  "byte_extract:4,0,two,string,hex; "
3308  "byte_extract:4,0,three,string,hex; "
3309  "byte_test: 2,=,two,three; "
3310  "byte_test: 3,=,10,three; "
3311  "sid:1;)");
3312  if (de_ctx->sig_list == NULL) {
3313  result = 0;
3314  goto end;
3315  }
3316 
3317  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3318  result = 0;
3319  goto end;
3320  }
3321 
3322  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3323  if (sm->type != DETECT_CONTENT) {
3324  result = 0;
3325  goto end;
3326  }
3327  cd = (DetectContentData *)sm->ctx;
3328  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3329  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3330  cd->flags & DETECT_CONTENT_NOCASE ||
3331  cd->flags & DETECT_CONTENT_WITHIN ||
3332  cd->flags & DETECT_CONTENT_DISTANCE ||
3333  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3334  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3335  cd->flags & DETECT_CONTENT_NEGATED ) {
3336  printf("one failed\n");
3337  result = 0;
3338  goto end;
3339  }
3340 
3341  sm = sm->next;
3342  if (sm->type != DETECT_BYTE_EXTRACT) {
3343  result = 0;
3344  goto end;
3345  }
3346  bed1 = (DetectByteExtractData *)sm->ctx;
3347  if (bed1->nbytes != 4 ||
3348  bed1->offset != 0 ||
3349  strcmp(bed1->name, "two") != 0 ||
3350  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3351  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3352  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3353  bed1->align_value != 0 ||
3354  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3355  goto end;
3356  }
3357  if (bed1->local_id != 0) {
3358  result = 0;
3359  goto end;
3360  }
3361 
3362  sm = sm->next;
3363  if (sm->type != DETECT_BYTE_EXTRACT) {
3364  result = 0;
3365  goto end;
3366  }
3367 
3368  sm = sm->next;
3369  if (sm->type != DETECT_BYTETEST) {
3370  result = 0;
3371  goto end;
3372  }
3373  btd = (DetectBytetestData *)sm->ctx;
3374  if (btd->flags != (DETECT_BYTETEST_OFFSET_BE |
3375  DETECT_BYTETEST_VALUE_BE) ||
3376  btd->value != 0 ||
3377  btd->offset != 1) {
3378  printf("three failed\n");
3379  result = 0;
3380  goto end;
3381  }
3382 
3383  sm = sm->next;
3384  if (sm->type != DETECT_BYTETEST) {
3385  result = 0;
3386  goto end;
3387  }
3388  btd = (DetectBytetestData *)sm->ctx;
3389  if (btd->flags != DETECT_BYTETEST_OFFSET_BE ||
3390  btd->value != 10 ||
3391  btd->offset != 1) {
3392  printf("four failed\n");
3393  result = 0;
3394  goto end;
3395  }
3396 
3397  if (sm->next != NULL)
3398  goto end;
3399 
3400  result = 1;
3401 
3402  end:
3403  SigGroupCleanup(de_ctx);
3404  SigCleanSignatures(de_ctx);
3405  DetectEngineCtxFree(de_ctx);
3406 
3407  return result;
3408 }
3409 
3410 static int DetectByteExtractTest53(void)
3411 {
3412  DetectEngineCtx *de_ctx = NULL;
3413  int result = 0;
3414  Signature *s = NULL;
3415  SigMatch *sm = NULL;
3416  DetectContentData *cd = NULL;
3417  DetectByteExtractData *bed = NULL;
3418  DetectBytejumpData *bjd = NULL;
3419 
3420  de_ctx = DetectEngineCtxInit();
3421  if (de_ctx == NULL)
3422  goto end;
3423 
3424  de_ctx->flags |= DE_QUIET;
3425  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3426  "(msg:\"Testing bytejump_body\"; "
3427  "content:\"one\"; "
3428  "byte_extract:4,0,two,string,hex; "
3429  "byte_jump: 2,two; "
3430  "sid:1;)");
3431  if (de_ctx->sig_list == NULL) {
3432  result = 0;
3433  goto end;
3434  }
3435 
3436  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3437  result = 0;
3438  goto end;
3439  }
3440 
3441  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3442  if (sm->type != DETECT_CONTENT) {
3443  result = 0;
3444  goto end;
3445  }
3446  cd = (DetectContentData *)sm->ctx;
3447  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3448  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3449  cd->flags & DETECT_CONTENT_NOCASE ||
3450  cd->flags & DETECT_CONTENT_WITHIN ||
3451  cd->flags & DETECT_CONTENT_DISTANCE ||
3452  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3453  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3454  cd->flags & DETECT_CONTENT_NEGATED ) {
3455  printf("one failed\n");
3456  result = 0;
3457  goto end;
3458  }
3459 
3460  sm = sm->next;
3461  if (sm->type != DETECT_BYTE_EXTRACT) {
3462  result = 0;
3463  goto end;
3464  }
3465  bed = (DetectByteExtractData *)sm->ctx;
3466  if (bed->nbytes != 4 ||
3467  bed->offset != 0 ||
3468  strcmp(bed->name, "two") != 0 ||
3469  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3470  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3471  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3472  bed->align_value != 0 ||
3473  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3474  goto end;
3475  }
3476  if (bed->local_id != 0) {
3477  result = 0;
3478  goto end;
3479  }
3480 
3481  sm = sm->next;
3482  if (sm->type != DETECT_BYTEJUMP) {
3483  result = 0;
3484  goto end;
3485  }
3486  bjd = (DetectBytejumpData *)sm->ctx;
3487  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
3488  bjd->offset != 0) {
3489  printf("three failed\n");
3490  result = 0;
3491  goto end;
3492  }
3493 
3494  if (sm->next != NULL)
3495  goto end;
3496 
3497  result = 1;
3498 
3499  end:
3500  SigGroupCleanup(de_ctx);
3501  SigCleanSignatures(de_ctx);
3502  DetectEngineCtxFree(de_ctx);
3503 
3504  return result;
3505 }
3506 
3507 static int DetectByteExtractTest54(void)
3508 {
3509  DetectEngineCtx *de_ctx = NULL;
3510  int result = 0;
3511  Signature *s = NULL;
3512  SigMatch *sm = NULL;
3513  DetectContentData *cd = NULL;
3514  DetectByteExtractData *bed1 = NULL;
3515  DetectBytejumpData *bjd = NULL;
3516 
3517  de_ctx = DetectEngineCtxInit();
3518  if (de_ctx == NULL)
3519  goto end;
3520 
3521  de_ctx->flags |= DE_QUIET;
3522  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3523  "(msg:\"Testing bytejump_body\"; "
3524  "content:\"one\"; "
3525  "byte_extract:4,0,two,string,hex; "
3526  "byte_extract:4,0,three,string,hex; "
3527  "byte_jump: 2,two; "
3528  "byte_jump: 3,three; "
3529  "sid:1;)");
3530  if (de_ctx->sig_list == NULL) {
3531  result = 0;
3532  goto end;
3533  }
3534 
3535  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3536  result = 0;
3537  goto end;
3538  }
3539 
3540  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3541  if (sm->type != DETECT_CONTENT) {
3542  result = 0;
3543  goto end;
3544  }
3545  cd = (DetectContentData *)sm->ctx;
3546  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3547  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3548  cd->flags & DETECT_CONTENT_NOCASE ||
3549  cd->flags & DETECT_CONTENT_WITHIN ||
3550  cd->flags & DETECT_CONTENT_DISTANCE ||
3551  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3552  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3553  cd->flags & DETECT_CONTENT_NEGATED ) {
3554  printf("one failed\n");
3555  result = 0;
3556  goto end;
3557  }
3558 
3559  sm = sm->next;
3560  if (sm->type != DETECT_BYTE_EXTRACT) {
3561  result = 0;
3562  goto end;
3563  }
3564  bed1 = (DetectByteExtractData *)sm->ctx;
3565  if (bed1->nbytes != 4 ||
3566  bed1->offset != 0 ||
3567  strcmp(bed1->name, "two") != 0 ||
3568  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3569  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3570  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3571  bed1->align_value != 0 ||
3572  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3573  goto end;
3574  }
3575  if (bed1->local_id != 0) {
3576  result = 0;
3577  goto end;
3578  }
3579 
3580  sm = sm->next;
3581  if (sm->type != DETECT_BYTE_EXTRACT) {
3582  result = 0;
3583  goto end;
3584  }
3585 
3586  sm = sm->next;
3587  if (sm->type != DETECT_BYTEJUMP) {
3588  result = 0;
3589  goto end;
3590  }
3591  bjd = (DetectBytejumpData *)sm->ctx;
3592  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
3593  bjd->offset != 0) {
3594  printf("three failed\n");
3595  result = 0;
3596  goto end;
3597  }
3598 
3599  sm = sm->next;
3600  if (sm->type != DETECT_BYTEJUMP) {
3601  result = 0;
3602  goto end;
3603  }
3604  bjd = (DetectBytejumpData *)sm->ctx;
3605  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
3606  bjd->offset != 1) {
3607  printf("four failed\n");
3608  result = 0;
3609  goto end;
3610  }
3611 
3612  if (sm->next != NULL)
3613  goto end;
3614 
3615  result = 1;
3616 
3617  end:
3618  SigGroupCleanup(de_ctx);
3619  SigCleanSignatures(de_ctx);
3620  DetectEngineCtxFree(de_ctx);
3621 
3622  return result;
3623 }
3624 
3625 static int DetectByteExtractTest55(void)
3626 {
3627  DetectEngineCtx *de_ctx = NULL;
3628  int result = 0;
3629  Signature *s = NULL;
3630  SigMatch *sm = NULL;
3631  DetectContentData *cd = NULL;
3632  DetectByteExtractData *bed1 = NULL;
3633  DetectByteExtractData *bed2 = NULL;
3634 
3635  de_ctx = DetectEngineCtxInit();
3636  if (de_ctx == NULL)
3637  goto end;
3638 
3639  de_ctx->flags |= DE_QUIET;
3640  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3641  "(msg:\"Testing byte_extract\"; "
3642  "content:\"one\"; "
3643  "byte_extract:4,0,two,string,hex; "
3644  "byte_extract:4,0,three,string,hex; "
3645  "byte_extract:4,0,four,string,hex; "
3646  "byte_extract:4,0,five,string,hex; "
3647  "content: \"four\"; within:two; distance:three; "
3648  "sid:1;)");
3649  if (de_ctx->sig_list == NULL) {
3650  goto end;
3651  }
3652 
3653  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3654  goto end;
3655  }
3656 
3657  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3658  if (sm->type != DETECT_CONTENT) {
3659  goto end;
3660  }
3661  cd = (DetectContentData *)sm->ctx;
3662  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3663  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3664  cd->flags & DETECT_CONTENT_NOCASE ||
3665  cd->flags & DETECT_CONTENT_WITHIN ||
3666  cd->flags & DETECT_CONTENT_DISTANCE ||
3667  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3668  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3669  cd->flags & DETECT_CONTENT_NEGATED ) {
3670  printf("one failed: ");
3671  goto end;
3672  }
3673 
3674  sm = sm->next;
3675  if (sm->type != DETECT_BYTE_EXTRACT) {
3676  goto end;
3677  }
3678  bed1 = (DetectByteExtractData *)sm->ctx;
3679  if (bed1->nbytes != 4 ||
3680  bed1->offset != 0 ||
3681  strcmp(bed1->name, "two") != 0 ||
3682  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3683  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3684  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3685  bed1->align_value != 0 ||
3686  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3687  goto end;
3688  }
3689  if (bed1->local_id != 0) {
3690  goto end;
3691  }
3692 
3693  sm = sm->next;
3694  if (sm->type != DETECT_BYTE_EXTRACT) {
3695  goto end;
3696  }
3697  bed2 = (DetectByteExtractData *)sm->ctx;
3698 
3699  sm = sm->next;
3700  if (sm->type != DETECT_BYTE_EXTRACT) {
3701  goto end;
3702  }
3703 
3704  sm = sm->next;
3705  if (sm->type != DETECT_BYTE_EXTRACT) {
3706  goto end;
3707  }
3708 
3709  sm = sm->next;
3710  if (sm->type != DETECT_CONTENT) {
3711  goto end;
3712  }
3713  cd = (DetectContentData *)sm->ctx;
3714  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3715  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
3716  DETECT_CONTENT_WITHIN_BE |
3717  DETECT_CONTENT_DISTANCE |
3718  DETECT_CONTENT_WITHIN) ||
3719  cd->within != bed1->local_id ||
3720  cd->distance != bed2->local_id) {
3721  printf("four failed: ");
3722  goto end;
3723  }
3724 
3725  if (sm->next != NULL) {
3726  goto end;
3727  }
3728 
3729  result = 1;
3730 
3731  end:
3732  SigGroupCleanup(de_ctx);
3733  SigCleanSignatures(de_ctx);
3734  DetectEngineCtxFree(de_ctx);
3735 
3736  return result;
3737 }
3738 
3739 static int DetectByteExtractTest56(void)
3740 {
3741  DetectEngineCtx *de_ctx = NULL;
3742  int result = 0;
3743  Signature *s = NULL;
3744  SigMatch *sm = NULL;
3745  DetectContentData *cd = NULL;
3746  DetectByteExtractData *bed1 = NULL;
3747  DetectByteExtractData *bed2 = NULL;
3748 
3749  de_ctx = DetectEngineCtxInit();
3750  if (de_ctx == NULL)
3751  goto end;
3752 
3753  de_ctx->flags |= DE_QUIET;
3754  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3755  "(msg:\"Testing bytejump_body\"; "
3756  "uricontent:\"urione\"; "
3757  "content:\"one\"; "
3758  "byte_extract:4,0,two,string,hex; "
3759  "byte_extract:4,0,three,string,hex; "
3760  "byte_extract:4,0,four,string,hex; "
3761  "byte_extract:4,0,five,string,hex; "
3762  "content: \"four\"; within:two; distance:three; "
3763  "sid:1;)");
3764  if (de_ctx->sig_list == NULL) {
3765  result = 0;
3766  goto end;
3767  }
3768 
3769  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3770  result = 0;
3771  goto end;
3772  }
3773 
3774  sm = s->sm_lists[g_http_uri_buffer_id];
3775  if (sm->type != DETECT_CONTENT) {
3776  result = 0;
3777  goto end;
3778  }
3779  cd = (DetectContentData *)sm->ctx;
3780  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3781  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3782  cd->flags & DETECT_CONTENT_NOCASE ||
3783  cd->flags & DETECT_CONTENT_WITHIN ||
3784  cd->flags & DETECT_CONTENT_DISTANCE ||
3785  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3786  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3787  cd->flags & DETECT_CONTENT_NEGATED ) {
3788  printf("one failed\n");
3789  result = 0;
3790  goto end;
3791  }
3792 
3793  if (sm->next != NULL)
3794  goto end;
3795 
3796  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3797  if (sm->type != DETECT_CONTENT) {
3798  result = 0;
3799  goto end;
3800  }
3801  cd = (DetectContentData *)sm->ctx;
3802  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3803  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3804  cd->flags & DETECT_CONTENT_NOCASE ||
3805  cd->flags & DETECT_CONTENT_WITHIN ||
3806  cd->flags & DETECT_CONTENT_DISTANCE ||
3807  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3808  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3809  cd->flags & DETECT_CONTENT_NEGATED ) {
3810  printf("one failed\n");
3811  result = 0;
3812  goto end;
3813  }
3814 
3815  sm = sm->next;
3816  if (sm->type != DETECT_BYTE_EXTRACT) {
3817  result = 0;
3818  goto end;
3819  }
3820  bed1 = (DetectByteExtractData *)sm->ctx;
3821  if (bed1->nbytes != 4 ||
3822  bed1->offset != 0 ||
3823  strcmp(bed1->name, "two") != 0 ||
3824  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3825  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3826  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3827  bed1->align_value != 0 ||
3828  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3829  goto end;
3830  }
3831  if (bed1->local_id != 0) {
3832  result = 0;
3833  goto end;
3834  }
3835 
3836  sm = sm->next;
3837  if (sm->type != DETECT_BYTE_EXTRACT) {
3838  result = 0;
3839  goto end;
3840  }
3841  bed2 = (DetectByteExtractData *)sm->ctx;
3842 
3843  sm = sm->next;
3844  if (sm->type != DETECT_BYTE_EXTRACT) {
3845  result = 0;
3846  goto end;
3847  }
3848 
3849  sm = sm->next;
3850  if (sm->type != DETECT_BYTE_EXTRACT) {
3851  result = 0;
3852  goto end;
3853  }
3854 
3855  sm = sm->next;
3856  if (sm->type != DETECT_CONTENT) {
3857  result = 0;
3858  goto end;
3859  }
3860  cd = (DetectContentData *)sm->ctx;
3861  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3862  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
3863  DETECT_CONTENT_WITHIN_BE |
3864  DETECT_CONTENT_DISTANCE |
3865  DETECT_CONTENT_WITHIN) ||
3866  cd->within != bed1->local_id ||
3867  cd->distance != bed2->local_id ) {
3868  printf("four failed\n");
3869  result = 0;
3870  goto end;
3871  }
3872 
3873  if (sm->next != NULL) {
3874  goto end;
3875  }
3876 
3877  result = 1;
3878 
3879  end:
3880  SigGroupCleanup(de_ctx);
3881  SigCleanSignatures(de_ctx);
3882  DetectEngineCtxFree(de_ctx);
3883 
3884  return result;
3885 }
3886 
3887 static int DetectByteExtractTest57(void)
3888 {
3889  DetectEngineCtx *de_ctx = NULL;
3890  int result = 0;
3891  Signature *s = NULL;
3892  SigMatch *sm = NULL;
3893  DetectContentData *cd = NULL;
3894  DetectByteExtractData *bed1 = NULL;
3895  DetectByteExtractData *bed2 = NULL;
3896  DetectByteExtractData *bed3 = NULL;
3897  DetectByteExtractData *bed4 = NULL;
3898 
3899  de_ctx = DetectEngineCtxInit();
3900  if (de_ctx == NULL)
3901  goto end;
3902 
3903  de_ctx->flags |= DE_QUIET;
3904  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3905  "(msg:\"Testing bytejump_body\"; "
3906  "content:\"one\"; "
3907  "uricontent: \"urione\"; "
3908  "byte_extract:4,0,two,string,hex,relative; "
3909  "byte_extract:4,0,three,string,hex,relative; "
3910  "byte_extract:4,0,four,string,hex,relative; "
3911  "byte_extract:4,0,five,string,hex,relative; "
3912  "uricontent: \"four\"; within:two; distance:three; "
3913  "sid:1;)");
3914  if (de_ctx->sig_list == NULL) {
3915  result = 0;
3916  goto end;
3917  }
3918 
3919  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3920  result = 0;
3921  goto end;
3922  }
3923 
3924  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3925  if (sm->type != DETECT_CONTENT) {
3926  result = 0;
3927  goto end;
3928  }
3929  cd = (DetectContentData *)sm->ctx;
3930  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3931  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3932  cd->flags & DETECT_CONTENT_NOCASE ||
3933  cd->flags & DETECT_CONTENT_WITHIN ||
3934  cd->flags & DETECT_CONTENT_DISTANCE ||
3935  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3936  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3937  cd->flags & DETECT_CONTENT_NEGATED ) {
3938  printf("one failed\n");
3939  result = 0;
3940  goto end;
3941  }
3942 
3943  if (sm->next != NULL)
3944  goto end;
3945 
3946  sm = s->sm_lists[g_http_uri_buffer_id];
3947  if (sm->type != DETECT_CONTENT) {
3948  result = 0;
3949  goto end;
3950  }
3951  cd = (DetectContentData *)sm->ctx;
3952  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3953  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3954  cd->flags & DETECT_CONTENT_NOCASE ||
3955  cd->flags & DETECT_CONTENT_WITHIN ||
3956  cd->flags & DETECT_CONTENT_DISTANCE ||
3957  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3958  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3959  cd->flags & DETECT_CONTENT_NEGATED ) {
3960  printf("one failed\n");
3961  result = 0;
3962  goto end;
3963  }
3964 
3965  sm = sm->next;
3966  if (sm->type != DETECT_BYTE_EXTRACT) {
3967  result = 0;
3968  goto end;
3969  }
3970  bed1 = (DetectByteExtractData *)sm->ctx;
3971  if (bed1->nbytes != 4 ||
3972  bed1->offset != 0 ||
3973  strcmp(bed1->name, "two") != 0 ||
3974  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
3975  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3976  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3977  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3978  bed1->align_value != 0 ||
3979  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3980  goto end;
3981  }
3982  if (bed1->local_id != 0) {
3983  result = 0;
3984  goto end;
3985  }
3986 
3987  sm = sm->next;
3988  if (sm->type != DETECT_BYTE_EXTRACT) {
3989  result = 0;
3990  goto end;
3991  }
3992  bed2 = (DetectByteExtractData *)sm->ctx;
3993  if (bed2->local_id != 1) {
3994  result = 0;
3995  goto end;
3996  }
3997 
3998  sm = sm->next;
3999  if (sm->type != DETECT_BYTE_EXTRACT) {
4000  result = 0;
4001  goto end;
4002  }
4003  bed3 = (DetectByteExtractData *)sm->ctx;
4004  if (bed3->local_id != 2) {
4005  result = 0;
4006  goto end;
4007  }
4008 
4009  sm = sm->next;
4010  if (sm->type != DETECT_BYTE_EXTRACT) {
4011  result = 0;
4012  goto end;
4013  }
4014  bed4 = (DetectByteExtractData *)sm->ctx;
4015  if (bed4->local_id != 3) {
4016  result = 0;
4017  goto end;
4018  }
4019 
4020  sm = sm->next;
4021  if (sm->type != DETECT_CONTENT) {
4022  result = 0;
4023  goto end;
4024  }
4025  cd = (DetectContentData *)sm->ctx;
4026  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
4027  cd->flags != (DETECT_CONTENT_DISTANCE_BE |
4028  DETECT_CONTENT_WITHIN_BE |
4029  DETECT_CONTENT_DISTANCE |
4030  DETECT_CONTENT_WITHIN) ||
4031  cd->within != bed1->local_id ||
4032  cd->distance != bed2->local_id) {
4033  printf("four failed\n");
4034  result = 0;
4035  goto end;
4036  }
4037 
4038  if (sm->next != NULL) {
4039  goto end;
4040  }
4041 
4042  result = 1;
4043 
4044  end:
4045  SigGroupCleanup(de_ctx);
4046  SigCleanSignatures(de_ctx);
4047  DetectEngineCtxFree(de_ctx);
4048 
4049  return result;
4050 }
4051 
4052 static int DetectByteExtractTest58(void)
4053 {
4054  DetectEngineCtx *de_ctx = NULL;
4055  int result = 0;
4056  Signature *s = NULL;
4057  SigMatch *sm = NULL;
4058  DetectContentData *cd = NULL;
4059  DetectByteExtractData *bed1 = NULL;
4060  DetectBytejumpData *bjd = NULL;
4061  DetectIsdataatData *isdd = NULL;
4062 
4063  de_ctx = DetectEngineCtxInit();
4064  if (de_ctx == NULL)
4065  goto end;
4066 
4067  de_ctx->flags |= DE_QUIET;
4068  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4069  "(msg:\"Testing bytejump_body\"; "
4070  "content:\"one\"; "
4071  "byte_extract:4,0,two,string,hex; "
4072  "byte_extract:4,0,three,string,hex; "
4073  "byte_jump: 2,two; "
4074  "byte_jump: 3,three; "
4075  "isdataat: three; "
4076  "sid:1;)");
4077  if (de_ctx->sig_list == NULL) {
4078  result = 0;
4079  goto end;
4080  }
4081 
4082  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4083  result = 0;
4084  goto end;
4085  }
4086 
4087  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4088  if (sm->type != DETECT_CONTENT) {
4089  result = 0;
4090  goto end;
4091  }
4092  cd = (DetectContentData *)sm->ctx;
4093  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4094  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4095  cd->flags & DETECT_CONTENT_NOCASE ||
4096  cd->flags & DETECT_CONTENT_WITHIN ||
4097  cd->flags & DETECT_CONTENT_DISTANCE ||
4098  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4099  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4100  cd->flags & DETECT_CONTENT_NEGATED ) {
4101  printf("one failed\n");
4102  result = 0;
4103  goto end;
4104  }
4105 
4106  sm = sm->next;
4107  if (sm->type != DETECT_BYTE_EXTRACT) {
4108  result = 0;
4109  goto end;
4110  }
4111  bed1 = (DetectByteExtractData *)sm->ctx;
4112  if (bed1->nbytes != 4 ||
4113  bed1->offset != 0 ||
4114  strcmp(bed1->name, "two") != 0 ||
4115  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4116  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4117  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4118  bed1->align_value != 0 ||
4119  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4120  goto end;
4121  }
4122  if (bed1->local_id != 0) {
4123  result = 0;
4124  goto end;
4125  }
4126 
4127  sm = sm->next;
4128  if (sm->type != DETECT_BYTE_EXTRACT) {
4129  result = 0;
4130  goto end;
4131  }
4132 
4133  sm = sm->next;
4134  if (sm->type != DETECT_BYTEJUMP) {
4135  result = 0;
4136  goto end;
4137  }
4138  bjd = (DetectBytejumpData *)sm->ctx;
4139  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
4140  bjd->offset != 0) {
4141  printf("three failed\n");
4142  result = 0;
4143  goto end;
4144  }
4145 
4146  sm = sm->next;
4147  if (sm->type != DETECT_BYTEJUMP) {
4148  result = 0;
4149  goto end;
4150  }
4151  bjd = (DetectBytejumpData *)sm->ctx;
4152  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
4153  bjd->offset != 1) {
4154  printf("four failed\n");
4155  result = 0;
4156  goto end;
4157  }
4158 
4159  sm = sm->next;
4160  if (sm->type != DETECT_ISDATAAT) {
4161  result = 0;
4162  goto end;
4163  }
4164  isdd = (DetectIsdataatData *)sm->ctx;
4165  if (isdd->flags != ISDATAAT_OFFSET_BE ||
4166  isdd->dataat != 1) {
4167  printf("isdataat failed\n");
4168  result = 0;
4169  goto end;
4170  }
4171 
4172  if (sm->next != NULL)
4173  goto end;
4174 
4175  result = 1;
4176 
4177  end:
4178  SigGroupCleanup(de_ctx);
4179  SigCleanSignatures(de_ctx);
4180  DetectEngineCtxFree(de_ctx);
4181 
4182  return result;
4183 }
4184 
4185 static int DetectByteExtractTest59(void)
4186 {
4187  DetectEngineCtx *de_ctx = NULL;
4188  int result = 0;
4189  Signature *s = NULL;
4190  SigMatch *sm = NULL;
4191  DetectContentData *cd = NULL;
4192  DetectByteExtractData *bed1 = NULL;
4193  DetectBytejumpData *bjd = NULL;
4194  DetectIsdataatData *isdd = NULL;
4195 
4196  de_ctx = DetectEngineCtxInit();
4197  if (de_ctx == NULL)
4198  goto end;
4199 
4200  de_ctx->flags |= DE_QUIET;
4201  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4202  "(msg:\"Testing bytejump_body\"; "
4203  "content:\"one\"; "
4204  "byte_extract:4,0,two,string,hex; "
4205  "byte_extract:4,0,three,string,hex; "
4206  "byte_jump: 2,two; "
4207  "byte_jump: 3,three; "
4208  "isdataat: three,relative; "
4209  "sid:1;)");
4210  if (de_ctx->sig_list == NULL) {
4211  result = 0;
4212  goto end;
4213  }
4214 
4215  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4216  result = 0;
4217  goto end;
4218  }
4219 
4220  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4221  if (sm->type != DETECT_CONTENT) {
4222  result = 0;
4223  goto end;
4224  }
4225  cd = (DetectContentData *)sm->ctx;
4226  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4227  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4228  cd->flags & DETECT_CONTENT_NOCASE ||
4229  cd->flags & DETECT_CONTENT_WITHIN ||
4230  cd->flags & DETECT_CONTENT_DISTANCE ||
4231  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4232  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4233  cd->flags & DETECT_CONTENT_NEGATED ) {
4234  printf("one failed\n");
4235  result = 0;
4236  goto end;
4237  }
4238 
4239  sm = sm->next;
4240  if (sm->type != DETECT_BYTE_EXTRACT) {
4241  result = 0;
4242  goto end;
4243  }
4244  bed1 = (DetectByteExtractData *)sm->ctx;
4245  if (bed1->nbytes != 4 ||
4246  bed1->offset != 0 ||
4247  strcmp(bed1->name, "two") != 0 ||
4248  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4249  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4250  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4251  bed1->align_value != 0 ||
4252  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4253  goto end;
4254  }
4255  if (bed1->local_id != 0) {
4256  result = 0;
4257  goto end;
4258  }
4259 
4260  sm = sm->next;
4261  if (sm->type != DETECT_BYTE_EXTRACT) {
4262  result = 0;
4263  goto end;
4264  }
4265 
4266  sm = sm->next;
4267  if (sm->type != DETECT_BYTEJUMP) {
4268  result = 0;
4269  goto end;
4270  }
4271  bjd = (DetectBytejumpData *)sm->ctx;
4272  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
4273  bjd->offset != 0) {
4274  printf("three failed\n");
4275  result = 0;
4276  goto end;
4277  }
4278 
4279  sm = sm->next;
4280  if (sm->type != DETECT_BYTEJUMP) {
4281  result = 0;
4282  goto end;
4283  }
4284  bjd = (DetectBytejumpData *)sm->ctx;
4285  if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
4286  bjd->offset != 1) {
4287  printf("four failed\n");
4288  result = 0;
4289  goto end;
4290  }
4291 
4292  sm = sm->next;
4293  if (sm->type != DETECT_ISDATAAT) {
4294  result = 0;
4295  goto end;
4296  }
4297  isdd = (DetectIsdataatData *)sm->ctx;
4298  if (isdd->flags != (ISDATAAT_OFFSET_BE |
4299  ISDATAAT_RELATIVE) ||
4300  isdd->dataat != 1) {
4301  printf("isdataat failed\n");
4302  result = 0;
4303  goto end;
4304  }
4305 
4306  if (sm->next != NULL)
4307  goto end;
4308 
4309  result = 1;
4310 
4311  end:
4312  SigGroupCleanup(de_ctx);
4313  SigCleanSignatures(de_ctx);
4314  DetectEngineCtxFree(de_ctx);
4315 
4316  return result;
4317 }
4318 
4319 static int DetectByteExtractTest60(void)
4320 {
4321  DetectEngineCtx *de_ctx = NULL;
4322  int result = 0;
4323  Signature *s = NULL;
4324  SigMatch *sm = NULL;
4325  DetectContentData *cd = NULL;
4326  DetectByteExtractData *bed1 = NULL;
4327  DetectIsdataatData *isdd = NULL;
4328 
4329  de_ctx = DetectEngineCtxInit();
4330  if (de_ctx == NULL)
4331  goto end;
4332 
4333  de_ctx->flags |= DE_QUIET;
4334  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4335  "(msg:\"Testing bytejump_body\"; "
4336  "content:\"one\"; "
4337  "byte_extract:4,0,two,string,hex,relative; "
4338  "uricontent: \"three\"; "
4339  "byte_extract:4,0,four,string,hex,relative; "
4340  "isdataat: two; "
4341  "sid:1;)");
4342  if (de_ctx->sig_list == NULL) {
4343  result = 0;
4344  goto end;
4345  }
4346 
4347  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4348  result = 0;
4349  goto end;
4350  }
4351 
4352  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4353  if (sm->type != DETECT_CONTENT) {
4354  result = 0;
4355  goto end;
4356  }
4357  cd = (DetectContentData *)sm->ctx;
4358  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4359  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4360  cd->flags & DETECT_CONTENT_NOCASE ||
4361  cd->flags & DETECT_CONTENT_WITHIN ||
4362  cd->flags & DETECT_CONTENT_DISTANCE ||
4363  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4364  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4365  cd->flags & DETECT_CONTENT_NEGATED ) {
4366  printf("one failed\n");
4367  result = 0;
4368  goto end;
4369  }
4370 
4371  sm = sm->next;
4372  if (sm->type != DETECT_BYTE_EXTRACT) {
4373  result = 0;
4374  goto end;
4375  }
4376  bed1 = (DetectByteExtractData *)sm->ctx;
4377  if (bed1->nbytes != 4 ||
4378  bed1->offset != 0 ||
4379  strcmp(bed1->name, "two") != 0 ||
4380  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4381  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4382  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4383  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4384  bed1->align_value != 0 ||
4385  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4386  goto end;
4387  }
4388  if (bed1->local_id != 0) {
4389  result = 0;
4390  goto end;
4391  }
4392 
4393  sm = sm->next;
4394  if (sm->type != DETECT_ISDATAAT) {
4395  result = 0;
4396  goto end;
4397  }
4398  isdd = (DetectIsdataatData *)sm->ctx;
4399  if (isdd->flags != (ISDATAAT_OFFSET_BE) ||
4400  isdd->dataat != bed1->local_id) {
4401  printf("isdataat failed\n");
4402  result = 0;
4403  goto end;
4404  }
4405 
4406  if (sm->next != NULL)
4407  goto end;
4408 
4409  if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
4410  result = 0;
4411  goto end;
4412  }
4413 
4414  sm = s->sm_lists[g_http_uri_buffer_id];
4415  if (sm->type != DETECT_CONTENT) {
4416  result = 0;
4417  goto end;
4418  }
4419  cd = (DetectContentData *)sm->ctx;
4420  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4421  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4422  printf("one failed\n");
4423  result = 0;
4424  goto end;
4425  }
4426 
4427  sm = sm->next;
4428  if (sm->type != DETECT_BYTE_EXTRACT) {
4429  result = 0;
4430  goto end;
4431  }
4432  bed1 = (DetectByteExtractData *)sm->ctx;
4433  if (bed1->nbytes != 4 ||
4434  bed1->offset != 0 ||
4435  strcmp(bed1->name, "four") != 0 ||
4436  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4437  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4438  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4439  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4440  bed1->align_value != 0 ||
4441  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4442  goto end;
4443  }
4444  if (bed1->local_id != 0) {
4445  result = 0;
4446  goto end;
4447  }
4448 
4449  if (sm->next != NULL)
4450  goto end;
4451 
4452  result = 1;
4453 
4454  end:
4455  SigGroupCleanup(de_ctx);
4456  SigCleanSignatures(de_ctx);
4457  DetectEngineCtxFree(de_ctx);
4458 
4459  return result;
4460 }
4461 
4462 static int DetectByteExtractTest61(void)
4463 {
4464  DetectEngineCtx *de_ctx = NULL;
4465  int result = 0;
4466  Signature *s = NULL;
4467  SigMatch *sm = NULL;
4468  DetectContentData *cd = NULL;
4469  DetectByteExtractData *bed1 = NULL;
4470  DetectIsdataatData *isdd = NULL;
4471 
4472  de_ctx = DetectEngineCtxInit();
4473  if (de_ctx == NULL)
4474  goto end;
4475 
4476  de_ctx->flags |= DE_QUIET;
4477  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4478  "(msg:\"Testing bytejump_body\"; "
4479  "content:\"one\"; "
4480  "byte_extract:4,0,two,string,hex,relative; "
4481  "uricontent: \"three\"; "
4482  "byte_extract:4,0,four,string,hex,relative; "
4483  "isdataat: four, relative; "
4484  "sid:1;)");
4485  if (de_ctx->sig_list == NULL) {
4486  result = 0;
4487  goto end;
4488  }
4489 
4490  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4491  result = 0;
4492  goto end;
4493  }
4494 
4495  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4496  if (sm->type != DETECT_CONTENT) {
4497  result = 0;
4498  goto end;
4499  }
4500  cd = (DetectContentData *)sm->ctx;
4501  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4502  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4503  cd->flags & DETECT_CONTENT_NOCASE ||
4504  cd->flags & DETECT_CONTENT_WITHIN ||
4505  cd->flags & DETECT_CONTENT_DISTANCE ||
4506  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4507  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4508  cd->flags & DETECT_CONTENT_NEGATED ) {
4509  printf("one failed\n");
4510  result = 0;
4511  goto end;
4512  }
4513 
4514  sm = sm->next;
4515  if (sm->type != DETECT_BYTE_EXTRACT) {
4516  result = 0;
4517  goto end;
4518  }
4519  bed1 = (DetectByteExtractData *)sm->ctx;
4520  if (bed1->nbytes != 4 ||
4521  bed1->offset != 0 ||
4522  strcmp(bed1->name, "two") != 0 ||
4523  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4524  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4525  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4526  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4527  bed1->align_value != 0 ||
4528  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4529  goto end;
4530  }
4531  if (bed1->local_id != 0) {
4532  result = 0;
4533  goto end;
4534  }
4535 
4536  if (sm->next != NULL)
4537  goto end;
4538 
4539  if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
4540  result = 0;
4541  goto end;
4542  }
4543 
4544  sm = s->sm_lists[g_http_uri_buffer_id];
4545  if (sm->type != DETECT_CONTENT) {
4546  result = 0;
4547  goto end;
4548  }
4549  cd = (DetectContentData *)sm->ctx;
4550  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4551  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4552  printf("one failed\n");
4553  result = 0;
4554  goto end;
4555  }
4556 
4557  sm = sm->next;
4558  if (sm->type != DETECT_BYTE_EXTRACT) {
4559  result = 0;
4560  goto end;
4561  }
4562  bed1 = (DetectByteExtractData *)sm->ctx;
4563  if (bed1->nbytes != 4 ||
4564  bed1->offset != 0 ||
4565  strcmp(bed1->name, "four") != 0 ||
4566  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4567  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4568  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4569  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4570  bed1->align_value != 0 ||
4571  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4572  goto end;
4573  }
4574  if (bed1->local_id != 0) {
4575  result = 0;
4576  goto end;
4577  }
4578 
4579  sm = sm->next;
4580  if (sm->type != DETECT_ISDATAAT) {
4581  result = 0;
4582  goto end;
4583  }
4584  isdd = (DetectIsdataatData *)sm->ctx;
4585  if (isdd->flags != (ISDATAAT_OFFSET_BE |
4586  ISDATAAT_RELATIVE) ||
4587  isdd->dataat != bed1->local_id) {
4588  printf("isdataat failed\n");
4589  result = 0;
4590  goto end;
4591  }
4592 
4593  if (sm->next != NULL)
4594  goto end;
4595 
4596  result = 1;
4597 
4598  end:
4599  SigGroupCleanup(de_ctx);
4600  SigCleanSignatures(de_ctx);
4601  DetectEngineCtxFree(de_ctx);
4602 
4603  return result;
4604 }
4605 
4606 static int DetectByteExtractTest62(void)
4607 {
4608  DetectEngineCtx *de_ctx = NULL;
4609  int result = 0;
4610  Signature *s = NULL;
4611  SigMatch *sm = NULL;
4612  DetectByteExtractData *bed = NULL;
4613 
4614  de_ctx = DetectEngineCtxInit();
4615  if (de_ctx == NULL)
4616  goto end;
4617 
4618  de_ctx->flags |= DE_QUIET;
4619  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4620  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4621  "sid:1;)");
4622  if (de_ctx->sig_list == NULL) {
4623  goto end;
4624  }
4625 
4626  if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) {
4627  goto end;
4628  }
4629 
4630  sm = s->sm_lists[g_file_data_buffer_id];
4631  if (sm->type != DETECT_BYTE_EXTRACT) {
4632  result = 0;
4633  goto end;
4634  }
4635  bed = (DetectByteExtractData *)sm->ctx;
4636  if (bed->nbytes != 4 ||
4637  bed->offset != 2 ||
4638  strncmp(bed->name, "two", 3) != 0 ||
4639  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4640  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4641  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4642  bed->align_value != 0 ||
4643  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4644  goto end;
4645  }
4646 
4647  result = 1;
4648 
4649  end:
4650  SigGroupCleanup(de_ctx);
4651  SigCleanSignatures(de_ctx);
4652  DetectEngineCtxFree(de_ctx);
4653 
4654  return result;
4655 }
4656 
4657 static int DetectByteExtractTest63(void)
4658 {
4659  int result = 0;
4660 
4661  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4662  if (bed == NULL)
4663  goto end;
4664 
4665  if (bed->nbytes != 4 ||
4666  bed->offset != -2 ||
4667  strcmp(bed->name, "one") != 0 ||
4668  bed->flags != 0 ||
4669  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
4670  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
4671  bed->align_value != 0 ||
4672  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4673  goto end;
4674  }
4675 
4676  result = 1;
4677  end:
4678  if (bed != NULL)
4679  DetectByteExtractFree(NULL, bed);
4680  return result;
4681 }
4682 
4683 static int DetectByteExtractTestParseNoBase(void)
4684 {
4685  int result = 0;
4686 
4687  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4688  if (bed == NULL)
4689  goto end;
4690 
4691  if (bed->nbytes != 4) {
4692  goto end;
4693  }
4694  if (bed->offset != 2) {
4695  goto end;
4696  }
4697  if (strcmp(bed->name, "one") != 0) {
4698  goto end;
4699  }
4700  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4701  goto end;
4702  }
4703  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
4704  goto end;
4705  }
4706  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4707  goto end;
4708  }
4709  if (bed->align_value != 0) {
4710  goto end;
4711  }
4712  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4713  goto end;
4714  }
4715 
4716  result = 1;
4717  end:
4718  if (bed != NULL)
4719  DetectByteExtractFree(NULL, bed);
4720  return result;
4721 }
4722 
4723 #endif /* UNITTESTS */
4724 
4725 static void DetectByteExtractRegisterTests(void)
4726 {
4727 #ifdef UNITTESTS
4728  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4729  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4730 
4731  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4732  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4733  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4734  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4735  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4736  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4737  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4738  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4739  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4740  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4741  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4742  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4743  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4744  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4745  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4746  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4747  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4748  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4749  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4750  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4751  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4752  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4753  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4754  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4755  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4756  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4757  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4758  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4759  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4760  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4761  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4762  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4763  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4764  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4765  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4766  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4767  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4768  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4769  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4770  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4771  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4772  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4773 
4774  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4775  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4776 
4777  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4778  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4779 
4780  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4781  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4782 
4783  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4784  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4785 
4786  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4787  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4788 
4789  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4790  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4791 
4792  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4793  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4794  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4795 
4796  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4797  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4798  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4799  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4800  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4801  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4802 
4803  UtRegisterTest("DetectByteExtractTestParseNoBase",
4804  DetectByteExtractTestParseNoBase);
4805 #endif /* UNITTESTS */
4806 
4807  return;
4808 }
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:100
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1212
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1468
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DETECT_BYTE_EXTRACT_ENDIAN_DCE
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE
Definition: detect-byte-extract.h:38
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1040
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DETECT_CONTENT_DISTANCE_BE
#define DETECT_CONTENT_DISTANCE_BE
Definition: detect-content.h:47
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:76
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1209
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:73
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectContentData_::within
int32_t within
Definition: detect-content.h:102
DETECT_BYTE_EXTRACT_FLAG_STRING
#define DETECT_BYTE_EXTRACT_FLAG_STRING
Definition: detect-byte-extract.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DetectByteExtractData_::local_id
uint8_t local_id
Definition: detect-byte-extract.h:45
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:59
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
DetectByteExtractData_
Holds data related to byte_extract keyword.
Definition: detect-byte-extract.h:43
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:331
threads.h
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2033
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:58
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:48
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DetectBytetestData_
Definition: detect-bytetest.h:52
DetectByteExtractData_::nbytes
uint8_t nbytes
Definition: detect-byte-extract.h:47
SigMatchData_
Data needed for Match()
Definition: detect.h:328
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:43
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:48
util-unittest-helper.h
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:218
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:876
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:540
SC_ERR_PCRE_PARSE
@ SC_ERR_PCRE_PARSE
Definition: util-error.h:37
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:72
decode.h
util-debug.h
DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
Definition: detect-byte-extract.c:53
DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
Definition: detect-byte-extract.c:65
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectByteExtractData_::offset
int32_t offset
Definition: detect-byte-extract.h:49
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2456
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:504
DETECT_BYTE_EXTRACT_ENDIAN_BIG
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG
Definition: detect-byte-extract.h:36
detect-engine-mpm.h
detect.h
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:60
DetectByteExtractData_::align_value
uint8_t align_value
Definition: detect-byte-extract.h:54
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:323
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
DetectByteExtractData_::endian
uint8_t endian
Definition: detect-byte-extract.h:52
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
Signature_::flags
uint32_t flags
Definition: detect.h:528
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:99
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2388
DETECT_BYTE_EXTRACT_FLAG_RELATIVE
#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE
Definition: detect-byte-extract.h:28
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:596
DETECT_CONTENT_WITHIN_BE
#define DETECT_CONTENT_WITHIN_BE
Definition: detect-content.h:48
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:521
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:645
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:857
DetectByteExtractData_::base
uint8_t base
Definition: detect-byte-extract.h:53
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:61
DETECT_BYTEJUMP_OFFSET_BE
#define DETECT_BYTEJUMP_OFFSET_BE
Definition: detect-bytejump.h:41
DETECT_BYTETEST_VALUE_BE
#define DETECT_BYTETEST_VALUE_BE
Definition: detect-bytetest.h:49
SigMatch_::type
uint8_t type
Definition: detect.h:320
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:115
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:72
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
DETECT_BYTE_EXTRACT_BASE_NONE
#define DETECT_BYTE_EXTRACT_BASE_NONE
Definition: detect-byte-extract.c:57
DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
Definition: detect-byte-extract.h:37
suricata-common.h
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:73
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:101
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
util-spm.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
ISDATAAT_OFFSET_BE
#define ISDATAAT_OFFSET_BE
Definition: detect-isdataat.h:30
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
DETECT_BYTETEST_OFFSET_BE
#define DETECT_BYTETEST_OFFSET_BE
Definition: detect-bytetest.h:50
DETECT_BYTE_EXTRACT_FLAG_ALIGN
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN
Definition: detect-byte-extract.h:31
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DETECT_CONTENT_DEPTH_BE
#define DETECT_CONTENT_DEPTH_BE
Definition: detect-content.h:46
DetectByteExtractData_::name
const char * name
Definition: detect-byte-extract.h:50
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:622
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectByteExtractData_::multiplier_value
uint16_t multiplier_value
Definition: detect-byte-extract.h:56
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT_ENDIAN_NONE
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE
Definition: detect-byte-extract.h:35
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:165
DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
Definition: detect-byte-extract.h:29
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint16_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:111
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:78
DetectByteExtractData_::flags
uint8_t flags
Definition: detect-byte-extract.h:51
DETECT_CONTENT_OFFSET_BE
#define DETECT_CONTENT_OFFSET_BE
Definition: detect-content.h:45
DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
Definition: detect-byte-extract.c:67
DETECT_BYTE_EXTRACT_FLAG_ENDIAN
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN
Definition: detect-byte-extract.h:32
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:59
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:36
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:98
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:234
DetectPcreData_
Definition: detect-pcre.h:39
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-byte-extract.c:78
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
DetectBytejumpData_::flags
uint8_t flags
Definition: detect-bytejump.h:46
flow.h
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
Definition: detect-byte-extract.c:68
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:74
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:61
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
SignatureInitData_::smlists_array_size
uint32_t smlists_array_size
Definition: detect.h:519
detect-bytetest.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171