suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-state.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-bytejump.h"
36 #include "detect-bytetest.h"
37 #include "detect-byte-extract.h"
38 #include "detect-isdataat.h"
39 #include "detect-engine-build.h"
40 
41 #include "app-layer-protos.h"
42 
43 #include "flow.h"
44 #include "flow-var.h"
45 #include "flow-util.h"
46 
47 #include "util-byte.h"
48 #include "util-debug.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 #include "util-spm.h"
52 
53 /* the default value of endianess to be used, if none's specified */
54 #define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT DETECT_BYTE_EXTRACT_ENDIAN_BIG
55 
56 /* the base to be used if string mode is specified. These options would be
57  * specified in DetectByteParseData->base */
58 #define DETECT_BYTE_EXTRACT_BASE_NONE 0
59 #define DETECT_BYTE_EXTRACT_BASE_HEX 16
60 #define DETECT_BYTE_EXTRACT_BASE_DEC 10
61 #define DETECT_BYTE_EXTRACT_BASE_OCT 8
62 
63 /* the default value for multiplier. Either ways we always store a
64  * multiplier, 1 or otherwise, so that we can always multiply the extracted
65  * value and store it, instead of checking if a multiplier is set or not */
66 #define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT 1
67 /* the min/max limit for multiplier */
68 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT 1
69 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT 65535
70 
71 /* the max no of bytes that can be extracted in string mode - (string, hex)
72  * (string, oct) or (string, dec) */
73 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
74 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
75 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
76 /* the max no of bytes that can be extraced in non-string mode */
77 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
78 
79 #define PARSE_REGEX "^" \
80  "\\s*([0-9]+)\\s*" \
81  ",\\s*(-?[0-9]+)\\s*" \
82  ",\\s*([^\\s,]+)\\s*" \
83  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
84  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
85  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
86  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
87  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
88  "$"
89 
90 static DetectParseRegex parse_regex;
91 
92 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
93 #ifdef UNITTESTS
94 static void DetectByteExtractRegisterTests(void);
95 #endif
96 static void DetectByteExtractFree(DetectEngineCtx *, void *);
97 
98 /**
99  * \brief Registers the keyword handlers for the "byte_extract" keyword.
100  */
101 void DetectByteExtractRegister(void)
102 {
103  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
104  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
105  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
106  sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
107  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
108  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
109 #ifdef UNITTESTS
110  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
111 #endif
112  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
113 }
114 
115 int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
116  const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value,
117  uint8_t endian)
118 {
119  DetectByteExtractData *data = (DetectByteExtractData *)smd->ctx;
120  const uint8_t *ptr = NULL;
121  int32_t len = 0;
122  uint64_t val = 0;
123  int extbytes;
124 
125  if (payload_len == 0) {
126  return 0;
127  }
128 
129  /* Calculate the ptr value for the bytetest and length remaining in
130  * the packet from that point.
131  */
132  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
133  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
134  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
135 
136  ptr = payload + det_ctx->buffer_offset;
137  len = payload_len - det_ctx->buffer_offset;
138 
139  ptr += data->offset;
140  len -= data->offset;
141 
142  /* No match if there is no relative base */
143  if (len <= 0) {
144  return 0;
145  }
146  //PrintRawDataFp(stdout,ptr,len);
147  } else {
148  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
149 
150  ptr = payload + data->offset;
151  len = payload_len - data->offset;
152  }
153 
154  /* Validate that the to-be-extracted is within the packet */
155  if (ptr < payload || data->nbytes > len) {
156  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
157  payload, ptr, len, data->nbytes);
158  return 0;
159  }
160 
161  /* Extract the byte data */
162  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
163  extbytes = ByteExtractStringUint64(&val, data->base,
164  data->nbytes, (const char *)ptr);
165  if (extbytes <= 0) {
166  /* strtoull() return 0 if there is no numeric value in data string */
167  if (val == 0) {
168  SCLogDebug("No Numeric value");
169  return 0;
170  } else {
171  SCLogDebug("error extracting %d bytes of string data: %d",
172  data->nbytes, extbytes);
173  return -1;
174  }
175  }
176  } else {
177  int endianness = (endian == DETECT_BYTE_EXTRACT_ENDIAN_BIG) ?
178  BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
179  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
180  if (extbytes != data->nbytes) {
181  SCLogDebug("error extracting %d bytes of numeric data: %d",
182  data->nbytes, extbytes);
183  return 0;
184  }
185  }
186 
187  /* Adjust the jump value based on flags */
188  val *= data->multiplier_value;
189  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
190  if ((val % data->align_value) != 0) {
191  val += data->align_value - (val % data->align_value);
192  }
193  }
194 
195  ptr += extbytes;
196 
197  det_ctx->buffer_offset = ptr - payload;
198 
199  *value = val;
200  SCLogDebug("extracted value is %"PRIu64, val);
201  return 1;
202 }
203 
204 /**
205  * \internal
206  * \brief Used to parse byte_extract arg.
207  *
208  * \param de_ctx Pointer to the detection engine context
209  * \arg The argument to parse.
210  *
211  * \param bed On success an instance containing the parsed data.
212  * On failure, NULL.
213  */
214 static inline DetectByteExtractData *DetectByteExtractParse(DetectEngineCtx *de_ctx, const char *arg)
215 {
216  DetectByteExtractData *bed = NULL;
217  int ret = 0, res = 0;
218  size_t pcre2len;
219  int i = 0;
220 
221  ret = DetectParsePcreExec(&parse_regex, arg, 0, 0);
222  if (ret < 3 || ret > 19) {
223  SCLogError("parse error, ret %" PRId32 ", string \"%s\"", ret, arg);
224  SCLogError("Invalid arg to byte_extract : %s "
225  "for byte_extract",
226  arg);
227  goto error;
228  }
229 
230  bed = SCMalloc(sizeof(DetectByteExtractData));
231  if (unlikely(bed == NULL))
232  goto error;
233  memset(bed, 0, sizeof(DetectByteExtractData));
234 
235  /* no of bytes to extract */
236  char nbytes_str[64] = "";
237  pcre2len = sizeof(nbytes_str);
238  res = pcre2_substring_copy_bynumber(
239  parse_regex.match, 1, (PCRE2_UCHAR8 *)nbytes_str, &pcre2len);
240  if (res < 0) {
241  SCLogError("pcre2_substring_copy_bynumber failed "
242  "for arg 1 for byte_extract");
243  goto error;
244  }
245  if (StringParseUint8(&bed->nbytes, 10, 0,
246  (const char *)nbytes_str) < 0) {
247  SCLogError("Invalid value for number of bytes"
248  " to be extracted: \"%s\".",
249  nbytes_str);
250  goto error;
251  }
252 
253  /* offset */
254  char offset_str[64] = "";
255  pcre2len = sizeof(offset_str);
256  res = pcre2_substring_copy_bynumber(
257  parse_regex.match, 2, (PCRE2_UCHAR8 *)offset_str, &pcre2len);
258  if (res < 0) {
259  SCLogError("pcre2_substring_copy_bynumber failed "
260  "for arg 2 for byte_extract");
261  goto error;
262  }
263  int32_t offset;
264  if (StringParseI32RangeCheck(&offset, 10, 0, (const char *)offset_str, -65535, 65535) < 0) {
265  SCLogError("Invalid value for offset: \"%s\".", offset_str);
266  goto error;
267  }
268  bed->offset = offset;
269 
270  /* var name */
271  char varname_str[256] = "";
272  pcre2len = sizeof(varname_str);
273  res = pcre2_substring_copy_bynumber(
274  parse_regex.match, 3, (PCRE2_UCHAR8 *)varname_str, &pcre2len);
275  if (res < 0) {
276  SCLogError("pcre2_substring_copy_bynumber failed "
277  "for arg 3 for byte_extract");
278  goto error;
279  }
280  bed->name = SCStrdup(varname_str);
281  if (bed->name == NULL)
282  goto error;
283 
284  /* check out other optional args */
285  for (i = 4; i < ret; i++) {
286  char opt_str[64] = "";
287  pcre2len = sizeof(opt_str);
288  res = SC_Pcre2SubstringCopy(parse_regex.match, i, (PCRE2_UCHAR8 *)opt_str, &pcre2len);
289  if (res < 0) {
290  SCLogError("pcre2_substring_copy_bynumber failed "
291  "for arg %d for byte_extract with %d",
292  i, res);
293  goto error;
294  }
295 
296  if (strcmp("relative", opt_str) == 0) {
297  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
298  SCLogError("relative specified more "
299  "than once for byte_extract");
300  goto error;
301  }
302  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
303  } else if (strcmp("multiplier", opt_str) == 0) {
304  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) {
305  SCLogError("multiplier specified more "
306  "than once for byte_extract");
307  goto error;
308  }
309  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER;
310  i++;
311 
312  char multiplier_str[16] = "";
313  pcre2len = sizeof(multiplier_str);
314  res = pcre2_substring_copy_bynumber(
315  parse_regex.match, i, (PCRE2_UCHAR8 *)multiplier_str, &pcre2len);
316  if (res < 0) {
317  SCLogError("pcre2_substring_copy_bynumber failed "
318  "for arg %d for byte_extract",
319  i);
320  goto error;
321  }
322  uint16_t multiplier;
323  if (StringParseU16RangeCheck(&multiplier, 10, 0, (const char *)multiplier_str,
324  DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT,
325  DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT) < 0) {
326  SCLogError("Invalid value for"
327  "multiplier: \"%s\".",
328  multiplier_str);
329  goto error;
330  }
331  bed->multiplier_value = multiplier;
332  } else if (strcmp("big", opt_str) == 0) {
333  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
334  SCLogError("endian option specified "
335  "more than once for byte_extract");
336  goto error;
337  }
338  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
339  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_BIG;
340  } else if (strcmp("little", opt_str) == 0) {
341  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
342  SCLogError("endian option specified "
343  "more than once for byte_extract");
344  goto error;
345  }
346  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
347  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_LITTLE;
348  } else if (strcmp("dce", opt_str) == 0) {
349  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
350  SCLogError("endian option specified "
351  "more than once for byte_extract");
352  goto error;
353  }
354  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
355  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DCE;
356  } else if (strcmp("string", opt_str) == 0) {
357  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
358  SCLogError("string specified more "
359  "than once for byte_extract");
360  goto error;
361  }
362  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
363  SCLogError("The right way to specify "
364  "base is (string, base) and not (base, string) "
365  "for byte_extract");
366  goto error;
367  }
368  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_STRING;
369  } else if (strcmp("hex", opt_str) == 0) {
370  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
371  SCLogError("Base(hex) specified "
372  "without specifying string. The right way is "
373  "(string, base) and not (base, string)");
374  goto error;
375  }
376  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
377  SCLogError("More than one base "
378  "specified for byte_extract");
379  goto error;
380  }
381  bed->base = DETECT_BYTE_EXTRACT_BASE_HEX;
382  } else if (strcmp("oct", opt_str) == 0) {
383  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
384  SCLogError("Base(oct) specified "
385  "without specifying string. The right way is "
386  "(string, base) and not (base, string)");
387  goto error;
388  }
389  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
390  SCLogError("More than one base "
391  "specified for byte_extract");
392  goto error;
393  }
394  bed->base = DETECT_BYTE_EXTRACT_BASE_OCT;
395  } else if (strcmp("dec", opt_str) == 0) {
396  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
397  SCLogError("Base(dec) specified "
398  "without specifying string. The right way is "
399  "(string, base) and not (base, string)");
400  goto error;
401  }
402  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
403  SCLogError("More than one base "
404  "specified for byte_extract");
405  goto error;
406  }
407  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
408  } else if (strcmp("align", opt_str) == 0) {
409  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
410  SCLogError("Align specified more "
411  "than once for byte_extract");
412  goto error;
413  }
414  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ALIGN;
415  i++;
416 
417  char align_str[16] = "";
418  pcre2len = sizeof(align_str);
419  res = pcre2_substring_copy_bynumber(
420  parse_regex.match, i, (PCRE2_UCHAR8 *)align_str, &pcre2len);
421  if (res < 0) {
422  SCLogError("pcre2_substring_copy_bynumber failed "
423  "for arg %d in byte_extract",
424  i);
425  goto error;
426  }
427  if (StringParseUint8(&bed->align_value, 10, 0,
428  (const char *)align_str) < 0) {
429  SCLogError("Invalid align_value: "
430  "\"%s\".",
431  align_str);
432  goto error;
433  }
434  if (!(bed->align_value == 2 || bed->align_value == 4)) {
435  SCLogError("Invalid align_value for "
436  "byte_extract - \"%d\"",
437  bed->align_value);
438  goto error;
439  }
440  } else if (strcmp("", opt_str) == 0) {
441  ;
442  } else {
443  SCLogError("Invalid option - \"%s\" "
444  "specified in byte_extract",
445  opt_str);
446  goto error;
447  }
448  } /* for (i = 4; i < ret; i++) */
449 
450  /* validation */
451  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER)) {
452  /* default value */
453  bed->multiplier_value = DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT;
454  }
455 
456  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
457  if (bed->base == DETECT_BYTE_EXTRACT_BASE_NONE) {
458  /* Default to decimal if base not specified. */
459  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
460  }
461  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
462  SCLogError("byte_extract can't have "
463  "endian \"big\" or \"little\" specified along with "
464  "\"string\"");
465  goto error;
466  }
467  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
468  /* if are dealing with octal nos, the max no that can fit in a 8
469  * byte value is 01777777777777777777777 */
470  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
471  SCLogError("byte_extract can't process "
472  "more than %d bytes in \"string\" extraction",
473  STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
474  goto error;
475  }
476  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
477  /* if are dealing with decimal nos, the max no that can fit in a 8
478  * byte value is 18446744073709551615 */
479  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
480  SCLogError("byte_extract can't process "
481  "more than %d bytes in \"string\" extraction",
482  STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
483  goto error;
484  }
485  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
486  /* if are dealing with hex nos, the max no that can fit in a 8
487  * byte value is 0xFFFFFFFFFFFFFFFF */
488  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
489  SCLogError("byte_extract can't process "
490  "more than %d bytes in \"string\" extraction",
491  STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
492  goto error;
493  }
494  } else {
495  ; // just a placeholder. we won't reach here.
496  }
497  } else {
498  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
499  SCLogError("byte_extract can't process "
500  "more than %d bytes in \"non-string\" extraction",
501  NO_STRING_MAX_BYTES_TO_EXTRACT);
502  goto error;
503  }
504  /* if string has not been specified and no endian option has been
505  * specified, then set the default endian level of BIG */
506  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
507  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT;
508  }
509 
510  return bed;
511  error:
512  if (bed != NULL)
513  DetectByteExtractFree(de_ctx, bed);
514  return NULL;
515 }
516 
517 /**
518  * \brief The setup function for the byte_extract keyword for a signature.
519  *
520  * \param de_ctx Pointer to the detection engine context.
521  * \param s Pointer to signature for the current Signature being parsed
522  * from the rules.
523  * \param m Pointer to the head of the SigMatch for the current rule
524  * being parsed.
525  * \param arg Pointer to the string holding the keyword value.
526  *
527  * \retval 0 On success.
528  * \retval -1 On failure.
529  */
530 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
531 {
532  SigMatch *sm = NULL;
533  SigMatch *prev_pm = NULL;
534  DetectByteExtractData *data = NULL;
535  int ret = -1;
536 
537  data = DetectByteExtractParse(de_ctx, arg);
538  if (data == NULL)
539  goto error;
540 
541  int sm_list;
542  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
543  sm_list = s->init_data->list;
544 
545  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
546  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
547  }
548  } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
549  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
550  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
551  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
552  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
553  if (prev_pm == NULL) {
554  sm_list = DETECT_SM_LIST_PMATCH;
555  } else {
556  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
557  if (sm_list < 0)
558  goto error;
559  }
560  } else {
561  sm_list = DETECT_SM_LIST_PMATCH;
562  }
563 
564  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
565  goto error;
566  s->flags |= SIG_FLAG_APPLAYER;
567 
568  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
569  prev_pm = DetectGetLastSMFromLists(s,
570  DETECT_CONTENT, DETECT_PCRE,
571  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
572  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
573  if (prev_pm == NULL) {
574  sm_list = DETECT_SM_LIST_PMATCH;
575  } else {
576  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
577  if (sm_list < 0)
578  goto error;
579  if (sm_list != DETECT_SM_LIST_PMATCH)
580  s->flags |= SIG_FLAG_APPLAYER;
581  }
582 
583  } else {
584  sm_list = DETECT_SM_LIST_PMATCH;
585  }
586 
587  if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
588  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
589  goto error;
590 
591  if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
592  (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
593  (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
594  (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
595  SCLogError("Invalid option. "
596  "A byte_jump keyword with dce holds other invalid modifiers.");
597  goto error;
598  }
599  }
600 
601  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
602  DETECT_BYTE_EXTRACT, -1);
603  if (prev_bed_sm == NULL)
604  data->local_id = 0;
605  else
606  data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
607  if (data->local_id > de_ctx->byte_extract_max_local_id)
608  de_ctx->byte_extract_max_local_id = data->local_id;
609 
610 
611  sm = SigMatchAlloc();
612  if (sm == NULL)
613  goto error;
614  sm->type = DETECT_BYTE_EXTRACT;
615  sm->ctx = (void *)data;
616  SigMatchAppendSMToList(s, sm, sm_list);
617 
618 
619  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
620  goto okay;
621 
622  if (prev_pm == NULL)
623  goto okay;
624 
625  if (prev_pm->type == DETECT_CONTENT) {
626  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
627  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
628  } else if (prev_pm->type == DETECT_PCRE) {
629  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
630  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
631  }
632 
633  okay:
634  ret = 0;
635  return ret;
636  error:
637  DetectByteExtractFree(de_ctx, data);
638  return ret;
639 }
640 
641 /**
642  * \brief Used to free instances of DetectByteExtractData.
643  *
644  * \param ptr Instance of DetectByteExtractData to be freed.
645  */
646 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
647 {
648  if (ptr != NULL) {
649  DetectByteExtractData *bed = ptr;
650  if (bed->name != NULL)
651  SCFree((void *)bed->name);
652  SCFree(bed);
653  }
654 
655  return;
656 }
657 
658 /**
659  * \brief Lookup the SigMatch for a named byte_extract variable.
660  *
661  * \param arg The name of the byte_extract variable to lookup.
662  * \param s Pointer the signature to look in.
663  *
664  * \retval A pointer to the SigMatch if found, otherwise NULL.
665  */
666 SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
667 {
668  const int nlists = s->init_data->smlists_array_size;
669  for (int list = 0; list < nlists; list++) {
670  SigMatch *sm = s->init_data->smlists[list];
671  while (sm != NULL) {
672  if (sm->type == DETECT_BYTE_EXTRACT) {
673  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
674  if (strcmp(bed->name, arg) == 0) {
675  return sm;
676  }
677  }
678  sm = sm->next;
679  }
680  }
681 
682  return NULL;
683 }
684 
685 /*************************************Unittests********************************/
686 
687 #ifdef UNITTESTS
688 
689 static int g_file_data_buffer_id = 0;
690 static int g_http_uri_buffer_id = 0;
691 
692 static int DetectByteExtractTest01(void)
693 {
694  int result = 0;
695 
696  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
697  if (bed == NULL)
698  goto end;
699 
700  if (bed->nbytes != 4 ||
701  bed->offset != 2 ||
702  strcmp(bed->name, "one") != 0 ||
703  bed->flags != 0 ||
704  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
705  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
706  bed->align_value != 0 ||
707  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
708  goto end;
709  }
710 
711  result = 1;
712  end:
713  if (bed != NULL)
714  DetectByteExtractFree(NULL, bed);
715  return result;
716 }
717 
718 static int DetectByteExtractTest02(void)
719 {
720  int result = 0;
721 
722  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
723  if (bed == NULL)
724  goto end;
725 
726  if (bed->nbytes != 4 ||
727  bed->offset != 2 ||
728  strcmp(bed->name, "one") != 0 ||
729  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE ||
730  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
731  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
732  bed->align_value != 0 ||
733  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
734  goto end;
735  }
736 
737  result = 1;
738  end:
739  if (bed != NULL)
740  DetectByteExtractFree(NULL, bed);
741  return result;
742 }
743 
744 static int DetectByteExtractTest03(void)
745 {
746  int result = 0;
747 
748  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
749  if (bed == NULL)
750  goto end;
751 
752  if (bed->nbytes != 4 ||
753  bed->offset != 2 ||
754  strcmp(bed->name, "one") != 0 ||
755  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER ||
756  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
757  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
758  bed->align_value != 0 ||
759  bed->multiplier_value != 10) {
760  goto end;
761  }
762 
763  result = 1;
764  end:
765  if (bed != NULL)
766  DetectByteExtractFree(NULL, bed);
767  return result;
768 }
769 
770 static int DetectByteExtractTest04(void)
771 {
772  int result = 0;
773 
774  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
775  if (bed == NULL)
776  goto end;
777 
778  if (bed->nbytes != 4 ||
779  bed->offset != 2 ||
780  strcmp(bed->name, "one") != 0 ||
781  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
782  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
783  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
784  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
785  bed->align_value != 0 ||
786  bed->multiplier_value != 10) {
787  goto end;
788  }
789 
790  result = 1;
791  end:
792  if (bed != NULL)
793  DetectByteExtractFree(NULL, bed);
794  return result;
795 }
796 
797 static int DetectByteExtractTest05(void)
798 {
799  int result = 0;
800 
801  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
802  if (bed == NULL)
803  goto end;
804 
805  if (bed->nbytes != 4 ||
806  bed->offset != 2 ||
807  strcmp(bed->name, "one") != 0 ||
808  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
809  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
810  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
811  bed->align_value != 0 ||
812  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
813  goto end;
814  }
815 
816  result = 1;
817  end:
818  if (bed != NULL)
819  DetectByteExtractFree(NULL, bed);
820  return result;
821 }
822 
823 static int DetectByteExtractTest06(void)
824 {
825  int result = 0;
826 
827  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
828  if (bed == NULL)
829  goto end;
830 
831  if (bed->nbytes != 4 ||
832  bed->offset != 2 ||
833  strcmp(bed->name, "one") != 0 ||
834  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
835  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
836  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
837  bed->align_value != 0 ||
838  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
839  goto end;
840  }
841 
842  result = 1;
843  end:
844  if (bed != NULL)
845  DetectByteExtractFree(NULL, bed);
846  return result;
847 }
848 
849 static int DetectByteExtractTest07(void)
850 {
851  int result = 0;
852 
853  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
854  if (bed == NULL)
855  goto end;
856 
857  if (bed->nbytes != 4 ||
858  bed->offset != 2 ||
859  strcmp(bed->name, "one") != 0 ||
860  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
861  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
862  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
863  bed->align_value != 0 ||
864  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
865  goto end;
866  }
867 
868  result = 1;
869  end:
870  if (bed != NULL)
871  DetectByteExtractFree(NULL, bed);
872  return result;
873 }
874 
875 static int DetectByteExtractTest08(void)
876 {
877  int result = 0;
878 
879  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
880  if (bed == NULL)
881  goto end;
882 
883  if (bed->nbytes != 4 ||
884  bed->offset != 2 ||
885  strcmp(bed->name, "one") != 0 ||
886  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
887  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
888  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
889  bed->align_value != 0 ||
890  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
891  goto end;
892  }
893 
894  result = 1;
895  end:
896  if (bed != NULL)
897  DetectByteExtractFree(NULL, bed);
898  return result;
899 }
900 
901 static int DetectByteExtractTest09(void)
902 {
903  int result = 0;
904 
905  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
906  if (bed == NULL)
907  goto end;
908 
909  if (bed->nbytes != 4 ||
910  bed->offset != 2 ||
911  strcmp(bed->name, "one") != 0 ||
912  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
913  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
914  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT ||
915  bed->align_value != 0 ||
916  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
917  goto end;
918  }
919 
920  result = 1;
921  end:
922  if (bed != NULL)
923  DetectByteExtractFree(NULL, bed);
924  return result;
925 }
926 
927 static int DetectByteExtractTest10(void)
928 {
929  int result = 0;
930 
931  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
932  if (bed == NULL)
933  goto end;
934 
935  if (bed->nbytes != 4 ||
936  bed->offset != 2 ||
937  strcmp(bed->name, "one") != 0 ||
938  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
939  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
940  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC ||
941  bed->align_value != 0 ||
942  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
943  goto end;
944  }
945 
946  result = 1;
947  end:
948  if (bed != NULL)
949  DetectByteExtractFree(NULL, bed);
950  return result;
951 }
952 
953 static int DetectByteExtractTest11(void)
954 {
955  int result = 0;
956 
957  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
958  if (bed == NULL)
959  goto end;
960 
961  if (bed->nbytes != 4 ||
962  bed->offset != 2 ||
963  strcmp(bed->name, "one") != 0 ||
964  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN ||
965  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
966  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
967  bed->align_value != 4 ||
968  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
969  goto end;
970  }
971 
972  result = 1;
973  end:
974  if (bed != NULL)
975  DetectByteExtractFree(NULL, bed);
976  return result;
977 }
978 
979 static int DetectByteExtractTest12(void)
980 {
981  int result = 0;
982 
983  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
984  if (bed == NULL)
985  goto end;
986 
987  if (bed->nbytes != 4 ||
988  bed->offset != 2 ||
989  strcmp(bed->name, "one") != 0 ||
990  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
991  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
992  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
993  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
994  bed->align_value != 4 ||
995  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
996  goto end;
997  }
998 
999  result = 1;
1000  end:
1001  if (bed != NULL)
1002  DetectByteExtractFree(NULL, bed);
1003  return result;
1004 }
1005 
1006 static int DetectByteExtractTest13(void)
1007 {
1008  int result = 0;
1009 
1010  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
1011  if (bed == NULL)
1012  goto end;
1013 
1014  if (bed->nbytes != 4 ||
1015  bed->offset != 2 ||
1016  strcmp(bed->name, "one") != 0 ||
1017  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1018  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1019  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1020  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
1021  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1022  bed->align_value != 4 ||
1023  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1024  goto end;
1025  }
1026 
1027  result = 1;
1028  end:
1029  if (bed != NULL)
1030  DetectByteExtractFree(NULL, bed);
1031  return result;
1032 }
1033 
1034 static int DetectByteExtractTest14(void)
1035 {
1036  int result = 0;
1037 
1038  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
1039  if (bed == NULL)
1040  goto end;
1041 
1042  if (bed->nbytes != 4 ||
1043  bed->offset != 2 ||
1044  strcmp(bed->name, "one") != 0 ||
1045  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1046  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1047  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1048  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
1049  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1050  bed->align_value != 4 ||
1051  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1052  goto end;
1053  }
1054 
1055  result = 1;
1056  end:
1057  if (bed != NULL)
1058  DetectByteExtractFree(NULL, bed);
1059  return result;
1060 }
1061 
1062 static int DetectByteExtractTest15(void)
1063 {
1064  int result = 0;
1065 
1066  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
1067  if (bed == NULL)
1068  goto end;
1069 
1070  if (bed->nbytes != 4 ||
1071  bed->offset != 2 ||
1072  strcmp(bed->name, "one") != 0 ||
1073  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1074  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1075  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1076  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1077  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1078  bed->align_value != 4 ||
1079  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1080  goto end;
1081  }
1082 
1083  result = 1;
1084  end:
1085  if (bed != NULL)
1086  DetectByteExtractFree(NULL, bed);
1087  return result;
1088 }
1089 
1090 static int DetectByteExtractTest16(void)
1091 {
1092  int result = 0;
1093 
1094  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
1095  if (bed == NULL)
1096  goto end;
1097 
1098  if (bed->nbytes != 4 ||
1099  bed->offset != 2 ||
1100  strcmp(bed->name, "one") != 0 ||
1101  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1102  DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1103  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1104  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
1105  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1106  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1107  bed->align_value != 4 ||
1108  bed->multiplier_value != 2) {
1109  goto end;
1110  }
1111 
1112  result = 1;
1113  end:
1114  if (bed != NULL)
1115  DetectByteExtractFree(NULL, bed);
1116  return result;
1117 }
1118 
1119 static int DetectByteExtractTest17(void)
1120 {
1121  int result = 0;
1122 
1123  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1124  "relative, little, "
1125  "multiplier 2, string hex");
1126  if (bed != NULL)
1127  goto end;
1128 
1129  result = 1;
1130  end:
1131  if (bed != NULL)
1132  DetectByteExtractFree(NULL, bed);
1133  return result;
1134 }
1135 
1136 static int DetectByteExtractTest18(void)
1137 {
1138  int result = 0;
1139 
1140  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1141  "relative, little, "
1142  "multiplier 2, "
1143  "relative");
1144  if (bed != NULL)
1145  goto end;
1146 
1147  result = 1;
1148  end:
1149  if (bed != NULL)
1150  DetectByteExtractFree(NULL, bed);
1151  return result;
1152 }
1153 
1154 static int DetectByteExtractTest19(void)
1155 {
1156  int result = 0;
1157 
1158  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1159  "relative, little, "
1160  "multiplier 2, "
1161  "little");
1162  if (bed != NULL)
1163  goto end;
1164 
1165  result = 1;
1166  end:
1167  if (bed != NULL)
1168  DetectByteExtractFree(NULL, bed);
1169  return result;
1170 }
1171 
1172 static int DetectByteExtractTest20(void)
1173 {
1174  int result = 0;
1175 
1176  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1177  "relative, "
1178  "multiplier 2, "
1179  "align 2");
1180  if (bed != NULL)
1181  goto end;
1182 
1183  result = 1;
1184  end:
1185  if (bed != NULL)
1186  DetectByteExtractFree(NULL, bed);
1187  return result;
1188 }
1189 
1190 static int DetectByteExtractTest21(void)
1191 {
1192  int result = 0;
1193 
1194  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1195  "multiplier 2, "
1196  "relative, "
1197  "multiplier 2");
1198  if (bed != NULL)
1199  goto end;
1200 
1201  result = 1;
1202  end:
1203  if (bed != NULL)
1204  DetectByteExtractFree(NULL, bed);
1205  return result;
1206 }
1207 
1208 static int DetectByteExtractTest22(void)
1209 {
1210  int result = 0;
1211 
1212  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1213  "string hex, "
1214  "relative, "
1215  "string hex");
1216  if (bed != NULL)
1217  goto end;
1218 
1219  result = 1;
1220  end:
1221  if (bed != NULL)
1222  DetectByteExtractFree(NULL, bed);
1223  return result;
1224 }
1225 
1226 static int DetectByteExtractTest23(void)
1227 {
1228  int result = 0;
1229 
1230  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1231  "string hex, "
1232  "relative, "
1233  "string oct");
1234  if (bed != NULL)
1235  goto end;
1236 
1237  result = 1;
1238  end:
1239  if (bed != NULL)
1240  DetectByteExtractFree(NULL, bed);
1241  return result;
1242 }
1243 
1244 static int DetectByteExtractTest24(void)
1245 {
1246  int result = 0;
1247 
1248  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
1249  "string hex, "
1250  "relative");
1251  if (bed != NULL)
1252  goto end;
1253 
1254  result = 1;
1255  end:
1256  if (bed != NULL)
1257  DetectByteExtractFree(NULL, bed);
1258  return result;
1259 }
1260 
1261 static int DetectByteExtractTest25(void)
1262 {
1263  int result = 0;
1264 
1265  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
1266  "little, "
1267  "relative");
1268  if (bed != NULL)
1269  goto end;
1270 
1271  result = 1;
1272  end:
1273  if (bed != NULL)
1274  DetectByteExtractFree(NULL, bed);
1275  return result;
1276 }
1277 
1278 static int DetectByteExtractTest26(void)
1279 {
1280  int result = 0;
1281 
1282  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1283  "little, "
1284  "relative, "
1285  "multiplier 65536");
1286  if (bed != NULL)
1287  goto end;
1288 
1289  result = 1;
1290  end:
1291  if (bed != NULL)
1292  DetectByteExtractFree(NULL, bed);
1293  return result;
1294 }
1295 
1296 static int DetectByteExtractTest27(void)
1297 {
1298  int result = 0;
1299 
1300  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1301  "little, "
1302  "relative, "
1303  "multiplier 0");
1304  if (bed != NULL)
1305  goto end;
1306 
1307  result = 1;
1308  end:
1309  if (bed != NULL)
1310  DetectByteExtractFree(NULL, bed);
1311  return result;
1312 }
1313 
1314 static int DetectByteExtractTest28(void)
1315 {
1316  int result = 0;
1317 
1318  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
1319  if (bed == NULL)
1320  goto end;
1321 
1322  result = 1;
1323  end:
1324  if (bed != NULL)
1325  DetectByteExtractFree(NULL, bed);
1326  return result;
1327 }
1328 
1329 static int DetectByteExtractTest29(void)
1330 {
1331  int result = 0;
1332 
1333  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
1334  if (bed != NULL)
1335  goto end;
1336 
1337  result = 1;
1338  end:
1339  if (bed != NULL)
1340  DetectByteExtractFree(NULL, bed);
1341  return result;
1342 }
1343 
1344 static int DetectByteExtractTest30(void)
1345 {
1346  int result = 0;
1347 
1348  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1349  if (bed == NULL)
1350  goto end;
1351 
1352  result = 1;
1353  end:
1354  if (bed != NULL)
1355  DetectByteExtractFree(NULL, bed);
1356  return result;
1357 }
1358 
1359 static int DetectByteExtractTest31(void)
1360 {
1361  int result = 0;
1362 
1363  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1364  if (bed != NULL)
1365  goto end;
1366 
1367  result = 1;
1368  end:
1369  if (bed != NULL)
1370  DetectByteExtractFree(NULL, bed);
1371  return result;
1372 }
1373 
1374 static int DetectByteExtractTest32(void)
1375 {
1376  int result = 0;
1377 
1378  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1379  if (bed == NULL)
1380  goto end;
1381 
1382  result = 1;
1383  end:
1384  if (bed != NULL)
1385  DetectByteExtractFree(NULL, bed);
1386  return result;
1387 }
1388 
1389 static int DetectByteExtractTest33(void)
1390 {
1391  int result = 0;
1392 
1393  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1394  if (bed != NULL)
1395  goto end;
1396 
1397  result = 1;
1398  end:
1399  if (bed != NULL)
1400  DetectByteExtractFree(NULL, bed);
1401  return result;
1402 }
1403 
1404 static int DetectByteExtractTest34(void)
1405 {
1406  DetectEngineCtx *de_ctx = NULL;
1407  int result = 0;
1408  Signature *s = NULL;
1409  SigMatch *sm = NULL;
1410  DetectContentData *cd = NULL;
1411  DetectByteExtractData *bed = NULL;
1412 
1413  de_ctx = DetectEngineCtxInit();
1414  if (de_ctx == NULL)
1415  goto end;
1416 
1417  de_ctx->flags |= DE_QUIET;
1418  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1419  "(msg:\"Testing bytejump_body\"; "
1420  "content:\"one\"; "
1421  "byte_extract:4,2,two,relative,string,hex; "
1422  "sid:1;)");
1423  if (de_ctx->sig_list == NULL) {
1424  result = 0;
1425  goto end;
1426  }
1427 
1428  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1429  result = 0;
1430  goto end;
1431  }
1432 
1433  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1434  if (sm->type != DETECT_CONTENT) {
1435  result = 0;
1436  goto end;
1437  }
1438  cd = (DetectContentData *)sm->ctx;
1439  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1440  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1441  cd->flags & DETECT_CONTENT_NOCASE ||
1442  cd->flags & DETECT_CONTENT_WITHIN ||
1443  cd->flags & DETECT_CONTENT_DISTANCE ||
1444  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1445  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1446  cd->flags & DETECT_CONTENT_NEGATED ) {
1447  printf("one failed\n");
1448  result = 0;
1449  goto end;
1450  }
1451 
1452  sm = sm->next;
1453  if (sm->type != DETECT_BYTE_EXTRACT) {
1454  result = 0;
1455  goto end;
1456  }
1457  bed = (DetectByteExtractData *)sm->ctx;
1458  if (bed->nbytes != 4 ||
1459  bed->offset != 2 ||
1460  strncmp(bed->name, "two", cd->content_len) != 0 ||
1461  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1462  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1463  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1464  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1465  bed->align_value != 0 ||
1466  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1467  goto end;
1468  }
1469 
1470  result = 1;
1471 
1472  end:
1473  SigGroupCleanup(de_ctx);
1474  SigCleanSignatures(de_ctx);
1475  DetectEngineCtxFree(de_ctx);
1476 
1477  return result;
1478 }
1479 
1480 static int DetectByteExtractTest35(void)
1481 {
1482  DetectEngineCtx *de_ctx = NULL;
1483  int result = 0;
1484  Signature *s = NULL;
1485  SigMatch *sm = NULL;
1486  DetectContentData *cd = NULL;
1487  DetectPcreData *pd = NULL;
1488  DetectByteExtractData *bed = NULL;
1489 
1490  de_ctx = DetectEngineCtxInit();
1491  if (de_ctx == NULL)
1492  goto end;
1493 
1494  de_ctx->flags |= DE_QUIET;
1495  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1496  "(msg:\"Testing bytejump_body\"; "
1497  "content:\"one\"; pcre:/asf/; "
1498  "byte_extract:4,0,two,relative,string,hex; "
1499  "sid:1;)");
1500  if (de_ctx->sig_list == NULL) {
1501  result = 0;
1502  goto end;
1503  }
1504 
1505  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1506  result = 0;
1507  goto end;
1508  }
1509 
1510  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1511  if (sm->type != DETECT_CONTENT) {
1512  result = 0;
1513  goto end;
1514  }
1515  cd = (DetectContentData *)sm->ctx;
1516  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1517  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1518  cd->flags & DETECT_CONTENT_NOCASE ||
1519  cd->flags & DETECT_CONTENT_WITHIN ||
1520  cd->flags & DETECT_CONTENT_DISTANCE ||
1521  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1522  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1523  cd->flags & DETECT_CONTENT_NEGATED ) {
1524  printf("one failed\n");
1525  result = 0;
1526  goto end;
1527  }
1528 
1529  sm = sm->next;
1530  if (sm->type != DETECT_PCRE) {
1531  result = 0;
1532  goto end;
1533  }
1534  pd = (DetectPcreData *)sm->ctx;
1535  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1536  result = 0;
1537  goto end;
1538  }
1539 
1540  sm = sm->next;
1541  if (sm->type != DETECT_BYTE_EXTRACT) {
1542  result = 0;
1543  goto end;
1544  }
1545  bed = (DetectByteExtractData *)sm->ctx;
1546  if (bed->nbytes != 4 ||
1547  bed->offset != 0 ||
1548  strcmp(bed->name, "two") != 0 ||
1549  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1550  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1551  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1552  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1553  bed->align_value != 0 ||
1554  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1555  goto end;
1556  }
1557 
1558  result = 1;
1559 
1560  end:
1561  SigGroupCleanup(de_ctx);
1562  SigCleanSignatures(de_ctx);
1563  DetectEngineCtxFree(de_ctx);
1564 
1565  return result;
1566 }
1567 
1568 static int DetectByteExtractTest36(void)
1569 {
1570  DetectEngineCtx *de_ctx = NULL;
1571  int result = 0;
1572  Signature *s = NULL;
1573  SigMatch *sm = NULL;
1574  DetectContentData *cd = NULL;
1575  DetectBytejumpData *bjd = NULL;
1576  DetectByteExtractData *bed = NULL;
1577 
1578  de_ctx = DetectEngineCtxInit();
1579  if (de_ctx == NULL)
1580  goto end;
1581 
1582  de_ctx->flags |= DE_QUIET;
1583  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1584  "(msg:\"Testing bytejump_body\"; "
1585  "content:\"one\"; byte_jump:1,13; "
1586  "byte_extract:4,0,two,relative,string,hex; "
1587  "sid:1;)");
1588  if (de_ctx->sig_list == NULL) {
1589  result = 0;
1590  goto end;
1591  }
1592 
1593  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1594  result = 0;
1595  goto end;
1596  }
1597 
1598  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1599  if (sm->type != DETECT_CONTENT) {
1600  result = 0;
1601  goto end;
1602  }
1603  cd = (DetectContentData *)sm->ctx;
1604  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1605  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1606  cd->flags & DETECT_CONTENT_NOCASE ||
1607  cd->flags & DETECT_CONTENT_WITHIN ||
1608  cd->flags & DETECT_CONTENT_DISTANCE ||
1609  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1610  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1611  cd->flags & DETECT_CONTENT_NEGATED ) {
1612  printf("one failed\n");
1613  result = 0;
1614  goto end;
1615  }
1616 
1617  sm = sm->next;
1618  if (sm->type != DETECT_BYTEJUMP) {
1619  result = 0;
1620  goto end;
1621  }
1622  bjd = (DetectBytejumpData *)sm->ctx;
1623  if (bjd->flags != 0) {
1624  result = 0;
1625  goto end;
1626  }
1627 
1628  sm = sm->next;
1629  if (sm->type != DETECT_BYTE_EXTRACT) {
1630  result = 0;
1631  goto end;
1632  }
1633  bed = (DetectByteExtractData *)sm->ctx;
1634  if (bed->nbytes != 4 ||
1635  bed->offset != 0 ||
1636  strcmp(bed->name, "two") != 0 ||
1637  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1638  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1639  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1640  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1641  bed->align_value != 0 ||
1642  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1643  goto end;
1644  }
1645 
1646  result = 1;
1647 
1648  end:
1649  SigGroupCleanup(de_ctx);
1650  SigCleanSignatures(de_ctx);
1651  DetectEngineCtxFree(de_ctx);
1652 
1653  return result;
1654 }
1655 
1656 static int DetectByteExtractTest37(void)
1657 {
1658  DetectEngineCtx *de_ctx = NULL;
1659  int result = 0;
1660  Signature *s = NULL;
1661  SigMatch *sm = NULL;
1662  DetectContentData *cd = NULL;
1663  DetectContentData *ud = NULL;
1664  DetectByteExtractData *bed = NULL;
1665 
1666  de_ctx = DetectEngineCtxInit();
1667  if (de_ctx == NULL)
1668  goto end;
1669 
1670  de_ctx->flags |= DE_QUIET;
1671  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1672  "(msg:\"Testing bytejump_body\"; "
1673  "content:\"one\"; uricontent:\"two\"; "
1674  "byte_extract:4,0,two,relative,string,hex; "
1675  "sid:1;)");
1676  if (de_ctx->sig_list == NULL) {
1677  result = 0;
1678  goto end;
1679  }
1680 
1681  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1682  result = 0;
1683  goto end;
1684  }
1685 
1686  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1687  if (sm->type != DETECT_CONTENT) {
1688  result = 0;
1689  goto end;
1690  }
1691  cd = (DetectContentData *)sm->ctx;
1692  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1693  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1694  cd->flags & DETECT_CONTENT_NOCASE ||
1695  cd->flags & DETECT_CONTENT_WITHIN ||
1696  cd->flags & DETECT_CONTENT_DISTANCE ||
1697  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1698  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1699  cd->flags & DETECT_CONTENT_NEGATED ) {
1700  printf("one failed\n");
1701  result = 0;
1702  goto end;
1703  }
1704 
1705  if (sm->next != NULL) {
1706  result = 0;
1707  goto end;
1708  }
1709 
1710  sm = s->sm_lists[g_http_uri_buffer_id];
1711  if (sm->type != DETECT_CONTENT) {
1712  result = 0;
1713  goto end;
1714  }
1715  ud = (DetectContentData *)sm->ctx;
1716  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1717  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1718  ud->flags & DETECT_CONTENT_NOCASE ||
1719  ud->flags & DETECT_CONTENT_WITHIN ||
1720  ud->flags & DETECT_CONTENT_DISTANCE ||
1721  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1722  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1723  ud->flags & DETECT_CONTENT_NEGATED ) {
1724  printf("two failed\n");
1725  result = 0;
1726  goto end;
1727  }
1728 
1729  sm = sm->next;
1730  if (sm->type != DETECT_BYTE_EXTRACT) {
1731  result = 0;
1732  goto end;
1733  }
1734  bed = (DetectByteExtractData *)sm->ctx;
1735  if (bed->nbytes != 4 ||
1736  bed->offset != 0 ||
1737  strcmp(bed->name, "two") != 0 ||
1738  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1739  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1740  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1741  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1742  bed->align_value != 0 ||
1743  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1744  goto end;
1745  }
1746 
1747  result = 1;
1748 
1749  end:
1750  SigGroupCleanup(de_ctx);
1751  SigCleanSignatures(de_ctx);
1752  DetectEngineCtxFree(de_ctx);
1753 
1754  return result;
1755 }
1756 
1757 static int DetectByteExtractTest38(void)
1758 {
1759  DetectEngineCtx *de_ctx = NULL;
1760  int result = 0;
1761  Signature *s = NULL;
1762  SigMatch *sm = NULL;
1763  DetectContentData *cd = NULL;
1764  DetectContentData *ud = NULL;
1765  DetectByteExtractData *bed = NULL;
1766 
1767  de_ctx = DetectEngineCtxInit();
1768  if (de_ctx == NULL)
1769  goto end;
1770 
1771  de_ctx->flags |= DE_QUIET;
1772  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1773  "(msg:\"Testing bytejump_body\"; "
1774  "content:\"one\"; uricontent:\"two\"; "
1775  "byte_extract:4,0,two,string,hex; "
1776  "sid:1;)");
1777  if (de_ctx->sig_list == NULL) {
1778  result = 0;
1779  goto end;
1780  }
1781 
1782  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1783  result = 0;
1784  goto end;
1785  }
1786 
1787  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1788  if (sm->type != DETECT_CONTENT) {
1789  result = 0;
1790  goto end;
1791  }
1792  cd = (DetectContentData *)sm->ctx;
1793  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1794  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1795  cd->flags & DETECT_CONTENT_NOCASE ||
1796  cd->flags & DETECT_CONTENT_WITHIN ||
1797  cd->flags & DETECT_CONTENT_DISTANCE ||
1798  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1799  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1800  cd->flags & DETECT_CONTENT_NEGATED ) {
1801  printf("one failed\n");
1802  result = 0;
1803  goto end;
1804  }
1805 
1806  sm = sm->next;
1807  if (sm->type != DETECT_BYTE_EXTRACT) {
1808  result = 0;
1809  goto end;
1810  }
1811  bed = (DetectByteExtractData *)sm->ctx;
1812  if (bed->nbytes != 4 ||
1813  bed->offset != 0 ||
1814  strcmp(bed->name, "two") != 0 ||
1815  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
1816  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1817  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1818  bed->align_value != 0 ||
1819  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1820  goto end;
1821  }
1822 
1823  sm = s->sm_lists[g_http_uri_buffer_id];
1824  if (sm->type != DETECT_CONTENT) {
1825  result = 0;
1826  goto end;
1827  }
1828  ud = (DetectContentData *)sm->ctx;
1829  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1830  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1831  ud->flags & DETECT_CONTENT_NOCASE ||
1832  ud->flags & DETECT_CONTENT_WITHIN ||
1833  ud->flags & DETECT_CONTENT_DISTANCE ||
1834  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1835  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1836  ud->flags & DETECT_CONTENT_NEGATED ) {
1837  printf("two failed\n");
1838  result = 0;
1839  goto end;
1840  }
1841 
1842  if (sm->next != NULL) {
1843  result = 0;
1844  goto end;
1845  }
1846 
1847  result = 1;
1848 
1849  end:
1850  SigGroupCleanup(de_ctx);
1851  SigCleanSignatures(de_ctx);
1852  DetectEngineCtxFree(de_ctx);
1853 
1854  return result;
1855 }
1856 
1857 static int DetectByteExtractTest39(void)
1858 {
1859  DetectEngineCtx *de_ctx = NULL;
1860  int result = 0;
1861  Signature *s = NULL;
1862  SigMatch *sm = NULL;
1863  DetectContentData *cd = NULL;
1864  DetectContentData *ud = NULL;
1865  DetectByteExtractData *bed = NULL;
1866 
1867  de_ctx = DetectEngineCtxInit();
1868  if (de_ctx == NULL)
1869  goto end;
1870 
1871  de_ctx->flags |= DE_QUIET;
1872  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1873  "(msg:\"Testing bytejump_body\"; "
1874  "content:\"one\"; content:\"two\"; http_uri; "
1875  "byte_extract:4,0,two,relative,string,hex; "
1876  "sid:1;)");
1877  if (de_ctx->sig_list == NULL) {
1878  result = 0;
1879  goto end;
1880  }
1881 
1882  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1883  result = 0;
1884  goto end;
1885  }
1886 
1887  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1888  if (sm->type != DETECT_CONTENT) {
1889  result = 0;
1890  goto end;
1891  }
1892  cd = (DetectContentData *)sm->ctx;
1893  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1894  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1895  cd->flags & DETECT_CONTENT_NOCASE ||
1896  cd->flags & DETECT_CONTENT_WITHIN ||
1897  cd->flags & DETECT_CONTENT_DISTANCE ||
1898  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1899  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1900  cd->flags & DETECT_CONTENT_NEGATED ) {
1901  printf("one failed\n");
1902  result = 0;
1903  goto end;
1904  }
1905 
1906  if (sm->next != NULL) {
1907  result = 0;
1908  goto end;
1909  }
1910 
1911  sm = s->sm_lists[g_http_uri_buffer_id];
1912  if (sm->type != DETECT_CONTENT) {
1913  result = 0;
1914  goto end;
1915  }
1916  ud = (DetectContentData *)sm->ctx;
1917  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1918  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1919  ud->flags & DETECT_CONTENT_NOCASE ||
1920  ud->flags & DETECT_CONTENT_WITHIN ||
1921  ud->flags & DETECT_CONTENT_DISTANCE ||
1922  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1923  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1924  ud->flags & DETECT_CONTENT_NEGATED ) {
1925  printf("two failed\n");
1926  result = 0;
1927  goto end;
1928  }
1929 
1930  sm = sm->next;
1931  if (sm->type != DETECT_BYTE_EXTRACT) {
1932  result = 0;
1933  goto end;
1934  }
1935  bed = (DetectByteExtractData *)sm->ctx;
1936  if (bed->nbytes != 4 ||
1937  bed->offset != 0 ||
1938  strcmp(bed->name, "two") != 0 ||
1939  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1940  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1941  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1942  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1943  bed->align_value != 0 ||
1944  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1945  goto end;
1946  }
1947 
1948  result = 1;
1949 
1950  end:
1951  SigGroupCleanup(de_ctx);
1952  SigCleanSignatures(de_ctx);
1953  DetectEngineCtxFree(de_ctx);
1954 
1955  return result;
1956 }
1957 
1958 static int DetectByteExtractTest40(void)
1959 {
1960  DetectEngineCtx *de_ctx = NULL;
1961  int result = 0;
1962  Signature *s = NULL;
1963  SigMatch *sm = NULL;
1964  DetectContentData *cd = NULL;
1965  DetectContentData *ud = NULL;
1966  DetectByteExtractData *bed = NULL;
1967 
1968  de_ctx = DetectEngineCtxInit();
1969  if (de_ctx == NULL)
1970  goto end;
1971 
1972  de_ctx->flags |= DE_QUIET;
1973  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1974  "(msg:\"Testing bytejump_body\"; "
1975  "content:\"one\"; content:\"two\"; http_uri; "
1976  "byte_extract:4,0,two,string,hex; "
1977  "sid:1;)");
1978  if (de_ctx->sig_list == NULL) {
1979  result = 0;
1980  goto end;
1981  }
1982 
1983  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1984  result = 0;
1985  goto end;
1986  }
1987 
1988  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1989  if (sm->type != DETECT_CONTENT) {
1990  result = 0;
1991  goto end;
1992  }
1993  cd = (DetectContentData *)sm->ctx;
1994  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1995  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1996  cd->flags & DETECT_CONTENT_NOCASE ||
1997  cd->flags & DETECT_CONTENT_WITHIN ||
1998  cd->flags & DETECT_CONTENT_DISTANCE ||
1999  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2000  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2001  cd->flags & DETECT_CONTENT_NEGATED ) {
2002  printf("one failed\n");
2003  result = 0;
2004  goto end;
2005  }
2006 
2007  sm = sm->next;
2008  if (sm->type != DETECT_BYTE_EXTRACT) {
2009  result = 0;
2010  goto end;
2011  }
2012  bed = (DetectByteExtractData *)sm->ctx;
2013  if (bed->nbytes != 4 ||
2014  bed->offset != 0 ||
2015  strcmp(bed->name, "two") != 0 ||
2016  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
2017  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2018  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2019  bed->align_value != 0 ||
2020  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2021  goto end;
2022  }
2023 
2024  sm = s->sm_lists[g_http_uri_buffer_id];
2025  if (sm->type != DETECT_CONTENT) {
2026  result = 0;
2027  goto end;
2028  }
2029  ud = (DetectContentData *)sm->ctx;
2030  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2031  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
2032  ud->flags & DETECT_CONTENT_NOCASE ||
2033  ud->flags & DETECT_CONTENT_WITHIN ||
2034  ud->flags & DETECT_CONTENT_DISTANCE ||
2035  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2036  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2037  ud->flags & DETECT_CONTENT_NEGATED ) {
2038  printf("two failed\n");
2039  result = 0;
2040  goto end;
2041  }
2042 
2043  if (sm->next != NULL) {
2044  result = 0;
2045  goto end;
2046  }
2047 
2048  result = 1;
2049 
2050  end:
2051  SigGroupCleanup(de_ctx);
2052  SigCleanSignatures(de_ctx);
2053  DetectEngineCtxFree(de_ctx);
2054 
2055  return result;
2056 }
2057 
2058 static int DetectByteExtractTest41(void)
2059 {
2060  DetectEngineCtx *de_ctx = NULL;
2061  int result = 0;
2062  Signature *s = NULL;
2063  SigMatch *sm = NULL;
2064  DetectContentData *cd = NULL;
2065  DetectByteExtractData *bed = NULL;
2066 
2067  de_ctx = DetectEngineCtxInit();
2068  if (de_ctx == NULL)
2069  goto end;
2070 
2071  de_ctx->flags |= DE_QUIET;
2072  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2073  "(msg:\"Testing bytejump_body\"; "
2074  "content:\"one\"; "
2075  "byte_extract:4,0,two,string,hex; "
2076  "byte_extract:4,0,three,string,hex; "
2077  "sid:1;)");
2078  if (de_ctx->sig_list == NULL) {
2079  result = 0;
2080  goto end;
2081  }
2082 
2083  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2084  result = 0;
2085  goto end;
2086  }
2087 
2088  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2089  if (sm->type != DETECT_CONTENT) {
2090  result = 0;
2091  goto end;
2092  }
2093  cd = (DetectContentData *)sm->ctx;
2094  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2095  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2096  cd->flags & DETECT_CONTENT_NOCASE ||
2097  cd->flags & DETECT_CONTENT_WITHIN ||
2098  cd->flags & DETECT_CONTENT_DISTANCE ||
2099  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2100  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2101  cd->flags & DETECT_CONTENT_NEGATED ) {
2102  printf("one failed\n");
2103  result = 0;
2104  goto end;
2105  }
2106 
2107  sm = sm->next;
2108  if (sm->type != DETECT_BYTE_EXTRACT) {
2109  result = 0;
2110  goto end;
2111  }
2112  bed = (DetectByteExtractData *)sm->ctx;
2113  if (bed->nbytes != 4 ||
2114  bed->offset != 0 ||
2115  strcmp(bed->name, "two") != 0 ||
2116  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2117  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2118  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2119  bed->align_value != 0 ||
2120  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2121  goto end;
2122  }
2123  if (bed->local_id != 0) {
2124  result = 0;
2125  goto end;
2126  }
2127 
2128  sm = sm->next;
2129  if (sm->type != DETECT_BYTE_EXTRACT) {
2130  result = 0;
2131  goto end;
2132  }
2133  bed = (DetectByteExtractData *)sm->ctx;
2134  if (bed->nbytes != 4 ||
2135  bed->offset != 0 ||
2136  strcmp(bed->name, "three") != 0 ||
2137  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2138  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2139  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2140  bed->align_value != 0 ||
2141  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2142  goto end;
2143  }
2144  if (bed->local_id != 1) {
2145  result = 0;
2146  goto end;
2147  }
2148 
2149  result = 1;
2150 
2151  end:
2152  SigGroupCleanup(de_ctx);
2153  SigCleanSignatures(de_ctx);
2154  DetectEngineCtxFree(de_ctx);
2155 
2156  return result;
2157 }
2158 
2159 static int DetectByteExtractTest42(void)
2160 {
2161  DetectEngineCtx *de_ctx = NULL;
2162  int result = 0;
2163  Signature *s = NULL;
2164  SigMatch *sm = NULL;
2165  DetectContentData *cd = NULL;
2166  DetectContentData *ud = NULL;
2167  DetectByteExtractData *bed = NULL;
2168 
2169  de_ctx = DetectEngineCtxInit();
2170  if (de_ctx == NULL)
2171  goto end;
2172 
2173  de_ctx->flags |= DE_QUIET;
2174  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2175  "(msg:\"Testing bytejump_body\"; "
2176  "content:\"one\"; "
2177  "byte_extract:4,0,two,string,hex; "
2178  "uricontent: \"three\"; "
2179  "byte_extract:4,0,four,string,hex,relative; "
2180  "byte_extract:4,0,five,string,hex; "
2181  "sid:1;)");
2182  if (de_ctx->sig_list == NULL) {
2183  result = 0;
2184  goto end;
2185  }
2186 
2187  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2188  result = 0;
2189  goto end;
2190  }
2191 
2192  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2193  if (sm->type != DETECT_CONTENT) {
2194  result = 0;
2195  goto end;
2196  }
2197  cd = (DetectContentData *)sm->ctx;
2198  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2199  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2200  cd->flags & DETECT_CONTENT_NOCASE ||
2201  cd->flags & DETECT_CONTENT_WITHIN ||
2202  cd->flags & DETECT_CONTENT_DISTANCE ||
2203  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2204  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2205  cd->flags & DETECT_CONTENT_NEGATED ) {
2206  printf("one failed\n");
2207  result = 0;
2208  goto end;
2209  }
2210 
2211  sm = sm->next;
2212  if (sm->type != DETECT_BYTE_EXTRACT) {
2213  result = 0;
2214  goto end;
2215  }
2216  bed = (DetectByteExtractData *)sm->ctx;
2217  if (bed->nbytes != 4 ||
2218  bed->offset != 0 ||
2219  strcmp(bed->name, "two") != 0 ||
2220  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2221  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2222  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2223  bed->align_value != 0 ||
2224  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2225  goto end;
2226  }
2227  if (bed->local_id != 0) {
2228  result = 0;
2229  goto end;
2230  }
2231 
2232  sm = sm->next;
2233  if (sm->type != DETECT_BYTE_EXTRACT) {
2234  result = 0;
2235  goto end;
2236  }
2237  bed = (DetectByteExtractData *)sm->ctx;
2238  if (bed->nbytes != 4 ||
2239  bed->offset != 0 ||
2240  strcmp(bed->name, "five") != 0 ||
2241  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2242  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2243  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2244  bed->align_value != 0 ||
2245  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2246  goto end;
2247  }
2248  if (bed->local_id != 1) {
2249  result = 0;
2250  goto end;
2251  }
2252 
2253  if (sm->next != NULL)
2254  goto end;
2255 
2256  sm = s->sm_lists[g_http_uri_buffer_id];
2257  if (sm->type != DETECT_CONTENT) {
2258  result = 0;
2259  goto end;
2260  }
2261  ud = (DetectContentData *)sm->ctx;
2262  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2263  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
2264  ud->flags & DETECT_CONTENT_NOCASE ||
2265  ud->flags & DETECT_CONTENT_WITHIN ||
2266  ud->flags & DETECT_CONTENT_DISTANCE ||
2267  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2268  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2269  ud->flags & DETECT_CONTENT_NEGATED ) {
2270  printf("two failed\n");
2271  result = 0;
2272  goto end;
2273  }
2274 
2275  sm = sm->next;
2276  if (sm->type != DETECT_BYTE_EXTRACT) {
2277  result = 0;
2278  goto end;
2279  }
2280  bed = (DetectByteExtractData *)sm->ctx;
2281  if (bed->nbytes != 4 ||
2282  bed->offset != 0 ||
2283  strcmp(bed->name, "four") != 0 ||
2284  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
2285  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
2286  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2287  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2288  bed->align_value != 0 ||
2289  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2290  goto end;
2291  }
2292  if (bed->local_id != 0) {
2293  result = 0;
2294  goto end;
2295  }
2296 
2297  if (sm->next != NULL)
2298  goto end;
2299 
2300  result = 1;
2301 
2302  end:
2303  SigGroupCleanup(de_ctx);
2304  SigCleanSignatures(de_ctx);
2305  DetectEngineCtxFree(de_ctx);
2306 
2307  return result;
2308 }
2309 
2310 static int DetectByteExtractTest43(void)
2311 {
2312  DetectEngineCtx *de_ctx = NULL;
2313  int result = 0;
2314  Signature *s = NULL;
2315  SigMatch *sm = NULL;
2316  DetectContentData *cd = NULL;
2317  DetectByteExtractData *bed = NULL;
2318 
2319  de_ctx = DetectEngineCtxInit();
2320  if (de_ctx == NULL)
2321  goto end;
2322 
2323  de_ctx->flags |= DE_QUIET;
2324  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2325  "(msg:\"Testing bytejump_body\"; "
2326  "content:\"one\"; "
2327  "byte_extract:4,0,two,string,hex; "
2328  "content: \"three\"; offset:two; "
2329  "sid:1;)");
2330  if (de_ctx->sig_list == NULL) {
2331  result = 0;
2332  goto end;
2333  }
2334 
2335  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2336  result = 0;
2337  goto end;
2338  }
2339 
2340  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2341  if (sm->type != DETECT_CONTENT) {
2342  result = 0;
2343  goto end;
2344  }
2345  cd = (DetectContentData *)sm->ctx;
2346  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2347  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2348  cd->flags & DETECT_CONTENT_NOCASE ||
2349  cd->flags & DETECT_CONTENT_WITHIN ||
2350  cd->flags & DETECT_CONTENT_DISTANCE ||
2351  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2352  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2353  cd->flags & DETECT_CONTENT_NEGATED ) {
2354  printf("one failed\n");
2355  result = 0;
2356  goto end;
2357  }
2358 
2359  sm = sm->next;
2360  if (sm->type != DETECT_BYTE_EXTRACT) {
2361  result = 0;
2362  goto end;
2363  }
2364  bed = (DetectByteExtractData *)sm->ctx;
2365  if (bed->nbytes != 4 ||
2366  bed->offset != 0 ||
2367  strcmp(bed->name, "two") != 0 ||
2368  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2369  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2370  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2371  bed->align_value != 0 ||
2372  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2373  goto end;
2374  }
2375  if (bed->local_id != 0) {
2376  result = 0;
2377  goto end;
2378  }
2379 
2380  sm = sm->next;
2381  if (sm->type != DETECT_CONTENT) {
2382  result = 0;
2383  goto end;
2384  }
2385  cd = (DetectContentData *)sm->ctx;
2386  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2387  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2388  DETECT_CONTENT_OFFSET) ||
2389  cd->offset != bed->local_id) {
2390  printf("three failed\n");
2391  result = 0;
2392  goto end;
2393  }
2394 
2395  if (sm->next != NULL)
2396  goto end;
2397 
2398  result = 1;
2399 
2400  end:
2401  SigGroupCleanup(de_ctx);
2402  SigCleanSignatures(de_ctx);
2403  DetectEngineCtxFree(de_ctx);
2404 
2405  return result;
2406 }
2407 
2408 static int DetectByteExtractTest44(void)
2409 {
2410  DetectEngineCtx *de_ctx = NULL;
2411  int result = 0;
2412  Signature *s = NULL;
2413  SigMatch *sm = NULL;
2414  DetectContentData *cd = NULL;
2415  DetectByteExtractData *bed1 = NULL;
2416  DetectByteExtractData *bed2 = NULL;
2417 
2418  de_ctx = DetectEngineCtxInit();
2419  if (de_ctx == NULL)
2420  goto end;
2421 
2422  de_ctx->flags |= DE_QUIET;
2423  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2424  "(msg:\"Testing bytejump_body\"; "
2425  "content:\"one\"; "
2426  "byte_extract:4,0,two,string,hex; "
2427  "byte_extract:4,0,three,string,hex; "
2428  "content: \"four\"; offset:two; "
2429  "content: \"five\"; offset:three; "
2430  "sid:1;)");
2431  if (de_ctx->sig_list == NULL) {
2432  result = 0;
2433  goto end;
2434  }
2435 
2436  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2437  result = 0;
2438  goto end;
2439  }
2440 
2441  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2442  if (sm->type != DETECT_CONTENT) {
2443  result = 0;
2444  goto end;
2445  }
2446  cd = (DetectContentData *)sm->ctx;
2447  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2448  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2449  cd->flags & DETECT_CONTENT_NOCASE ||
2450  cd->flags & DETECT_CONTENT_WITHIN ||
2451  cd->flags & DETECT_CONTENT_DISTANCE ||
2452  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2453  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2454  cd->flags & DETECT_CONTENT_NEGATED ) {
2455  printf("one failed\n");
2456  result = 0;
2457  goto end;
2458  }
2459 
2460  sm = sm->next;
2461  if (sm->type != DETECT_BYTE_EXTRACT) {
2462  result = 0;
2463  goto end;
2464  }
2465  bed1 = (DetectByteExtractData *)sm->ctx;
2466  if (bed1->nbytes != 4 ||
2467  bed1->offset != 0 ||
2468  strcmp(bed1->name, "two") != 0 ||
2469  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2470  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2471  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2472  bed1->align_value != 0 ||
2473  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2474  goto end;
2475  }
2476  if (bed1->local_id != 0) {
2477  result = 0;
2478  goto end;
2479  }
2480 
2481  sm = sm->next;
2482  if (sm->type != DETECT_BYTE_EXTRACT) {
2483  result = 0;
2484  goto end;
2485  }
2486  bed2 = (DetectByteExtractData *)sm->ctx;
2487 
2488  sm = sm->next;
2489  if (sm->type != DETECT_CONTENT) {
2490  result = 0;
2491  goto end;
2492  }
2493  cd = (DetectContentData *)sm->ctx;
2494  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2495  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2496  DETECT_CONTENT_OFFSET) ||
2497  cd->offset != bed1->local_id) {
2498  printf("four failed\n");
2499  result = 0;
2500  goto end;
2501  }
2502 
2503  sm = sm->next;
2504  if (sm->type != DETECT_CONTENT) {
2505  result = 0;
2506  goto end;
2507  }
2508  cd = (DetectContentData *)sm->ctx;
2509  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2510  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2511  DETECT_CONTENT_OFFSET) ||
2512  cd->offset != bed2->local_id) {
2513  printf("five failed\n");
2514  result = 0;
2515  goto end;
2516  }
2517 
2518  if (sm->next != NULL)
2519  goto end;
2520 
2521  result = 1;
2522 
2523  end:
2524  SigGroupCleanup(de_ctx);
2525  SigCleanSignatures(de_ctx);
2526  DetectEngineCtxFree(de_ctx);
2527 
2528  return result;
2529 }
2530 
2531 static int DetectByteExtractTest45(void)
2532 {
2533  DetectEngineCtx *de_ctx = NULL;
2534  int result = 0;
2535  Signature *s = NULL;
2536  SigMatch *sm = NULL;
2537  DetectContentData *cd = NULL;
2538  DetectByteExtractData *bed = NULL;
2539 
2540  de_ctx = DetectEngineCtxInit();
2541  if (de_ctx == NULL)
2542  goto end;
2543 
2544  de_ctx->flags |= DE_QUIET;
2545  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2546  "(msg:\"Testing bytejump_body\"; "
2547  "content:\"one\"; "
2548  "byte_extract:4,0,two,string,hex; "
2549  "content: \"three\"; depth:two; "
2550  "sid:1;)");
2551  if (de_ctx->sig_list == NULL) {
2552  result = 0;
2553  goto end;
2554  }
2555 
2556  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2557  result = 0;
2558  goto end;
2559  }
2560 
2561  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2562  if (sm->type != DETECT_CONTENT) {
2563  result = 0;
2564  goto end;
2565  }
2566  cd = (DetectContentData *)sm->ctx;
2567  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2568  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2569  cd->flags & DETECT_CONTENT_NOCASE ||
2570  cd->flags & DETECT_CONTENT_WITHIN ||
2571  cd->flags & DETECT_CONTENT_DISTANCE ||
2572  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2573  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2574  cd->flags & DETECT_CONTENT_NEGATED ) {
2575  printf("one failed\n");
2576  result = 0;
2577  goto end;
2578  }
2579 
2580  sm = sm->next;
2581  if (sm->type != DETECT_BYTE_EXTRACT) {
2582  result = 0;
2583  goto end;
2584  }
2585  bed = (DetectByteExtractData *)sm->ctx;
2586  if (bed->nbytes != 4 ||
2587  bed->offset != 0 ||
2588  strcmp(bed->name, "two") != 0 ||
2589  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2590  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2591  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2592  bed->align_value != 0 ||
2593  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2594  goto end;
2595  }
2596  if (bed->local_id != 0) {
2597  result = 0;
2598  goto end;
2599  }
2600 
2601  sm = sm->next;
2602  if (sm->type != DETECT_CONTENT) {
2603  result = 0;
2604  goto end;
2605  }
2606  cd = (DetectContentData *)sm->ctx;
2607  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2608  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2609  DETECT_CONTENT_DEPTH) ||
2610  cd->depth != bed->local_id ||
2611  cd->offset != 0) {
2612  printf("three failed\n");
2613  result = 0;
2614  goto end;
2615  }
2616 
2617  if (sm->next != NULL)
2618  goto end;
2619 
2620  result = 1;
2621 
2622  end:
2623  SigGroupCleanup(de_ctx);
2624  SigCleanSignatures(de_ctx);
2625  DetectEngineCtxFree(de_ctx);
2626 
2627  return result;
2628 }
2629 
2630 static int DetectByteExtractTest46(void)
2631 {
2632  DetectEngineCtx *de_ctx = NULL;
2633  int result = 0;
2634  Signature *s = NULL;
2635  SigMatch *sm = NULL;
2636  DetectContentData *cd = NULL;
2637  DetectByteExtractData *bed1 = NULL;
2638  DetectByteExtractData *bed2 = NULL;
2639 
2640  de_ctx = DetectEngineCtxInit();
2641  if (de_ctx == NULL)
2642  goto end;
2643 
2644  de_ctx->flags |= DE_QUIET;
2645  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2646  "(msg:\"Testing bytejump_body\"; "
2647  "content:\"one\"; "
2648  "byte_extract:4,0,two,string,hex; "
2649  "byte_extract:4,0,three,string,hex; "
2650  "content: \"four\"; depth:two; "
2651  "content: \"five\"; depth:three; "
2652  "sid:1;)");
2653  if (de_ctx->sig_list == NULL) {
2654  result = 0;
2655  goto end;
2656  }
2657 
2658  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2659  result = 0;
2660  goto end;
2661  }
2662 
2663  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2664  if (sm->type != DETECT_CONTENT) {
2665  result = 0;
2666  goto end;
2667  }
2668  cd = (DetectContentData *)sm->ctx;
2669  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2670  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2671  cd->flags & DETECT_CONTENT_NOCASE ||
2672  cd->flags & DETECT_CONTENT_WITHIN ||
2673  cd->flags & DETECT_CONTENT_DISTANCE ||
2674  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2675  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2676  cd->flags & DETECT_CONTENT_NEGATED ) {
2677  printf("one failed\n");
2678  result = 0;
2679  goto end;
2680  }
2681 
2682  sm = sm->next;
2683  if (sm->type != DETECT_BYTE_EXTRACT) {
2684  result = 0;
2685  goto end;
2686  }
2687  bed1 = (DetectByteExtractData *)sm->ctx;
2688  if (bed1->nbytes != 4 ||
2689  bed1->offset != 0 ||
2690  strcmp(bed1->name, "two") != 0 ||
2691  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2692  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2693  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2694  bed1->align_value != 0 ||
2695  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2696  goto end;
2697  }
2698  if (bed1->local_id != 0) {
2699  result = 0;
2700  goto end;
2701  }
2702 
2703  sm = sm->next;
2704  if (sm->type != DETECT_BYTE_EXTRACT) {
2705  result = 0;
2706  goto end;
2707  }
2708  bed2 = (DetectByteExtractData *)sm->ctx;
2709 
2710  sm = sm->next;
2711  if (sm->type != DETECT_CONTENT) {
2712  result = 0;
2713  goto end;
2714  }
2715  cd = (DetectContentData *)sm->ctx;
2716  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2717  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2718  DETECT_CONTENT_DEPTH) ||
2719  cd->depth != bed1->local_id) {
2720  printf("four failed\n");
2721  result = 0;
2722  goto end;
2723  }
2724 
2725  sm = sm->next;
2726  if (sm->type != DETECT_CONTENT) {
2727  result = 0;
2728  goto end;
2729  }
2730  cd = (DetectContentData *)sm->ctx;
2731  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2732  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2733  DETECT_CONTENT_DEPTH) ||
2734  cd->depth != bed2->local_id) {
2735  printf("five failed\n");
2736  result = 0;
2737  goto end;
2738  }
2739 
2740  if (sm->next != NULL)
2741  goto end;
2742 
2743  result = 1;
2744 
2745  end:
2746  SigGroupCleanup(de_ctx);
2747  SigCleanSignatures(de_ctx);
2748  DetectEngineCtxFree(de_ctx);
2749 
2750  return result;
2751 }
2752 
2753 static int DetectByteExtractTest47(void)
2754 {
2755  DetectEngineCtx *de_ctx = NULL;
2756  int result = 0;
2757  Signature *s = NULL;
2758  SigMatch *sm = NULL;
2759  DetectContentData *cd = NULL;
2760  DetectByteExtractData *bed = NULL;
2761 
2762  de_ctx = DetectEngineCtxInit();
2763  if (de_ctx == NULL)
2764  goto end;
2765 
2766  de_ctx->flags |= DE_QUIET;
2767  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2768  "(msg:\"Testing bytejump_body\"; "
2769  "content:\"one\"; "
2770  "byte_extract:4,0,two,string,hex; "
2771  "content: \"three\"; distance:two; "
2772  "sid:1;)");
2773  if (de_ctx->sig_list == NULL) {
2774  result = 0;
2775  goto end;
2776  }
2777 
2778  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2779  result = 0;
2780  goto end;
2781  }
2782 
2783  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2784  if (sm->type != DETECT_CONTENT) {
2785  result = 0;
2786  goto end;
2787  }
2788  cd = (DetectContentData *)sm->ctx;
2789  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2790  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2791  cd->flags & DETECT_CONTENT_NOCASE ||
2792  cd->flags & DETECT_CONTENT_WITHIN ||
2793  cd->flags & DETECT_CONTENT_DISTANCE ||
2794  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2795  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2796  cd->flags & DETECT_CONTENT_NEGATED ) {
2797  printf("one failed\n");
2798  result = 0;
2799  goto end;
2800  }
2801 
2802  sm = sm->next;
2803  if (sm->type != DETECT_BYTE_EXTRACT) {
2804  result = 0;
2805  goto end;
2806  }
2807  bed = (DetectByteExtractData *)sm->ctx;
2808  if (bed->nbytes != 4 ||
2809  bed->offset != 0 ||
2810  strcmp(bed->name, "two") != 0 ||
2811  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2812  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2813  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2814  bed->align_value != 0 ||
2815  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2816  goto end;
2817  }
2818  if (bed->local_id != 0) {
2819  result = 0;
2820  goto end;
2821  }
2822 
2823  sm = sm->next;
2824  if (sm->type != DETECT_CONTENT) {
2825  result = 0;
2826  goto end;
2827  }
2828  cd = (DetectContentData *)sm->ctx;
2829  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2830  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2831  DETECT_CONTENT_DISTANCE) ||
2832  cd->distance != bed->local_id ||
2833  cd->offset != 0 ||
2834  cd->depth != 0) {
2835  printf("three failed\n");
2836  result = 0;
2837  goto end;
2838  }
2839 
2840  if (sm->next != NULL)
2841  goto end;
2842 
2843  result = 1;
2844 
2845  end:
2846  SigGroupCleanup(de_ctx);
2847  SigCleanSignatures(de_ctx);
2848  DetectEngineCtxFree(de_ctx);
2849 
2850  return result;
2851 }
2852 
2853 static int DetectByteExtractTest48(void)
2854 {
2855  DetectEngineCtx *de_ctx = NULL;
2856  int result = 0;
2857  Signature *s = NULL;
2858  SigMatch *sm = NULL;
2859  DetectContentData *cd = NULL;
2860  DetectByteExtractData *bed1 = NULL;
2861  DetectByteExtractData *bed2 = NULL;
2862 
2863  de_ctx = DetectEngineCtxInit();
2864  if (de_ctx == NULL)
2865  goto end;
2866 
2867  de_ctx->flags |= DE_QUIET;
2868  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2869  "(msg:\"Testing bytejump_body\"; "
2870  "content:\"one\"; "
2871  "byte_extract:4,0,two,string,hex; "
2872  "byte_extract:4,0,three,string,hex; "
2873  "content: \"four\"; distance:two; "
2874  "content: \"five\"; distance:three; "
2875  "sid:1;)");
2876  if (de_ctx->sig_list == NULL) {
2877  result = 0;
2878  goto end;
2879  }
2880 
2881  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2882  result = 0;
2883  goto end;
2884  }
2885 
2886  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2887  if (sm->type != DETECT_CONTENT) {
2888  result = 0;
2889  goto end;
2890  }
2891  cd = (DetectContentData *)sm->ctx;
2892  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2893  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2894  cd->flags & DETECT_CONTENT_NOCASE ||
2895  cd->flags & DETECT_CONTENT_WITHIN ||
2896  cd->flags & DETECT_CONTENT_DISTANCE ||
2897  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2898  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2899  cd->flags & DETECT_CONTENT_NEGATED ) {
2900  printf("one failed\n");
2901  result = 0;
2902  goto end;
2903  }
2904 
2905  sm = sm->next;
2906  if (sm->type != DETECT_BYTE_EXTRACT) {
2907  result = 0;
2908  goto end;
2909  }
2910  bed1 = (DetectByteExtractData *)sm->ctx;
2911  if (bed1->nbytes != 4 ||
2912  bed1->offset != 0 ||
2913  strcmp(bed1->name, "two") != 0 ||
2914  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2915  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2916  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2917  bed1->align_value != 0 ||
2918  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2919  goto end;
2920  }
2921  if (bed1->local_id != 0) {
2922  result = 0;
2923  goto end;
2924  }
2925 
2926  sm = sm->next;
2927  if (sm->type != DETECT_BYTE_EXTRACT) {
2928  result = 0;
2929  goto end;
2930  }
2931  bed2 = (DetectByteExtractData *)sm->ctx;
2932 
2933  sm = sm->next;
2934  if (sm->type != DETECT_CONTENT) {
2935  result = 0;
2936  goto end;
2937  }
2938  cd = (DetectContentData *)sm->ctx;
2939  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2940  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2941  DETECT_CONTENT_DISTANCE |
2942  DETECT_CONTENT_DISTANCE_NEXT) ||
2943  cd->distance != bed1->local_id ||
2944  cd->depth != 0 ||
2945  cd->offset != 0) {
2946  printf("four failed\n");
2947  result = 0;
2948  goto end;
2949  }
2950 
2951  sm = sm->next;
2952  if (sm->type != DETECT_CONTENT) {
2953  result = 0;
2954  goto end;
2955  }
2956  cd = (DetectContentData *)sm->ctx;
2957  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2958  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2959  DETECT_CONTENT_DISTANCE) ||
2960  cd->distance != bed2->local_id ||
2961  cd->depth != 0 ||
2962  cd->offset != 0) {
2963  printf("five failed\n");
2964  result = 0;
2965  goto end;
2966  }
2967 
2968  if (sm->next != NULL)
2969  goto end;
2970 
2971  result = 1;
2972 
2973  end:
2974  SigGroupCleanup(de_ctx);
2975  SigCleanSignatures(de_ctx);
2976  DetectEngineCtxFree(de_ctx);
2977 
2978  return result;
2979 }
2980 
2981 static int DetectByteExtractTest49(void)
2982 {
2983  DetectEngineCtx *de_ctx = NULL;
2984  int result = 0;
2985  Signature *s = NULL;
2986  SigMatch *sm = NULL;
2987  DetectContentData *cd = NULL;
2988  DetectByteExtractData *bed = NULL;
2989 
2990  de_ctx = DetectEngineCtxInit();
2991  if (de_ctx == NULL)
2992  goto end;
2993 
2994  de_ctx->flags |= DE_QUIET;
2995  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2996  "(msg:\"Testing bytejump_body\"; "
2997  "content:\"one\"; "
2998  "byte_extract:4,0,two,string,hex; "
2999  "content: \"three\"; within:two; "
3000  "sid:1;)");
3001  if (de_ctx->sig_list == NULL) {
3002  result = 0;
3003  goto end;
3004  }
3005 
3006  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3007  result = 0;
3008  goto end;
3009  }
3010 
3011  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3012  if (sm->type != DETECT_CONTENT) {
3013  result = 0;
3014  goto end;
3015  }
3016  cd = (DetectContentData *)sm->ctx;
3017  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3018  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3019  cd->flags & DETECT_CONTENT_NOCASE ||
3020  cd->flags & DETECT_CONTENT_WITHIN ||
3021  cd->flags & DETECT_CONTENT_DISTANCE ||
3022  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3023  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3024  cd->flags & DETECT_CONTENT_NEGATED ) {
3025  printf("one failed\n");
3026  result = 0;
3027  goto end;
3028  }
3029 
3030  sm = sm->next;
3031  if (sm->type != DETECT_BYTE_EXTRACT) {
3032  result = 0;
3033  goto end;
3034  }
3035  bed = (DetectByteExtractData *)sm->ctx;
3036  if (bed->nbytes != 4 ||
3037  bed->offset != 0 ||
3038  strcmp(bed->name, "two") != 0 ||
3039  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3040  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3041  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3042  bed->align_value != 0 ||
3043  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3044  goto end;
3045  }
3046  if (bed->local_id != 0) {
3047  result = 0;
3048  goto end;
3049  }
3050 
3051  sm = sm->next;
3052  if (sm->type != DETECT_CONTENT) {
3053  result = 0;
3054  goto end;
3055  }
3056  cd = (DetectContentData *)sm->ctx;
3057  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
3058  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3059  DETECT_CONTENT_WITHIN) ||
3060  cd->within != bed->local_id ||
3061  cd->offset != 0 ||
3062  cd->depth != 0 ||
3063  cd->distance != 0) {
3064  printf("three failed\n");
3065  result = 0;
3066  goto end;
3067  }
3068 
3069  if (sm->next != NULL)
3070  goto end;
3071 
3072  result = 1;
3073 
3074  end:
3075  SigGroupCleanup(de_ctx);
3076  SigCleanSignatures(de_ctx);
3077  DetectEngineCtxFree(de_ctx);
3078 
3079  return result;
3080 }
3081 
3082 static int DetectByteExtractTest50(void)
3083 {
3084  DetectEngineCtx *de_ctx = NULL;
3085  int result = 0;
3086  Signature *s = NULL;
3087  SigMatch *sm = NULL;
3088  DetectContentData *cd = NULL;
3089  DetectByteExtractData *bed1 = NULL;
3090  DetectByteExtractData *bed2 = NULL;
3091 
3092  de_ctx = DetectEngineCtxInit();
3093  if (de_ctx == NULL)
3094  goto end;
3095 
3096  de_ctx->flags |= DE_QUIET;
3097  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3098  "(msg:\"Testing bytejump_body\"; "
3099  "content:\"one\"; "
3100  "byte_extract:4,0,two,string,hex; "
3101  "byte_extract:4,0,three,string,hex; "
3102  "content: \"four\"; within:two; "
3103  "content: \"five\"; within:three; "
3104  "sid:1;)");
3105  if (de_ctx->sig_list == NULL) {
3106  result = 0;
3107  goto end;
3108  }
3109 
3110  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3111  result = 0;
3112  goto end;
3113  }
3114 
3115  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3116  if (sm->type != DETECT_CONTENT) {
3117  result = 0;
3118  goto end;
3119  }
3120  cd = (DetectContentData *)sm->ctx;
3121  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3122  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3123  cd->flags & DETECT_CONTENT_NOCASE ||
3124  cd->flags & DETECT_CONTENT_WITHIN ||
3125  cd->flags & DETECT_CONTENT_DISTANCE ||
3126  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3127  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3128  cd->flags & DETECT_CONTENT_NEGATED ) {
3129  printf("one failed\n");
3130  result = 0;
3131  goto end;
3132  }
3133 
3134  sm = sm->next;
3135  if (sm->type != DETECT_BYTE_EXTRACT) {
3136  result = 0;
3137  goto end;
3138  }
3139  bed1 = (DetectByteExtractData *)sm->ctx;
3140  if (bed1->nbytes != 4 ||
3141  bed1->offset != 0 ||
3142  strcmp(bed1->name, "two") != 0 ||
3143  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3144  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3145  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3146  bed1->align_value != 0 ||
3147  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3148  goto end;
3149  }
3150  if (bed1->local_id != 0) {
3151  result = 0;
3152  goto end;
3153  }
3154 
3155  sm = sm->next;
3156  if (sm->type != DETECT_BYTE_EXTRACT) {
3157  result = 0;
3158  goto end;
3159  }
3160  bed2 = (DetectByteExtractData *)sm->ctx;
3161 
3162  sm = sm->next;
3163  if (sm->type != DETECT_CONTENT) {
3164  result = 0;
3165  goto end;
3166  }
3167  cd = (DetectContentData *)sm->ctx;
3168  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3169  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3170  DETECT_CONTENT_WITHIN|
3171  DETECT_CONTENT_WITHIN_NEXT) ||
3172  cd->within != bed1->local_id ||
3173  cd->depth != 0 ||
3174  cd->offset != 0 ||
3175  cd->distance != 0) {
3176  printf("four failed\n");
3177  result = 0;
3178  goto end;
3179  }
3180 
3181  sm = sm->next;
3182  if (sm->type != DETECT_CONTENT) {
3183  result = 0;
3184  goto end;
3185  }
3186  cd = (DetectContentData *)sm->ctx;
3187  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
3188  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3189  DETECT_CONTENT_WITHIN) ||
3190  cd->within != bed2->local_id ||
3191  cd->depth != 0 ||
3192  cd->offset != 0 ||
3193  cd->distance != 0) {
3194  printf("five failed\n");
3195  result = 0;
3196  goto end;
3197  }
3198 
3199  if (sm->next != NULL)
3200  goto end;
3201 
3202  result = 1;
3203 
3204  end:
3205  SigGroupCleanup(de_ctx);
3206  SigCleanSignatures(de_ctx);
3207  DetectEngineCtxFree(de_ctx);
3208 
3209  return result;
3210 }
3211 
3212 static int DetectByteExtractTest51(void)
3213 {
3214  DetectEngineCtx *de_ctx = NULL;
3215  int result = 0;
3216  Signature *s = NULL;
3217  SigMatch *sm = NULL;
3218  DetectContentData *cd = NULL;
3219  DetectByteExtractData *bed = NULL;
3220  DetectBytetestData *btd = NULL;
3221 
3222  de_ctx = DetectEngineCtxInit();
3223  if (de_ctx == NULL)
3224  goto end;
3225 
3226  de_ctx->flags |= DE_QUIET;
3227  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3228  "(msg:\"Testing bytejump_body\"; "
3229  "content:\"one\"; "
3230  "byte_extract:4,0,two,string,hex; "
3231  "byte_test: 2,=,10, two; "
3232  "sid:1;)");
3233  if (de_ctx->sig_list == NULL) {
3234  result = 0;
3235  goto end;
3236  }
3237 
3238  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3239  result = 0;
3240  goto end;
3241  }
3242 
3243  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3244  if (sm->type != DETECT_CONTENT) {
3245  result = 0;
3246  goto end;
3247  }
3248  cd = (DetectContentData *)sm->ctx;
3249  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3250  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3251  cd->flags & DETECT_CONTENT_NOCASE ||
3252  cd->flags & DETECT_CONTENT_WITHIN ||
3253  cd->flags & DETECT_CONTENT_DISTANCE ||
3254  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3255  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3256  cd->flags & DETECT_CONTENT_NEGATED ) {
3257  printf("one failed\n");
3258  result = 0;
3259  goto end;
3260  }
3261 
3262  sm = sm->next;
3263  if (sm->type != DETECT_BYTE_EXTRACT) {
3264  result = 0;
3265  goto end;
3266  }
3267  bed = (DetectByteExtractData *)sm->ctx;
3268  if (bed->nbytes != 4 ||
3269  bed->offset != 0 ||
3270  strcmp(bed->name, "two") != 0 ||
3271  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3272  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3273  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3274  bed->align_value != 0 ||
3275  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3276  goto end;
3277  }
3278  if (bed->local_id != 0) {
3279  result = 0;
3280  goto end;
3281  }
3282 
3283  sm = sm->next;
3284  if (sm->type != DETECT_BYTETEST) {
3285  result = 0;
3286  goto end;
3287  }
3288  btd = (DetectBytetestData *)sm->ctx;
3289  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3290  btd->value != 10 ||
3291  btd->offset != 0) {
3292  printf("three failed\n");
3293  result = 0;
3294  goto end;
3295  }
3296 
3297  if (sm->next != NULL)
3298  goto end;
3299 
3300  result = 1;
3301 
3302  end:
3303  SigGroupCleanup(de_ctx);
3304  SigCleanSignatures(de_ctx);
3305  DetectEngineCtxFree(de_ctx);
3306 
3307  return result;
3308 }
3309 
3310 static int DetectByteExtractTest52(void)
3311 {
3312  DetectEngineCtx *de_ctx = NULL;
3313  int result = 0;
3314  Signature *s = NULL;
3315  SigMatch *sm = NULL;
3316  DetectContentData *cd = NULL;
3317  DetectByteExtractData *bed1 = NULL;
3318  DetectBytetestData *btd = NULL;
3319 
3320  de_ctx = DetectEngineCtxInit();
3321  if (de_ctx == NULL)
3322  goto end;
3323 
3324  de_ctx->flags |= DE_QUIET;
3325  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3326  "(msg:\"Testing bytejump_body\"; "
3327  "content:\"one\"; "
3328  "byte_extract:4,0,two,string,hex; "
3329  "byte_extract:4,0,three,string,hex; "
3330  "byte_test: 2,=,two,three; "
3331  "byte_test: 3,=,10,three; "
3332  "sid:1;)");
3333  if (de_ctx->sig_list == NULL) {
3334  result = 0;
3335  goto end;
3336  }
3337 
3338  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3339  result = 0;
3340  goto end;
3341  }
3342 
3343  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3344  if (sm->type != DETECT_CONTENT) {
3345  result = 0;
3346  goto end;
3347  }
3348  cd = (DetectContentData *)sm->ctx;
3349  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3350  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3351  cd->flags & DETECT_CONTENT_NOCASE ||
3352  cd->flags & DETECT_CONTENT_WITHIN ||
3353  cd->flags & DETECT_CONTENT_DISTANCE ||
3354  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3355  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3356  cd->flags & DETECT_CONTENT_NEGATED ) {
3357  printf("one failed\n");
3358  result = 0;
3359  goto end;
3360  }
3361 
3362  sm = sm->next;
3363  if (sm->type != DETECT_BYTE_EXTRACT) {
3364  result = 0;
3365  goto end;
3366  }
3367  bed1 = (DetectByteExtractData *)sm->ctx;
3368  if (bed1->nbytes != 4 ||
3369  bed1->offset != 0 ||
3370  strcmp(bed1->name, "two") != 0 ||
3371  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3372  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3373  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3374  bed1->align_value != 0 ||
3375  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3376  goto end;
3377  }
3378  if (bed1->local_id != 0) {
3379  result = 0;
3380  goto end;
3381  }
3382 
3383  sm = sm->next;
3384  if (sm->type != DETECT_BYTE_EXTRACT) {
3385  result = 0;
3386  goto end;
3387  }
3388 
3389  sm = sm->next;
3390  if (sm->type != DETECT_BYTETEST) {
3391  result = 0;
3392  goto end;
3393  }
3394  btd = (DetectBytetestData *)sm->ctx;
3395  if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
3396  DETECT_BYTETEST_VALUE_VAR) ||
3397  btd->value != 0 ||
3398  btd->offset != 1) {
3399  printf("three failed\n");
3400  result = 0;
3401  goto end;
3402  }
3403 
3404  sm = sm->next;
3405  if (sm->type != DETECT_BYTETEST) {
3406  result = 0;
3407  goto end;
3408  }
3409  btd = (DetectBytetestData *)sm->ctx;
3410  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3411  btd->value != 10 ||
3412  btd->offset != 1) {
3413  printf("four failed\n");
3414  result = 0;
3415  goto end;
3416  }
3417 
3418  if (sm->next != NULL)
3419  goto end;
3420 
3421  result = 1;
3422 
3423  end:
3424  SigGroupCleanup(de_ctx);
3425  SigCleanSignatures(de_ctx);
3426  DetectEngineCtxFree(de_ctx);
3427 
3428  return result;
3429 }
3430 
3431 static int DetectByteExtractTest53(void)
3432 {
3433  DetectEngineCtx *de_ctx = NULL;
3434  int result = 0;
3435  Signature *s = NULL;
3436  SigMatch *sm = NULL;
3437  DetectContentData *cd = NULL;
3438  DetectByteExtractData *bed = NULL;
3439  DetectBytejumpData *bjd = NULL;
3440 
3441  de_ctx = DetectEngineCtxInit();
3442  if (de_ctx == NULL)
3443  goto end;
3444 
3445  de_ctx->flags |= DE_QUIET;
3446  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3447  "(msg:\"Testing bytejump_body\"; "
3448  "content:\"one\"; "
3449  "byte_extract:4,0,two,string,hex; "
3450  "byte_jump: 2,two; "
3451  "sid:1;)");
3452  if (de_ctx->sig_list == NULL) {
3453  result = 0;
3454  goto end;
3455  }
3456 
3457  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3458  result = 0;
3459  goto end;
3460  }
3461 
3462  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3463  if (sm->type != DETECT_CONTENT) {
3464  result = 0;
3465  goto end;
3466  }
3467  cd = (DetectContentData *)sm->ctx;
3468  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3469  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3470  cd->flags & DETECT_CONTENT_NOCASE ||
3471  cd->flags & DETECT_CONTENT_WITHIN ||
3472  cd->flags & DETECT_CONTENT_DISTANCE ||
3473  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3474  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3475  cd->flags & DETECT_CONTENT_NEGATED ) {
3476  printf("one failed\n");
3477  result = 0;
3478  goto end;
3479  }
3480 
3481  sm = sm->next;
3482  if (sm->type != DETECT_BYTE_EXTRACT) {
3483  result = 0;
3484  goto end;
3485  }
3486  bed = (DetectByteExtractData *)sm->ctx;
3487  if (bed->nbytes != 4 ||
3488  bed->offset != 0 ||
3489  strcmp(bed->name, "two") != 0 ||
3490  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3491  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3492  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3493  bed->align_value != 0 ||
3494  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3495  goto end;
3496  }
3497  if (bed->local_id != 0) {
3498  result = 0;
3499  goto end;
3500  }
3501 
3502  sm = sm->next;
3503  if (sm->type != DETECT_BYTEJUMP) {
3504  result = 0;
3505  goto end;
3506  }
3507  bjd = (DetectBytejumpData *)sm->ctx;
3508  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3509  bjd->offset != 0) {
3510  printf("three failed\n");
3511  result = 0;
3512  goto end;
3513  }
3514 
3515  if (sm->next != NULL)
3516  goto end;
3517 
3518  result = 1;
3519 
3520  end:
3521  SigGroupCleanup(de_ctx);
3522  SigCleanSignatures(de_ctx);
3523  DetectEngineCtxFree(de_ctx);
3524 
3525  return result;
3526 }
3527 
3528 static int DetectByteExtractTest54(void)
3529 {
3530  DetectEngineCtx *de_ctx = NULL;
3531  int result = 0;
3532  Signature *s = NULL;
3533  SigMatch *sm = NULL;
3534  DetectContentData *cd = NULL;
3535  DetectByteExtractData *bed1 = NULL;
3536  DetectBytejumpData *bjd = NULL;
3537 
3538  de_ctx = DetectEngineCtxInit();
3539  if (de_ctx == NULL)
3540  goto end;
3541 
3542  de_ctx->flags |= DE_QUIET;
3543  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3544  "(msg:\"Testing bytejump_body\"; "
3545  "content:\"one\"; "
3546  "byte_extract:4,0,two,string,hex; "
3547  "byte_extract:4,0,three,string,hex; "
3548  "byte_jump: 2,two; "
3549  "byte_jump: 3,three; "
3550  "sid:1;)");
3551  if (de_ctx->sig_list == NULL) {
3552  result = 0;
3553  goto end;
3554  }
3555 
3556  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3557  result = 0;
3558  goto end;
3559  }
3560 
3561  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3562  if (sm->type != DETECT_CONTENT) {
3563  result = 0;
3564  goto end;
3565  }
3566  cd = (DetectContentData *)sm->ctx;
3567  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3568  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3569  cd->flags & DETECT_CONTENT_NOCASE ||
3570  cd->flags & DETECT_CONTENT_WITHIN ||
3571  cd->flags & DETECT_CONTENT_DISTANCE ||
3572  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3573  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3574  cd->flags & DETECT_CONTENT_NEGATED ) {
3575  printf("one failed\n");
3576  result = 0;
3577  goto end;
3578  }
3579 
3580  sm = sm->next;
3581  if (sm->type != DETECT_BYTE_EXTRACT) {
3582  result = 0;
3583  goto end;
3584  }
3585  bed1 = (DetectByteExtractData *)sm->ctx;
3586  if (bed1->nbytes != 4 ||
3587  bed1->offset != 0 ||
3588  strcmp(bed1->name, "two") != 0 ||
3589  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3590  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3591  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3592  bed1->align_value != 0 ||
3593  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3594  goto end;
3595  }
3596  if (bed1->local_id != 0) {
3597  result = 0;
3598  goto end;
3599  }
3600 
3601  sm = sm->next;
3602  if (sm->type != DETECT_BYTE_EXTRACT) {
3603  result = 0;
3604  goto end;
3605  }
3606 
3607  sm = sm->next;
3608  if (sm->type != DETECT_BYTEJUMP) {
3609  result = 0;
3610  goto end;
3611  }
3612  bjd = (DetectBytejumpData *)sm->ctx;
3613  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3614  bjd->offset != 0) {
3615  printf("three failed\n");
3616  result = 0;
3617  goto end;
3618  }
3619 
3620  sm = sm->next;
3621  if (sm->type != DETECT_BYTEJUMP) {
3622  result = 0;
3623  goto end;
3624  }
3625  bjd = (DetectBytejumpData *)sm->ctx;
3626  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3627  bjd->offset != 1) {
3628  printf("four failed\n");
3629  result = 0;
3630  goto end;
3631  }
3632 
3633  if (sm->next != NULL)
3634  goto end;
3635 
3636  result = 1;
3637 
3638  end:
3639  SigGroupCleanup(de_ctx);
3640  SigCleanSignatures(de_ctx);
3641  DetectEngineCtxFree(de_ctx);
3642 
3643  return result;
3644 }
3645 
3646 static int DetectByteExtractTest55(void)
3647 {
3648  DetectEngineCtx *de_ctx = NULL;
3649  int result = 0;
3650  Signature *s = NULL;
3651  SigMatch *sm = NULL;
3652  DetectContentData *cd = NULL;
3653  DetectByteExtractData *bed1 = NULL;
3654  DetectByteExtractData *bed2 = NULL;
3655 
3656  de_ctx = DetectEngineCtxInit();
3657  if (de_ctx == NULL)
3658  goto end;
3659 
3660  de_ctx->flags |= DE_QUIET;
3661  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3662  "(msg:\"Testing byte_extract\"; "
3663  "content:\"one\"; "
3664  "byte_extract:4,0,two,string,hex; "
3665  "byte_extract:4,0,three,string,hex; "
3666  "byte_extract:4,0,four,string,hex; "
3667  "byte_extract:4,0,five,string,hex; "
3668  "content: \"four\"; within:two; distance:three; "
3669  "sid:1;)");
3670  if (de_ctx->sig_list == NULL) {
3671  goto end;
3672  }
3673 
3674  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3675  goto end;
3676  }
3677 
3678  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3679  if (sm->type != DETECT_CONTENT) {
3680  goto end;
3681  }
3682  cd = (DetectContentData *)sm->ctx;
3683  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3684  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3685  cd->flags & DETECT_CONTENT_NOCASE ||
3686  cd->flags & DETECT_CONTENT_WITHIN ||
3687  cd->flags & DETECT_CONTENT_DISTANCE ||
3688  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3689  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3690  cd->flags & DETECT_CONTENT_NEGATED ) {
3691  printf("one failed: ");
3692  goto end;
3693  }
3694 
3695  sm = sm->next;
3696  if (sm->type != DETECT_BYTE_EXTRACT) {
3697  goto end;
3698  }
3699  bed1 = (DetectByteExtractData *)sm->ctx;
3700  if (bed1->nbytes != 4 ||
3701  bed1->offset != 0 ||
3702  strcmp(bed1->name, "two") != 0 ||
3703  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3704  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3705  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3706  bed1->align_value != 0 ||
3707  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3708  goto end;
3709  }
3710  if (bed1->local_id != 0) {
3711  goto end;
3712  }
3713 
3714  sm = sm->next;
3715  if (sm->type != DETECT_BYTE_EXTRACT) {
3716  goto end;
3717  }
3718  bed2 = (DetectByteExtractData *)sm->ctx;
3719 
3720  sm = sm->next;
3721  if (sm->type != DETECT_BYTE_EXTRACT) {
3722  goto end;
3723  }
3724 
3725  sm = sm->next;
3726  if (sm->type != DETECT_BYTE_EXTRACT) {
3727  goto end;
3728  }
3729 
3730  sm = sm->next;
3731  if (sm->type != DETECT_CONTENT) {
3732  goto end;
3733  }
3734  cd = (DetectContentData *)sm->ctx;
3735  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3736  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3737  DETECT_CONTENT_WITHIN_VAR |
3738  DETECT_CONTENT_DISTANCE |
3739  DETECT_CONTENT_WITHIN) ||
3740  cd->within != bed1->local_id ||
3741  cd->distance != bed2->local_id) {
3742  printf("four failed: ");
3743  goto end;
3744  }
3745 
3746  if (sm->next != NULL) {
3747  goto end;
3748  }
3749 
3750  result = 1;
3751 
3752  end:
3753  SigGroupCleanup(de_ctx);
3754  SigCleanSignatures(de_ctx);
3755  DetectEngineCtxFree(de_ctx);
3756 
3757  return result;
3758 }
3759 
3760 static int DetectByteExtractTest56(void)
3761 {
3762  DetectEngineCtx *de_ctx = NULL;
3763  int result = 0;
3764  Signature *s = NULL;
3765  SigMatch *sm = NULL;
3766  DetectContentData *cd = NULL;
3767  DetectByteExtractData *bed1 = NULL;
3768  DetectByteExtractData *bed2 = NULL;
3769 
3770  de_ctx = DetectEngineCtxInit();
3771  if (de_ctx == NULL)
3772  goto end;
3773 
3774  de_ctx->flags |= DE_QUIET;
3775  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3776  "(msg:\"Testing bytejump_body\"; "
3777  "uricontent:\"urione\"; "
3778  "content:\"one\"; "
3779  "byte_extract:4,0,two,string,hex; "
3780  "byte_extract:4,0,three,string,hex; "
3781  "byte_extract:4,0,four,string,hex; "
3782  "byte_extract:4,0,five,string,hex; "
3783  "content: \"four\"; within:two; distance:three; "
3784  "sid:1;)");
3785  if (de_ctx->sig_list == NULL) {
3786  result = 0;
3787  goto end;
3788  }
3789 
3790  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3791  result = 0;
3792  goto end;
3793  }
3794 
3795  sm = s->sm_lists[g_http_uri_buffer_id];
3796  if (sm->type != DETECT_CONTENT) {
3797  result = 0;
3798  goto end;
3799  }
3800  cd = (DetectContentData *)sm->ctx;
3801  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3802  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3803  cd->flags & DETECT_CONTENT_NOCASE ||
3804  cd->flags & DETECT_CONTENT_WITHIN ||
3805  cd->flags & DETECT_CONTENT_DISTANCE ||
3806  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3807  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3808  cd->flags & DETECT_CONTENT_NEGATED ) {
3809  printf("one failed\n");
3810  result = 0;
3811  goto end;
3812  }
3813 
3814  if (sm->next != NULL)
3815  goto end;
3816 
3817  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3818  if (sm->type != DETECT_CONTENT) {
3819  result = 0;
3820  goto end;
3821  }
3822  cd = (DetectContentData *)sm->ctx;
3823  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3824  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3825  cd->flags & DETECT_CONTENT_NOCASE ||
3826  cd->flags & DETECT_CONTENT_WITHIN ||
3827  cd->flags & DETECT_CONTENT_DISTANCE ||
3828  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3829  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3830  cd->flags & DETECT_CONTENT_NEGATED ) {
3831  printf("one failed\n");
3832  result = 0;
3833  goto end;
3834  }
3835 
3836  sm = sm->next;
3837  if (sm->type != DETECT_BYTE_EXTRACT) {
3838  result = 0;
3839  goto end;
3840  }
3841  bed1 = (DetectByteExtractData *)sm->ctx;
3842  if (bed1->nbytes != 4 ||
3843  bed1->offset != 0 ||
3844  strcmp(bed1->name, "two") != 0 ||
3845  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3846  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3847  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3848  bed1->align_value != 0 ||
3849  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3850  goto end;
3851  }
3852  if (bed1->local_id != 0) {
3853  result = 0;
3854  goto end;
3855  }
3856 
3857  sm = sm->next;
3858  if (sm->type != DETECT_BYTE_EXTRACT) {
3859  result = 0;
3860  goto end;
3861  }
3862  bed2 = (DetectByteExtractData *)sm->ctx;
3863 
3864  sm = sm->next;
3865  if (sm->type != DETECT_BYTE_EXTRACT) {
3866  result = 0;
3867  goto end;
3868  }
3869 
3870  sm = sm->next;
3871  if (sm->type != DETECT_BYTE_EXTRACT) {
3872  result = 0;
3873  goto end;
3874  }
3875 
3876  sm = sm->next;
3877  if (sm->type != DETECT_CONTENT) {
3878  result = 0;
3879  goto end;
3880  }
3881  cd = (DetectContentData *)sm->ctx;
3882  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3883  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3884  DETECT_CONTENT_WITHIN_VAR |
3885  DETECT_CONTENT_DISTANCE |
3886  DETECT_CONTENT_WITHIN) ||
3887  cd->within != bed1->local_id ||
3888  cd->distance != bed2->local_id ) {
3889  printf("four failed\n");
3890  result = 0;
3891  goto end;
3892  }
3893 
3894  if (sm->next != NULL) {
3895  goto end;
3896  }
3897 
3898  result = 1;
3899 
3900  end:
3901  SigGroupCleanup(de_ctx);
3902  SigCleanSignatures(de_ctx);
3903  DetectEngineCtxFree(de_ctx);
3904 
3905  return result;
3906 }
3907 
3908 static int DetectByteExtractTest57(void)
3909 {
3910  DetectEngineCtx *de_ctx = NULL;
3911  int result = 0;
3912  Signature *s = NULL;
3913  SigMatch *sm = NULL;
3914  DetectContentData *cd = NULL;
3915  DetectByteExtractData *bed1 = NULL;
3916  DetectByteExtractData *bed2 = NULL;
3917  DetectByteExtractData *bed3 = NULL;
3918  DetectByteExtractData *bed4 = NULL;
3919 
3920  de_ctx = DetectEngineCtxInit();
3921  if (de_ctx == NULL)
3922  goto end;
3923 
3924  de_ctx->flags |= DE_QUIET;
3925  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3926  "(msg:\"Testing bytejump_body\"; "
3927  "content:\"one\"; "
3928  "uricontent: \"urione\"; "
3929  "byte_extract:4,0,two,string,hex,relative; "
3930  "byte_extract:4,0,three,string,hex,relative; "
3931  "byte_extract:4,0,four,string,hex,relative; "
3932  "byte_extract:4,0,five,string,hex,relative; "
3933  "uricontent: \"four\"; within:two; distance:three; "
3934  "sid:1;)");
3935  if (de_ctx->sig_list == NULL) {
3936  result = 0;
3937  goto end;
3938  }
3939 
3940  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3941  result = 0;
3942  goto end;
3943  }
3944 
3945  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3946  if (sm->type != DETECT_CONTENT) {
3947  result = 0;
3948  goto end;
3949  }
3950  cd = (DetectContentData *)sm->ctx;
3951  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3952  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3953  cd->flags & DETECT_CONTENT_NOCASE ||
3954  cd->flags & DETECT_CONTENT_WITHIN ||
3955  cd->flags & DETECT_CONTENT_DISTANCE ||
3956  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3957  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3958  cd->flags & DETECT_CONTENT_NEGATED ) {
3959  printf("one failed\n");
3960  result = 0;
3961  goto end;
3962  }
3963 
3964  if (sm->next != NULL)
3965  goto end;
3966 
3967  sm = s->sm_lists[g_http_uri_buffer_id];
3968  if (sm->type != DETECT_CONTENT) {
3969  result = 0;
3970  goto end;
3971  }
3972  cd = (DetectContentData *)sm->ctx;
3973  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3974  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3975  cd->flags & DETECT_CONTENT_NOCASE ||
3976  cd->flags & DETECT_CONTENT_WITHIN ||
3977  cd->flags & DETECT_CONTENT_DISTANCE ||
3978  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3979  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3980  cd->flags & DETECT_CONTENT_NEGATED ) {
3981  printf("one failed\n");
3982  result = 0;
3983  goto end;
3984  }
3985 
3986  sm = sm->next;
3987  if (sm->type != DETECT_BYTE_EXTRACT) {
3988  result = 0;
3989  goto end;
3990  }
3991  bed1 = (DetectByteExtractData *)sm->ctx;
3992  if (bed1->nbytes != 4 ||
3993  bed1->offset != 0 ||
3994  strcmp(bed1->name, "two") != 0 ||
3995  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
3996  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3997  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3998  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3999  bed1->align_value != 0 ||
4000  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4001  goto end;
4002  }
4003  if (bed1->local_id != 0) {
4004  result = 0;
4005  goto end;
4006  }
4007 
4008  sm = sm->next;
4009  if (sm->type != DETECT_BYTE_EXTRACT) {
4010  result = 0;
4011  goto end;
4012  }
4013  bed2 = (DetectByteExtractData *)sm->ctx;
4014  if (bed2->local_id != 1) {
4015  result = 0;
4016  goto end;
4017  }
4018 
4019  sm = sm->next;
4020  if (sm->type != DETECT_BYTE_EXTRACT) {
4021  result = 0;
4022  goto end;
4023  }
4024  bed3 = (DetectByteExtractData *)sm->ctx;
4025  if (bed3->local_id != 2) {
4026  result = 0;
4027  goto end;
4028  }
4029 
4030  sm = sm->next;
4031  if (sm->type != DETECT_BYTE_EXTRACT) {
4032  result = 0;
4033  goto end;
4034  }
4035  bed4 = (DetectByteExtractData *)sm->ctx;
4036  if (bed4->local_id != 3) {
4037  result = 0;
4038  goto end;
4039  }
4040 
4041  sm = sm->next;
4042  if (sm->type != DETECT_CONTENT) {
4043  result = 0;
4044  goto end;
4045  }
4046  cd = (DetectContentData *)sm->ctx;
4047  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
4048  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
4049  DETECT_CONTENT_WITHIN_VAR |
4050  DETECT_CONTENT_DISTANCE |
4051  DETECT_CONTENT_WITHIN) ||
4052  cd->within != bed1->local_id ||
4053  cd->distance != bed2->local_id) {
4054  printf("four failed\n");
4055  result = 0;
4056  goto end;
4057  }
4058 
4059  if (sm->next != NULL) {
4060  goto end;
4061  }
4062 
4063  result = 1;
4064 
4065  end:
4066  SigGroupCleanup(de_ctx);
4067  SigCleanSignatures(de_ctx);
4068  DetectEngineCtxFree(de_ctx);
4069 
4070  return result;
4071 }
4072 
4073 static int DetectByteExtractTest58(void)
4074 {
4075  DetectEngineCtx *de_ctx = NULL;
4076  int result = 0;
4077  Signature *s = NULL;
4078  SigMatch *sm = NULL;
4079  DetectContentData *cd = NULL;
4080  DetectByteExtractData *bed1 = NULL;
4081  DetectBytejumpData *bjd = NULL;
4082  DetectIsdataatData *isdd = NULL;
4083 
4084  de_ctx = DetectEngineCtxInit();
4085  if (de_ctx == NULL)
4086  goto end;
4087 
4088  de_ctx->flags |= DE_QUIET;
4089  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4090  "(msg:\"Testing bytejump_body\"; "
4091  "content:\"one\"; "
4092  "byte_extract:4,0,two,string,hex; "
4093  "byte_extract:4,0,three,string,hex; "
4094  "byte_jump: 2,two; "
4095  "byte_jump: 3,three; "
4096  "isdataat: three; "
4097  "sid:1;)");
4098  if (de_ctx->sig_list == NULL) {
4099  result = 0;
4100  goto end;
4101  }
4102 
4103  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4104  result = 0;
4105  goto end;
4106  }
4107 
4108  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4109  if (sm->type != DETECT_CONTENT) {
4110  result = 0;
4111  goto end;
4112  }
4113  cd = (DetectContentData *)sm->ctx;
4114  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4115  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4116  cd->flags & DETECT_CONTENT_NOCASE ||
4117  cd->flags & DETECT_CONTENT_WITHIN ||
4118  cd->flags & DETECT_CONTENT_DISTANCE ||
4119  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4120  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4121  cd->flags & DETECT_CONTENT_NEGATED ) {
4122  printf("one failed\n");
4123  result = 0;
4124  goto end;
4125  }
4126 
4127  sm = sm->next;
4128  if (sm->type != DETECT_BYTE_EXTRACT) {
4129  result = 0;
4130  goto end;
4131  }
4132  bed1 = (DetectByteExtractData *)sm->ctx;
4133  if (bed1->nbytes != 4 ||
4134  bed1->offset != 0 ||
4135  strcmp(bed1->name, "two") != 0 ||
4136  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4137  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4138  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4139  bed1->align_value != 0 ||
4140  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4141  goto end;
4142  }
4143  if (bed1->local_id != 0) {
4144  result = 0;
4145  goto end;
4146  }
4147 
4148  sm = sm->next;
4149  if (sm->type != DETECT_BYTE_EXTRACT) {
4150  result = 0;
4151  goto end;
4152  }
4153 
4154  sm = sm->next;
4155  if (sm->type != DETECT_BYTEJUMP) {
4156  result = 0;
4157  goto end;
4158  }
4159  bjd = (DetectBytejumpData *)sm->ctx;
4160  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4161  bjd->offset != 0) {
4162  printf("three failed\n");
4163  result = 0;
4164  goto end;
4165  }
4166 
4167  sm = sm->next;
4168  if (sm->type != DETECT_BYTEJUMP) {
4169  result = 0;
4170  goto end;
4171  }
4172  bjd = (DetectBytejumpData *)sm->ctx;
4173  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4174  bjd->offset != 1) {
4175  printf("four failed\n");
4176  result = 0;
4177  goto end;
4178  }
4179 
4180  sm = sm->next;
4181  if (sm->type != DETECT_ISDATAAT) {
4182  result = 0;
4183  goto end;
4184  }
4185  isdd = (DetectIsdataatData *)sm->ctx;
4186  if (isdd->flags != ISDATAAT_OFFSET_VAR ||
4187  isdd->dataat != 1) {
4188  printf("isdataat failed\n");
4189  result = 0;
4190  goto end;
4191  }
4192 
4193  if (sm->next != NULL)
4194  goto end;
4195 
4196  result = 1;
4197 
4198  end:
4199  SigGroupCleanup(de_ctx);
4200  SigCleanSignatures(de_ctx);
4201  DetectEngineCtxFree(de_ctx);
4202 
4203  return result;
4204 }
4205 
4206 static int DetectByteExtractTest59(void)
4207 {
4208  DetectEngineCtx *de_ctx = NULL;
4209  int result = 0;
4210  Signature *s = NULL;
4211  SigMatch *sm = NULL;
4212  DetectContentData *cd = NULL;
4213  DetectByteExtractData *bed1 = NULL;
4214  DetectBytejumpData *bjd = NULL;
4215  DetectIsdataatData *isdd = NULL;
4216 
4217  de_ctx = DetectEngineCtxInit();
4218  if (de_ctx == NULL)
4219  goto end;
4220 
4221  de_ctx->flags |= DE_QUIET;
4222  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4223  "(msg:\"Testing bytejump_body\"; "
4224  "content:\"one\"; "
4225  "byte_extract:4,0,two,string,hex; "
4226  "byte_extract:4,0,three,string,hex; "
4227  "byte_jump: 2,two; "
4228  "byte_jump: 3,three; "
4229  "isdataat: three,relative; "
4230  "sid:1;)");
4231  if (de_ctx->sig_list == NULL) {
4232  result = 0;
4233  goto end;
4234  }
4235 
4236  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4237  result = 0;
4238  goto end;
4239  }
4240 
4241  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4242  if (sm->type != DETECT_CONTENT) {
4243  result = 0;
4244  goto end;
4245  }
4246  cd = (DetectContentData *)sm->ctx;
4247  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4248  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4249  cd->flags & DETECT_CONTENT_NOCASE ||
4250  cd->flags & DETECT_CONTENT_WITHIN ||
4251  cd->flags & DETECT_CONTENT_DISTANCE ||
4252  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4253  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4254  cd->flags & DETECT_CONTENT_NEGATED ) {
4255  printf("one failed\n");
4256  result = 0;
4257  goto end;
4258  }
4259 
4260  sm = sm->next;
4261  if (sm->type != DETECT_BYTE_EXTRACT) {
4262  result = 0;
4263  goto end;
4264  }
4265  bed1 = (DetectByteExtractData *)sm->ctx;
4266  if (bed1->nbytes != 4 ||
4267  bed1->offset != 0 ||
4268  strcmp(bed1->name, "two") != 0 ||
4269  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4270  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4271  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4272  bed1->align_value != 0 ||
4273  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4274  goto end;
4275  }
4276  if (bed1->local_id != 0) {
4277  result = 0;
4278  goto end;
4279  }
4280 
4281  sm = sm->next;
4282  if (sm->type != DETECT_BYTE_EXTRACT) {
4283  result = 0;
4284  goto end;
4285  }
4286 
4287  sm = sm->next;
4288  if (sm->type != DETECT_BYTEJUMP) {
4289  result = 0;
4290  goto end;
4291  }
4292  bjd = (DetectBytejumpData *)sm->ctx;
4293  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4294  bjd->offset != 0) {
4295  printf("three failed\n");
4296  result = 0;
4297  goto end;
4298  }
4299 
4300  sm = sm->next;
4301  if (sm->type != DETECT_BYTEJUMP) {
4302  result = 0;
4303  goto end;
4304  }
4305  bjd = (DetectBytejumpData *)sm->ctx;
4306  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4307  bjd->offset != 1) {
4308  printf("four failed\n");
4309  result = 0;
4310  goto end;
4311  }
4312 
4313  sm = sm->next;
4314  if (sm->type != DETECT_ISDATAAT) {
4315  result = 0;
4316  goto end;
4317  }
4318  isdd = (DetectIsdataatData *)sm->ctx;
4319  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4320  ISDATAAT_RELATIVE) ||
4321  isdd->dataat != 1) {
4322  printf("isdataat failed\n");
4323  result = 0;
4324  goto end;
4325  }
4326 
4327  if (sm->next != NULL)
4328  goto end;
4329 
4330  result = 1;
4331 
4332  end:
4333  SigGroupCleanup(de_ctx);
4334  SigCleanSignatures(de_ctx);
4335  DetectEngineCtxFree(de_ctx);
4336 
4337  return result;
4338 }
4339 
4340 static int DetectByteExtractTest60(void)
4341 {
4342  DetectEngineCtx *de_ctx = NULL;
4343  int result = 0;
4344  Signature *s = NULL;
4345  SigMatch *sm = NULL;
4346  DetectContentData *cd = NULL;
4347  DetectByteExtractData *bed1 = NULL;
4348  DetectIsdataatData *isdd = NULL;
4349 
4350  de_ctx = DetectEngineCtxInit();
4351  if (de_ctx == NULL)
4352  goto end;
4353 
4354  de_ctx->flags |= DE_QUIET;
4355  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4356  "(msg:\"Testing bytejump_body\"; "
4357  "content:\"one\"; "
4358  "byte_extract:4,0,two,string,hex,relative; "
4359  "uricontent: \"three\"; "
4360  "byte_extract:4,0,four,string,hex,relative; "
4361  "isdataat: two; "
4362  "sid:1;)");
4363  if (de_ctx->sig_list == NULL) {
4364  result = 0;
4365  goto end;
4366  }
4367 
4368  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4369  result = 0;
4370  goto end;
4371  }
4372 
4373  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4374  if (sm->type != DETECT_CONTENT) {
4375  result = 0;
4376  goto end;
4377  }
4378  cd = (DetectContentData *)sm->ctx;
4379  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4380  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4381  cd->flags & DETECT_CONTENT_NOCASE ||
4382  cd->flags & DETECT_CONTENT_WITHIN ||
4383  cd->flags & DETECT_CONTENT_DISTANCE ||
4384  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4385  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4386  cd->flags & DETECT_CONTENT_NEGATED ) {
4387  printf("one failed\n");
4388  result = 0;
4389  goto end;
4390  }
4391 
4392  sm = sm->next;
4393  if (sm->type != DETECT_BYTE_EXTRACT) {
4394  result = 0;
4395  goto end;
4396  }
4397  bed1 = (DetectByteExtractData *)sm->ctx;
4398  if (bed1->nbytes != 4 ||
4399  bed1->offset != 0 ||
4400  strcmp(bed1->name, "two") != 0 ||
4401  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4402  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4403  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4404  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4405  bed1->align_value != 0 ||
4406  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4407  goto end;
4408  }
4409  if (bed1->local_id != 0) {
4410  result = 0;
4411  goto end;
4412  }
4413 
4414  sm = sm->next;
4415  if (sm->type != DETECT_ISDATAAT) {
4416  result = 0;
4417  goto end;
4418  }
4419  isdd = (DetectIsdataatData *)sm->ctx;
4420  if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
4421  isdd->dataat != bed1->local_id) {
4422  printf("isdataat failed\n");
4423  result = 0;
4424  goto end;
4425  }
4426 
4427  if (sm->next != NULL)
4428  goto end;
4429 
4430  if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
4431  result = 0;
4432  goto end;
4433  }
4434 
4435  sm = s->sm_lists[g_http_uri_buffer_id];
4436  if (sm->type != DETECT_CONTENT) {
4437  result = 0;
4438  goto end;
4439  }
4440  cd = (DetectContentData *)sm->ctx;
4441  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4442  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4443  printf("one failed\n");
4444  result = 0;
4445  goto end;
4446  }
4447 
4448  sm = sm->next;
4449  if (sm->type != DETECT_BYTE_EXTRACT) {
4450  result = 0;
4451  goto end;
4452  }
4453  bed1 = (DetectByteExtractData *)sm->ctx;
4454  if (bed1->nbytes != 4 ||
4455  bed1->offset != 0 ||
4456  strcmp(bed1->name, "four") != 0 ||
4457  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4458  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4459  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4460  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4461  bed1->align_value != 0 ||
4462  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4463  goto end;
4464  }
4465  if (bed1->local_id != 0) {
4466  result = 0;
4467  goto end;
4468  }
4469 
4470  if (sm->next != NULL)
4471  goto end;
4472 
4473  result = 1;
4474 
4475  end:
4476  SigGroupCleanup(de_ctx);
4477  SigCleanSignatures(de_ctx);
4478  DetectEngineCtxFree(de_ctx);
4479 
4480  return result;
4481 }
4482 
4483 static int DetectByteExtractTest61(void)
4484 {
4485  DetectEngineCtx *de_ctx = NULL;
4486  int result = 0;
4487  Signature *s = NULL;
4488  SigMatch *sm = NULL;
4489  DetectContentData *cd = NULL;
4490  DetectByteExtractData *bed1 = NULL;
4491  DetectIsdataatData *isdd = NULL;
4492 
4493  de_ctx = DetectEngineCtxInit();
4494  if (de_ctx == NULL)
4495  goto end;
4496 
4497  de_ctx->flags |= DE_QUIET;
4498  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4499  "(msg:\"Testing bytejump_body\"; "
4500  "content:\"one\"; "
4501  "byte_extract:4,0,two,string,hex,relative; "
4502  "uricontent: \"three\"; "
4503  "byte_extract:4,0,four,string,hex,relative; "
4504  "isdataat: four, relative; "
4505  "sid:1;)");
4506  if (de_ctx->sig_list == NULL) {
4507  result = 0;
4508  goto end;
4509  }
4510 
4511  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4512  result = 0;
4513  goto end;
4514  }
4515 
4516  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4517  if (sm->type != DETECT_CONTENT) {
4518  result = 0;
4519  goto end;
4520  }
4521  cd = (DetectContentData *)sm->ctx;
4522  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4523  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4524  cd->flags & DETECT_CONTENT_NOCASE ||
4525  cd->flags & DETECT_CONTENT_WITHIN ||
4526  cd->flags & DETECT_CONTENT_DISTANCE ||
4527  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4528  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4529  cd->flags & DETECT_CONTENT_NEGATED ) {
4530  printf("one failed\n");
4531  result = 0;
4532  goto end;
4533  }
4534 
4535  sm = sm->next;
4536  if (sm->type != DETECT_BYTE_EXTRACT) {
4537  result = 0;
4538  goto end;
4539  }
4540  bed1 = (DetectByteExtractData *)sm->ctx;
4541  if (bed1->nbytes != 4 ||
4542  bed1->offset != 0 ||
4543  strcmp(bed1->name, "two") != 0 ||
4544  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4545  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4546  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4547  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4548  bed1->align_value != 0 ||
4549  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4550  goto end;
4551  }
4552  if (bed1->local_id != 0) {
4553  result = 0;
4554  goto end;
4555  }
4556 
4557  if (sm->next != NULL)
4558  goto end;
4559 
4560  if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
4561  result = 0;
4562  goto end;
4563  }
4564 
4565  sm = s->sm_lists[g_http_uri_buffer_id];
4566  if (sm->type != DETECT_CONTENT) {
4567  result = 0;
4568  goto end;
4569  }
4570  cd = (DetectContentData *)sm->ctx;
4571  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4572  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4573  printf("one failed\n");
4574  result = 0;
4575  goto end;
4576  }
4577 
4578  sm = sm->next;
4579  if (sm->type != DETECT_BYTE_EXTRACT) {
4580  result = 0;
4581  goto end;
4582  }
4583  bed1 = (DetectByteExtractData *)sm->ctx;
4584  if (bed1->nbytes != 4 ||
4585  bed1->offset != 0 ||
4586  strcmp(bed1->name, "four") != 0 ||
4587  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4588  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4589  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4590  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4591  bed1->align_value != 0 ||
4592  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4593  goto end;
4594  }
4595  if (bed1->local_id != 0) {
4596  result = 0;
4597  goto end;
4598  }
4599 
4600  sm = sm->next;
4601  if (sm->type != DETECT_ISDATAAT) {
4602  result = 0;
4603  goto end;
4604  }
4605  isdd = (DetectIsdataatData *)sm->ctx;
4606  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4607  ISDATAAT_RELATIVE) ||
4608  isdd->dataat != bed1->local_id) {
4609  printf("isdataat failed\n");
4610  result = 0;
4611  goto end;
4612  }
4613 
4614  if (sm->next != NULL)
4615  goto end;
4616 
4617  result = 1;
4618 
4619  end:
4620  SigGroupCleanup(de_ctx);
4621  SigCleanSignatures(de_ctx);
4622  DetectEngineCtxFree(de_ctx);
4623 
4624  return result;
4625 }
4626 
4627 static int DetectByteExtractTest62(void)
4628 {
4629  DetectEngineCtx *de_ctx = NULL;
4630  int result = 0;
4631  Signature *s = NULL;
4632  SigMatch *sm = NULL;
4633  DetectByteExtractData *bed = NULL;
4634 
4635  de_ctx = DetectEngineCtxInit();
4636  if (de_ctx == NULL)
4637  goto end;
4638 
4639  de_ctx->flags |= DE_QUIET;
4640  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4641  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4642  "sid:1;)");
4643  if (de_ctx->sig_list == NULL) {
4644  goto end;
4645  }
4646 
4647  if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) {
4648  goto end;
4649  }
4650 
4651  sm = s->sm_lists[g_file_data_buffer_id];
4652  if (sm->type != DETECT_BYTE_EXTRACT) {
4653  result = 0;
4654  goto end;
4655  }
4656  bed = (DetectByteExtractData *)sm->ctx;
4657  if (bed->nbytes != 4 ||
4658  bed->offset != 2 ||
4659  strncmp(bed->name, "two", 3) != 0 ||
4660  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4661  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4662  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4663  bed->align_value != 0 ||
4664  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4665  goto end;
4666  }
4667 
4668  result = 1;
4669 
4670  end:
4671  SigGroupCleanup(de_ctx);
4672  SigCleanSignatures(de_ctx);
4673  DetectEngineCtxFree(de_ctx);
4674 
4675  return result;
4676 }
4677 
4678 static int DetectByteExtractTest63(void)
4679 {
4680  int result = 0;
4681 
4682  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4683  if (bed == NULL)
4684  goto end;
4685 
4686  if (bed->nbytes != 4 ||
4687  bed->offset != -2 ||
4688  strcmp(bed->name, "one") != 0 ||
4689  bed->flags != 0 ||
4690  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
4691  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
4692  bed->align_value != 0 ||
4693  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4694  goto end;
4695  }
4696 
4697  result = 1;
4698  end:
4699  if (bed != NULL)
4700  DetectByteExtractFree(NULL, bed);
4701  return result;
4702 }
4703 
4704 static int DetectByteExtractTestParseNoBase(void)
4705 {
4706  int result = 0;
4707 
4708  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4709  if (bed == NULL)
4710  goto end;
4711 
4712  if (bed->nbytes != 4) {
4713  goto end;
4714  }
4715  if (bed->offset != 2) {
4716  goto end;
4717  }
4718  if (strcmp(bed->name, "one") != 0) {
4719  goto end;
4720  }
4721  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4722  goto end;
4723  }
4724  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
4725  goto end;
4726  }
4727  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4728  goto end;
4729  }
4730  if (bed->align_value != 0) {
4731  goto end;
4732  }
4733  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4734  goto end;
4735  }
4736 
4737  result = 1;
4738  end:
4739  if (bed != NULL)
4740  DetectByteExtractFree(NULL, bed);
4741  return result;
4742 }
4743 
4744 static void DetectByteExtractRegisterTests(void)
4745 {
4746  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4747  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4748 
4749  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4750  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4751  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4752  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4753  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4754  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4755  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4756  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4757  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4758  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4759  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4760  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4761  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4762  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4763  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4764  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4765  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4766  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4767  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4768  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4769  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4770  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4771  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4772  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4773  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4774  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4775  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4776  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4777  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4778  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4779  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4780  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4781  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4782  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4783  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4784  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4785  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4786  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4787  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4788  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4789  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4790  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4791 
4792  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4793  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4794 
4795  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4796  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4797 
4798  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4799  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4800 
4801  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4802  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4803 
4804  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4805  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4806 
4807  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4808  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4809 
4810  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4811  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4812  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4813 
4814  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4815  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4816  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4817  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4818  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4819  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4820 
4821  UtRegisterTest("DetectByteExtractTestParseNoBase",
4822  DetectByteExtractTestParseNoBase);
4823 }
4824 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:100
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1241
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1498
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DETECT_BYTE_EXTRACT_ENDIAN_DCE
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE
Definition: detect-byte-extract.h:38
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1053
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:79
SigTableElmt_::desc
const char * desc
Definition: detect.h:1240
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2488
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:77
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1228
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
flow-util.h
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1238
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:76
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectContentData_::within
int32_t within
Definition: detect-content.h:102
DETECT_BYTE_EXTRACT_FLAG_STRING
#define DETECT_BYTE_EXTRACT_FLAG_STRING
Definition: detect-byte-extract.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DetectByteExtractData_::local_id
uint8_t local_id
Definition: detect-byte-extract.h:45
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:60
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
DetectByteExtractData_
Holds data related to byte_extract keyword.
Definition: detect-byte-extract.h:43
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:325
threads.h
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:59
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:47
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectBytetestData_
Definition: detect-bytetest.h:52
DetectByteExtractData_::nbytes
uint8_t nbytes
Definition: detect-byte-extract.h:47
SigMatchData_
Data needed for Match()
Definition: detect.h:322
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1223
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:44
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:49
util-unittest-helper.h
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:207
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:546
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:115
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:73
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:361
decode.h
util-debug.h
DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
Definition: detect-byte-extract.c:54
DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
Definition: detect-byte-extract.c:66
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
StringParseI32RangeCheck
int StringParseI32RangeCheck(int32_t *res, int base, size_t len, const char *str, int32_t min, int32_t max)
Definition: util-byte.c:716
DetectByteExtractData_::offset
int32_t offset
Definition: detect-byte-extract.h:49
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2609
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:517
DETECT_BYTE_EXTRACT_ENDIAN_BIG
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG
Definition: detect-byte-extract.h:36
detect-engine-mpm.h
detect.h
StringParseU16RangeCheck
int StringParseU16RangeCheck(uint16_t *res, int base, size_t len, const char *str, uint16_t min, uint16_t max)
Definition: util-byte.c:433
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:61
DetectByteExtractData_::align_value
uint8_t align_value
Definition: detect-byte-extract.h:54
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
DetectByteExtractData_::endian
uint8_t endian
Definition: detect-byte-extract.h:52
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2019
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
Signature_::flags
uint32_t flags
Definition: detect.h:541
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:99
detect-engine-build.h
DETECT_BYTE_EXTRACT_FLAG_RELATIVE
#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE
Definition: detect-byte-extract.h:28
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1206
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:534
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:666
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:877
DetectByteExtractData_::base
uint8_t base
Definition: detect-byte-extract.h:53
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:239
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:104
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:75
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
DETECT_BYTE_EXTRACT_BASE_NONE
#define DETECT_BYTE_EXTRACT_BASE_NONE
Definition: detect-byte-extract.c:58
DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
Definition: detect-byte-extract.h:37
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:314
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:74
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:101
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
util-spm.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
DETECT_BYTE_EXTRACT_FLAG_ALIGN
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN
Definition: detect-byte-extract.h:31
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
DetectByteExtractData_::name
const char * name
Definition: detect-byte-extract.h:50
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:631
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectByteExtractData_::multiplier_value
uint16_t multiplier_value
Definition: detect-byte-extract.h:56
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT_ENDIAN_NONE
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE
Definition: detect-byte-extract.h:35
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:178
DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
Definition: detect-byte-extract.h:29
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DetectByteExtractData_::flags
uint8_t flags
Definition: detect-byte-extract.h:51
DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
Definition: detect-byte-extract.c:68
DETECT_BYTE_EXTRACT_FLAG_ENDIAN
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN
Definition: detect-byte-extract.h:32
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:59
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:36
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:101
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2585
DetectPcreData_
Definition: detect-pcre.h:42
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-byte-extract.c:79
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:77
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:474
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
flow.h
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
Definition: detect-byte-extract.c:69
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:354
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:75
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:61
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1230
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:47
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
SignatureInitData_::smlists_array_size
uint32_t smlists_array_size
Definition: detect.h:532
detect-bytetest.h