suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-state.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-bytejump.h"
36 #include "detect-bytetest.h"
37 #include "detect-byte-extract.h"
38 #include "detect-isdataat.h"
39 
40 #include "app-layer-protos.h"
41 
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 
46 #include "util-byte.h"
47 #include "util-debug.h"
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 #include "util-spm.h"
51 
52 /* the default value of endianess to be used, if none's specified */
53 #define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT DETECT_BYTE_EXTRACT_ENDIAN_BIG
54 
55 /* the base to be used if string mode is specified. These options would be
56  * specified in DetectByteParseData->base */
57 #define DETECT_BYTE_EXTRACT_BASE_NONE 0
58 #define DETECT_BYTE_EXTRACT_BASE_HEX 16
59 #define DETECT_BYTE_EXTRACT_BASE_DEC 10
60 #define DETECT_BYTE_EXTRACT_BASE_OCT 8
61 
62 /* the default value for multiplier. Either ways we always store a
63  * multiplier, 1 or otherwise, so that we can always multiply the extracted
64  * value and store it, instead of checking if a multiplier is set or not */
65 #define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT 1
66 /* the min/max limit for multiplier */
67 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT 1
68 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT 65535
69 
70 /* the max no of bytes that can be extracted in string mode - (string, hex)
71  * (string, oct) or (string, dec) */
72 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
73 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
74 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
75 /* the max no of bytes that can be extraced in non-string mode */
76 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
77 
78 #define PARSE_REGEX "^" \
79  "\\s*([0-9]+)\\s*" \
80  ",\\s*(-?[0-9]+)\\s*" \
81  ",\\s*([^\\s,]+)\\s*" \
82  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
83  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
84  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
85  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
86  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
87  "$"
88 
89 static DetectParseRegex parse_regex;
90 
91 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
92 #ifdef UNITTESTS
93 static void DetectByteExtractRegisterTests(void);
94 #endif
95 static void DetectByteExtractFree(DetectEngineCtx *, void *);
96 
97 /**
98  * \brief Registers the keyword handlers for the "byte_extract" keyword.
99  */
100 void DetectByteExtractRegister(void)
101 {
102  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
103  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
104  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
105  sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
106  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
107  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
108 #ifdef UNITTESTS
109  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
110 #endif
111  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
112 }
113 
114 int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
115  const Signature *s, const uint8_t *payload,
116  uint16_t payload_len, uint64_t *value,
117  uint8_t endian)
118 {
119  DetectByteExtractData *data = (DetectByteExtractData *)smd->ctx;
120  const uint8_t *ptr = NULL;
121  int32_t len = 0;
122  uint64_t val = 0;
123  int extbytes;
124 
125  if (payload_len == 0) {
126  return 0;
127  }
128 
129  /* Calculate the ptr value for the bytetest and length remaining in
130  * the packet from that point.
131  */
132  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
133  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
134  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
135 
136  ptr = payload + det_ctx->buffer_offset;
137  len = payload_len - det_ctx->buffer_offset;
138 
139  ptr += data->offset;
140  len -= data->offset;
141 
142  /* No match if there is no relative base */
143  if (len <= 0) {
144  return 0;
145  }
146  //PrintRawDataFp(stdout,ptr,len);
147  } else {
148  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
149 
150  ptr = payload + data->offset;
151  len = payload_len - data->offset;
152  }
153 
154  /* Validate that the to-be-extracted is within the packet */
155  if (ptr < payload || data->nbytes > len) {
156  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
157  payload, ptr, len, data->nbytes);
158  return 0;
159  }
160 
161  /* Extract the byte data */
162  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
163  extbytes = ByteExtractStringUint64(&val, data->base,
164  data->nbytes, (const char *)ptr);
165  if (extbytes <= 0) {
166  /* strtoull() return 0 if there is no numeric value in data string */
167  if (val == 0) {
168  SCLogDebug("No Numeric value");
169  return 0;
170  } else {
171  SCLogDebug("error extracting %d bytes of string data: %d",
172  data->nbytes, extbytes);
173  return -1;
174  }
175  }
176  } else {
177  int endianness = (endian == DETECT_BYTE_EXTRACT_ENDIAN_BIG) ?
178  BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
179  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
180  if (extbytes != data->nbytes) {
181  SCLogDebug("error extracting %d bytes of numeric data: %d",
182  data->nbytes, extbytes);
183  return 0;
184  }
185  }
186 
187  /* Adjust the jump value based on flags */
188  val *= data->multiplier_value;
189  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
190  if ((val % data->align_value) != 0) {
191  val += data->align_value - (val % data->align_value);
192  }
193  }
194 
195  ptr += extbytes;
196 
197  det_ctx->buffer_offset = ptr - payload;
198 
199  *value = val;
200  SCLogDebug("extracted value is %"PRIu64, val);
201  return 1;
202 }
203 
204 /**
205  * \internal
206  * \brief Used to parse byte_extract arg.
207  *
208  * \param de_ctx Pointer to the detection engine context
209  * \arg The argument to parse.
210  *
211  * \param bed On success an instance containing the parsed data.
212  * On failure, NULL.
213  */
214 static inline DetectByteExtractData *DetectByteExtractParse(DetectEngineCtx *de_ctx, const char *arg)
215 {
216  DetectByteExtractData *bed = NULL;
217  int ret = 0, res = 0;
218  size_t pcre2len;
219  int i = 0;
220 
221  ret = DetectParsePcreExec(&parse_regex, arg, 0, 0);
222  if (ret < 3 || ret > 19) {
223  SCLogError(SC_ERR_PCRE_PARSE, "parse error, ret %" PRId32
224  ", string \"%s\"", ret, arg);
225  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg to byte_extract : %s "
226  "for byte_extract", arg);
227  goto error;
228  }
229 
230  bed = SCMalloc(sizeof(DetectByteExtractData));
231  if (unlikely(bed == NULL))
232  goto error;
233  memset(bed, 0, sizeof(DetectByteExtractData));
234 
235  /* no of bytes to extract */
236  char nbytes_str[64] = "";
237  pcre2len = sizeof(nbytes_str);
238  res = pcre2_substring_copy_bynumber(
239  parse_regex.match, 1, (PCRE2_UCHAR8 *)nbytes_str, &pcre2len);
240  if (res < 0) {
241  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed "
242  "for arg 1 for byte_extract");
243  goto error;
244  }
245  if (StringParseUint8(&bed->nbytes, 10, 0,
246  (const char *)nbytes_str) < 0) {
247  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid value for number of bytes"
248  " to be extracted: \"%s\".", nbytes_str);
249  goto error;
250  }
251 
252  /* offset */
253  char offset_str[64] = "";
254  pcre2len = sizeof(offset_str);
255  res = pcre2_substring_copy_bynumber(
256  parse_regex.match, 2, (PCRE2_UCHAR8 *)offset_str, &pcre2len);
257  if (res < 0) {
258  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed "
259  "for arg 2 for byte_extract");
260  goto error;
261  }
262  int32_t offset;
263  if (StringParseI32RangeCheck(&offset, 10, 0, (const char *)offset_str, -65535, 65535) < 0) {
264  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid value for offset: \"%s\".", offset_str);
265  goto error;
266  }
267  bed->offset = offset;
268 
269  /* var name */
270  char varname_str[256] = "";
271  pcre2len = sizeof(varname_str);
272  res = pcre2_substring_copy_bynumber(
273  parse_regex.match, 3, (PCRE2_UCHAR8 *)varname_str, &pcre2len);
274  if (res < 0) {
275  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_copy_bynumber failed "
276  "for arg 3 for byte_extract");
277  goto error;
278  }
279  bed->name = SCStrdup(varname_str);
280  if (bed->name == NULL)
281  goto error;
282 
283  /* check out other optional args */
284  for (i = 4; i < ret; i++) {
285  char opt_str[64] = "";
286  pcre2len = sizeof(opt_str);
287  res = SC_Pcre2SubstringCopy(parse_regex.match, i, (PCRE2_UCHAR8 *)opt_str, &pcre2len);
288  if (res < 0) {
289  SCLogError(SC_ERR_PCRE_GET_SUBSTRING,
290  "pcre2_substring_copy_bynumber failed "
291  "for arg %d for byte_extract with %d",
292  i, res);
293  goto error;
294  }
295 
296  if (strcmp("relative", opt_str) == 0) {
297  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
298  SCLogError(SC_ERR_INVALID_SIGNATURE, "relative specified more "
299  "than once for byte_extract");
300  goto error;
301  }
302  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
303  } else if (strcmp("multiplier", opt_str) == 0) {
304  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) {
305  SCLogError(SC_ERR_INVALID_SIGNATURE, "multiplier specified more "
306  "than once for byte_extract");
307  goto error;
308  }
309  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER;
310  i++;
311 
312  char multiplier_str[16] = "";
313  pcre2len = sizeof(multiplier_str);
314  res = pcre2_substring_copy_bynumber(
315  parse_regex.match, i, (PCRE2_UCHAR8 *)multiplier_str, &pcre2len);
316  if (res < 0) {
317  SCLogError(SC_ERR_PCRE_GET_SUBSTRING,
318  "pcre2_substring_copy_bynumber failed "
319  "for arg %d for byte_extract",
320  i);
321  goto error;
322  }
323  int32_t multiplier;
324  if (StringParseI32RangeCheck(&multiplier, 10, 0,
325  (const char *)multiplier_str,
326  DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT,
327  DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT) < 0) {
328  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid value for"
329  "multiplier: \"%s\".", multiplier_str);
330  goto error;
331  }
332  bed->multiplier_value = multiplier;
333  } else if (strcmp("big", opt_str) == 0) {
334  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
335  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
336  "more than once for byte_extract");
337  goto error;
338  }
339  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
340  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_BIG;
341  } else if (strcmp("little", opt_str) == 0) {
342  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
343  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
344  "more than once for byte_extract");
345  goto error;
346  }
347  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
348  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_LITTLE;
349  } else if (strcmp("dce", opt_str) == 0) {
350  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
351  SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
352  "more than once for byte_extract");
353  goto error;
354  }
355  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
356  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DCE;
357  } else if (strcmp("string", opt_str) == 0) {
358  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
359  SCLogError(SC_ERR_INVALID_SIGNATURE, "string specified more "
360  "than once for byte_extract");
361  goto error;
362  }
363  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
364  SCLogError(SC_ERR_INVALID_SIGNATURE, "The right way to specify "
365  "base is (string, base) and not (base, string) "
366  "for byte_extract");
367  goto error;
368  }
369  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_STRING;
370  } else if (strcmp("hex", opt_str) == 0) {
371  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
372  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(hex) specified "
373  "without specifying string. The right way is "
374  "(string, base) and not (base, string)");
375  goto error;
376  }
377  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
378  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
379  "specified for byte_extract");
380  goto error;
381  }
382  bed->base = DETECT_BYTE_EXTRACT_BASE_HEX;
383  } else if (strcmp("oct", opt_str) == 0) {
384  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
385  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(oct) specified "
386  "without specifying string. The right way is "
387  "(string, base) and not (base, string)");
388  goto error;
389  }
390  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
391  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
392  "specified for byte_extract");
393  goto error;
394  }
395  bed->base = DETECT_BYTE_EXTRACT_BASE_OCT;
396  } else if (strcmp("dec", opt_str) == 0) {
397  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
398  SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(dec) specified "
399  "without specifying string. The right way is "
400  "(string, base) and not (base, string)");
401  goto error;
402  }
403  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
404  SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
405  "specified for byte_extract");
406  goto error;
407  }
408  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
409  } else if (strcmp("align", opt_str) == 0) {
410  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
411  SCLogError(SC_ERR_INVALID_SIGNATURE, "Align specified more "
412  "than once for byte_extract");
413  goto error;
414  }
415  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ALIGN;
416  i++;
417 
418  char align_str[16] = "";
419  pcre2len = sizeof(align_str);
420  res = pcre2_substring_copy_bynumber(
421  parse_regex.match, i, (PCRE2_UCHAR8 *)align_str, &pcre2len);
422  if (res < 0) {
423  SCLogError(SC_ERR_PCRE_GET_SUBSTRING,
424  "pcre2_substring_copy_bynumber failed "
425  "for arg %d in byte_extract",
426  i);
427  goto error;
428  }
429  if (StringParseUint8(&bed->align_value, 10, 0,
430  (const char *)align_str) < 0) {
431  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid align_value: "
432  "\"%s\".", align_str);
433  goto error;
434  }
435  if (!(bed->align_value == 2 || bed->align_value == 4)) {
436  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid align_value for "
437  "byte_extract - \"%d\"", bed->align_value);
438  goto error;
439  }
440  } else if (strcmp("", opt_str) == 0) {
441  ;
442  } else {
443  SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid option - \"%s\" "
444  "specified in byte_extract", opt_str);
445  goto error;
446  }
447  } /* for (i = 4; i < ret; i++) */
448 
449  /* validation */
450  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER)) {
451  /* default value */
452  bed->multiplier_value = DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT;
453  }
454 
455  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
456  if (bed->base == DETECT_BYTE_EXTRACT_BASE_NONE) {
457  /* Default to decimal if base not specified. */
458  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
459  }
460  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
461  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't have "
462  "endian \"big\" or \"little\" specified along with "
463  "\"string\"");
464  goto error;
465  }
466  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
467  /* if are dealing with octal nos, the max no that can fit in a 8
468  * byte value is 01777777777777777777777 */
469  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
470  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
471  "more than %d bytes in \"string\" extraction",
472  STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
473  goto error;
474  }
475  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
476  /* if are dealing with decimal nos, the max no that can fit in a 8
477  * byte value is 18446744073709551615 */
478  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
479  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
480  "more than %d bytes in \"string\" extraction",
481  STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
482  goto error;
483  }
484  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
485  /* if are dealing with hex nos, the max no that can fit in a 8
486  * byte value is 0xFFFFFFFFFFFFFFFF */
487  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
488  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
489  "more than %d bytes in \"string\" extraction",
490  STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
491  goto error;
492  }
493  } else {
494  ; // just a placeholder. we won't reach here.
495  }
496  } else {
497  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
498  SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
499  "more than %d bytes in \"non-string\" extraction",
500  NO_STRING_MAX_BYTES_TO_EXTRACT);
501  goto error;
502  }
503  /* if string has not been specified and no endian option has been
504  * specified, then set the default endian level of BIG */
505  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
506  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT;
507  }
508 
509  return bed;
510  error:
511  if (bed != NULL)
512  DetectByteExtractFree(de_ctx, bed);
513  return NULL;
514 }
515 
516 /**
517  * \brief The setup function for the byte_extract keyword for a signature.
518  *
519  * \param de_ctx Pointer to the detection engine context.
520  * \param s Pointer to signature for the current Signature being parsed
521  * from the rules.
522  * \param m Pointer to the head of the SigMatch for the current rule
523  * being parsed.
524  * \param arg Pointer to the string holding the keyword value.
525  *
526  * \retval 0 On success.
527  * \retval -1 On failure.
528  */
529 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
530 {
531  SigMatch *sm = NULL;
532  SigMatch *prev_pm = NULL;
533  DetectByteExtractData *data = NULL;
534  int ret = -1;
535 
536  data = DetectByteExtractParse(de_ctx, arg);
537  if (data == NULL)
538  goto error;
539 
540  int sm_list;
541  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
542  sm_list = s->init_data->list;
543 
544  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
545  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
546  }
547  } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
548  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
549  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
550  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
551  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
552  if (prev_pm == NULL) {
553  sm_list = DETECT_SM_LIST_PMATCH;
554  } else {
555  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
556  if (sm_list < 0)
557  goto error;
558  }
559  } else {
560  sm_list = DETECT_SM_LIST_PMATCH;
561  }
562 
563  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
564  goto error;
565  s->flags |= SIG_FLAG_APPLAYER;
566 
567  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
568  prev_pm = DetectGetLastSMFromLists(s,
569  DETECT_CONTENT, DETECT_PCRE,
570  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
571  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
572  if (prev_pm == NULL) {
573  sm_list = DETECT_SM_LIST_PMATCH;
574  } else {
575  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
576  if (sm_list < 0)
577  goto error;
578  if (sm_list != DETECT_SM_LIST_PMATCH)
579  s->flags |= SIG_FLAG_APPLAYER;
580  }
581 
582  } else {
583  sm_list = DETECT_SM_LIST_PMATCH;
584  }
585 
586  if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
587  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
588  goto error;
589 
590  if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
591  (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
592  (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
593  (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
594  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
595  "A byte_jump keyword with dce holds other invalid modifiers.");
596  goto error;
597  }
598  }
599 
600  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
601  DETECT_BYTE_EXTRACT, -1);
602  if (prev_bed_sm == NULL)
603  data->local_id = 0;
604  else
605  data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
606  if (data->local_id > de_ctx->byte_extract_max_local_id)
607  de_ctx->byte_extract_max_local_id = data->local_id;
608 
609 
610  sm = SigMatchAlloc();
611  if (sm == NULL)
612  goto error;
613  sm->type = DETECT_BYTE_EXTRACT;
614  sm->ctx = (void *)data;
615  SigMatchAppendSMToList(s, sm, sm_list);
616 
617 
618  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
619  goto okay;
620 
621  if (prev_pm == NULL)
622  goto okay;
623 
624  if (prev_pm->type == DETECT_CONTENT) {
625  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
626  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
627  } else if (prev_pm->type == DETECT_PCRE) {
628  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
629  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
630  }
631 
632  okay:
633  ret = 0;
634  return ret;
635  error:
636  DetectByteExtractFree(de_ctx, data);
637  return ret;
638 }
639 
640 /**
641  * \brief Used to free instances of DetectByteExtractData.
642  *
643  * \param ptr Instance of DetectByteExtractData to be freed.
644  */
645 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
646 {
647  if (ptr != NULL) {
648  DetectByteExtractData *bed = ptr;
649  if (bed->name != NULL)
650  SCFree((void *)bed->name);
651  SCFree(bed);
652  }
653 
654  return;
655 }
656 
657 /**
658  * \brief Lookup the SigMatch for a named byte_extract variable.
659  *
660  * \param arg The name of the byte_extract variable to lookup.
661  * \param s Pointer the signature to look in.
662  *
663  * \retval A pointer to the SigMatch if found, otherwise NULL.
664  */
665 SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
666 {
667  const int nlists = s->init_data->smlists_array_size;
668  for (int list = 0; list < nlists; list++) {
669  SigMatch *sm = s->init_data->smlists[list];
670  while (sm != NULL) {
671  if (sm->type == DETECT_BYTE_EXTRACT) {
672  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
673  if (strcmp(bed->name, arg) == 0) {
674  return sm;
675  }
676  }
677  sm = sm->next;
678  }
679  }
680 
681  return NULL;
682 }
683 
684 /*************************************Unittests********************************/
685 
686 #ifdef UNITTESTS
687 
688 static int g_file_data_buffer_id = 0;
689 static int g_http_uri_buffer_id = 0;
690 
691 static int DetectByteExtractTest01(void)
692 {
693  int result = 0;
694 
695  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
696  if (bed == NULL)
697  goto end;
698 
699  if (bed->nbytes != 4 ||
700  bed->offset != 2 ||
701  strcmp(bed->name, "one") != 0 ||
702  bed->flags != 0 ||
703  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
704  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
705  bed->align_value != 0 ||
706  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
707  goto end;
708  }
709 
710  result = 1;
711  end:
712  if (bed != NULL)
713  DetectByteExtractFree(NULL, bed);
714  return result;
715 }
716 
717 static int DetectByteExtractTest02(void)
718 {
719  int result = 0;
720 
721  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
722  if (bed == NULL)
723  goto end;
724 
725  if (bed->nbytes != 4 ||
726  bed->offset != 2 ||
727  strcmp(bed->name, "one") != 0 ||
728  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE ||
729  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
730  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
731  bed->align_value != 0 ||
732  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
733  goto end;
734  }
735 
736  result = 1;
737  end:
738  if (bed != NULL)
739  DetectByteExtractFree(NULL, bed);
740  return result;
741 }
742 
743 static int DetectByteExtractTest03(void)
744 {
745  int result = 0;
746 
747  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
748  if (bed == NULL)
749  goto end;
750 
751  if (bed->nbytes != 4 ||
752  bed->offset != 2 ||
753  strcmp(bed->name, "one") != 0 ||
754  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER ||
755  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
756  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
757  bed->align_value != 0 ||
758  bed->multiplier_value != 10) {
759  goto end;
760  }
761 
762  result = 1;
763  end:
764  if (bed != NULL)
765  DetectByteExtractFree(NULL, bed);
766  return result;
767 }
768 
769 static int DetectByteExtractTest04(void)
770 {
771  int result = 0;
772 
773  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
774  if (bed == NULL)
775  goto end;
776 
777  if (bed->nbytes != 4 ||
778  bed->offset != 2 ||
779  strcmp(bed->name, "one") != 0 ||
780  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
781  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
782  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
783  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
784  bed->align_value != 0 ||
785  bed->multiplier_value != 10) {
786  goto end;
787  }
788 
789  result = 1;
790  end:
791  if (bed != NULL)
792  DetectByteExtractFree(NULL, bed);
793  return result;
794 }
795 
796 static int DetectByteExtractTest05(void)
797 {
798  int result = 0;
799 
800  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
801  if (bed == NULL)
802  goto end;
803 
804  if (bed->nbytes != 4 ||
805  bed->offset != 2 ||
806  strcmp(bed->name, "one") != 0 ||
807  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
808  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
809  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
810  bed->align_value != 0 ||
811  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
812  goto end;
813  }
814 
815  result = 1;
816  end:
817  if (bed != NULL)
818  DetectByteExtractFree(NULL, bed);
819  return result;
820 }
821 
822 static int DetectByteExtractTest06(void)
823 {
824  int result = 0;
825 
826  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
827  if (bed == NULL)
828  goto end;
829 
830  if (bed->nbytes != 4 ||
831  bed->offset != 2 ||
832  strcmp(bed->name, "one") != 0 ||
833  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
834  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
835  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
836  bed->align_value != 0 ||
837  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
838  goto end;
839  }
840 
841  result = 1;
842  end:
843  if (bed != NULL)
844  DetectByteExtractFree(NULL, bed);
845  return result;
846 }
847 
848 static int DetectByteExtractTest07(void)
849 {
850  int result = 0;
851 
852  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
853  if (bed == NULL)
854  goto end;
855 
856  if (bed->nbytes != 4 ||
857  bed->offset != 2 ||
858  strcmp(bed->name, "one") != 0 ||
859  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
860  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
861  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
862  bed->align_value != 0 ||
863  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
864  goto end;
865  }
866 
867  result = 1;
868  end:
869  if (bed != NULL)
870  DetectByteExtractFree(NULL, bed);
871  return result;
872 }
873 
874 static int DetectByteExtractTest08(void)
875 {
876  int result = 0;
877 
878  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
879  if (bed == NULL)
880  goto end;
881 
882  if (bed->nbytes != 4 ||
883  bed->offset != 2 ||
884  strcmp(bed->name, "one") != 0 ||
885  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
886  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
887  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
888  bed->align_value != 0 ||
889  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
890  goto end;
891  }
892 
893  result = 1;
894  end:
895  if (bed != NULL)
896  DetectByteExtractFree(NULL, bed);
897  return result;
898 }
899 
900 static int DetectByteExtractTest09(void)
901 {
902  int result = 0;
903 
904  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
905  if (bed == NULL)
906  goto end;
907 
908  if (bed->nbytes != 4 ||
909  bed->offset != 2 ||
910  strcmp(bed->name, "one") != 0 ||
911  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
912  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
913  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT ||
914  bed->align_value != 0 ||
915  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
916  goto end;
917  }
918 
919  result = 1;
920  end:
921  if (bed != NULL)
922  DetectByteExtractFree(NULL, bed);
923  return result;
924 }
925 
926 static int DetectByteExtractTest10(void)
927 {
928  int result = 0;
929 
930  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
931  if (bed == NULL)
932  goto end;
933 
934  if (bed->nbytes != 4 ||
935  bed->offset != 2 ||
936  strcmp(bed->name, "one") != 0 ||
937  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
938  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
939  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC ||
940  bed->align_value != 0 ||
941  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
942  goto end;
943  }
944 
945  result = 1;
946  end:
947  if (bed != NULL)
948  DetectByteExtractFree(NULL, bed);
949  return result;
950 }
951 
952 static int DetectByteExtractTest11(void)
953 {
954  int result = 0;
955 
956  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
957  if (bed == NULL)
958  goto end;
959 
960  if (bed->nbytes != 4 ||
961  bed->offset != 2 ||
962  strcmp(bed->name, "one") != 0 ||
963  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN ||
964  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
965  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
966  bed->align_value != 4 ||
967  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
968  goto end;
969  }
970 
971  result = 1;
972  end:
973  if (bed != NULL)
974  DetectByteExtractFree(NULL, bed);
975  return result;
976 }
977 
978 static int DetectByteExtractTest12(void)
979 {
980  int result = 0;
981 
982  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
983  if (bed == NULL)
984  goto end;
985 
986  if (bed->nbytes != 4 ||
987  bed->offset != 2 ||
988  strcmp(bed->name, "one") != 0 ||
989  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
990  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
991  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
992  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
993  bed->align_value != 4 ||
994  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
995  goto end;
996  }
997 
998  result = 1;
999  end:
1000  if (bed != NULL)
1001  DetectByteExtractFree(NULL, bed);
1002  return result;
1003 }
1004 
1005 static int DetectByteExtractTest13(void)
1006 {
1007  int result = 0;
1008 
1009  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
1010  if (bed == NULL)
1011  goto end;
1012 
1013  if (bed->nbytes != 4 ||
1014  bed->offset != 2 ||
1015  strcmp(bed->name, "one") != 0 ||
1016  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1017  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1018  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1019  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
1020  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1021  bed->align_value != 4 ||
1022  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1023  goto end;
1024  }
1025 
1026  result = 1;
1027  end:
1028  if (bed != NULL)
1029  DetectByteExtractFree(NULL, bed);
1030  return result;
1031 }
1032 
1033 static int DetectByteExtractTest14(void)
1034 {
1035  int result = 0;
1036 
1037  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
1038  if (bed == NULL)
1039  goto end;
1040 
1041  if (bed->nbytes != 4 ||
1042  bed->offset != 2 ||
1043  strcmp(bed->name, "one") != 0 ||
1044  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1045  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1046  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1047  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
1048  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1049  bed->align_value != 4 ||
1050  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1051  goto end;
1052  }
1053 
1054  result = 1;
1055  end:
1056  if (bed != NULL)
1057  DetectByteExtractFree(NULL, bed);
1058  return result;
1059 }
1060 
1061 static int DetectByteExtractTest15(void)
1062 {
1063  int result = 0;
1064 
1065  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
1066  if (bed == NULL)
1067  goto end;
1068 
1069  if (bed->nbytes != 4 ||
1070  bed->offset != 2 ||
1071  strcmp(bed->name, "one") != 0 ||
1072  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1073  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1074  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1075  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1076  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1077  bed->align_value != 4 ||
1078  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1079  goto end;
1080  }
1081 
1082  result = 1;
1083  end:
1084  if (bed != NULL)
1085  DetectByteExtractFree(NULL, bed);
1086  return result;
1087 }
1088 
1089 static int DetectByteExtractTest16(void)
1090 {
1091  int result = 0;
1092 
1093  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
1094  if (bed == NULL)
1095  goto end;
1096 
1097  if (bed->nbytes != 4 ||
1098  bed->offset != 2 ||
1099  strcmp(bed->name, "one") != 0 ||
1100  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1101  DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1102  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1103  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
1104  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1105  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1106  bed->align_value != 4 ||
1107  bed->multiplier_value != 2) {
1108  goto end;
1109  }
1110 
1111  result = 1;
1112  end:
1113  if (bed != NULL)
1114  DetectByteExtractFree(NULL, bed);
1115  return result;
1116 }
1117 
1118 static int DetectByteExtractTest17(void)
1119 {
1120  int result = 0;
1121 
1122  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1123  "relative, little, "
1124  "multiplier 2, string hex");
1125  if (bed != NULL)
1126  goto end;
1127 
1128  result = 1;
1129  end:
1130  if (bed != NULL)
1131  DetectByteExtractFree(NULL, bed);
1132  return result;
1133 }
1134 
1135 static int DetectByteExtractTest18(void)
1136 {
1137  int result = 0;
1138 
1139  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1140  "relative, little, "
1141  "multiplier 2, "
1142  "relative");
1143  if (bed != NULL)
1144  goto end;
1145 
1146  result = 1;
1147  end:
1148  if (bed != NULL)
1149  DetectByteExtractFree(NULL, bed);
1150  return result;
1151 }
1152 
1153 static int DetectByteExtractTest19(void)
1154 {
1155  int result = 0;
1156 
1157  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1158  "relative, little, "
1159  "multiplier 2, "
1160  "little");
1161  if (bed != NULL)
1162  goto end;
1163 
1164  result = 1;
1165  end:
1166  if (bed != NULL)
1167  DetectByteExtractFree(NULL, bed);
1168  return result;
1169 }
1170 
1171 static int DetectByteExtractTest20(void)
1172 {
1173  int result = 0;
1174 
1175  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1176  "relative, "
1177  "multiplier 2, "
1178  "align 2");
1179  if (bed != NULL)
1180  goto end;
1181 
1182  result = 1;
1183  end:
1184  if (bed != NULL)
1185  DetectByteExtractFree(NULL, bed);
1186  return result;
1187 }
1188 
1189 static int DetectByteExtractTest21(void)
1190 {
1191  int result = 0;
1192 
1193  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1194  "multiplier 2, "
1195  "relative, "
1196  "multiplier 2");
1197  if (bed != NULL)
1198  goto end;
1199 
1200  result = 1;
1201  end:
1202  if (bed != NULL)
1203  DetectByteExtractFree(NULL, bed);
1204  return result;
1205 }
1206 
1207 static int DetectByteExtractTest22(void)
1208 {
1209  int result = 0;
1210 
1211  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1212  "string hex, "
1213  "relative, "
1214  "string hex");
1215  if (bed != NULL)
1216  goto end;
1217 
1218  result = 1;
1219  end:
1220  if (bed != NULL)
1221  DetectByteExtractFree(NULL, bed);
1222  return result;
1223 }
1224 
1225 static int DetectByteExtractTest23(void)
1226 {
1227  int result = 0;
1228 
1229  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1230  "string hex, "
1231  "relative, "
1232  "string oct");
1233  if (bed != NULL)
1234  goto end;
1235 
1236  result = 1;
1237  end:
1238  if (bed != NULL)
1239  DetectByteExtractFree(NULL, bed);
1240  return result;
1241 }
1242 
1243 static int DetectByteExtractTest24(void)
1244 {
1245  int result = 0;
1246 
1247  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
1248  "string hex, "
1249  "relative");
1250  if (bed != NULL)
1251  goto end;
1252 
1253  result = 1;
1254  end:
1255  if (bed != NULL)
1256  DetectByteExtractFree(NULL, bed);
1257  return result;
1258 }
1259 
1260 static int DetectByteExtractTest25(void)
1261 {
1262  int result = 0;
1263 
1264  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
1265  "little, "
1266  "relative");
1267  if (bed != NULL)
1268  goto end;
1269 
1270  result = 1;
1271  end:
1272  if (bed != NULL)
1273  DetectByteExtractFree(NULL, bed);
1274  return result;
1275 }
1276 
1277 static int DetectByteExtractTest26(void)
1278 {
1279  int result = 0;
1280 
1281  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1282  "little, "
1283  "relative, "
1284  "multiplier 65536");
1285  if (bed != NULL)
1286  goto end;
1287 
1288  result = 1;
1289  end:
1290  if (bed != NULL)
1291  DetectByteExtractFree(NULL, bed);
1292  return result;
1293 }
1294 
1295 static int DetectByteExtractTest27(void)
1296 {
1297  int result = 0;
1298 
1299  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1300  "little, "
1301  "relative, "
1302  "multiplier 0");
1303  if (bed != NULL)
1304  goto end;
1305 
1306  result = 1;
1307  end:
1308  if (bed != NULL)
1309  DetectByteExtractFree(NULL, bed);
1310  return result;
1311 }
1312 
1313 static int DetectByteExtractTest28(void)
1314 {
1315  int result = 0;
1316 
1317  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
1318  if (bed == NULL)
1319  goto end;
1320 
1321  result = 1;
1322  end:
1323  if (bed != NULL)
1324  DetectByteExtractFree(NULL, bed);
1325  return result;
1326 }
1327 
1328 static int DetectByteExtractTest29(void)
1329 {
1330  int result = 0;
1331 
1332  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
1333  if (bed != NULL)
1334  goto end;
1335 
1336  result = 1;
1337  end:
1338  if (bed != NULL)
1339  DetectByteExtractFree(NULL, bed);
1340  return result;
1341 }
1342 
1343 static int DetectByteExtractTest30(void)
1344 {
1345  int result = 0;
1346 
1347  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1348  if (bed == NULL)
1349  goto end;
1350 
1351  result = 1;
1352  end:
1353  if (bed != NULL)
1354  DetectByteExtractFree(NULL, bed);
1355  return result;
1356 }
1357 
1358 static int DetectByteExtractTest31(void)
1359 {
1360  int result = 0;
1361 
1362  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1363  if (bed != NULL)
1364  goto end;
1365 
1366  result = 1;
1367  end:
1368  if (bed != NULL)
1369  DetectByteExtractFree(NULL, bed);
1370  return result;
1371 }
1372 
1373 static int DetectByteExtractTest32(void)
1374 {
1375  int result = 0;
1376 
1377  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1378  if (bed == NULL)
1379  goto end;
1380 
1381  result = 1;
1382  end:
1383  if (bed != NULL)
1384  DetectByteExtractFree(NULL, bed);
1385  return result;
1386 }
1387 
1388 static int DetectByteExtractTest33(void)
1389 {
1390  int result = 0;
1391 
1392  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1393  if (bed != NULL)
1394  goto end;
1395 
1396  result = 1;
1397  end:
1398  if (bed != NULL)
1399  DetectByteExtractFree(NULL, bed);
1400  return result;
1401 }
1402 
1403 static int DetectByteExtractTest34(void)
1404 {
1405  DetectEngineCtx *de_ctx = NULL;
1406  int result = 0;
1407  Signature *s = NULL;
1408  SigMatch *sm = NULL;
1409  DetectContentData *cd = NULL;
1410  DetectByteExtractData *bed = NULL;
1411 
1412  de_ctx = DetectEngineCtxInit();
1413  if (de_ctx == NULL)
1414  goto end;
1415 
1416  de_ctx->flags |= DE_QUIET;
1417  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1418  "(msg:\"Testing bytejump_body\"; "
1419  "content:\"one\"; "
1420  "byte_extract:4,2,two,relative,string,hex; "
1421  "sid:1;)");
1422  if (de_ctx->sig_list == NULL) {
1423  result = 0;
1424  goto end;
1425  }
1426 
1427  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1428  result = 0;
1429  goto end;
1430  }
1431 
1432  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1433  if (sm->type != DETECT_CONTENT) {
1434  result = 0;
1435  goto end;
1436  }
1437  cd = (DetectContentData *)sm->ctx;
1438  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1439  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1440  cd->flags & DETECT_CONTENT_NOCASE ||
1441  cd->flags & DETECT_CONTENT_WITHIN ||
1442  cd->flags & DETECT_CONTENT_DISTANCE ||
1443  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1444  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1445  cd->flags & DETECT_CONTENT_NEGATED ) {
1446  printf("one failed\n");
1447  result = 0;
1448  goto end;
1449  }
1450 
1451  sm = sm->next;
1452  if (sm->type != DETECT_BYTE_EXTRACT) {
1453  result = 0;
1454  goto end;
1455  }
1456  bed = (DetectByteExtractData *)sm->ctx;
1457  if (bed->nbytes != 4 ||
1458  bed->offset != 2 ||
1459  strncmp(bed->name, "two", cd->content_len) != 0 ||
1460  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1461  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1462  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1463  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1464  bed->align_value != 0 ||
1465  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1466  goto end;
1467  }
1468 
1469  result = 1;
1470 
1471  end:
1472  SigGroupCleanup(de_ctx);
1473  SigCleanSignatures(de_ctx);
1474  DetectEngineCtxFree(de_ctx);
1475 
1476  return result;
1477 }
1478 
1479 static int DetectByteExtractTest35(void)
1480 {
1481  DetectEngineCtx *de_ctx = NULL;
1482  int result = 0;
1483  Signature *s = NULL;
1484  SigMatch *sm = NULL;
1485  DetectContentData *cd = NULL;
1486  DetectPcreData *pd = NULL;
1487  DetectByteExtractData *bed = NULL;
1488 
1489  de_ctx = DetectEngineCtxInit();
1490  if (de_ctx == NULL)
1491  goto end;
1492 
1493  de_ctx->flags |= DE_QUIET;
1494  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1495  "(msg:\"Testing bytejump_body\"; "
1496  "content:\"one\"; pcre:/asf/; "
1497  "byte_extract:4,0,two,relative,string,hex; "
1498  "sid:1;)");
1499  if (de_ctx->sig_list == NULL) {
1500  result = 0;
1501  goto end;
1502  }
1503 
1504  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1505  result = 0;
1506  goto end;
1507  }
1508 
1509  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1510  if (sm->type != DETECT_CONTENT) {
1511  result = 0;
1512  goto end;
1513  }
1514  cd = (DetectContentData *)sm->ctx;
1515  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1516  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1517  cd->flags & DETECT_CONTENT_NOCASE ||
1518  cd->flags & DETECT_CONTENT_WITHIN ||
1519  cd->flags & DETECT_CONTENT_DISTANCE ||
1520  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1521  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1522  cd->flags & DETECT_CONTENT_NEGATED ) {
1523  printf("one failed\n");
1524  result = 0;
1525  goto end;
1526  }
1527 
1528  sm = sm->next;
1529  if (sm->type != DETECT_PCRE) {
1530  result = 0;
1531  goto end;
1532  }
1533  pd = (DetectPcreData *)sm->ctx;
1534  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1535  result = 0;
1536  goto end;
1537  }
1538 
1539  sm = sm->next;
1540  if (sm->type != DETECT_BYTE_EXTRACT) {
1541  result = 0;
1542  goto end;
1543  }
1544  bed = (DetectByteExtractData *)sm->ctx;
1545  if (bed->nbytes != 4 ||
1546  bed->offset != 0 ||
1547  strcmp(bed->name, "two") != 0 ||
1548  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1549  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1550  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1551  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1552  bed->align_value != 0 ||
1553  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1554  goto end;
1555  }
1556 
1557  result = 1;
1558 
1559  end:
1560  SigGroupCleanup(de_ctx);
1561  SigCleanSignatures(de_ctx);
1562  DetectEngineCtxFree(de_ctx);
1563 
1564  return result;
1565 }
1566 
1567 static int DetectByteExtractTest36(void)
1568 {
1569  DetectEngineCtx *de_ctx = NULL;
1570  int result = 0;
1571  Signature *s = NULL;
1572  SigMatch *sm = NULL;
1573  DetectContentData *cd = NULL;
1574  DetectBytejumpData *bjd = NULL;
1575  DetectByteExtractData *bed = NULL;
1576 
1577  de_ctx = DetectEngineCtxInit();
1578  if (de_ctx == NULL)
1579  goto end;
1580 
1581  de_ctx->flags |= DE_QUIET;
1582  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1583  "(msg:\"Testing bytejump_body\"; "
1584  "content:\"one\"; byte_jump:1,13; "
1585  "byte_extract:4,0,two,relative,string,hex; "
1586  "sid:1;)");
1587  if (de_ctx->sig_list == NULL) {
1588  result = 0;
1589  goto end;
1590  }
1591 
1592  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1593  result = 0;
1594  goto end;
1595  }
1596 
1597  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1598  if (sm->type != DETECT_CONTENT) {
1599  result = 0;
1600  goto end;
1601  }
1602  cd = (DetectContentData *)sm->ctx;
1603  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1604  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1605  cd->flags & DETECT_CONTENT_NOCASE ||
1606  cd->flags & DETECT_CONTENT_WITHIN ||
1607  cd->flags & DETECT_CONTENT_DISTANCE ||
1608  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1609  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1610  cd->flags & DETECT_CONTENT_NEGATED ) {
1611  printf("one failed\n");
1612  result = 0;
1613  goto end;
1614  }
1615 
1616  sm = sm->next;
1617  if (sm->type != DETECT_BYTEJUMP) {
1618  result = 0;
1619  goto end;
1620  }
1621  bjd = (DetectBytejumpData *)sm->ctx;
1622  if (bjd->flags != 0) {
1623  result = 0;
1624  goto end;
1625  }
1626 
1627  sm = sm->next;
1628  if (sm->type != DETECT_BYTE_EXTRACT) {
1629  result = 0;
1630  goto end;
1631  }
1632  bed = (DetectByteExtractData *)sm->ctx;
1633  if (bed->nbytes != 4 ||
1634  bed->offset != 0 ||
1635  strcmp(bed->name, "two") != 0 ||
1636  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1637  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1638  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1639  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1640  bed->align_value != 0 ||
1641  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1642  goto end;
1643  }
1644 
1645  result = 1;
1646 
1647  end:
1648  SigGroupCleanup(de_ctx);
1649  SigCleanSignatures(de_ctx);
1650  DetectEngineCtxFree(de_ctx);
1651 
1652  return result;
1653 }
1654 
1655 static int DetectByteExtractTest37(void)
1656 {
1657  DetectEngineCtx *de_ctx = NULL;
1658  int result = 0;
1659  Signature *s = NULL;
1660  SigMatch *sm = NULL;
1661  DetectContentData *cd = NULL;
1662  DetectContentData *ud = NULL;
1663  DetectByteExtractData *bed = NULL;
1664 
1665  de_ctx = DetectEngineCtxInit();
1666  if (de_ctx == NULL)
1667  goto end;
1668 
1669  de_ctx->flags |= DE_QUIET;
1670  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1671  "(msg:\"Testing bytejump_body\"; "
1672  "content:\"one\"; uricontent:\"two\"; "
1673  "byte_extract:4,0,two,relative,string,hex; "
1674  "sid:1;)");
1675  if (de_ctx->sig_list == NULL) {
1676  result = 0;
1677  goto end;
1678  }
1679 
1680  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1681  result = 0;
1682  goto end;
1683  }
1684 
1685  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1686  if (sm->type != DETECT_CONTENT) {
1687  result = 0;
1688  goto end;
1689  }
1690  cd = (DetectContentData *)sm->ctx;
1691  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1692  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1693  cd->flags & DETECT_CONTENT_NOCASE ||
1694  cd->flags & DETECT_CONTENT_WITHIN ||
1695  cd->flags & DETECT_CONTENT_DISTANCE ||
1696  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1697  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1698  cd->flags & DETECT_CONTENT_NEGATED ) {
1699  printf("one failed\n");
1700  result = 0;
1701  goto end;
1702  }
1703 
1704  if (sm->next != NULL) {
1705  result = 0;
1706  goto end;
1707  }
1708 
1709  sm = s->sm_lists[g_http_uri_buffer_id];
1710  if (sm->type != DETECT_CONTENT) {
1711  result = 0;
1712  goto end;
1713  }
1714  ud = (DetectContentData *)sm->ctx;
1715  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1716  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1717  ud->flags & DETECT_CONTENT_NOCASE ||
1718  ud->flags & DETECT_CONTENT_WITHIN ||
1719  ud->flags & DETECT_CONTENT_DISTANCE ||
1720  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1721  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1722  ud->flags & DETECT_CONTENT_NEGATED ) {
1723  printf("two failed\n");
1724  result = 0;
1725  goto end;
1726  }
1727 
1728  sm = sm->next;
1729  if (sm->type != DETECT_BYTE_EXTRACT) {
1730  result = 0;
1731  goto end;
1732  }
1733  bed = (DetectByteExtractData *)sm->ctx;
1734  if (bed->nbytes != 4 ||
1735  bed->offset != 0 ||
1736  strcmp(bed->name, "two") != 0 ||
1737  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1738  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1739  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1740  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1741  bed->align_value != 0 ||
1742  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1743  goto end;
1744  }
1745 
1746  result = 1;
1747 
1748  end:
1749  SigGroupCleanup(de_ctx);
1750  SigCleanSignatures(de_ctx);
1751  DetectEngineCtxFree(de_ctx);
1752 
1753  return result;
1754 }
1755 
1756 static int DetectByteExtractTest38(void)
1757 {
1758  DetectEngineCtx *de_ctx = NULL;
1759  int result = 0;
1760  Signature *s = NULL;
1761  SigMatch *sm = NULL;
1762  DetectContentData *cd = NULL;
1763  DetectContentData *ud = NULL;
1764  DetectByteExtractData *bed = NULL;
1765 
1766  de_ctx = DetectEngineCtxInit();
1767  if (de_ctx == NULL)
1768  goto end;
1769 
1770  de_ctx->flags |= DE_QUIET;
1771  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1772  "(msg:\"Testing bytejump_body\"; "
1773  "content:\"one\"; uricontent:\"two\"; "
1774  "byte_extract:4,0,two,string,hex; "
1775  "sid:1;)");
1776  if (de_ctx->sig_list == NULL) {
1777  result = 0;
1778  goto end;
1779  }
1780 
1781  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1782  result = 0;
1783  goto end;
1784  }
1785 
1786  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1787  if (sm->type != DETECT_CONTENT) {
1788  result = 0;
1789  goto end;
1790  }
1791  cd = (DetectContentData *)sm->ctx;
1792  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1793  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1794  cd->flags & DETECT_CONTENT_NOCASE ||
1795  cd->flags & DETECT_CONTENT_WITHIN ||
1796  cd->flags & DETECT_CONTENT_DISTANCE ||
1797  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1798  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1799  cd->flags & DETECT_CONTENT_NEGATED ) {
1800  printf("one failed\n");
1801  result = 0;
1802  goto end;
1803  }
1804 
1805  sm = sm->next;
1806  if (sm->type != DETECT_BYTE_EXTRACT) {
1807  result = 0;
1808  goto end;
1809  }
1810  bed = (DetectByteExtractData *)sm->ctx;
1811  if (bed->nbytes != 4 ||
1812  bed->offset != 0 ||
1813  strcmp(bed->name, "two") != 0 ||
1814  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
1815  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1816  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1817  bed->align_value != 0 ||
1818  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1819  goto end;
1820  }
1821 
1822  sm = s->sm_lists[g_http_uri_buffer_id];
1823  if (sm->type != DETECT_CONTENT) {
1824  result = 0;
1825  goto end;
1826  }
1827  ud = (DetectContentData *)sm->ctx;
1828  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1829  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1830  ud->flags & DETECT_CONTENT_NOCASE ||
1831  ud->flags & DETECT_CONTENT_WITHIN ||
1832  ud->flags & DETECT_CONTENT_DISTANCE ||
1833  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1834  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1835  ud->flags & DETECT_CONTENT_NEGATED ) {
1836  printf("two failed\n");
1837  result = 0;
1838  goto end;
1839  }
1840 
1841  if (sm->next != NULL) {
1842  result = 0;
1843  goto end;
1844  }
1845 
1846  result = 1;
1847 
1848  end:
1849  SigGroupCleanup(de_ctx);
1850  SigCleanSignatures(de_ctx);
1851  DetectEngineCtxFree(de_ctx);
1852 
1853  return result;
1854 }
1855 
1856 static int DetectByteExtractTest39(void)
1857 {
1858  DetectEngineCtx *de_ctx = NULL;
1859  int result = 0;
1860  Signature *s = NULL;
1861  SigMatch *sm = NULL;
1862  DetectContentData *cd = NULL;
1863  DetectContentData *ud = NULL;
1864  DetectByteExtractData *bed = NULL;
1865 
1866  de_ctx = DetectEngineCtxInit();
1867  if (de_ctx == NULL)
1868  goto end;
1869 
1870  de_ctx->flags |= DE_QUIET;
1871  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1872  "(msg:\"Testing bytejump_body\"; "
1873  "content:\"one\"; content:\"two\"; http_uri; "
1874  "byte_extract:4,0,two,relative,string,hex; "
1875  "sid:1;)");
1876  if (de_ctx->sig_list == NULL) {
1877  result = 0;
1878  goto end;
1879  }
1880 
1881  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1882  result = 0;
1883  goto end;
1884  }
1885 
1886  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1887  if (sm->type != DETECT_CONTENT) {
1888  result = 0;
1889  goto end;
1890  }
1891  cd = (DetectContentData *)sm->ctx;
1892  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1893  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1894  cd->flags & DETECT_CONTENT_NOCASE ||
1895  cd->flags & DETECT_CONTENT_WITHIN ||
1896  cd->flags & DETECT_CONTENT_DISTANCE ||
1897  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1898  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1899  cd->flags & DETECT_CONTENT_NEGATED ) {
1900  printf("one failed\n");
1901  result = 0;
1902  goto end;
1903  }
1904 
1905  if (sm->next != NULL) {
1906  result = 0;
1907  goto end;
1908  }
1909 
1910  sm = s->sm_lists[g_http_uri_buffer_id];
1911  if (sm->type != DETECT_CONTENT) {
1912  result = 0;
1913  goto end;
1914  }
1915  ud = (DetectContentData *)sm->ctx;
1916  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1917  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1918  ud->flags & DETECT_CONTENT_NOCASE ||
1919  ud->flags & DETECT_CONTENT_WITHIN ||
1920  ud->flags & DETECT_CONTENT_DISTANCE ||
1921  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1922  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1923  ud->flags & DETECT_CONTENT_NEGATED ) {
1924  printf("two failed\n");
1925  result = 0;
1926  goto end;
1927  }
1928 
1929  sm = sm->next;
1930  if (sm->type != DETECT_BYTE_EXTRACT) {
1931  result = 0;
1932  goto end;
1933  }
1934  bed = (DetectByteExtractData *)sm->ctx;
1935  if (bed->nbytes != 4 ||
1936  bed->offset != 0 ||
1937  strcmp(bed->name, "two") != 0 ||
1938  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1939  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1940  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1941  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1942  bed->align_value != 0 ||
1943  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1944  goto end;
1945  }
1946 
1947  result = 1;
1948 
1949  end:
1950  SigGroupCleanup(de_ctx);
1951  SigCleanSignatures(de_ctx);
1952  DetectEngineCtxFree(de_ctx);
1953 
1954  return result;
1955 }
1956 
1957 static int DetectByteExtractTest40(void)
1958 {
1959  DetectEngineCtx *de_ctx = NULL;
1960  int result = 0;
1961  Signature *s = NULL;
1962  SigMatch *sm = NULL;
1963  DetectContentData *cd = NULL;
1964  DetectContentData *ud = NULL;
1965  DetectByteExtractData *bed = NULL;
1966 
1967  de_ctx = DetectEngineCtxInit();
1968  if (de_ctx == NULL)
1969  goto end;
1970 
1971  de_ctx->flags |= DE_QUIET;
1972  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1973  "(msg:\"Testing bytejump_body\"; "
1974  "content:\"one\"; content:\"two\"; http_uri; "
1975  "byte_extract:4,0,two,string,hex; "
1976  "sid:1;)");
1977  if (de_ctx->sig_list == NULL) {
1978  result = 0;
1979  goto end;
1980  }
1981 
1982  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1983  result = 0;
1984  goto end;
1985  }
1986 
1987  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
1988  if (sm->type != DETECT_CONTENT) {
1989  result = 0;
1990  goto end;
1991  }
1992  cd = (DetectContentData *)sm->ctx;
1993  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1994  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1995  cd->flags & DETECT_CONTENT_NOCASE ||
1996  cd->flags & DETECT_CONTENT_WITHIN ||
1997  cd->flags & DETECT_CONTENT_DISTANCE ||
1998  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1999  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2000  cd->flags & DETECT_CONTENT_NEGATED ) {
2001  printf("one failed\n");
2002  result = 0;
2003  goto end;
2004  }
2005 
2006  sm = sm->next;
2007  if (sm->type != DETECT_BYTE_EXTRACT) {
2008  result = 0;
2009  goto end;
2010  }
2011  bed = (DetectByteExtractData *)sm->ctx;
2012  if (bed->nbytes != 4 ||
2013  bed->offset != 0 ||
2014  strcmp(bed->name, "two") != 0 ||
2015  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
2016  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2017  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2018  bed->align_value != 0 ||
2019  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2020  goto end;
2021  }
2022 
2023  sm = s->sm_lists[g_http_uri_buffer_id];
2024  if (sm->type != DETECT_CONTENT) {
2025  result = 0;
2026  goto end;
2027  }
2028  ud = (DetectContentData *)sm->ctx;
2029  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2030  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
2031  ud->flags & DETECT_CONTENT_NOCASE ||
2032  ud->flags & DETECT_CONTENT_WITHIN ||
2033  ud->flags & DETECT_CONTENT_DISTANCE ||
2034  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2035  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2036  ud->flags & DETECT_CONTENT_NEGATED ) {
2037  printf("two failed\n");
2038  result = 0;
2039  goto end;
2040  }
2041 
2042  if (sm->next != NULL) {
2043  result = 0;
2044  goto end;
2045  }
2046 
2047  result = 1;
2048 
2049  end:
2050  SigGroupCleanup(de_ctx);
2051  SigCleanSignatures(de_ctx);
2052  DetectEngineCtxFree(de_ctx);
2053 
2054  return result;
2055 }
2056 
2057 static int DetectByteExtractTest41(void)
2058 {
2059  DetectEngineCtx *de_ctx = NULL;
2060  int result = 0;
2061  Signature *s = NULL;
2062  SigMatch *sm = NULL;
2063  DetectContentData *cd = NULL;
2064  DetectByteExtractData *bed = NULL;
2065 
2066  de_ctx = DetectEngineCtxInit();
2067  if (de_ctx == NULL)
2068  goto end;
2069 
2070  de_ctx->flags |= DE_QUIET;
2071  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2072  "(msg:\"Testing bytejump_body\"; "
2073  "content:\"one\"; "
2074  "byte_extract:4,0,two,string,hex; "
2075  "byte_extract:4,0,three,string,hex; "
2076  "sid:1;)");
2077  if (de_ctx->sig_list == NULL) {
2078  result = 0;
2079  goto end;
2080  }
2081 
2082  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2083  result = 0;
2084  goto end;
2085  }
2086 
2087  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2088  if (sm->type != DETECT_CONTENT) {
2089  result = 0;
2090  goto end;
2091  }
2092  cd = (DetectContentData *)sm->ctx;
2093  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2094  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2095  cd->flags & DETECT_CONTENT_NOCASE ||
2096  cd->flags & DETECT_CONTENT_WITHIN ||
2097  cd->flags & DETECT_CONTENT_DISTANCE ||
2098  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2099  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2100  cd->flags & DETECT_CONTENT_NEGATED ) {
2101  printf("one failed\n");
2102  result = 0;
2103  goto end;
2104  }
2105 
2106  sm = sm->next;
2107  if (sm->type != DETECT_BYTE_EXTRACT) {
2108  result = 0;
2109  goto end;
2110  }
2111  bed = (DetectByteExtractData *)sm->ctx;
2112  if (bed->nbytes != 4 ||
2113  bed->offset != 0 ||
2114  strcmp(bed->name, "two") != 0 ||
2115  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2116  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2117  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2118  bed->align_value != 0 ||
2119  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2120  goto end;
2121  }
2122  if (bed->local_id != 0) {
2123  result = 0;
2124  goto end;
2125  }
2126 
2127  sm = sm->next;
2128  if (sm->type != DETECT_BYTE_EXTRACT) {
2129  result = 0;
2130  goto end;
2131  }
2132  bed = (DetectByteExtractData *)sm->ctx;
2133  if (bed->nbytes != 4 ||
2134  bed->offset != 0 ||
2135  strcmp(bed->name, "three") != 0 ||
2136  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2137  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2138  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2139  bed->align_value != 0 ||
2140  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2141  goto end;
2142  }
2143  if (bed->local_id != 1) {
2144  result = 0;
2145  goto end;
2146  }
2147 
2148  result = 1;
2149 
2150  end:
2151  SigGroupCleanup(de_ctx);
2152  SigCleanSignatures(de_ctx);
2153  DetectEngineCtxFree(de_ctx);
2154 
2155  return result;
2156 }
2157 
2158 static int DetectByteExtractTest42(void)
2159 {
2160  DetectEngineCtx *de_ctx = NULL;
2161  int result = 0;
2162  Signature *s = NULL;
2163  SigMatch *sm = NULL;
2164  DetectContentData *cd = NULL;
2165  DetectContentData *ud = NULL;
2166  DetectByteExtractData *bed = NULL;
2167 
2168  de_ctx = DetectEngineCtxInit();
2169  if (de_ctx == NULL)
2170  goto end;
2171 
2172  de_ctx->flags |= DE_QUIET;
2173  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2174  "(msg:\"Testing bytejump_body\"; "
2175  "content:\"one\"; "
2176  "byte_extract:4,0,two,string,hex; "
2177  "uricontent: \"three\"; "
2178  "byte_extract:4,0,four,string,hex,relative; "
2179  "byte_extract:4,0,five,string,hex; "
2180  "sid:1;)");
2181  if (de_ctx->sig_list == NULL) {
2182  result = 0;
2183  goto end;
2184  }
2185 
2186  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2187  result = 0;
2188  goto end;
2189  }
2190 
2191  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2192  if (sm->type != DETECT_CONTENT) {
2193  result = 0;
2194  goto end;
2195  }
2196  cd = (DetectContentData *)sm->ctx;
2197  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2198  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2199  cd->flags & DETECT_CONTENT_NOCASE ||
2200  cd->flags & DETECT_CONTENT_WITHIN ||
2201  cd->flags & DETECT_CONTENT_DISTANCE ||
2202  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2203  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2204  cd->flags & DETECT_CONTENT_NEGATED ) {
2205  printf("one failed\n");
2206  result = 0;
2207  goto end;
2208  }
2209 
2210  sm = sm->next;
2211  if (sm->type != DETECT_BYTE_EXTRACT) {
2212  result = 0;
2213  goto end;
2214  }
2215  bed = (DetectByteExtractData *)sm->ctx;
2216  if (bed->nbytes != 4 ||
2217  bed->offset != 0 ||
2218  strcmp(bed->name, "two") != 0 ||
2219  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2220  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2221  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2222  bed->align_value != 0 ||
2223  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2224  goto end;
2225  }
2226  if (bed->local_id != 0) {
2227  result = 0;
2228  goto end;
2229  }
2230 
2231  sm = sm->next;
2232  if (sm->type != DETECT_BYTE_EXTRACT) {
2233  result = 0;
2234  goto end;
2235  }
2236  bed = (DetectByteExtractData *)sm->ctx;
2237  if (bed->nbytes != 4 ||
2238  bed->offset != 0 ||
2239  strcmp(bed->name, "five") != 0 ||
2240  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2241  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2242  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2243  bed->align_value != 0 ||
2244  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2245  goto end;
2246  }
2247  if (bed->local_id != 1) {
2248  result = 0;
2249  goto end;
2250  }
2251 
2252  if (sm->next != NULL)
2253  goto end;
2254 
2255  sm = s->sm_lists[g_http_uri_buffer_id];
2256  if (sm->type != DETECT_CONTENT) {
2257  result = 0;
2258  goto end;
2259  }
2260  ud = (DetectContentData *)sm->ctx;
2261  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2262  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
2263  ud->flags & DETECT_CONTENT_NOCASE ||
2264  ud->flags & DETECT_CONTENT_WITHIN ||
2265  ud->flags & DETECT_CONTENT_DISTANCE ||
2266  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2267  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2268  ud->flags & DETECT_CONTENT_NEGATED ) {
2269  printf("two failed\n");
2270  result = 0;
2271  goto end;
2272  }
2273 
2274  sm = sm->next;
2275  if (sm->type != DETECT_BYTE_EXTRACT) {
2276  result = 0;
2277  goto end;
2278  }
2279  bed = (DetectByteExtractData *)sm->ctx;
2280  if (bed->nbytes != 4 ||
2281  bed->offset != 0 ||
2282  strcmp(bed->name, "four") != 0 ||
2283  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
2284  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
2285  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2286  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2287  bed->align_value != 0 ||
2288  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2289  goto end;
2290  }
2291  if (bed->local_id != 0) {
2292  result = 0;
2293  goto end;
2294  }
2295 
2296  if (sm->next != NULL)
2297  goto end;
2298 
2299  result = 1;
2300 
2301  end:
2302  SigGroupCleanup(de_ctx);
2303  SigCleanSignatures(de_ctx);
2304  DetectEngineCtxFree(de_ctx);
2305 
2306  return result;
2307 }
2308 
2309 static int DetectByteExtractTest43(void)
2310 {
2311  DetectEngineCtx *de_ctx = NULL;
2312  int result = 0;
2313  Signature *s = NULL;
2314  SigMatch *sm = NULL;
2315  DetectContentData *cd = NULL;
2316  DetectByteExtractData *bed = NULL;
2317 
2318  de_ctx = DetectEngineCtxInit();
2319  if (de_ctx == NULL)
2320  goto end;
2321 
2322  de_ctx->flags |= DE_QUIET;
2323  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2324  "(msg:\"Testing bytejump_body\"; "
2325  "content:\"one\"; "
2326  "byte_extract:4,0,two,string,hex; "
2327  "content: \"three\"; offset:two; "
2328  "sid:1;)");
2329  if (de_ctx->sig_list == NULL) {
2330  result = 0;
2331  goto end;
2332  }
2333 
2334  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2335  result = 0;
2336  goto end;
2337  }
2338 
2339  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2340  if (sm->type != DETECT_CONTENT) {
2341  result = 0;
2342  goto end;
2343  }
2344  cd = (DetectContentData *)sm->ctx;
2345  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2346  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2347  cd->flags & DETECT_CONTENT_NOCASE ||
2348  cd->flags & DETECT_CONTENT_WITHIN ||
2349  cd->flags & DETECT_CONTENT_DISTANCE ||
2350  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2351  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2352  cd->flags & DETECT_CONTENT_NEGATED ) {
2353  printf("one failed\n");
2354  result = 0;
2355  goto end;
2356  }
2357 
2358  sm = sm->next;
2359  if (sm->type != DETECT_BYTE_EXTRACT) {
2360  result = 0;
2361  goto end;
2362  }
2363  bed = (DetectByteExtractData *)sm->ctx;
2364  if (bed->nbytes != 4 ||
2365  bed->offset != 0 ||
2366  strcmp(bed->name, "two") != 0 ||
2367  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2368  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2369  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2370  bed->align_value != 0 ||
2371  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2372  goto end;
2373  }
2374  if (bed->local_id != 0) {
2375  result = 0;
2376  goto end;
2377  }
2378 
2379  sm = sm->next;
2380  if (sm->type != DETECT_CONTENT) {
2381  result = 0;
2382  goto end;
2383  }
2384  cd = (DetectContentData *)sm->ctx;
2385  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2386  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2387  DETECT_CONTENT_OFFSET) ||
2388  cd->offset != bed->local_id) {
2389  printf("three failed\n");
2390  result = 0;
2391  goto end;
2392  }
2393 
2394  if (sm->next != NULL)
2395  goto end;
2396 
2397  result = 1;
2398 
2399  end:
2400  SigGroupCleanup(de_ctx);
2401  SigCleanSignatures(de_ctx);
2402  DetectEngineCtxFree(de_ctx);
2403 
2404  return result;
2405 }
2406 
2407 static int DetectByteExtractTest44(void)
2408 {
2409  DetectEngineCtx *de_ctx = NULL;
2410  int result = 0;
2411  Signature *s = NULL;
2412  SigMatch *sm = NULL;
2413  DetectContentData *cd = NULL;
2414  DetectByteExtractData *bed1 = NULL;
2415  DetectByteExtractData *bed2 = NULL;
2416 
2417  de_ctx = DetectEngineCtxInit();
2418  if (de_ctx == NULL)
2419  goto end;
2420 
2421  de_ctx->flags |= DE_QUIET;
2422  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2423  "(msg:\"Testing bytejump_body\"; "
2424  "content:\"one\"; "
2425  "byte_extract:4,0,two,string,hex; "
2426  "byte_extract:4,0,three,string,hex; "
2427  "content: \"four\"; offset:two; "
2428  "content: \"five\"; offset:three; "
2429  "sid:1;)");
2430  if (de_ctx->sig_list == NULL) {
2431  result = 0;
2432  goto end;
2433  }
2434 
2435  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2436  result = 0;
2437  goto end;
2438  }
2439 
2440  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2441  if (sm->type != DETECT_CONTENT) {
2442  result = 0;
2443  goto end;
2444  }
2445  cd = (DetectContentData *)sm->ctx;
2446  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2447  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2448  cd->flags & DETECT_CONTENT_NOCASE ||
2449  cd->flags & DETECT_CONTENT_WITHIN ||
2450  cd->flags & DETECT_CONTENT_DISTANCE ||
2451  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2452  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2453  cd->flags & DETECT_CONTENT_NEGATED ) {
2454  printf("one failed\n");
2455  result = 0;
2456  goto end;
2457  }
2458 
2459  sm = sm->next;
2460  if (sm->type != DETECT_BYTE_EXTRACT) {
2461  result = 0;
2462  goto end;
2463  }
2464  bed1 = (DetectByteExtractData *)sm->ctx;
2465  if (bed1->nbytes != 4 ||
2466  bed1->offset != 0 ||
2467  strcmp(bed1->name, "two") != 0 ||
2468  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2469  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2470  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2471  bed1->align_value != 0 ||
2472  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2473  goto end;
2474  }
2475  if (bed1->local_id != 0) {
2476  result = 0;
2477  goto end;
2478  }
2479 
2480  sm = sm->next;
2481  if (sm->type != DETECT_BYTE_EXTRACT) {
2482  result = 0;
2483  goto end;
2484  }
2485  bed2 = (DetectByteExtractData *)sm->ctx;
2486 
2487  sm = sm->next;
2488  if (sm->type != DETECT_CONTENT) {
2489  result = 0;
2490  goto end;
2491  }
2492  cd = (DetectContentData *)sm->ctx;
2493  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2494  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2495  DETECT_CONTENT_OFFSET) ||
2496  cd->offset != bed1->local_id) {
2497  printf("four failed\n");
2498  result = 0;
2499  goto end;
2500  }
2501 
2502  sm = sm->next;
2503  if (sm->type != DETECT_CONTENT) {
2504  result = 0;
2505  goto end;
2506  }
2507  cd = (DetectContentData *)sm->ctx;
2508  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2509  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2510  DETECT_CONTENT_OFFSET) ||
2511  cd->offset != bed2->local_id) {
2512  printf("five failed\n");
2513  result = 0;
2514  goto end;
2515  }
2516 
2517  if (sm->next != NULL)
2518  goto end;
2519 
2520  result = 1;
2521 
2522  end:
2523  SigGroupCleanup(de_ctx);
2524  SigCleanSignatures(de_ctx);
2525  DetectEngineCtxFree(de_ctx);
2526 
2527  return result;
2528 }
2529 
2530 static int DetectByteExtractTest45(void)
2531 {
2532  DetectEngineCtx *de_ctx = NULL;
2533  int result = 0;
2534  Signature *s = NULL;
2535  SigMatch *sm = NULL;
2536  DetectContentData *cd = NULL;
2537  DetectByteExtractData *bed = NULL;
2538 
2539  de_ctx = DetectEngineCtxInit();
2540  if (de_ctx == NULL)
2541  goto end;
2542 
2543  de_ctx->flags |= DE_QUIET;
2544  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2545  "(msg:\"Testing bytejump_body\"; "
2546  "content:\"one\"; "
2547  "byte_extract:4,0,two,string,hex; "
2548  "content: \"three\"; depth:two; "
2549  "sid:1;)");
2550  if (de_ctx->sig_list == NULL) {
2551  result = 0;
2552  goto end;
2553  }
2554 
2555  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2556  result = 0;
2557  goto end;
2558  }
2559 
2560  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2561  if (sm->type != DETECT_CONTENT) {
2562  result = 0;
2563  goto end;
2564  }
2565  cd = (DetectContentData *)sm->ctx;
2566  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2567  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2568  cd->flags & DETECT_CONTENT_NOCASE ||
2569  cd->flags & DETECT_CONTENT_WITHIN ||
2570  cd->flags & DETECT_CONTENT_DISTANCE ||
2571  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2572  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2573  cd->flags & DETECT_CONTENT_NEGATED ) {
2574  printf("one failed\n");
2575  result = 0;
2576  goto end;
2577  }
2578 
2579  sm = sm->next;
2580  if (sm->type != DETECT_BYTE_EXTRACT) {
2581  result = 0;
2582  goto end;
2583  }
2584  bed = (DetectByteExtractData *)sm->ctx;
2585  if (bed->nbytes != 4 ||
2586  bed->offset != 0 ||
2587  strcmp(bed->name, "two") != 0 ||
2588  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2589  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2590  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2591  bed->align_value != 0 ||
2592  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2593  goto end;
2594  }
2595  if (bed->local_id != 0) {
2596  result = 0;
2597  goto end;
2598  }
2599 
2600  sm = sm->next;
2601  if (sm->type != DETECT_CONTENT) {
2602  result = 0;
2603  goto end;
2604  }
2605  cd = (DetectContentData *)sm->ctx;
2606  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2607  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2608  DETECT_CONTENT_DEPTH) ||
2609  cd->depth != bed->local_id ||
2610  cd->offset != 0) {
2611  printf("three failed\n");
2612  result = 0;
2613  goto end;
2614  }
2615 
2616  if (sm->next != NULL)
2617  goto end;
2618 
2619  result = 1;
2620 
2621  end:
2622  SigGroupCleanup(de_ctx);
2623  SigCleanSignatures(de_ctx);
2624  DetectEngineCtxFree(de_ctx);
2625 
2626  return result;
2627 }
2628 
2629 static int DetectByteExtractTest46(void)
2630 {
2631  DetectEngineCtx *de_ctx = NULL;
2632  int result = 0;
2633  Signature *s = NULL;
2634  SigMatch *sm = NULL;
2635  DetectContentData *cd = NULL;
2636  DetectByteExtractData *bed1 = NULL;
2637  DetectByteExtractData *bed2 = NULL;
2638 
2639  de_ctx = DetectEngineCtxInit();
2640  if (de_ctx == NULL)
2641  goto end;
2642 
2643  de_ctx->flags |= DE_QUIET;
2644  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2645  "(msg:\"Testing bytejump_body\"; "
2646  "content:\"one\"; "
2647  "byte_extract:4,0,two,string,hex; "
2648  "byte_extract:4,0,three,string,hex; "
2649  "content: \"four\"; depth:two; "
2650  "content: \"five\"; depth:three; "
2651  "sid:1;)");
2652  if (de_ctx->sig_list == NULL) {
2653  result = 0;
2654  goto end;
2655  }
2656 
2657  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2658  result = 0;
2659  goto end;
2660  }
2661 
2662  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2663  if (sm->type != DETECT_CONTENT) {
2664  result = 0;
2665  goto end;
2666  }
2667  cd = (DetectContentData *)sm->ctx;
2668  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2669  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2670  cd->flags & DETECT_CONTENT_NOCASE ||
2671  cd->flags & DETECT_CONTENT_WITHIN ||
2672  cd->flags & DETECT_CONTENT_DISTANCE ||
2673  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2674  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2675  cd->flags & DETECT_CONTENT_NEGATED ) {
2676  printf("one failed\n");
2677  result = 0;
2678  goto end;
2679  }
2680 
2681  sm = sm->next;
2682  if (sm->type != DETECT_BYTE_EXTRACT) {
2683  result = 0;
2684  goto end;
2685  }
2686  bed1 = (DetectByteExtractData *)sm->ctx;
2687  if (bed1->nbytes != 4 ||
2688  bed1->offset != 0 ||
2689  strcmp(bed1->name, "two") != 0 ||
2690  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2691  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2692  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2693  bed1->align_value != 0 ||
2694  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2695  goto end;
2696  }
2697  if (bed1->local_id != 0) {
2698  result = 0;
2699  goto end;
2700  }
2701 
2702  sm = sm->next;
2703  if (sm->type != DETECT_BYTE_EXTRACT) {
2704  result = 0;
2705  goto end;
2706  }
2707  bed2 = (DetectByteExtractData *)sm->ctx;
2708 
2709  sm = sm->next;
2710  if (sm->type != DETECT_CONTENT) {
2711  result = 0;
2712  goto end;
2713  }
2714  cd = (DetectContentData *)sm->ctx;
2715  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2716  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2717  DETECT_CONTENT_DEPTH) ||
2718  cd->depth != bed1->local_id) {
2719  printf("four failed\n");
2720  result = 0;
2721  goto end;
2722  }
2723 
2724  sm = sm->next;
2725  if (sm->type != DETECT_CONTENT) {
2726  result = 0;
2727  goto end;
2728  }
2729  cd = (DetectContentData *)sm->ctx;
2730  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2731  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2732  DETECT_CONTENT_DEPTH) ||
2733  cd->depth != bed2->local_id) {
2734  printf("five failed\n");
2735  result = 0;
2736  goto end;
2737  }
2738 
2739  if (sm->next != NULL)
2740  goto end;
2741 
2742  result = 1;
2743 
2744  end:
2745  SigGroupCleanup(de_ctx);
2746  SigCleanSignatures(de_ctx);
2747  DetectEngineCtxFree(de_ctx);
2748 
2749  return result;
2750 }
2751 
2752 static int DetectByteExtractTest47(void)
2753 {
2754  DetectEngineCtx *de_ctx = NULL;
2755  int result = 0;
2756  Signature *s = NULL;
2757  SigMatch *sm = NULL;
2758  DetectContentData *cd = NULL;
2759  DetectByteExtractData *bed = NULL;
2760 
2761  de_ctx = DetectEngineCtxInit();
2762  if (de_ctx == NULL)
2763  goto end;
2764 
2765  de_ctx->flags |= DE_QUIET;
2766  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2767  "(msg:\"Testing bytejump_body\"; "
2768  "content:\"one\"; "
2769  "byte_extract:4,0,two,string,hex; "
2770  "content: \"three\"; distance:two; "
2771  "sid:1;)");
2772  if (de_ctx->sig_list == NULL) {
2773  result = 0;
2774  goto end;
2775  }
2776 
2777  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2778  result = 0;
2779  goto end;
2780  }
2781 
2782  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2783  if (sm->type != DETECT_CONTENT) {
2784  result = 0;
2785  goto end;
2786  }
2787  cd = (DetectContentData *)sm->ctx;
2788  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2789  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2790  cd->flags & DETECT_CONTENT_NOCASE ||
2791  cd->flags & DETECT_CONTENT_WITHIN ||
2792  cd->flags & DETECT_CONTENT_DISTANCE ||
2793  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2794  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2795  cd->flags & DETECT_CONTENT_NEGATED ) {
2796  printf("one failed\n");
2797  result = 0;
2798  goto end;
2799  }
2800 
2801  sm = sm->next;
2802  if (sm->type != DETECT_BYTE_EXTRACT) {
2803  result = 0;
2804  goto end;
2805  }
2806  bed = (DetectByteExtractData *)sm->ctx;
2807  if (bed->nbytes != 4 ||
2808  bed->offset != 0 ||
2809  strcmp(bed->name, "two") != 0 ||
2810  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2811  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2812  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2813  bed->align_value != 0 ||
2814  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2815  goto end;
2816  }
2817  if (bed->local_id != 0) {
2818  result = 0;
2819  goto end;
2820  }
2821 
2822  sm = sm->next;
2823  if (sm->type != DETECT_CONTENT) {
2824  result = 0;
2825  goto end;
2826  }
2827  cd = (DetectContentData *)sm->ctx;
2828  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2829  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2830  DETECT_CONTENT_DISTANCE) ||
2831  cd->distance != bed->local_id ||
2832  cd->offset != 0 ||
2833  cd->depth != 0) {
2834  printf("three failed\n");
2835  result = 0;
2836  goto end;
2837  }
2838 
2839  if (sm->next != NULL)
2840  goto end;
2841 
2842  result = 1;
2843 
2844  end:
2845  SigGroupCleanup(de_ctx);
2846  SigCleanSignatures(de_ctx);
2847  DetectEngineCtxFree(de_ctx);
2848 
2849  return result;
2850 }
2851 
2852 static int DetectByteExtractTest48(void)
2853 {
2854  DetectEngineCtx *de_ctx = NULL;
2855  int result = 0;
2856  Signature *s = NULL;
2857  SigMatch *sm = NULL;
2858  DetectContentData *cd = NULL;
2859  DetectByteExtractData *bed1 = NULL;
2860  DetectByteExtractData *bed2 = NULL;
2861 
2862  de_ctx = DetectEngineCtxInit();
2863  if (de_ctx == NULL)
2864  goto end;
2865 
2866  de_ctx->flags |= DE_QUIET;
2867  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2868  "(msg:\"Testing bytejump_body\"; "
2869  "content:\"one\"; "
2870  "byte_extract:4,0,two,string,hex; "
2871  "byte_extract:4,0,three,string,hex; "
2872  "content: \"four\"; distance:two; "
2873  "content: \"five\"; distance:three; "
2874  "sid:1;)");
2875  if (de_ctx->sig_list == NULL) {
2876  result = 0;
2877  goto end;
2878  }
2879 
2880  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2881  result = 0;
2882  goto end;
2883  }
2884 
2885  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
2886  if (sm->type != DETECT_CONTENT) {
2887  result = 0;
2888  goto end;
2889  }
2890  cd = (DetectContentData *)sm->ctx;
2891  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2892  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2893  cd->flags & DETECT_CONTENT_NOCASE ||
2894  cd->flags & DETECT_CONTENT_WITHIN ||
2895  cd->flags & DETECT_CONTENT_DISTANCE ||
2896  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2897  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2898  cd->flags & DETECT_CONTENT_NEGATED ) {
2899  printf("one failed\n");
2900  result = 0;
2901  goto end;
2902  }
2903 
2904  sm = sm->next;
2905  if (sm->type != DETECT_BYTE_EXTRACT) {
2906  result = 0;
2907  goto end;
2908  }
2909  bed1 = (DetectByteExtractData *)sm->ctx;
2910  if (bed1->nbytes != 4 ||
2911  bed1->offset != 0 ||
2912  strcmp(bed1->name, "two") != 0 ||
2913  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2914  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2915  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2916  bed1->align_value != 0 ||
2917  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2918  goto end;
2919  }
2920  if (bed1->local_id != 0) {
2921  result = 0;
2922  goto end;
2923  }
2924 
2925  sm = sm->next;
2926  if (sm->type != DETECT_BYTE_EXTRACT) {
2927  result = 0;
2928  goto end;
2929  }
2930  bed2 = (DetectByteExtractData *)sm->ctx;
2931 
2932  sm = sm->next;
2933  if (sm->type != DETECT_CONTENT) {
2934  result = 0;
2935  goto end;
2936  }
2937  cd = (DetectContentData *)sm->ctx;
2938  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2939  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2940  DETECT_CONTENT_DISTANCE |
2941  DETECT_CONTENT_DISTANCE_NEXT) ||
2942  cd->distance != bed1->local_id ||
2943  cd->depth != 0 ||
2944  cd->offset != 0) {
2945  printf("four failed\n");
2946  result = 0;
2947  goto end;
2948  }
2949 
2950  sm = sm->next;
2951  if (sm->type != DETECT_CONTENT) {
2952  result = 0;
2953  goto end;
2954  }
2955  cd = (DetectContentData *)sm->ctx;
2956  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2957  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2958  DETECT_CONTENT_DISTANCE) ||
2959  cd->distance != bed2->local_id ||
2960  cd->depth != 0 ||
2961  cd->offset != 0) {
2962  printf("five failed\n");
2963  result = 0;
2964  goto end;
2965  }
2966 
2967  if (sm->next != NULL)
2968  goto end;
2969 
2970  result = 1;
2971 
2972  end:
2973  SigGroupCleanup(de_ctx);
2974  SigCleanSignatures(de_ctx);
2975  DetectEngineCtxFree(de_ctx);
2976 
2977  return result;
2978 }
2979 
2980 static int DetectByteExtractTest49(void)
2981 {
2982  DetectEngineCtx *de_ctx = NULL;
2983  int result = 0;
2984  Signature *s = NULL;
2985  SigMatch *sm = NULL;
2986  DetectContentData *cd = NULL;
2987  DetectByteExtractData *bed = NULL;
2988 
2989  de_ctx = DetectEngineCtxInit();
2990  if (de_ctx == NULL)
2991  goto end;
2992 
2993  de_ctx->flags |= DE_QUIET;
2994  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2995  "(msg:\"Testing bytejump_body\"; "
2996  "content:\"one\"; "
2997  "byte_extract:4,0,two,string,hex; "
2998  "content: \"three\"; within:two; "
2999  "sid:1;)");
3000  if (de_ctx->sig_list == NULL) {
3001  result = 0;
3002  goto end;
3003  }
3004 
3005  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3006  result = 0;
3007  goto end;
3008  }
3009 
3010  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3011  if (sm->type != DETECT_CONTENT) {
3012  result = 0;
3013  goto end;
3014  }
3015  cd = (DetectContentData *)sm->ctx;
3016  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3017  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3018  cd->flags & DETECT_CONTENT_NOCASE ||
3019  cd->flags & DETECT_CONTENT_WITHIN ||
3020  cd->flags & DETECT_CONTENT_DISTANCE ||
3021  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3022  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3023  cd->flags & DETECT_CONTENT_NEGATED ) {
3024  printf("one failed\n");
3025  result = 0;
3026  goto end;
3027  }
3028 
3029  sm = sm->next;
3030  if (sm->type != DETECT_BYTE_EXTRACT) {
3031  result = 0;
3032  goto end;
3033  }
3034  bed = (DetectByteExtractData *)sm->ctx;
3035  if (bed->nbytes != 4 ||
3036  bed->offset != 0 ||
3037  strcmp(bed->name, "two") != 0 ||
3038  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3039  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3040  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3041  bed->align_value != 0 ||
3042  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3043  goto end;
3044  }
3045  if (bed->local_id != 0) {
3046  result = 0;
3047  goto end;
3048  }
3049 
3050  sm = sm->next;
3051  if (sm->type != DETECT_CONTENT) {
3052  result = 0;
3053  goto end;
3054  }
3055  cd = (DetectContentData *)sm->ctx;
3056  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
3057  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3058  DETECT_CONTENT_WITHIN) ||
3059  cd->within != bed->local_id ||
3060  cd->offset != 0 ||
3061  cd->depth != 0 ||
3062  cd->distance != 0) {
3063  printf("three failed\n");
3064  result = 0;
3065  goto end;
3066  }
3067 
3068  if (sm->next != NULL)
3069  goto end;
3070 
3071  result = 1;
3072 
3073  end:
3074  SigGroupCleanup(de_ctx);
3075  SigCleanSignatures(de_ctx);
3076  DetectEngineCtxFree(de_ctx);
3077 
3078  return result;
3079 }
3080 
3081 static int DetectByteExtractTest50(void)
3082 {
3083  DetectEngineCtx *de_ctx = NULL;
3084  int result = 0;
3085  Signature *s = NULL;
3086  SigMatch *sm = NULL;
3087  DetectContentData *cd = NULL;
3088  DetectByteExtractData *bed1 = NULL;
3089  DetectByteExtractData *bed2 = NULL;
3090 
3091  de_ctx = DetectEngineCtxInit();
3092  if (de_ctx == NULL)
3093  goto end;
3094 
3095  de_ctx->flags |= DE_QUIET;
3096  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3097  "(msg:\"Testing bytejump_body\"; "
3098  "content:\"one\"; "
3099  "byte_extract:4,0,two,string,hex; "
3100  "byte_extract:4,0,three,string,hex; "
3101  "content: \"four\"; within:two; "
3102  "content: \"five\"; within:three; "
3103  "sid:1;)");
3104  if (de_ctx->sig_list == NULL) {
3105  result = 0;
3106  goto end;
3107  }
3108 
3109  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3110  result = 0;
3111  goto end;
3112  }
3113 
3114  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3115  if (sm->type != DETECT_CONTENT) {
3116  result = 0;
3117  goto end;
3118  }
3119  cd = (DetectContentData *)sm->ctx;
3120  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3121  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3122  cd->flags & DETECT_CONTENT_NOCASE ||
3123  cd->flags & DETECT_CONTENT_WITHIN ||
3124  cd->flags & DETECT_CONTENT_DISTANCE ||
3125  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3126  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3127  cd->flags & DETECT_CONTENT_NEGATED ) {
3128  printf("one failed\n");
3129  result = 0;
3130  goto end;
3131  }
3132 
3133  sm = sm->next;
3134  if (sm->type != DETECT_BYTE_EXTRACT) {
3135  result = 0;
3136  goto end;
3137  }
3138  bed1 = (DetectByteExtractData *)sm->ctx;
3139  if (bed1->nbytes != 4 ||
3140  bed1->offset != 0 ||
3141  strcmp(bed1->name, "two") != 0 ||
3142  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3143  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3144  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3145  bed1->align_value != 0 ||
3146  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3147  goto end;
3148  }
3149  if (bed1->local_id != 0) {
3150  result = 0;
3151  goto end;
3152  }
3153 
3154  sm = sm->next;
3155  if (sm->type != DETECT_BYTE_EXTRACT) {
3156  result = 0;
3157  goto end;
3158  }
3159  bed2 = (DetectByteExtractData *)sm->ctx;
3160 
3161  sm = sm->next;
3162  if (sm->type != DETECT_CONTENT) {
3163  result = 0;
3164  goto end;
3165  }
3166  cd = (DetectContentData *)sm->ctx;
3167  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3168  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3169  DETECT_CONTENT_WITHIN|
3170  DETECT_CONTENT_WITHIN_NEXT) ||
3171  cd->within != bed1->local_id ||
3172  cd->depth != 0 ||
3173  cd->offset != 0 ||
3174  cd->distance != 0) {
3175  printf("four failed\n");
3176  result = 0;
3177  goto end;
3178  }
3179 
3180  sm = sm->next;
3181  if (sm->type != DETECT_CONTENT) {
3182  result = 0;
3183  goto end;
3184  }
3185  cd = (DetectContentData *)sm->ctx;
3186  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
3187  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3188  DETECT_CONTENT_WITHIN) ||
3189  cd->within != bed2->local_id ||
3190  cd->depth != 0 ||
3191  cd->offset != 0 ||
3192  cd->distance != 0) {
3193  printf("five failed\n");
3194  result = 0;
3195  goto end;
3196  }
3197 
3198  if (sm->next != NULL)
3199  goto end;
3200 
3201  result = 1;
3202 
3203  end:
3204  SigGroupCleanup(de_ctx);
3205  SigCleanSignatures(de_ctx);
3206  DetectEngineCtxFree(de_ctx);
3207 
3208  return result;
3209 }
3210 
3211 static int DetectByteExtractTest51(void)
3212 {
3213  DetectEngineCtx *de_ctx = NULL;
3214  int result = 0;
3215  Signature *s = NULL;
3216  SigMatch *sm = NULL;
3217  DetectContentData *cd = NULL;
3218  DetectByteExtractData *bed = NULL;
3219  DetectBytetestData *btd = NULL;
3220 
3221  de_ctx = DetectEngineCtxInit();
3222  if (de_ctx == NULL)
3223  goto end;
3224 
3225  de_ctx->flags |= DE_QUIET;
3226  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3227  "(msg:\"Testing bytejump_body\"; "
3228  "content:\"one\"; "
3229  "byte_extract:4,0,two,string,hex; "
3230  "byte_test: 2,=,10, two; "
3231  "sid:1;)");
3232  if (de_ctx->sig_list == NULL) {
3233  result = 0;
3234  goto end;
3235  }
3236 
3237  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3238  result = 0;
3239  goto end;
3240  }
3241 
3242  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3243  if (sm->type != DETECT_CONTENT) {
3244  result = 0;
3245  goto end;
3246  }
3247  cd = (DetectContentData *)sm->ctx;
3248  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3249  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3250  cd->flags & DETECT_CONTENT_NOCASE ||
3251  cd->flags & DETECT_CONTENT_WITHIN ||
3252  cd->flags & DETECT_CONTENT_DISTANCE ||
3253  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3254  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3255  cd->flags & DETECT_CONTENT_NEGATED ) {
3256  printf("one failed\n");
3257  result = 0;
3258  goto end;
3259  }
3260 
3261  sm = sm->next;
3262  if (sm->type != DETECT_BYTE_EXTRACT) {
3263  result = 0;
3264  goto end;
3265  }
3266  bed = (DetectByteExtractData *)sm->ctx;
3267  if (bed->nbytes != 4 ||
3268  bed->offset != 0 ||
3269  strcmp(bed->name, "two") != 0 ||
3270  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3271  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3272  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3273  bed->align_value != 0 ||
3274  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3275  goto end;
3276  }
3277  if (bed->local_id != 0) {
3278  result = 0;
3279  goto end;
3280  }
3281 
3282  sm = sm->next;
3283  if (sm->type != DETECT_BYTETEST) {
3284  result = 0;
3285  goto end;
3286  }
3287  btd = (DetectBytetestData *)sm->ctx;
3288  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3289  btd->value != 10 ||
3290  btd->offset != 0) {
3291  printf("three failed\n");
3292  result = 0;
3293  goto end;
3294  }
3295 
3296  if (sm->next != NULL)
3297  goto end;
3298 
3299  result = 1;
3300 
3301  end:
3302  SigGroupCleanup(de_ctx);
3303  SigCleanSignatures(de_ctx);
3304  DetectEngineCtxFree(de_ctx);
3305 
3306  return result;
3307 }
3308 
3309 static int DetectByteExtractTest52(void)
3310 {
3311  DetectEngineCtx *de_ctx = NULL;
3312  int result = 0;
3313  Signature *s = NULL;
3314  SigMatch *sm = NULL;
3315  DetectContentData *cd = NULL;
3316  DetectByteExtractData *bed1 = NULL;
3317  DetectBytetestData *btd = NULL;
3318 
3319  de_ctx = DetectEngineCtxInit();
3320  if (de_ctx == NULL)
3321  goto end;
3322 
3323  de_ctx->flags |= DE_QUIET;
3324  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3325  "(msg:\"Testing bytejump_body\"; "
3326  "content:\"one\"; "
3327  "byte_extract:4,0,two,string,hex; "
3328  "byte_extract:4,0,three,string,hex; "
3329  "byte_test: 2,=,two,three; "
3330  "byte_test: 3,=,10,three; "
3331  "sid:1;)");
3332  if (de_ctx->sig_list == NULL) {
3333  result = 0;
3334  goto end;
3335  }
3336 
3337  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3338  result = 0;
3339  goto end;
3340  }
3341 
3342  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3343  if (sm->type != DETECT_CONTENT) {
3344  result = 0;
3345  goto end;
3346  }
3347  cd = (DetectContentData *)sm->ctx;
3348  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3349  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3350  cd->flags & DETECT_CONTENT_NOCASE ||
3351  cd->flags & DETECT_CONTENT_WITHIN ||
3352  cd->flags & DETECT_CONTENT_DISTANCE ||
3353  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3354  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3355  cd->flags & DETECT_CONTENT_NEGATED ) {
3356  printf("one failed\n");
3357  result = 0;
3358  goto end;
3359  }
3360 
3361  sm = sm->next;
3362  if (sm->type != DETECT_BYTE_EXTRACT) {
3363  result = 0;
3364  goto end;
3365  }
3366  bed1 = (DetectByteExtractData *)sm->ctx;
3367  if (bed1->nbytes != 4 ||
3368  bed1->offset != 0 ||
3369  strcmp(bed1->name, "two") != 0 ||
3370  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3371  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3372  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3373  bed1->align_value != 0 ||
3374  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3375  goto end;
3376  }
3377  if (bed1->local_id != 0) {
3378  result = 0;
3379  goto end;
3380  }
3381 
3382  sm = sm->next;
3383  if (sm->type != DETECT_BYTE_EXTRACT) {
3384  result = 0;
3385  goto end;
3386  }
3387 
3388  sm = sm->next;
3389  if (sm->type != DETECT_BYTETEST) {
3390  result = 0;
3391  goto end;
3392  }
3393  btd = (DetectBytetestData *)sm->ctx;
3394  if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
3395  DETECT_BYTETEST_VALUE_VAR) ||
3396  btd->value != 0 ||
3397  btd->offset != 1) {
3398  printf("three failed\n");
3399  result = 0;
3400  goto end;
3401  }
3402 
3403  sm = sm->next;
3404  if (sm->type != DETECT_BYTETEST) {
3405  result = 0;
3406  goto end;
3407  }
3408  btd = (DetectBytetestData *)sm->ctx;
3409  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3410  btd->value != 10 ||
3411  btd->offset != 1) {
3412  printf("four failed\n");
3413  result = 0;
3414  goto end;
3415  }
3416 
3417  if (sm->next != NULL)
3418  goto end;
3419 
3420  result = 1;
3421 
3422  end:
3423  SigGroupCleanup(de_ctx);
3424  SigCleanSignatures(de_ctx);
3425  DetectEngineCtxFree(de_ctx);
3426 
3427  return result;
3428 }
3429 
3430 static int DetectByteExtractTest53(void)
3431 {
3432  DetectEngineCtx *de_ctx = NULL;
3433  int result = 0;
3434  Signature *s = NULL;
3435  SigMatch *sm = NULL;
3436  DetectContentData *cd = NULL;
3437  DetectByteExtractData *bed = NULL;
3438  DetectBytejumpData *bjd = NULL;
3439 
3440  de_ctx = DetectEngineCtxInit();
3441  if (de_ctx == NULL)
3442  goto end;
3443 
3444  de_ctx->flags |= DE_QUIET;
3445  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3446  "(msg:\"Testing bytejump_body\"; "
3447  "content:\"one\"; "
3448  "byte_extract:4,0,two,string,hex; "
3449  "byte_jump: 2,two; "
3450  "sid:1;)");
3451  if (de_ctx->sig_list == NULL) {
3452  result = 0;
3453  goto end;
3454  }
3455 
3456  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3457  result = 0;
3458  goto end;
3459  }
3460 
3461  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3462  if (sm->type != DETECT_CONTENT) {
3463  result = 0;
3464  goto end;
3465  }
3466  cd = (DetectContentData *)sm->ctx;
3467  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3468  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3469  cd->flags & DETECT_CONTENT_NOCASE ||
3470  cd->flags & DETECT_CONTENT_WITHIN ||
3471  cd->flags & DETECT_CONTENT_DISTANCE ||
3472  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3473  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3474  cd->flags & DETECT_CONTENT_NEGATED ) {
3475  printf("one failed\n");
3476  result = 0;
3477  goto end;
3478  }
3479 
3480  sm = sm->next;
3481  if (sm->type != DETECT_BYTE_EXTRACT) {
3482  result = 0;
3483  goto end;
3484  }
3485  bed = (DetectByteExtractData *)sm->ctx;
3486  if (bed->nbytes != 4 ||
3487  bed->offset != 0 ||
3488  strcmp(bed->name, "two") != 0 ||
3489  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3490  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3491  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3492  bed->align_value != 0 ||
3493  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3494  goto end;
3495  }
3496  if (bed->local_id != 0) {
3497  result = 0;
3498  goto end;
3499  }
3500 
3501  sm = sm->next;
3502  if (sm->type != DETECT_BYTEJUMP) {
3503  result = 0;
3504  goto end;
3505  }
3506  bjd = (DetectBytejumpData *)sm->ctx;
3507  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3508  bjd->offset != 0) {
3509  printf("three failed\n");
3510  result = 0;
3511  goto end;
3512  }
3513 
3514  if (sm->next != NULL)
3515  goto end;
3516 
3517  result = 1;
3518 
3519  end:
3520  SigGroupCleanup(de_ctx);
3521  SigCleanSignatures(de_ctx);
3522  DetectEngineCtxFree(de_ctx);
3523 
3524  return result;
3525 }
3526 
3527 static int DetectByteExtractTest54(void)
3528 {
3529  DetectEngineCtx *de_ctx = NULL;
3530  int result = 0;
3531  Signature *s = NULL;
3532  SigMatch *sm = NULL;
3533  DetectContentData *cd = NULL;
3534  DetectByteExtractData *bed1 = NULL;
3535  DetectBytejumpData *bjd = NULL;
3536 
3537  de_ctx = DetectEngineCtxInit();
3538  if (de_ctx == NULL)
3539  goto end;
3540 
3541  de_ctx->flags |= DE_QUIET;
3542  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3543  "(msg:\"Testing bytejump_body\"; "
3544  "content:\"one\"; "
3545  "byte_extract:4,0,two,string,hex; "
3546  "byte_extract:4,0,three,string,hex; "
3547  "byte_jump: 2,two; "
3548  "byte_jump: 3,three; "
3549  "sid:1;)");
3550  if (de_ctx->sig_list == NULL) {
3551  result = 0;
3552  goto end;
3553  }
3554 
3555  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3556  result = 0;
3557  goto end;
3558  }
3559 
3560  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3561  if (sm->type != DETECT_CONTENT) {
3562  result = 0;
3563  goto end;
3564  }
3565  cd = (DetectContentData *)sm->ctx;
3566  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3567  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3568  cd->flags & DETECT_CONTENT_NOCASE ||
3569  cd->flags & DETECT_CONTENT_WITHIN ||
3570  cd->flags & DETECT_CONTENT_DISTANCE ||
3571  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3572  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3573  cd->flags & DETECT_CONTENT_NEGATED ) {
3574  printf("one failed\n");
3575  result = 0;
3576  goto end;
3577  }
3578 
3579  sm = sm->next;
3580  if (sm->type != DETECT_BYTE_EXTRACT) {
3581  result = 0;
3582  goto end;
3583  }
3584  bed1 = (DetectByteExtractData *)sm->ctx;
3585  if (bed1->nbytes != 4 ||
3586  bed1->offset != 0 ||
3587  strcmp(bed1->name, "two") != 0 ||
3588  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3589  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3590  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3591  bed1->align_value != 0 ||
3592  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3593  goto end;
3594  }
3595  if (bed1->local_id != 0) {
3596  result = 0;
3597  goto end;
3598  }
3599 
3600  sm = sm->next;
3601  if (sm->type != DETECT_BYTE_EXTRACT) {
3602  result = 0;
3603  goto end;
3604  }
3605 
3606  sm = sm->next;
3607  if (sm->type != DETECT_BYTEJUMP) {
3608  result = 0;
3609  goto end;
3610  }
3611  bjd = (DetectBytejumpData *)sm->ctx;
3612  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3613  bjd->offset != 0) {
3614  printf("three failed\n");
3615  result = 0;
3616  goto end;
3617  }
3618 
3619  sm = sm->next;
3620  if (sm->type != DETECT_BYTEJUMP) {
3621  result = 0;
3622  goto end;
3623  }
3624  bjd = (DetectBytejumpData *)sm->ctx;
3625  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3626  bjd->offset != 1) {
3627  printf("four failed\n");
3628  result = 0;
3629  goto end;
3630  }
3631 
3632  if (sm->next != NULL)
3633  goto end;
3634 
3635  result = 1;
3636 
3637  end:
3638  SigGroupCleanup(de_ctx);
3639  SigCleanSignatures(de_ctx);
3640  DetectEngineCtxFree(de_ctx);
3641 
3642  return result;
3643 }
3644 
3645 static int DetectByteExtractTest55(void)
3646 {
3647  DetectEngineCtx *de_ctx = NULL;
3648  int result = 0;
3649  Signature *s = NULL;
3650  SigMatch *sm = NULL;
3651  DetectContentData *cd = NULL;
3652  DetectByteExtractData *bed1 = NULL;
3653  DetectByteExtractData *bed2 = NULL;
3654 
3655  de_ctx = DetectEngineCtxInit();
3656  if (de_ctx == NULL)
3657  goto end;
3658 
3659  de_ctx->flags |= DE_QUIET;
3660  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3661  "(msg:\"Testing byte_extract\"; "
3662  "content:\"one\"; "
3663  "byte_extract:4,0,two,string,hex; "
3664  "byte_extract:4,0,three,string,hex; "
3665  "byte_extract:4,0,four,string,hex; "
3666  "byte_extract:4,0,five,string,hex; "
3667  "content: \"four\"; within:two; distance:three; "
3668  "sid:1;)");
3669  if (de_ctx->sig_list == NULL) {
3670  goto end;
3671  }
3672 
3673  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3674  goto end;
3675  }
3676 
3677  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3678  if (sm->type != DETECT_CONTENT) {
3679  goto end;
3680  }
3681  cd = (DetectContentData *)sm->ctx;
3682  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3683  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3684  cd->flags & DETECT_CONTENT_NOCASE ||
3685  cd->flags & DETECT_CONTENT_WITHIN ||
3686  cd->flags & DETECT_CONTENT_DISTANCE ||
3687  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3688  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3689  cd->flags & DETECT_CONTENT_NEGATED ) {
3690  printf("one failed: ");
3691  goto end;
3692  }
3693 
3694  sm = sm->next;
3695  if (sm->type != DETECT_BYTE_EXTRACT) {
3696  goto end;
3697  }
3698  bed1 = (DetectByteExtractData *)sm->ctx;
3699  if (bed1->nbytes != 4 ||
3700  bed1->offset != 0 ||
3701  strcmp(bed1->name, "two") != 0 ||
3702  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3703  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3704  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3705  bed1->align_value != 0 ||
3706  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3707  goto end;
3708  }
3709  if (bed1->local_id != 0) {
3710  goto end;
3711  }
3712 
3713  sm = sm->next;
3714  if (sm->type != DETECT_BYTE_EXTRACT) {
3715  goto end;
3716  }
3717  bed2 = (DetectByteExtractData *)sm->ctx;
3718 
3719  sm = sm->next;
3720  if (sm->type != DETECT_BYTE_EXTRACT) {
3721  goto end;
3722  }
3723 
3724  sm = sm->next;
3725  if (sm->type != DETECT_BYTE_EXTRACT) {
3726  goto end;
3727  }
3728 
3729  sm = sm->next;
3730  if (sm->type != DETECT_CONTENT) {
3731  goto end;
3732  }
3733  cd = (DetectContentData *)sm->ctx;
3734  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3735  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3736  DETECT_CONTENT_WITHIN_VAR |
3737  DETECT_CONTENT_DISTANCE |
3738  DETECT_CONTENT_WITHIN) ||
3739  cd->within != bed1->local_id ||
3740  cd->distance != bed2->local_id) {
3741  printf("four failed: ");
3742  goto end;
3743  }
3744 
3745  if (sm->next != NULL) {
3746  goto end;
3747  }
3748 
3749  result = 1;
3750 
3751  end:
3752  SigGroupCleanup(de_ctx);
3753  SigCleanSignatures(de_ctx);
3754  DetectEngineCtxFree(de_ctx);
3755 
3756  return result;
3757 }
3758 
3759 static int DetectByteExtractTest56(void)
3760 {
3761  DetectEngineCtx *de_ctx = NULL;
3762  int result = 0;
3763  Signature *s = NULL;
3764  SigMatch *sm = NULL;
3765  DetectContentData *cd = NULL;
3766  DetectByteExtractData *bed1 = NULL;
3767  DetectByteExtractData *bed2 = NULL;
3768 
3769  de_ctx = DetectEngineCtxInit();
3770  if (de_ctx == NULL)
3771  goto end;
3772 
3773  de_ctx->flags |= DE_QUIET;
3774  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3775  "(msg:\"Testing bytejump_body\"; "
3776  "uricontent:\"urione\"; "
3777  "content:\"one\"; "
3778  "byte_extract:4,0,two,string,hex; "
3779  "byte_extract:4,0,three,string,hex; "
3780  "byte_extract:4,0,four,string,hex; "
3781  "byte_extract:4,0,five,string,hex; "
3782  "content: \"four\"; within:two; distance:three; "
3783  "sid:1;)");
3784  if (de_ctx->sig_list == NULL) {
3785  result = 0;
3786  goto end;
3787  }
3788 
3789  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3790  result = 0;
3791  goto end;
3792  }
3793 
3794  sm = s->sm_lists[g_http_uri_buffer_id];
3795  if (sm->type != DETECT_CONTENT) {
3796  result = 0;
3797  goto end;
3798  }
3799  cd = (DetectContentData *)sm->ctx;
3800  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3801  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3802  cd->flags & DETECT_CONTENT_NOCASE ||
3803  cd->flags & DETECT_CONTENT_WITHIN ||
3804  cd->flags & DETECT_CONTENT_DISTANCE ||
3805  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3806  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3807  cd->flags & DETECT_CONTENT_NEGATED ) {
3808  printf("one failed\n");
3809  result = 0;
3810  goto end;
3811  }
3812 
3813  if (sm->next != NULL)
3814  goto end;
3815 
3816  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3817  if (sm->type != DETECT_CONTENT) {
3818  result = 0;
3819  goto end;
3820  }
3821  cd = (DetectContentData *)sm->ctx;
3822  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3823  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3824  cd->flags & DETECT_CONTENT_NOCASE ||
3825  cd->flags & DETECT_CONTENT_WITHIN ||
3826  cd->flags & DETECT_CONTENT_DISTANCE ||
3827  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3828  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3829  cd->flags & DETECT_CONTENT_NEGATED ) {
3830  printf("one failed\n");
3831  result = 0;
3832  goto end;
3833  }
3834 
3835  sm = sm->next;
3836  if (sm->type != DETECT_BYTE_EXTRACT) {
3837  result = 0;
3838  goto end;
3839  }
3840  bed1 = (DetectByteExtractData *)sm->ctx;
3841  if (bed1->nbytes != 4 ||
3842  bed1->offset != 0 ||
3843  strcmp(bed1->name, "two") != 0 ||
3844  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3845  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3846  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3847  bed1->align_value != 0 ||
3848  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3849  goto end;
3850  }
3851  if (bed1->local_id != 0) {
3852  result = 0;
3853  goto end;
3854  }
3855 
3856  sm = sm->next;
3857  if (sm->type != DETECT_BYTE_EXTRACT) {
3858  result = 0;
3859  goto end;
3860  }
3861  bed2 = (DetectByteExtractData *)sm->ctx;
3862 
3863  sm = sm->next;
3864  if (sm->type != DETECT_BYTE_EXTRACT) {
3865  result = 0;
3866  goto end;
3867  }
3868 
3869  sm = sm->next;
3870  if (sm->type != DETECT_BYTE_EXTRACT) {
3871  result = 0;
3872  goto end;
3873  }
3874 
3875  sm = sm->next;
3876  if (sm->type != DETECT_CONTENT) {
3877  result = 0;
3878  goto end;
3879  }
3880  cd = (DetectContentData *)sm->ctx;
3881  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3882  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3883  DETECT_CONTENT_WITHIN_VAR |
3884  DETECT_CONTENT_DISTANCE |
3885  DETECT_CONTENT_WITHIN) ||
3886  cd->within != bed1->local_id ||
3887  cd->distance != bed2->local_id ) {
3888  printf("four failed\n");
3889  result = 0;
3890  goto end;
3891  }
3892 
3893  if (sm->next != NULL) {
3894  goto end;
3895  }
3896 
3897  result = 1;
3898 
3899  end:
3900  SigGroupCleanup(de_ctx);
3901  SigCleanSignatures(de_ctx);
3902  DetectEngineCtxFree(de_ctx);
3903 
3904  return result;
3905 }
3906 
3907 static int DetectByteExtractTest57(void)
3908 {
3909  DetectEngineCtx *de_ctx = NULL;
3910  int result = 0;
3911  Signature *s = NULL;
3912  SigMatch *sm = NULL;
3913  DetectContentData *cd = NULL;
3914  DetectByteExtractData *bed1 = NULL;
3915  DetectByteExtractData *bed2 = NULL;
3916  DetectByteExtractData *bed3 = NULL;
3917  DetectByteExtractData *bed4 = NULL;
3918 
3919  de_ctx = DetectEngineCtxInit();
3920  if (de_ctx == NULL)
3921  goto end;
3922 
3923  de_ctx->flags |= DE_QUIET;
3924  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3925  "(msg:\"Testing bytejump_body\"; "
3926  "content:\"one\"; "
3927  "uricontent: \"urione\"; "
3928  "byte_extract:4,0,two,string,hex,relative; "
3929  "byte_extract:4,0,three,string,hex,relative; "
3930  "byte_extract:4,0,four,string,hex,relative; "
3931  "byte_extract:4,0,five,string,hex,relative; "
3932  "uricontent: \"four\"; within:two; distance:three; "
3933  "sid:1;)");
3934  if (de_ctx->sig_list == NULL) {
3935  result = 0;
3936  goto end;
3937  }
3938 
3939  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3940  result = 0;
3941  goto end;
3942  }
3943 
3944  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
3945  if (sm->type != DETECT_CONTENT) {
3946  result = 0;
3947  goto end;
3948  }
3949  cd = (DetectContentData *)sm->ctx;
3950  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3951  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3952  cd->flags & DETECT_CONTENT_NOCASE ||
3953  cd->flags & DETECT_CONTENT_WITHIN ||
3954  cd->flags & DETECT_CONTENT_DISTANCE ||
3955  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3956  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3957  cd->flags & DETECT_CONTENT_NEGATED ) {
3958  printf("one failed\n");
3959  result = 0;
3960  goto end;
3961  }
3962 
3963  if (sm->next != NULL)
3964  goto end;
3965 
3966  sm = s->sm_lists[g_http_uri_buffer_id];
3967  if (sm->type != DETECT_CONTENT) {
3968  result = 0;
3969  goto end;
3970  }
3971  cd = (DetectContentData *)sm->ctx;
3972  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3973  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3974  cd->flags & DETECT_CONTENT_NOCASE ||
3975  cd->flags & DETECT_CONTENT_WITHIN ||
3976  cd->flags & DETECT_CONTENT_DISTANCE ||
3977  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3978  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3979  cd->flags & DETECT_CONTENT_NEGATED ) {
3980  printf("one failed\n");
3981  result = 0;
3982  goto end;
3983  }
3984 
3985  sm = sm->next;
3986  if (sm->type != DETECT_BYTE_EXTRACT) {
3987  result = 0;
3988  goto end;
3989  }
3990  bed1 = (DetectByteExtractData *)sm->ctx;
3991  if (bed1->nbytes != 4 ||
3992  bed1->offset != 0 ||
3993  strcmp(bed1->name, "two") != 0 ||
3994  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
3995  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3996  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3997  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3998  bed1->align_value != 0 ||
3999  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4000  goto end;
4001  }
4002  if (bed1->local_id != 0) {
4003  result = 0;
4004  goto end;
4005  }
4006 
4007  sm = sm->next;
4008  if (sm->type != DETECT_BYTE_EXTRACT) {
4009  result = 0;
4010  goto end;
4011  }
4012  bed2 = (DetectByteExtractData *)sm->ctx;
4013  if (bed2->local_id != 1) {
4014  result = 0;
4015  goto end;
4016  }
4017 
4018  sm = sm->next;
4019  if (sm->type != DETECT_BYTE_EXTRACT) {
4020  result = 0;
4021  goto end;
4022  }
4023  bed3 = (DetectByteExtractData *)sm->ctx;
4024  if (bed3->local_id != 2) {
4025  result = 0;
4026  goto end;
4027  }
4028 
4029  sm = sm->next;
4030  if (sm->type != DETECT_BYTE_EXTRACT) {
4031  result = 0;
4032  goto end;
4033  }
4034  bed4 = (DetectByteExtractData *)sm->ctx;
4035  if (bed4->local_id != 3) {
4036  result = 0;
4037  goto end;
4038  }
4039 
4040  sm = sm->next;
4041  if (sm->type != DETECT_CONTENT) {
4042  result = 0;
4043  goto end;
4044  }
4045  cd = (DetectContentData *)sm->ctx;
4046  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
4047  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
4048  DETECT_CONTENT_WITHIN_VAR |
4049  DETECT_CONTENT_DISTANCE |
4050  DETECT_CONTENT_WITHIN) ||
4051  cd->within != bed1->local_id ||
4052  cd->distance != bed2->local_id) {
4053  printf("four failed\n");
4054  result = 0;
4055  goto end;
4056  }
4057 
4058  if (sm->next != NULL) {
4059  goto end;
4060  }
4061 
4062  result = 1;
4063 
4064  end:
4065  SigGroupCleanup(de_ctx);
4066  SigCleanSignatures(de_ctx);
4067  DetectEngineCtxFree(de_ctx);
4068 
4069  return result;
4070 }
4071 
4072 static int DetectByteExtractTest58(void)
4073 {
4074  DetectEngineCtx *de_ctx = NULL;
4075  int result = 0;
4076  Signature *s = NULL;
4077  SigMatch *sm = NULL;
4078  DetectContentData *cd = NULL;
4079  DetectByteExtractData *bed1 = NULL;
4080  DetectBytejumpData *bjd = NULL;
4081  DetectIsdataatData *isdd = NULL;
4082 
4083  de_ctx = DetectEngineCtxInit();
4084  if (de_ctx == NULL)
4085  goto end;
4086 
4087  de_ctx->flags |= DE_QUIET;
4088  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4089  "(msg:\"Testing bytejump_body\"; "
4090  "content:\"one\"; "
4091  "byte_extract:4,0,two,string,hex; "
4092  "byte_extract:4,0,three,string,hex; "
4093  "byte_jump: 2,two; "
4094  "byte_jump: 3,three; "
4095  "isdataat: three; "
4096  "sid:1;)");
4097  if (de_ctx->sig_list == NULL) {
4098  result = 0;
4099  goto end;
4100  }
4101 
4102  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4103  result = 0;
4104  goto end;
4105  }
4106 
4107  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4108  if (sm->type != DETECT_CONTENT) {
4109  result = 0;
4110  goto end;
4111  }
4112  cd = (DetectContentData *)sm->ctx;
4113  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4114  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4115  cd->flags & DETECT_CONTENT_NOCASE ||
4116  cd->flags & DETECT_CONTENT_WITHIN ||
4117  cd->flags & DETECT_CONTENT_DISTANCE ||
4118  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4119  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4120  cd->flags & DETECT_CONTENT_NEGATED ) {
4121  printf("one failed\n");
4122  result = 0;
4123  goto end;
4124  }
4125 
4126  sm = sm->next;
4127  if (sm->type != DETECT_BYTE_EXTRACT) {
4128  result = 0;
4129  goto end;
4130  }
4131  bed1 = (DetectByteExtractData *)sm->ctx;
4132  if (bed1->nbytes != 4 ||
4133  bed1->offset != 0 ||
4134  strcmp(bed1->name, "two") != 0 ||
4135  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4136  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4137  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4138  bed1->align_value != 0 ||
4139  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4140  goto end;
4141  }
4142  if (bed1->local_id != 0) {
4143  result = 0;
4144  goto end;
4145  }
4146 
4147  sm = sm->next;
4148  if (sm->type != DETECT_BYTE_EXTRACT) {
4149  result = 0;
4150  goto end;
4151  }
4152 
4153  sm = sm->next;
4154  if (sm->type != DETECT_BYTEJUMP) {
4155  result = 0;
4156  goto end;
4157  }
4158  bjd = (DetectBytejumpData *)sm->ctx;
4159  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4160  bjd->offset != 0) {
4161  printf("three failed\n");
4162  result = 0;
4163  goto end;
4164  }
4165 
4166  sm = sm->next;
4167  if (sm->type != DETECT_BYTEJUMP) {
4168  result = 0;
4169  goto end;
4170  }
4171  bjd = (DetectBytejumpData *)sm->ctx;
4172  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4173  bjd->offset != 1) {
4174  printf("four failed\n");
4175  result = 0;
4176  goto end;
4177  }
4178 
4179  sm = sm->next;
4180  if (sm->type != DETECT_ISDATAAT) {
4181  result = 0;
4182  goto end;
4183  }
4184  isdd = (DetectIsdataatData *)sm->ctx;
4185  if (isdd->flags != ISDATAAT_OFFSET_VAR ||
4186  isdd->dataat != 1) {
4187  printf("isdataat failed\n");
4188  result = 0;
4189  goto end;
4190  }
4191 
4192  if (sm->next != NULL)
4193  goto end;
4194 
4195  result = 1;
4196 
4197  end:
4198  SigGroupCleanup(de_ctx);
4199  SigCleanSignatures(de_ctx);
4200  DetectEngineCtxFree(de_ctx);
4201 
4202  return result;
4203 }
4204 
4205 static int DetectByteExtractTest59(void)
4206 {
4207  DetectEngineCtx *de_ctx = NULL;
4208  int result = 0;
4209  Signature *s = NULL;
4210  SigMatch *sm = NULL;
4211  DetectContentData *cd = NULL;
4212  DetectByteExtractData *bed1 = NULL;
4213  DetectBytejumpData *bjd = NULL;
4214  DetectIsdataatData *isdd = NULL;
4215 
4216  de_ctx = DetectEngineCtxInit();
4217  if (de_ctx == NULL)
4218  goto end;
4219 
4220  de_ctx->flags |= DE_QUIET;
4221  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4222  "(msg:\"Testing bytejump_body\"; "
4223  "content:\"one\"; "
4224  "byte_extract:4,0,two,string,hex; "
4225  "byte_extract:4,0,three,string,hex; "
4226  "byte_jump: 2,two; "
4227  "byte_jump: 3,three; "
4228  "isdataat: three,relative; "
4229  "sid:1;)");
4230  if (de_ctx->sig_list == NULL) {
4231  result = 0;
4232  goto end;
4233  }
4234 
4235  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4236  result = 0;
4237  goto end;
4238  }
4239 
4240  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4241  if (sm->type != DETECT_CONTENT) {
4242  result = 0;
4243  goto end;
4244  }
4245  cd = (DetectContentData *)sm->ctx;
4246  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4247  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4248  cd->flags & DETECT_CONTENT_NOCASE ||
4249  cd->flags & DETECT_CONTENT_WITHIN ||
4250  cd->flags & DETECT_CONTENT_DISTANCE ||
4251  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4252  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4253  cd->flags & DETECT_CONTENT_NEGATED ) {
4254  printf("one failed\n");
4255  result = 0;
4256  goto end;
4257  }
4258 
4259  sm = sm->next;
4260  if (sm->type != DETECT_BYTE_EXTRACT) {
4261  result = 0;
4262  goto end;
4263  }
4264  bed1 = (DetectByteExtractData *)sm->ctx;
4265  if (bed1->nbytes != 4 ||
4266  bed1->offset != 0 ||
4267  strcmp(bed1->name, "two") != 0 ||
4268  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4269  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4270  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4271  bed1->align_value != 0 ||
4272  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4273  goto end;
4274  }
4275  if (bed1->local_id != 0) {
4276  result = 0;
4277  goto end;
4278  }
4279 
4280  sm = sm->next;
4281  if (sm->type != DETECT_BYTE_EXTRACT) {
4282  result = 0;
4283  goto end;
4284  }
4285 
4286  sm = sm->next;
4287  if (sm->type != DETECT_BYTEJUMP) {
4288  result = 0;
4289  goto end;
4290  }
4291  bjd = (DetectBytejumpData *)sm->ctx;
4292  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4293  bjd->offset != 0) {
4294  printf("three failed\n");
4295  result = 0;
4296  goto end;
4297  }
4298 
4299  sm = sm->next;
4300  if (sm->type != DETECT_BYTEJUMP) {
4301  result = 0;
4302  goto end;
4303  }
4304  bjd = (DetectBytejumpData *)sm->ctx;
4305  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4306  bjd->offset != 1) {
4307  printf("four failed\n");
4308  result = 0;
4309  goto end;
4310  }
4311 
4312  sm = sm->next;
4313  if (sm->type != DETECT_ISDATAAT) {
4314  result = 0;
4315  goto end;
4316  }
4317  isdd = (DetectIsdataatData *)sm->ctx;
4318  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4319  ISDATAAT_RELATIVE) ||
4320  isdd->dataat != 1) {
4321  printf("isdataat failed\n");
4322  result = 0;
4323  goto end;
4324  }
4325 
4326  if (sm->next != NULL)
4327  goto end;
4328 
4329  result = 1;
4330 
4331  end:
4332  SigGroupCleanup(de_ctx);
4333  SigCleanSignatures(de_ctx);
4334  DetectEngineCtxFree(de_ctx);
4335 
4336  return result;
4337 }
4338 
4339 static int DetectByteExtractTest60(void)
4340 {
4341  DetectEngineCtx *de_ctx = NULL;
4342  int result = 0;
4343  Signature *s = NULL;
4344  SigMatch *sm = NULL;
4345  DetectContentData *cd = NULL;
4346  DetectByteExtractData *bed1 = NULL;
4347  DetectIsdataatData *isdd = NULL;
4348 
4349  de_ctx = DetectEngineCtxInit();
4350  if (de_ctx == NULL)
4351  goto end;
4352 
4353  de_ctx->flags |= DE_QUIET;
4354  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4355  "(msg:\"Testing bytejump_body\"; "
4356  "content:\"one\"; "
4357  "byte_extract:4,0,two,string,hex,relative; "
4358  "uricontent: \"three\"; "
4359  "byte_extract:4,0,four,string,hex,relative; "
4360  "isdataat: two; "
4361  "sid:1;)");
4362  if (de_ctx->sig_list == NULL) {
4363  result = 0;
4364  goto end;
4365  }
4366 
4367  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4368  result = 0;
4369  goto end;
4370  }
4371 
4372  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4373  if (sm->type != DETECT_CONTENT) {
4374  result = 0;
4375  goto end;
4376  }
4377  cd = (DetectContentData *)sm->ctx;
4378  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4379  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4380  cd->flags & DETECT_CONTENT_NOCASE ||
4381  cd->flags & DETECT_CONTENT_WITHIN ||
4382  cd->flags & DETECT_CONTENT_DISTANCE ||
4383  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4384  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4385  cd->flags & DETECT_CONTENT_NEGATED ) {
4386  printf("one failed\n");
4387  result = 0;
4388  goto end;
4389  }
4390 
4391  sm = sm->next;
4392  if (sm->type != DETECT_BYTE_EXTRACT) {
4393  result = 0;
4394  goto end;
4395  }
4396  bed1 = (DetectByteExtractData *)sm->ctx;
4397  if (bed1->nbytes != 4 ||
4398  bed1->offset != 0 ||
4399  strcmp(bed1->name, "two") != 0 ||
4400  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4401  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4402  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4403  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4404  bed1->align_value != 0 ||
4405  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4406  goto end;
4407  }
4408  if (bed1->local_id != 0) {
4409  result = 0;
4410  goto end;
4411  }
4412 
4413  sm = sm->next;
4414  if (sm->type != DETECT_ISDATAAT) {
4415  result = 0;
4416  goto end;
4417  }
4418  isdd = (DetectIsdataatData *)sm->ctx;
4419  if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
4420  isdd->dataat != bed1->local_id) {
4421  printf("isdataat failed\n");
4422  result = 0;
4423  goto end;
4424  }
4425 
4426  if (sm->next != NULL)
4427  goto end;
4428 
4429  if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
4430  result = 0;
4431  goto end;
4432  }
4433 
4434  sm = s->sm_lists[g_http_uri_buffer_id];
4435  if (sm->type != DETECT_CONTENT) {
4436  result = 0;
4437  goto end;
4438  }
4439  cd = (DetectContentData *)sm->ctx;
4440  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4441  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4442  printf("one failed\n");
4443  result = 0;
4444  goto end;
4445  }
4446 
4447  sm = sm->next;
4448  if (sm->type != DETECT_BYTE_EXTRACT) {
4449  result = 0;
4450  goto end;
4451  }
4452  bed1 = (DetectByteExtractData *)sm->ctx;
4453  if (bed1->nbytes != 4 ||
4454  bed1->offset != 0 ||
4455  strcmp(bed1->name, "four") != 0 ||
4456  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4457  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4458  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4459  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4460  bed1->align_value != 0 ||
4461  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4462  goto end;
4463  }
4464  if (bed1->local_id != 0) {
4465  result = 0;
4466  goto end;
4467  }
4468 
4469  if (sm->next != NULL)
4470  goto end;
4471 
4472  result = 1;
4473 
4474  end:
4475  SigGroupCleanup(de_ctx);
4476  SigCleanSignatures(de_ctx);
4477  DetectEngineCtxFree(de_ctx);
4478 
4479  return result;
4480 }
4481 
4482 static int DetectByteExtractTest61(void)
4483 {
4484  DetectEngineCtx *de_ctx = NULL;
4485  int result = 0;
4486  Signature *s = NULL;
4487  SigMatch *sm = NULL;
4488  DetectContentData *cd = NULL;
4489  DetectByteExtractData *bed1 = NULL;
4490  DetectIsdataatData *isdd = NULL;
4491 
4492  de_ctx = DetectEngineCtxInit();
4493  if (de_ctx == NULL)
4494  goto end;
4495 
4496  de_ctx->flags |= DE_QUIET;
4497  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4498  "(msg:\"Testing bytejump_body\"; "
4499  "content:\"one\"; "
4500  "byte_extract:4,0,two,string,hex,relative; "
4501  "uricontent: \"three\"; "
4502  "byte_extract:4,0,four,string,hex,relative; "
4503  "isdataat: four, relative; "
4504  "sid:1;)");
4505  if (de_ctx->sig_list == NULL) {
4506  result = 0;
4507  goto end;
4508  }
4509 
4510  if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4511  result = 0;
4512  goto end;
4513  }
4514 
4515  sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
4516  if (sm->type != DETECT_CONTENT) {
4517  result = 0;
4518  goto end;
4519  }
4520  cd = (DetectContentData *)sm->ctx;
4521  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4522  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4523  cd->flags & DETECT_CONTENT_NOCASE ||
4524  cd->flags & DETECT_CONTENT_WITHIN ||
4525  cd->flags & DETECT_CONTENT_DISTANCE ||
4526  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4527  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4528  cd->flags & DETECT_CONTENT_NEGATED ) {
4529  printf("one failed\n");
4530  result = 0;
4531  goto end;
4532  }
4533 
4534  sm = sm->next;
4535  if (sm->type != DETECT_BYTE_EXTRACT) {
4536  result = 0;
4537  goto end;
4538  }
4539  bed1 = (DetectByteExtractData *)sm->ctx;
4540  if (bed1->nbytes != 4 ||
4541  bed1->offset != 0 ||
4542  strcmp(bed1->name, "two") != 0 ||
4543  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4544  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4545  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4546  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4547  bed1->align_value != 0 ||
4548  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4549  goto end;
4550  }
4551  if (bed1->local_id != 0) {
4552  result = 0;
4553  goto end;
4554  }
4555 
4556  if (sm->next != NULL)
4557  goto end;
4558 
4559  if (s->sm_lists_tail[g_http_uri_buffer_id] == NULL) {
4560  result = 0;
4561  goto end;
4562  }
4563 
4564  sm = s->sm_lists[g_http_uri_buffer_id];
4565  if (sm->type != DETECT_CONTENT) {
4566  result = 0;
4567  goto end;
4568  }
4569  cd = (DetectContentData *)sm->ctx;
4570  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4571  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4572  printf("one failed\n");
4573  result = 0;
4574  goto end;
4575  }
4576 
4577  sm = sm->next;
4578  if (sm->type != DETECT_BYTE_EXTRACT) {
4579  result = 0;
4580  goto end;
4581  }
4582  bed1 = (DetectByteExtractData *)sm->ctx;
4583  if (bed1->nbytes != 4 ||
4584  bed1->offset != 0 ||
4585  strcmp(bed1->name, "four") != 0 ||
4586  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4587  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4588  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4589  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4590  bed1->align_value != 0 ||
4591  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4592  goto end;
4593  }
4594  if (bed1->local_id != 0) {
4595  result = 0;
4596  goto end;
4597  }
4598 
4599  sm = sm->next;
4600  if (sm->type != DETECT_ISDATAAT) {
4601  result = 0;
4602  goto end;
4603  }
4604  isdd = (DetectIsdataatData *)sm->ctx;
4605  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4606  ISDATAAT_RELATIVE) ||
4607  isdd->dataat != bed1->local_id) {
4608  printf("isdataat failed\n");
4609  result = 0;
4610  goto end;
4611  }
4612 
4613  if (sm->next != NULL)
4614  goto end;
4615 
4616  result = 1;
4617 
4618  end:
4619  SigGroupCleanup(de_ctx);
4620  SigCleanSignatures(de_ctx);
4621  DetectEngineCtxFree(de_ctx);
4622 
4623  return result;
4624 }
4625 
4626 static int DetectByteExtractTest62(void)
4627 {
4628  DetectEngineCtx *de_ctx = NULL;
4629  int result = 0;
4630  Signature *s = NULL;
4631  SigMatch *sm = NULL;
4632  DetectByteExtractData *bed = NULL;
4633 
4634  de_ctx = DetectEngineCtxInit();
4635  if (de_ctx == NULL)
4636  goto end;
4637 
4638  de_ctx->flags |= DE_QUIET;
4639  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4640  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4641  "sid:1;)");
4642  if (de_ctx->sig_list == NULL) {
4643  goto end;
4644  }
4645 
4646  if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) {
4647  goto end;
4648  }
4649 
4650  sm = s->sm_lists[g_file_data_buffer_id];
4651  if (sm->type != DETECT_BYTE_EXTRACT) {
4652  result = 0;
4653  goto end;
4654  }
4655  bed = (DetectByteExtractData *)sm->ctx;
4656  if (bed->nbytes != 4 ||
4657  bed->offset != 2 ||
4658  strncmp(bed->name, "two", 3) != 0 ||
4659  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4660  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4661  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4662  bed->align_value != 0 ||
4663  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4664  goto end;
4665  }
4666 
4667  result = 1;
4668 
4669  end:
4670  SigGroupCleanup(de_ctx);
4671  SigCleanSignatures(de_ctx);
4672  DetectEngineCtxFree(de_ctx);
4673 
4674  return result;
4675 }
4676 
4677 static int DetectByteExtractTest63(void)
4678 {
4679  int result = 0;
4680 
4681  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4682  if (bed == NULL)
4683  goto end;
4684 
4685  if (bed->nbytes != 4 ||
4686  bed->offset != -2 ||
4687  strcmp(bed->name, "one") != 0 ||
4688  bed->flags != 0 ||
4689  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
4690  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
4691  bed->align_value != 0 ||
4692  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4693  goto end;
4694  }
4695 
4696  result = 1;
4697  end:
4698  if (bed != NULL)
4699  DetectByteExtractFree(NULL, bed);
4700  return result;
4701 }
4702 
4703 static int DetectByteExtractTestParseNoBase(void)
4704 {
4705  int result = 0;
4706 
4707  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4708  if (bed == NULL)
4709  goto end;
4710 
4711  if (bed->nbytes != 4) {
4712  goto end;
4713  }
4714  if (bed->offset != 2) {
4715  goto end;
4716  }
4717  if (strcmp(bed->name, "one") != 0) {
4718  goto end;
4719  }
4720  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4721  goto end;
4722  }
4723  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
4724  goto end;
4725  }
4726  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4727  goto end;
4728  }
4729  if (bed->align_value != 0) {
4730  goto end;
4731  }
4732  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4733  goto end;
4734  }
4735 
4736  result = 1;
4737  end:
4738  if (bed != NULL)
4739  DetectByteExtractFree(NULL, bed);
4740  return result;
4741 }
4742 
4743 static void DetectByteExtractRegisterTests(void)
4744 {
4745  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4746  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4747 
4748  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4749  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4750  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4751  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4752  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4753  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4754  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4755  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4756  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4757  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4758  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4759  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4760  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4761  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4762  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4763  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4764  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4765  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4766  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4767  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4768  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4769  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4770  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4771  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4772  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4773  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4774  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4775  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4776  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4777  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4778  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4779  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4780  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4781  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4782  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4783  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4784  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4785  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4786  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4787  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4788  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4789  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4790 
4791  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4792  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4793 
4794  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4795  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4796 
4797  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4798  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4799 
4800  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4801  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4802 
4803  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4804  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4805 
4806  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4807  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4808 
4809  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4810  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4811  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4812 
4813  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4814  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4815  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4816  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4817  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4818  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4819 
4820  UtRegisterTest("DetectByteExtractTestParseNoBase",
4821  DetectByteExtractTestParseNoBase);
4822 }
4823 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:100
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1270
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1490
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DETECT_BYTE_EXTRACT_ENDIAN_DCE
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE
Definition: detect-byte-extract.h:38
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1088
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2474
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:76
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
flow-util.h
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1267
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:74
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectContentData_::within
int32_t within
Definition: detect-content.h:102
DETECT_BYTE_EXTRACT_FLAG_STRING
#define DETECT_BYTE_EXTRACT_FLAG_STRING
Definition: detect-byte-extract.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DetectByteExtractData_::local_id
uint8_t local_id
Definition: detect-byte-extract.h:45
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:59
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
DetectByteExtractData_
Holds data related to byte_extract keyword.
Definition: detect-byte-extract.h:43
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:333
threads.h
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2115
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:58
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:44
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:42
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectBytetestData_
Definition: detect-bytetest.h:52
DetectByteExtractData_::nbytes
uint8_t nbytes
Definition: detect-byte-extract.h:47
SigMatchData_
Data needed for Match()
Definition: detect.h:330
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:44
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:49
util-unittest-helper.h
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:218
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1077
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:540
SC_ERR_PCRE_PARSE
@ SC_ERR_PCRE_PARSE
Definition: util-error.h:37
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:72
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:359
decode.h
util-debug.h
DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
Definition: detect-byte-extract.c:53
DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
Definition: detect-byte-extract.c:65
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
StringParseI32RangeCheck
int StringParseI32RangeCheck(int32_t *res, int base, size_t len, const char *str, int32_t min, int32_t max)
Definition: util-byte.c:704
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectByteExtractData_::offset
int32_t offset
Definition: detect-byte-extract.h:49
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2597
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:525
DETECT_BYTE_EXTRACT_ENDIAN_BIG
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG
Definition: detect-byte-extract.h:36
detect-engine-mpm.h
detect.h
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:60
DetectByteExtractData_::align_value
uint8_t align_value
Definition: detect-byte-extract.h:54
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:325
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
DetectByteExtractData_::endian
uint8_t endian
Definition: detect-byte-extract.h:52
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2016
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
Signature_::flags
uint32_t flags
Definition: detect.h:549
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:99
DETECT_BYTE_EXTRACT_FLAG_RELATIVE
#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE
Definition: detect-byte-extract.h:28
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:619
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1235
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:542
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:665
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:903
DetectByteExtractData_::base
uint8_t base
Definition: detect-byte-extract.h:53
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:62
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:115
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:73
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
DETECT_BYTE_EXTRACT_BASE_NONE
#define DETECT_BYTE_EXTRACT_BASE_NONE
Definition: detect-byte-extract.c:57
DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
Definition: detect-byte-extract.h:37
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:322
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:73
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:101
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
util-spm.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:817
DETECT_BYTE_EXTRACT_FLAG_ALIGN
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN
Definition: detect-byte-extract.h:31
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
DetectByteExtractData_::name
const char * name
Definition: detect-byte-extract.h:50
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:625
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectByteExtractData_::multiplier_value
uint16_t multiplier_value
Definition: detect-byte-extract.h:56
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT_ENDIAN_NONE
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE
Definition: detect-byte-extract.h:35
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:173
DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
Definition: detect-byte-extract.h:29
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint16_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:114
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:80
DetectByteExtractData_::flags
uint8_t flags
Definition: detect-byte-extract.h:51
DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
Definition: detect-byte-extract.c:67
DETECT_BYTE_EXTRACT_FLAG_ENDIAN
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN
Definition: detect-byte-extract.h:32
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:59
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:36
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:100
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2573
DetectPcreData_
Definition: detect-pcre.h:39
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-byte-extract.c:78
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:75
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
flow.h
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
Definition: detect-byte-extract.c:68
flow-var.h
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:74
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:61
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:47
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
SignatureInitData_::smlists_array_size
uint32_t smlists_array_size
Definition: detect.h:540
detect-bytetest.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171