suricata
detect-byte-extract.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "threads.h"
26 #include "decode.h"
27 
28 #include "detect.h"
29 #include "detect-parse.h"
30 #include "detect-engine.h"
31 #include "detect-engine-mpm.h"
32 #include "detect-engine-state.h"
33 #include "detect-content.h"
34 #include "detect-pcre.h"
35 #include "detect-bytejump.h"
36 #include "detect-bytetest.h"
37 #include "detect-byte-extract.h"
38 #include "detect-isdataat.h"
39 #include "detect-engine-build.h"
40 
41 #include "app-layer-protos.h"
42 
43 #include "flow.h"
44 #include "flow-var.h"
45 #include "flow-util.h"
46 
47 #include "util-byte.h"
48 #include "util-debug.h"
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 #include "util-spm.h"
52 
53 /* the default value of endianness to be used, if none's specified */
54 #define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT DETECT_BYTE_EXTRACT_ENDIAN_BIG
55 
56 /* the base to be used if string mode is specified. These options would be
57  * specified in DetectByteParseData->base */
58 #define DETECT_BYTE_EXTRACT_BASE_NONE 0
59 #define DETECT_BYTE_EXTRACT_BASE_HEX 16
60 #define DETECT_BYTE_EXTRACT_BASE_DEC 10
61 #define DETECT_BYTE_EXTRACT_BASE_OCT 8
62 
63 /* the default value for multiplier. Either ways we always store a
64  * multiplier, 1 or otherwise, so that we can always multiply the extracted
65  * value and store it, instead of checking if a multiplier is set or not */
66 #define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT 1
67 /* the min/max limit for multiplier */
68 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT 1
69 #define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT 65535
70 
71 /* the max no of bytes that can be extracted in string mode - (string, hex)
72  * (string, oct) or (string, dec) */
73 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
74 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
75 #define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
76 /* the max no of bytes that can be extracted in non-string mode */
77 #define NO_STRING_MAX_BYTES_TO_EXTRACT 8
78 
79 #define PARSE_REGEX "^" \
80  "\\s*([0-9]+)\\s*" \
81  ",\\s*(-?[0-9]+)\\s*" \
82  ",\\s*([^\\s,]+)\\s*" \
83  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
84  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
85  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
86  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
87  "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
88  "$"
89 
90 static DetectParseRegex parse_regex;
91 
92 static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
93 #ifdef UNITTESTS
94 static void DetectByteExtractRegisterTests(void);
95 #endif
96 static void DetectByteExtractFree(DetectEngineCtx *, void *);
97 
98 /**
99  * \brief Registers the keyword handlers for the "byte_extract" keyword.
100  */
101 void DetectByteExtractRegister(void)
102 {
103  sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
104  sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
105  sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
106  sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
107  sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
108  sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
109 #ifdef UNITTESTS
110  sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
111 #endif
112  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
113 }
114 
115 int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
116  const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value,
117  uint8_t endian)
118 {
119  DetectByteExtractData *data = (DetectByteExtractData *)smd->ctx;
120  const uint8_t *ptr = NULL;
121  int32_t len = 0;
122  uint64_t val = 0;
123  int extbytes;
124 
125  if (payload_len == 0) {
126  return 0;
127  }
128 
129  /* Calculate the ptr value for the bytetest and length remaining in
130  * the packet from that point.
131  */
132  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
133  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
134  "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
135 
136  ptr = payload + det_ctx->buffer_offset;
137  len = payload_len - det_ctx->buffer_offset;
138 
139  ptr += data->offset;
140  len -= data->offset;
141 
142  /* No match if there is no relative base */
143  if (len <= 0) {
144  return 0;
145  }
146  //PrintRawDataFp(stdout,ptr,len);
147  } else {
148  SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
149 
150  ptr = payload + data->offset;
151  len = payload_len - data->offset;
152  }
153 
154  /* Validate that the to-be-extracted is within the packet */
155  if (ptr < payload || data->nbytes > len) {
156  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
157  payload, ptr, len, data->nbytes);
158  return 0;
159  }
160 
161  /* Extract the byte data */
162  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
163  extbytes = ByteExtractStringUint64(&val, data->base,
164  data->nbytes, (const char *)ptr);
165  if (extbytes <= 0) {
166  /* strtoull() return 0 if there is no numeric value in data string */
167  if (val == 0) {
168  SCLogDebug("No Numeric value");
169  return 0;
170  } else {
171  SCLogDebug("error extracting %d bytes of string data: %d",
172  data->nbytes, extbytes);
173  return -1;
174  }
175  }
176  } else {
177  int endianness = (endian == DETECT_BYTE_EXTRACT_ENDIAN_BIG) ?
178  BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
179  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
180  if (extbytes != data->nbytes) {
181  SCLogDebug("error extracting %d bytes of numeric data: %d",
182  data->nbytes, extbytes);
183  return 0;
184  }
185  }
186 
187  /* Adjust the jump value based on flags */
188  val *= data->multiplier_value;
189  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
190  if ((val % data->align_value) != 0) {
191  val += data->align_value - (val % data->align_value);
192  }
193  }
194 
195  ptr += extbytes;
196 
197  det_ctx->buffer_offset = ptr - payload;
198 
199  *value = val;
200  SCLogDebug("extracted value is %"PRIu64, val);
201  return 1;
202 }
203 
204 /**
205  * \internal
206  * \brief Used to parse byte_extract arg.
207  *
208  * \param de_ctx Pointer to the detection engine context
209  * \arg The argument to parse.
210  *
211  * \param bed On success an instance containing the parsed data.
212  * On failure, NULL.
213  */
214 static inline DetectByteExtractData *DetectByteExtractParse(DetectEngineCtx *de_ctx, const char *arg)
215 {
216  DetectByteExtractData *bed = NULL;
217  int ret = 0, res = 0;
218  size_t pcre2len;
219  int i = 0;
220 
221  ret = DetectParsePcreExec(&parse_regex, arg, 0, 0);
222  if (ret < 3 || ret > 19) {
223  SCLogError("parse error, ret %" PRId32 ", string \"%s\"", ret, arg);
224  SCLogError("Invalid arg to byte_extract : %s "
225  "for byte_extract",
226  arg);
227  goto error;
228  }
229 
230  bed = SCMalloc(sizeof(DetectByteExtractData));
231  if (unlikely(bed == NULL))
232  goto error;
233  memset(bed, 0, sizeof(DetectByteExtractData));
234 
235  /* no of bytes to extract */
236  char nbytes_str[64] = "";
237  pcre2len = sizeof(nbytes_str);
238  res = pcre2_substring_copy_bynumber(
239  parse_regex.match, 1, (PCRE2_UCHAR8 *)nbytes_str, &pcre2len);
240  if (res < 0) {
241  SCLogError("pcre2_substring_copy_bynumber failed "
242  "for arg 1 for byte_extract");
243  goto error;
244  }
245  if (StringParseUint8(&bed->nbytes, 10, 0,
246  (const char *)nbytes_str) < 0) {
247  SCLogError("Invalid value for number of bytes"
248  " to be extracted: \"%s\".",
249  nbytes_str);
250  goto error;
251  }
252 
253  /* offset */
254  char offset_str[64] = "";
255  pcre2len = sizeof(offset_str);
256  res = pcre2_substring_copy_bynumber(
257  parse_regex.match, 2, (PCRE2_UCHAR8 *)offset_str, &pcre2len);
258  if (res < 0) {
259  SCLogError("pcre2_substring_copy_bynumber failed "
260  "for arg 2 for byte_extract");
261  goto error;
262  }
263  int32_t offset;
264  if (StringParseI32RangeCheck(&offset, 10, 0, (const char *)offset_str, -65535, 65535) < 0) {
265  SCLogError("Invalid value for offset: \"%s\".", offset_str);
266  goto error;
267  }
268  bed->offset = offset;
269 
270  /* var name */
271  char varname_str[256] = "";
272  pcre2len = sizeof(varname_str);
273  res = pcre2_substring_copy_bynumber(
274  parse_regex.match, 3, (PCRE2_UCHAR8 *)varname_str, &pcre2len);
275  if (res < 0) {
276  SCLogError("pcre2_substring_copy_bynumber failed "
277  "for arg 3 for byte_extract");
278  goto error;
279  }
280  bed->name = SCStrdup(varname_str);
281  if (bed->name == NULL)
282  goto error;
283 
284  /* check out other optional args */
285  for (i = 4; i < ret; i++) {
286  char opt_str[64] = "";
287  pcre2len = sizeof(opt_str);
288  res = SC_Pcre2SubstringCopy(parse_regex.match, i, (PCRE2_UCHAR8 *)opt_str, &pcre2len);
289  if (res < 0) {
290  SCLogError("pcre2_substring_copy_bynumber failed "
291  "for arg %d for byte_extract with %d",
292  i, res);
293  goto error;
294  }
295 
296  if (strcmp("relative", opt_str) == 0) {
297  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
298  SCLogError("relative specified more "
299  "than once for byte_extract");
300  goto error;
301  }
302  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
303  } else if (strcmp("multiplier", opt_str) == 0) {
304  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) {
305  SCLogError("multiplier specified more "
306  "than once for byte_extract");
307  goto error;
308  }
309  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER;
310  i++;
311 
312  char multiplier_str[16] = "";
313  pcre2len = sizeof(multiplier_str);
314  res = pcre2_substring_copy_bynumber(
315  parse_regex.match, i, (PCRE2_UCHAR8 *)multiplier_str, &pcre2len);
316  if (res < 0) {
317  SCLogError("pcre2_substring_copy_bynumber failed "
318  "for arg %d for byte_extract",
319  i);
320  goto error;
321  }
322  uint16_t multiplier;
323  if (StringParseU16RangeCheck(&multiplier, 10, 0, (const char *)multiplier_str,
324  DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT,
325  DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT) < 0) {
326  SCLogError("Invalid value for"
327  "multiplier: \"%s\".",
328  multiplier_str);
329  goto error;
330  }
331  bed->multiplier_value = multiplier;
332  } else if (strcmp("big", opt_str) == 0) {
333  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
334  SCLogError("endian option specified "
335  "more than once for byte_extract");
336  goto error;
337  }
338  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
339  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_BIG;
340  } else if (strcmp("little", opt_str) == 0) {
341  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
342  SCLogError("endian option specified "
343  "more than once for byte_extract");
344  goto error;
345  }
346  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
347  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_LITTLE;
348  } else if (strcmp("dce", opt_str) == 0) {
349  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
350  SCLogError("endian option specified "
351  "more than once for byte_extract");
352  goto error;
353  }
354  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
355  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DCE;
356  } else if (strcmp("string", opt_str) == 0) {
357  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
358  SCLogError("string specified more "
359  "than once for byte_extract");
360  goto error;
361  }
362  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
363  SCLogError("The right way to specify "
364  "base is (string, base) and not (base, string) "
365  "for byte_extract");
366  goto error;
367  }
368  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_STRING;
369  } else if (strcmp("hex", opt_str) == 0) {
370  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
371  SCLogError("Base(hex) specified "
372  "without specifying string. The right way is "
373  "(string, base) and not (base, string)");
374  goto error;
375  }
376  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
377  SCLogError("More than one base "
378  "specified for byte_extract");
379  goto error;
380  }
381  bed->base = DETECT_BYTE_EXTRACT_BASE_HEX;
382  } else if (strcmp("oct", opt_str) == 0) {
383  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
384  SCLogError("Base(oct) specified "
385  "without specifying string. The right way is "
386  "(string, base) and not (base, string)");
387  goto error;
388  }
389  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
390  SCLogError("More than one base "
391  "specified for byte_extract");
392  goto error;
393  }
394  bed->base = DETECT_BYTE_EXTRACT_BASE_OCT;
395  } else if (strcmp("dec", opt_str) == 0) {
396  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
397  SCLogError("Base(dec) specified "
398  "without specifying string. The right way is "
399  "(string, base) and not (base, string)");
400  goto error;
401  }
402  if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
403  SCLogError("More than one base "
404  "specified for byte_extract");
405  goto error;
406  }
407  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
408  } else if (strcmp("align", opt_str) == 0) {
409  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
410  SCLogError("Align specified more "
411  "than once for byte_extract");
412  goto error;
413  }
414  bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ALIGN;
415  i++;
416 
417  char align_str[16] = "";
418  pcre2len = sizeof(align_str);
419  res = pcre2_substring_copy_bynumber(
420  parse_regex.match, i, (PCRE2_UCHAR8 *)align_str, &pcre2len);
421  if (res < 0) {
422  SCLogError("pcre2_substring_copy_bynumber failed "
423  "for arg %d in byte_extract",
424  i);
425  goto error;
426  }
427  if (StringParseUint8(&bed->align_value, 10, 0,
428  (const char *)align_str) < 0) {
429  SCLogError("Invalid align_value: "
430  "\"%s\".",
431  align_str);
432  goto error;
433  }
434  if (!(bed->align_value == 2 || bed->align_value == 4)) {
435  SCLogError("Invalid align_value for "
436  "byte_extract - \"%d\"",
437  bed->align_value);
438  goto error;
439  }
440  } else if (strcmp("", opt_str) == 0) {
441  ;
442  } else {
443  SCLogError("Invalid option - \"%s\" "
444  "specified in byte_extract",
445  opt_str);
446  goto error;
447  }
448  } /* for (i = 4; i < ret; i++) */
449 
450  /* validation */
451  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER)) {
452  /* default value */
453  bed->multiplier_value = DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT;
454  }
455 
456  if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
457  if (bed->base == DETECT_BYTE_EXTRACT_BASE_NONE) {
458  /* Default to decimal if base not specified. */
459  bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
460  }
461  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
462  SCLogError("byte_extract can't have "
463  "endian \"big\" or \"little\" specified along with "
464  "\"string\"");
465  goto error;
466  }
467  if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
468  /* if are dealing with octal nos, the max no that can fit in a 8
469  * byte value is 01777777777777777777777 */
470  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
471  SCLogError("byte_extract can't process "
472  "more than %d bytes in \"string\" extraction",
473  STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
474  goto error;
475  }
476  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
477  /* if are dealing with decimal nos, the max no that can fit in a 8
478  * byte value is 18446744073709551615 */
479  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
480  SCLogError("byte_extract can't process "
481  "more than %d bytes in \"string\" extraction",
482  STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
483  goto error;
484  }
485  } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
486  /* if are dealing with hex nos, the max no that can fit in a 8
487  * byte value is 0xFFFFFFFFFFFFFFFF */
488  if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
489  SCLogError("byte_extract can't process "
490  "more than %d bytes in \"string\" extraction",
491  STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
492  goto error;
493  }
494  } else {
495  ; // just a placeholder. we won't reach here.
496  }
497  } else {
498  if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
499  SCLogError("byte_extract can't process "
500  "more than %d bytes in \"non-string\" extraction",
501  NO_STRING_MAX_BYTES_TO_EXTRACT);
502  goto error;
503  }
504  /* if string has not been specified and no endian option has been
505  * specified, then set the default endian level of BIG */
506  if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
507  bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT;
508  }
509 
510  return bed;
511  error:
512  if (bed != NULL)
513  DetectByteExtractFree(de_ctx, bed);
514  return NULL;
515 }
516 
517 /**
518  * \brief The setup function for the byte_extract keyword for a signature.
519  *
520  * \param de_ctx Pointer to the detection engine context.
521  * \param s Pointer to signature for the current Signature being parsed
522  * from the rules.
523  * \param m Pointer to the head of the SigMatch for the current rule
524  * being parsed.
525  * \param arg Pointer to the string holding the keyword value.
526  *
527  * \retval 0 On success.
528  * \retval -1 On failure.
529  */
530 static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
531 {
532  SigMatch *sm = NULL;
533  SigMatch *prev_pm = NULL;
534  DetectByteExtractData *data = NULL;
535  int ret = -1;
536 
537  data = DetectByteExtractParse(de_ctx, arg);
538  if (data == NULL)
539  goto error;
540 
541  int sm_list;
542  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
543  sm_list = s->init_data->list;
544 
545  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
546  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
547  }
548  } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
549  if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
550  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
551  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
552  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
553  if (prev_pm == NULL) {
554  sm_list = DETECT_SM_LIST_PMATCH;
555  } else {
556  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
557  if (sm_list < 0)
558  goto error;
559  }
560  } else {
561  sm_list = DETECT_SM_LIST_PMATCH;
562  }
563 
564  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
565  goto error;
566  s->flags |= SIG_FLAG_APPLAYER;
567 
568  } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
569  prev_pm = DetectGetLastSMFromLists(s,
570  DETECT_CONTENT, DETECT_PCRE,
571  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
572  DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
573  if (prev_pm == NULL) {
574  sm_list = DETECT_SM_LIST_PMATCH;
575  } else {
576  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
577  if (sm_list < 0)
578  goto error;
579  if (sm_list != DETECT_SM_LIST_PMATCH)
580  s->flags |= SIG_FLAG_APPLAYER;
581  }
582 
583  } else {
584  sm_list = DETECT_SM_LIST_PMATCH;
585  }
586 
587  if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
588  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
589  goto error;
590 
591  if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
592  (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
593  (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
594  (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
595  SCLogError("Invalid option. "
596  "A byte_jump keyword with dce holds other invalid modifiers.");
597  goto error;
598  }
599  }
600 
601  SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
602  DETECT_BYTE_EXTRACT, -1);
603  if (prev_bed_sm == NULL)
604  data->local_id = 0;
605  else
606  data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
607  if (data->local_id > de_ctx->byte_extract_max_local_id)
608  de_ctx->byte_extract_max_local_id = data->local_id;
609 
610 
611  sm = SigMatchAlloc();
612  if (sm == NULL)
613  goto error;
614  sm->type = DETECT_BYTE_EXTRACT;
615  sm->ctx = (void *)data;
616  SigMatchAppendSMToList(s, sm, sm_list);
617 
618 
619  if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
620  goto okay;
621 
622  if (prev_pm == NULL)
623  goto okay;
624 
625  if (prev_pm->type == DETECT_CONTENT) {
626  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
627  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
628  } else if (prev_pm->type == DETECT_PCRE) {
629  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
630  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
631  }
632 
633  okay:
634  ret = 0;
635  return ret;
636  error:
637  DetectByteExtractFree(de_ctx, data);
638  return ret;
639 }
640 
641 /**
642  * \brief Used to free instances of DetectByteExtractData.
643  *
644  * \param ptr Instance of DetectByteExtractData to be freed.
645  */
646 static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
647 {
648  if (ptr != NULL) {
649  DetectByteExtractData *bed = ptr;
650  if (bed->name != NULL)
651  SCFree((void *)bed->name);
652  SCFree(bed);
653  }
654 
655  return;
656 }
657 
658 /**
659  * \brief Lookup the SigMatch for a named byte_extract variable.
660  *
661  * \param arg The name of the byte_extract variable to lookup.
662  * \param s Pointer the signature to look in.
663  *
664  * \retval A pointer to the SigMatch if found, otherwise NULL.
665  */
666 SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
667 {
668  for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
669  SigMatch *sm = s->init_data->buffers[x].head;
670  while (sm != NULL) {
671  if (sm->type == DETECT_BYTE_EXTRACT) {
672  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
673  if (strcmp(bed->name, arg) == 0) {
674  return sm;
675  }
676  }
677  sm = sm->next;
678  }
679  }
680 
681  for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
682  SigMatch *sm = s->init_data->smlists[list];
683  while (sm != NULL) {
684  if (sm->type == DETECT_BYTE_EXTRACT) {
685  const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
686  if (strcmp(bed->name, arg) == 0) {
687  return sm;
688  }
689  }
690  sm = sm->next;
691  }
692  }
693 
694  return NULL;
695 }
696 
697 /*************************************Unittests********************************/
698 
699 #ifdef UNITTESTS
700 
701 static int g_file_data_buffer_id = 0;
702 static int g_http_uri_buffer_id = 0;
703 
704 static int DetectByteExtractTest01(void)
705 {
706  int result = 0;
707 
708  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
709  if (bed == NULL)
710  goto end;
711 
712  if (bed->nbytes != 4 ||
713  bed->offset != 2 ||
714  strcmp(bed->name, "one") != 0 ||
715  bed->flags != 0 ||
716  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
717  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
718  bed->align_value != 0 ||
719  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
720  goto end;
721  }
722 
723  result = 1;
724  end:
725  if (bed != NULL)
726  DetectByteExtractFree(NULL, bed);
727  return result;
728 }
729 
730 static int DetectByteExtractTest02(void)
731 {
732  int result = 0;
733 
734  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
735  if (bed == NULL)
736  goto end;
737 
738  if (bed->nbytes != 4 ||
739  bed->offset != 2 ||
740  strcmp(bed->name, "one") != 0 ||
741  bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE ||
742  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
743  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
744  bed->align_value != 0 ||
745  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
746  goto end;
747  }
748 
749  result = 1;
750  end:
751  if (bed != NULL)
752  DetectByteExtractFree(NULL, bed);
753  return result;
754 }
755 
756 static int DetectByteExtractTest03(void)
757 {
758  int result = 0;
759 
760  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
761  if (bed == NULL)
762  goto end;
763 
764  if (bed->nbytes != 4 ||
765  bed->offset != 2 ||
766  strcmp(bed->name, "one") != 0 ||
767  bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER ||
768  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
769  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
770  bed->align_value != 0 ||
771  bed->multiplier_value != 10) {
772  goto end;
773  }
774 
775  result = 1;
776  end:
777  if (bed != NULL)
778  DetectByteExtractFree(NULL, bed);
779  return result;
780 }
781 
782 static int DetectByteExtractTest04(void)
783 {
784  int result = 0;
785 
786  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
787  if (bed == NULL)
788  goto end;
789 
790  if (bed->nbytes != 4 ||
791  bed->offset != 2 ||
792  strcmp(bed->name, "one") != 0 ||
793  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
794  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
795  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
796  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
797  bed->align_value != 0 ||
798  bed->multiplier_value != 10) {
799  goto end;
800  }
801 
802  result = 1;
803  end:
804  if (bed != NULL)
805  DetectByteExtractFree(NULL, bed);
806  return result;
807 }
808 
809 static int DetectByteExtractTest05(void)
810 {
811  int result = 0;
812 
813  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
814  if (bed == NULL)
815  goto end;
816 
817  if (bed->nbytes != 4 ||
818  bed->offset != 2 ||
819  strcmp(bed->name, "one") != 0 ||
820  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
821  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
822  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
823  bed->align_value != 0 ||
824  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
825  goto end;
826  }
827 
828  result = 1;
829  end:
830  if (bed != NULL)
831  DetectByteExtractFree(NULL, bed);
832  return result;
833 }
834 
835 static int DetectByteExtractTest06(void)
836 {
837  int result = 0;
838 
839  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
840  if (bed == NULL)
841  goto end;
842 
843  if (bed->nbytes != 4 ||
844  bed->offset != 2 ||
845  strcmp(bed->name, "one") != 0 ||
846  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
847  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
848  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
849  bed->align_value != 0 ||
850  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
851  goto end;
852  }
853 
854  result = 1;
855  end:
856  if (bed != NULL)
857  DetectByteExtractFree(NULL, bed);
858  return result;
859 }
860 
861 static int DetectByteExtractTest07(void)
862 {
863  int result = 0;
864 
865  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
866  if (bed == NULL)
867  goto end;
868 
869  if (bed->nbytes != 4 ||
870  bed->offset != 2 ||
871  strcmp(bed->name, "one") != 0 ||
872  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
873  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
874  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
875  bed->align_value != 0 ||
876  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
877  goto end;
878  }
879 
880  result = 1;
881  end:
882  if (bed != NULL)
883  DetectByteExtractFree(NULL, bed);
884  return result;
885 }
886 
887 static int DetectByteExtractTest08(void)
888 {
889  int result = 0;
890 
891  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
892  if (bed == NULL)
893  goto end;
894 
895  if (bed->nbytes != 4 ||
896  bed->offset != 2 ||
897  strcmp(bed->name, "one") != 0 ||
898  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
899  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
900  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
901  bed->align_value != 0 ||
902  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
903  goto end;
904  }
905 
906  result = 1;
907  end:
908  if (bed != NULL)
909  DetectByteExtractFree(NULL, bed);
910  return result;
911 }
912 
913 static int DetectByteExtractTest09(void)
914 {
915  int result = 0;
916 
917  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
918  if (bed == NULL)
919  goto end;
920 
921  if (bed->nbytes != 4 ||
922  bed->offset != 2 ||
923  strcmp(bed->name, "one") != 0 ||
924  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
925  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
926  bed->base != DETECT_BYTE_EXTRACT_BASE_OCT ||
927  bed->align_value != 0 ||
928  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
929  goto end;
930  }
931 
932  result = 1;
933  end:
934  if (bed != NULL)
935  DetectByteExtractFree(NULL, bed);
936  return result;
937 }
938 
939 static int DetectByteExtractTest10(void)
940 {
941  int result = 0;
942 
943  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
944  if (bed == NULL)
945  goto end;
946 
947  if (bed->nbytes != 4 ||
948  bed->offset != 2 ||
949  strcmp(bed->name, "one") != 0 ||
950  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
951  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
952  bed->base != DETECT_BYTE_EXTRACT_BASE_DEC ||
953  bed->align_value != 0 ||
954  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
955  goto end;
956  }
957 
958  result = 1;
959  end:
960  if (bed != NULL)
961  DetectByteExtractFree(NULL, bed);
962  return result;
963 }
964 
965 static int DetectByteExtractTest11(void)
966 {
967  int result = 0;
968 
969  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
970  if (bed == NULL)
971  goto end;
972 
973  if (bed->nbytes != 4 ||
974  bed->offset != 2 ||
975  strcmp(bed->name, "one") != 0 ||
976  bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN ||
977  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
978  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
979  bed->align_value != 4 ||
980  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
981  goto end;
982  }
983 
984  result = 1;
985  end:
986  if (bed != NULL)
987  DetectByteExtractFree(NULL, bed);
988  return result;
989 }
990 
991 static int DetectByteExtractTest12(void)
992 {
993  int result = 0;
994 
995  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
996  if (bed == NULL)
997  goto end;
998 
999  if (bed->nbytes != 4 ||
1000  bed->offset != 2 ||
1001  strcmp(bed->name, "one") != 0 ||
1002  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1003  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1004  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
1005  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1006  bed->align_value != 4 ||
1007  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1008  goto end;
1009  }
1010 
1011  result = 1;
1012  end:
1013  if (bed != NULL)
1014  DetectByteExtractFree(NULL, bed);
1015  return result;
1016 }
1017 
1018 static int DetectByteExtractTest13(void)
1019 {
1020  int result = 0;
1021 
1022  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
1023  if (bed == NULL)
1024  goto end;
1025 
1026  if (bed->nbytes != 4 ||
1027  bed->offset != 2 ||
1028  strcmp(bed->name, "one") != 0 ||
1029  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1030  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1031  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1032  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
1033  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1034  bed->align_value != 4 ||
1035  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1036  goto end;
1037  }
1038 
1039  result = 1;
1040  end:
1041  if (bed != NULL)
1042  DetectByteExtractFree(NULL, bed);
1043  return result;
1044 }
1045 
1046 static int DetectByteExtractTest14(void)
1047 {
1048  int result = 0;
1049 
1050  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
1051  if (bed == NULL)
1052  goto end;
1053 
1054  if (bed->nbytes != 4 ||
1055  bed->offset != 2 ||
1056  strcmp(bed->name, "one") != 0 ||
1057  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1058  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1059  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1060  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
1061  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1062  bed->align_value != 4 ||
1063  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1064  goto end;
1065  }
1066 
1067  result = 1;
1068  end:
1069  if (bed != NULL)
1070  DetectByteExtractFree(NULL, bed);
1071  return result;
1072 }
1073 
1074 static int DetectByteExtractTest15(void)
1075 {
1076  int result = 0;
1077 
1078  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
1079  if (bed == NULL)
1080  goto end;
1081 
1082  if (bed->nbytes != 4 ||
1083  bed->offset != 2 ||
1084  strcmp(bed->name, "one") != 0 ||
1085  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1086  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1087  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
1088  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1089  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1090  bed->align_value != 4 ||
1091  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1092  goto end;
1093  }
1094 
1095  result = 1;
1096  end:
1097  if (bed != NULL)
1098  DetectByteExtractFree(NULL, bed);
1099  return result;
1100 }
1101 
1102 static int DetectByteExtractTest16(void)
1103 {
1104  int result = 0;
1105 
1106  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
1107  if (bed == NULL)
1108  goto end;
1109 
1110  if (bed->nbytes != 4 ||
1111  bed->offset != 2 ||
1112  strcmp(bed->name, "one") != 0 ||
1113  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
1114  DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1115  DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
1116  DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
1117  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
1118  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
1119  bed->align_value != 4 ||
1120  bed->multiplier_value != 2) {
1121  goto end;
1122  }
1123 
1124  result = 1;
1125  end:
1126  if (bed != NULL)
1127  DetectByteExtractFree(NULL, bed);
1128  return result;
1129 }
1130 
1131 static int DetectByteExtractTest17(void)
1132 {
1133  int result = 0;
1134 
1135  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1136  "relative, little, "
1137  "multiplier 2, string hex");
1138  if (bed != NULL)
1139  goto end;
1140 
1141  result = 1;
1142  end:
1143  if (bed != NULL)
1144  DetectByteExtractFree(NULL, bed);
1145  return result;
1146 }
1147 
1148 static int DetectByteExtractTest18(void)
1149 {
1150  int result = 0;
1151 
1152  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1153  "relative, little, "
1154  "multiplier 2, "
1155  "relative");
1156  if (bed != NULL)
1157  goto end;
1158 
1159  result = 1;
1160  end:
1161  if (bed != NULL)
1162  DetectByteExtractFree(NULL, bed);
1163  return result;
1164 }
1165 
1166 static int DetectByteExtractTest19(void)
1167 {
1168  int result = 0;
1169 
1170  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1171  "relative, little, "
1172  "multiplier 2, "
1173  "little");
1174  if (bed != NULL)
1175  goto end;
1176 
1177  result = 1;
1178  end:
1179  if (bed != NULL)
1180  DetectByteExtractFree(NULL, bed);
1181  return result;
1182 }
1183 
1184 static int DetectByteExtractTest20(void)
1185 {
1186  int result = 0;
1187 
1188  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1189  "relative, "
1190  "multiplier 2, "
1191  "align 2");
1192  if (bed != NULL)
1193  goto end;
1194 
1195  result = 1;
1196  end:
1197  if (bed != NULL)
1198  DetectByteExtractFree(NULL, bed);
1199  return result;
1200 }
1201 
1202 static int DetectByteExtractTest21(void)
1203 {
1204  int result = 0;
1205 
1206  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1207  "multiplier 2, "
1208  "relative, "
1209  "multiplier 2");
1210  if (bed != NULL)
1211  goto end;
1212 
1213  result = 1;
1214  end:
1215  if (bed != NULL)
1216  DetectByteExtractFree(NULL, bed);
1217  return result;
1218 }
1219 
1220 static int DetectByteExtractTest22(void)
1221 {
1222  int result = 0;
1223 
1224  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1225  "string hex, "
1226  "relative, "
1227  "string hex");
1228  if (bed != NULL)
1229  goto end;
1230 
1231  result = 1;
1232  end:
1233  if (bed != NULL)
1234  DetectByteExtractFree(NULL, bed);
1235  return result;
1236 }
1237 
1238 static int DetectByteExtractTest23(void)
1239 {
1240  int result = 0;
1241 
1242  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1243  "string hex, "
1244  "relative, "
1245  "string oct");
1246  if (bed != NULL)
1247  goto end;
1248 
1249  result = 1;
1250  end:
1251  if (bed != NULL)
1252  DetectByteExtractFree(NULL, bed);
1253  return result;
1254 }
1255 
1256 static int DetectByteExtractTest24(void)
1257 {
1258  int result = 0;
1259 
1260  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
1261  "string hex, "
1262  "relative");
1263  if (bed != NULL)
1264  goto end;
1265 
1266  result = 1;
1267  end:
1268  if (bed != NULL)
1269  DetectByteExtractFree(NULL, bed);
1270  return result;
1271 }
1272 
1273 static int DetectByteExtractTest25(void)
1274 {
1275  int result = 0;
1276 
1277  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
1278  "little, "
1279  "relative");
1280  if (bed != NULL)
1281  goto end;
1282 
1283  result = 1;
1284  end:
1285  if (bed != NULL)
1286  DetectByteExtractFree(NULL, bed);
1287  return result;
1288 }
1289 
1290 static int DetectByteExtractTest26(void)
1291 {
1292  int result = 0;
1293 
1294  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1295  "little, "
1296  "relative, "
1297  "multiplier 65536");
1298  if (bed != NULL)
1299  goto end;
1300 
1301  result = 1;
1302  end:
1303  if (bed != NULL)
1304  DetectByteExtractFree(NULL, bed);
1305  return result;
1306 }
1307 
1308 static int DetectByteExtractTest27(void)
1309 {
1310  int result = 0;
1311 
1312  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
1313  "little, "
1314  "relative, "
1315  "multiplier 0");
1316  if (bed != NULL)
1317  goto end;
1318 
1319  result = 1;
1320  end:
1321  if (bed != NULL)
1322  DetectByteExtractFree(NULL, bed);
1323  return result;
1324 }
1325 
1326 static int DetectByteExtractTest28(void)
1327 {
1328  int result = 0;
1329 
1330  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
1331  if (bed == NULL)
1332  goto end;
1333 
1334  result = 1;
1335  end:
1336  if (bed != NULL)
1337  DetectByteExtractFree(NULL, bed);
1338  return result;
1339 }
1340 
1341 static int DetectByteExtractTest29(void)
1342 {
1343  int result = 0;
1344 
1345  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
1346  if (bed != NULL)
1347  goto end;
1348 
1349  result = 1;
1350  end:
1351  if (bed != NULL)
1352  DetectByteExtractFree(NULL, bed);
1353  return result;
1354 }
1355 
1356 static int DetectByteExtractTest30(void)
1357 {
1358  int result = 0;
1359 
1360  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1361  if (bed == NULL)
1362  goto end;
1363 
1364  result = 1;
1365  end:
1366  if (bed != NULL)
1367  DetectByteExtractFree(NULL, bed);
1368  return result;
1369 }
1370 
1371 static int DetectByteExtractTest31(void)
1372 {
1373  int result = 0;
1374 
1375  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1376  if (bed != NULL)
1377  goto end;
1378 
1379  result = 1;
1380  end:
1381  if (bed != NULL)
1382  DetectByteExtractFree(NULL, bed);
1383  return result;
1384 }
1385 
1386 static int DetectByteExtractTest32(void)
1387 {
1388  int result = 0;
1389 
1390  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1391  if (bed == NULL)
1392  goto end;
1393 
1394  result = 1;
1395  end:
1396  if (bed != NULL)
1397  DetectByteExtractFree(NULL, bed);
1398  return result;
1399 }
1400 
1401 static int DetectByteExtractTest33(void)
1402 {
1403  int result = 0;
1404 
1405  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1406  if (bed != NULL)
1407  goto end;
1408 
1409  result = 1;
1410  end:
1411  if (bed != NULL)
1412  DetectByteExtractFree(NULL, bed);
1413  return result;
1414 }
1415 
1416 static int DetectByteExtractTest34(void)
1417 {
1418  DetectEngineCtx *de_ctx = NULL;
1419  int result = 0;
1420  Signature *s = NULL;
1421  SigMatch *sm = NULL;
1422  DetectContentData *cd = NULL;
1423  DetectByteExtractData *bed = NULL;
1424 
1425  de_ctx = DetectEngineCtxInit();
1426  if (de_ctx == NULL)
1427  goto end;
1428 
1429  de_ctx->flags |= DE_QUIET;
1430  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1431  "(msg:\"Testing bytejump_body\"; "
1432  "content:\"one\"; "
1433  "byte_extract:4,2,two,relative,string,hex; "
1434  "sid:1;)");
1435  if (de_ctx->sig_list == NULL) {
1436  result = 0;
1437  goto end;
1438  }
1439 
1440  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1441  result = 0;
1442  goto end;
1443  }
1444 
1445  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1446  if (sm->type != DETECT_CONTENT) {
1447  result = 0;
1448  goto end;
1449  }
1450  cd = (DetectContentData *)sm->ctx;
1451  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1452  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1453  cd->flags & DETECT_CONTENT_NOCASE ||
1454  cd->flags & DETECT_CONTENT_WITHIN ||
1455  cd->flags & DETECT_CONTENT_DISTANCE ||
1456  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1457  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1458  cd->flags & DETECT_CONTENT_NEGATED ) {
1459  printf("one failed\n");
1460  result = 0;
1461  goto end;
1462  }
1463 
1464  sm = sm->next;
1465  if (sm->type != DETECT_BYTE_EXTRACT) {
1466  result = 0;
1467  goto end;
1468  }
1469  bed = (DetectByteExtractData *)sm->ctx;
1470  if (bed->nbytes != 4 ||
1471  bed->offset != 2 ||
1472  strncmp(bed->name, "two", cd->content_len) != 0 ||
1473  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1474  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1475  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1476  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1477  bed->align_value != 0 ||
1478  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1479  goto end;
1480  }
1481 
1482  result = 1;
1483 
1484  end:
1485  SigGroupCleanup(de_ctx);
1486  SigCleanSignatures(de_ctx);
1487  DetectEngineCtxFree(de_ctx);
1488 
1489  return result;
1490 }
1491 
1492 static int DetectByteExtractTest35(void)
1493 {
1494  DetectEngineCtx *de_ctx = NULL;
1495  int result = 0;
1496  Signature *s = NULL;
1497  SigMatch *sm = NULL;
1498  DetectContentData *cd = NULL;
1499  DetectPcreData *pd = NULL;
1500  DetectByteExtractData *bed = NULL;
1501 
1502  de_ctx = DetectEngineCtxInit();
1503  if (de_ctx == NULL)
1504  goto end;
1505 
1506  de_ctx->flags |= DE_QUIET;
1507  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1508  "(msg:\"Testing bytejump_body\"; "
1509  "content:\"one\"; pcre:/asf/; "
1510  "byte_extract:4,0,two,relative,string,hex; "
1511  "sid:1;)");
1512  if (de_ctx->sig_list == NULL) {
1513  result = 0;
1514  goto end;
1515  }
1516 
1517  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1518  result = 0;
1519  goto end;
1520  }
1521 
1522  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1523  if (sm->type != DETECT_CONTENT) {
1524  result = 0;
1525  goto end;
1526  }
1527  cd = (DetectContentData *)sm->ctx;
1528  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1529  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1530  cd->flags & DETECT_CONTENT_NOCASE ||
1531  cd->flags & DETECT_CONTENT_WITHIN ||
1532  cd->flags & DETECT_CONTENT_DISTANCE ||
1533  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1534  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1535  cd->flags & DETECT_CONTENT_NEGATED ) {
1536  printf("one failed\n");
1537  result = 0;
1538  goto end;
1539  }
1540 
1541  sm = sm->next;
1542  if (sm->type != DETECT_PCRE) {
1543  result = 0;
1544  goto end;
1545  }
1546  pd = (DetectPcreData *)sm->ctx;
1547  if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1548  result = 0;
1549  goto end;
1550  }
1551 
1552  sm = sm->next;
1553  if (sm->type != DETECT_BYTE_EXTRACT) {
1554  result = 0;
1555  goto end;
1556  }
1557  bed = (DetectByteExtractData *)sm->ctx;
1558  if (bed->nbytes != 4 ||
1559  bed->offset != 0 ||
1560  strcmp(bed->name, "two") != 0 ||
1561  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1562  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1563  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1564  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1565  bed->align_value != 0 ||
1566  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1567  goto end;
1568  }
1569 
1570  result = 1;
1571 
1572  end:
1573  SigGroupCleanup(de_ctx);
1574  SigCleanSignatures(de_ctx);
1575  DetectEngineCtxFree(de_ctx);
1576 
1577  return result;
1578 }
1579 
1580 static int DetectByteExtractTest36(void)
1581 {
1582  DetectEngineCtx *de_ctx = NULL;
1583  int result = 0;
1584  Signature *s = NULL;
1585  SigMatch *sm = NULL;
1586  DetectContentData *cd = NULL;
1587  DetectBytejumpData *bjd = NULL;
1588  DetectByteExtractData *bed = NULL;
1589 
1590  de_ctx = DetectEngineCtxInit();
1591  if (de_ctx == NULL)
1592  goto end;
1593 
1594  de_ctx->flags |= DE_QUIET;
1595  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1596  "(msg:\"Testing bytejump_body\"; "
1597  "content:\"one\"; byte_jump:1,13; "
1598  "byte_extract:4,0,two,relative,string,hex; "
1599  "sid:1;)");
1600  if (de_ctx->sig_list == NULL) {
1601  result = 0;
1602  goto end;
1603  }
1604 
1605  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1606  result = 0;
1607  goto end;
1608  }
1609 
1610  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1611  if (sm->type != DETECT_CONTENT) {
1612  result = 0;
1613  goto end;
1614  }
1615  cd = (DetectContentData *)sm->ctx;
1616  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1617  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1618  cd->flags & DETECT_CONTENT_NOCASE ||
1619  cd->flags & DETECT_CONTENT_WITHIN ||
1620  cd->flags & DETECT_CONTENT_DISTANCE ||
1621  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1622  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1623  cd->flags & DETECT_CONTENT_NEGATED ) {
1624  printf("one failed\n");
1625  result = 0;
1626  goto end;
1627  }
1628 
1629  sm = sm->next;
1630  if (sm->type != DETECT_BYTEJUMP) {
1631  result = 0;
1632  goto end;
1633  }
1634  bjd = (DetectBytejumpData *)sm->ctx;
1635  if (bjd->flags != 0) {
1636  result = 0;
1637  goto end;
1638  }
1639 
1640  sm = sm->next;
1641  if (sm->type != DETECT_BYTE_EXTRACT) {
1642  result = 0;
1643  goto end;
1644  }
1645  bed = (DetectByteExtractData *)sm->ctx;
1646  if (bed->nbytes != 4 ||
1647  bed->offset != 0 ||
1648  strcmp(bed->name, "two") != 0 ||
1649  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1650  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1651  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1652  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1653  bed->align_value != 0 ||
1654  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1655  goto end;
1656  }
1657 
1658  result = 1;
1659 
1660  end:
1661  SigGroupCleanup(de_ctx);
1662  SigCleanSignatures(de_ctx);
1663  DetectEngineCtxFree(de_ctx);
1664 
1665  return result;
1666 }
1667 
1668 static int DetectByteExtractTest37(void)
1669 {
1670  DetectEngineCtx *de_ctx = NULL;
1671  int result = 0;
1672  Signature *s = NULL;
1673  SigMatch *sm = NULL;
1674  DetectContentData *cd = NULL;
1675  DetectContentData *ud = NULL;
1676  DetectByteExtractData *bed = NULL;
1677 
1678  de_ctx = DetectEngineCtxInit();
1679  if (de_ctx == NULL)
1680  goto end;
1681 
1682  de_ctx->flags |= DE_QUIET;
1683  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1684  "(msg:\"Testing bytejump_body\"; "
1685  "content:\"one\"; uricontent:\"two\"; "
1686  "byte_extract:4,0,two,relative,string,hex; "
1687  "sid:1;)");
1688  if (de_ctx->sig_list == NULL) {
1689  result = 0;
1690  goto end;
1691  }
1692 
1693  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1694  result = 0;
1695  goto end;
1696  }
1697 
1698  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1699  if (sm->type != DETECT_CONTENT) {
1700  result = 0;
1701  goto end;
1702  }
1703  cd = (DetectContentData *)sm->ctx;
1704  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1705  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1706  cd->flags & DETECT_CONTENT_NOCASE ||
1707  cd->flags & DETECT_CONTENT_WITHIN ||
1708  cd->flags & DETECT_CONTENT_DISTANCE ||
1709  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1710  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1711  cd->flags & DETECT_CONTENT_NEGATED ) {
1712  printf("one failed\n");
1713  result = 0;
1714  goto end;
1715  }
1716 
1717  if (sm->next != NULL) {
1718  result = 0;
1719  goto end;
1720  }
1721 
1722  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1723  if (sm->type != DETECT_CONTENT) {
1724  result = 0;
1725  goto end;
1726  }
1727  ud = (DetectContentData *)sm->ctx;
1728  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1729  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1730  ud->flags & DETECT_CONTENT_NOCASE ||
1731  ud->flags & DETECT_CONTENT_WITHIN ||
1732  ud->flags & DETECT_CONTENT_DISTANCE ||
1733  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1734  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1735  ud->flags & DETECT_CONTENT_NEGATED ) {
1736  printf("two failed\n");
1737  result = 0;
1738  goto end;
1739  }
1740 
1741  sm = sm->next;
1742  if (sm->type != DETECT_BYTE_EXTRACT) {
1743  result = 0;
1744  goto end;
1745  }
1746  bed = (DetectByteExtractData *)sm->ctx;
1747  if (bed->nbytes != 4 ||
1748  bed->offset != 0 ||
1749  strcmp(bed->name, "two") != 0 ||
1750  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1751  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1752  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1753  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1754  bed->align_value != 0 ||
1755  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1756  goto end;
1757  }
1758 
1759  result = 1;
1760 
1761  end:
1762  SigGroupCleanup(de_ctx);
1763  SigCleanSignatures(de_ctx);
1764  DetectEngineCtxFree(de_ctx);
1765 
1766  return result;
1767 }
1768 
1769 static int DetectByteExtractTest38(void)
1770 {
1771  DetectEngineCtx *de_ctx = NULL;
1772  int result = 0;
1773  Signature *s = NULL;
1774  SigMatch *sm = NULL;
1775  DetectContentData *cd = NULL;
1776  DetectContentData *ud = NULL;
1777  DetectByteExtractData *bed = NULL;
1778 
1779  de_ctx = DetectEngineCtxInit();
1780  if (de_ctx == NULL)
1781  goto end;
1782 
1783  de_ctx->flags |= DE_QUIET;
1784  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1785  "(msg:\"Testing bytejump_body\"; "
1786  "content:\"one\"; uricontent:\"two\"; "
1787  "byte_extract:4,0,two,string,hex; "
1788  "sid:1;)");
1789  if (de_ctx->sig_list == NULL) {
1790  result = 0;
1791  goto end;
1792  }
1793 
1794  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1795  result = 0;
1796  goto end;
1797  }
1798 
1799  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1800  if (sm->type != DETECT_CONTENT) {
1801  result = 0;
1802  goto end;
1803  }
1804  cd = (DetectContentData *)sm->ctx;
1805  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1806  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1807  cd->flags & DETECT_CONTENT_NOCASE ||
1808  cd->flags & DETECT_CONTENT_WITHIN ||
1809  cd->flags & DETECT_CONTENT_DISTANCE ||
1810  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1811  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1812  cd->flags & DETECT_CONTENT_NEGATED ) {
1813  printf("one failed\n");
1814  result = 0;
1815  goto end;
1816  }
1817 
1818  sm = sm->next;
1819  if (sm->type != DETECT_BYTE_EXTRACT) {
1820  result = 0;
1821  goto end;
1822  }
1823  bed = (DetectByteExtractData *)sm->ctx;
1824  if (bed->nbytes != 4 ||
1825  bed->offset != 0 ||
1826  strcmp(bed->name, "two") != 0 ||
1827  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
1828  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1829  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1830  bed->align_value != 0 ||
1831  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1832  goto end;
1833  }
1834 
1835  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1836  if (sm->type != DETECT_CONTENT) {
1837  result = 0;
1838  goto end;
1839  }
1840  ud = (DetectContentData *)sm->ctx;
1841  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1842  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1843  ud->flags & DETECT_CONTENT_NOCASE ||
1844  ud->flags & DETECT_CONTENT_WITHIN ||
1845  ud->flags & DETECT_CONTENT_DISTANCE ||
1846  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1847  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1848  ud->flags & DETECT_CONTENT_NEGATED ) {
1849  printf("two failed\n");
1850  result = 0;
1851  goto end;
1852  }
1853 
1854  if (sm->next != NULL) {
1855  result = 0;
1856  goto end;
1857  }
1858 
1859  result = 1;
1860 
1861  end:
1862  SigGroupCleanup(de_ctx);
1863  SigCleanSignatures(de_ctx);
1864  DetectEngineCtxFree(de_ctx);
1865 
1866  return result;
1867 }
1868 
1869 static int DetectByteExtractTest39(void)
1870 {
1871  DetectEngineCtx *de_ctx = NULL;
1872  int result = 0;
1873  Signature *s = NULL;
1874  SigMatch *sm = NULL;
1875  DetectContentData *cd = NULL;
1876  DetectContentData *ud = NULL;
1877  DetectByteExtractData *bed = NULL;
1878 
1879  de_ctx = DetectEngineCtxInit();
1880  if (de_ctx == NULL)
1881  goto end;
1882 
1883  de_ctx->flags |= DE_QUIET;
1884  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1885  "(msg:\"Testing bytejump_body\"; "
1886  "content:\"one\"; content:\"two\"; http_uri; "
1887  "byte_extract:4,0,two,relative,string,hex; "
1888  "sid:1;)");
1889  if (de_ctx->sig_list == NULL) {
1890  result = 0;
1891  goto end;
1892  }
1893 
1894  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1895  result = 0;
1896  goto end;
1897  }
1898 
1899  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1900  if (sm->type != DETECT_CONTENT) {
1901  result = 0;
1902  goto end;
1903  }
1904  cd = (DetectContentData *)sm->ctx;
1905  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1906  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1907  cd->flags & DETECT_CONTENT_NOCASE ||
1908  cd->flags & DETECT_CONTENT_WITHIN ||
1909  cd->flags & DETECT_CONTENT_DISTANCE ||
1910  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1911  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1912  cd->flags & DETECT_CONTENT_NEGATED ) {
1913  printf("one failed\n");
1914  result = 0;
1915  goto end;
1916  }
1917 
1918  if (sm->next != NULL) {
1919  result = 0;
1920  goto end;
1921  }
1922 
1923  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1924  if (sm->type != DETECT_CONTENT) {
1925  result = 0;
1926  goto end;
1927  }
1928  ud = (DetectContentData *)sm->ctx;
1929  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1930  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1931  ud->flags & DETECT_CONTENT_NOCASE ||
1932  ud->flags & DETECT_CONTENT_WITHIN ||
1933  ud->flags & DETECT_CONTENT_DISTANCE ||
1934  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1935  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1936  ud->flags & DETECT_CONTENT_NEGATED ) {
1937  printf("two failed\n");
1938  result = 0;
1939  goto end;
1940  }
1941 
1942  sm = sm->next;
1943  if (sm->type != DETECT_BYTE_EXTRACT) {
1944  result = 0;
1945  goto end;
1946  }
1947  bed = (DetectByteExtractData *)sm->ctx;
1948  if (bed->nbytes != 4 ||
1949  bed->offset != 0 ||
1950  strcmp(bed->name, "two") != 0 ||
1951  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
1952  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1953  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
1954  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
1955  bed->align_value != 0 ||
1956  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1957  goto end;
1958  }
1959 
1960  result = 1;
1961 
1962  end:
1963  SigGroupCleanup(de_ctx);
1964  SigCleanSignatures(de_ctx);
1965  DetectEngineCtxFree(de_ctx);
1966 
1967  return result;
1968 }
1969 
1970 static int DetectByteExtractTest40(void)
1971 {
1972  DetectEngineCtx *de_ctx = NULL;
1973  int result = 0;
1974  Signature *s = NULL;
1975  SigMatch *sm = NULL;
1976  DetectContentData *cd = NULL;
1977  DetectContentData *ud = NULL;
1978  DetectByteExtractData *bed = NULL;
1979 
1980  de_ctx = DetectEngineCtxInit();
1981  if (de_ctx == NULL)
1982  goto end;
1983 
1984  de_ctx->flags |= DE_QUIET;
1985  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1986  "(msg:\"Testing bytejump_body\"; "
1987  "content:\"one\"; content:\"two\"; http_uri; "
1988  "byte_extract:4,0,two,string,hex; "
1989  "sid:1;)");
1990  if (de_ctx->sig_list == NULL) {
1991  result = 0;
1992  goto end;
1993  }
1994 
1995  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1996  result = 0;
1997  goto end;
1998  }
1999 
2000  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2001  if (sm->type != DETECT_CONTENT) {
2002  result = 0;
2003  goto end;
2004  }
2005  cd = (DetectContentData *)sm->ctx;
2006  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2007  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2008  cd->flags & DETECT_CONTENT_NOCASE ||
2009  cd->flags & DETECT_CONTENT_WITHIN ||
2010  cd->flags & DETECT_CONTENT_DISTANCE ||
2011  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2012  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2013  cd->flags & DETECT_CONTENT_NEGATED ) {
2014  printf("one failed\n");
2015  result = 0;
2016  goto end;
2017  }
2018 
2019  sm = sm->next;
2020  if (sm->type != DETECT_BYTE_EXTRACT) {
2021  result = 0;
2022  goto end;
2023  }
2024  bed = (DetectByteExtractData *)sm->ctx;
2025  if (bed->nbytes != 4 ||
2026  bed->offset != 0 ||
2027  strcmp(bed->name, "two") != 0 ||
2028  bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
2029  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2030  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2031  bed->align_value != 0 ||
2032  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2033  goto end;
2034  }
2035 
2036  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
2037  if (sm->type != DETECT_CONTENT) {
2038  result = 0;
2039  goto end;
2040  }
2041  ud = (DetectContentData *)sm->ctx;
2042  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2043  strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
2044  ud->flags & DETECT_CONTENT_NOCASE ||
2045  ud->flags & DETECT_CONTENT_WITHIN ||
2046  ud->flags & DETECT_CONTENT_DISTANCE ||
2047  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2048  ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2049  ud->flags & DETECT_CONTENT_NEGATED ) {
2050  printf("two failed\n");
2051  result = 0;
2052  goto end;
2053  }
2054 
2055  if (sm->next != NULL) {
2056  result = 0;
2057  goto end;
2058  }
2059 
2060  result = 1;
2061 
2062  end:
2063  SigGroupCleanup(de_ctx);
2064  SigCleanSignatures(de_ctx);
2065  DetectEngineCtxFree(de_ctx);
2066 
2067  return result;
2068 }
2069 
2070 static int DetectByteExtractTest41(void)
2071 {
2072  DetectEngineCtx *de_ctx = NULL;
2073  int result = 0;
2074  Signature *s = NULL;
2075  SigMatch *sm = NULL;
2076  DetectContentData *cd = NULL;
2077  DetectByteExtractData *bed = NULL;
2078 
2079  de_ctx = DetectEngineCtxInit();
2080  if (de_ctx == NULL)
2081  goto end;
2082 
2083  de_ctx->flags |= DE_QUIET;
2084  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2085  "(msg:\"Testing bytejump_body\"; "
2086  "content:\"one\"; "
2087  "byte_extract:4,0,two,string,hex; "
2088  "byte_extract:4,0,three,string,hex; "
2089  "sid:1;)");
2090  if (de_ctx->sig_list == NULL) {
2091  result = 0;
2092  goto end;
2093  }
2094 
2095  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2096  result = 0;
2097  goto end;
2098  }
2099 
2100  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2101  if (sm->type != DETECT_CONTENT) {
2102  result = 0;
2103  goto end;
2104  }
2105  cd = (DetectContentData *)sm->ctx;
2106  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2107  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2108  cd->flags & DETECT_CONTENT_NOCASE ||
2109  cd->flags & DETECT_CONTENT_WITHIN ||
2110  cd->flags & DETECT_CONTENT_DISTANCE ||
2111  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2112  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2113  cd->flags & DETECT_CONTENT_NEGATED ) {
2114  printf("one failed\n");
2115  result = 0;
2116  goto end;
2117  }
2118 
2119  sm = sm->next;
2120  if (sm->type != DETECT_BYTE_EXTRACT) {
2121  result = 0;
2122  goto end;
2123  }
2124  bed = (DetectByteExtractData *)sm->ctx;
2125  if (bed->nbytes != 4 ||
2126  bed->offset != 0 ||
2127  strcmp(bed->name, "two") != 0 ||
2128  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2129  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2130  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2131  bed->align_value != 0 ||
2132  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2133  goto end;
2134  }
2135  if (bed->local_id != 0) {
2136  result = 0;
2137  goto end;
2138  }
2139 
2140  sm = sm->next;
2141  if (sm->type != DETECT_BYTE_EXTRACT) {
2142  result = 0;
2143  goto end;
2144  }
2145  bed = (DetectByteExtractData *)sm->ctx;
2146  if (bed->nbytes != 4 ||
2147  bed->offset != 0 ||
2148  strcmp(bed->name, "three") != 0 ||
2149  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2150  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2151  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2152  bed->align_value != 0 ||
2153  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2154  goto end;
2155  }
2156  if (bed->local_id != 1) {
2157  result = 0;
2158  goto end;
2159  }
2160 
2161  result = 1;
2162 
2163  end:
2164  SigGroupCleanup(de_ctx);
2165  SigCleanSignatures(de_ctx);
2166  DetectEngineCtxFree(de_ctx);
2167 
2168  return result;
2169 }
2170 
2171 static int DetectByteExtractTest42(void)
2172 {
2173  DetectEngineCtx *de_ctx = NULL;
2174  int result = 0;
2175  Signature *s = NULL;
2176  SigMatch *sm = NULL;
2177  DetectContentData *cd = NULL;
2178  DetectContentData *ud = NULL;
2179  DetectByteExtractData *bed = NULL;
2180 
2181  de_ctx = DetectEngineCtxInit();
2182  if (de_ctx == NULL)
2183  goto end;
2184 
2185  de_ctx->flags |= DE_QUIET;
2186  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2187  "(msg:\"Testing bytejump_body\"; "
2188  "content:\"one\"; "
2189  "byte_extract:4,0,two,string,hex; "
2190  "uricontent: \"three\"; "
2191  "byte_extract:4,0,four,string,hex,relative; "
2192  "byte_extract:4,0,five,string,hex; "
2193  "sid:1;)");
2194  if (de_ctx->sig_list == NULL) {
2195  result = 0;
2196  goto end;
2197  }
2198 
2199  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2200  result = 0;
2201  goto end;
2202  }
2203 
2204  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2205  if (sm->type != DETECT_CONTENT) {
2206  result = 0;
2207  goto end;
2208  }
2209  cd = (DetectContentData *)sm->ctx;
2210  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2211  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2212  cd->flags & DETECT_CONTENT_NOCASE ||
2213  cd->flags & DETECT_CONTENT_WITHIN ||
2214  cd->flags & DETECT_CONTENT_DISTANCE ||
2215  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2216  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2217  cd->flags & DETECT_CONTENT_NEGATED ) {
2218  printf("one failed\n");
2219  result = 0;
2220  goto end;
2221  }
2222 
2223  sm = sm->next;
2224  if (sm->type != DETECT_BYTE_EXTRACT) {
2225  result = 0;
2226  goto end;
2227  }
2228  bed = (DetectByteExtractData *)sm->ctx;
2229  if (bed->nbytes != 4 ||
2230  bed->offset != 0 ||
2231  strcmp(bed->name, "two") != 0 ||
2232  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2233  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2234  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2235  bed->align_value != 0 ||
2236  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2237  goto end;
2238  }
2239  if (bed->local_id != 0) {
2240  result = 0;
2241  goto end;
2242  }
2243 
2244  sm = sm->next;
2245  if (sm->type != DETECT_BYTE_EXTRACT) {
2246  result = 0;
2247  goto end;
2248  }
2249  bed = (DetectByteExtractData *)sm->ctx;
2250  if (bed->nbytes != 4 ||
2251  bed->offset != 0 ||
2252  strcmp(bed->name, "five") != 0 ||
2253  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2254  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2255  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2256  bed->align_value != 0 ||
2257  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2258  goto end;
2259  }
2260  if (bed->local_id != 1) {
2261  result = 0;
2262  goto end;
2263  }
2264 
2265  if (sm->next != NULL)
2266  goto end;
2267 
2268  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
2269  if (sm->type != DETECT_CONTENT) {
2270  result = 0;
2271  goto end;
2272  }
2273  ud = (DetectContentData *)sm->ctx;
2274  if (ud->flags & DETECT_CONTENT_RAWBYTES ||
2275  strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
2276  ud->flags & DETECT_CONTENT_NOCASE ||
2277  ud->flags & DETECT_CONTENT_WITHIN ||
2278  ud->flags & DETECT_CONTENT_DISTANCE ||
2279  ud->flags & DETECT_CONTENT_FAST_PATTERN ||
2280  !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2281  ud->flags & DETECT_CONTENT_NEGATED ) {
2282  printf("two failed\n");
2283  result = 0;
2284  goto end;
2285  }
2286 
2287  sm = sm->next;
2288  if (sm->type != DETECT_BYTE_EXTRACT) {
2289  result = 0;
2290  goto end;
2291  }
2292  bed = (DetectByteExtractData *)sm->ctx;
2293  if (bed->nbytes != 4 ||
2294  bed->offset != 0 ||
2295  strcmp(bed->name, "four") != 0 ||
2296  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
2297  DETECT_BYTE_EXTRACT_FLAG_STRING) ||
2298  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2299  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2300  bed->align_value != 0 ||
2301  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2302  goto end;
2303  }
2304  if (bed->local_id != 0) {
2305  result = 0;
2306  goto end;
2307  }
2308 
2309  if (sm->next != NULL)
2310  goto end;
2311 
2312  result = 1;
2313 
2314  end:
2315  SigGroupCleanup(de_ctx);
2316  SigCleanSignatures(de_ctx);
2317  DetectEngineCtxFree(de_ctx);
2318 
2319  return result;
2320 }
2321 
2322 static int DetectByteExtractTest43(void)
2323 {
2324  DetectEngineCtx *de_ctx = NULL;
2325  int result = 0;
2326  Signature *s = NULL;
2327  SigMatch *sm = NULL;
2328  DetectContentData *cd = NULL;
2329  DetectByteExtractData *bed = NULL;
2330 
2331  de_ctx = DetectEngineCtxInit();
2332  if (de_ctx == NULL)
2333  goto end;
2334 
2335  de_ctx->flags |= DE_QUIET;
2336  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2337  "(msg:\"Testing bytejump_body\"; "
2338  "content:\"one\"; "
2339  "byte_extract:4,0,two,string,hex; "
2340  "content: \"three\"; offset:two; "
2341  "sid:1;)");
2342  if (de_ctx->sig_list == NULL) {
2343  result = 0;
2344  goto end;
2345  }
2346 
2347  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2348  result = 0;
2349  goto end;
2350  }
2351 
2352  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2353  if (sm->type != DETECT_CONTENT) {
2354  result = 0;
2355  goto end;
2356  }
2357  cd = (DetectContentData *)sm->ctx;
2358  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2359  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2360  cd->flags & DETECT_CONTENT_NOCASE ||
2361  cd->flags & DETECT_CONTENT_WITHIN ||
2362  cd->flags & DETECT_CONTENT_DISTANCE ||
2363  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2364  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2365  cd->flags & DETECT_CONTENT_NEGATED ) {
2366  printf("one failed\n");
2367  result = 0;
2368  goto end;
2369  }
2370 
2371  sm = sm->next;
2372  if (sm->type != DETECT_BYTE_EXTRACT) {
2373  result = 0;
2374  goto end;
2375  }
2376  bed = (DetectByteExtractData *)sm->ctx;
2377  if (bed->nbytes != 4 ||
2378  bed->offset != 0 ||
2379  strcmp(bed->name, "two") != 0 ||
2380  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2381  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2382  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2383  bed->align_value != 0 ||
2384  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2385  goto end;
2386  }
2387  if (bed->local_id != 0) {
2388  result = 0;
2389  goto end;
2390  }
2391 
2392  sm = sm->next;
2393  if (sm->type != DETECT_CONTENT) {
2394  result = 0;
2395  goto end;
2396  }
2397  cd = (DetectContentData *)sm->ctx;
2398  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2399  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2400  DETECT_CONTENT_OFFSET) ||
2401  cd->offset != bed->local_id) {
2402  printf("three failed\n");
2403  result = 0;
2404  goto end;
2405  }
2406 
2407  if (sm->next != NULL)
2408  goto end;
2409 
2410  result = 1;
2411 
2412  end:
2413  SigGroupCleanup(de_ctx);
2414  SigCleanSignatures(de_ctx);
2415  DetectEngineCtxFree(de_ctx);
2416 
2417  return result;
2418 }
2419 
2420 static int DetectByteExtractTest44(void)
2421 {
2422  DetectEngineCtx *de_ctx = NULL;
2423  int result = 0;
2424  Signature *s = NULL;
2425  SigMatch *sm = NULL;
2426  DetectContentData *cd = NULL;
2427  DetectByteExtractData *bed1 = NULL;
2428  DetectByteExtractData *bed2 = NULL;
2429 
2430  de_ctx = DetectEngineCtxInit();
2431  if (de_ctx == NULL)
2432  goto end;
2433 
2434  de_ctx->flags |= DE_QUIET;
2435  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2436  "(msg:\"Testing bytejump_body\"; "
2437  "content:\"one\"; "
2438  "byte_extract:4,0,two,string,hex; "
2439  "byte_extract:4,0,three,string,hex; "
2440  "content: \"four\"; offset:two; "
2441  "content: \"five\"; offset:three; "
2442  "sid:1;)");
2443  if (de_ctx->sig_list == NULL) {
2444  result = 0;
2445  goto end;
2446  }
2447 
2448  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2449  result = 0;
2450  goto end;
2451  }
2452 
2453  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2454  if (sm->type != DETECT_CONTENT) {
2455  result = 0;
2456  goto end;
2457  }
2458  cd = (DetectContentData *)sm->ctx;
2459  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2460  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2461  cd->flags & DETECT_CONTENT_NOCASE ||
2462  cd->flags & DETECT_CONTENT_WITHIN ||
2463  cd->flags & DETECT_CONTENT_DISTANCE ||
2464  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2465  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2466  cd->flags & DETECT_CONTENT_NEGATED ) {
2467  printf("one failed\n");
2468  result = 0;
2469  goto end;
2470  }
2471 
2472  sm = sm->next;
2473  if (sm->type != DETECT_BYTE_EXTRACT) {
2474  result = 0;
2475  goto end;
2476  }
2477  bed1 = (DetectByteExtractData *)sm->ctx;
2478  if (bed1->nbytes != 4 ||
2479  bed1->offset != 0 ||
2480  strcmp(bed1->name, "two") != 0 ||
2481  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2482  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2483  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2484  bed1->align_value != 0 ||
2485  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2486  goto end;
2487  }
2488  if (bed1->local_id != 0) {
2489  result = 0;
2490  goto end;
2491  }
2492 
2493  sm = sm->next;
2494  if (sm->type != DETECT_BYTE_EXTRACT) {
2495  result = 0;
2496  goto end;
2497  }
2498  bed2 = (DetectByteExtractData *)sm->ctx;
2499 
2500  sm = sm->next;
2501  if (sm->type != DETECT_CONTENT) {
2502  result = 0;
2503  goto end;
2504  }
2505  cd = (DetectContentData *)sm->ctx;
2506  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2507  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2508  DETECT_CONTENT_OFFSET) ||
2509  cd->offset != bed1->local_id) {
2510  printf("four failed\n");
2511  result = 0;
2512  goto end;
2513  }
2514 
2515  sm = sm->next;
2516  if (sm->type != DETECT_CONTENT) {
2517  result = 0;
2518  goto end;
2519  }
2520  cd = (DetectContentData *)sm->ctx;
2521  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2522  cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2523  DETECT_CONTENT_OFFSET) ||
2524  cd->offset != bed2->local_id) {
2525  printf("five failed\n");
2526  result = 0;
2527  goto end;
2528  }
2529 
2530  if (sm->next != NULL)
2531  goto end;
2532 
2533  result = 1;
2534 
2535  end:
2536  SigGroupCleanup(de_ctx);
2537  SigCleanSignatures(de_ctx);
2538  DetectEngineCtxFree(de_ctx);
2539 
2540  return result;
2541 }
2542 
2543 static int DetectByteExtractTest45(void)
2544 {
2545  DetectEngineCtx *de_ctx = NULL;
2546  int result = 0;
2547  Signature *s = NULL;
2548  SigMatch *sm = NULL;
2549  DetectContentData *cd = NULL;
2550  DetectByteExtractData *bed = NULL;
2551 
2552  de_ctx = DetectEngineCtxInit();
2553  if (de_ctx == NULL)
2554  goto end;
2555 
2556  de_ctx->flags |= DE_QUIET;
2557  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2558  "(msg:\"Testing bytejump_body\"; "
2559  "content:\"one\"; "
2560  "byte_extract:4,0,two,string,hex; "
2561  "content: \"three\"; depth:two; "
2562  "sid:1;)");
2563  if (de_ctx->sig_list == NULL) {
2564  result = 0;
2565  goto end;
2566  }
2567 
2568  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2569  result = 0;
2570  goto end;
2571  }
2572 
2573  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2574  if (sm->type != DETECT_CONTENT) {
2575  result = 0;
2576  goto end;
2577  }
2578  cd = (DetectContentData *)sm->ctx;
2579  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2580  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2581  cd->flags & DETECT_CONTENT_NOCASE ||
2582  cd->flags & DETECT_CONTENT_WITHIN ||
2583  cd->flags & DETECT_CONTENT_DISTANCE ||
2584  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2585  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2586  cd->flags & DETECT_CONTENT_NEGATED ) {
2587  printf("one failed\n");
2588  result = 0;
2589  goto end;
2590  }
2591 
2592  sm = sm->next;
2593  if (sm->type != DETECT_BYTE_EXTRACT) {
2594  result = 0;
2595  goto end;
2596  }
2597  bed = (DetectByteExtractData *)sm->ctx;
2598  if (bed->nbytes != 4 ||
2599  bed->offset != 0 ||
2600  strcmp(bed->name, "two") != 0 ||
2601  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2602  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2603  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2604  bed->align_value != 0 ||
2605  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2606  goto end;
2607  }
2608  if (bed->local_id != 0) {
2609  result = 0;
2610  goto end;
2611  }
2612 
2613  sm = sm->next;
2614  if (sm->type != DETECT_CONTENT) {
2615  result = 0;
2616  goto end;
2617  }
2618  cd = (DetectContentData *)sm->ctx;
2619  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2620  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2621  DETECT_CONTENT_DEPTH) ||
2622  cd->depth != bed->local_id ||
2623  cd->offset != 0) {
2624  printf("three failed\n");
2625  result = 0;
2626  goto end;
2627  }
2628 
2629  if (sm->next != NULL)
2630  goto end;
2631 
2632  result = 1;
2633 
2634  end:
2635  SigGroupCleanup(de_ctx);
2636  SigCleanSignatures(de_ctx);
2637  DetectEngineCtxFree(de_ctx);
2638 
2639  return result;
2640 }
2641 
2642 static int DetectByteExtractTest46(void)
2643 {
2644  DetectEngineCtx *de_ctx = NULL;
2645  int result = 0;
2646  Signature *s = NULL;
2647  SigMatch *sm = NULL;
2648  DetectContentData *cd = NULL;
2649  DetectByteExtractData *bed1 = NULL;
2650  DetectByteExtractData *bed2 = NULL;
2651 
2652  de_ctx = DetectEngineCtxInit();
2653  if (de_ctx == NULL)
2654  goto end;
2655 
2656  de_ctx->flags |= DE_QUIET;
2657  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2658  "(msg:\"Testing bytejump_body\"; "
2659  "content:\"one\"; "
2660  "byte_extract:4,0,two,string,hex; "
2661  "byte_extract:4,0,three,string,hex; "
2662  "content: \"four\"; depth:two; "
2663  "content: \"five\"; depth:three; "
2664  "sid:1;)");
2665  if (de_ctx->sig_list == NULL) {
2666  result = 0;
2667  goto end;
2668  }
2669 
2670  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2671  result = 0;
2672  goto end;
2673  }
2674 
2675  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2676  if (sm->type != DETECT_CONTENT) {
2677  result = 0;
2678  goto end;
2679  }
2680  cd = (DetectContentData *)sm->ctx;
2681  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2682  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2683  cd->flags & DETECT_CONTENT_NOCASE ||
2684  cd->flags & DETECT_CONTENT_WITHIN ||
2685  cd->flags & DETECT_CONTENT_DISTANCE ||
2686  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2687  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2688  cd->flags & DETECT_CONTENT_NEGATED ) {
2689  printf("one failed\n");
2690  result = 0;
2691  goto end;
2692  }
2693 
2694  sm = sm->next;
2695  if (sm->type != DETECT_BYTE_EXTRACT) {
2696  result = 0;
2697  goto end;
2698  }
2699  bed1 = (DetectByteExtractData *)sm->ctx;
2700  if (bed1->nbytes != 4 ||
2701  bed1->offset != 0 ||
2702  strcmp(bed1->name, "two") != 0 ||
2703  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2704  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2705  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2706  bed1->align_value != 0 ||
2707  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2708  goto end;
2709  }
2710  if (bed1->local_id != 0) {
2711  result = 0;
2712  goto end;
2713  }
2714 
2715  sm = sm->next;
2716  if (sm->type != DETECT_BYTE_EXTRACT) {
2717  result = 0;
2718  goto end;
2719  }
2720  bed2 = (DetectByteExtractData *)sm->ctx;
2721 
2722  sm = sm->next;
2723  if (sm->type != DETECT_CONTENT) {
2724  result = 0;
2725  goto end;
2726  }
2727  cd = (DetectContentData *)sm->ctx;
2728  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2729  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2730  DETECT_CONTENT_DEPTH) ||
2731  cd->depth != bed1->local_id) {
2732  printf("four failed\n");
2733  result = 0;
2734  goto end;
2735  }
2736 
2737  sm = sm->next;
2738  if (sm->type != DETECT_CONTENT) {
2739  result = 0;
2740  goto end;
2741  }
2742  cd = (DetectContentData *)sm->ctx;
2743  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2744  cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2745  DETECT_CONTENT_DEPTH) ||
2746  cd->depth != bed2->local_id) {
2747  printf("five failed\n");
2748  result = 0;
2749  goto end;
2750  }
2751 
2752  if (sm->next != NULL)
2753  goto end;
2754 
2755  result = 1;
2756 
2757  end:
2758  SigGroupCleanup(de_ctx);
2759  SigCleanSignatures(de_ctx);
2760  DetectEngineCtxFree(de_ctx);
2761 
2762  return result;
2763 }
2764 
2765 static int DetectByteExtractTest47(void)
2766 {
2767  DetectEngineCtx *de_ctx = NULL;
2768  int result = 0;
2769  Signature *s = NULL;
2770  SigMatch *sm = NULL;
2771  DetectContentData *cd = NULL;
2772  DetectByteExtractData *bed = NULL;
2773 
2774  de_ctx = DetectEngineCtxInit();
2775  if (de_ctx == NULL)
2776  goto end;
2777 
2778  de_ctx->flags |= DE_QUIET;
2779  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2780  "(msg:\"Testing bytejump_body\"; "
2781  "content:\"one\"; "
2782  "byte_extract:4,0,two,string,hex; "
2783  "content: \"three\"; distance:two; "
2784  "sid:1;)");
2785  if (de_ctx->sig_list == NULL) {
2786  result = 0;
2787  goto end;
2788  }
2789 
2790  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2791  result = 0;
2792  goto end;
2793  }
2794 
2795  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2796  if (sm->type != DETECT_CONTENT) {
2797  result = 0;
2798  goto end;
2799  }
2800  cd = (DetectContentData *)sm->ctx;
2801  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2802  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2803  cd->flags & DETECT_CONTENT_NOCASE ||
2804  cd->flags & DETECT_CONTENT_WITHIN ||
2805  cd->flags & DETECT_CONTENT_DISTANCE ||
2806  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2807  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2808  cd->flags & DETECT_CONTENT_NEGATED ) {
2809  printf("one failed\n");
2810  result = 0;
2811  goto end;
2812  }
2813 
2814  sm = sm->next;
2815  if (sm->type != DETECT_BYTE_EXTRACT) {
2816  result = 0;
2817  goto end;
2818  }
2819  bed = (DetectByteExtractData *)sm->ctx;
2820  if (bed->nbytes != 4 ||
2821  bed->offset != 0 ||
2822  strcmp(bed->name, "two") != 0 ||
2823  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2824  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2825  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2826  bed->align_value != 0 ||
2827  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2828  goto end;
2829  }
2830  if (bed->local_id != 0) {
2831  result = 0;
2832  goto end;
2833  }
2834 
2835  sm = sm->next;
2836  if (sm->type != DETECT_CONTENT) {
2837  result = 0;
2838  goto end;
2839  }
2840  cd = (DetectContentData *)sm->ctx;
2841  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2842  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2843  DETECT_CONTENT_DISTANCE) ||
2844  cd->distance != bed->local_id ||
2845  cd->offset != 0 ||
2846  cd->depth != 0) {
2847  printf("three failed\n");
2848  result = 0;
2849  goto end;
2850  }
2851 
2852  if (sm->next != NULL)
2853  goto end;
2854 
2855  result = 1;
2856 
2857  end:
2858  SigGroupCleanup(de_ctx);
2859  SigCleanSignatures(de_ctx);
2860  DetectEngineCtxFree(de_ctx);
2861 
2862  return result;
2863 }
2864 
2865 static int DetectByteExtractTest48(void)
2866 {
2867  DetectEngineCtx *de_ctx = NULL;
2868  int result = 0;
2869  Signature *s = NULL;
2870  SigMatch *sm = NULL;
2871  DetectContentData *cd = NULL;
2872  DetectByteExtractData *bed1 = NULL;
2873  DetectByteExtractData *bed2 = NULL;
2874 
2875  de_ctx = DetectEngineCtxInit();
2876  if (de_ctx == NULL)
2877  goto end;
2878 
2879  de_ctx->flags |= DE_QUIET;
2880  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2881  "(msg:\"Testing bytejump_body\"; "
2882  "content:\"one\"; "
2883  "byte_extract:4,0,two,string,hex; "
2884  "byte_extract:4,0,three,string,hex; "
2885  "content: \"four\"; distance:two; "
2886  "content: \"five\"; distance:three; "
2887  "sid:1;)");
2888  if (de_ctx->sig_list == NULL) {
2889  result = 0;
2890  goto end;
2891  }
2892 
2893  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2894  result = 0;
2895  goto end;
2896  }
2897 
2898  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2899  if (sm->type != DETECT_CONTENT) {
2900  result = 0;
2901  goto end;
2902  }
2903  cd = (DetectContentData *)sm->ctx;
2904  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2905  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2906  cd->flags & DETECT_CONTENT_NOCASE ||
2907  cd->flags & DETECT_CONTENT_WITHIN ||
2908  cd->flags & DETECT_CONTENT_DISTANCE ||
2909  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2910  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2911  cd->flags & DETECT_CONTENT_NEGATED ) {
2912  printf("one failed\n");
2913  result = 0;
2914  goto end;
2915  }
2916 
2917  sm = sm->next;
2918  if (sm->type != DETECT_BYTE_EXTRACT) {
2919  result = 0;
2920  goto end;
2921  }
2922  bed1 = (DetectByteExtractData *)sm->ctx;
2923  if (bed1->nbytes != 4 ||
2924  bed1->offset != 0 ||
2925  strcmp(bed1->name, "two") != 0 ||
2926  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
2927  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
2928  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
2929  bed1->align_value != 0 ||
2930  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2931  goto end;
2932  }
2933  if (bed1->local_id != 0) {
2934  result = 0;
2935  goto end;
2936  }
2937 
2938  sm = sm->next;
2939  if (sm->type != DETECT_BYTE_EXTRACT) {
2940  result = 0;
2941  goto end;
2942  }
2943  bed2 = (DetectByteExtractData *)sm->ctx;
2944 
2945  sm = sm->next;
2946  if (sm->type != DETECT_CONTENT) {
2947  result = 0;
2948  goto end;
2949  }
2950  cd = (DetectContentData *)sm->ctx;
2951  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2952  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2953  DETECT_CONTENT_DISTANCE |
2954  DETECT_CONTENT_DISTANCE_NEXT) ||
2955  cd->distance != bed1->local_id ||
2956  cd->depth != 0 ||
2957  cd->offset != 0) {
2958  printf("four failed\n");
2959  result = 0;
2960  goto end;
2961  }
2962 
2963  sm = sm->next;
2964  if (sm->type != DETECT_CONTENT) {
2965  result = 0;
2966  goto end;
2967  }
2968  cd = (DetectContentData *)sm->ctx;
2969  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2970  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2971  DETECT_CONTENT_DISTANCE) ||
2972  cd->distance != bed2->local_id ||
2973  cd->depth != 0 ||
2974  cd->offset != 0) {
2975  printf("five failed\n");
2976  result = 0;
2977  goto end;
2978  }
2979 
2980  if (sm->next != NULL)
2981  goto end;
2982 
2983  result = 1;
2984 
2985  end:
2986  SigGroupCleanup(de_ctx);
2987  SigCleanSignatures(de_ctx);
2988  DetectEngineCtxFree(de_ctx);
2989 
2990  return result;
2991 }
2992 
2993 static int DetectByteExtractTest49(void)
2994 {
2995  DetectEngineCtx *de_ctx = NULL;
2996  int result = 0;
2997  Signature *s = NULL;
2998  SigMatch *sm = NULL;
2999  DetectContentData *cd = NULL;
3000  DetectByteExtractData *bed = NULL;
3001 
3002  de_ctx = DetectEngineCtxInit();
3003  if (de_ctx == NULL)
3004  goto end;
3005 
3006  de_ctx->flags |= DE_QUIET;
3007  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3008  "(msg:\"Testing bytejump_body\"; "
3009  "content:\"one\"; "
3010  "byte_extract:4,0,two,string,hex; "
3011  "content: \"three\"; within:two; "
3012  "sid:1;)");
3013  if (de_ctx->sig_list == NULL) {
3014  result = 0;
3015  goto end;
3016  }
3017 
3018  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3019  result = 0;
3020  goto end;
3021  }
3022 
3023  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3024  if (sm->type != DETECT_CONTENT) {
3025  result = 0;
3026  goto end;
3027  }
3028  cd = (DetectContentData *)sm->ctx;
3029  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3030  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3031  cd->flags & DETECT_CONTENT_NOCASE ||
3032  cd->flags & DETECT_CONTENT_WITHIN ||
3033  cd->flags & DETECT_CONTENT_DISTANCE ||
3034  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3035  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3036  cd->flags & DETECT_CONTENT_NEGATED ) {
3037  printf("one failed\n");
3038  result = 0;
3039  goto end;
3040  }
3041 
3042  sm = sm->next;
3043  if (sm->type != DETECT_BYTE_EXTRACT) {
3044  result = 0;
3045  goto end;
3046  }
3047  bed = (DetectByteExtractData *)sm->ctx;
3048  if (bed->nbytes != 4 ||
3049  bed->offset != 0 ||
3050  strcmp(bed->name, "two") != 0 ||
3051  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3052  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3053  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3054  bed->align_value != 0 ||
3055  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3056  goto end;
3057  }
3058  if (bed->local_id != 0) {
3059  result = 0;
3060  goto end;
3061  }
3062 
3063  sm = sm->next;
3064  if (sm->type != DETECT_CONTENT) {
3065  result = 0;
3066  goto end;
3067  }
3068  cd = (DetectContentData *)sm->ctx;
3069  if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
3070  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3071  DETECT_CONTENT_WITHIN) ||
3072  cd->within != bed->local_id ||
3073  cd->offset != 0 ||
3074  cd->depth != 0 ||
3075  cd->distance != 0) {
3076  printf("three failed\n");
3077  result = 0;
3078  goto end;
3079  }
3080 
3081  if (sm->next != NULL)
3082  goto end;
3083 
3084  result = 1;
3085 
3086  end:
3087  SigGroupCleanup(de_ctx);
3088  SigCleanSignatures(de_ctx);
3089  DetectEngineCtxFree(de_ctx);
3090 
3091  return result;
3092 }
3093 
3094 static int DetectByteExtractTest50(void)
3095 {
3096  DetectEngineCtx *de_ctx = NULL;
3097  int result = 0;
3098  Signature *s = NULL;
3099  SigMatch *sm = NULL;
3100  DetectContentData *cd = NULL;
3101  DetectByteExtractData *bed1 = NULL;
3102  DetectByteExtractData *bed2 = NULL;
3103 
3104  de_ctx = DetectEngineCtxInit();
3105  if (de_ctx == NULL)
3106  goto end;
3107 
3108  de_ctx->flags |= DE_QUIET;
3109  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3110  "(msg:\"Testing bytejump_body\"; "
3111  "content:\"one\"; "
3112  "byte_extract:4,0,two,string,hex; "
3113  "byte_extract:4,0,three,string,hex; "
3114  "content: \"four\"; within:two; "
3115  "content: \"five\"; within:three; "
3116  "sid:1;)");
3117  if (de_ctx->sig_list == NULL) {
3118  result = 0;
3119  goto end;
3120  }
3121 
3122  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3123  result = 0;
3124  goto end;
3125  }
3126 
3127  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3128  if (sm->type != DETECT_CONTENT) {
3129  result = 0;
3130  goto end;
3131  }
3132  cd = (DetectContentData *)sm->ctx;
3133  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3134  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3135  cd->flags & DETECT_CONTENT_NOCASE ||
3136  cd->flags & DETECT_CONTENT_WITHIN ||
3137  cd->flags & DETECT_CONTENT_DISTANCE ||
3138  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3139  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3140  cd->flags & DETECT_CONTENT_NEGATED ) {
3141  printf("one failed\n");
3142  result = 0;
3143  goto end;
3144  }
3145 
3146  sm = sm->next;
3147  if (sm->type != DETECT_BYTE_EXTRACT) {
3148  result = 0;
3149  goto end;
3150  }
3151  bed1 = (DetectByteExtractData *)sm->ctx;
3152  if (bed1->nbytes != 4 ||
3153  bed1->offset != 0 ||
3154  strcmp(bed1->name, "two") != 0 ||
3155  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3156  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3157  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3158  bed1->align_value != 0 ||
3159  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3160  goto end;
3161  }
3162  if (bed1->local_id != 0) {
3163  result = 0;
3164  goto end;
3165  }
3166 
3167  sm = sm->next;
3168  if (sm->type != DETECT_BYTE_EXTRACT) {
3169  result = 0;
3170  goto end;
3171  }
3172  bed2 = (DetectByteExtractData *)sm->ctx;
3173 
3174  sm = sm->next;
3175  if (sm->type != DETECT_CONTENT) {
3176  result = 0;
3177  goto end;
3178  }
3179  cd = (DetectContentData *)sm->ctx;
3180  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3181  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3182  DETECT_CONTENT_WITHIN|
3183  DETECT_CONTENT_WITHIN_NEXT) ||
3184  cd->within != bed1->local_id ||
3185  cd->depth != 0 ||
3186  cd->offset != 0 ||
3187  cd->distance != 0) {
3188  printf("four failed\n");
3189  result = 0;
3190  goto end;
3191  }
3192 
3193  sm = sm->next;
3194  if (sm->type != DETECT_CONTENT) {
3195  result = 0;
3196  goto end;
3197  }
3198  cd = (DetectContentData *)sm->ctx;
3199  if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
3200  cd->flags != (DETECT_CONTENT_WITHIN_VAR |
3201  DETECT_CONTENT_WITHIN) ||
3202  cd->within != bed2->local_id ||
3203  cd->depth != 0 ||
3204  cd->offset != 0 ||
3205  cd->distance != 0) {
3206  printf("five failed\n");
3207  result = 0;
3208  goto end;
3209  }
3210 
3211  if (sm->next != NULL)
3212  goto end;
3213 
3214  result = 1;
3215 
3216  end:
3217  SigGroupCleanup(de_ctx);
3218  SigCleanSignatures(de_ctx);
3219  DetectEngineCtxFree(de_ctx);
3220 
3221  return result;
3222 }
3223 
3224 static int DetectByteExtractTest51(void)
3225 {
3226  DetectEngineCtx *de_ctx = NULL;
3227  int result = 0;
3228  Signature *s = NULL;
3229  SigMatch *sm = NULL;
3230  DetectContentData *cd = NULL;
3231  DetectByteExtractData *bed = NULL;
3232  DetectBytetestData *btd = NULL;
3233 
3234  de_ctx = DetectEngineCtxInit();
3235  if (de_ctx == NULL)
3236  goto end;
3237 
3238  de_ctx->flags |= DE_QUIET;
3239  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3240  "(msg:\"Testing bytejump_body\"; "
3241  "content:\"one\"; "
3242  "byte_extract:4,0,two,string,hex; "
3243  "byte_test: 2,=,10, two; "
3244  "sid:1;)");
3245  if (de_ctx->sig_list == NULL) {
3246  result = 0;
3247  goto end;
3248  }
3249 
3250  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3251  result = 0;
3252  goto end;
3253  }
3254 
3255  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3256  if (sm->type != DETECT_CONTENT) {
3257  result = 0;
3258  goto end;
3259  }
3260  cd = (DetectContentData *)sm->ctx;
3261  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3262  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3263  cd->flags & DETECT_CONTENT_NOCASE ||
3264  cd->flags & DETECT_CONTENT_WITHIN ||
3265  cd->flags & DETECT_CONTENT_DISTANCE ||
3266  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3267  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3268  cd->flags & DETECT_CONTENT_NEGATED ) {
3269  printf("one failed\n");
3270  result = 0;
3271  goto end;
3272  }
3273 
3274  sm = sm->next;
3275  if (sm->type != DETECT_BYTE_EXTRACT) {
3276  result = 0;
3277  goto end;
3278  }
3279  bed = (DetectByteExtractData *)sm->ctx;
3280  if (bed->nbytes != 4 ||
3281  bed->offset != 0 ||
3282  strcmp(bed->name, "two") != 0 ||
3283  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3284  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3285  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3286  bed->align_value != 0 ||
3287  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3288  goto end;
3289  }
3290  if (bed->local_id != 0) {
3291  result = 0;
3292  goto end;
3293  }
3294 
3295  sm = sm->next;
3296  if (sm->type != DETECT_BYTETEST) {
3297  result = 0;
3298  goto end;
3299  }
3300  btd = (DetectBytetestData *)sm->ctx;
3301  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3302  btd->value != 10 ||
3303  btd->offset != 0) {
3304  printf("three failed\n");
3305  result = 0;
3306  goto end;
3307  }
3308 
3309  if (sm->next != NULL)
3310  goto end;
3311 
3312  result = 1;
3313 
3314  end:
3315  SigGroupCleanup(de_ctx);
3316  SigCleanSignatures(de_ctx);
3317  DetectEngineCtxFree(de_ctx);
3318 
3319  return result;
3320 }
3321 
3322 static int DetectByteExtractTest52(void)
3323 {
3324  DetectEngineCtx *de_ctx = NULL;
3325  int result = 0;
3326  Signature *s = NULL;
3327  SigMatch *sm = NULL;
3328  DetectContentData *cd = NULL;
3329  DetectByteExtractData *bed1 = NULL;
3330  DetectBytetestData *btd = NULL;
3331 
3332  de_ctx = DetectEngineCtxInit();
3333  if (de_ctx == NULL)
3334  goto end;
3335 
3336  de_ctx->flags |= DE_QUIET;
3337  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3338  "(msg:\"Testing bytejump_body\"; "
3339  "content:\"one\"; "
3340  "byte_extract:4,0,two,string,hex; "
3341  "byte_extract:4,0,three,string,hex; "
3342  "byte_test: 2,=,two,three; "
3343  "byte_test: 3,=,10,three; "
3344  "sid:1;)");
3345  if (de_ctx->sig_list == NULL) {
3346  result = 0;
3347  goto end;
3348  }
3349 
3350  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3351  result = 0;
3352  goto end;
3353  }
3354 
3355  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3356  if (sm->type != DETECT_CONTENT) {
3357  result = 0;
3358  goto end;
3359  }
3360  cd = (DetectContentData *)sm->ctx;
3361  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3362  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3363  cd->flags & DETECT_CONTENT_NOCASE ||
3364  cd->flags & DETECT_CONTENT_WITHIN ||
3365  cd->flags & DETECT_CONTENT_DISTANCE ||
3366  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3367  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3368  cd->flags & DETECT_CONTENT_NEGATED ) {
3369  printf("one failed\n");
3370  result = 0;
3371  goto end;
3372  }
3373 
3374  sm = sm->next;
3375  if (sm->type != DETECT_BYTE_EXTRACT) {
3376  result = 0;
3377  goto end;
3378  }
3379  bed1 = (DetectByteExtractData *)sm->ctx;
3380  if (bed1->nbytes != 4 ||
3381  bed1->offset != 0 ||
3382  strcmp(bed1->name, "two") != 0 ||
3383  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3384  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3385  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3386  bed1->align_value != 0 ||
3387  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3388  goto end;
3389  }
3390  if (bed1->local_id != 0) {
3391  result = 0;
3392  goto end;
3393  }
3394 
3395  sm = sm->next;
3396  if (sm->type != DETECT_BYTE_EXTRACT) {
3397  result = 0;
3398  goto end;
3399  }
3400 
3401  sm = sm->next;
3402  if (sm->type != DETECT_BYTETEST) {
3403  result = 0;
3404  goto end;
3405  }
3406  btd = (DetectBytetestData *)sm->ctx;
3407  if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
3408  DETECT_BYTETEST_VALUE_VAR) ||
3409  btd->value != 0 ||
3410  btd->offset != 1) {
3411  printf("three failed\n");
3412  result = 0;
3413  goto end;
3414  }
3415 
3416  sm = sm->next;
3417  if (sm->type != DETECT_BYTETEST) {
3418  result = 0;
3419  goto end;
3420  }
3421  btd = (DetectBytetestData *)sm->ctx;
3422  if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
3423  btd->value != 10 ||
3424  btd->offset != 1) {
3425  printf("four failed\n");
3426  result = 0;
3427  goto end;
3428  }
3429 
3430  if (sm->next != NULL)
3431  goto end;
3432 
3433  result = 1;
3434 
3435  end:
3436  SigGroupCleanup(de_ctx);
3437  SigCleanSignatures(de_ctx);
3438  DetectEngineCtxFree(de_ctx);
3439 
3440  return result;
3441 }
3442 
3443 static int DetectByteExtractTest53(void)
3444 {
3445  DetectEngineCtx *de_ctx = NULL;
3446  int result = 0;
3447  Signature *s = NULL;
3448  SigMatch *sm = NULL;
3449  DetectContentData *cd = NULL;
3450  DetectByteExtractData *bed = NULL;
3451  DetectBytejumpData *bjd = NULL;
3452 
3453  de_ctx = DetectEngineCtxInit();
3454  if (de_ctx == NULL)
3455  goto end;
3456 
3457  de_ctx->flags |= DE_QUIET;
3458  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3459  "(msg:\"Testing bytejump_body\"; "
3460  "content:\"one\"; "
3461  "byte_extract:4,0,two,string,hex; "
3462  "byte_jump: 2,two; "
3463  "sid:1;)");
3464  if (de_ctx->sig_list == NULL) {
3465  result = 0;
3466  goto end;
3467  }
3468 
3469  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3470  result = 0;
3471  goto end;
3472  }
3473 
3474  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3475  if (sm->type != DETECT_CONTENT) {
3476  result = 0;
3477  goto end;
3478  }
3479  cd = (DetectContentData *)sm->ctx;
3480  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3481  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3482  cd->flags & DETECT_CONTENT_NOCASE ||
3483  cd->flags & DETECT_CONTENT_WITHIN ||
3484  cd->flags & DETECT_CONTENT_DISTANCE ||
3485  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3486  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3487  cd->flags & DETECT_CONTENT_NEGATED ) {
3488  printf("one failed\n");
3489  result = 0;
3490  goto end;
3491  }
3492 
3493  sm = sm->next;
3494  if (sm->type != DETECT_BYTE_EXTRACT) {
3495  result = 0;
3496  goto end;
3497  }
3498  bed = (DetectByteExtractData *)sm->ctx;
3499  if (bed->nbytes != 4 ||
3500  bed->offset != 0 ||
3501  strcmp(bed->name, "two") != 0 ||
3502  bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3503  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3504  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3505  bed->align_value != 0 ||
3506  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3507  goto end;
3508  }
3509  if (bed->local_id != 0) {
3510  result = 0;
3511  goto end;
3512  }
3513 
3514  sm = sm->next;
3515  if (sm->type != DETECT_BYTEJUMP) {
3516  result = 0;
3517  goto end;
3518  }
3519  bjd = (DetectBytejumpData *)sm->ctx;
3520  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3521  bjd->offset != 0) {
3522  printf("three failed\n");
3523  result = 0;
3524  goto end;
3525  }
3526 
3527  if (sm->next != NULL)
3528  goto end;
3529 
3530  result = 1;
3531 
3532  end:
3533  SigGroupCleanup(de_ctx);
3534  SigCleanSignatures(de_ctx);
3535  DetectEngineCtxFree(de_ctx);
3536 
3537  return result;
3538 }
3539 
3540 static int DetectByteExtractTest54(void)
3541 {
3542  DetectEngineCtx *de_ctx = NULL;
3543  int result = 0;
3544  Signature *s = NULL;
3545  SigMatch *sm = NULL;
3546  DetectContentData *cd = NULL;
3547  DetectByteExtractData *bed1 = NULL;
3548  DetectBytejumpData *bjd = NULL;
3549 
3550  de_ctx = DetectEngineCtxInit();
3551  if (de_ctx == NULL)
3552  goto end;
3553 
3554  de_ctx->flags |= DE_QUIET;
3555  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3556  "(msg:\"Testing bytejump_body\"; "
3557  "content:\"one\"; "
3558  "byte_extract:4,0,two,string,hex; "
3559  "byte_extract:4,0,three,string,hex; "
3560  "byte_jump: 2,two; "
3561  "byte_jump: 3,three; "
3562  "sid:1;)");
3563  if (de_ctx->sig_list == NULL) {
3564  result = 0;
3565  goto end;
3566  }
3567 
3568  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3569  result = 0;
3570  goto end;
3571  }
3572 
3573  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3574  if (sm->type != DETECT_CONTENT) {
3575  result = 0;
3576  goto end;
3577  }
3578  cd = (DetectContentData *)sm->ctx;
3579  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3580  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3581  cd->flags & DETECT_CONTENT_NOCASE ||
3582  cd->flags & DETECT_CONTENT_WITHIN ||
3583  cd->flags & DETECT_CONTENT_DISTANCE ||
3584  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3585  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3586  cd->flags & DETECT_CONTENT_NEGATED ) {
3587  printf("one failed\n");
3588  result = 0;
3589  goto end;
3590  }
3591 
3592  sm = sm->next;
3593  if (sm->type != DETECT_BYTE_EXTRACT) {
3594  result = 0;
3595  goto end;
3596  }
3597  bed1 = (DetectByteExtractData *)sm->ctx;
3598  if (bed1->nbytes != 4 ||
3599  bed1->offset != 0 ||
3600  strcmp(bed1->name, "two") != 0 ||
3601  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3602  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3603  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3604  bed1->align_value != 0 ||
3605  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3606  goto end;
3607  }
3608  if (bed1->local_id != 0) {
3609  result = 0;
3610  goto end;
3611  }
3612 
3613  sm = sm->next;
3614  if (sm->type != DETECT_BYTE_EXTRACT) {
3615  result = 0;
3616  goto end;
3617  }
3618 
3619  sm = sm->next;
3620  if (sm->type != DETECT_BYTEJUMP) {
3621  result = 0;
3622  goto end;
3623  }
3624  bjd = (DetectBytejumpData *)sm->ctx;
3625  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3626  bjd->offset != 0) {
3627  printf("three failed\n");
3628  result = 0;
3629  goto end;
3630  }
3631 
3632  sm = sm->next;
3633  if (sm->type != DETECT_BYTEJUMP) {
3634  result = 0;
3635  goto end;
3636  }
3637  bjd = (DetectBytejumpData *)sm->ctx;
3638  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
3639  bjd->offset != 1) {
3640  printf("four failed\n");
3641  result = 0;
3642  goto end;
3643  }
3644 
3645  if (sm->next != NULL)
3646  goto end;
3647 
3648  result = 1;
3649 
3650  end:
3651  SigGroupCleanup(de_ctx);
3652  SigCleanSignatures(de_ctx);
3653  DetectEngineCtxFree(de_ctx);
3654 
3655  return result;
3656 }
3657 
3658 static int DetectByteExtractTest55(void)
3659 {
3660  DetectEngineCtx *de_ctx = NULL;
3661  int result = 0;
3662  Signature *s = NULL;
3663  SigMatch *sm = NULL;
3664  DetectContentData *cd = NULL;
3665  DetectByteExtractData *bed1 = NULL;
3666  DetectByteExtractData *bed2 = NULL;
3667 
3668  de_ctx = DetectEngineCtxInit();
3669  if (de_ctx == NULL)
3670  goto end;
3671 
3672  de_ctx->flags |= DE_QUIET;
3673  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3674  "(msg:\"Testing byte_extract\"; "
3675  "content:\"one\"; "
3676  "byte_extract:4,0,two,string,hex; "
3677  "byte_extract:4,0,three,string,hex; "
3678  "byte_extract:4,0,four,string,hex; "
3679  "byte_extract:4,0,five,string,hex; "
3680  "content: \"four\"; within:two; distance:three; "
3681  "sid:1;)");
3682  if (de_ctx->sig_list == NULL) {
3683  goto end;
3684  }
3685 
3686  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3687  goto end;
3688  }
3689 
3690  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3691  if (sm->type != DETECT_CONTENT) {
3692  goto end;
3693  }
3694  cd = (DetectContentData *)sm->ctx;
3695  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3696  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3697  cd->flags & DETECT_CONTENT_NOCASE ||
3698  cd->flags & DETECT_CONTENT_WITHIN ||
3699  cd->flags & DETECT_CONTENT_DISTANCE ||
3700  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3701  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3702  cd->flags & DETECT_CONTENT_NEGATED ) {
3703  printf("one failed: ");
3704  goto end;
3705  }
3706 
3707  sm = sm->next;
3708  if (sm->type != DETECT_BYTE_EXTRACT) {
3709  goto end;
3710  }
3711  bed1 = (DetectByteExtractData *)sm->ctx;
3712  if (bed1->nbytes != 4 ||
3713  bed1->offset != 0 ||
3714  strcmp(bed1->name, "two") != 0 ||
3715  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3716  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3717  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3718  bed1->align_value != 0 ||
3719  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3720  goto end;
3721  }
3722  if (bed1->local_id != 0) {
3723  goto end;
3724  }
3725 
3726  sm = sm->next;
3727  if (sm->type != DETECT_BYTE_EXTRACT) {
3728  goto end;
3729  }
3730  bed2 = (DetectByteExtractData *)sm->ctx;
3731 
3732  sm = sm->next;
3733  if (sm->type != DETECT_BYTE_EXTRACT) {
3734  goto end;
3735  }
3736 
3737  sm = sm->next;
3738  if (sm->type != DETECT_BYTE_EXTRACT) {
3739  goto end;
3740  }
3741 
3742  sm = sm->next;
3743  if (sm->type != DETECT_CONTENT) {
3744  goto end;
3745  }
3746  cd = (DetectContentData *)sm->ctx;
3747  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3748  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3749  DETECT_CONTENT_WITHIN_VAR |
3750  DETECT_CONTENT_DISTANCE |
3751  DETECT_CONTENT_WITHIN) ||
3752  cd->within != bed1->local_id ||
3753  cd->distance != bed2->local_id) {
3754  printf("four failed: ");
3755  goto end;
3756  }
3757 
3758  if (sm->next != NULL) {
3759  goto end;
3760  }
3761 
3762  result = 1;
3763 
3764  end:
3765  SigGroupCleanup(de_ctx);
3766  SigCleanSignatures(de_ctx);
3767  DetectEngineCtxFree(de_ctx);
3768 
3769  return result;
3770 }
3771 
3772 static int DetectByteExtractTest56(void)
3773 {
3774  DetectEngineCtx *de_ctx = NULL;
3775  int result = 0;
3776  Signature *s = NULL;
3777  SigMatch *sm = NULL;
3778  DetectContentData *cd = NULL;
3779  DetectByteExtractData *bed1 = NULL;
3780  DetectByteExtractData *bed2 = NULL;
3781 
3782  de_ctx = DetectEngineCtxInit();
3783  if (de_ctx == NULL)
3784  goto end;
3785 
3786  de_ctx->flags |= DE_QUIET;
3787  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3788  "(msg:\"Testing bytejump_body\"; "
3789  "uricontent:\"urione\"; "
3790  "content:\"one\"; "
3791  "byte_extract:4,0,two,string,hex; "
3792  "byte_extract:4,0,three,string,hex; "
3793  "byte_extract:4,0,four,string,hex; "
3794  "byte_extract:4,0,five,string,hex; "
3795  "content: \"four\"; within:two; distance:three; "
3796  "sid:1;)");
3797  if (de_ctx->sig_list == NULL) {
3798  result = 0;
3799  goto end;
3800  }
3801 
3802  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3803  result = 0;
3804  goto end;
3805  }
3806 
3807  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3808  if (sm->type != DETECT_CONTENT) {
3809  result = 0;
3810  goto end;
3811  }
3812  cd = (DetectContentData *)sm->ctx;
3813  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3814  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3815  cd->flags & DETECT_CONTENT_NOCASE ||
3816  cd->flags & DETECT_CONTENT_WITHIN ||
3817  cd->flags & DETECT_CONTENT_DISTANCE ||
3818  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3819  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3820  cd->flags & DETECT_CONTENT_NEGATED ) {
3821  printf("one failed\n");
3822  result = 0;
3823  goto end;
3824  }
3825 
3826  if (sm->next != NULL)
3827  goto end;
3828 
3829  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3830  if (sm->type != DETECT_CONTENT) {
3831  result = 0;
3832  goto end;
3833  }
3834  cd = (DetectContentData *)sm->ctx;
3835  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3836  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3837  cd->flags & DETECT_CONTENT_NOCASE ||
3838  cd->flags & DETECT_CONTENT_WITHIN ||
3839  cd->flags & DETECT_CONTENT_DISTANCE ||
3840  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3841  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3842  cd->flags & DETECT_CONTENT_NEGATED ) {
3843  printf("one failed\n");
3844  result = 0;
3845  goto end;
3846  }
3847 
3848  sm = sm->next;
3849  if (sm->type != DETECT_BYTE_EXTRACT) {
3850  result = 0;
3851  goto end;
3852  }
3853  bed1 = (DetectByteExtractData *)sm->ctx;
3854  if (bed1->nbytes != 4 ||
3855  bed1->offset != 0 ||
3856  strcmp(bed1->name, "two") != 0 ||
3857  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
3858  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
3859  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
3860  bed1->align_value != 0 ||
3861  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3862  goto end;
3863  }
3864  if (bed1->local_id != 0) {
3865  result = 0;
3866  goto end;
3867  }
3868 
3869  sm = sm->next;
3870  if (sm->type != DETECT_BYTE_EXTRACT) {
3871  result = 0;
3872  goto end;
3873  }
3874  bed2 = (DetectByteExtractData *)sm->ctx;
3875 
3876  sm = sm->next;
3877  if (sm->type != DETECT_BYTE_EXTRACT) {
3878  result = 0;
3879  goto end;
3880  }
3881 
3882  sm = sm->next;
3883  if (sm->type != DETECT_BYTE_EXTRACT) {
3884  result = 0;
3885  goto end;
3886  }
3887 
3888  sm = sm->next;
3889  if (sm->type != DETECT_CONTENT) {
3890  result = 0;
3891  goto end;
3892  }
3893  cd = (DetectContentData *)sm->ctx;
3894  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3895  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3896  DETECT_CONTENT_WITHIN_VAR |
3897  DETECT_CONTENT_DISTANCE |
3898  DETECT_CONTENT_WITHIN) ||
3899  cd->within != bed1->local_id ||
3900  cd->distance != bed2->local_id ) {
3901  printf("four failed\n");
3902  result = 0;
3903  goto end;
3904  }
3905 
3906  if (sm->next != NULL) {
3907  goto end;
3908  }
3909 
3910  result = 1;
3911 
3912  end:
3913  SigGroupCleanup(de_ctx);
3914  SigCleanSignatures(de_ctx);
3915  DetectEngineCtxFree(de_ctx);
3916 
3917  return result;
3918 }
3919 
3920 static int DetectByteExtractTest57(void)
3921 {
3922  DetectEngineCtx *de_ctx = NULL;
3923  int result = 0;
3924  Signature *s = NULL;
3925  SigMatch *sm = NULL;
3926  DetectContentData *cd = NULL;
3927  DetectByteExtractData *bed1 = NULL;
3928  DetectByteExtractData *bed2 = NULL;
3929  DetectByteExtractData *bed3 = NULL;
3930  DetectByteExtractData *bed4 = NULL;
3931 
3932  de_ctx = DetectEngineCtxInit();
3933  if (de_ctx == NULL)
3934  goto end;
3935 
3936  de_ctx->flags |= DE_QUIET;
3937  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3938  "(msg:\"Testing bytejump_body\"; "
3939  "content:\"one\"; "
3940  "uricontent: \"urione\"; "
3941  "byte_extract:4,0,two,string,hex,relative; "
3942  "byte_extract:4,0,three,string,hex,relative; "
3943  "byte_extract:4,0,four,string,hex,relative; "
3944  "byte_extract:4,0,five,string,hex,relative; "
3945  "uricontent: \"four\"; within:two; distance:three; "
3946  "sid:1;)");
3947  if (de_ctx->sig_list == NULL) {
3948  result = 0;
3949  goto end;
3950  }
3951 
3952  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3953  result = 0;
3954  goto end;
3955  }
3956 
3957  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3958  if (sm->type != DETECT_CONTENT) {
3959  result = 0;
3960  goto end;
3961  }
3962  cd = (DetectContentData *)sm->ctx;
3963  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3964  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3965  cd->flags & DETECT_CONTENT_NOCASE ||
3966  cd->flags & DETECT_CONTENT_WITHIN ||
3967  cd->flags & DETECT_CONTENT_DISTANCE ||
3968  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3969  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3970  cd->flags & DETECT_CONTENT_NEGATED ) {
3971  printf("one failed\n");
3972  result = 0;
3973  goto end;
3974  }
3975 
3976  if (sm->next != NULL)
3977  goto end;
3978 
3979  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3980  if (sm->type != DETECT_CONTENT) {
3981  result = 0;
3982  goto end;
3983  }
3984  cd = (DetectContentData *)sm->ctx;
3985  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3986  strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3987  cd->flags & DETECT_CONTENT_NOCASE ||
3988  cd->flags & DETECT_CONTENT_WITHIN ||
3989  cd->flags & DETECT_CONTENT_DISTANCE ||
3990  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3991  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3992  cd->flags & DETECT_CONTENT_NEGATED ) {
3993  printf("one failed\n");
3994  result = 0;
3995  goto end;
3996  }
3997 
3998  sm = sm->next;
3999  if (sm->type != DETECT_BYTE_EXTRACT) {
4000  result = 0;
4001  goto end;
4002  }
4003  bed1 = (DetectByteExtractData *)sm->ctx;
4004  if (bed1->nbytes != 4 ||
4005  bed1->offset != 0 ||
4006  strcmp(bed1->name, "two") != 0 ||
4007  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4008  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4009  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4010  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4011  bed1->align_value != 0 ||
4012  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4013  goto end;
4014  }
4015  if (bed1->local_id != 0) {
4016  result = 0;
4017  goto end;
4018  }
4019 
4020  sm = sm->next;
4021  if (sm->type != DETECT_BYTE_EXTRACT) {
4022  result = 0;
4023  goto end;
4024  }
4025  bed2 = (DetectByteExtractData *)sm->ctx;
4026  if (bed2->local_id != 1) {
4027  result = 0;
4028  goto end;
4029  }
4030 
4031  sm = sm->next;
4032  if (sm->type != DETECT_BYTE_EXTRACT) {
4033  result = 0;
4034  goto end;
4035  }
4036  bed3 = (DetectByteExtractData *)sm->ctx;
4037  if (bed3->local_id != 2) {
4038  result = 0;
4039  goto end;
4040  }
4041 
4042  sm = sm->next;
4043  if (sm->type != DETECT_BYTE_EXTRACT) {
4044  result = 0;
4045  goto end;
4046  }
4047  bed4 = (DetectByteExtractData *)sm->ctx;
4048  if (bed4->local_id != 3) {
4049  result = 0;
4050  goto end;
4051  }
4052 
4053  sm = sm->next;
4054  if (sm->type != DETECT_CONTENT) {
4055  result = 0;
4056  goto end;
4057  }
4058  cd = (DetectContentData *)sm->ctx;
4059  if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
4060  cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
4061  DETECT_CONTENT_WITHIN_VAR |
4062  DETECT_CONTENT_DISTANCE |
4063  DETECT_CONTENT_WITHIN) ||
4064  cd->within != bed1->local_id ||
4065  cd->distance != bed2->local_id) {
4066  printf("four failed\n");
4067  result = 0;
4068  goto end;
4069  }
4070 
4071  if (sm->next != NULL) {
4072  goto end;
4073  }
4074 
4075  result = 1;
4076 
4077  end:
4078  SigGroupCleanup(de_ctx);
4079  SigCleanSignatures(de_ctx);
4080  DetectEngineCtxFree(de_ctx);
4081 
4082  return result;
4083 }
4084 
4085 static int DetectByteExtractTest58(void)
4086 {
4087  DetectEngineCtx *de_ctx = NULL;
4088  int result = 0;
4089  Signature *s = NULL;
4090  SigMatch *sm = NULL;
4091  DetectContentData *cd = NULL;
4092  DetectByteExtractData *bed1 = NULL;
4093  DetectBytejumpData *bjd = NULL;
4094  DetectIsdataatData *isdd = NULL;
4095 
4096  de_ctx = DetectEngineCtxInit();
4097  if (de_ctx == NULL)
4098  goto end;
4099 
4100  de_ctx->flags |= DE_QUIET;
4101  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4102  "(msg:\"Testing bytejump_body\"; "
4103  "content:\"one\"; "
4104  "byte_extract:4,0,two,string,hex; "
4105  "byte_extract:4,0,three,string,hex; "
4106  "byte_jump: 2,two; "
4107  "byte_jump: 3,three; "
4108  "isdataat: three; "
4109  "sid:1;)");
4110  if (de_ctx->sig_list == NULL) {
4111  result = 0;
4112  goto end;
4113  }
4114 
4115  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4116  result = 0;
4117  goto end;
4118  }
4119 
4120  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
4121  if (sm->type != DETECT_CONTENT) {
4122  result = 0;
4123  goto end;
4124  }
4125  cd = (DetectContentData *)sm->ctx;
4126  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4127  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4128  cd->flags & DETECT_CONTENT_NOCASE ||
4129  cd->flags & DETECT_CONTENT_WITHIN ||
4130  cd->flags & DETECT_CONTENT_DISTANCE ||
4131  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4132  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4133  cd->flags & DETECT_CONTENT_NEGATED ) {
4134  printf("one failed\n");
4135  result = 0;
4136  goto end;
4137  }
4138 
4139  sm = sm->next;
4140  if (sm->type != DETECT_BYTE_EXTRACT) {
4141  result = 0;
4142  goto end;
4143  }
4144  bed1 = (DetectByteExtractData *)sm->ctx;
4145  if (bed1->nbytes != 4 ||
4146  bed1->offset != 0 ||
4147  strcmp(bed1->name, "two") != 0 ||
4148  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4149  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4150  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4151  bed1->align_value != 0 ||
4152  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4153  goto end;
4154  }
4155  if (bed1->local_id != 0) {
4156  result = 0;
4157  goto end;
4158  }
4159 
4160  sm = sm->next;
4161  if (sm->type != DETECT_BYTE_EXTRACT) {
4162  result = 0;
4163  goto end;
4164  }
4165 
4166  sm = sm->next;
4167  if (sm->type != DETECT_BYTEJUMP) {
4168  result = 0;
4169  goto end;
4170  }
4171  bjd = (DetectBytejumpData *)sm->ctx;
4172  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4173  bjd->offset != 0) {
4174  printf("three failed\n");
4175  result = 0;
4176  goto end;
4177  }
4178 
4179  sm = sm->next;
4180  if (sm->type != DETECT_BYTEJUMP) {
4181  result = 0;
4182  goto end;
4183  }
4184  bjd = (DetectBytejumpData *)sm->ctx;
4185  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4186  bjd->offset != 1) {
4187  printf("four failed\n");
4188  result = 0;
4189  goto end;
4190  }
4191 
4192  sm = sm->next;
4193  if (sm->type != DETECT_ISDATAAT) {
4194  result = 0;
4195  goto end;
4196  }
4197  isdd = (DetectIsdataatData *)sm->ctx;
4198  if (isdd->flags != ISDATAAT_OFFSET_VAR ||
4199  isdd->dataat != 1) {
4200  printf("isdataat failed\n");
4201  result = 0;
4202  goto end;
4203  }
4204 
4205  if (sm->next != NULL)
4206  goto end;
4207 
4208  result = 1;
4209 
4210  end:
4211  SigGroupCleanup(de_ctx);
4212  SigCleanSignatures(de_ctx);
4213  DetectEngineCtxFree(de_ctx);
4214 
4215  return result;
4216 }
4217 
4218 static int DetectByteExtractTest59(void)
4219 {
4220  DetectEngineCtx *de_ctx = NULL;
4221  int result = 0;
4222  Signature *s = NULL;
4223  SigMatch *sm = NULL;
4224  DetectContentData *cd = NULL;
4225  DetectByteExtractData *bed1 = NULL;
4226  DetectBytejumpData *bjd = NULL;
4227  DetectIsdataatData *isdd = NULL;
4228 
4229  de_ctx = DetectEngineCtxInit();
4230  if (de_ctx == NULL)
4231  goto end;
4232 
4233  de_ctx->flags |= DE_QUIET;
4234  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4235  "(msg:\"Testing bytejump_body\"; "
4236  "content:\"one\"; "
4237  "byte_extract:4,0,two,string,hex; "
4238  "byte_extract:4,0,three,string,hex; "
4239  "byte_jump: 2,two; "
4240  "byte_jump: 3,three; "
4241  "isdataat: three,relative; "
4242  "sid:1;)");
4243  if (de_ctx->sig_list == NULL) {
4244  result = 0;
4245  goto end;
4246  }
4247 
4248  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4249  result = 0;
4250  goto end;
4251  }
4252 
4253  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
4254  if (sm->type != DETECT_CONTENT) {
4255  result = 0;
4256  goto end;
4257  }
4258  cd = (DetectContentData *)sm->ctx;
4259  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4260  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4261  cd->flags & DETECT_CONTENT_NOCASE ||
4262  cd->flags & DETECT_CONTENT_WITHIN ||
4263  cd->flags & DETECT_CONTENT_DISTANCE ||
4264  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4265  cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
4266  cd->flags & DETECT_CONTENT_NEGATED ) {
4267  printf("one failed\n");
4268  result = 0;
4269  goto end;
4270  }
4271 
4272  sm = sm->next;
4273  if (sm->type != DETECT_BYTE_EXTRACT) {
4274  result = 0;
4275  goto end;
4276  }
4277  bed1 = (DetectByteExtractData *)sm->ctx;
4278  if (bed1->nbytes != 4 ||
4279  bed1->offset != 0 ||
4280  strcmp(bed1->name, "two") != 0 ||
4281  bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
4282  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4283  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4284  bed1->align_value != 0 ||
4285  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4286  goto end;
4287  }
4288  if (bed1->local_id != 0) {
4289  result = 0;
4290  goto end;
4291  }
4292 
4293  sm = sm->next;
4294  if (sm->type != DETECT_BYTE_EXTRACT) {
4295  result = 0;
4296  goto end;
4297  }
4298 
4299  sm = sm->next;
4300  if (sm->type != DETECT_BYTEJUMP) {
4301  result = 0;
4302  goto end;
4303  }
4304  bjd = (DetectBytejumpData *)sm->ctx;
4305  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4306  bjd->offset != 0) {
4307  printf("three failed\n");
4308  result = 0;
4309  goto end;
4310  }
4311 
4312  sm = sm->next;
4313  if (sm->type != DETECT_BYTEJUMP) {
4314  result = 0;
4315  goto end;
4316  }
4317  bjd = (DetectBytejumpData *)sm->ctx;
4318  if (bjd->flags != DETECT_CONTENT_OFFSET_VAR ||
4319  bjd->offset != 1) {
4320  printf("four failed\n");
4321  result = 0;
4322  goto end;
4323  }
4324 
4325  sm = sm->next;
4326  if (sm->type != DETECT_ISDATAAT) {
4327  result = 0;
4328  goto end;
4329  }
4330  isdd = (DetectIsdataatData *)sm->ctx;
4331  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4332  ISDATAAT_RELATIVE) ||
4333  isdd->dataat != 1) {
4334  printf("isdataat failed\n");
4335  result = 0;
4336  goto end;
4337  }
4338 
4339  if (sm->next != NULL)
4340  goto end;
4341 
4342  result = 1;
4343 
4344  end:
4345  SigGroupCleanup(de_ctx);
4346  SigCleanSignatures(de_ctx);
4347  DetectEngineCtxFree(de_ctx);
4348 
4349  return result;
4350 }
4351 
4352 static int DetectByteExtractTest60(void)
4353 {
4354  DetectEngineCtx *de_ctx = NULL;
4355  int result = 0;
4356  Signature *s = NULL;
4357  SigMatch *sm = NULL;
4358  DetectContentData *cd = NULL;
4359  DetectByteExtractData *bed1 = NULL;
4360  DetectIsdataatData *isdd = NULL;
4361 
4362  de_ctx = DetectEngineCtxInit();
4363  if (de_ctx == NULL)
4364  goto end;
4365 
4366  de_ctx->flags |= DE_QUIET;
4367  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4368  "(msg:\"Testing bytejump_body\"; "
4369  "content:\"one\"; "
4370  "byte_extract:4,0,two,string,hex,relative; "
4371  "uricontent: \"three\"; "
4372  "byte_extract:4,0,four,string,hex,relative; "
4373  "isdataat: two; "
4374  "sid:1;)");
4375  if (de_ctx->sig_list == NULL) {
4376  result = 0;
4377  goto end;
4378  }
4379 
4380  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4381  result = 0;
4382  goto end;
4383  }
4384 
4385  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
4386  if (sm->type != DETECT_CONTENT) {
4387  result = 0;
4388  goto end;
4389  }
4390  cd = (DetectContentData *)sm->ctx;
4391  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4392  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4393  cd->flags & DETECT_CONTENT_NOCASE ||
4394  cd->flags & DETECT_CONTENT_WITHIN ||
4395  cd->flags & DETECT_CONTENT_DISTANCE ||
4396  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4397  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4398  cd->flags & DETECT_CONTENT_NEGATED ) {
4399  printf("one failed\n");
4400  result = 0;
4401  goto end;
4402  }
4403 
4404  sm = sm->next;
4405  if (sm->type != DETECT_BYTE_EXTRACT) {
4406  result = 0;
4407  goto end;
4408  }
4409  bed1 = (DetectByteExtractData *)sm->ctx;
4410  if (bed1->nbytes != 4 ||
4411  bed1->offset != 0 ||
4412  strcmp(bed1->name, "two") != 0 ||
4413  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4414  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4415  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4416  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4417  bed1->align_value != 0 ||
4418  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4419  goto end;
4420  }
4421  if (bed1->local_id != 0) {
4422  result = 0;
4423  goto end;
4424  }
4425 
4426  sm = sm->next;
4427  if (sm->type != DETECT_ISDATAAT) {
4428  result = 0;
4429  goto end;
4430  }
4431  isdd = (DetectIsdataatData *)sm->ctx;
4432  if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
4433  isdd->dataat != bed1->local_id) {
4434  printf("isdataat failed\n");
4435  result = 0;
4436  goto end;
4437  }
4438 
4439  if (sm->next != NULL)
4440  goto end;
4441 
4442  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
4443  if (sm == NULL) {
4444  result = 0;
4445  goto end;
4446  }
4447  if (sm->type != DETECT_CONTENT) {
4448  result = 0;
4449  goto end;
4450  }
4451  cd = (DetectContentData *)sm->ctx;
4452  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4453  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4454  printf("one failed\n");
4455  result = 0;
4456  goto end;
4457  }
4458 
4459  sm = sm->next;
4460  if (sm->type != DETECT_BYTE_EXTRACT) {
4461  result = 0;
4462  goto end;
4463  }
4464  bed1 = (DetectByteExtractData *)sm->ctx;
4465  if (bed1->nbytes != 4 ||
4466  bed1->offset != 0 ||
4467  strcmp(bed1->name, "four") != 0 ||
4468  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4469  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4470  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4471  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4472  bed1->align_value != 0 ||
4473  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4474  goto end;
4475  }
4476  if (bed1->local_id != 0) {
4477  result = 0;
4478  goto end;
4479  }
4480 
4481  if (sm->next != NULL)
4482  goto end;
4483 
4484  result = 1;
4485 
4486  end:
4487  SigGroupCleanup(de_ctx);
4488  SigCleanSignatures(de_ctx);
4489  DetectEngineCtxFree(de_ctx);
4490 
4491  return result;
4492 }
4493 
4494 static int DetectByteExtractTest61(void)
4495 {
4496  DetectEngineCtx *de_ctx = NULL;
4497  int result = 0;
4498  Signature *s = NULL;
4499  SigMatch *sm = NULL;
4500  DetectContentData *cd = NULL;
4501  DetectByteExtractData *bed1 = NULL;
4502  DetectIsdataatData *isdd = NULL;
4503 
4504  de_ctx = DetectEngineCtxInit();
4505  if (de_ctx == NULL)
4506  goto end;
4507 
4508  de_ctx->flags |= DE_QUIET;
4509  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4510  "(msg:\"Testing bytejump_body\"; "
4511  "content:\"one\"; "
4512  "byte_extract:4,0,two,string,hex,relative; "
4513  "uricontent: \"three\"; "
4514  "byte_extract:4,0,four,string,hex,relative; "
4515  "isdataat: four, relative; "
4516  "sid:1;)");
4517  if (de_ctx->sig_list == NULL) {
4518  result = 0;
4519  goto end;
4520  }
4521 
4522  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
4523  result = 0;
4524  goto end;
4525  }
4526 
4527  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
4528  if (sm->type != DETECT_CONTENT) {
4529  result = 0;
4530  goto end;
4531  }
4532  cd = (DetectContentData *)sm->ctx;
4533  if (cd->flags & DETECT_CONTENT_RAWBYTES ||
4534  strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
4535  cd->flags & DETECT_CONTENT_NOCASE ||
4536  cd->flags & DETECT_CONTENT_WITHIN ||
4537  cd->flags & DETECT_CONTENT_DISTANCE ||
4538  cd->flags & DETECT_CONTENT_FAST_PATTERN ||
4539  !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
4540  cd->flags & DETECT_CONTENT_NEGATED ) {
4541  printf("one failed\n");
4542  result = 0;
4543  goto end;
4544  }
4545 
4546  sm = sm->next;
4547  if (sm->type != DETECT_BYTE_EXTRACT) {
4548  result = 0;
4549  goto end;
4550  }
4551  bed1 = (DetectByteExtractData *)sm->ctx;
4552  if (bed1->nbytes != 4 ||
4553  bed1->offset != 0 ||
4554  strcmp(bed1->name, "two") != 0 ||
4555  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4556  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4557  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4558  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4559  bed1->align_value != 0 ||
4560  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4561  goto end;
4562  }
4563  if (bed1->local_id != 0) {
4564  result = 0;
4565  goto end;
4566  }
4567 
4568  if (sm->next != NULL)
4569  goto end;
4570 
4571  sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
4572  if (sm == NULL) {
4573  result = 0;
4574  goto end;
4575  }
4576  if (sm->type != DETECT_CONTENT) {
4577  result = 0;
4578  goto end;
4579  }
4580  cd = (DetectContentData *)sm->ctx;
4581  if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
4582  strncmp((char *)cd->content, "three", cd->content_len) != 0) {
4583  printf("one failed\n");
4584  result = 0;
4585  goto end;
4586  }
4587 
4588  sm = sm->next;
4589  if (sm->type != DETECT_BYTE_EXTRACT) {
4590  result = 0;
4591  goto end;
4592  }
4593  bed1 = (DetectByteExtractData *)sm->ctx;
4594  if (bed1->nbytes != 4 ||
4595  bed1->offset != 0 ||
4596  strcmp(bed1->name, "four") != 0 ||
4597  bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
4598  DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4599  bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4600  bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4601  bed1->align_value != 0 ||
4602  bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4603  goto end;
4604  }
4605  if (bed1->local_id != 0) {
4606  result = 0;
4607  goto end;
4608  }
4609 
4610  sm = sm->next;
4611  if (sm->type != DETECT_ISDATAAT) {
4612  result = 0;
4613  goto end;
4614  }
4615  isdd = (DetectIsdataatData *)sm->ctx;
4616  if (isdd->flags != (ISDATAAT_OFFSET_VAR |
4617  ISDATAAT_RELATIVE) ||
4618  isdd->dataat != bed1->local_id) {
4619  printf("isdataat failed\n");
4620  result = 0;
4621  goto end;
4622  }
4623 
4624  if (sm->next != NULL)
4625  goto end;
4626 
4627  result = 1;
4628 
4629  end:
4630  SigGroupCleanup(de_ctx);
4631  SigCleanSignatures(de_ctx);
4632  DetectEngineCtxFree(de_ctx);
4633 
4634  return result;
4635 }
4636 
4637 static int DetectByteExtractTest62(void)
4638 {
4639  DetectEngineCtx *de_ctx = NULL;
4640  int result = 0;
4641  Signature *s = NULL;
4642  SigMatch *sm = NULL;
4643  DetectByteExtractData *bed = NULL;
4644 
4645  de_ctx = DetectEngineCtxInit();
4646  if (de_ctx == NULL)
4647  goto end;
4648 
4649  de_ctx->flags |= DE_QUIET;
4650  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4651  "(file_data; byte_extract:4,2,two,relative,string,hex; "
4652  "sid:1;)");
4653  if (de_ctx->sig_list == NULL) {
4654  goto end;
4655  }
4656 
4657  sm = DetectBufferGetFirstSigMatch(s, g_file_data_buffer_id);
4658  if (sm == NULL) {
4659  goto end;
4660  }
4661  if (sm->type != DETECT_BYTE_EXTRACT) {
4662  goto end;
4663  }
4664  bed = (DetectByteExtractData *)sm->ctx;
4665  if (bed->nbytes != 4 ||
4666  bed->offset != 2 ||
4667  strncmp(bed->name, "two", 3) != 0 ||
4668  bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4669  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
4670  bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
4671  bed->align_value != 0 ||
4672  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4673  goto end;
4674  }
4675 
4676  result = 1;
4677 
4678  end:
4679  SigGroupCleanup(de_ctx);
4680  SigCleanSignatures(de_ctx);
4681  DetectEngineCtxFree(de_ctx);
4682 
4683  return result;
4684 }
4685 
4686 static int DetectByteExtractTest63(void)
4687 {
4688  int result = 0;
4689 
4690  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4691  if (bed == NULL)
4692  goto end;
4693 
4694  if (bed->nbytes != 4 ||
4695  bed->offset != -2 ||
4696  strcmp(bed->name, "one") != 0 ||
4697  bed->flags != 0 ||
4698  bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
4699  bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
4700  bed->align_value != 0 ||
4701  bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4702  goto end;
4703  }
4704 
4705  result = 1;
4706  end:
4707  if (bed != NULL)
4708  DetectByteExtractFree(NULL, bed);
4709  return result;
4710 }
4711 
4712 static int DetectByteExtractTestParseNoBase(void)
4713 {
4714  int result = 0;
4715 
4716  DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4717  if (bed == NULL)
4718  goto end;
4719 
4720  if (bed->nbytes != 4) {
4721  goto end;
4722  }
4723  if (bed->offset != 2) {
4724  goto end;
4725  }
4726  if (strcmp(bed->name, "one") != 0) {
4727  goto end;
4728  }
4729  if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4730  goto end;
4731  }
4732  if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
4733  goto end;
4734  }
4735  if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4736  goto end;
4737  }
4738  if (bed->align_value != 0) {
4739  goto end;
4740  }
4741  if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4742  goto end;
4743  }
4744 
4745  result = 1;
4746  end:
4747  if (bed != NULL)
4748  DetectByteExtractFree(NULL, bed);
4749  return result;
4750 }
4751 
4752 static void DetectByteExtractRegisterTests(void)
4753 {
4754  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4755  g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4756 
4757  UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4758  UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4759  UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4760  UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4761  UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4762  UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4763  UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4764  UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4765  UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4766  UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4767  UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4768  UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4769  UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4770  UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4771  UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4772  UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4773  UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4774  UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4775  UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4776  UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4777  UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4778  UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4779  UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4780  UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4781  UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4782  UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4783  UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4784  UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4785  UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4786  UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4787  UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4788  UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4789  UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4790  UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4791  UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4792  UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4793  UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4794  UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4795  UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4796  UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4797  UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4798  UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4799 
4800  UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4801  UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4802 
4803  UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4804  UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4805 
4806  UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4807  UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4808 
4809  UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4810  UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4811 
4812  UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4813  UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4814 
4815  UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4816  UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4817 
4818  UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4819  UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4820  UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4821 
4822  UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4823  UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4824  UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4825  UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4826  UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4827  UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4828 
4829  UtRegisterTest("DetectByteExtractTestParseNoBase",
4830  DetectByteExtractTestParseNoBase);
4831 }
4832 #endif /* UNITTESTS */
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DetectContentData_::offset
uint16_t offset
Definition: detect-content.h:107
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1271
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1627
SignatureInitDataBuffer_::head
SigMatch * head
Definition: detect.h:519
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DETECT_BYTE_EXTRACT_ENDIAN_DCE
#define DETECT_BYTE_EXTRACT_ENDIAN_DCE
Definition: detect-byte-extract.h:38
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1086
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:111
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:382
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:567
SigTableElmt_::desc
const char * desc
Definition: detect.h:1270
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2547
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition: detect-byte-extract.c:77
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1258
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition: detect-content.h:47
flow-util.h
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1268
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition: detect.h:569
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:76
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition: detect-isdataat.h:30
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectContentData_::within
int32_t within
Definition: detect-content.h:109
DETECT_BYTE_EXTRACT_FLAG_STRING
#define DETECT_BYTE_EXTRACT_FLAG_STRING
Definition: detect-byte-extract.h:30
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:34
DetectByteExtractData_::local_id
uint8_t local_id
Definition: detect-byte-extract.h:45
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
detect-isdataat.h
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition: detect-byte-extract.c:60
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
DetectByteExtractData_
Holds data related to byte_extract keyword.
Definition: detect-byte-extract.h:43
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:353
threads.h
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:827
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2612
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition: detect-content.h:46
DE_QUIET
#define DE_QUIET
Definition: detect.h:315
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition: detect-byte-extract.c:59
DetectIsdataatData_
Definition: detect-isdataat.h:32
DetectContentData_
Definition: detect-content.h:93
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:48
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:234
DetectBytetestData_
Definition: detect-bytetest.h:52
DetectByteExtractData_::nbytes
uint8_t nbytes
Definition: detect-byte-extract.h:47
SigMatchData_
Data needed for Match()
Definition: detect.h:350
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1253
detect-pcre.h
DetectBytejumpData_
Definition: detect-bytejump.h:44
util-unittest.h
DetectBytejumpData_::offset
int32_t offset
Definition: detect-bytejump.h:49
util-unittest-helper.h
SIG_FLAG_APPLAYER
#define SIG_FLAG_APPLAYER
Definition: detect.h:239
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1147
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition: detect-parse.c:625
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value, uint8_t endian)
Definition: detect-byte-extract.c:115
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition: detect-byte-extract.c:73
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:361
decode.h
util-debug.h
DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT
Definition: detect-byte-extract.c:54
DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT
Definition: detect-byte-extract.c:66
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1058
StringParseI32RangeCheck
int StringParseI32RangeCheck(int32_t *res, int base, size_t len, const char *str, int32_t min, int32_t max)
Definition: util-byte.c:716
DetectByteExtractData_::offset
int32_t offset
Definition: detect-byte-extract.h:49
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2668
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition: detect-content.h:33
SignatureInitData_::list
int list
Definition: detect.h:551
DETECT_BYTE_EXTRACT_ENDIAN_BIG
#define DETECT_BYTE_EXTRACT_ENDIAN_BIG
Definition: detect-byte-extract.h:36
detect-engine-mpm.h
detect.h
StringParseU16RangeCheck
int StringParseU16RangeCheck(uint16_t *res, int base, size_t len, const char *str, uint16_t min, uint16_t max)
Definition: util-byte.c:433
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition: detect-byte-extract.c:61
DetectByteExtractData_::align_value
uint8_t align_value
Definition: detect-byte-extract.h:54
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:345
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2188
DetectByteExtractData_::endian
uint8_t endian
Definition: detect-byte-extract.h:52
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:344
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2043
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
Signature_::flags
uint32_t flags
Definition: detect.h:583
DetectContentData_::depth
uint16_t depth
Definition: detect-content.h:106
detect-engine-build.h
DETECT_BYTE_EXTRACT_FLAG_RELATIVE
#define DETECT_BYTE_EXTRACT_FLAG_RELATIVE
Definition: detect-byte-extract.h:28
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:654
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition: detect-content.h:58
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1236
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:666
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition: detect.h:907
DetectByteExtractData_::base
uint8_t base
Definition: detect-byte-extract.h:53
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:267
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition: detect-content.h:48
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:136
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:75
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
DETECT_BYTE_EXTRACT_BASE_NONE
#define DETECT_BYTE_EXTRACT_BASE_NONE
Definition: detect-byte-extract.c:58
DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
#define DETECT_BYTE_EXTRACT_ENDIAN_LITTLE
Definition: detect-byte-extract.h:37
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:342
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition: detect-byte-extract.c:74
detect-byte-extract.h
DetectContentData_::distance
int32_t distance
Definition: detect-content.h:108
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:77
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine.c:1379
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition: detect-content.h:57
util-spm.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:832
DETECT_BYTE_EXTRACT_FLAG_ALIGN
#define DETECT_BYTE_EXTRACT_FLAG_ALIGN
Definition: detect-byte-extract.h:31
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition: detect.h:572
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
DetectByteExtractData_::name
const char * name
Definition: detect-byte-extract.h:50
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:732
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectByteExtractData_::multiplier_value
uint16_t multiplier_value
Definition: detect-byte-extract.h:56
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition: detect-content.h:32
DETECT_BYTE_EXTRACT_ENDIAN_NONE
#define DETECT_BYTE_EXTRACT_ENDIAN_NONE
Definition: detect-byte-extract.h:35
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:178
DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
#define DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
Definition: detect-byte-extract.h:29
detect-parse.h
Signature_
Signature container.
Definition: detect.h:582
SigMatch_
a single match condition for a signature
Definition: detect.h:341
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition: detect.h:127
DetectByteExtractData_::flags
uint8_t flags
Definition: detect-byte-extract.h:51
DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT
Definition: detect-byte-extract.c:68
DETECT_BYTE_EXTRACT_FLAG_ENDIAN
#define DETECT_BYTE_EXTRACT_FLAG_ENDIAN
Definition: detect-byte-extract.h:32
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:59
DetectIsdataatData_::dataat
uint16_t dataat
Definition: detect-isdataat.h:33
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2573
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition: detect-byte-extract.c:101
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:35
app-layer-protos.h
SC_Pcre2SubstringCopy
int SC_Pcre2SubstringCopy(pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
Definition: detect-parse.c:2644
DetectPcreData_
Definition: detect-pcre.h:43
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-byte-extract.c:79
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:77
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:531
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:874
flow.h
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT
Definition: detect-byte-extract.c:69
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition: detect.h:573
flow-var.h
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition: detect-byte-extract.c:75
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:61
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1260
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:47
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition: detect-content.h:45
detect-bytetest.h