57 #define VALID_KW "relative|big|little|string|oct|dec|hex|dce|bitmask"
58 #define PARSE_REGEX "^\\s*" \
59 "([^\\s,]+)\\s*,\\s*" \
60 "(\\!?\\s*[^\\s,]*)" \
61 "\\s*,\\s*([^\\s,]+\\s*,\\s*[^\\s,]+)" \
62 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
63 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
64 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
65 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
66 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
67 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
75 static void DetectBytetestRegisterTests(
void);
81 sigmatch_table[
DETECT_BYTETEST].
desc =
"extract <num of bytes> and perform an operation selected with <operator> against the value in <test value> at a particular <offset>";
100 static inline bool DetectBytetestValidateNbytesOnly(
const DetectBytetestData *data, int32_t nbytes)
105 static bool DetectBytetestValidateNbytes(
108 if (!DetectBytetestValidateNbytesOnly(data, nbytes)) {
118 SCLogError(
"Cannot test more than 23 bytes with \"string\": %s", optstr);
122 SCLogError(
"Cannot test more than 8 bytes without \"string\": %s", optstr);
125 SCLogError(
"Cannot use a base without \"string\": %s", optstr);
135 SCLogError(
"Cannot use a base without \"string\": %s", optstr);
157 int32_t
offset, int32_t nbytes, uint64_t value)
167 if (!DetectBytetestValidateNbytesOnly(data, nbytes)) {
168 SCLogDebug(
"Invalid byte_test nbytes seen in byte_test - %d", nbytes);
173 const uint8_t *ptr = NULL;
184 SCLogDebug(
"relative, working with det_ctx->buffer_offset %"PRIu32
", "
194 if (ptr == NULL ||
len <= 0) {
208 if (ptr < payload || nbytes >
len) {
209 SCLogDebug(
"Data not within payload pkt=%p, ptr=%p, len=%" PRIu32
", nbytes=%d", payload,
226 "bytes of string data: %d",
232 SCLogDebug(
"comparing base %d string 0x%" PRIx64
" %s%u 0x%" PRIx64,
233 data->
base, val, (neg ?
"!" :
""), data->
op, data->
value);
239 if (extbytes != nbytes) {
241 "of numeric data: %d",
246 SCLogDebug(
"comparing numeric 0x%" PRIx64
" %s%u 0x%" PRIx64,
247 val, (neg ?
"!" :
""), data->
op, data->
value);
304 if ((!neg && match) || (neg && !match)) {
305 SCLogDebug(
"MATCH [bt] extracted value is %"PRIu64, val);
315 const char *optstr,
char **value,
char **
offset,
char **nbytes_str)
319 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
322 char *test_value = NULL;
323 char *data_offset = NULL;
328 const char *str_ptr = NULL;
329 pcre2_match_data *match = NULL;
333 if (ret < 4 || ret > 9) {
334 SCLogError(
"parse error, ret %" PRId32
", string %s", ret, optstr);
339 for (i = 0; i < (ret - 1); i++) {
340 res = pcre2_substring_get_bynumber(match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
342 SCLogError(
"pcre2_substring_get_bynumber failed "
349 test_value = (
char *) str_ptr;
350 data_offset =
SCStrdup((
char *) str_ptr);
351 if (data_offset == NULL) {
355 args[i] = (
char *)str_ptr;
378 if (args[0][0] !=
'-' && isalpha((
unsigned char)args[0][0])) {
379 if (nbytes_str == NULL) {
381 "var name for nbytes. \"value\" argument supplied to "
382 "this function has to be non-NULL");
386 if (*nbytes_str == NULL)
391 SCLogError(
"Malformed number of bytes: %s", str_ptr);
398 if (args[1] != NULL) {
401 if (args[1][op_offset] ==
'!') {
403 op_ptr = &args[1][1];
404 while (isspace((
char)*op_ptr) || (*op_ptr ==
',')) op_ptr++;
405 op_offset = (uint32_t)(op_ptr - &args[1][0]);
409 op_ptr = args[1] + op_offset;
410 if ((strcmp(
"=", op_ptr) == 0) || (data->
neg_op
411 && strcmp(
"", op_ptr) == 0)) {
413 }
else if (strcmp(
"<", op_ptr) == 0) {
415 }
else if (strcmp(
">", op_ptr) == 0) {
417 }
else if (strcmp(
"&", op_ptr) == 0) {
419 }
else if (strcmp(
"^", op_ptr) == 0) {
421 }
else if (strcmp(
">=", op_ptr) == 0) {
423 }
else if (strcmp(
"<=", op_ptr) == 0) {
437 char *end_ptr = test_value;
438 while (!(isspace((
unsigned char)*end_ptr) || (*end_ptr ==
','))) end_ptr++;
441 if (test_value[0] !=
'-' && isalpha((
unsigned char)test_value[0])) {
444 "var name for value. \"value\" argument supplied to "
445 "this function has to be non-NULL");
453 SCLogError(
"Malformed value: %s", test_value);
461 char *end_ptr = data_offset;
462 while (!(isspace((
unsigned char)*end_ptr) || (*end_ptr ==
','))) end_ptr++;
464 while (isspace((
unsigned char)*str_ptr) || (*str_ptr ==
',')) str_ptr++;
465 end_ptr = (
char *)str_ptr;
466 while (!(isspace((
unsigned char)*end_ptr) || (*end_ptr ==
',')) && (*end_ptr !=
'\0'))
468 memmove(data_offset, str_ptr, end_ptr - str_ptr);
469 data_offset[end_ptr-str_ptr] =
'\0';
470 if (data_offset[0] !=
'-' && isalpha((
unsigned char)data_offset[0])) {
471 if (data_offset == NULL) {
473 "var name for offset. \"offset\" argument supplied to "
474 "this function has to be non-NULL");
482 SCLogError(
"Malformed offset: %s", data_offset);
490 int bitmask_index = -1;
491 for (i = 3; i < (ret - 1); i++) {
492 if (args[i] != NULL) {
493 if (strcmp(
"relative", args[i]) == 0) {
495 }
else if (strcasecmp(
"string", args[i]) == 0) {
497 }
else if (strcasecmp(
"dec", args[i]) == 0) {
499 }
else if (strcasecmp(
"hex", args[i]) == 0) {
501 }
else if (strcasecmp(
"oct", args[i]) == 0) {
503 }
else if (strcasecmp(
"big", args[i]) == 0) {
508 }
else if (strcasecmp(
"little", args[i]) == 0) {
510 }
else if (strcasecmp(
"dce", args[i]) == 0) {
512 }
else if (strncasecmp(
"bitmask", args[i], strlen(
"bitmask")) == 0) {
523 if (!DetectBytetestValidateNbytes(data, nbytes, optstr)) {
528 data->
nbytes = (uint8_t)nbytes;
533 SCLogError(
"Malformed bitmask value: %s", args[bitmask_index] + strlen(
"bitmask"));
541 uint32_t bmask = data->
bitmask;
542 while (!(bmask & 0x1)){
549 for (i = 0; i < (ret - 1); i++){
551 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
553 if (data_offset)
SCFree(data_offset);
555 pcre2_substring_free((PCRE2_UCHAR8 *)test_value);
556 pcre2_match_data_free(match);
560 for (i = 0; i < (ret - 1); i++){
562 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
564 if (data_offset)
SCFree(data_offset);
566 pcre2_substring_free((PCRE2_UCHAR8 *)test_value);
569 pcre2_match_data_free(match);
603 if (prev_pm == NULL) {
622 if (prev_pm == NULL) {
642 "A byte_test keyword with dce holds other invalid modifiers.");
651 "seen in byte_test - %s",
665 "seen in byte_test - %s",
675 if (nbytes != NULL) {
679 "seen in byte_test - %s",
717 DetectBytetestFree(
de_ctx, data);
741 static int g_file_data_buffer_id = 0;
742 static int g_dce_stub_data_buffer_id = 0;
748 static int DetectBytetestTestParse01(
void)
751 data = DetectBytetestParse(
"4, =, 1 , 0", NULL, NULL, NULL);
753 DetectBytetestFree(NULL, data);
760 static int DetectBytetestTestParse02(
void)
763 data = DetectBytetestParse(
"4, !=, 1, 0", NULL, NULL, NULL);
772 DetectBytetestFree(NULL, data);
779 static int DetectBytetestTestParse03(
void)
782 data = DetectBytetestParse(
"4, !=, 1, 0, relative", NULL, NULL, NULL);
792 DetectBytetestFree(NULL, data);
799 static int DetectBytetestTestParse04(
void)
802 data = DetectBytetestParse(
"4, !=, 1, 0, string, oct", NULL, NULL, NULL);
811 DetectBytetestFree(NULL, data);
818 static int DetectBytetestTestParse05(
void)
821 data = DetectBytetestParse(
"4, =, 1, 0, string, dec", NULL, NULL, NULL);
829 DetectBytetestFree(NULL, data);
836 static int DetectBytetestTestParse06(
void)
839 data = DetectBytetestParse(
"4, >, 1, 0, string, hex", NULL, NULL, NULL);
847 DetectBytetestFree(NULL, data);
854 static int DetectBytetestTestParse07(
void)
857 data = DetectBytetestParse(
"4, <, 5, 0, big", NULL, NULL, NULL);
865 DetectBytetestFree(NULL, data);
872 static int DetectBytetestTestParse08(
void)
875 data = DetectBytetestParse(
"4, <, 5, 0, little", NULL, NULL, NULL);
884 DetectBytetestFree(NULL, data);
891 static int DetectBytetestTestParse09(
void)
894 data = DetectBytetestParse(
"4, !, 5, 0", NULL, NULL, NULL);
902 DetectBytetestFree(NULL, data);
909 static int DetectBytetestTestParse10(
void)
912 data = DetectBytetestParse(
" 4 , ! &, 5 , 0 , little ", NULL, NULL, NULL);
922 DetectBytetestFree(NULL, data);
929 static int DetectBytetestTestParse11(
void)
932 data = DetectBytetestParse(
"4,!^,5,0,little,string,relative,hex", NULL, NULL, NULL);
943 DetectBytetestFree(NULL, data);
950 static int DetectBytetestTestParse12(
void)
953 data = DetectBytetestParse(
"4, =, 1, 0, hex", NULL, NULL, NULL);
962 static int DetectBytetestTestParse13(
void)
965 data = DetectBytetestParse(
"9, =, 1, 0", NULL, NULL, NULL);
973 static int DetectBytetestTestParse14(
void)
976 data = DetectBytetestParse(
"23,=,0xffffffffffffffffULL,0,string,oct", NULL, NULL, NULL);
985 DetectBytetestFree(NULL, data);
992 static int DetectBytetestTestParse15(
void)
995 data = DetectBytetestParse(
"24, =, 0xffffffffffffffffULL, 0, string", NULL, NULL, NULL);
1004 static int DetectBytetestTestParse16(
void)
1007 data = DetectBytetestParse(
"4,=,0,0xffffffffffffffffULL", NULL, NULL, NULL);
1016 static int DetectBytetestTestParse17(
void)
1019 data = DetectBytetestParse(
"4, <, 5, 0, dce", NULL, NULL, NULL);
1027 DetectBytetestFree(NULL, data);
1034 static int DetectBytetestTestParse18(
void)
1037 data = DetectBytetestParse(
"4, <, 5, 0", NULL, NULL, NULL);
1045 DetectBytetestFree(NULL, data);
1052 static int DetectBytetestTestParse19(
void)
1059 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,dce") == 0);
1060 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,string,dce") == -1);
1061 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,big,dce") == -1);
1062 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,little,dce") == -1);
1063 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,hex,dce") == -1);
1064 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,oct,dce") == -1);
1065 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,dec,dce") == -1);
1074 static int DetectBytetestTestParse20(
void)
1085 "(msg:\"Testing bytetest_body\"; "
1086 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1088 "content:\"one\"; distance:0; "
1089 "byte_test:1,=,1,6,relative,dce; sid:1;)");
1108 "(msg:\"Testing bytetest_body\"; "
1109 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1111 "content:\"one\"; distance:0; "
1112 "byte_test:1,=,1,6,relative,dce; sid:1;)");
1130 "(msg:\"Testing bytetest_body\"; "
1131 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1133 "content:\"one\"; distance:0; "
1134 "byte_test:1,=,1,6,relative; sid:1;)");
1160 static int DetectBytetestTestParse21(
void)
1170 "(msg:\"Testing bytetest_body\"; "
1171 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1172 "content:\"one\"; byte_test:1,=,1,6,string,dce; sid:1;)");
1176 "(msg:\"Testing bytetest_body\"; "
1177 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1178 "content:\"one\"; byte_test:1,=,1,6,big,dce; sid:1;)");
1182 "(msg:\"Testing bytetest_body\"; "
1183 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1184 "content:\"one\"; byte_test:1,=,1,6,little,dce; sid:1;)");
1188 "(msg:\"Testing bytetest_body\"; "
1189 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1190 "content:\"one\"; byte_test:1,=,1,6,hex,dce; sid:1;)");
1194 "(msg:\"Testing bytetest_body\"; "
1195 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1196 "content:\"one\"; byte_test:1,=,1,6,dec,dce; sid:1;)");
1200 "(msg:\"Testing bytetest_body\"; "
1201 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1202 "content:\"one\"; byte_test:1,=,1,6,oct,dce; sid:1;)");
1206 "(msg:\"Testing bytetest_body\"; "
1207 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1208 "content:\"one\"; byte_test:1,=,1,6,string,hex,dce; sid:1;)");
1212 "(msg:\"Testing bytetest_body\"; "
1213 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1214 "content:\"one\"; byte_test:1,=,1,6,big,string,hex,dce; sid:1;)");
1218 "(msg:\"Testing bytetest_body\"; "
1219 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1220 "content:\"one\"; byte_test:1,=,1,6,big,string,oct,dce; sid:1;)");
1224 "(msg:\"Testing bytetest_body\"; "
1225 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1226 "content:\"one\"; byte_test:1,=,1,6,little,string,hex,dce; sid:1;)");
1230 "(msg:\"Testing bytetest_body\"; "
1231 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1232 "content:\"one\"; byte_test:1,=,1,6,big,string,dec,dce; sid:1;)");
1245 static int DetectBytetestTestParse22(
void)
1256 "(file_data; byte_test:1,=,1,6,relative; sid:1;)");
1281 static int DetectBytetestTestParse23(
void)
1284 data = DetectBytetestParse(
"4, <, 5, 0, bitmask 0xf8", NULL, NULL, NULL);
1295 DetectBytetestFree(NULL, data);
1303 static int DetectBytetestTestParse24(
void)
1306 data = DetectBytetestParse(
1307 "4, !<, 5, 0, relative,string,hex, big, bitmask 0xf8", NULL, NULL, NULL);
1321 DetectBytetestFree(NULL, data);
1329 static void DetectBytetestRegisterTests(
void)
1334 UtRegisterTest(
"DetectBytetestTestParse01", DetectBytetestTestParse01);
1335 UtRegisterTest(
"DetectBytetestTestParse02", DetectBytetestTestParse02);
1336 UtRegisterTest(
"DetectBytetestTestParse03", DetectBytetestTestParse03);
1337 UtRegisterTest(
"DetectBytetestTestParse04", DetectBytetestTestParse04);
1338 UtRegisterTest(
"DetectBytetestTestParse05", DetectBytetestTestParse05);
1339 UtRegisterTest(
"DetectBytetestTestParse06", DetectBytetestTestParse06);
1340 UtRegisterTest(
"DetectBytetestTestParse07", DetectBytetestTestParse07);
1341 UtRegisterTest(
"DetectBytetestTestParse08", DetectBytetestTestParse08);
1342 UtRegisterTest(
"DetectBytetestTestParse09", DetectBytetestTestParse09);
1343 UtRegisterTest(
"DetectBytetestTestParse10", DetectBytetestTestParse10);
1344 UtRegisterTest(
"DetectBytetestTestParse11", DetectBytetestTestParse11);
1345 UtRegisterTest(
"DetectBytetestTestParse12", DetectBytetestTestParse12);
1346 UtRegisterTest(
"DetectBytetestTestParse13", DetectBytetestTestParse13);
1347 UtRegisterTest(
"DetectBytetestTestParse14", DetectBytetestTestParse14);
1348 UtRegisterTest(
"DetectBytetestTestParse15", DetectBytetestTestParse15);
1349 UtRegisterTest(
"DetectBytetestTestParse16", DetectBytetestTestParse16);
1350 UtRegisterTest(
"DetectBytetestTestParse17", DetectBytetestTestParse17);
1351 UtRegisterTest(
"DetectBytetestTestParse18", DetectBytetestTestParse18);
1352 UtRegisterTest(
"DetectBytetestTestParse19", DetectBytetestTestParse19);
1353 UtRegisterTest(
"DetectBytetestTestParse20", DetectBytetestTestParse20);
1354 UtRegisterTest(
"DetectBytetestTestParse21", DetectBytetestTestParse21);
1355 UtRegisterTest(
"DetectBytetestTestParse22", DetectBytetestTestParse22);
1356 UtRegisterTest(
"DetectBytetestTestParse23", DetectBytetestTestParse23);
1357 UtRegisterTest(
"DetectBytetestTestParse24", DetectBytetestTestParse24);