57 #define VALID_KW "relative|big|little|string|oct|dec|hex|dce|bitmask"
58 #define PARSE_REGEX "^\\s*" \
59 "([^\\s,]+)\\s*,\\s*" \
60 "(\\!?\\s*[^\\s,]*)" \
61 "\\s*,\\s*([^\\s,]+\\s*,\\s*[^\\s,]+)" \
62 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
63 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
64 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
65 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
66 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
67 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
75 static void DetectBytetestRegisterTests(
void);
81 sigmatch_table[
DETECT_BYTETEST].
desc =
"extract <num of bytes> and perform an operation selected with <operator> against the value in <test value> at a particular <offset>";
100 static inline bool DetectBytetestValidateNbytesOnly(
const DetectBytetestData *data, int32_t nbytes)
105 static bool DetectBytetestValidateNbytes(
108 if (!DetectBytetestValidateNbytesOnly(data, nbytes)) {
118 SCLogError(
"Cannot test more than 23 bytes with \"string\": %s", optstr);
122 SCLogError(
"Cannot test more than 8 bytes without \"string\": %s", optstr);
125 SCLogError(
"Cannot use a base without \"string\": %s", optstr);
135 SCLogError(
"Cannot use a base without \"string\": %s", optstr);
157 int32_t
offset, int32_t nbytes, uint64_t value)
167 if (!DetectBytetestValidateNbytesOnly(data, nbytes)) {
168 SCLogDebug(
"Invalid byte_test nbytes seen in byte_test - %d", nbytes);
173 const uint8_t *ptr = NULL;
184 SCLogDebug(
"relative, working with det_ctx->buffer_offset %"PRIu32
", "
194 if (ptr == NULL ||
len <= 0) {
208 if (ptr < payload || nbytes >
len) {
209 SCLogDebug(
"Data not within payload pkt=%p, ptr=%p, len=%" PRIu32
", nbytes=%d", payload,
226 "bytes of string data: %d",
232 SCLogDebug(
"comparing base %d string 0x%" PRIx64
" %s%u 0x%" PRIx64,
233 data->
base, val, (neg ?
"!" :
""), data->
op, data->
value);
239 if (extbytes != nbytes) {
241 "of numeric data: %d",
246 SCLogDebug(
"comparing numeric 0x%" PRIx64
" %s%u 0x%" PRIx64,
247 val, (neg ?
"!" :
""), data->
op, data->
value);
304 if ((!neg && match) || (neg && !match)) {
305 SCLogDebug(
"MATCH [bt] extracted value is %"PRIu64, val);
315 const char *optstr,
char **value,
char **
offset,
char **nbytes_str)
319 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
322 char *test_value = NULL;
323 char *data_offset = NULL;
328 const char *str_ptr = NULL;
329 pcre2_match_data *match = NULL;
333 if (ret < 4 || ret > 9) {
334 SCLogError(
"parse error, ret %" PRId32
", string %s", ret, optstr);
339 for (i = 0; i < (ret - 1); i++) {
340 res = pcre2_substring_get_bynumber(match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
342 SCLogError(
"pcre2_substring_get_bynumber failed "
349 test_value = (
char *) str_ptr;
350 data_offset =
SCStrdup((
char *) str_ptr);
351 if (data_offset == NULL) {
355 args[i] = (
char *)str_ptr;
378 if (args[0][0] !=
'-' && isalpha((
unsigned char)args[0][0])) {
379 if (nbytes_str == NULL) {
381 "var name for nbytes. \"value\" argument supplied to "
382 "this function has to be non-NULL");
386 if (*nbytes_str == NULL)
391 SCLogError(
"Malformed number of bytes: %s", str_ptr);
398 if (args[1] != NULL) {
401 if (args[1][op_offset] ==
'!') {
403 op_ptr = &args[1][1];
404 while (isspace((
char)*op_ptr) || (*op_ptr ==
',')) op_ptr++;
405 op_offset = (uint32_t)(op_ptr - &args[1][0]);
409 op_ptr = args[1] + op_offset;
410 if ((strcmp(
"=", op_ptr) == 0) || (data->
neg_op
411 && strcmp(
"", op_ptr) == 0)) {
413 }
else if (strcmp(
"<", op_ptr) == 0) {
415 }
else if (strcmp(
">", op_ptr) == 0) {
417 }
else if (strcmp(
"&", op_ptr) == 0) {
419 }
else if (strcmp(
"^", op_ptr) == 0) {
421 }
else if (strcmp(
">=", op_ptr) == 0) {
423 }
else if (strcmp(
"<=", op_ptr) == 0) {
437 char *end_ptr = test_value;
438 while (!(isspace((
unsigned char)*end_ptr) || (*end_ptr ==
','))) end_ptr++;
441 if (test_value[0] !=
'-' && isalpha((
unsigned char)test_value[0])) {
444 "var name for value. \"value\" argument supplied to "
445 "this function has to be non-NULL");
453 SCLogError(
"Malformed value: %s", test_value);
461 char *end_ptr = data_offset;
462 while (!(isspace((
unsigned char)*end_ptr) || (*end_ptr ==
','))) end_ptr++;
464 while (isspace((
unsigned char)*str_ptr) || (*str_ptr ==
',')) str_ptr++;
465 end_ptr = (
char *)str_ptr;
466 while (!(isspace((
unsigned char)*end_ptr) || (*end_ptr ==
',')) && (*end_ptr !=
'\0'))
468 memmove(data_offset, str_ptr, end_ptr - str_ptr);
469 data_offset[end_ptr-str_ptr] =
'\0';
470 if (data_offset[0] !=
'-' && isalpha((
unsigned char)data_offset[0])) {
471 if (data_offset == NULL) {
473 "var name for offset. \"offset\" argument supplied to "
474 "this function has to be non-NULL");
482 SCLogError(
"Malformed offset: %s", data_offset);
490 int bitmask_index = -1;
491 for (i = 3; i < (ret - 1); i++) {
492 if (args[i] != NULL) {
493 if (strcmp(
"relative", args[i]) == 0) {
495 }
else if (strcasecmp(
"string", args[i]) == 0) {
497 }
else if (strcasecmp(
"dec", args[i]) == 0) {
499 }
else if (strcasecmp(
"hex", args[i]) == 0) {
501 }
else if (strcasecmp(
"oct", args[i]) == 0) {
503 }
else if (strcasecmp(
"big", args[i]) == 0) {
508 }
else if (strcasecmp(
"little", args[i]) == 0) {
510 }
else if (strcasecmp(
"dce", args[i]) == 0) {
512 }
else if (strncasecmp(
"bitmask", args[i], strlen(
"bitmask")) == 0) {
523 if (!DetectBytetestValidateNbytes(data, nbytes, optstr)) {
528 data->
nbytes = (uint8_t)nbytes;
533 SCLogError(
"Malformed bitmask value: %s", args[bitmask_index] + strlen(
"bitmask"));
541 uint32_t bmask = data->
bitmask;
542 while (!(bmask & 0x1)){
549 for (i = 0; i < (ret - 1); i++){
551 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
553 if (data_offset)
SCFree(data_offset);
555 pcre2_substring_free((PCRE2_UCHAR8 *)test_value);
556 pcre2_match_data_free(match);
560 for (i = 0; i < (ret - 1); i++){
562 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
564 if (data_offset)
SCFree(data_offset);
566 pcre2_substring_free((PCRE2_UCHAR8 *)test_value);
569 pcre2_match_data_free(match);
603 if (prev_pm == NULL) {
622 if (prev_pm == NULL) {
642 "A byte_test keyword with dce holds other invalid modifiers.");
651 "seen in byte_test - %s",
665 "seen in byte_test - %s",
675 if (nbytes != NULL) {
679 "seen in byte_test - %s",
716 DetectBytetestFree(
de_ctx, data);
740 static int g_file_data_buffer_id = 0;
741 static int g_dce_stub_data_buffer_id = 0;
747 static int DetectBytetestTestParse01(
void)
750 data = DetectBytetestParse(
"4, =, 1 , 0", NULL, NULL, NULL);
752 DetectBytetestFree(NULL, data);
759 static int DetectBytetestTestParse02(
void)
762 data = DetectBytetestParse(
"4, !=, 1, 0", NULL, NULL, NULL);
771 DetectBytetestFree(NULL, data);
778 static int DetectBytetestTestParse03(
void)
781 data = DetectBytetestParse(
"4, !=, 1, 0, relative", NULL, NULL, NULL);
791 DetectBytetestFree(NULL, data);
798 static int DetectBytetestTestParse04(
void)
801 data = DetectBytetestParse(
"4, !=, 1, 0, string, oct", NULL, NULL, NULL);
810 DetectBytetestFree(NULL, data);
817 static int DetectBytetestTestParse05(
void)
820 data = DetectBytetestParse(
"4, =, 1, 0, string, dec", NULL, NULL, NULL);
828 DetectBytetestFree(NULL, data);
835 static int DetectBytetestTestParse06(
void)
838 data = DetectBytetestParse(
"4, >, 1, 0, string, hex", NULL, NULL, NULL);
846 DetectBytetestFree(NULL, data);
853 static int DetectBytetestTestParse07(
void)
856 data = DetectBytetestParse(
"4, <, 5, 0, big", NULL, NULL, NULL);
864 DetectBytetestFree(NULL, data);
871 static int DetectBytetestTestParse08(
void)
874 data = DetectBytetestParse(
"4, <, 5, 0, little", NULL, NULL, NULL);
883 DetectBytetestFree(NULL, data);
890 static int DetectBytetestTestParse09(
void)
893 data = DetectBytetestParse(
"4, !, 5, 0", NULL, NULL, NULL);
901 DetectBytetestFree(NULL, data);
908 static int DetectBytetestTestParse10(
void)
911 data = DetectBytetestParse(
" 4 , ! &, 5 , 0 , little ", NULL, NULL, NULL);
921 DetectBytetestFree(NULL, data);
928 static int DetectBytetestTestParse11(
void)
931 data = DetectBytetestParse(
"4,!^,5,0,little,string,relative,hex", NULL, NULL, NULL);
942 DetectBytetestFree(NULL, data);
949 static int DetectBytetestTestParse12(
void)
952 data = DetectBytetestParse(
"4, =, 1, 0, hex", NULL, NULL, NULL);
961 static int DetectBytetestTestParse13(
void)
964 data = DetectBytetestParse(
"9, =, 1, 0", NULL, NULL, NULL);
972 static int DetectBytetestTestParse14(
void)
975 data = DetectBytetestParse(
"23,=,0xffffffffffffffffULL,0,string,oct", NULL, NULL, NULL);
984 DetectBytetestFree(NULL, data);
991 static int DetectBytetestTestParse15(
void)
994 data = DetectBytetestParse(
"24, =, 0xffffffffffffffffULL, 0, string", NULL, NULL, NULL);
1003 static int DetectBytetestTestParse16(
void)
1006 data = DetectBytetestParse(
"4,=,0,0xffffffffffffffffULL", NULL, NULL, NULL);
1015 static int DetectBytetestTestParse17(
void)
1018 data = DetectBytetestParse(
"4, <, 5, 0, dce", NULL, NULL, NULL);
1026 DetectBytetestFree(NULL, data);
1033 static int DetectBytetestTestParse18(
void)
1036 data = DetectBytetestParse(
"4, <, 5, 0", NULL, NULL, NULL);
1044 DetectBytetestFree(NULL, data);
1051 static int DetectBytetestTestParse19(
void)
1058 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,dce") == 0);
1059 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,string,dce") == -1);
1060 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,big,dce") == -1);
1061 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,little,dce") == -1);
1062 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,hex,dce") == -1);
1063 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,oct,dce") == -1);
1064 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,dec,dce") == -1);
1073 static int DetectBytetestTestParse20(
void)
1084 "(msg:\"Testing bytetest_body\"; "
1085 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1087 "content:\"one\"; distance:0; "
1088 "byte_test:1,=,1,6,relative,dce; sid:1;)");
1107 "(msg:\"Testing bytetest_body\"; "
1108 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1110 "content:\"one\"; distance:0; "
1111 "byte_test:1,=,1,6,relative,dce; sid:1;)");
1129 "(msg:\"Testing bytetest_body\"; "
1130 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1132 "content:\"one\"; distance:0; "
1133 "byte_test:1,=,1,6,relative; sid:1;)");
1159 static int DetectBytetestTestParse21(
void)
1169 "(msg:\"Testing bytetest_body\"; "
1170 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1171 "content:\"one\"; byte_test:1,=,1,6,string,dce; sid:1;)");
1175 "(msg:\"Testing bytetest_body\"; "
1176 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1177 "content:\"one\"; byte_test:1,=,1,6,big,dce; sid:1;)");
1181 "(msg:\"Testing bytetest_body\"; "
1182 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1183 "content:\"one\"; byte_test:1,=,1,6,little,dce; sid:1;)");
1187 "(msg:\"Testing bytetest_body\"; "
1188 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1189 "content:\"one\"; byte_test:1,=,1,6,hex,dce; sid:1;)");
1193 "(msg:\"Testing bytetest_body\"; "
1194 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1195 "content:\"one\"; byte_test:1,=,1,6,dec,dce; sid:1;)");
1199 "(msg:\"Testing bytetest_body\"; "
1200 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1201 "content:\"one\"; byte_test:1,=,1,6,oct,dce; sid:1;)");
1205 "(msg:\"Testing bytetest_body\"; "
1206 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1207 "content:\"one\"; byte_test:1,=,1,6,string,hex,dce; sid:1;)");
1211 "(msg:\"Testing bytetest_body\"; "
1212 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1213 "content:\"one\"; byte_test:1,=,1,6,big,string,hex,dce; sid:1;)");
1217 "(msg:\"Testing bytetest_body\"; "
1218 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1219 "content:\"one\"; byte_test:1,=,1,6,big,string,oct,dce; sid:1;)");
1223 "(msg:\"Testing bytetest_body\"; "
1224 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1225 "content:\"one\"; byte_test:1,=,1,6,little,string,hex,dce; sid:1;)");
1229 "(msg:\"Testing bytetest_body\"; "
1230 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1231 "content:\"one\"; byte_test:1,=,1,6,big,string,dec,dce; sid:1;)");
1244 static int DetectBytetestTestParse22(
void)
1255 "(file_data; byte_test:1,=,1,6,relative; sid:1;)");
1280 static int DetectBytetestTestParse23(
void)
1283 data = DetectBytetestParse(
"4, <, 5, 0, bitmask 0xf8", NULL, NULL, NULL);
1294 DetectBytetestFree(NULL, data);
1302 static int DetectBytetestTestParse24(
void)
1305 data = DetectBytetestParse(
1306 "4, !<, 5, 0, relative,string,hex, big, bitmask 0xf8", NULL, NULL, NULL);
1320 DetectBytetestFree(NULL, data);
1328 static void DetectBytetestRegisterTests(
void)
1333 UtRegisterTest(
"DetectBytetestTestParse01", DetectBytetestTestParse01);
1334 UtRegisterTest(
"DetectBytetestTestParse02", DetectBytetestTestParse02);
1335 UtRegisterTest(
"DetectBytetestTestParse03", DetectBytetestTestParse03);
1336 UtRegisterTest(
"DetectBytetestTestParse04", DetectBytetestTestParse04);
1337 UtRegisterTest(
"DetectBytetestTestParse05", DetectBytetestTestParse05);
1338 UtRegisterTest(
"DetectBytetestTestParse06", DetectBytetestTestParse06);
1339 UtRegisterTest(
"DetectBytetestTestParse07", DetectBytetestTestParse07);
1340 UtRegisterTest(
"DetectBytetestTestParse08", DetectBytetestTestParse08);
1341 UtRegisterTest(
"DetectBytetestTestParse09", DetectBytetestTestParse09);
1342 UtRegisterTest(
"DetectBytetestTestParse10", DetectBytetestTestParse10);
1343 UtRegisterTest(
"DetectBytetestTestParse11", DetectBytetestTestParse11);
1344 UtRegisterTest(
"DetectBytetestTestParse12", DetectBytetestTestParse12);
1345 UtRegisterTest(
"DetectBytetestTestParse13", DetectBytetestTestParse13);
1346 UtRegisterTest(
"DetectBytetestTestParse14", DetectBytetestTestParse14);
1347 UtRegisterTest(
"DetectBytetestTestParse15", DetectBytetestTestParse15);
1348 UtRegisterTest(
"DetectBytetestTestParse16", DetectBytetestTestParse16);
1349 UtRegisterTest(
"DetectBytetestTestParse17", DetectBytetestTestParse17);
1350 UtRegisterTest(
"DetectBytetestTestParse18", DetectBytetestTestParse18);
1351 UtRegisterTest(
"DetectBytetestTestParse19", DetectBytetestTestParse19);
1352 UtRegisterTest(
"DetectBytetestTestParse20", DetectBytetestTestParse20);
1353 UtRegisterTest(
"DetectBytetestTestParse21", DetectBytetestTestParse21);
1354 UtRegisterTest(
"DetectBytetestTestParse22", DetectBytetestTestParse22);
1355 UtRegisterTest(
"DetectBytetestTestParse23", DetectBytetestTestParse23);
1356 UtRegisterTest(
"DetectBytetestTestParse24", DetectBytetestTestParse24);