suricata
detect-bytetest.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  * \author Jeff Lucovsky <jeff@lucovsky.org>
23  *
24  * Implements byte_test keyword.
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 #include "detect-engine.h"
32 #include "detect-parse.h"
33 
34 #include "detect-content.h"
35 #include "detect-uricontent.h"
36 #include "detect-bytetest.h"
37 #include "detect-bytejump.h"
38 #include "detect-byte-extract.h"
39 #include "app-layer.h"
40 
41 #include "util-byte.h"
42 #include "util-unittest.h"
43 #include "util-debug.h"
44 #include "detect-pcre.h"
45 
46 
47 /**
48  * \brief Regex for parsing our options
49  */
50 /** \todo We probably just need a simple tokenizer here */
51 
52 /* PCRE supports 9 substrings so the 2nd and 3rd (negation, operator) and
53  * 4th and 5th (test value, offset) are combined
54  */
55 #define VALID_KW "relative|big|little|string|oct|dec|hex|dce|bitmask"
56 #define PARSE_REGEX "^\\s*" \
57  "([^\\s,]+)\\s*,\\s*" \
58  "(\\!?\\s*[^\\s,]*)" \
59  "\\s*,\\s*([^\\s,]+\\s*,\\s*[^\\s,]+)" \
60  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
61  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
62  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
63  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
64  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
65  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
66  "\\s*$"
67 
68 static DetectParseRegex parse_regex;
69 
70 static int DetectBytetestMatch(DetectEngineThreadCtx *det_ctx,
71  Packet *p, const Signature *s, const SigMatchCtx *ctx);
72 static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr);
73 static void DetectBytetestFree(DetectEngineCtx *, void *ptr);
74 static void DetectBytetestRegisterTests(void);
75 
76 void DetectBytetestRegister (void)
77 {
78  sigmatch_table[DETECT_BYTETEST].name = "byte_test";
79  sigmatch_table[DETECT_BYTETEST].desc = "extract <num of bytes> and perform an operation selected with <operator> against the value in <test value> at a particular <offset>";
80  sigmatch_table[DETECT_BYTETEST].url = "/rules/payload-keywords.html#byte-test";
81  sigmatch_table[DETECT_BYTETEST].Match = DetectBytetestMatch;
82  sigmatch_table[DETECT_BYTETEST].Setup = DetectBytetestSetup;
83  sigmatch_table[DETECT_BYTETEST].Free = DetectBytetestFree;
84  sigmatch_table[DETECT_BYTETEST].RegisterTests = DetectBytetestRegisterTests;
85 
86  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
87 }
88 
89 /** \brief Bytetest detection code
90  *
91  * Byte test works on the packet payload.
92  *
93  * \param det_ctx thread de ctx
94  * \param s signature
95  * \param m sigmatch for this bytettest
96  * \param payload ptr to the start of the buffer to inspect
97  * \param payload_len length of the payload
98  * \retval 1 match
99  * \retval 0 no match
100  */
101 int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx,
102  const Signature *s, const SigMatchCtx *ctx,
103  const uint8_t *payload, uint32_t payload_len,
104  uint8_t flags, int32_t offset, uint64_t value)
105 {
106  SCEnter();
107 
108  const DetectBytetestData *data = (const DetectBytetestData *)ctx;
109  const uint8_t *ptr = NULL;
110  int32_t len = 0;
111  uint64_t val = 0;
112  int extbytes;
113  int neg;
114  int match;
115 
116  if (payload_len == 0) {
117  SCReturnInt(0);
118  }
119 
120  /* Calculate the ptr value for the bytetest and length remaining in
121  * the packet from that point.
122  */
123  if (flags & DETECT_BYTETEST_RELATIVE) {
124  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
125  "data->offset %"PRIi32"", det_ctx->buffer_offset, data->offset);
126 
127  ptr = payload + det_ctx->buffer_offset;
128  len = payload_len - det_ctx->buffer_offset;
129 
130  ptr += offset;
131  len -= offset;
132 
133  /* No match if there is no relative base */
134  if (ptr == NULL || len <= 0) {
135  SCReturnInt(0);
136  }
137  }
138  else {
139  SCLogDebug("absolute, data->offset %"PRIi32"", data->offset);
140 
141  ptr = payload + offset;
142  len = payload_len - offset;
143  }
144 
145  /* Validate that the to-be-extracted is within the packet
146  * \todo Should this validate it is in the *payload*?
147  */
148  if (ptr < payload || data->nbytes > len) {
149  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
150  payload, ptr, len, data->nbytes);
151  SCReturnInt(0);
152  }
153 
154  neg = data->neg_op;
155 
156  /* Extract the byte data */
157  if (flags & DETECT_BYTETEST_STRING) {
158  extbytes = ByteExtractStringUint64(&val, data->base,
159  data->nbytes, (const char *)ptr);
160  if (extbytes <= 0) {
161  /* ByteExtractStringUint64() returns 0 if there is no numeric value in data string */
162  if (val == 0) {
163  SCLogDebug("No Numeric value");
164  SCReturnInt(0);
165  } else {
166  SCLogDebug("error extracting %d "
167  "bytes of string data: %d", data->nbytes, extbytes);
168  SCReturnInt(-1);
169  }
170  }
171 
172  SCLogDebug("comparing base %d string 0x%" PRIx64 " %s%u 0x%" PRIx64,
173  data->base, val, (neg ? "!" : ""), data->op, data->value);
174  }
175  else {
176  int endianness = (flags & DETECT_BYTETEST_LITTLE) ?
177  BYTE_LITTLE_ENDIAN : BYTE_BIG_ENDIAN;
178  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
179  if (extbytes != data->nbytes) {
180  SCLogDebug("error extracting %d bytes "
181  "of numeric data: %d", data->nbytes, extbytes);
182  SCReturnInt(-1);
183  }
184 
185  SCLogDebug("comparing numeric 0x%" PRIx64 " %s%u 0x%" PRIx64,
186  val, (neg ? "!" : ""), data->op, data->value);
187  }
188 
189  /* apply bitmask, if any and then right-shift 1 bit for each trailing 0 in
190  * the bitmask. Note that it's one right shift for each trailing zero (not bit).
191  */
192  if (flags & DETECT_BYTETEST_BITMASK) {
193  val &= data->bitmask;
194  if (val && data->bitmask_shift_count) {
195  val = val >> data->bitmask_shift_count;
196  }
197  }
198 
199  /* Compare using the configured operator */
200  match = 0;
201  switch (data->op) {
202  case DETECT_BYTETEST_OP_EQ:
203  if (val == value) {
204  match = 1;
205  }
206  break;
207  case DETECT_BYTETEST_OP_LT:
208  if (val < value) {
209  match = 1;
210  }
211  break;
212  case DETECT_BYTETEST_OP_GT:
213  if (val > value) {
214  match = 1;
215  }
216  break;
217  case DETECT_BYTETEST_OP_AND:
218  if (val & value) {
219  match = 1;
220  }
221  break;
222  case DETECT_BYTETEST_OP_OR:
223  if (val ^ value) {
224  match = 1;
225  }
226  break;
227  case DETECT_BYTETEST_OP_GE:
228  if (val >= value) {
229  match = 1;
230  }
231  break;
232  case DETECT_BYTETEST_OP_LE:
233  if (val <= value) {
234  match = 1;
235  }
236  break;
237  default:
238  /* Should never get here as we handle this in parsing. */
239  SCReturnInt(-1);
240  }
241 
242  /* A successful match depends on negation */
243  if ((!neg && match) || (neg && !match)) {
244  SCLogDebug("MATCH");
245  SCReturnInt(1);
246  }
247 
248  SCLogDebug("NO MATCH");
249  SCReturnInt(0);
250 
251 }
252 
253 static int DetectBytetestMatch(DetectEngineThreadCtx *det_ctx,
254  Packet *p, const Signature *s, const SigMatchCtx *ctx)
255 {
256  return DetectBytetestDoMatch(det_ctx, s, ctx, p->payload, p->payload_len,
257  ((DetectBytetestData *)ctx)->flags, 0, 0);
258 }
259 
260 static DetectBytetestData *DetectBytetestParse(const char *optstr, char **value, char **offset)
261 {
262  DetectBytetestData *data = NULL;
263  char *args[9] = {
264  NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
265  NULL
266  };
267  char *test_value = NULL;
268  char *data_offset = NULL;
269  int ret = 0, res = 0;
270  int ov[MAX_SUBSTRINGS];
271  int i;
272  uint32_t nbytes;
273  const char *str_ptr = NULL;
274 
275  /* Execute the regex and populate args with captures. */
276  ret = DetectParsePcreExec(&parse_regex, optstr, 0, 0, ov, MAX_SUBSTRINGS);
277  if (ret < 4 || ret > 9) {
278  SCLogError(SC_ERR_PCRE_PARSE, "parse error, ret %" PRId32
279  ", string %s", ret, optstr);
280  goto error;
281  }
282 
283  /* Subtract two since two values are conjoined */
284  for (i = 0; i < (ret - 1); i++) {
285  res = pcre_get_substring((char *)optstr, ov, MAX_SUBSTRINGS,
286  i + 1, &str_ptr);
287  if (res < 0) {
288  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed "
289  "for arg %d", i + 1);
290  goto error;
291  }
292  /* args[2] is comma separated test value, offset */
293  if (i == 2) {
294  test_value = (char *) str_ptr;
295  data_offset = SCStrdup((char *) str_ptr);
296  if (data_offset == NULL) {
297  goto error;
298  }
299  } else {
300  args[i] = (char *)str_ptr;
301  }
302  }
303 
304  /* Initialize the data */
305  data = SCMalloc(sizeof(DetectBytetestData));
306  if (unlikely(data == NULL))
307  goto error;
308  data->base = DETECT_BYTETEST_BASE_UNSET;
309  data->flags = 0;
310 
311  /*
312  * The first four options are required and positional. The
313  * remaining arguments are flags and are not positional.
314  *
315  * The first four options have been collected into three
316  * arguments:
317  * - #1 -- byte count
318  * - #2 -- operator, including optional negation (!)
319  * - #3 -- test value and offset, comma separated
320  */
321 
322  /* Number of bytes */
323  if (StringParseUint32(&nbytes, 10, 0, args[0]) <= 0) {
324  SCLogError(SC_ERR_INVALID_VALUE, "Malformed number of bytes: %s", str_ptr);
325  goto error;
326  }
327 
328  /* The operator is the next arg; it may contain a negation ! as the first char */
329  data->op = 0;
330  if (args[1] != NULL) {
331  int op_offset = 0;
332  char *op_ptr;
333  if (args[1][op_offset] == '!') {
334  data->neg_op = true;
335  op_ptr = &args[1][1];
336  while (isspace((char)*op_ptr) || (*op_ptr == ',')) op_ptr++;
337  op_offset = op_ptr - &args[1][0];
338  } else {
339  data->neg_op = false;
340  }
341  op_ptr = args[1] + op_offset;
342  if ((strcmp("=", op_ptr) == 0) || (data->neg_op
343  && strcmp("", op_ptr) == 0)) {
344  data->op |= DETECT_BYTETEST_OP_EQ;
345  } else if (strcmp("<", op_ptr) == 0) {
346  data->op |= DETECT_BYTETEST_OP_LT;
347  } else if (strcmp(">", op_ptr) == 0) {
348  data->op |= DETECT_BYTETEST_OP_GT;
349  } else if (strcmp("&", op_ptr) == 0) {
350  data->op |= DETECT_BYTETEST_OP_AND;
351  } else if (strcmp("^", op_ptr) == 0) {
352  data->op |= DETECT_BYTETEST_OP_OR;
353  } else if (strcmp(">=", op_ptr) == 0) {
354  data->op |= DETECT_BYTETEST_OP_GE;
355  } else if (strcmp("<=", op_ptr) == 0) {
356  data->op |= DETECT_BYTETEST_OP_LE;
357  } else {
358  SCLogError(SC_ERR_INVALID_OPERATOR, "Invalid operator");
359  goto error;
360  }
361  }
362 
363  if (test_value) {
364  /*
365  * test_value was created while fetching strings and contains the test value and offset, comma separated. The
366  * values was allocated by test_value (pcre_get_substring) and data_offset (SCStrdup), respectively; e.g.,
367  * test_value,offset
368  */
369  char *end_ptr = test_value;
370  while (!(isspace((unsigned char)*end_ptr) || (*end_ptr == ','))) end_ptr++;
371  *end_ptr = '\0';
372 
373  if (test_value[0] != '-' && isalpha((unsigned char)test_value[0])) {
374  if (value == NULL) {
375  SCLogError(SC_ERR_INVALID_ARGUMENT, "byte_test supplied with "
376  "var name for value. \"value\" argument supplied to "
377  "this function has to be non-NULL");
378  goto error;
379  }
380  *value = SCStrdup(test_value);
381  if (*value == NULL)
382  goto error;
383  } else {
384  if (StringParseUint64(&data->value, 0, 0, test_value) <= 0) {
385  SCLogError(SC_ERR_INVALID_VALUE, "Malformed value: %s", test_value);
386  goto error;
387  }
388  }
389  }
390 
391  /* Offset -- note that this *also* contains test_value, offset so parse accordingly */
392  if (data_offset) {
393  char *end_ptr = data_offset;
394  while (!(isspace((unsigned char)*end_ptr) || (*end_ptr == ','))) end_ptr++;
395  str_ptr = ++end_ptr;
396  while (isspace((unsigned char)*str_ptr) || (*str_ptr == ',')) str_ptr++;
397  end_ptr = (char *)str_ptr;
398  while (!(isspace((unsigned char)*end_ptr) || (*end_ptr == ',')) && (*end_ptr != '\0'))
399  end_ptr++;
400  memmove(data_offset, str_ptr, end_ptr - str_ptr);
401  data_offset[end_ptr-str_ptr] = '\0';
402  if (data_offset[0] != '-' && isalpha((unsigned char)data_offset[0])) {
403  if (data_offset == NULL) {
404  SCLogError(SC_ERR_INVALID_ARGUMENT, "byte_test supplied with "
405  "var name for offset. \"offset\" argument supplied to "
406  "this function has to be non-NULL");
407  goto error;
408  }
409  *offset = SCStrdup(data_offset);
410  if (*offset == NULL)
411  goto error;
412  } else {
413  if (StringParseInt32(&data->offset, 0, 0, data_offset) <= 0) {
414  SCLogError(SC_ERR_INVALID_VALUE, "Malformed offset: %s", data_offset);
415  goto error;
416  }
417  }
418  }
419 
420  /* The remaining options are flags. */
421  /** \todo Error on dups? */
422  int bitmask_index = -1;
423  for (i = 3; i < (ret - 1); i++) {
424  if (args[i] != NULL) {
425  if (strcmp("relative", args[i]) == 0) {
426  data->flags |= DETECT_BYTETEST_RELATIVE;
427  } else if (strcasecmp("string", args[i]) == 0) {
428  data->flags |= DETECT_BYTETEST_STRING;
429  } else if (strcasecmp("dec", args[i]) == 0) {
430  data->base |= DETECT_BYTETEST_BASE_DEC;
431  } else if (strcasecmp("hex", args[i]) == 0) {
432  data->base |= DETECT_BYTETEST_BASE_HEX;
433  } else if (strcasecmp("oct", args[i]) == 0) {
434  data->base |= DETECT_BYTETEST_BASE_OCT;
435  } else if (strcasecmp("big", args[i]) == 0) {
436  if (data->flags & DETECT_BYTETEST_LITTLE) {
437  data->flags ^= DETECT_BYTETEST_LITTLE;
438  }
439  data->flags |= DETECT_BYTETEST_BIG;
440  } else if (strcasecmp("little", args[i]) == 0) {
441  data->flags |= DETECT_BYTETEST_LITTLE;
442  } else if (strcasecmp("dce", args[i]) == 0) {
443  data->flags |= DETECT_BYTETEST_DCE;
444  } else if (strncasecmp("bitmask", args[i], strlen("bitmask")) == 0) {
445  data->flags |= DETECT_BYTETEST_BITMASK;
446  bitmask_index = i;
447  } else {
448  SCLogError(SC_ERR_UNKNOWN_VALUE, "Unknown value: \"%s\"",
449  args[i]);
450  goto error;
451  }
452  }
453  }
454 
455  if (data->flags & DETECT_BYTETEST_STRING) {
456  /* 23 - This is the largest string (octal, with a zero prefix) that
457  * will not overflow uint64_t. The only way this length
458  * could be over 23 and still not overflow is if it were zero
459  * prefixed and we only support 1 byte of zero prefix for octal.
460  *
461  * "01777777777777777777777" = 0xffffffffffffffff
462  */
463  if (nbytes > 23) {
464  SCLogError(SC_ERR_INVALID_VALUE, "Cannot test more than 23 bytes with \"string\": %s",
465  optstr);
466  goto error;
467  }
468  } else {
469  if (nbytes > 8) {
470  SCLogError(SC_ERR_INVALID_VALUE, "Cannot test more than 8 bytes without \"string\": %s",
471  optstr);
472  goto error;
473  }
474  if (data->base != DETECT_BYTETEST_BASE_UNSET) {
475  SCLogError(SC_ERR_INVALID_VALUE, "Cannot use a base without \"string\": %s", optstr);
476  goto error;
477  }
478  }
479 
480  /* This is max 23 so it will fit in a byte (see above) */
481  data->nbytes = (uint8_t)nbytes;
482 
483  if (bitmask_index != -1 && data->flags & DETECT_BYTETEST_BITMASK) {
484  if (ByteExtractStringUint32(&data->bitmask, 0, 0, args[bitmask_index]+strlen("bitmask")) <= 0) {
485  SCLogError(SC_ERR_INVALID_VALUE, "Malformed bitmask value: %s", args[bitmask_index]+strlen("bitmask"));
486  goto error;
487  }
488  /* determine how many trailing 0's are in the bitmask. This will be used
489  * to rshift the value after applying the bitmask
490  */
491  data->bitmask_shift_count = 0;
492  if (data->bitmask) {
493  uint32_t bmask = data->bitmask;
494  while (!(bmask & 0x1)){
495  bmask = bmask >> 1;
496  data->bitmask_shift_count++;
497  }
498  }
499  }
500 
501  for (i = 0; i < (ret - 1); i++){
502  if (args[i] != NULL) SCFree(args[i]);
503  }
504  if (data_offset) SCFree(data_offset);
505  if (test_value) SCFree(test_value);
506  return data;
507 
508 error:
509  for (i = 0; i < (ret - 1); i++){
510  if (args[i] != NULL) SCFree(args[i]);
511  }
512  if (data_offset) SCFree(data_offset);
513  if (test_value) SCFree(test_value);
514  if (data) SCFree(data);
515  return NULL;
516 }
517 
518 static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
519 {
520  SigMatch *sm = NULL;
521  SigMatch *prev_pm = NULL;
522  char *value = NULL;
523  char *offset = NULL;
524  int ret = -1;
525 
526  DetectBytetestData *data = DetectBytetestParse(optstr, &value, &offset);
527  if (data == NULL)
528  goto error;
529 
530  int sm_list;
531  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
532  if (DetectBufferGetActiveList(de_ctx, s) == -1)
533  goto error;
534 
535  sm_list = s->init_data->list;
536 
537  if (data->flags & DETECT_BYTETEST_RELATIVE) {
538  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
539  }
540 
541  } else if (data->flags & DETECT_BYTETEST_DCE) {
542  if (data->flags & DETECT_BYTETEST_RELATIVE) {
543  prev_pm = DetectGetLastSMFromLists(s,
544  DETECT_CONTENT, DETECT_PCRE,
545  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
546  DETECT_ISDATAAT, -1);
547  if (prev_pm == NULL) {
548  sm_list = DETECT_SM_LIST_PMATCH;
549  } else {
550  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
551  if (sm_list < 0)
552  goto error;
553  }
554  } else {
555  sm_list = DETECT_SM_LIST_PMATCH;
556  }
557 
558  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
559  goto error;
560 
561  } else if (data->flags & DETECT_BYTETEST_RELATIVE) {
562  prev_pm = DetectGetLastSMFromLists(s,
563  DETECT_CONTENT, DETECT_PCRE,
564  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
565  DETECT_ISDATAAT, -1);
566  if (prev_pm == NULL) {
567  sm_list = DETECT_SM_LIST_PMATCH;
568  } else {
569  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
570  if (sm_list < 0)
571  goto error;
572  }
573 
574  } else {
575  sm_list = DETECT_SM_LIST_PMATCH;
576  }
577 
578  if (data->flags & DETECT_BYTETEST_DCE) {
579  if ((data->flags & DETECT_BYTETEST_STRING) ||
580  (data->flags & DETECT_BYTETEST_LITTLE) ||
581  (data->flags & DETECT_BYTETEST_BIG) ||
582  (data->base == DETECT_BYTETEST_BASE_DEC) ||
583  (data->base == DETECT_BYTETEST_BASE_HEX) ||
584  (data->base == DETECT_BYTETEST_BASE_OCT) ) {
585  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
586  "A byte_test keyword with dce holds other invalid modifiers.");
587  goto error;
588  }
589  }
590 
591  if (value != NULL) {
592  SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(value, s);
593  if (bed_sm == NULL) {
594  SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
595  "seen in byte_test - %s\n", value);
596  goto error;
597  }
598  data->value = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
599  data->flags |= DETECT_BYTETEST_VALUE_BE;
600  SCFree(value);
601  value = NULL;
602  }
603 
604  if (offset != NULL) {
605  SigMatch *bed_sm = DetectByteExtractRetrieveSMVar(offset, s);
606  if (bed_sm == NULL) {
607  SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
608  "seen in byte_test - %s\n", offset);
609  goto error;
610  }
611  data->offset = ((DetectByteExtractData *)bed_sm->ctx)->local_id;
612  data->flags |= DETECT_BYTETEST_OFFSET_BE;
613  SCFree(offset);
614  offset = NULL;
615  }
616 
617  sm = SigMatchAlloc();
618  if (sm == NULL)
619  goto error;
620  sm->type = DETECT_BYTETEST;
621  sm->ctx = (SigMatchCtx *)data;
622  SigMatchAppendSMToList(s, sm, sm_list);
623 
624  if (!(data->flags & DETECT_BYTETEST_RELATIVE))
625  goto okay;
626 
627  if (prev_pm == NULL)
628  goto okay;
629  if (prev_pm->type == DETECT_CONTENT) {
630  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
631  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
632  } else if (prev_pm->type == DETECT_PCRE) {
633  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
634  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
635  }
636 
637  okay:
638  ret = 0;
639  return ret;
640  error:
641  if (offset)
642  SCFree(offset);
643  if (value)
644  SCFree(value);
645  DetectBytetestFree(de_ctx, data);
646  return ret;
647 }
648 
649 /**
650  * \brief this function will free memory associated with DetectBytetestData
651  *
652  * \param data pointer to DetectBytetestData
653  */
654 static void DetectBytetestFree(DetectEngineCtx *de_ctx, void *ptr)
655 {
656  if (ptr == NULL)
657  return;
658 
659  DetectBytetestData *data = (DetectBytetestData *)ptr;
660  SCFree(data);
661 }
662 
663 
664 /* UNITTESTS */
665 #ifdef UNITTESTS
666 #include "util-unittest-helper.h"
667 #include "app-layer-parser.h"
668 #include "flow-util.h"
669 static int g_file_data_buffer_id = 0;
670 static int g_dce_stub_data_buffer_id = 0;
671 
672 /**
673  * \test DetectBytetestTestParse01 is a test to make sure that we return "something"
674  * when given valid bytetest opt
675  */
676 static int DetectBytetestTestParse01(void)
677 {
678  int result = 0;
679  DetectBytetestData *data = NULL;
680  data = DetectBytetestParse("4, =, 1 , 0", NULL, NULL);
681  if (data != NULL) {
682  DetectBytetestFree(NULL, data);
683  result = 1;
684  }
685 
686  return result;
687 }
688 
689 /**
690  * \test DetectBytetestTestParse02 is a test for setting the required opts
691  */
692 static int DetectBytetestTestParse02(void)
693 {
694  int result = 0;
695  DetectBytetestData *data = NULL;
696  data = DetectBytetestParse("4, !=, 1, 0", NULL, NULL);
697  if (data != NULL) {
698  if ( (data->op == DETECT_BYTETEST_OP_EQ)
699  && (data->nbytes == 4)
700  && (data->value == 1)
701  && (data->offset == 0)
702  && (data->neg_op)
703  && (data->base == DETECT_BYTETEST_BASE_UNSET))
704  {
705  result = 1;
706  }
707  DetectBytetestFree(NULL, data);
708  }
709 
710  return result;
711 }
712 
713 /**
714  * \test DetectBytetestTestParse03 is a test for setting the relative flag
715  */
716 static int DetectBytetestTestParse03(void)
717 {
718  int result = 0;
719  DetectBytetestData *data = NULL;
720  data = DetectBytetestParse("4, !=, 1, 0, relative", NULL, NULL);
721  if (data != NULL) {
722  if ( (data->op == DETECT_BYTETEST_OP_EQ)
723  && (data->nbytes == 4)
724  && (data->value == 1)
725  && (data->offset == 0)
726  && (data->neg_op)
727  && (data->flags == DETECT_BYTETEST_RELATIVE)
728  && (data->base == DETECT_BYTETEST_BASE_UNSET))
729  {
730  result = 1;
731  }
732  DetectBytetestFree(NULL, data);
733  }
734 
735  return result;
736 }
737 
738 /**
739  * \test DetectBytetestTestParse04 is a test for setting the string/oct flags
740  */
741 static int DetectBytetestTestParse04(void)
742 {
743  int result = 0;
744  DetectBytetestData *data = NULL;
745  data = DetectBytetestParse("4, !=, 1, 0, string, oct", NULL, NULL);
746  if (data != NULL) {
747  if ( (data->op == DETECT_BYTETEST_OP_EQ)
748  && (data->nbytes == 4)
749  && (data->value == 1)
750  && (data->offset == 0)
751  && (data->neg_op)
752  && (data->flags == DETECT_BYTETEST_STRING)
753  && (data->base == DETECT_BYTETEST_BASE_OCT))
754  {
755  result = 1;
756  }
757  DetectBytetestFree(NULL, data);
758  }
759 
760  return result;
761 }
762 
763 /**
764  * \test DetectBytetestTestParse05 is a test for setting the string/dec flags
765  */
766 static int DetectBytetestTestParse05(void)
767 {
768  int result = 0;
769  DetectBytetestData *data = NULL;
770  data = DetectBytetestParse("4, =, 1, 0, string, dec", NULL, NULL);
771  if (data != NULL) {
772  if ( (data->op == DETECT_BYTETEST_OP_EQ)
773  && (data->nbytes == 4)
774  && (data->value == 1)
775  && (data->offset == 0)
776  && (data->flags == DETECT_BYTETEST_STRING)
777  && (data->base == DETECT_BYTETEST_BASE_DEC))
778  {
779  result = 1;
780  }
781  DetectBytetestFree(NULL, data);
782  }
783 
784  return result;
785 }
786 
787 /**
788  * \test DetectBytetestTestParse06 is a test for setting the string/hex flags
789  */
790 static int DetectBytetestTestParse06(void)
791 {
792  int result = 0;
793  DetectBytetestData *data = NULL;
794  data = DetectBytetestParse("4, >, 1, 0, string, hex", NULL, NULL);
795  if (data != NULL) {
796  if ( (data->op == DETECT_BYTETEST_OP_GT)
797  && (data->nbytes == 4)
798  && (data->value == 1)
799  && (data->offset == 0)
800  && (data->flags == DETECT_BYTETEST_STRING)
801  && (data->base == DETECT_BYTETEST_BASE_HEX))
802  {
803  result = 1;
804  }
805  DetectBytetestFree(NULL, data);
806  }
807 
808  return result;
809 }
810 
811 /**
812  * \test DetectBytetestTestParse07 is a test for setting the big flag
813  */
814 static int DetectBytetestTestParse07(void)
815 {
816  int result = 0;
817  DetectBytetestData *data = NULL;
818  data = DetectBytetestParse("4, <, 5, 0, big", NULL, NULL);
819  if (data != NULL) {
820  if ( (data->op == DETECT_BYTETEST_OP_LT)
821  && (data->nbytes == 4)
822  && (data->value == 5)
823  && (data->offset == 0)
824  && (data->flags & DETECT_BYTETEST_BIG)
825  && (data->base == DETECT_BYTETEST_BASE_UNSET))
826  {
827  result = 1;
828  }
829  DetectBytetestFree(NULL, data);
830  }
831 
832  return result;
833 }
834 
835 /**
836  * \test DetectBytetestTestParse08 is a test for setting the little flag
837  */
838 static int DetectBytetestTestParse08(void)
839 {
840  int result = 0;
841  DetectBytetestData *data = NULL;
842  data = DetectBytetestParse("4, <, 5, 0, little", NULL, NULL);
843  if (data != NULL) {
844  if ( (data->op == DETECT_BYTETEST_OP_LT)
845  && (data->nbytes == 4)
846  && (data->value == 5)
847  && (data->offset == 0)
848  && (data->flags == DETECT_BYTETEST_LITTLE)
849  && (data->base == DETECT_BYTETEST_BASE_UNSET))
850  {
851  result = 1;
852  }
853  DetectBytetestFree(NULL, data);
854  }
855 
856  return result;
857 }
858 
859 /**
860  * \test DetectBytetestTestParse09 is a test for neg operator only
861  */
862 static int DetectBytetestTestParse09(void)
863 {
864  int result = 0;
865  DetectBytetestData *data = NULL;
866  data = DetectBytetestParse("4, !, 5, 0", NULL, NULL);
867  if (data != NULL) {
868  if ( (data->op == DETECT_BYTETEST_OP_EQ)
869  && (data->nbytes == 4)
870  && (data->value == 5)
871  && (data->offset == 0)
872  && (data->neg_op)
873  && (data->base == DETECT_BYTETEST_BASE_UNSET))
874  {
875  result = 1;
876  }
877  DetectBytetestFree(NULL, data);
878  }
879 
880  return result;
881 }
882 
883 /**
884  * \test DetectBytetestTestParse10 is a test for whitespace
885  */
886 static int DetectBytetestTestParse10(void)
887 {
888  int result = 0;
889  DetectBytetestData *data = NULL;
890  data = DetectBytetestParse(" 4 , ! &, 5 , 0 , little ", NULL, NULL);
891  if (data != NULL) {
892  if ( (data->op == DETECT_BYTETEST_OP_AND)
893  && (data->nbytes == 4)
894  && (data->value == 5)
895  && (data->offset == 0)
896  && (data->neg_op)
897  && (data->flags == DETECT_BYTETEST_LITTLE)
898  && (data->base == DETECT_BYTETEST_BASE_UNSET))
899  {
900  result = 1;
901  }
902  DetectBytetestFree(NULL, data);
903  }
904 
905  return result;
906 }
907 
908 /**
909  * \test DetectBytetestTestParse11 is a test for whitespace
910  */
911 static int DetectBytetestTestParse11(void)
912 {
913  int result = 0;
914  DetectBytetestData *data = NULL;
915  data = DetectBytetestParse("4,!^,5,0,little,string,relative,hex", NULL, NULL);
916  if (data != NULL) {
917  if ( (data->op == DETECT_BYTETEST_OP_OR)
918  && (data->nbytes == 4)
919  && (data->value == 5)
920  && (data->offset == 0)
921  && (data->neg_op)
922  && (data->flags == (DETECT_BYTETEST_LITTLE
923  |DETECT_BYTETEST_STRING
924  |DETECT_BYTETEST_RELATIVE))
925  && (data->base == DETECT_BYTETEST_BASE_HEX))
926  {
927  result = 1;
928  }
929  DetectBytetestFree(NULL, data);
930  }
931 
932  return result;
933 }
934 
935 /**
936  * \test DetectBytetestTestParse12 is a test for hex w/o string
937  */
938 static int DetectBytetestTestParse12(void)
939 {
940  int result = 0;
941  DetectBytetestData *data = NULL;
942  data = DetectBytetestParse("4, =, 1, 0, hex", NULL, NULL);
943  if (data == NULL) {
944  result = 1;
945  }
946 
947  return result;
948 }
949 
950 /**
951  * \test DetectBytetestTestParse13 is a test for too many bytes to extract
952  */
953 static int DetectBytetestTestParse13(void)
954 {
955  int result = 0;
956  DetectBytetestData *data = NULL;
957  data = DetectBytetestParse("9, =, 1, 0", NULL, NULL);
958  if (data == NULL) {
959  result = 1;
960  }
961 
962  return result;
963 }
964 
965 /**
966  * \test DetectBytetestTestParse14 is a test for large string extraction
967  */
968 static int DetectBytetestTestParse14(void)
969 {
970  int result = 0;
971  DetectBytetestData *data = NULL;
972  data = DetectBytetestParse("23,=,0xffffffffffffffffULL,0,string,oct", NULL, NULL);
973  if (data != NULL) {
974  if ( (data->op == DETECT_BYTETEST_OP_EQ)
975  && (data->nbytes == 23)
976  && (data->value == 0xffffffffffffffffULL)
977  && (data->offset == 0)
978  && (data->flags == DETECT_BYTETEST_STRING)
979  && (data->base == DETECT_BYTETEST_BASE_OCT))
980  {
981  result = 1;
982  }
983  DetectBytetestFree(NULL, data);
984  }
985 
986  return result;
987 }
988 
989 /**
990  * \test DetectBytetestTestParse15 is a test for too many bytes to extract (string)
991  */
992 static int DetectBytetestTestParse15(void)
993 {
994  int result = 0;
995  DetectBytetestData *data = NULL;
996  data = DetectBytetestParse("24, =, 0xffffffffffffffffULL, 0, string", NULL, NULL);
997  if (data == NULL) {
998  result = 1;
999  }
1000 
1001  return result;
1002 }
1003 
1004 /**
1005  * \test DetectBytetestTestParse16 is a test for offset too big
1006  */
1007 static int DetectBytetestTestParse16(void)
1008 {
1009  int result = 0;
1010  DetectBytetestData *data = NULL;
1011  data = DetectBytetestParse("4,=,0,0xffffffffffffffffULL", NULL, NULL);
1012  if (data == NULL) {
1013  result = 1;
1014  }
1015 
1016  return result;
1017 }
1018 
1019 /**
1020  * \test Test dce option.
1021  */
1022 static int DetectBytetestTestParse17(void)
1023 {
1024  int result = 0;
1025  DetectBytetestData *data = NULL;
1026  data = DetectBytetestParse("4, <, 5, 0, dce", NULL, NULL);
1027  if (data != NULL) {
1028  if ( (data->op == DETECT_BYTETEST_OP_LT) &&
1029  (data->nbytes == 4) &&
1030  (data->value == 5) &&
1031  (data->offset == 0) &&
1032  (data->flags & DETECT_BYTETEST_DCE) ) {
1033  result = 1;
1034  }
1035  DetectBytetestFree(NULL, data);
1036  }
1037 
1038  return result;
1039 }
1040 
1041 /**
1042  * \test Test dce option.
1043  */
1044 static int DetectBytetestTestParse18(void)
1045 {
1046  int result = 0;
1047  DetectBytetestData *data = NULL;
1048  data = DetectBytetestParse("4, <, 5, 0", NULL, NULL);
1049  if (data != NULL) {
1050  if ( (data->op == DETECT_BYTETEST_OP_LT) &&
1051  (data->nbytes == 4) &&
1052  (data->value == 5) &&
1053  (data->offset == 0) &&
1054  !(data->flags & DETECT_BYTETEST_DCE) ) {
1055  result = 1;
1056  }
1057  DetectBytetestFree(NULL, data);
1058  }
1059 
1060  return result;
1061 }
1062 
1063 /**
1064  * \test Test dce option.
1065  */
1066 static int DetectBytetestTestParse19(void)
1067 {
1068  Signature *s = SigAlloc();
1069  if (s == NULL)
1070  return 0;
1071 
1072  int result = 1;
1073 
1074  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0) {
1075  SigFree(NULL, s);
1076  return 0;
1077  }
1078 
1079  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,dce") == 0);
1080  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,string,dce") == -1);
1081  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,big,dce") == -1);
1082  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,little,dce") == -1);
1083  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,hex,dce") == -1);
1084  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,oct,dce") == -1);
1085  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,dec,dce") == -1);
1086 
1087  SigFree(NULL, s);
1088  return result;
1089 }
1090 
1091 /**
1092  * \test Test dce option.
1093  */
1094 static int DetectBytetestTestParse20(void)
1095 {
1096  DetectEngineCtx *de_ctx = NULL;
1097  int result = 1;
1098  Signature *s = NULL;
1099  DetectBytetestData *bd = NULL;
1100 
1101  de_ctx = DetectEngineCtxInit();
1102  if (de_ctx == NULL)
1103  goto end;
1104 
1105  de_ctx->flags |= DE_QUIET;
1106  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1107  "(msg:\"Testing bytetest_body\"; "
1108  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1109  "dce_stub_data; "
1110  "content:\"one\"; distance:0; "
1111  "byte_test:1,=,1,6,relative,dce; sid:1;)");
1112  if (de_ctx->sig_list == NULL) {
1113  result = 0;
1114  goto end;
1115  }
1116  s = de_ctx->sig_list;
1117  if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1118  result = 0;
1119  goto end;
1120  }
1121  result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
1122  bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1123  if (!(bd->flags & DETECT_BYTETEST_DCE) &&
1124  !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
1125  (bd->flags & DETECT_BYTETEST_STRING) &&
1126  (bd->flags & DETECT_BYTETEST_BIG) &&
1127  (bd->flags & DETECT_BYTETEST_LITTLE) &&
1128  (bd->neg_op) ) {
1129  result = 0;
1130  goto end;
1131  }
1132 
1133  s->next = SigInit(de_ctx, "alert tcp any any -> any any "
1134  "(msg:\"Testing bytetest_body\"; "
1135  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1136  "dce_stub_data; "
1137  "content:\"one\"; distance:0; "
1138  "byte_test:1,=,1,6,relative,dce; sid:1;)");
1139  if (s->next == NULL) {
1140  result = 0;
1141  goto end;
1142  }
1143  s = s->next;
1144  if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1145  result = 0;
1146  goto end;
1147  }
1148  result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
1149  bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1150  if (!(bd->flags & DETECT_BYTETEST_DCE) &&
1151  !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
1152  (bd->flags & DETECT_BYTETEST_STRING) &&
1153  (bd->flags & DETECT_BYTETEST_BIG) &&
1154  (bd->flags & DETECT_BYTETEST_LITTLE) &&
1155  (bd->neg_op) ) {
1156  result = 0;
1157  goto end;
1158  }
1159 
1160  s->next = SigInit(de_ctx, "alert tcp any any -> any any "
1161  "(msg:\"Testing bytetest_body\"; "
1162  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1163  "dce_stub_data; "
1164  "content:\"one\"; distance:0; "
1165  "byte_test:1,=,1,6,relative; sid:1;)");
1166  if (s->next == NULL) {
1167  result = 0;
1168  goto end;
1169  }
1170  s = s->next;
1171  if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1172  result = 0;
1173  goto end;
1174  }
1175  result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
1176  bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1177  if ((bd->flags & DETECT_BYTETEST_DCE) &&
1178  !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
1179  (bd->flags & DETECT_BYTETEST_STRING) &&
1180  (bd->flags & DETECT_BYTETEST_BIG) &&
1181  (bd->flags & DETECT_BYTETEST_LITTLE) &&
1182  (bd->neg_op) ) {
1183  result = 0;
1184  goto end;
1185  }
1186 
1187  end:
1188  SigGroupCleanup(de_ctx);
1189  SigCleanSignatures(de_ctx);
1190  DetectEngineCtxFree(de_ctx);
1191 
1192  return result;
1193 }
1194 
1195 /**
1196  * \test Test dce option.
1197  */
1198 static int DetectBytetestTestParse21(void)
1199 {
1200  DetectEngineCtx *de_ctx = NULL;
1201  int result = 1;
1202  Signature *s = NULL;
1203 
1204  de_ctx = DetectEngineCtxInit();
1205  if (de_ctx == NULL)
1206  goto end;
1207 
1208  de_ctx->flags |= DE_QUIET;
1209  s = SigInit(de_ctx, "alert tcp any any -> any any "
1210  "(msg:\"Testing bytetest_body\"; "
1211  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1212  "content:\"one\"; byte_test:1,=,1,6,string,dce; sid:1;)");
1213  if (s != NULL) {
1214  result = 0;
1215  goto end;
1216  }
1217 
1218  s = SigInit(de_ctx, "alert tcp any any -> any any "
1219  "(msg:\"Testing bytetest_body\"; "
1220  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1221  "content:\"one\"; byte_test:1,=,1,6,big,dce; sid:1;)");
1222  if (s != NULL) {
1223  result = 0;
1224  goto end;
1225  }
1226 
1227  s = SigInit(de_ctx, "alert tcp any any -> any any "
1228  "(msg:\"Testing bytetest_body\"; "
1229  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1230  "content:\"one\"; byte_test:1,=,1,6,little,dce; sid:1;)");
1231  if (s != NULL) {
1232  result = 0;
1233  goto end;
1234  }
1235 
1236  s = SigInit(de_ctx, "alert tcp any any -> any any "
1237  "(msg:\"Testing bytetest_body\"; "
1238  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1239  "content:\"one\"; byte_test:1,=,1,6,hex,dce; sid:1;)");
1240  if (s != NULL) {
1241  result = 0;
1242  goto end;
1243  }
1244 
1245  s = SigInit(de_ctx, "alert tcp any any -> any any "
1246  "(msg:\"Testing bytetest_body\"; "
1247  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1248  "content:\"one\"; byte_test:1,=,1,6,dec,dce; sid:1;)");
1249  if (s != NULL) {
1250  result = 0;
1251  goto end;
1252  }
1253 
1254  s = SigInit(de_ctx, "alert tcp any any -> any any "
1255  "(msg:\"Testing bytetest_body\"; "
1256  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1257  "content:\"one\"; byte_test:1,=,1,6,oct,dce; sid:1;)");
1258  if (s != NULL) {
1259  result = 0;
1260  goto end;
1261  }
1262 
1263  s = SigInit(de_ctx, "alert tcp any any -> any any "
1264  "(msg:\"Testing bytetest_body\"; "
1265  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1266  "content:\"one\"; byte_test:1,=,1,6,string,hex,dce; sid:1;)");
1267  if (s != NULL) {
1268  result = 0;
1269  goto end;
1270  }
1271 
1272  s = SigInit(de_ctx, "alert tcp any any -> any any "
1273  "(msg:\"Testing bytetest_body\"; "
1274  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1275  "content:\"one\"; byte_test:1,=,1,6,big,string,hex,dce; sid:1;)");
1276  if (s != NULL) {
1277  result = 0;
1278  goto end;
1279  }
1280 
1281  s = SigInit(de_ctx, "alert tcp any any -> any any "
1282  "(msg:\"Testing bytetest_body\"; "
1283  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1284  "content:\"one\"; byte_test:1,=,1,6,big,string,oct,dce; sid:1;)");
1285  if (s != NULL) {
1286  result = 0;
1287  goto end;
1288  }
1289 
1290  s = SigInit(de_ctx, "alert tcp any any -> any any "
1291  "(msg:\"Testing bytetest_body\"; "
1292  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1293  "content:\"one\"; byte_test:1,=,1,6,little,string,hex,dce; sid:1;)");
1294  if (s != NULL) {
1295  result = 0;
1296  goto end;
1297  }
1298 
1299  s = SigInit(de_ctx, "alert tcp any any -> any any "
1300  "(msg:\"Testing bytetest_body\"; "
1301  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1302  "content:\"one\"; byte_test:1,=,1,6,big,string,dec,dce; sid:1;)");
1303  if (s != NULL) {
1304  result = 0;
1305  goto end;
1306  }
1307 
1308  end:
1309  SigGroupCleanup(de_ctx);
1310  SigCleanSignatures(de_ctx);
1311  DetectEngineCtxFree(de_ctx);
1312 
1313  return result;
1314 }
1315 
1316 /**
1317  * \test Test file_data
1318  */
1319 static int DetectBytetestTestParse22(void)
1320 {
1321  DetectEngineCtx *de_ctx = NULL;
1322  int result = 0;
1323  Signature *s = NULL;
1324  DetectBytetestData *bd = NULL;
1325 
1326  de_ctx = DetectEngineCtxInit();
1327  if (de_ctx == NULL)
1328  goto end;
1329 
1330  de_ctx->flags |= DE_QUIET;
1331  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1332  "(file_data; byte_test:1,=,1,6,relative; sid:1;)");
1333  if (de_ctx->sig_list == NULL) {
1334  printf("sig parse failed: ");
1335  goto end;
1336  }
1337 
1338  s = de_ctx->sig_list;
1339  if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) {
1340  printf("empty server body list: ");
1341  goto end;
1342  }
1343 
1344  if (s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_BYTETEST) {
1345  printf("bytetest not last sm in server body list: ");
1346  goto end;
1347  }
1348 
1349  bd = (DetectBytetestData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
1350  if (bd->flags & DETECT_BYTETEST_DCE &&
1351  bd->flags & DETECT_BYTETEST_RELATIVE &&
1352  (bd->flags & DETECT_BYTETEST_STRING) &&
1353  (bd->flags & DETECT_BYTETEST_BIG) &&
1354  (bd->flags & DETECT_BYTETEST_LITTLE) &&
1355  (bd->neg_op) ) {
1356  printf("wrong flags: ");
1357  goto end;
1358  }
1359 
1360  result = 1;
1361  end:
1362  SigGroupCleanup(de_ctx);
1363  SigCleanSignatures(de_ctx);
1364  DetectEngineCtxFree(de_ctx);
1365 
1366  return result;
1367 }
1368 
1369 /**
1370  * \test Test bitmask option.
1371  */
1372 static int DetectBytetestTestParse23(void)
1373 {
1374  DetectBytetestData *data;
1375  data = DetectBytetestParse("4, <, 5, 0, bitmask 0xf8", NULL, NULL);
1376 
1377  FAIL_IF_NULL(data);
1378  FAIL_IF_NOT(data->op == DETECT_BYTETEST_OP_LT);
1379  FAIL_IF_NOT(data->nbytes == 4);
1380  FAIL_IF_NOT(data->value == 5);
1381  FAIL_IF_NOT(data->offset == 0);
1382  FAIL_IF_NOT(data->flags & DETECT_BYTETEST_BITMASK);
1383  FAIL_IF_NOT(data->bitmask == 0xf8);
1384  FAIL_IF_NOT(data->bitmask_shift_count == 3);
1385 
1386  DetectBytetestFree(NULL, data);
1387 
1388  PASS;
1389 }
1390 
1391 /**
1392  * \test Test all options
1393  */
1394 static int DetectBytetestTestParse24(void)
1395 {
1396  DetectBytetestData *data;
1397  data = DetectBytetestParse("4, !<, 5, 0, relative,string,hex, big, bitmask 0xf8", NULL, NULL);
1398  FAIL_IF_NULL(data);
1399  FAIL_IF_NOT(data->op == DETECT_BYTETEST_OP_LT);
1400  FAIL_IF_NOT(data->nbytes == 4);
1401  FAIL_IF_NOT(data->value == 5);
1402  FAIL_IF_NOT(data->offset == 0);
1403  FAIL_IF_NOT(data->base == DETECT_BYTETEST_BASE_HEX);
1404  FAIL_IF_NOT(data->flags & DETECT_BYTETEST_BIG);
1405  FAIL_IF_NOT(data->flags & DETECT_BYTETEST_RELATIVE);
1406  FAIL_IF_NOT(data->flags & DETECT_BYTETEST_STRING);
1407  FAIL_IF_NOT(data->flags & DETECT_BYTETEST_BITMASK);
1408  FAIL_IF_NOT(data->bitmask == 0xf8);
1409  FAIL_IF_NOT(data->bitmask_shift_count == 3);
1410 
1411  DetectBytetestFree(NULL, data);
1412 
1413  PASS;
1414 }
1415 
1416 
1417 /**
1418  * \test DetectByteTestTestPacket01 is a test to check matches of
1419  * byte_test and byte_test relative works if the previous keyword is pcre
1420  * (bug 142)
1421  */
1422 static int DetectByteTestTestPacket01 (void)
1423 {
1424  int result = 0;
1425  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
1426  "User-Agent: Wget/1.11.4"
1427  "Accept: */*"
1428  "Host: www.google.com"
1429  "Connection: Keep-Alive"
1430  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
1431  uint16_t buflen = strlen((char *)buf);
1432  Packet *p;
1433  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1434 
1435  if (p == NULL)
1436  goto end;
1437 
1438  char sig[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + "
1439  "relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_test:1,=,1"
1440  ",6,relative,string,dec; sid:126; rev:1;)";
1441 
1442  result = UTHPacketMatchSig(p, sig);
1443 
1444  UTHFreePacket(p);
1445 end:
1446  return result;
1447 }
1448 
1449 /**
1450  * \test DetectByteTestTestPacket02 is a test to check matches of
1451  * byte_test and byte_test relative works if the previous keyword is byte_jump
1452  * (bug 158)
1453  */
1454 static int DetectByteTestTestPacket02 (void)
1455 {
1456  int result = 0;
1457  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
1458  "User-Agent: Wget/1.11.4"
1459  "Accept: */*"
1460  "Host: www.google.com"
1461  "Connection: Keep-Alive"
1462  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
1463  uint16_t buflen = strlen((char *)buf);
1464  Packet *p;
1465  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1466 
1467  if (p == NULL)
1468  goto end;
1469 
1470  char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test + "
1471  "relative\"; byte_jump:1,44,string,dec; byte_test:1,=,0,0,relative,string,"
1472  "dec; sid:777; rev:1;)";
1473 
1474  result = UTHPacketMatchSig(p, sig);
1475 
1476  UTHFreePacket(p);
1477 end:
1478  return result;
1479 }
1480 
1481 static int DetectByteTestTestPacket03(void)
1482 {
1483  int result = 0;
1484  uint8_t *buf = NULL;
1485  uint16_t buflen = 0;
1486  buf = SCMalloc(4);
1487  if (unlikely(buf == NULL)) {
1488  printf("malloc failed\n");
1489  exit(EXIT_FAILURE);
1490  }
1491  memcpy(buf, "boom", 4);
1492  buflen = 4;
1493 
1494  Packet *p;
1495  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1496 
1497  if (p == NULL)
1498  goto end;
1499 
1500  char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test\"; "
1501  "byte_test:1,=,65,214748364; sid:1; rev:1;)";
1502 
1503  result = !UTHPacketMatchSig(p, sig);
1504 
1505  UTHFreePacket(p);
1506 
1507 end:
1508  SCFree(buf);
1509  return result;
1510 }
1511 
1512 /** \test Test the byte_test signature matching with operator <= */
1513 static int DetectByteTestTestPacket04(void)
1514 {
1515  int result = 0;
1516  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
1517  "User-Agent: Wget/1.11.4"
1518  "Accept: */*"
1519  "Host: www.google.com"
1520  "Connection: Keep-Alive"
1521  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
1522  uint16_t buflen = strlen((char *)buf);
1523 
1524  Packet *p;
1525  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1526 
1527  if (p == NULL)
1528  goto end;
1529 
1530  char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
1531  "relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
1532  "byte_test:1,<=,0,0,relative,string,dec; sid:124; rev:1;)";
1533 
1534  result = UTHPacketMatchSig(p, sig);
1535 
1536  UTHFreePacket(p);
1537 
1538 end:
1539  return result;
1540 }
1541 
1542 /** \test Test the byte_test signature matching with operator >= */
1543 static int DetectByteTestTestPacket05(void)
1544 {
1545  int result = 0;
1546  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
1547  "User-Agent: Wget/1.11.4"
1548  "Accept: */*"
1549  "Host: www.google.com"
1550  "Connection: Keep-Alive"
1551  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
1552  uint16_t buflen = strlen((char *)buf);
1553 
1554  Packet *p;
1555  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1556 
1557  if (p == NULL)
1558  goto end;
1559 
1560  char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
1561  "relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
1562  "byte_test:1,>=,0,0,relative,string,dec; sid:125; rev:1;)";
1563 
1564  result = UTHPacketMatchSig(p, sig);
1565 
1566  UTHFreePacket(p);
1567 
1568 end:
1569  return result;
1570 }
1571 /** \test simple dns match on first byte */
1572 static int DetectByteTestTestPacket06(void)
1573 {
1574  uint8_t buf[] = { 0x38, 0x35, 0x01, 0x00, 0x00, 0x01,
1575  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1576  0x00, 0x00, 0x001, 0x00, 0x01, 0x00,};
1577  Flow f;
1578  Packet *p = NULL;
1579  Signature *s = NULL;
1580  ThreadVars tv;
1581  DetectEngineThreadCtx *det_ctx = NULL;
1582  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1583 
1584  FAIL_IF_NULL(alp_tctx);
1585 
1586  memset(&tv, 0, sizeof(ThreadVars));
1587  memset(&f, 0, sizeof(Flow));
1588 
1589  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
1590  "192.168.1.5", "192.168.1.1",
1591  41424, 53);
1592 
1593  FLOW_INITIALIZE(&f);
1594  f.flags |= FLOW_IPV4;
1595  f.proto = IPPROTO_UDP;
1596  f.protomap = FlowGetProtoMapping(f.proto);
1597 
1598  p->flow = &f;
1599  p->flags |= PKT_HAS_FLOW;
1600  p->flowflags |= FLOW_PKT_TOSERVER;
1601  f.alproto = ALPROTO_DNS;
1602 
1603  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1604  FAIL_IF_NULL(de_ctx);
1605 
1606  de_ctx->mpm_matcher = mpm_default_matcher;
1607  de_ctx->flags |= DE_QUIET;
1608 
1609  /*
1610  * Check first byte
1611  * (0x38 & 0xF8) --> 0x38
1612  * 0x38 >> 3 --> 0x7
1613  * 0x7 = 0x07
1614  */
1615  /* this rule should alert */
1616  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
1617  "(msg:\"Byte test against first byte\"; "
1618  "byte_test:1,=,0x07,0,bitmask 0xF8;"
1619  "sid:1;)");
1620  FAIL_IF_NULL(s);
1621 
1622  /* this rule should not alert */
1623  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
1624  "(msg:\"Test dns_query option\"; "
1625  "byte_test:1,=,0x07,0,bitmask 0xFF;"
1626  "sid:2;)");
1627  FAIL_IF_NULL(s);
1628 
1629  /*
1630  * Check 3rd byte
1631  * (0x01 & 0xFF) --> 0x01
1632  * 0x01 >> 0 --> 0x1
1633  * 0x1 = 0x01
1634  */
1635  /* this rule should alert */
1636  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
1637  "(msg:\"Test dns_query option\"; "
1638  "byte_test:3,=,0x01,0,bitmask 0xFF;"
1639  "sid:3;)");
1640  FAIL_IF_NULL(s);
1641 
1642  SigGroupBuild(de_ctx);
1643  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1644  FAIL_IF_NULL(det_ctx);
1645 
1646  FAIL_IF_NOT(0 == AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
1647  STREAM_TOSERVER, buf, sizeof(buf)));
1648 
1649  FAIL_IF_NULL(f.alstate);
1650 
1651  /* do detect */
1652  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1653 
1654  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1655 
1656  FAIL_IF(PacketAlertCheck(p, 2));
1657 
1658  FAIL_IF_NOT(PacketAlertCheck(p, 3));
1659 
1660  AppLayerParserThreadCtxFree(alp_tctx);
1661  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1662  SigGroupCleanup(de_ctx);
1663  DetectEngineCtxFree(de_ctx);
1664 
1665  FLOW_DESTROY(&f);
1666  UTHFreePacket(p);
1667  PASS;
1668 }
1669 
1670 #endif /* UNITTESTS */
1671 
1672 
1673 /**
1674  * \brief this function registers unit tests for DetectBytetest
1675  */
1676 static void DetectBytetestRegisterTests(void)
1677 {
1678 #ifdef UNITTESTS
1679  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
1680  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
1681 
1682  UtRegisterTest("DetectBytetestTestParse01", DetectBytetestTestParse01);
1683  UtRegisterTest("DetectBytetestTestParse02", DetectBytetestTestParse02);
1684  UtRegisterTest("DetectBytetestTestParse03", DetectBytetestTestParse03);
1685  UtRegisterTest("DetectBytetestTestParse04", DetectBytetestTestParse04);
1686  UtRegisterTest("DetectBytetestTestParse05", DetectBytetestTestParse05);
1687  UtRegisterTest("DetectBytetestTestParse06", DetectBytetestTestParse06);
1688  UtRegisterTest("DetectBytetestTestParse07", DetectBytetestTestParse07);
1689  UtRegisterTest("DetectBytetestTestParse08", DetectBytetestTestParse08);
1690  UtRegisterTest("DetectBytetestTestParse09", DetectBytetestTestParse09);
1691  UtRegisterTest("DetectBytetestTestParse10", DetectBytetestTestParse10);
1692  UtRegisterTest("DetectBytetestTestParse11", DetectBytetestTestParse11);
1693  UtRegisterTest("DetectBytetestTestParse12", DetectBytetestTestParse12);
1694  UtRegisterTest("DetectBytetestTestParse13", DetectBytetestTestParse13);
1695  UtRegisterTest("DetectBytetestTestParse14", DetectBytetestTestParse14);
1696  UtRegisterTest("DetectBytetestTestParse15", DetectBytetestTestParse15);
1697  UtRegisterTest("DetectBytetestTestParse16", DetectBytetestTestParse16);
1698  UtRegisterTest("DetectBytetestTestParse17", DetectBytetestTestParse17);
1699  UtRegisterTest("DetectBytetestTestParse18", DetectBytetestTestParse18);
1700  UtRegisterTest("DetectBytetestTestParse19", DetectBytetestTestParse19);
1701  UtRegisterTest("DetectBytetestTestParse20", DetectBytetestTestParse20);
1702  UtRegisterTest("DetectBytetestTestParse21", DetectBytetestTestParse21);
1703  UtRegisterTest("DetectBytetestTestParse22", DetectBytetestTestParse22);
1704  UtRegisterTest("DetectBytetestTestParse23", DetectBytetestTestParse23);
1705  UtRegisterTest("DetectBytetestTestParse24", DetectBytetestTestParse24);
1706 
1707  UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01);
1708  UtRegisterTest("DetectByteTestTestPacket02", DetectByteTestTestPacket02);
1709  UtRegisterTest("DetectByteTestTestPacket03", DetectByteTestTestPacket03);
1710  UtRegisterTest("DetectByteTestTestPacket04", DetectByteTestTestPacket04);
1711  UtRegisterTest("DetectByteTestTestPacket05", DetectByteTestTestPacket05);
1712  UtRegisterTest("DetectByteTestTestPacket06", DetectByteTestTestPacket06);
1713 #endif /* UNITTESTS */
1714 }
1715 
util-byte.h
DETECT_BYTETEST_OP_GE
#define DETECT_BYTETEST_OP_GE
Definition: detect-bytetest.h:33
SigTableElmt_::url
const char * url
Definition: detect.h:1212
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1468
DetectBytetestData_::bitmask_shift_count
uint8_t bitmask_shift_count
Definition: detect-bytetest.h:56
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1040
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DETECT_BYTETEST_BITMASK
#define DETECT_BYTETEST_BITMASK
Definition: detect-bytetest.h:48
SigTableElmt_::desc
const char * desc
Definition: detect.h:1211
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1087
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
SigTableElmt_::name
const char * name
Definition: detect.h:1209
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:73
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1369
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DetectBytetestData_::neg_op
bool neg_op
Definition: detect-bytetest.h:58
DETECT_BYTETEST_BASE_HEX
#define DETECT_BYTETEST_BASE_HEX
Definition: detect-bytetest.h:40
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
Flow_::proto
uint8_t proto
Definition: flow.h:361
DetectByteExtractData_
Holds data related to byte_extract keyword.
Definition: detect-byte-extract.h:43
Packet_::payload
uint8_t * payload
Definition: decode.h:543
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:446
Flow_
Flow data structure.
Definition: flow.h:343
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2033
Flow_::protomap
uint8_t protomap
Definition: flow.h:420
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
StringParseInt32
int StringParseInt32(int32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:613
DETECT_BYTETEST_DCE
#define DETECT_BYTETEST_DCE
Definition: detect-bytetest.h:47
DETECT_BYTETEST_OP_GT
#define DETECT_BYTETEST_OP_GT
Definition: detect-bytetest.h:29
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
DetectBytetestData_::bitmask
uint32_t bitmask
Definition: detect-bytetest.h:60
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
UTHPacketMatchSig
int UTHPacketMatchSig(Packet *p, const char *sig)
Definition: util-unittest-helper.c:881
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:48
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DetectBytetestData_::nbytes
uint8_t nbytes
Definition: detect-bytetest.h:53
DetectBytetestData_
Definition: detect-bytetest.h:52
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:442
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine.c:1001
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:241
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:815
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:94
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:544
DETECT_BYTETEST_OP_AND
#define DETECT_BYTETEST_OP_AND
Definition: detect-bytetest.h:31
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-bytetest.c:56
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:876
SC_ERR_PCRE_PARSE
@ SC_ERR_PCRE_PARSE
Definition: util-error.h:37
Signature_::next
struct Signature_ * next
Definition: detect.h:599
DETECT_BYTETEST_OP_LT
#define DETECT_BYTETEST_OP_LT
Definition: detect-bytetest.h:28
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
DETECT_BYTETEST_RELATIVE
#define DETECT_BYTETEST_RELATIVE
Definition: detect-bytetest.h:46
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
DETECT_BYTETEST_BASE_UNSET
#define DETECT_BYTETEST_BASE_UNSET
Definition: detect-bytetest.h:37
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
DETECT_BYTETEST_BASE_DEC
#define DETECT_BYTETEST_BASE_DEC
Definition: detect-bytetest.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2456
SignatureInitData_::list
int list
Definition: detect.h:504
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DETECT_BYTETEST_OP_LE
#define DETECT_BYTETEST_OP_LE
Definition: detect-bytetest.h:34
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
DetectBytetestData_::op
uint8_t op
Definition: detect-bytetest.h:54
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1668
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2388
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
Packet_
Definition: decode.h:411
DETECT_BYTETEST_BIG
#define DETECT_BYTETEST_BIG
Definition: detect-bytetest.h:44
DetectBytetestRegister
void DetectBytetestRegister(void)
Definition: detect-bytetest.c:76
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
StringParseUint64
int StringParseUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:308
ByteExtractStringUint32
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:239
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:596
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition: detect-byte-extract.c:645
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:61
DETECT_BYTETEST_VALUE_BE
#define DETECT_BYTETEST_VALUE_BE
Definition: detect-bytetest.h:49
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:320
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:115
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:72
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2326
Packet_::flow
struct Flow_ * flow
Definition: decode.h:448
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2793
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
SC_ERR_INVALID_OPERATOR
@ SC_ERR_INVALID_OPERATOR
Definition: util-error.h:162
flags
uint8_t flags
Definition: decode-gre.h:0
DETECT_BYTETEST_OP_OR
#define DETECT_BYTETEST_OP_OR
Definition: detect-bytetest.h:32
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1171
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3001
detect-byte-extract.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
DetectBytetestDoMatch
int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchCtx *ctx, const uint8_t *payload, uint32_t payload_len, uint8_t flags, int32_t offset, uint64_t value)
Bytetest detection code.
Definition: detect-bytetest.c:101
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
DETECT_BYTETEST_OFFSET_BE
#define DETECT_BYTETEST_OFFSET_BE
Definition: detect-bytetest.h:50
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
DETECT_BYTETEST_BASE_OCT
#define DETECT_BYTETEST_BASE_OCT
Definition: detect-bytetest.h:38
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:622
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:484
Flow_::alstate
void * alstate
Definition: flow.h:454
mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.c:49
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:165
Flow_::flags
uint32_t flags
Definition: flow.h:396
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:78
DETECT_BYTETEST_STRING
#define DETECT_BYTETEST_STRING
Definition: detect-bytetest.h:45
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:59
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:234
DETECT_BYTETEST_OP_EQ
#define DETECT_BYTETEST_OP_EQ
Definition: detect-bytetest.h:30
DetectPcreData_
Definition: detect-pcre.h:39
detect-uricontent.h
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1246
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
DetectBytetestData_::base
uint8_t base
Definition: detect-bytetest.h:55
DETECT_BYTETEST_LITTLE
#define DETECT_BYTETEST_LITTLE
Definition: detect-bytetest.h:43
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:61
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1201
app-layer.h
detect-bytetest.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171