suricata
detect-bytetest.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  * \author Jeff Lucovsky <jeff@lucovsky.org>
23  *
24  * Implements byte_test keyword.
25  */
26 
27 #include "suricata-common.h"
28 #include "debug.h"
29 #include "decode.h"
30 #include "detect.h"
31 #include "detect-engine.h"
32 #include "detect-parse.h"
33 
34 #include "detect-content.h"
35 #include "detect-uricontent.h"
36 #include "detect-byte.h"
37 #include "detect-bytetest.h"
38 #include "detect-bytejump.h"
39 #include "detect-byte-extract.h"
40 #include "app-layer.h"
41 
42 #include "util-byte.h"
43 #include "util-unittest.h"
44 #include "util-debug.h"
45 #include "detect-pcre.h"
46 
47 
48 /**
49  * \brief Regex for parsing our options
50  */
51 /** \todo We probably just need a simple tokenizer here */
52 
53 /* PCRE supports 9 substrings so the 2nd and 3rd (negation, operator) and
54  * 4th and 5th (test value, offset) are combined
55  */
56 #define VALID_KW "relative|big|little|string|oct|dec|hex|dce|bitmask"
57 #define PARSE_REGEX "^\\s*" \
58  "([^\\s,]+)\\s*,\\s*" \
59  "(\\!?\\s*[^\\s,]*)" \
60  "\\s*,\\s*([^\\s,]+\\s*,\\s*[^\\s,]+)" \
61  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
62  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
63  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
64  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
65  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
66  "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
67  "\\s*$"
68 
69 static DetectParseRegex parse_regex;
70 
71 static int DetectBytetestMatch(DetectEngineThreadCtx *det_ctx,
72  Packet *p, const Signature *s, const SigMatchCtx *ctx);
73 static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr);
74 static void DetectBytetestFree(DetectEngineCtx *, void *ptr);
75 #ifdef UNITTESTS
76 static void DetectBytetestRegisterTests(void);
77 #endif
78 
79 void DetectBytetestRegister (void)
80 {
81  sigmatch_table[DETECT_BYTETEST].name = "byte_test";
82  sigmatch_table[DETECT_BYTETEST].desc = "extract <num of bytes> and perform an operation selected with <operator> against the value in <test value> at a particular <offset>";
83  sigmatch_table[DETECT_BYTETEST].url = "/rules/payload-keywords.html#byte-test";
84  sigmatch_table[DETECT_BYTETEST].Match = DetectBytetestMatch;
85  sigmatch_table[DETECT_BYTETEST].Setup = DetectBytetestSetup;
86  sigmatch_table[DETECT_BYTETEST].Free = DetectBytetestFree;
87 #ifdef UNITTESTS
88  sigmatch_table[DETECT_BYTETEST].RegisterTests = DetectBytetestRegisterTests;
89 #endif
90  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
91 }
92 
93 /** \brief Bytetest detection code
94  *
95  * Byte test works on the packet payload.
96  *
97  * \param det_ctx thread de ctx
98  * \param s signature
99  * \param m sigmatch for this bytettest
100  * \param payload ptr to the start of the buffer to inspect
101  * \param payload_len length of the payload
102  * \retval 1 match
103  * \retval 0 no match
104  */
105 int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx,
106  const Signature *s, const SigMatchCtx *ctx,
107  const uint8_t *payload, uint32_t payload_len,
108  uint8_t flags, int32_t offset, uint64_t value)
109 {
110  SCEnter();
111 
112  const DetectBytetestData *data = (const DetectBytetestData *)ctx;
113  const uint8_t *ptr = NULL;
114  int32_t len = 0;
115  uint64_t val = 0;
116  int extbytes;
117  int neg;
118  int match;
119 
120  if (payload_len == 0) {
121  SCReturnInt(0);
122  }
123 
124  /* Calculate the ptr value for the bytetest and length remaining in
125  * the packet from that point.
126  */
127  if (flags & DETECT_BYTETEST_RELATIVE) {
128  SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
129  "data->offset %"PRIi32"", det_ctx->buffer_offset, data->offset);
130 
131  ptr = payload + det_ctx->buffer_offset;
132  len = payload_len - det_ctx->buffer_offset;
133 
134  ptr += offset;
135  len -= offset;
136 
137  /* No match if there is no relative base */
138  if (ptr == NULL || len <= 0) {
139  SCReturnInt(0);
140  }
141  }
142  else {
143  SCLogDebug("absolute, data->offset %"PRIi32"", data->offset);
144 
145  ptr = payload + offset;
146  len = payload_len - offset;
147  }
148 
149  /* Validate that the to-be-extracted is within the packet
150  * \todo Should this validate it is in the *payload*?
151  */
152  if (ptr < payload || data->nbytes > len) {
153  SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
154  payload, ptr, len, data->nbytes);
155  SCReturnInt(0);
156  }
157 
158  neg = data->neg_op;
159 
160  /* Extract the byte data */
161  if (flags & DETECT_BYTETEST_STRING) {
162  extbytes = ByteExtractStringUint64(&val, data->base,
163  data->nbytes, (const char *)ptr);
164  if (extbytes <= 0) {
165  /* ByteExtractStringUint64() returns 0 if there is no numeric value in data string */
166  if (val == 0) {
167  SCLogDebug("No Numeric value");
168  SCReturnInt(0);
169  } else {
170  SCLogDebug("error extracting %d "
171  "bytes of string data: %d", data->nbytes, extbytes);
172  SCReturnInt(-1);
173  }
174  }
175 
176  SCLogDebug("comparing base %d string 0x%" PRIx64 " %s%u 0x%" PRIx64,
177  data->base, val, (neg ? "!" : ""), data->op, data->value);
178  }
179  else {
180  int endianness = (flags & DETECT_BYTETEST_LITTLE) ?
181  BYTE_LITTLE_ENDIAN : BYTE_BIG_ENDIAN;
182  extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
183  if (extbytes != data->nbytes) {
184  SCLogDebug("error extracting %d bytes "
185  "of numeric data: %d", data->nbytes, extbytes);
186  SCReturnInt(-1);
187  }
188 
189  SCLogDebug("comparing numeric 0x%" PRIx64 " %s%u 0x%" PRIx64,
190  val, (neg ? "!" : ""), data->op, data->value);
191  }
192 
193  /* apply bitmask, if any and then right-shift 1 bit for each trailing 0 in
194  * the bitmask. Note that it's one right shift for each trailing zero (not bit).
195  */
196  if (flags & DETECT_BYTETEST_BITMASK) {
197  val &= data->bitmask;
198  if (val && data->bitmask_shift_count) {
199  val = val >> data->bitmask_shift_count;
200  }
201  }
202 
203  /* Compare using the configured operator */
204  match = 0;
205  switch (data->op) {
206  case DETECT_BYTETEST_OP_EQ:
207  if (val == value) {
208  match = 1;
209  }
210  break;
211  case DETECT_BYTETEST_OP_LT:
212  if (val < value) {
213  match = 1;
214  }
215  break;
216  case DETECT_BYTETEST_OP_GT:
217  if (val > value) {
218  match = 1;
219  }
220  break;
221  case DETECT_BYTETEST_OP_AND:
222  if (val & value) {
223  match = 1;
224  }
225  break;
226  case DETECT_BYTETEST_OP_OR:
227  if (val ^ value) {
228  match = 1;
229  }
230  break;
231  case DETECT_BYTETEST_OP_GE:
232  if (val >= value) {
233  match = 1;
234  }
235  break;
236  case DETECT_BYTETEST_OP_LE:
237  if (val <= value) {
238  match = 1;
239  }
240  break;
241  default:
242  /* Should never get here as we handle this in parsing. */
243  SCReturnInt(-1);
244  }
245 
246  /* A successful match depends on negation */
247  if ((!neg && match) || (neg && !match)) {
248  SCLogDebug("MATCH [bt] extracted value is %"PRIu64, val);
249  SCReturnInt(1);
250  }
251 
252  SCLogDebug("NO MATCH");
253  SCReturnInt(0);
254 
255 }
256 
257 static int DetectBytetestMatch(DetectEngineThreadCtx *det_ctx,
258  Packet *p, const Signature *s, const SigMatchCtx *ctx)
259 {
260  return DetectBytetestDoMatch(det_ctx, s, ctx, p->payload, p->payload_len,
261  ((DetectBytetestData *)ctx)->flags, 0, 0);
262 }
263 
264 static DetectBytetestData *DetectBytetestParse(const char *optstr, char **value, char **offset)
265 {
266  DetectBytetestData *data = NULL;
267  char *args[9] = {
268  NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
269  NULL
270  };
271  char *test_value = NULL;
272  char *data_offset = NULL;
273  int ret = 0, res = 0;
274  int ov[MAX_SUBSTRINGS];
275  int i;
276  uint32_t nbytes;
277  const char *str_ptr = NULL;
278 
279  /* Execute the regex and populate args with captures. */
280  ret = DetectParsePcreExec(&parse_regex, optstr, 0, 0, ov, MAX_SUBSTRINGS);
281  if (ret < 4 || ret > 9) {
282  SCLogError(SC_ERR_PCRE_PARSE, "parse error, ret %" PRId32
283  ", string %s", ret, optstr);
284  goto error;
285  }
286 
287  /* Subtract two since two values are conjoined */
288  for (i = 0; i < (ret - 1); i++) {
289  res = pcre_get_substring((char *)optstr, ov, MAX_SUBSTRINGS,
290  i + 1, &str_ptr);
291  if (res < 0) {
292  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed "
293  "for arg %d", i + 1);
294  goto error;
295  }
296  /* args[2] is comma separated test value, offset */
297  if (i == 2) {
298  test_value = (char *) str_ptr;
299  data_offset = SCStrdup((char *) str_ptr);
300  if (data_offset == NULL) {
301  goto error;
302  }
303  } else {
304  args[i] = (char *)str_ptr;
305  }
306  }
307 
308  /* Initialize the data */
309  data = SCMalloc(sizeof(DetectBytetestData));
310  if (unlikely(data == NULL))
311  goto error;
312  data->base = DETECT_BYTETEST_BASE_UNSET;
313  data->flags = 0;
314 
315  /*
316  * The first four options are required and positional. The
317  * remaining arguments are flags and are not positional.
318  *
319  * The first four options have been collected into three
320  * arguments:
321  * - #1 -- byte count
322  * - #2 -- operator, including optional negation (!)
323  * - #3 -- test value and offset, comma separated
324  */
325 
326  /* Number of bytes */
327  if (StringParseUint32(&nbytes, 10, 0, args[0]) <= 0) {
328  SCLogError(SC_ERR_INVALID_VALUE, "Malformed number of bytes: %s", str_ptr);
329  goto error;
330  }
331 
332  /* The operator is the next arg; it may contain a negation ! as the first char */
333  data->op = 0;
334  if (args[1] != NULL) {
335  int op_offset = 0;
336  char *op_ptr;
337  if (args[1][op_offset] == '!') {
338  data->neg_op = true;
339  op_ptr = &args[1][1];
340  while (isspace((char)*op_ptr) || (*op_ptr == ',')) op_ptr++;
341  op_offset = op_ptr - &args[1][0];
342  } else {
343  data->neg_op = false;
344  }
345  op_ptr = args[1] + op_offset;
346  if ((strcmp("=", op_ptr) == 0) || (data->neg_op
347  && strcmp("", op_ptr) == 0)) {
348  data->op |= DETECT_BYTETEST_OP_EQ;
349  } else if (strcmp("<", op_ptr) == 0) {
350  data->op |= DETECT_BYTETEST_OP_LT;
351  } else if (strcmp(">", op_ptr) == 0) {
352  data->op |= DETECT_BYTETEST_OP_GT;
353  } else if (strcmp("&", op_ptr) == 0) {
354  data->op |= DETECT_BYTETEST_OP_AND;
355  } else if (strcmp("^", op_ptr) == 0) {
356  data->op |= DETECT_BYTETEST_OP_OR;
357  } else if (strcmp(">=", op_ptr) == 0) {
358  data->op |= DETECT_BYTETEST_OP_GE;
359  } else if (strcmp("<=", op_ptr) == 0) {
360  data->op |= DETECT_BYTETEST_OP_LE;
361  } else {
362  SCLogError(SC_ERR_INVALID_OPERATOR, "Invalid operator");
363  goto error;
364  }
365  }
366 
367  if (test_value) {
368  /*
369  * test_value was created while fetching strings and contains the test value and offset, comma separated. The
370  * values was allocated by test_value (pcre_get_substring) and data_offset (SCStrdup), respectively; e.g.,
371  * test_value,offset
372  */
373  char *end_ptr = test_value;
374  while (!(isspace((unsigned char)*end_ptr) || (*end_ptr == ','))) end_ptr++;
375  *end_ptr = '\0';
376 
377  if (test_value[0] != '-' && isalpha((unsigned char)test_value[0])) {
378  if (value == NULL) {
379  SCLogError(SC_ERR_INVALID_ARGUMENT, "byte_test supplied with "
380  "var name for value. \"value\" argument supplied to "
381  "this function has to be non-NULL");
382  goto error;
383  }
384  *value = SCStrdup(test_value);
385  if (*value == NULL)
386  goto error;
387  } else {
388  if (ByteExtractStringUint64(&data->value, 0, 0, test_value) <= 0) {
389  SCLogError(SC_ERR_INVALID_VALUE, "Malformed value: %s", test_value);
390  goto error;
391  }
392  }
393  }
394 
395  /* Offset -- note that this *also* contains test_value, offset so parse accordingly */
396  if (data_offset) {
397  char *end_ptr = data_offset;
398  while (!(isspace((unsigned char)*end_ptr) || (*end_ptr == ','))) end_ptr++;
399  str_ptr = ++end_ptr;
400  while (isspace((unsigned char)*str_ptr) || (*str_ptr == ',')) str_ptr++;
401  end_ptr = (char *)str_ptr;
402  while (!(isspace((unsigned char)*end_ptr) || (*end_ptr == ',')) && (*end_ptr != '\0'))
403  end_ptr++;
404  memmove(data_offset, str_ptr, end_ptr - str_ptr);
405  data_offset[end_ptr-str_ptr] = '\0';
406  if (data_offset[0] != '-' && isalpha((unsigned char)data_offset[0])) {
407  if (data_offset == NULL) {
408  SCLogError(SC_ERR_INVALID_ARGUMENT, "byte_test supplied with "
409  "var name for offset. \"offset\" argument supplied to "
410  "this function has to be non-NULL");
411  goto error;
412  }
413  *offset = SCStrdup(data_offset);
414  if (*offset == NULL)
415  goto error;
416  } else {
417  if (StringParseInt32(&data->offset, 0, 0, data_offset) <= 0) {
418  SCLogError(SC_ERR_INVALID_VALUE, "Malformed offset: %s", data_offset);
419  goto error;
420  }
421  }
422  }
423 
424  /* The remaining options are flags. */
425  /** \todo Error on dups? */
426  int bitmask_index = -1;
427  for (i = 3; i < (ret - 1); i++) {
428  if (args[i] != NULL) {
429  if (strcmp("relative", args[i]) == 0) {
430  data->flags |= DETECT_BYTETEST_RELATIVE;
431  } else if (strcasecmp("string", args[i]) == 0) {
432  data->flags |= DETECT_BYTETEST_STRING;
433  } else if (strcasecmp("dec", args[i]) == 0) {
434  data->base |= DETECT_BYTETEST_BASE_DEC;
435  } else if (strcasecmp("hex", args[i]) == 0) {
436  data->base |= DETECT_BYTETEST_BASE_HEX;
437  } else if (strcasecmp("oct", args[i]) == 0) {
438  data->base |= DETECT_BYTETEST_BASE_OCT;
439  } else if (strcasecmp("big", args[i]) == 0) {
440  if (data->flags & DETECT_BYTETEST_LITTLE) {
441  data->flags ^= DETECT_BYTETEST_LITTLE;
442  }
443  data->flags |= DETECT_BYTETEST_BIG;
444  } else if (strcasecmp("little", args[i]) == 0) {
445  data->flags |= DETECT_BYTETEST_LITTLE;
446  } else if (strcasecmp("dce", args[i]) == 0) {
447  data->flags |= DETECT_BYTETEST_DCE;
448  } else if (strncasecmp("bitmask", args[i], strlen("bitmask")) == 0) {
449  data->flags |= DETECT_BYTETEST_BITMASK;
450  bitmask_index = i;
451  } else {
452  SCLogError(SC_ERR_UNKNOWN_VALUE, "Unknown value: \"%s\"",
453  args[i]);
454  goto error;
455  }
456  }
457  }
458 
459  if (data->flags & DETECT_BYTETEST_STRING) {
460  /* 23 - This is the largest string (octal, with a zero prefix) that
461  * will not overflow uint64_t. The only way this length
462  * could be over 23 and still not overflow is if it were zero
463  * prefixed and we only support 1 byte of zero prefix for octal.
464  *
465  * "01777777777777777777777" = 0xffffffffffffffff
466  */
467  if (nbytes > 23) {
468  SCLogError(SC_ERR_INVALID_VALUE, "Cannot test more than 23 bytes with \"string\": %s",
469  optstr);
470  goto error;
471  }
472  } else {
473  if (nbytes > 8) {
474  SCLogError(SC_ERR_INVALID_VALUE, "Cannot test more than 8 bytes without \"string\": %s",
475  optstr);
476  goto error;
477  }
478  if (data->base != DETECT_BYTETEST_BASE_UNSET) {
479  SCLogError(SC_ERR_INVALID_VALUE, "Cannot use a base without \"string\": %s", optstr);
480  goto error;
481  }
482  }
483 
484  /* This is max 23 so it will fit in a byte (see above) */
485  data->nbytes = (uint8_t)nbytes;
486 
487  if (bitmask_index != -1 && data->flags & DETECT_BYTETEST_BITMASK) {
488  if (ByteExtractStringUint32(&data->bitmask, 0, 0, args[bitmask_index]+strlen("bitmask")) <= 0) {
489  SCLogError(SC_ERR_INVALID_VALUE, "Malformed bitmask value: %s", args[bitmask_index]+strlen("bitmask"));
490  goto error;
491  }
492  /* determine how many trailing 0's are in the bitmask. This will be used
493  * to rshift the value after applying the bitmask
494  */
495  data->bitmask_shift_count = 0;
496  if (data->bitmask) {
497  uint32_t bmask = data->bitmask;
498  while (!(bmask & 0x1)){
499  bmask = bmask >> 1;
500  data->bitmask_shift_count++;
501  }
502  }
503  }
504 
505  for (i = 0; i < (ret - 1); i++){
506  if (args[i] != NULL) SCFree(args[i]);
507  }
508  if (data_offset) SCFree(data_offset);
509  if (test_value) SCFree(test_value);
510  return data;
511 
512 error:
513  for (i = 0; i < (ret - 1); i++){
514  if (args[i] != NULL) SCFree(args[i]);
515  }
516  if (data_offset) SCFree(data_offset);
517  if (test_value) SCFree(test_value);
518  if (data) SCFree(data);
519  return NULL;
520 }
521 
522 static int DetectBytetestSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
523 {
524  SigMatch *sm = NULL;
525  SigMatch *prev_pm = NULL;
526  char *value = NULL;
527  char *offset = NULL;
528  int ret = -1;
529 
530  DetectBytetestData *data = DetectBytetestParse(optstr, &value, &offset);
531  if (data == NULL)
532  goto error;
533 
534  int sm_list;
535  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
536  if (DetectBufferGetActiveList(de_ctx, s) == -1)
537  goto error;
538 
539  sm_list = s->init_data->list;
540 
541  if (data->flags & DETECT_BYTETEST_RELATIVE) {
542  prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
543  }
544 
545  } else if (data->flags & DETECT_BYTETEST_DCE) {
546  if (data->flags & DETECT_BYTETEST_RELATIVE) {
547  prev_pm = DetectGetLastSMFromLists(s,
548  DETECT_CONTENT, DETECT_PCRE,
549  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
550  DETECT_ISDATAAT, DETECT_BYTEMATH, -1);
551  if (prev_pm == NULL) {
552  sm_list = DETECT_SM_LIST_PMATCH;
553  } else {
554  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
555  if (sm_list < 0)
556  goto error;
557  }
558  } else {
559  sm_list = DETECT_SM_LIST_PMATCH;
560  }
561 
562  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
563  goto error;
564 
565  } else if (data->flags & DETECT_BYTETEST_RELATIVE) {
566  prev_pm = DetectGetLastSMFromLists(s,
567  DETECT_CONTENT, DETECT_PCRE,
568  DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
569  DETECT_ISDATAAT, DETECT_BYTEMATH, -1);
570  if (prev_pm == NULL) {
571  sm_list = DETECT_SM_LIST_PMATCH;
572  } else {
573  sm_list = SigMatchListSMBelongsTo(s, prev_pm);
574  if (sm_list < 0)
575  goto error;
576  }
577 
578  } else {
579  sm_list = DETECT_SM_LIST_PMATCH;
580  }
581 
582  if (data->flags & DETECT_BYTETEST_DCE) {
583  if ((data->flags & DETECT_BYTETEST_STRING) ||
584  (data->flags & DETECT_BYTETEST_LITTLE) ||
585  (data->flags & DETECT_BYTETEST_BIG) ||
586  (data->base == DETECT_BYTETEST_BASE_DEC) ||
587  (data->base == DETECT_BYTETEST_BASE_HEX) ||
588  (data->base == DETECT_BYTETEST_BASE_OCT) ) {
589  SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
590  "A byte_test keyword with dce holds other invalid modifiers.");
591  goto error;
592  }
593  }
594 
595  if (value != NULL) {
596  DetectByteIndexType index;
597  if (!DetectByteRetrieveSMVar(value, s, &index)) {
598  SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
599  "seen in byte_test - %s\n", value);
600  goto error;
601  }
602  data->value = index;
603  data->flags |= DETECT_BYTETEST_VALUE_VAR;
604  SCFree(value);
605  value = NULL;
606  }
607 
608  if (offset != NULL) {
609  DetectByteIndexType index;
610  if (!DetectByteRetrieveSMVar(offset, s, &index)) {
611  SCLogError(SC_ERR_INVALID_SIGNATURE, "Unknown byte_extract var "
612  "seen in byte_test - %s\n", offset);
613  goto error;
614  }
615  data->offset = index;
616  data->flags |= DETECT_BYTETEST_OFFSET_VAR;
617  SCFree(offset);
618  offset = NULL;
619  }
620 
621  sm = SigMatchAlloc();
622  if (sm == NULL)
623  goto error;
624  sm->type = DETECT_BYTETEST;
625  sm->ctx = (SigMatchCtx *)data;
626  SigMatchAppendSMToList(s, sm, sm_list);
627 
628  if (!(data->flags & DETECT_BYTETEST_RELATIVE))
629  goto okay;
630 
631  if (prev_pm == NULL)
632  goto okay;
633  if (prev_pm->type == DETECT_CONTENT) {
634  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
635  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
636  } else if (prev_pm->type == DETECT_PCRE) {
637  DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
638  pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
639  }
640 
641  okay:
642  ret = 0;
643  return ret;
644  error:
645  if (offset)
646  SCFree(offset);
647  if (value)
648  SCFree(value);
649  DetectBytetestFree(de_ctx, data);
650  return ret;
651 }
652 
653 /**
654  * \brief this function will free memory associated with DetectBytetestData
655  *
656  * \param data pointer to DetectBytetestData
657  */
658 static void DetectBytetestFree(DetectEngineCtx *de_ctx, void *ptr)
659 {
660  if (ptr == NULL)
661  return;
662 
663  DetectBytetestData *data = (DetectBytetestData *)ptr;
664  SCFree(data);
665 }
666 
667 
668 /* UNITTESTS */
669 #ifdef UNITTESTS
670 #include "util-unittest-helper.h"
671 #include "app-layer-parser.h"
672 #include "flow-util.h"
673 static int g_file_data_buffer_id = 0;
674 static int g_dce_stub_data_buffer_id = 0;
675 
676 /**
677  * \test DetectBytetestTestParse01 is a test to make sure that we return "something"
678  * when given valid bytetest opt
679  */
680 static int DetectBytetestTestParse01(void)
681 {
682  int result = 0;
683  DetectBytetestData *data = NULL;
684  data = DetectBytetestParse("4, =, 1 , 0", NULL, NULL);
685  if (data != NULL) {
686  DetectBytetestFree(NULL, data);
687  result = 1;
688  }
689 
690  return result;
691 }
692 
693 /**
694  * \test DetectBytetestTestParse02 is a test for setting the required opts
695  */
696 static int DetectBytetestTestParse02(void)
697 {
698  int result = 0;
699  DetectBytetestData *data = NULL;
700  data = DetectBytetestParse("4, !=, 1, 0", NULL, NULL);
701  if (data != NULL) {
702  if ( (data->op == DETECT_BYTETEST_OP_EQ)
703  && (data->nbytes == 4)
704  && (data->value == 1)
705  && (data->offset == 0)
706  && (data->neg_op)
707  && (data->base == DETECT_BYTETEST_BASE_UNSET))
708  {
709  result = 1;
710  }
711  DetectBytetestFree(NULL, data);
712  }
713 
714  return result;
715 }
716 
717 /**
718  * \test DetectBytetestTestParse03 is a test for setting the relative flag
719  */
720 static int DetectBytetestTestParse03(void)
721 {
722  int result = 0;
723  DetectBytetestData *data = NULL;
724  data = DetectBytetestParse("4, !=, 1, 0, relative", NULL, NULL);
725  if (data != NULL) {
726  if ( (data->op == DETECT_BYTETEST_OP_EQ)
727  && (data->nbytes == 4)
728  && (data->value == 1)
729  && (data->offset == 0)
730  && (data->neg_op)
731  && (data->flags == DETECT_BYTETEST_RELATIVE)
732  && (data->base == DETECT_BYTETEST_BASE_UNSET))
733  {
734  result = 1;
735  }
736  DetectBytetestFree(NULL, data);
737  }
738 
739  return result;
740 }
741 
742 /**
743  * \test DetectBytetestTestParse04 is a test for setting the string/oct flags
744  */
745 static int DetectBytetestTestParse04(void)
746 {
747  int result = 0;
748  DetectBytetestData *data = NULL;
749  data = DetectBytetestParse("4, !=, 1, 0, string, oct", NULL, NULL);
750  if (data != NULL) {
751  if ( (data->op == DETECT_BYTETEST_OP_EQ)
752  && (data->nbytes == 4)
753  && (data->value == 1)
754  && (data->offset == 0)
755  && (data->neg_op)
756  && (data->flags == DETECT_BYTETEST_STRING)
757  && (data->base == DETECT_BYTETEST_BASE_OCT))
758  {
759  result = 1;
760  }
761  DetectBytetestFree(NULL, data);
762  }
763 
764  return result;
765 }
766 
767 /**
768  * \test DetectBytetestTestParse05 is a test for setting the string/dec flags
769  */
770 static int DetectBytetestTestParse05(void)
771 {
772  int result = 0;
773  DetectBytetestData *data = NULL;
774  data = DetectBytetestParse("4, =, 1, 0, string, dec", NULL, NULL);
775  if (data != NULL) {
776  if ( (data->op == DETECT_BYTETEST_OP_EQ)
777  && (data->nbytes == 4)
778  && (data->value == 1)
779  && (data->offset == 0)
780  && (data->flags == DETECT_BYTETEST_STRING)
781  && (data->base == DETECT_BYTETEST_BASE_DEC))
782  {
783  result = 1;
784  }
785  DetectBytetestFree(NULL, data);
786  }
787 
788  return result;
789 }
790 
791 /**
792  * \test DetectBytetestTestParse06 is a test for setting the string/hex flags
793  */
794 static int DetectBytetestTestParse06(void)
795 {
796  int result = 0;
797  DetectBytetestData *data = NULL;
798  data = DetectBytetestParse("4, >, 1, 0, string, hex", NULL, NULL);
799  if (data != NULL) {
800  if ( (data->op == DETECT_BYTETEST_OP_GT)
801  && (data->nbytes == 4)
802  && (data->value == 1)
803  && (data->offset == 0)
804  && (data->flags == DETECT_BYTETEST_STRING)
805  && (data->base == DETECT_BYTETEST_BASE_HEX))
806  {
807  result = 1;
808  }
809  DetectBytetestFree(NULL, data);
810  }
811 
812  return result;
813 }
814 
815 /**
816  * \test DetectBytetestTestParse07 is a test for setting the big flag
817  */
818 static int DetectBytetestTestParse07(void)
819 {
820  int result = 0;
821  DetectBytetestData *data = NULL;
822  data = DetectBytetestParse("4, <, 5, 0, big", NULL, NULL);
823  if (data != NULL) {
824  if ( (data->op == DETECT_BYTETEST_OP_LT)
825  && (data->nbytes == 4)
826  && (data->value == 5)
827  && (data->offset == 0)
828  && (data->flags & DETECT_BYTETEST_BIG)
829  && (data->base == DETECT_BYTETEST_BASE_UNSET))
830  {
831  result = 1;
832  }
833  DetectBytetestFree(NULL, data);
834  }
835 
836  return result;
837 }
838 
839 /**
840  * \test DetectBytetestTestParse08 is a test for setting the little flag
841  */
842 static int DetectBytetestTestParse08(void)
843 {
844  int result = 0;
845  DetectBytetestData *data = NULL;
846  data = DetectBytetestParse("4, <, 5, 0, little", NULL, NULL);
847  if (data != NULL) {
848  if ( (data->op == DETECT_BYTETEST_OP_LT)
849  && (data->nbytes == 4)
850  && (data->value == 5)
851  && (data->offset == 0)
852  && (data->flags == DETECT_BYTETEST_LITTLE)
853  && (data->base == DETECT_BYTETEST_BASE_UNSET))
854  {
855  result = 1;
856  }
857  DetectBytetestFree(NULL, data);
858  }
859 
860  return result;
861 }
862 
863 /**
864  * \test DetectBytetestTestParse09 is a test for neg operator only
865  */
866 static int DetectBytetestTestParse09(void)
867 {
868  int result = 0;
869  DetectBytetestData *data = NULL;
870  data = DetectBytetestParse("4, !, 5, 0", NULL, NULL);
871  if (data != NULL) {
872  if ( (data->op == DETECT_BYTETEST_OP_EQ)
873  && (data->nbytes == 4)
874  && (data->value == 5)
875  && (data->offset == 0)
876  && (data->neg_op)
877  && (data->base == DETECT_BYTETEST_BASE_UNSET))
878  {
879  result = 1;
880  }
881  DetectBytetestFree(NULL, data);
882  }
883 
884  return result;
885 }
886 
887 /**
888  * \test DetectBytetestTestParse10 is a test for whitespace
889  */
890 static int DetectBytetestTestParse10(void)
891 {
892  int result = 0;
893  DetectBytetestData *data = NULL;
894  data = DetectBytetestParse(" 4 , ! &, 5 , 0 , little ", NULL, NULL);
895  if (data != NULL) {
896  if ( (data->op == DETECT_BYTETEST_OP_AND)
897  && (data->nbytes == 4)
898  && (data->value == 5)
899  && (data->offset == 0)
900  && (data->neg_op)
901  && (data->flags == DETECT_BYTETEST_LITTLE)
902  && (data->base == DETECT_BYTETEST_BASE_UNSET))
903  {
904  result = 1;
905  }
906  DetectBytetestFree(NULL, data);
907  }
908 
909  return result;
910 }
911 
912 /**
913  * \test DetectBytetestTestParse11 is a test for whitespace
914  */
915 static int DetectBytetestTestParse11(void)
916 {
917  int result = 0;
918  DetectBytetestData *data = NULL;
919  data = DetectBytetestParse("4,!^,5,0,little,string,relative,hex", NULL, NULL);
920  if (data != NULL) {
921  if ( (data->op == DETECT_BYTETEST_OP_OR)
922  && (data->nbytes == 4)
923  && (data->value == 5)
924  && (data->offset == 0)
925  && (data->neg_op)
926  && (data->flags == (DETECT_BYTETEST_LITTLE
927  |DETECT_BYTETEST_STRING
928  |DETECT_BYTETEST_RELATIVE))
929  && (data->base == DETECT_BYTETEST_BASE_HEX))
930  {
931  result = 1;
932  }
933  DetectBytetestFree(NULL, data);
934  }
935 
936  return result;
937 }
938 
939 /**
940  * \test DetectBytetestTestParse12 is a test for hex w/o string
941  */
942 static int DetectBytetestTestParse12(void)
943 {
944  int result = 0;
945  DetectBytetestData *data = NULL;
946  data = DetectBytetestParse("4, =, 1, 0, hex", NULL, NULL);
947  if (data == NULL) {
948  result = 1;
949  }
950 
951  return result;
952 }
953 
954 /**
955  * \test DetectBytetestTestParse13 is a test for too many bytes to extract
956  */
957 static int DetectBytetestTestParse13(void)
958 {
959  int result = 0;
960  DetectBytetestData *data = NULL;
961  data = DetectBytetestParse("9, =, 1, 0", NULL, NULL);
962  if (data == NULL) {
963  result = 1;
964  }
965 
966  return result;
967 }
968 
969 /**
970  * \test DetectBytetestTestParse14 is a test for large string extraction
971  */
972 static int DetectBytetestTestParse14(void)
973 {
974  int result = 0;
975  DetectBytetestData *data = NULL;
976  data = DetectBytetestParse("23,=,0xffffffffffffffffULL,0,string,oct", NULL, NULL);
977  if (data != NULL) {
978  if ( (data->op == DETECT_BYTETEST_OP_EQ)
979  && (data->nbytes == 23)
980  && (data->value == 0xffffffffffffffffULL)
981  && (data->offset == 0)
982  && (data->flags == DETECT_BYTETEST_STRING)
983  && (data->base == DETECT_BYTETEST_BASE_OCT))
984  {
985  result = 1;
986  }
987  DetectBytetestFree(NULL, data);
988  }
989 
990  return result;
991 }
992 
993 /**
994  * \test DetectBytetestTestParse15 is a test for too many bytes to extract (string)
995  */
996 static int DetectBytetestTestParse15(void)
997 {
998  int result = 0;
999  DetectBytetestData *data = NULL;
1000  data = DetectBytetestParse("24, =, 0xffffffffffffffffULL, 0, string", NULL, NULL);
1001  if (data == NULL) {
1002  result = 1;
1003  }
1004 
1005  return result;
1006 }
1007 
1008 /**
1009  * \test DetectBytetestTestParse16 is a test for offset too big
1010  */
1011 static int DetectBytetestTestParse16(void)
1012 {
1013  int result = 0;
1014  DetectBytetestData *data = NULL;
1015  data = DetectBytetestParse("4,=,0,0xffffffffffffffffULL", NULL, NULL);
1016  if (data == NULL) {
1017  result = 1;
1018  }
1019 
1020  return result;
1021 }
1022 
1023 /**
1024  * \test Test dce option.
1025  */
1026 static int DetectBytetestTestParse17(void)
1027 {
1028  int result = 0;
1029  DetectBytetestData *data = NULL;
1030  data = DetectBytetestParse("4, <, 5, 0, dce", NULL, NULL);
1031  if (data != NULL) {
1032  if ( (data->op == DETECT_BYTETEST_OP_LT) &&
1033  (data->nbytes == 4) &&
1034  (data->value == 5) &&
1035  (data->offset == 0) &&
1036  (data->flags & DETECT_BYTETEST_DCE) ) {
1037  result = 1;
1038  }
1039  DetectBytetestFree(NULL, data);
1040  }
1041 
1042  return result;
1043 }
1044 
1045 /**
1046  * \test Test dce option.
1047  */
1048 static int DetectBytetestTestParse18(void)
1049 {
1050  int result = 0;
1051  DetectBytetestData *data = NULL;
1052  data = DetectBytetestParse("4, <, 5, 0", NULL, NULL);
1053  if (data != NULL) {
1054  if ( (data->op == DETECT_BYTETEST_OP_LT) &&
1055  (data->nbytes == 4) &&
1056  (data->value == 5) &&
1057  (data->offset == 0) &&
1058  !(data->flags & DETECT_BYTETEST_DCE) ) {
1059  result = 1;
1060  }
1061  DetectBytetestFree(NULL, data);
1062  }
1063 
1064  return result;
1065 }
1066 
1067 /**
1068  * \test Test dce option.
1069  */
1070 static int DetectBytetestTestParse19(void)
1071 {
1072  Signature *s = SigAlloc();
1073  if (s == NULL)
1074  return 0;
1075 
1076  int result = 1;
1077 
1078  if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0) {
1079  SigFree(NULL, s);
1080  return 0;
1081  }
1082 
1083  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,dce") == 0);
1084  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,string,dce") == -1);
1085  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,big,dce") == -1);
1086  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,little,dce") == -1);
1087  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,hex,dce") == -1);
1088  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,oct,dce") == -1);
1089  result &= (DetectBytetestSetup(NULL, s, "1,=,1,6,dec,dce") == -1);
1090 
1091  SigFree(NULL, s);
1092  return result;
1093 }
1094 
1095 /**
1096  * \test Test dce option.
1097  */
1098 static int DetectBytetestTestParse20(void)
1099 {
1100  DetectEngineCtx *de_ctx = NULL;
1101  int result = 1;
1102  Signature *s = NULL;
1103  DetectBytetestData *bd = NULL;
1104 
1105  de_ctx = DetectEngineCtxInit();
1106  if (de_ctx == NULL)
1107  goto end;
1108 
1109  de_ctx->flags |= DE_QUIET;
1110  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1111  "(msg:\"Testing bytetest_body\"; "
1112  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1113  "dce_stub_data; "
1114  "content:\"one\"; distance:0; "
1115  "byte_test:1,=,1,6,relative,dce; sid:1;)");
1116  if (de_ctx->sig_list == NULL) {
1117  result = 0;
1118  goto end;
1119  }
1120  s = de_ctx->sig_list;
1121  if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1122  result = 0;
1123  goto end;
1124  }
1125  result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
1126  bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1127  if (!(bd->flags & DETECT_BYTETEST_DCE) &&
1128  !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
1129  (bd->flags & DETECT_BYTETEST_STRING) &&
1130  (bd->flags & DETECT_BYTETEST_BIG) &&
1131  (bd->flags & DETECT_BYTETEST_LITTLE) &&
1132  (bd->neg_op) ) {
1133  result = 0;
1134  goto end;
1135  }
1136 
1137  s->next = SigInit(de_ctx, "alert tcp any any -> any any "
1138  "(msg:\"Testing bytetest_body\"; "
1139  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1140  "dce_stub_data; "
1141  "content:\"one\"; distance:0; "
1142  "byte_test:1,=,1,6,relative,dce; sid:1;)");
1143  if (s->next == NULL) {
1144  result = 0;
1145  goto end;
1146  }
1147  s = s->next;
1148  if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1149  result = 0;
1150  goto end;
1151  }
1152  result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
1153  bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1154  if (!(bd->flags & DETECT_BYTETEST_DCE) &&
1155  !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
1156  (bd->flags & DETECT_BYTETEST_STRING) &&
1157  (bd->flags & DETECT_BYTETEST_BIG) &&
1158  (bd->flags & DETECT_BYTETEST_LITTLE) &&
1159  (bd->neg_op) ) {
1160  result = 0;
1161  goto end;
1162  }
1163 
1164  s->next = SigInit(de_ctx, "alert tcp any any -> any any "
1165  "(msg:\"Testing bytetest_body\"; "
1166  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1167  "dce_stub_data; "
1168  "content:\"one\"; distance:0; "
1169  "byte_test:1,=,1,6,relative; sid:1;)");
1170  if (s->next == NULL) {
1171  result = 0;
1172  goto end;
1173  }
1174  s = s->next;
1175  if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1176  result = 0;
1177  goto end;
1178  }
1179  result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type == DETECT_BYTETEST);
1180  bd = (DetectBytetestData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1181  if ((bd->flags & DETECT_BYTETEST_DCE) &&
1182  !(bd->flags & DETECT_BYTETEST_RELATIVE) &&
1183  (bd->flags & DETECT_BYTETEST_STRING) &&
1184  (bd->flags & DETECT_BYTETEST_BIG) &&
1185  (bd->flags & DETECT_BYTETEST_LITTLE) &&
1186  (bd->neg_op) ) {
1187  result = 0;
1188  goto end;
1189  }
1190 
1191  end:
1192  SigGroupCleanup(de_ctx);
1193  SigCleanSignatures(de_ctx);
1194  DetectEngineCtxFree(de_ctx);
1195 
1196  return result;
1197 }
1198 
1199 /**
1200  * \test Test dce option.
1201  */
1202 static int DetectBytetestTestParse21(void)
1203 {
1204  DetectEngineCtx *de_ctx = NULL;
1205  int result = 1;
1206  Signature *s = NULL;
1207 
1208  de_ctx = DetectEngineCtxInit();
1209  if (de_ctx == NULL)
1210  goto end;
1211 
1212  de_ctx->flags |= DE_QUIET;
1213  s = SigInit(de_ctx, "alert tcp any any -> any any "
1214  "(msg:\"Testing bytetest_body\"; "
1215  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1216  "content:\"one\"; byte_test:1,=,1,6,string,dce; sid:1;)");
1217  if (s != NULL) {
1218  result = 0;
1219  goto end;
1220  }
1221 
1222  s = SigInit(de_ctx, "alert tcp any any -> any any "
1223  "(msg:\"Testing bytetest_body\"; "
1224  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1225  "content:\"one\"; byte_test:1,=,1,6,big,dce; sid:1;)");
1226  if (s != NULL) {
1227  result = 0;
1228  goto end;
1229  }
1230 
1231  s = SigInit(de_ctx, "alert tcp any any -> any any "
1232  "(msg:\"Testing bytetest_body\"; "
1233  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1234  "content:\"one\"; byte_test:1,=,1,6,little,dce; sid:1;)");
1235  if (s != NULL) {
1236  result = 0;
1237  goto end;
1238  }
1239 
1240  s = SigInit(de_ctx, "alert tcp any any -> any any "
1241  "(msg:\"Testing bytetest_body\"; "
1242  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1243  "content:\"one\"; byte_test:1,=,1,6,hex,dce; sid:1;)");
1244  if (s != NULL) {
1245  result = 0;
1246  goto end;
1247  }
1248 
1249  s = SigInit(de_ctx, "alert tcp any any -> any any "
1250  "(msg:\"Testing bytetest_body\"; "
1251  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1252  "content:\"one\"; byte_test:1,=,1,6,dec,dce; sid:1;)");
1253  if (s != NULL) {
1254  result = 0;
1255  goto end;
1256  }
1257 
1258  s = SigInit(de_ctx, "alert tcp any any -> any any "
1259  "(msg:\"Testing bytetest_body\"; "
1260  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1261  "content:\"one\"; byte_test:1,=,1,6,oct,dce; sid:1;)");
1262  if (s != NULL) {
1263  result = 0;
1264  goto end;
1265  }
1266 
1267  s = SigInit(de_ctx, "alert tcp any any -> any any "
1268  "(msg:\"Testing bytetest_body\"; "
1269  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1270  "content:\"one\"; byte_test:1,=,1,6,string,hex,dce; sid:1;)");
1271  if (s != NULL) {
1272  result = 0;
1273  goto end;
1274  }
1275 
1276  s = SigInit(de_ctx, "alert tcp any any -> any any "
1277  "(msg:\"Testing bytetest_body\"; "
1278  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1279  "content:\"one\"; byte_test:1,=,1,6,big,string,hex,dce; sid:1;)");
1280  if (s != NULL) {
1281  result = 0;
1282  goto end;
1283  }
1284 
1285  s = SigInit(de_ctx, "alert tcp any any -> any any "
1286  "(msg:\"Testing bytetest_body\"; "
1287  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1288  "content:\"one\"; byte_test:1,=,1,6,big,string,oct,dce; sid:1;)");
1289  if (s != NULL) {
1290  result = 0;
1291  goto end;
1292  }
1293 
1294  s = SigInit(de_ctx, "alert tcp any any -> any any "
1295  "(msg:\"Testing bytetest_body\"; "
1296  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1297  "content:\"one\"; byte_test:1,=,1,6,little,string,hex,dce; sid:1;)");
1298  if (s != NULL) {
1299  result = 0;
1300  goto end;
1301  }
1302 
1303  s = SigInit(de_ctx, "alert tcp any any -> any any "
1304  "(msg:\"Testing bytetest_body\"; "
1305  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1306  "content:\"one\"; byte_test:1,=,1,6,big,string,dec,dce; sid:1;)");
1307  if (s != NULL) {
1308  result = 0;
1309  goto end;
1310  }
1311 
1312  end:
1313  SigGroupCleanup(de_ctx);
1314  SigCleanSignatures(de_ctx);
1315  DetectEngineCtxFree(de_ctx);
1316 
1317  return result;
1318 }
1319 
1320 /**
1321  * \test Test file_data
1322  */
1323 static int DetectBytetestTestParse22(void)
1324 {
1325  DetectEngineCtx *de_ctx = NULL;
1326  int result = 0;
1327  Signature *s = NULL;
1328  DetectBytetestData *bd = NULL;
1329 
1330  de_ctx = DetectEngineCtxInit();
1331  if (de_ctx == NULL)
1332  goto end;
1333 
1334  de_ctx->flags |= DE_QUIET;
1335  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1336  "(file_data; byte_test:1,=,1,6,relative; sid:1;)");
1337  if (de_ctx->sig_list == NULL) {
1338  printf("sig parse failed: ");
1339  goto end;
1340  }
1341 
1342  s = de_ctx->sig_list;
1343  if (s->sm_lists_tail[g_file_data_buffer_id] == NULL) {
1344  printf("empty server body list: ");
1345  goto end;
1346  }
1347 
1348  if (s->sm_lists_tail[g_file_data_buffer_id]->type != DETECT_BYTETEST) {
1349  printf("bytetest not last sm in server body list: ");
1350  goto end;
1351  }
1352 
1353  bd = (DetectBytetestData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
1354  if (bd->flags & DETECT_BYTETEST_DCE &&
1355  bd->flags & DETECT_BYTETEST_RELATIVE &&
1356  (bd->flags & DETECT_BYTETEST_STRING) &&
1357  (bd->flags & DETECT_BYTETEST_BIG) &&
1358  (bd->flags & DETECT_BYTETEST_LITTLE) &&
1359  (bd->neg_op) ) {
1360  printf("wrong flags: ");
1361  goto end;
1362  }
1363 
1364  result = 1;
1365  end:
1366  SigGroupCleanup(de_ctx);
1367  SigCleanSignatures(de_ctx);
1368  DetectEngineCtxFree(de_ctx);
1369 
1370  return result;
1371 }
1372 
1373 /**
1374  * \test Test bitmask option.
1375  */
1376 static int DetectBytetestTestParse23(void)
1377 {
1378  DetectBytetestData *data;
1379  data = DetectBytetestParse("4, <, 5, 0, bitmask 0xf8", NULL, NULL);
1380 
1381  FAIL_IF_NULL(data);
1382  FAIL_IF_NOT(data->op == DETECT_BYTETEST_OP_LT);
1383  FAIL_IF_NOT(data->nbytes == 4);
1384  FAIL_IF_NOT(data->value == 5);
1385  FAIL_IF_NOT(data->offset == 0);
1386  FAIL_IF_NOT(data->flags & DETECT_BYTETEST_BITMASK);
1387  FAIL_IF_NOT(data->bitmask == 0xf8);
1388  FAIL_IF_NOT(data->bitmask_shift_count == 3);
1389 
1390  DetectBytetestFree(NULL, data);
1391 
1392  PASS;
1393 }
1394 
1395 /**
1396  * \test Test all options
1397  */
1398 static int DetectBytetestTestParse24(void)
1399 {
1400  DetectBytetestData *data;
1401  data = DetectBytetestParse("4, !<, 5, 0, relative,string,hex, big, bitmask 0xf8", NULL, NULL);
1402  FAIL_IF_NULL(data);
1403  FAIL_IF_NOT(data->op == DETECT_BYTETEST_OP_LT);
1404  FAIL_IF_NOT(data->nbytes == 4);
1405  FAIL_IF_NOT(data->value == 5);
1406  FAIL_IF_NOT(data->offset == 0);
1407  FAIL_IF_NOT(data->base == DETECT_BYTETEST_BASE_HEX);
1408  FAIL_IF_NOT(data->flags & DETECT_BYTETEST_BIG);
1409  FAIL_IF_NOT(data->flags & DETECT_BYTETEST_RELATIVE);
1410  FAIL_IF_NOT(data->flags & DETECT_BYTETEST_STRING);
1411  FAIL_IF_NOT(data->flags & DETECT_BYTETEST_BITMASK);
1412  FAIL_IF_NOT(data->bitmask == 0xf8);
1413  FAIL_IF_NOT(data->bitmask_shift_count == 3);
1414 
1415  DetectBytetestFree(NULL, data);
1416 
1417  PASS;
1418 }
1419 
1420 
1421 /**
1422  * \test DetectByteTestTestPacket01 is a test to check matches of
1423  * byte_test and byte_test relative works if the previous keyword is pcre
1424  * (bug 142)
1425  */
1426 static int DetectByteTestTestPacket01 (void)
1427 {
1428  int result = 0;
1429  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
1430  "User-Agent: Wget/1.11.4"
1431  "Accept: */*"
1432  "Host: www.google.com"
1433  "Connection: Keep-Alive"
1434  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
1435  uint16_t buflen = strlen((char *)buf);
1436  Packet *p;
1437  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1438 
1439  if (p == NULL)
1440  goto end;
1441 
1442  char sig[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + "
1443  "relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_test:1,=,1"
1444  ",6,relative,string,dec; sid:126; rev:1;)";
1445 
1446  result = UTHPacketMatchSig(p, sig);
1447 
1448  UTHFreePacket(p);
1449 end:
1450  return result;
1451 }
1452 
1453 /**
1454  * \test DetectByteTestTestPacket02 is a test to check matches of
1455  * byte_test and byte_test relative works if the previous keyword is byte_jump
1456  * (bug 158)
1457  */
1458 static int DetectByteTestTestPacket02 (void)
1459 {
1460  int result = 0;
1461  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
1462  "User-Agent: Wget/1.11.4"
1463  "Accept: */*"
1464  "Host: www.google.com"
1465  "Connection: Keep-Alive"
1466  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
1467  uint16_t buflen = strlen((char *)buf);
1468  Packet *p;
1469  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1470 
1471  if (p == NULL)
1472  goto end;
1473 
1474  char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test + "
1475  "relative\"; byte_jump:1,44,string,dec; byte_test:1,=,0,0,relative,string,"
1476  "dec; sid:777; rev:1;)";
1477 
1478  result = UTHPacketMatchSig(p, sig);
1479 
1480  UTHFreePacket(p);
1481 end:
1482  return result;
1483 }
1484 
1485 static int DetectByteTestTestPacket03(void)
1486 {
1487  int result = 0;
1488  uint8_t *buf = NULL;
1489  uint16_t buflen = 0;
1490  buf = SCMalloc(4);
1491  if (unlikely(buf == NULL)) {
1492  printf("malloc failed\n");
1493  exit(EXIT_FAILURE);
1494  }
1495  memcpy(buf, "boom", 4);
1496  buflen = 4;
1497 
1498  Packet *p;
1499  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1500 
1501  if (p == NULL)
1502  goto end;
1503 
1504  char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test\"; "
1505  "byte_test:1,=,65,214748364; sid:1; rev:1;)";
1506 
1507  result = !UTHPacketMatchSig(p, sig);
1508 
1509  UTHFreePacket(p);
1510 
1511 end:
1512  SCFree(buf);
1513  return result;
1514 }
1515 
1516 /** \test Test the byte_test signature matching with operator <= */
1517 static int DetectByteTestTestPacket04(void)
1518 {
1519  int result = 0;
1520  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
1521  "User-Agent: Wget/1.11.4"
1522  "Accept: */*"
1523  "Host: www.google.com"
1524  "Connection: Keep-Alive"
1525  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
1526  uint16_t buflen = strlen((char *)buf);
1527 
1528  Packet *p;
1529  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1530 
1531  if (p == NULL)
1532  goto end;
1533 
1534  char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
1535  "relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
1536  "byte_test:1,<=,0,0,relative,string,dec; sid:124; rev:1;)";
1537 
1538  result = UTHPacketMatchSig(p, sig);
1539 
1540  UTHFreePacket(p);
1541 
1542 end:
1543  return result;
1544 }
1545 
1546 /** \test Test the byte_test signature matching with operator >= */
1547 static int DetectByteTestTestPacket05(void)
1548 {
1549  int result = 0;
1550  uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
1551  "User-Agent: Wget/1.11.4"
1552  "Accept: */*"
1553  "Host: www.google.com"
1554  "Connection: Keep-Alive"
1555  "Date: Mon, 04 Jan 2010 17:29:39 GMT";
1556  uint16_t buflen = strlen((char *)buf);
1557 
1558  Packet *p;
1559  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1560 
1561  if (p == NULL)
1562  goto end;
1563 
1564  char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
1565  "relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
1566  "byte_test:1,>=,0,0,relative,string,dec; sid:125; rev:1;)";
1567 
1568  result = UTHPacketMatchSig(p, sig);
1569 
1570  UTHFreePacket(p);
1571 
1572 end:
1573  return result;
1574 }
1575 /** \test simple dns match on first byte */
1576 static int DetectByteTestTestPacket06(void)
1577 {
1578  uint8_t buf[] = { 0x38, 0x35, 0x01, 0x00, 0x00, 0x01,
1579  0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1580  0x00, 0x00, 0x001, 0x00, 0x01, 0x00,};
1581  Flow f;
1582  Packet *p = NULL;
1583  Signature *s = NULL;
1584  ThreadVars tv;
1585  DetectEngineThreadCtx *det_ctx = NULL;
1586  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1587 
1588  FAIL_IF_NULL(alp_tctx);
1589 
1590  memset(&tv, 0, sizeof(ThreadVars));
1591  memset(&f, 0, sizeof(Flow));
1592 
1593  p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
1594  "192.168.1.5", "192.168.1.1",
1595  41424, 53);
1596 
1597  FLOW_INITIALIZE(&f);
1598  f.flags |= FLOW_IPV4;
1599  f.proto = IPPROTO_UDP;
1600  f.protomap = FlowGetProtoMapping(f.proto);
1601 
1602  p->flow = &f;
1603  p->flags |= PKT_HAS_FLOW;
1604  p->flowflags |= FLOW_PKT_TOSERVER;
1605  f.alproto = ALPROTO_DNS;
1606 
1607  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1608  FAIL_IF_NULL(de_ctx);
1609 
1610  de_ctx->mpm_matcher = mpm_default_matcher;
1611  de_ctx->flags |= DE_QUIET;
1612 
1613  /*
1614  * Check first byte
1615  * (0x38 & 0xF8) --> 0x38
1616  * 0x38 >> 3 --> 0x7
1617  * 0x7 = 0x07
1618  */
1619  /* this rule should alert */
1620  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
1621  "(msg:\"Byte test against first byte\"; "
1622  "byte_test:1,=,0x07,0,bitmask 0xF8;"
1623  "sid:1;)");
1624  FAIL_IF_NULL(s);
1625 
1626  /* this rule should not alert */
1627  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
1628  "(msg:\"Test dns_query option\"; "
1629  "byte_test:1,=,0x07,0,bitmask 0xFF;"
1630  "sid:2;)");
1631  FAIL_IF_NULL(s);
1632 
1633  /*
1634  * Check 3rd byte
1635  * (0x01 & 0xFF) --> 0x01
1636  * 0x01 >> 0 --> 0x1
1637  * 0x1 = 0x01
1638  */
1639  /* this rule should alert */
1640  s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
1641  "(msg:\"Test dns_query option\"; "
1642  "byte_test:3,=,0x01,0,bitmask 0xFF;"
1643  "sid:3;)");
1644  FAIL_IF_NULL(s);
1645 
1646  SigGroupBuild(de_ctx);
1647  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1648  FAIL_IF_NULL(det_ctx);
1649 
1650  FAIL_IF_NOT(0 == AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
1651  STREAM_TOSERVER, buf, sizeof(buf)));
1652 
1653  FAIL_IF_NULL(f.alstate);
1654 
1655  /* do detect */
1656  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1657 
1658  FAIL_IF_NOT(PacketAlertCheck(p, 1));
1659 
1660  FAIL_IF(PacketAlertCheck(p, 2));
1661 
1662  FAIL_IF_NOT(PacketAlertCheck(p, 3));
1663 
1664  AppLayerParserThreadCtxFree(alp_tctx);
1665  DetectEngineThreadCtxDeinit(&tv, det_ctx);
1666  SigGroupCleanup(de_ctx);
1667  DetectEngineCtxFree(de_ctx);
1668 
1669  FLOW_DESTROY(&f);
1670  UTHFreePacket(p);
1671  PASS;
1672 }
1673 
1674 /**
1675  * \brief this function registers unit tests for DetectBytetest
1676  */
1677 static void DetectBytetestRegisterTests(void)
1678 {
1679  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
1680  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
1681 
1682  UtRegisterTest("DetectBytetestTestParse01", DetectBytetestTestParse01);
1683  UtRegisterTest("DetectBytetestTestParse02", DetectBytetestTestParse02);
1684  UtRegisterTest("DetectBytetestTestParse03", DetectBytetestTestParse03);
1685  UtRegisterTest("DetectBytetestTestParse04", DetectBytetestTestParse04);
1686  UtRegisterTest("DetectBytetestTestParse05", DetectBytetestTestParse05);
1687  UtRegisterTest("DetectBytetestTestParse06", DetectBytetestTestParse06);
1688  UtRegisterTest("DetectBytetestTestParse07", DetectBytetestTestParse07);
1689  UtRegisterTest("DetectBytetestTestParse08", DetectBytetestTestParse08);
1690  UtRegisterTest("DetectBytetestTestParse09", DetectBytetestTestParse09);
1691  UtRegisterTest("DetectBytetestTestParse10", DetectBytetestTestParse10);
1692  UtRegisterTest("DetectBytetestTestParse11", DetectBytetestTestParse11);
1693  UtRegisterTest("DetectBytetestTestParse12", DetectBytetestTestParse12);
1694  UtRegisterTest("DetectBytetestTestParse13", DetectBytetestTestParse13);
1695  UtRegisterTest("DetectBytetestTestParse14", DetectBytetestTestParse14);
1696  UtRegisterTest("DetectBytetestTestParse15", DetectBytetestTestParse15);
1697  UtRegisterTest("DetectBytetestTestParse16", DetectBytetestTestParse16);
1698  UtRegisterTest("DetectBytetestTestParse17", DetectBytetestTestParse17);
1699  UtRegisterTest("DetectBytetestTestParse18", DetectBytetestTestParse18);
1700  UtRegisterTest("DetectBytetestTestParse19", DetectBytetestTestParse19);
1701  UtRegisterTest("DetectBytetestTestParse20", DetectBytetestTestParse20);
1702  UtRegisterTest("DetectBytetestTestParse21", DetectBytetestTestParse21);
1703  UtRegisterTest("DetectBytetestTestParse22", DetectBytetestTestParse22);
1704  UtRegisterTest("DetectBytetestTestParse23", DetectBytetestTestParse23);
1705  UtRegisterTest("DetectBytetestTestParse24", DetectBytetestTestParse24);
1706 
1707  UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01);
1708  UtRegisterTest("DetectByteTestTestPacket02", DetectByteTestTestPacket02);
1709  UtRegisterTest("DetectByteTestTestPacket03", DetectByteTestTestPacket03);
1710  UtRegisterTest("DetectByteTestTestPacket04", DetectByteTestTestPacket04);
1711  UtRegisterTest("DetectByteTestTestPacket05", DetectByteTestTestPacket05);
1712  UtRegisterTest("DetectByteTestTestPacket06", DetectByteTestTestPacket06);
1713 }
1714 #endif /* UNITTESTS */
util-byte.h
DETECT_BYTETEST_OP_GE
#define DETECT_BYTETEST_OP_GE
Definition: detect-bytetest.h:33
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition: detect-bytetest.h:49
SigTableElmt_::url
const char * url
Definition: detect.h:1214
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
DetectSignatureSetAppProto
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:1480
DetectBytetestData_::bitmask_shift_count
uint8_t bitmask_shift_count
Definition: detect-bytetest.h:56
detect-content.h
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1041
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DETECT_BYTETEST_BITMASK
#define DETECT_BYTETEST_BITMASK
Definition: detect-bytetest.h:48
SigTableElmt_::desc
const char * desc
Definition: detect.h:1213
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition: util-byte.c:122
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1109
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1201
flow-util.h
ALPROTO_DNS
@ ALPROTO_DNS
Definition: app-layer-protos.h:41
SigTableElmt_::name
const char * name
Definition: detect.h:1211
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:73
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1381
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
DetectBytetestData_::neg_op
bool neg_op
Definition: detect-bytetest.h:58
DETECT_BYTETEST_BASE_HEX
#define DETECT_BYTETEST_BASE_HEX
Definition: detect-bytetest.h:40
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
Flow_::proto
uint8_t proto
Definition: flow.h:365
Packet_::payload
uint8_t * payload
Definition: decode.h:549
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:449
Flow_
Flow data structure.
Definition: flow.h:347
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2051
Flow_::protomap
uint8_t protomap
Definition: flow.h:445
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
StringParseInt32
int StringParseInt32(int32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:613
DETECT_BYTETEST_DCE
#define DETECT_BYTETEST_DCE
Definition: detect-bytetest.h:47
DETECT_BYTETEST_OP_GT
#define DETECT_BYTETEST_OP_GT
Definition: detect-bytetest.h:29
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
DetectBytetestData_::bitmask
uint32_t bitmask
Definition: detect-bytetest.h:60
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:278
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
UTHPacketMatchSig
int UTHPacketMatchSig(Packet *p, const char *sig)
Definition: util-unittest-helper.c:882
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:48
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DetectBytetestData_::nbytes
uint8_t nbytes
Definition: detect-bytetest.h:53
DetectBytetestData_
Definition: detect-bytetest.h:52
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine.c:1005
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:242
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1196
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:816
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:95
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:550
DetectByteIndexType
uint8_t DetectByteIndexType
Definition: detect-byte.h:26
DETECT_BYTETEST_OP_AND
#define DETECT_BYTETEST_OP_AND
Definition: detect-bytetest.h:31
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-bytetest.c:57
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:880
SC_ERR_PCRE_PARSE
@ SC_ERR_PCRE_PARSE
Definition: util-error.h:37
Signature_::next
struct Signature_ * next
Definition: detect.h:600
DETECT_BYTETEST_OP_LT
#define DETECT_BYTETEST_OP_LT
Definition: detect-bytetest.h:28
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
DETECT_BYTETEST_RELATIVE
#define DETECT_BYTETEST_RELATIVE
Definition: detect-bytetest.h:46
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1010
DETECT_BYTETEST_BASE_UNSET
#define DETECT_BYTETEST_BASE_UNSET
Definition: detect-bytetest.h:37
SC_ERR_UNKNOWN_VALUE
@ SC_ERR_UNKNOWN_VALUE
Definition: util-error.h:159
DETECT_BYTETEST_BASE_DEC
#define DETECT_BYTETEST_BASE_DEC
Definition: detect-bytetest.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2488
SignatureInitData_::list
int list
Definition: detect.h:505
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DETECT_BYTETEST_OP_LE
#define DETECT_BYTETEST_OP_LE
Definition: detect-bytetest.h:34
SC_ERR_INVALID_ARGUMENT
@ SC_ERR_INVALID_ARGUMENT
Definition: util-error.h:43
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition: util-byte.h:29
DetectBytetestData_::op
uint8_t op
Definition: detect-bytetest.h:54
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1949
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition: detect-bytetest.h:50
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2418
FlowGetProtoMapping
uint8_t FlowGetProtoMapping(uint8_t proto)
Function to map the protocol to the defined FLOW_PROTO_* enumeration.
Definition: flow-util.c:95
Packet_
Definition: decode.h:414
DETECT_BYTETEST_BIG
#define DETECT_BYTETEST_BIG
Definition: detect-bytetest.h:44
DetectBytetestRegister
void DetectBytetestRegister(void)
Definition: detect-bytetest.c:79
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
ByteExtractStringUint32
int ByteExtractStringUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:239
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:597
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1179
detect-byte.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:61
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1884
SigMatch_::type
uint8_t type
Definition: detect.h:321
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:252
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:115
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:72
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition: util-byte.h:30
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2356
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectByteRetrieveSMVar
bool DetectByteRetrieveSMVar(const char *arg, const Signature *s, DetectByteIndexType *index)
Used to retrieve args from BM.
Definition: detect-byte.c:39
SC_ERR_INVALID_OPERATOR
@ SC_ERR_INVALID_OPERATOR
Definition: util-error.h:162
flags
uint8_t flags
Definition: decode-gre.h:0
DETECT_BYTETEST_OP_OR
#define DETECT_BYTETEST_OP_OR
Definition: detect-bytetest.h:32
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1178
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
detect-byte-extract.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
DetectBytetestDoMatch
int DetectBytetestDoMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchCtx *ctx, const uint8_t *payload, uint32_t payload_len, uint8_t flags, int32_t offset, uint64_t value)
Bytetest detection code.
Definition: detect-bytetest.c:105
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
DETECT_BYTETEST_BASE_OCT
#define DETECT_BYTETEST_BASE_OCT
Definition: detect-bytetest.h:38
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:625
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:476
mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.c:49
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition: detect-engine-register.h:170
Flow_::flags
uint32_t flags
Definition: flow.h:421
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:79
DETECT_BYTETEST_STRING
#define DETECT_BYTETEST_STRING
Definition: detect-bytetest.h:45
DetectBytetestData_::offset
int32_t offset
Definition: detect-bytetest.h:59
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:234
DETECT_BYTETEST_OP_EQ
#define DETECT_BYTETEST_OP_EQ
Definition: detect-bytetest.h:30
DetectPcreData_
Definition: detect-pcre.h:39
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition: detect-engine-register.h:74
detect-uricontent.h
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:87
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1257
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
DetectBytetestData_::base
uint8_t base
Definition: detect-bytetest.h:55
DETECT_BYTETEST_LITTLE
#define DETECT_BYTETEST_LITTLE
Definition: detect-bytetest.h:43
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
DetectBytetestData_::value
uint64_t value
Definition: detect-bytetest.h:61
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1203
app-layer.h
detect-bytetest.h
SC_ERR_CONFLICTING_RULE_KEYWORDS
@ SC_ERR_CONFLICTING_RULE_KEYWORDS
Definition: util-error.h:171