57 #define VALID_KW "relative|big|little|string|oct|dec|hex|dce|bitmask"
58 #define PARSE_REGEX "^\\s*" \
59 "([^\\s,]+)\\s*,\\s*" \
60 "(\\!?\\s*[^\\s,]*)" \
61 "\\s*,\\s*([^\\s,]+\\s*,\\s*[^\\s,]+)" \
62 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
63 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
64 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
65 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
66 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
67 "(?:\\s*,\\s*((?:"VALID_KW")\\s+[^\\s,]+|["VALID_KW"]+))?" \
75 static void DetectBytetestRegisterTests(
void);
81 sigmatch_table[
DETECT_BYTETEST].
desc =
"extract <num of bytes> and perform an operation selected with <operator> against the value in <test value> at a particular <offset>";
100 static inline bool DetectBytetestValidateNbytesOnly(
const DetectBytetestData *data, int32_t nbytes)
105 static bool DetectBytetestValidateNbytes(
108 if (!DetectBytetestValidateNbytesOnly(data, nbytes)) {
118 SCLogError(
"Cannot test more than 23 bytes with \"string\": %s", optstr);
122 SCLogError(
"Cannot test more than 8 bytes without \"string\": %s", optstr);
125 SCLogError(
"Cannot use a base without \"string\": %s", optstr);
135 SCLogError(
"Cannot use a base without \"string\": %s", optstr);
157 int32_t
offset, int32_t nbytes, uint64_t value)
167 if (!DetectBytetestValidateNbytesOnly(data, nbytes)) {
168 SCLogDebug(
"Invalid byte_test nbytes seen in byte_test - %d", nbytes);
173 const uint8_t *ptr = NULL;
184 SCLogDebug(
"relative, working with det_ctx->buffer_offset %"PRIu32
", "
194 if (ptr == NULL ||
len <= 0) {
208 if (ptr < payload || nbytes >
len) {
209 SCLogDebug(
"Data not within payload pkt=%p, ptr=%p, len=%" PRIu32
", nbytes=%d", payload,
226 "bytes of string data: %d",
232 SCLogDebug(
"comparing base %d string 0x%" PRIx64
" %s%u 0x%" PRIx64,
233 data->
base, val, (neg ?
"!" :
""), data->
op, data->
value);
239 if (extbytes != nbytes) {
241 "of numeric data: %d",
246 SCLogDebug(
"comparing numeric 0x%" PRIx64
" %s%u 0x%" PRIx64,
247 val, (neg ?
"!" :
""), data->
op, data->
value);
304 if ((!neg && match) || (neg && !match)) {
305 SCLogDebug(
"MATCH [bt] extracted value is %"PRIu64, val);
315 const char *optstr,
char **value,
char **
offset,
char **nbytes_str)
319 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
322 char *test_value = NULL;
323 char *data_offset = NULL;
328 const char *str_ptr = NULL;
329 pcre2_match_data *match = NULL;
333 if (ret < 4 || ret > 9) {
334 SCLogError(
"parse error, ret %" PRId32
", string %s", ret, optstr);
339 for (i = 0; i < (ret - 1); i++) {
340 res = pcre2_substring_get_bynumber(match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
342 SCLogError(
"pcre2_substring_get_bynumber failed "
349 test_value = (
char *) str_ptr;
350 data_offset =
SCStrdup((
char *) str_ptr);
351 if (data_offset == NULL) {
355 args[i] = (
char *)str_ptr;
378 if (args[0][0] !=
'-' && isalpha((
unsigned char)args[0][0])) {
379 if (nbytes_str == NULL) {
381 "var name for nbytes. \"value\" argument supplied to "
382 "this function has to be non-NULL");
386 if (*nbytes_str == NULL)
391 SCLogError(
"Malformed number of bytes: %s", str_ptr);
398 if (args[1] != NULL) {
401 if (args[1][op_offset] ==
'!') {
403 op_ptr = &args[1][1];
404 while (isspace((
char)*op_ptr) || (*op_ptr ==
',')) op_ptr++;
405 op_offset = (uint32_t)(op_ptr - &args[1][0]);
409 op_ptr = args[1] + op_offset;
410 if ((strcmp(
"=", op_ptr) == 0) || (data->
neg_op
411 && strcmp(
"", op_ptr) == 0)) {
413 }
else if (strcmp(
"<", op_ptr) == 0) {
415 }
else if (strcmp(
">", op_ptr) == 0) {
417 }
else if (strcmp(
"&", op_ptr) == 0) {
419 }
else if (strcmp(
"^", op_ptr) == 0) {
421 }
else if (strcmp(
">=", op_ptr) == 0) {
423 }
else if (strcmp(
"<=", op_ptr) == 0) {
437 char *end_ptr = test_value;
438 while (!(isspace((
unsigned char)*end_ptr) || (*end_ptr ==
','))) end_ptr++;
441 if (test_value[0] !=
'-' && isalpha((
unsigned char)test_value[0])) {
444 "var name for value. \"value\" argument supplied to "
445 "this function has to be non-NULL");
453 SCLogError(
"Malformed value: %s", test_value);
461 char *end_ptr = data_offset;
462 while (!(isspace((
unsigned char)*end_ptr) || (*end_ptr ==
','))) end_ptr++;
464 while (isspace((
unsigned char)*str_ptr) || (*str_ptr ==
',')) str_ptr++;
465 end_ptr = (
char *)str_ptr;
466 while (!(isspace((
unsigned char)*end_ptr) || (*end_ptr ==
',')) && (*end_ptr !=
'\0'))
468 memmove(data_offset, str_ptr, end_ptr - str_ptr);
469 data_offset[end_ptr-str_ptr] =
'\0';
470 if (data_offset[0] !=
'-' && isalpha((
unsigned char)data_offset[0])) {
476 SCLogError(
"Malformed offset: %s", data_offset);
484 int bitmask_index = -1;
485 for (i = 3; i < (ret - 1); i++) {
486 if (args[i] != NULL) {
487 if (strcmp(
"relative", args[i]) == 0) {
489 }
else if (strcasecmp(
"string", args[i]) == 0) {
491 }
else if (strcasecmp(
"dec", args[i]) == 0) {
493 }
else if (strcasecmp(
"hex", args[i]) == 0) {
495 }
else if (strcasecmp(
"oct", args[i]) == 0) {
497 }
else if (strcasecmp(
"big", args[i]) == 0) {
502 }
else if (strcasecmp(
"little", args[i]) == 0) {
504 }
else if (strcasecmp(
"dce", args[i]) == 0) {
506 }
else if (strncasecmp(
"bitmask", args[i], strlen(
"bitmask")) == 0) {
517 if (!DetectBytetestValidateNbytes(data, nbytes, optstr)) {
522 data->
nbytes = (uint8_t)nbytes;
527 SCLogError(
"Malformed bitmask value: %s", args[bitmask_index] + strlen(
"bitmask"));
535 uint32_t bmask = data->
bitmask;
536 while (!(bmask & 0x1)){
543 for (i = 0; i < (ret - 1); i++){
545 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
547 if (data_offset)
SCFree(data_offset);
549 pcre2_substring_free((PCRE2_UCHAR8 *)test_value);
550 pcre2_match_data_free(match);
554 for (i = 0; i < (ret - 1); i++){
556 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
558 if (data_offset)
SCFree(data_offset);
560 pcre2_substring_free((PCRE2_UCHAR8 *)test_value);
563 pcre2_match_data_free(match);
597 if (prev_pm == NULL) {
616 if (prev_pm == NULL) {
636 "A byte_test keyword with dce holds other invalid modifiers.");
645 "seen in byte_test - %s",
659 "seen in byte_test - %s",
669 if (nbytes != NULL) {
673 "seen in byte_test - %s",
711 DetectBytetestFree(
de_ctx, data);
735 static int g_file_data_buffer_id = 0;
736 static int g_dce_stub_data_buffer_id = 0;
742 static int DetectBytetestTestParse01(
void)
745 data = DetectBytetestParse(
"4, =, 1 , 0", NULL, NULL, NULL);
747 DetectBytetestFree(NULL, data);
754 static int DetectBytetestTestParse02(
void)
757 data = DetectBytetestParse(
"4, !=, 1, 0", NULL, NULL, NULL);
766 DetectBytetestFree(NULL, data);
773 static int DetectBytetestTestParse03(
void)
776 data = DetectBytetestParse(
"4, !=, 1, 0, relative", NULL, NULL, NULL);
786 DetectBytetestFree(NULL, data);
793 static int DetectBytetestTestParse04(
void)
796 data = DetectBytetestParse(
"4, !=, 1, 0, string, oct", NULL, NULL, NULL);
805 DetectBytetestFree(NULL, data);
812 static int DetectBytetestTestParse05(
void)
815 data = DetectBytetestParse(
"4, =, 1, 0, string, dec", NULL, NULL, NULL);
823 DetectBytetestFree(NULL, data);
830 static int DetectBytetestTestParse06(
void)
833 data = DetectBytetestParse(
"4, >, 1, 0, string, hex", NULL, NULL, NULL);
841 DetectBytetestFree(NULL, data);
848 static int DetectBytetestTestParse07(
void)
851 data = DetectBytetestParse(
"4, <, 5, 0, big", NULL, NULL, NULL);
859 DetectBytetestFree(NULL, data);
866 static int DetectBytetestTestParse08(
void)
869 data = DetectBytetestParse(
"4, <, 5, 0, little", NULL, NULL, NULL);
878 DetectBytetestFree(NULL, data);
885 static int DetectBytetestTestParse09(
void)
888 data = DetectBytetestParse(
"4, !, 5, 0", NULL, NULL, NULL);
896 DetectBytetestFree(NULL, data);
903 static int DetectBytetestTestParse10(
void)
906 data = DetectBytetestParse(
" 4 , ! &, 5 , 0 , little ", NULL, NULL, NULL);
916 DetectBytetestFree(NULL, data);
923 static int DetectBytetestTestParse11(
void)
926 data = DetectBytetestParse(
"4,!^,5,0,little,string,relative,hex", NULL, NULL, NULL);
937 DetectBytetestFree(NULL, data);
944 static int DetectBytetestTestParse12(
void)
947 data = DetectBytetestParse(
"4, =, 1, 0, hex", NULL, NULL, NULL);
956 static int DetectBytetestTestParse13(
void)
959 data = DetectBytetestParse(
"9, =, 1, 0", NULL, NULL, NULL);
967 static int DetectBytetestTestParse14(
void)
970 data = DetectBytetestParse(
"23,=,0xffffffffffffffffULL,0,string,oct", NULL, NULL, NULL);
979 DetectBytetestFree(NULL, data);
986 static int DetectBytetestTestParse15(
void)
989 data = DetectBytetestParse(
"24, =, 0xffffffffffffffffULL, 0, string", NULL, NULL, NULL);
998 static int DetectBytetestTestParse16(
void)
1001 data = DetectBytetestParse(
"4,=,0,0xffffffffffffffffULL", NULL, NULL, NULL);
1010 static int DetectBytetestTestParse17(
void)
1013 data = DetectBytetestParse(
"4, <, 5, 0, dce", NULL, NULL, NULL);
1021 DetectBytetestFree(NULL, data);
1028 static int DetectBytetestTestParse18(
void)
1031 data = DetectBytetestParse(
"4, <, 5, 0", NULL, NULL, NULL);
1039 DetectBytetestFree(NULL, data);
1046 static int DetectBytetestTestParse19(
void)
1053 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,dce") == 0);
1054 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,string,dce") == -1);
1055 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,big,dce") == -1);
1056 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,little,dce") == -1);
1057 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,hex,dce") == -1);
1058 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,oct,dce") == -1);
1059 FAIL_IF_NOT(DetectBytetestSetup(NULL, s,
"1,=,1,6,dec,dce") == -1);
1068 static int DetectBytetestTestParse20(
void)
1079 "(msg:\"Testing bytetest_body\"; "
1080 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1082 "content:\"one\"; distance:0; "
1083 "byte_test:1,=,1,6,relative,dce; sid:1;)");
1102 "(msg:\"Testing bytetest_body\"; "
1103 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1105 "content:\"one\"; distance:0; "
1106 "byte_test:1,=,1,6,relative,dce; sid:1;)");
1124 "(msg:\"Testing bytetest_body\"; "
1125 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1127 "content:\"one\"; distance:0; "
1128 "byte_test:1,=,1,6,relative; sid:1;)");
1154 static int DetectBytetestTestParse21(
void)
1164 "(msg:\"Testing bytetest_body\"; "
1165 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1166 "content:\"one\"; byte_test:1,=,1,6,string,dce; sid:1;)");
1170 "(msg:\"Testing bytetest_body\"; "
1171 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1172 "content:\"one\"; byte_test:1,=,1,6,big,dce; sid:1;)");
1176 "(msg:\"Testing bytetest_body\"; "
1177 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1178 "content:\"one\"; byte_test:1,=,1,6,little,dce; sid:1;)");
1182 "(msg:\"Testing bytetest_body\"; "
1183 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1184 "content:\"one\"; byte_test:1,=,1,6,hex,dce; sid:1;)");
1188 "(msg:\"Testing bytetest_body\"; "
1189 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1190 "content:\"one\"; byte_test:1,=,1,6,dec,dce; sid:1;)");
1194 "(msg:\"Testing bytetest_body\"; "
1195 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1196 "content:\"one\"; byte_test:1,=,1,6,oct,dce; sid:1;)");
1200 "(msg:\"Testing bytetest_body\"; "
1201 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1202 "content:\"one\"; byte_test:1,=,1,6,string,hex,dce; sid:1;)");
1206 "(msg:\"Testing bytetest_body\"; "
1207 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1208 "content:\"one\"; byte_test:1,=,1,6,big,string,hex,dce; sid:1;)");
1212 "(msg:\"Testing bytetest_body\"; "
1213 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1214 "content:\"one\"; byte_test:1,=,1,6,big,string,oct,dce; sid:1;)");
1218 "(msg:\"Testing bytetest_body\"; "
1219 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1220 "content:\"one\"; byte_test:1,=,1,6,little,string,hex,dce; sid:1;)");
1224 "(msg:\"Testing bytetest_body\"; "
1225 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1226 "content:\"one\"; byte_test:1,=,1,6,big,string,dec,dce; sid:1;)");
1239 static int DetectBytetestTestParse22(
void)
1250 "(file_data; byte_test:1,=,1,6,relative; sid:1;)");
1275 static int DetectBytetestTestParse23(
void)
1278 data = DetectBytetestParse(
"4, <, 5, 0, bitmask 0xf8", NULL, NULL, NULL);
1289 DetectBytetestFree(NULL, data);
1297 static int DetectBytetestTestParse24(
void)
1300 data = DetectBytetestParse(
1301 "4, !<, 5, 0, relative,string,hex, big, bitmask 0xf8", NULL, NULL, NULL);
1315 DetectBytetestFree(NULL, data);
1323 static void DetectBytetestRegisterTests(
void)
1328 UtRegisterTest(
"DetectBytetestTestParse01", DetectBytetestTestParse01);
1329 UtRegisterTest(
"DetectBytetestTestParse02", DetectBytetestTestParse02);
1330 UtRegisterTest(
"DetectBytetestTestParse03", DetectBytetestTestParse03);
1331 UtRegisterTest(
"DetectBytetestTestParse04", DetectBytetestTestParse04);
1332 UtRegisterTest(
"DetectBytetestTestParse05", DetectBytetestTestParse05);
1333 UtRegisterTest(
"DetectBytetestTestParse06", DetectBytetestTestParse06);
1334 UtRegisterTest(
"DetectBytetestTestParse07", DetectBytetestTestParse07);
1335 UtRegisterTest(
"DetectBytetestTestParse08", DetectBytetestTestParse08);
1336 UtRegisterTest(
"DetectBytetestTestParse09", DetectBytetestTestParse09);
1337 UtRegisterTest(
"DetectBytetestTestParse10", DetectBytetestTestParse10);
1338 UtRegisterTest(
"DetectBytetestTestParse11", DetectBytetestTestParse11);
1339 UtRegisterTest(
"DetectBytetestTestParse12", DetectBytetestTestParse12);
1340 UtRegisterTest(
"DetectBytetestTestParse13", DetectBytetestTestParse13);
1341 UtRegisterTest(
"DetectBytetestTestParse14", DetectBytetestTestParse14);
1342 UtRegisterTest(
"DetectBytetestTestParse15", DetectBytetestTestParse15);
1343 UtRegisterTest(
"DetectBytetestTestParse16", DetectBytetestTestParse16);
1344 UtRegisterTest(
"DetectBytetestTestParse17", DetectBytetestTestParse17);
1345 UtRegisterTest(
"DetectBytetestTestParse18", DetectBytetestTestParse18);
1346 UtRegisterTest(
"DetectBytetestTestParse19", DetectBytetestTestParse19);
1347 UtRegisterTest(
"DetectBytetestTestParse20", DetectBytetestTestParse20);
1348 UtRegisterTest(
"DetectBytetestTestParse21", DetectBytetestTestParse21);
1349 UtRegisterTest(
"DetectBytetestTestParse22", DetectBytetestTestParse22);
1350 UtRegisterTest(
"DetectBytetestTestParse23", DetectBytetestTestParse23);
1351 UtRegisterTest(
"DetectBytetestTestParse24", DetectBytetestTestParse24);