56 static void DetectContentRegisterTests(
void);
86 uint8_t **pstr, uint16_t *plen)
91 slen = strlen(contentstr);
95 uint8_t buffer[slen + 1];
96 strlcpy((
char *)&buffer, contentstr, slen + 1);
108 uint8_t binstr[3] =
"";
110 uint16_t bin_count = 0;
112 for (i = 0, x = 0; i < slen; i++) {
118 SCLogError(
"Incomplete hex code in content - %s. Invalidating signature.",
126 }
else if(!escape &&
str[i] ==
'\\') {
130 if (isdigit((
unsigned char)
str[i]) ||
131 str[i] ==
'A' ||
str[i] ==
'a' ||
132 str[i] ==
'B' ||
str[i] ==
'b' ||
133 str[i] ==
'C' ||
str[i] ==
'c' ||
134 str[i] ==
'D' ||
str[i] ==
'd' ||
135 str[i] ==
'E' ||
str[i] ==
'e' ||
136 str[i] ==
'F' ||
str[i] ==
'f')
140 binstr[binpos] = (char)
str[i];
144 uint8_t c = strtol((
char *)binstr, (
char **) NULL, 16) & 0xFF;
150 }
else if (
str[i] ==
' ') {
153 else if (
str[i] !=
',') {
155 "content - %s, hex %c. Invalidating signature.",
173 }
else if (
str[i] ==
'"') {
174 SCLogError(
"Invalid unescaped double quote within content section.");
183 if (bin_count % 2 != 0) {
185 "%s - %s. Invalidating signature.",
186 keyword, contentstr);
200 memcpy(ptr,
str, slen);
202 *plen = (uint16_t)slen;
214 const char *contentstr)
217 uint8_t *content = NULL;
238 spm_global_thread_ctx);
256 const char *contentstr)
268 SCLogDebug(
"DetectContentData \"cd\" is NULL");
272 if (tmpstr != NULL) {
301 if (tmprstr != NULL) {
353 SCLogError(
"content string \"%s\" incompatible with %s transform", contentstr, tstr);
413 int max_offset = 0, total_len = 0;
415 for (; sm != NULL; sm = sm->
next) {
421 SCLogDebug(
"content_len %d; negated: %s; distance: %d, offset: %d, depth: %d",
433 if (max_size < (uint64_t)check) {
444 max_offset =
MAX(max_offset, cd->
offset);
462 uint16_t max_right_edge_i;
466 uint32_t max_right_edge = max_right_edge_i;
469 if (min_dsize_required >= 0) {
470 SCLogDebug(
"min_dsize %d; max_right_edge %d", min_dsize_required, max_right_edge);
471 if ((uint32_t)min_dsize_required > max_right_edge) {
472 SCLogError(
"signature can't match as required content length %d exceeds dsize value %d",
473 min_dsize_required, max_right_edge);
496 #define VALIDATE(e) \
501 uint16_t offset_plus_pat = 0;
503 bool has_active_depth_chain =
false;
505 bool has_depth =
false;
506 bool has_ends_with =
false;
507 uint16_t ends_with_depth = 0;
509 for (
SigMatch *sm = sm_head; sm != NULL; sm = sm->
next) {
518 has_active_depth_chain =
false;
521 if (sm->prev == NULL) {
546 has_active_depth_chain =
false;
552 has_active_depth_chain =
true;
555 SCLogDebug(
"sm %p depth %u offset %u distance %d within %d", sm, cd->
depth,
564 has_active_depth_chain =
false;
568 SCLogDebug(
"no distance, reset offset_plus_pat & offset");
569 offset_plus_pat =
offset = 0;
572 SCLogDebug(
"stored: offset %u depth %u offset_plus_pat %u "
573 "has_active_depth_chain %s",
574 offset, depth, offset_plus_pat, has_active_depth_chain ?
"true" :
"false");
582 if (abs(cd->
distance) > offset_plus_pat)
591 if (has_active_depth_chain) {
593 if (depth && depth > offset_plus_pat) {
598 "distance to add: %u. depth + dist %u", dist, depth + dist);
602 depth + cd->
within + dist <= UINT16_MAX);
603 depth = cd->
depth = (uint16_t)(depth + cd->
within + dist);
612 if (cd->
depth == 0 && depth != 0) {
617 offset_plus_pat + cd->
distance <= UINT16_MAX);
623 depth + cd->
within <= UINT16_MAX);
624 depth = cd->
depth = (uint16_t)(cd->
within + depth);
628 has_ends_with =
true;
629 if (ends_with_depth == 0)
630 ends_with_depth = depth;
631 ends_with_depth =
MIN(ends_with_depth, depth);
639 cd->
offset = offset_plus_pat;
668 has_ends_with =
true;
669 if (ends_with_depth == 0)
670 ends_with_depth = depth;
671 ends_with_depth =
MIN(ends_with_depth, depth);
675 has_active_depth_chain =
false;
686 SCLogDebug(
"non-anchored PCRE not supported, reset offset_plus_pat & offset");
687 offset_plus_pat =
offset = depth = 0;
689 has_active_depth_chain =
false;
693 SCLogDebug(
"keyword not supported, reset offset_plus_pat & offset");
694 offset_plus_pat =
offset = depth = 0;
695 has_active_depth_chain =
false;
700 if (has_depth && has_ends_with) {
701 for (
SigMatch *sm = sm_head; sm != NULL; sm = sm->
next) {
706 cd->
depth = ends_with_depth;
726 static inline bool NeedsAsHex(uint8_t c)
750 if (NeedsAsHex(cd->
content[i])) {
752 snprintf(hex_str,
sizeof(hex_str),
"%s%02X", !hex ?
"|" :
" ", cd->
content[i]);
757 snprintf(p_str,
sizeof(p_str),
"%s%c", hex ?
"|" :
"", cd->
content[i]);
770 SCLogError(
"can't use multiple nocase modifiers with the same content");
794 static bool TestLastContent(
const Signature *s, uint16_t o, uint16_t d)
810 if (d != cd->
depth) {
817 #define TEST_RUN(sig, o, d) \
819 SCLogDebug("TEST_RUN start: '%s'", (sig)); \
820 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
821 FAIL_IF_NULL(de_ctx); \
822 de_ctx->flags |= DE_QUIET; \
824 snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
825 Signature *s = DetectEngineAppendSig(de_ctx, rule); \
827 SigPrepareStage1(de_ctx); \
828 bool res = TestLastContent(s, (o), (d)); \
830 DetectEngineCtxFree(de_ctx); \
837 static int DetectContentDepthTest01(
void)
840 TEST_RUN(
"content:\"abc\"; offset:1; depth:3;", 1, 4);
842 TEST_RUN(
"dsize:10; content:\"abc\";", 0, 10);
843 TEST_RUN(
"dsize:<10; content:\"abc\";", 0, 10);
844 TEST_RUN(
"dsize:5<>10; content:\"abc\";", 0, 10);
847 TEST_RUN(
"content:\"abc\"; depth:3; content:\"xyz\"; distance:0; within:3; ", 3, 6);
849 TEST_RUN(
"content:\"abc\"; offset:3; depth:3; content:\"xyz\"; distance:0; within:3; ", 6, 9);
850 TEST_RUN(
"content:\"abc\"; depth:6; content:\"xyz\"; distance:0; within:3; ", 3, 9);
853 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; distance:0; within:3; content:\"xyz\"; distance:0; within:3; ", 6, 9);
855 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; content:\"xyz\"; distance:0; within:3; ", 3, 0);
857 TEST_RUN(
"content:\"abc\"; depth:3; pcre:/\"klm\"/; content:\"xyz\"; distance:0; within:3; ", 0, 0);
859 TEST_RUN(
"content:\"abc\"; depth:3; pcre:/\"klm\"/R; content:\"xyz\"; distance:0; within:3; ", 3, 0);
860 TEST_RUN(
"content:\"abc\"; offset:3; depth:3; pcre:/\"klm\"/R; content:\"xyz\"; distance:0; within:3; ", 6, 0);
862 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; within:3; content:\"xyz\"; within:3; ", 0, 9);
864 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; distance:0; content:\"xyz\"; distance:0; ", 6, 0);
867 TEST_RUN(
"content:\"abc\"; depth:6; isdataat:!1,relative; content:\"klm\";", 0, 6);
868 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; within:3; content:\"xyz\"; within:3; isdataat:!1,relative; content:\"def\"; ", 0, 9);
870 TEST_RUN(
"content:\"|03|\"; depth:1; content:\"|e0|\"; distance:4; within:1;", 5, 6);
871 TEST_RUN(
"content:\"|03|\"; depth:1; content:\"|e0|\"; distance:4; within:1; content:\"Cookie|3a|\"; distance:5; within:7;", 11, 18);
873 TEST_RUN(
"content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; content:\"string\"; within:8;", 0, 0);
875 TEST_RUN(
"dsize:<80; content:!\"|00 22 02 00|\"; depth: 4; content:\"|00 00 04|\"; distance:8; within:3; content:\"|00 00 00 00 00|\"; distance:6; within:5;", 17, 80);
876 TEST_RUN(
"content:!\"|00 22 02 00|\"; depth: 4; content:\"|00 00 04|\"; distance:8; within:3; content:\"|00 00 00 00 00|\"; distance:6; within:5;", 17, 0);
878 TEST_RUN(
"content:\"|0d 0a 0d 0a|\"; content:\"code=\"; distance:0;", 4, 0);
879 TEST_RUN(
"content:\"|0d 0a 0d 0a|\"; content:\"code=\"; distance:0; content:\"xploit.class\"; distance:2; within:18;", 11, 0);
881 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0;", 2, 0);
882 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0; content:\"|0d|LogMeIn, Inc.\"; distance:1; within:14;", 6, 0);
883 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0; content:\"|0d|LogMeIn, Inc.\"; distance:1; within:14; content:\".app\";", 0, 0);
885 TEST_RUN(
"content:\"=\"; offset:4; depth:9;", 4, 13);
888 TEST_RUN(
"content:\"=\"; offset:4; depth:9; content:\"=&\"; distance:55; within:2;", 60, 70);
891 TEST_RUN(
"content:\"0123456789\"; content:\"abcdef\"; distance:1048576;", 0, 0);
894 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2;", 11, 18);
895 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2; content:\"|05 "
896 "00 00|\"; distance:0;",
898 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2; content:\"|05 "
899 "00 00|\"; distance:0; content:\"|0c 00|\"; distance:19; within:2;",
901 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2; content:\"|05 "
902 "00 00|\"; distance:0; content:\"|0c 00|\"; distance:19; within:2; content:\"|15 00 "
903 "00 00|\"; distance:20; within:4;",
914 static void DetectContentPrintAll(
SigMatch *sm)
926 for (; first_sm != NULL; first_sm = first_sm->
next) {
928 SCLogDebug(
"Printing SigMatch DETECT_CONTENT %d", ++i);
936 static int g_file_data_buffer_id = 0;
937 static int g_dce_stub_data_buffer_id = 0;
942 static int DetectContentParseTest01 (
void)
946 const char *teststring =
"abc\\:def";
947 const char *teststringparsed =
"abc:def";
951 FAIL_IF(spm_global_thread_ctx == NULL);
955 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
956 SCLogDebug(
"expected %s got ", teststringparsed);
963 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
973 static int DetectContentParseTest02 (
void)
977 const char *teststring =
"abc\\;def";
978 const char *teststringparsed =
"abc;def";
982 FAIL_IF(spm_global_thread_ctx == NULL);
986 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
987 SCLogDebug(
"expected %s got ", teststringparsed);
994 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
1004 static int DetectContentParseTest03 (
void)
1008 const char *teststring =
"abc\\\"def";
1009 const char *teststringparsed =
"abc\"def";
1013 FAIL_IF(spm_global_thread_ctx == NULL);
1017 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
1018 SCLogDebug(
"expected %s got ", teststringparsed);
1025 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
1035 static int DetectContentParseTest04 (
void)
1039 const char *teststring =
"abc\\\\def";
1040 const char *teststringparsed =
"abc\\def";
1044 FAIL_IF(spm_global_thread_ctx == NULL);
1049 if (memcmp(cd->
content, teststringparsed,
len) != 0) {
1050 SCLogDebug(
"expected %s got ", teststringparsed);
1057 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
1067 static int DetectContentParseTest05 (
void)
1071 const char *teststring =
"abc\\def";
1075 FAIL_IF(spm_global_thread_ctx == NULL);
1092 static int DetectContentParseTest06 (
void)
1096 const char *teststring =
"a|42|c|44|e|46|";
1097 const char *teststringparsed =
"abcdef";
1101 FAIL_IF(spm_global_thread_ctx == NULL);
1106 if (memcmp(cd->
content, teststringparsed,
len) != 0) {
1107 SCLogDebug(
"expected %s got ", teststringparsed);
1114 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
1124 static int DetectContentParseTest07 (
void)
1128 const char *teststring =
"";
1132 FAIL_IF(spm_global_thread_ctx == NULL);
1147 static int DetectContentParseTest08 (
void)
1151 const char *teststring =
"";
1155 FAIL_IF(spm_global_thread_ctx == NULL);
1176 static int DetectContentLongPatternMatchTest(uint8_t *raw_eth_pkt, uint16_t pktsize,
const char *sig,
1186 memset(&th_v, 0,
sizeof(th_v));
1205 SCLogDebug(
"---DetectContentLongPatternMatchTest---");
1225 static int DetectContentLongPatternMatchTestWrp(
const char *sig, uint32_t sid)
1232 uint8_t raw_eth_pkt[] = {
1233 0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,
1234 0x00,0x00,0x00,0x00,0x08,0x00,0x45,0x00,
1235 0x00,0x85,0x00,0x01,0x00,0x00,0x40,0x06,
1236 0x7c,0x70,0x7f,0x00,0x00,0x01,0x7f,0x00,
1237 0x00,0x01,0x00,0x14,0x00,0x50,0x00,0x00,
1238 0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x02,
1239 0x20,0x00,0xc9,0xad,0x00,0x00,0x48,0x69,
1240 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
1241 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
1242 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
1243 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
1244 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
1245 0x74,0x63,0x68,0x65,0x73,0x20,0x6f,0x66,
1246 0x20,0x73,0x70,0x6c,0x69,0x74,0x74,0x65,
1247 0x64,0x20,0x70,0x61,0x74,0x74,0x65,0x72,
1248 0x6e,0x73,0x20,0x62,0x65,0x74,0x77,0x65,
1249 0x65,0x6e,0x20,0x6d,0x75,0x6c,0x74,0x69,
1250 0x70,0x6c,0x65,0x20,0x63,0x68,0x75,0x6e,
1253 return DetectContentLongPatternMatchTest(raw_eth_pkt, (uint16_t)
sizeof(raw_eth_pkt),
/**
 * Long-pattern packet test with one short content keyword,
 * "Hi, this is a big test".
 *
 * The rule and sid 1 go to DetectContentLongPatternMatchTestWrp, which
 * supplies the fixed raw Ethernet packet; its verdict is returned unchanged.
 */
static int DetectContentLongPatternMatchTest01(void)
{
    return DetectContentLongPatternMatchTestWrp(
            "alert tcp any any -> any any (msg:\"Nothing..\";"
            " content:\"Hi, this is a big test\"; sid:1;)",
            1);
}
/**
 * Long-pattern packet test with a single content keyword spanning the
 * whole sentence, from "Hi, this is a big test" to "multiple chunks!".
 *
 * The rule and sid 1 go to DetectContentLongPatternMatchTestWrp, which
 * supplies the fixed raw Ethernet packet; its verdict is returned unchanged.
 */
static int DetectContentLongPatternMatchTest02(void)
{
    return DetectContentLongPatternMatchTestWrp(
            "alert tcp any any -> any any (msg:\"Nothing..\";"
            " content:\"Hi, this is a big test to check content matches of"
            " splitted patterns between multiple chunks!\"; sid:1;)",
            1);
}
1282 static int DetectContentLongPatternMatchTest03(
void)
1285 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";"
1286 " content:\"Hi, this is a big test to check content matches of"
1287 " splitted patterns between multiple splitted chunks!\"; sid:1;)";
1288 return (DetectContentLongPatternMatchTestWrp(sig, 1) == 0) ? 1: 0;
1294 static int DetectContentLongPatternMatchTest04(
void)
1296 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1297 " content:\"Hi, this is\"; depth:15 ;content:\"a big test\"; "
1298 " within:15; content:\"to check content matches of\"; "
1299 " within:30; content:\"splitted patterns\"; distance:1; "
1302 return DetectContentLongPatternMatchTestWrp(sig, 1);
1310 static int DetectContentLongPatternMatchTest05(
void)
1312 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1313 " content:\"Hi, this is a big\"; depth:17; "
1314 " isdataat:30, relative; "
1315 " content:\"test\"; within: 5; distance:1; "
1316 " isdataat:15, relative; "
1317 " content:\"of splitted\"; within:37; distance:15; "
1318 " isdataat:20,relative; "
1319 " content:\"patterns\"; within:9; distance:1; "
1320 " isdataat:10, relative; "
1322 return DetectContentLongPatternMatchTestWrp(sig, 1);
1330 static int DetectContentLongPatternMatchTest06(
void)
1332 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1333 " content:\"Hi, this is a big test to check cont\"; depth:36;"
1334 " content:\"ent matches\"; within:11; distance:0; "
1335 " content:\"of splitted patterns between multiple\"; "
1336 " within:38; distance:1; "
1337 " content:\"chunks!\"; within: 8; distance:1; "
1339 return DetectContentLongPatternMatchTestWrp(sig, 1);
1346 static int DetectContentLongPatternMatchTest07(
void)
1348 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1349 " content:\"chunks!\"; "
1350 " content:\"content matches\"; offset:32; depth:47; "
1351 " content:\"of splitted patterns between multiple\"; "
1352 " content:\"Hi, this is a big\"; offset:0; depth:17; "
1354 return DetectContentLongPatternMatchTestWrp(sig, 1);
1361 static int DetectContentLongPatternMatchTest08(
void)
1363 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1364 " content:\"ent matches\"; "
1365 " content:\"of splitted patterns between multiple\"; "
1366 " within:38; distance:1; "
1367 " content:\"chunks!\"; within: 8; distance:1; "
1368 " content:\"Hi, this is a big test to check cont\"; depth:36;"
1370 return DetectContentLongPatternMatchTestWrp(sig, 1);
1377 static int DetectContentLongPatternMatchTest09(
void)
1379 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1380 " content:\"ent matches\"; "
1381 " content:\"of splitted patterns between multiple\"; "
1382 " offset:47; depth:85; "
1383 " content:\"chunks!\"; within: 8; distance:1; "
1384 " content:\"Hi, this is a big test to chec\"; depth:36;"
1385 " content:\"k cont\"; distance:0; within:6;"
1387 return DetectContentLongPatternMatchTestWrp(sig, 1);
1393 static int DetectContentLongPatternMatchTest10(
void)
1395 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1396 " content:\"Hi, this is a big test to check \"; "
1397 " content:\"con\"; "
1399 return DetectContentLongPatternMatchTestWrp(sig, 1);
1405 static int DetectContentLongPatternMatchTest11(
void)
1407 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1411 return DetectContentLongPatternMatchTestWrp(sig, 1);
1414 static int DetectContentParseTest09(
void)
1417 const char *teststring =
"boo";
1421 FAIL_IF(spm_global_thread_ctx == NULL);
1434 static int DetectContentParseTest17(
void)
1437 const char *sigstr =
"alert tcp any any -> any any (msg:\"Dummy\"; "
1438 "content:\"one\"; content:\"two\"; within:2; sid:1;)";
1460 static int DetectContentParseTest18(
void)
1488 static int DetectContentParseTest19(
void)
1497 "(msg:\"Testing dce iface, stub_data with content\"; "
1498 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1500 "content:\"one\"; distance:0; sid:1;)");
1512 "alert tcp any any -> any any "
1513 "(msg:\"Testing dce iface, stub_data with contents & distance, within\"; "
1514 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1516 "content:\"one\"; distance:0; content:\"two\"; within:10; sid:2;)");
1531 "alert tcp any any -> any any "
1532 "(msg:\"Testing dce iface, stub with contents, distance, within\"; "
1533 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1535 "content:\"one\"; distance:0; "
1536 "content:\"two\"; within:10; distance:2; sid:3;)");
1551 "(msg:\"Testing content\"; "
1552 "content:\"one\"; sid:4;)");
1564 static int DetectContentParseTest20(
void)
1575 "alert udp any any -> any any "
1576 "(msg:\"test\"; content:\"\"; sid:238012;)");
1593 static int DetectContentParseTest21(
void)
1604 "alert udp any any -> any any "
1605 "(msg:\"test\"; content:\"; sid:238012;)");
1622 static int DetectContentParseTest22(
void)
1633 "alert udp any any -> any any "
1634 "(msg:\"test\"; content:\"boo; sid:238012;)");
1651 static int DetectContentParseTest23(
void)
1662 "alert udp any any -> any any "
1663 "(msg:\"test\"; content:boo\"; sid:238012;)");
1680 static int DetectContentParseTest24(
void)
1693 "alert udp any any -> any any "
1694 "(msg:\"test\"; content: !\"boo\"; sid:238012;)");
1696 printf(
"de_ctx->sig_list == NULL: ");
1703 printf(
"de_ctx->pmatch_tail == NULL || de_ctx->pmatch_tail->ctx == NULL: ");
1722 static int DetectContentParseTest25(
void)
1733 "alert udp any any -> any any "
1734 "(msg:\"test\"; content:\"|\"; sid:1;)");
1751 static int DetectContentParseTest26(
void)
1762 "alert udp any any -> any any "
1763 "(msg:\"test\"; content:\"|af\"; sid:1;)");
1780 static int DetectContentParseTest27(
void)
1791 "alert udp any any -> any any "
1792 "(msg:\"test\"; content:\"af|\"; sid:1;)");
1809 static int DetectContentParseTest28(
void)
1820 "alert udp any any -> any any "
1821 "(msg:\"test\"; content:\"|af|\"; sid:1;)");
1838 static int DetectContentParseTest29(
void)
1849 "alert udp any any -> any any "
1850 "(msg:\"test\"; content:\"aast|\"; sid:1;)");
1867 static int DetectContentParseTest30(
void)
1878 "alert udp any any -> any any "
1879 "(msg:\"test\"; content:\"aast|af\"; sid:1;)");
1896 static int DetectContentParseTest31(
void)
1907 "alert udp any any -> any any "
1908 "(msg:\"test\"; content:\"aast|af|\"; sid:1;)");
1925 static int DetectContentParseTest32(
void)
1936 "alert udp any any -> any any "
1937 "(msg:\"test\"; content:\"|af|asdf\"; sid:1;)");
1954 static int DetectContentParseTest33(
void)
1965 "alert udp any any -> any any "
1966 "(msg:\"test\"; content:\"|af|af|\"; sid:1;)");
1983 static int DetectContentParseTest34(
void)
1994 "alert udp any any -> any any "
1995 "(msg:\"test\"; content:\"|af|af|af\"; sid:1;)");
2012 static int DetectContentParseTest35(
void)
2023 "alert udp any any -> any any "
2024 "(msg:\"test\"; content:\"|af|af|af|\"; sid:1;)");
2038 static int SigTestPositiveTestContent(
const char *rule, uint8_t *buf)
2040 uint16_t buflen = strlen((
char *)buf);
2044 memset(&th_v, 0,
sizeof(th_v));
2070 static int DetectContentParseTest41(
void)
2075 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2079 for (
int i = 0; i < patlen; idx++, i++) {
2080 teststring[idx] =
'a';
2082 teststring[idx++] =
'\0';
2086 FAIL_IF(spm_global_thread_ctx == NULL);
2103 static int DetectContentParseTest42(
void)
2108 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2112 for (
int i = 0; i < patlen; idx++, i++) {
2113 teststring[idx] =
'a';
2115 teststring[idx++] =
'\0';
2119 FAIL_IF(spm_global_thread_ctx == NULL);
2133 static int DetectContentParseTest43(
void)
2138 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2142 teststring[idx++] =
'|';
2143 teststring[idx++] =
'4';
2144 teststring[idx++] =
'6';
2145 teststring[idx++] =
'|';
2146 for (
int i = 0; i < (patlen - 4); idx++, i++) {
2147 teststring[idx] =
'a';
2149 teststring[idx++] =
'\0';
2153 FAIL_IF(spm_global_thread_ctx == NULL);
2170 static int DetectContentParseTest44(
void)
2175 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2179 teststring[idx++] =
'|';
2180 teststring[idx++] =
'4';
2181 teststring[idx++] =
'6';
2182 teststring[idx++] =
'|';
2183 for (
int i = 0; i < (patlen - 4); idx++, i++) {
2184 teststring[idx] =
'a';
2186 teststring[idx++] =
'\0';
2190 FAIL_IF(spm_global_thread_ctx == NULL);
2207 static int DetectContentParseTest45(
void)
2216 "alert tcp any any -> any any "
2217 "(msg:\"test\"; content:\"|ff|\" content:\"TEST\"; sid:1;)");
2225 static int SigTestNegativeTestContent(
const char *rule, uint8_t *buf)
2227 uint16_t buflen = strlen((
char *)buf);
2232 memset(&th_v, 0,
sizeof(th_v));
2257 if (det_ctx != NULL) {
/**
 * Negated content with no positional modifiers: content:!"GES" against two
 * HTTP requests, neither of which contains "GES".
 *
 * Returns SigTestPositiveTestContent's verdict unchanged (helper body is not
 * part of this listing; by name it presumably expects sid 1 to alert).
 */
static int SigTest41TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any "
                           "(msg:\"HTTP URI cap\"; content:!\"GES\"; sid:1;)";
    uint8_t *payload = (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\n"
                                  "GET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n";

    return SigTestPositiveTestContent(sig_text, payload);
}
2287 static int SigTest41aTestNegatedContent(
void)
2289 (void)SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET\"; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
/**
 * Negated content with depth:22 and offset:35.
 *
 * In the payload the e-run starts at byte 23, i.e. before offset 35, so the
 * negated pattern should be absent from the inspected window. Returns
 * SigTestPositiveTestContent's verdict unchanged (helper body not shown here;
 * by name it presumably expects sid 1 to alert).
 */
static int SigTest42TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:!\"eeeeeeeeeee\"; depth:22; offset:35; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Negated content with depth:34 and offset:23.
 *
 * Offset 23 is exactly where the e-run begins in the payload, so the negated
 * pattern is inside the inspected window. Returns SigTestNegativeTestContent's
 * verdict unchanged (helper body not shown here; by name it presumably expects
 * sid 1 not to alert).
 */
static int SigTest43TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:!\"eeeeeeeeeee\"; depth:34; offset:23; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Negated content with offset:40 and depth:35 (offset written first).
 *
 * The e-run starts at byte 23 of the payload, before offset 40. Returns
 * SigTestPositiveTestContent's verdict unchanged (helper body not shown here;
 * by name it presumably expects sid 1 to alert).
 */
static int SigTest44TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:!\"eeeeeeeeeee\"; offset:40; depth:35; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" (depth:5) followed by a negated content limited by
 * depth:23.
 *
 * Boundary case: the e-run starts at byte 23 of the payload, so a 23-byte
 * depth stops just short of it. Returns SigTestPositiveTestContent's verdict
 * unchanged (helper body not shown here; by name it presumably expects sid 1
 * to alert).
 */
static int SigTest45TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; depth:5; "
                           "content:!\"eeeeeeeeeee\"; depth:23; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Positive content "aaaE" combined with a negated content (depth:23).
 *
 * "aaaE" does not occur in the payload, so the positive half of the rule
 * cannot be satisfied regardless of the negated half. Returns
 * SigTestNegativeTestContent's verdict unchanged (helper body not shown here;
 * by name it presumably expects sid 1 not to alert).
 */
static int SigTest46TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaaE\"; "
                           "content:!\"eeeeeeeeeee\"; depth:23; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" with offset:5 combined with a negated content
 * (depth:23).
 *
 * "aaa" appears only at byte 0 of the payload, i.e. before offset 5. Returns
 * SigTestNegativeTestContent's verdict unchanged (helper body not shown here;
 * by name it presumably expects sid 1 not to alert).
 */
static int SigTest47TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; offset:5; "
                           "content:!\"eeeeeeeeeee\"; depth:23; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "GET" followed by negated content !"GES" with within:26.
 *
 * "GES" does not occur anywhere in the payload. Returns
 * SigTestPositiveTestContent's verdict unchanged (helper body not shown here;
 * by name it presumably expects sid 1 to alert).
 */
static int SigTest48TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:\"GET\"; content:!\"GES\"; within:26; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ "
                       "HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Positive content "GET" followed by negated content !"Host" with within:26.
 *
 * The payload carries a "Host" header right after the first request line.
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest49TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:\"GET\"; content:!\"Host\"; within:26; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ "
                       "HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "GET" followed by negated content !"GES" with distance:25.
 *
 * "GES" does not occur anywhere in the payload. Returns
 * SigTestPositiveTestContent's verdict unchanged (helper body not shown here;
 * by name it presumably expects sid 1 to alert).
 */
static int SigTest50TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:\"GET\"; content:!\"GES\"; distance:25; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ "
                       "HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Positive content "GET" followed by negated content !"Host" with distance:17.
 *
 * Unlike the neighbouring HTTP tests, this payload has no space before the
 * first "Host" header. Returns SigTestNegativeTestContent's verdict unchanged
 * (helper body not shown here; by name it presumably expects sid 1 not to
 * alert).
 */
static int SigTest51TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:\"GET\"; content:!\"Host\"; distance:17; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "GES" plus negated content !"BOO", no positional modifiers.
 *
 * Neither string occurs in the payload, so the positive half of the rule
 * cannot be satisfied. Returns SigTestNegativeTestContent's verdict unchanged
 * (helper body not shown here; by name it presumably expects sid 1 not to
 * alert).
 */
static int SigTest52TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:\"GES\"; content:!\"BOO\"; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ "
                       "HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" followed by negated content !"Ggggg" with within:56.
 *
 * The payload does contain "Ggggg" (in the "Ggggggggg" word). Returns
 * SigTestNegativeTestContent's verdict unchanged (helper body not shown here;
 * by name it presumably expects sid 1 not to alert).
 */
static int SigTest53TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:\"aaa\"; content:!\"Ggggg\"; within:56; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" followed by negated content !"gggggg" with within:20.
 *
 * Returns SigTestPositiveTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 to alert).
 */
static int SigTest54TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; "
                           "content:!\"gggggg\"; within:20; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff ggggggggg hhhhhhhh";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * A lone negated content !"aaa" with depth:5.
 *
 * The payload starts with "aaa", so the negated pattern sits inside the
 * first five bytes. Returns SigTestNegativeTestContent's verdict unchanged
 * (helper body not shown here; by name it presumably expects sid 1 not to
 * alert).
 */
static int SigTest55TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:!\"aaa\"; depth:5; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Two positive contents, "aaa" then "Ggggg" with within:56.
 *
 * Despite the test's name, neither content in this rule is negated. Returns
 * SigTestPositiveTestContent's verdict unchanged (helper body not shown here;
 * by name it presumably expects sid 1 to alert).
 */
static int SigTest56TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:\"aaa\"; content:\"Ggggg\"; within:56; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Gggggggg hhhhhhhh";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" followed by negated content !"Ggggg" with within:56.
 *
 * The payload does contain "Ggggg". Returns SigTestNegativeTestContent's
 * verdict unchanged (helper body not shown here; by name it presumably
 * expects sid 1 not to alert).
 */
static int SigTest57TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:\"aaa\"; content:!\"Ggggg\"; within:56; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" followed by negated content !"Ggggg" with
 * distance:57.
 *
 * Returns SigTestPositiveTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 to alert).
 */
static int SigTest58TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; "
                           "content:!\"Ggggg\"; distance:57; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" followed by negated content !"Gggg" with
 * distance:30.
 *
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest59TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; "
                           "content:!\"Gggg\"; distance:30; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Negated content !"aaa" listed first, then positive content "Ggggg", with
 * no positional modifiers on either.
 *
 * The payload starts with "aaa". Returns SigTestNegativeTestContent's verdict
 * unchanged (helper body not shown here; by name it presumably expects sid 1
 * not to alert).
 */
static int SigTest60TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:!\"aaa\"; content:\"Ggggg\"; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" (depth:10) followed by negated content !"Ggggg"
 * with within:30.
 *
 * Returns SigTestPositiveTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 to alert).
 */
static int SigTest61TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
                           "content:!\"Ggggg\"; within:30; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" (depth:10) followed by negated content !"Gggggg"
 * with within:49.
 *
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest62TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
                           "content:!\"Gggggg\"; within:49; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" (depth:10) followed by negated content !"Gggggg"
 * with within:56.
 *
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest63TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
                           "content:!\"Gggggg\"; within:56; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" (depth:10) followed by negated content !"Gggggg"
 * with within:30.
 *
 * Returns SigTestPositiveTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 to alert).
 */
static int SigTest64TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
                           "content:!\"Gggggg\"; within:30; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" (depth:10) followed by negated content !"Gggggg"
 * carrying both distance:0 and within:49.
 *
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest65TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
                           "content:!\"Gggggg\"; distance:0; within:49; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" (depth:10) followed by negated content !"Gggggg"
 * with within:30. The rule and payload are the same as in
 * SigTest64TestNegatedContent.
 *
 * Returns SigTestPositiveTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 to alert).
 */
static int SigTest66TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
                           "content:!\"Gggggg\"; within:30; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" (depth:10) followed by negated content !"XXXX"
 * with within:56, against a payload that contains "XXXX" twice.
 *
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest67TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
                           "content:!\"XXXX\"; within:56; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc XXXXdddd eeeeeeeeeee ffffffffff XXXXggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Four-content chain: "aaa" (depth:10), "cccc" (offset:8), negated
 * !"Gggggg" (within:28), then "hhhhhhhh".
 *
 * Returns SigTestPositiveTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 to alert).
 */
static int SigTest68TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; content:\"cccc\"; offset:8; "
            "content:!\"Gggggg\"; within:28; content:\"hhhhhhhh\"; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Four-content chain: "aaa" (depth:10), "cccc" (offset:8), negated
 * !"Gggggg" (within:48), then "hhhhhhhh". Differs from
 * SigTest68TestNegatedContent only in the wider within value.
 *
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest69TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; content:\"cccc\"; offset:8; "
            "content:!\"Gggggg\"; within:48; content:\"hhhhhhhh\"; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" followed by negated content !"Gggggg" with
 * within:52.
 *
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest70TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; "
                           "content:!\"Gggggg\"; within:52; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" followed by negated content !"Gggggg" with
 * within:40 and distance:43.
 *
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest71TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; "
                           "content:!\"Gggggg\"; within:40; distance:43; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" followed by negated content !"Gggggg" with
 * within:49 and distance:43.
 *
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest72TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; "
                           "content:!\"Gggggg\"; within:49; distance:43; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "aaa" (depth:5) followed by a negated content limited by
 * depth:35.
 *
 * The e-run starts at byte 23 of the payload, inside the first 35 bytes.
 * Returns SigTestNegativeTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 not to alert).
 */
static int SigTest73TestNegatedContent(void)
{
    const char *sig_text = "alert tcp any any -> any any (content:\"aaa\"; depth:5; "
                           "content:!\"eeeeeeeeeee\"; depth:35; sid:1;)";
    uint8_t *payload =
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff ggggggggg hhhhhhhh";

    return SigTestNegativeTestContent(sig_text, payload);
}
/**
 * Positive content "USER" plus negated content !"PASS" against the payload
 * "USER apple", which has no "PASS" in it.
 *
 * Returns SigTestPositiveTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 to alert).
 */
static int SigTest74TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; sid:1;)";
    uint8_t *payload = (uint8_t *)"USER apple";

    return SigTestPositiveTestContent(sig_text, payload);
}
/**
 * Counterpart to SigTest74TestNegatedContent: here the '!' is inside the
 * quotes (content:"!PASS"), and the payload "USER !PASS" carries that
 * literal text.
 *
 * A rule author who misplaces the '!' gets a literal match instead of a
 * negation, which is the distinction this pair of tests appears to pin down.
 * Returns SigTestPositiveTestContent's verdict unchanged (helper body not
 * shown here; by name it presumably expects sid 1 to alert).
 */
static int SigTest75TestNegatedContent(void)
{
    const char *sig_text =
            "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)";
    uint8_t *payload = (uint8_t *)"USER !PASS";

    return SigTestPositiveTestContent(sig_text, payload);
}
/*
 * Regression test named after bug 134.
 *
 * The 29-byte payload contains the literal text "${IFS}" and the rule's
 * content keyword searches for that same text (depth:50; offset:0), so the
 * characters '$', '{' and '}' have to be taken literally by the content
 * parser. "${IFS}" is the shell field-separator expansion, which is why a
 * detection rule would want to match it in traffic.
 *
 * NOTE(review): this listing omits most of the body (packet/flow
 * declarations, engine setup, the final assertion and cleanup), so the
 * expected verdict is not visible here.
 */
2627 static int SigTest76TestBug134(
void)
2629 uint8_t *buf = (uint8_t *)
"test detect ${IFS} in traffic";
/* strlen() returns size_t; the narrowing to uint16_t is harmless for this short literal. */
2630 uint16_t buflen = strlen((
char *)buf);
/* The flow object is zeroed before use; its declaration is not shown in this listing. */
2635 memset(&f, 0,
sizeof(
Flow));
/* The rule requires an established to_server flow towards TCP port 515. */
2644 char sig[] =
"alert tcp any any -> any 515 "
2645 "(msg:\"detect IFS\"; flow:to_server,established; content:\"${IFS}\";"
2646 " depth:50; offset:0; sid:900091; rev:1;)";
/*
 * Regression test named after bug 139: a binary |00 00| content combined
 * with both offset and depth on a UDP/53 rule.
 *
 * The 20 byte values shown below hold 0x00 at indexes 13-17 and non-zero
 * bytes everywhere else, so the only place two consecutive zero bytes can
 * be found is the region starting at offset:13.
 *
 * NOTE(review): the declaration line of the byte array, the end of the
 * rule string and the rest of the body are missing from this listing; the
 * expected verdict cannot be read from here.
 */
2661 static int SigTest77TestBug139(
void)
2664 0x12, 0x23, 0x34, 0x35, 0x52, 0x52, 0x24, 0x42, 0x22, 0x24,
2665 0x52, 0x24, 0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x34 };
/* Length taken from the array itself, so it tracks any change to the test data. */
2666 uint16_t buflen =
sizeof(buf);
2671 char sig[] =
"alert udp any any -> any 53 (msg:\"dns testing\";"
2672 " content:\"|00 00|\"; depth:5; offset:13; sid:9436601;"
/*
 * Shared driver for the long-content tests: runs the rule text `sig`
 * against one fixed 739-byte frame through
 * DetectContentLongPatternMatchTest (defined elsewhere in this file).
 *
 * Frame layout, as decoded from the bytes below:
 *   - bytes 0-13: Ethernet header, zeroed addresses, EtherType 0x0800 (IPv4)
 *   - bytes 14-33: IPv4 header, total length 0x02d5 (725 = 739 - 14),
 *     protocol 0x06 (TCP), 10.16.1.11 -> 10.16.1.10
 *   - bytes 34-65: TCP header with 12 option bytes (data offset 8 words),
 *     destination port 0x0050 (80)
 *   - from byte 66: an HTTP "POST / HTTP/1.1" request announcing
 *     "Content-Length: 528"; its body starts with 8 'X' bytes followed by
 *     a run of 'A' bytes (512 of them are visible in this listing).
 *
 * NOTE(review): the last rows of the array and the tail of the return
 * statement are missing from this listing; `sid` is presumably forwarded
 * as the final argument. TODO confirm against the full file.
 */
2686 static int DetectLongContentTestCommon(
const char *sig, uint32_t sid)
2689 static uint8_t pkt[739] = {
/* Ethernet header (14 bytes), then the IPv4 header starting at 0x45 */
2690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2691 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x45, 0x00,
2692 0x02, 0xd5, 0x4a, 0x18, 0x40, 0x00, 0x40, 0x06,
2693 0xd7, 0xd6, 0x0a, 0x10, 0x01, 0x0b, 0x0a, 0x10,
/* TCP header starts at 0xdb, 0x36 (source port) in the next row */
2694 0x01, 0x0a, 0xdb, 0x36, 0x00, 0x50, 0xca, 0xc5,
2695 0xcc, 0xd1, 0x95, 0x77, 0x0f, 0x7d, 0x80, 0x18,
2696 0x00, 0xe5, 0x77, 0x9d, 0x00, 0x00, 0x01, 0x01,
2697 0x08, 0x0a, 0x1d, 0xe0, 0x86, 0xc6, 0xfc, 0x73,
/* HTTP request text begins at 0x50 ('P' of "POST") in the next row */
2698 0x49, 0xf3, 0x50, 0x4f, 0x53, 0x54, 0x20, 0x2f,
2699 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e,
2700 0x31, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2701 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x63,
2702 0x75, 0x72, 0x6c, 0x2f, 0x37, 0x2e, 0x33, 0x37,
2703 0x2e, 0x30, 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74,
2704 0x3a, 0x20, 0x31, 0x30, 0x2e, 0x31, 0x36, 0x2e,
2705 0x31, 0x2e, 0x31, 0x30, 0x0d, 0x0a, 0x41, 0x63,
2706 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f,
2707 0x2a, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65,
2708 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74,
2709 0x68, 0x3a, 0x20, 0x35, 0x32, 0x38, 0x0d, 0x0a,
2710 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d,
2711 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x61, 0x70,
2712 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
2713 0x6e, 0x2f, 0x78, 0x2d, 0x77, 0x77, 0x77, 0x2d,
2714 0x66, 0x6f, 0x72, 0x6d, 0x2d, 0x75, 0x72, 0x6c,
2715 0x65, 0x6e, 0x63, 0x6f, 0x64, 0x65, 0x64, 0x0d,
/* end of headers (CR LF CR LF), then the body: 8 x 'X' (0x58) and the 'A' (0x41) run */
2716 0x0a, 0x0d, 0x0a, 0x58, 0x58, 0x58, 0x58, 0x58,
2717 0x58, 0x58, 0x58, 0x41, 0x41, 0x41, 0x41, 0x41,
2718 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2719 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2720 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2721 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2722 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2723 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2724 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2725 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2726 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2727 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2728 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2729 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2730 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2731 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2732 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2733 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2734 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2735 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2736 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2737 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2738 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2739 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2740 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2741 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2742 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2743 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2744 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2745 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2746 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2747 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2748 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2749 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2750 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2751 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2752 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2753 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2754 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2755 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2756 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2757 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2758 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2759 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2760 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2761 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2762 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2763 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2764 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2765 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2766 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2767 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2768 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2769 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2770 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2771 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2772 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2773 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2774 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2775 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2776 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2777 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2778 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2779 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2780 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
/* the 'A' run ends in this row and the 'X' filler resumes */
2781 0x41, 0x41, 0x41, 0x58, 0x58, 0x58, 0x58, 0x58,
/* sizeof(pkt) is 739, which fits the uint16_t length parameter without truncation */
2785 return DetectContentLongPatternMatchTest(pkt, (uint16_t)
sizeof(pkt), sig,
2789 static int DetectLongContentTest1(
void)
2792 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
2794 return DetectLongContentTestCommon(sig, 1);
2797 static int DetectLongContentTest2(
void)
2800 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
2802 return DetectLongContentTestCommon(sig, 1);
2805 static int DetectLongContentTest3(
void)
2808 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
2810 return !DetectLongContentTestCommon(sig, 1);
/*
 * Rule-parsing test for malformed |hex| blocks inside a content keyword.
 *
 * Each rule below carries a hex section that does not decode to whole
 * bytes:
 *   - "|a|"       a single hex digit
 *   - "|aa b|"    one complete byte followed by a lone digit
 *   - "|aa bz|"   a character ('z') that is not a hex digit
 *   - "|22 2 22|" a lone digit between two complete bytes
 *
 * These cases matter for detection integrity: a parser that accepted them
 * would compile a pattern different from what the rule author wrote, and
 * the signature would silently miss or mis-match traffic.
 *
 * NOTE(review): the engine setup, the call that receives `de_ctx` and the
 * rule text, and the assertion wrapped around it are not part of this
 * listing; presumably every rule is expected to be rejected. TODO confirm
 * against the full file.
 */
2813 static int DetectBadBinContent(
void)
2820 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|a|\"; sid:1;)"));
2822 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|aa b|\"; sid:1;)"));
2824 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|aa bz|\"; sid:1;)"));
2827 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|22 2 22|\"; sid:1;)"));
2835 static void DetectContentRegisterTests(
void)
2840 UtRegisterTest(
"DetectContentDepthTest01", DetectContentDepthTest01);
2842 UtRegisterTest(
"DetectContentParseTest01", DetectContentParseTest01);
2843 UtRegisterTest(
"DetectContentParseTest02", DetectContentParseTest02);
2844 UtRegisterTest(
"DetectContentParseTest03", DetectContentParseTest03);
2845 UtRegisterTest(
"DetectContentParseTest04", DetectContentParseTest04);
2846 UtRegisterTest(
"DetectContentParseTest05", DetectContentParseTest05);
2847 UtRegisterTest(
"DetectContentParseTest06", DetectContentParseTest06);
2848 UtRegisterTest(
"DetectContentParseTest07", DetectContentParseTest07);
2849 UtRegisterTest(
"DetectContentParseTest08", DetectContentParseTest08);
2850 UtRegisterTest(
"DetectContentParseTest09", DetectContentParseTest09);
2851 UtRegisterTest(
"DetectContentParseTest17", DetectContentParseTest17);
2852 UtRegisterTest(
"DetectContentParseTest18", DetectContentParseTest18);
2853 UtRegisterTest(
"DetectContentParseTest19", DetectContentParseTest19);
2854 UtRegisterTest(
"DetectContentParseTest20", DetectContentParseTest20);
2855 UtRegisterTest(
"DetectContentParseTest21", DetectContentParseTest21);
2856 UtRegisterTest(
"DetectContentParseTest22", DetectContentParseTest22);
2857 UtRegisterTest(
"DetectContentParseTest23", DetectContentParseTest23);
2858 UtRegisterTest(
"DetectContentParseTest24", DetectContentParseTest24);
2859 UtRegisterTest(
"DetectContentParseTest25", DetectContentParseTest25);
2860 UtRegisterTest(
"DetectContentParseTest26", DetectContentParseTest26);
2861 UtRegisterTest(
"DetectContentParseTest27", DetectContentParseTest27);
2862 UtRegisterTest(
"DetectContentParseTest28", DetectContentParseTest28);
2863 UtRegisterTest(
"DetectContentParseTest29", DetectContentParseTest29);
2864 UtRegisterTest(
"DetectContentParseTest30", DetectContentParseTest30);
2865 UtRegisterTest(
"DetectContentParseTest31", DetectContentParseTest31);
2866 UtRegisterTest(
"DetectContentParseTest32", DetectContentParseTest32);
2867 UtRegisterTest(
"DetectContentParseTest33", DetectContentParseTest33);
2868 UtRegisterTest(
"DetectContentParseTest34", DetectContentParseTest34);
2869 UtRegisterTest(
"DetectContentParseTest35", DetectContentParseTest35);
2870 UtRegisterTest(
"DetectContentParseTest41", DetectContentParseTest41);
2871 UtRegisterTest(
"DetectContentParseTest42", DetectContentParseTest42);
2872 UtRegisterTest(
"DetectContentParseTest43", DetectContentParseTest43);
2873 UtRegisterTest(
"DetectContentParseTest44", DetectContentParseTest44);
2874 UtRegisterTest(
"DetectContentParseTest45", DetectContentParseTest45);
2878 DetectContentLongPatternMatchTest01);
2880 DetectContentLongPatternMatchTest02);
2882 DetectContentLongPatternMatchTest03);
2884 DetectContentLongPatternMatchTest04);
2886 DetectContentLongPatternMatchTest05);
2888 DetectContentLongPatternMatchTest06);
2890 DetectContentLongPatternMatchTest07);
2892 DetectContentLongPatternMatchTest08);
2894 DetectContentLongPatternMatchTest09);
2896 DetectContentLongPatternMatchTest10);
2898 DetectContentLongPatternMatchTest11);
2901 UtRegisterTest(
"SigTest41TestNegatedContent", SigTest41TestNegatedContent);
2903 SigTest41aTestNegatedContent);
2904 UtRegisterTest(
"SigTest42TestNegatedContent", SigTest42TestNegatedContent);
2905 UtRegisterTest(
"SigTest43TestNegatedContent", SigTest43TestNegatedContent);
2906 UtRegisterTest(
"SigTest44TestNegatedContent", SigTest44TestNegatedContent);
2907 UtRegisterTest(
"SigTest45TestNegatedContent", SigTest45TestNegatedContent);
2908 UtRegisterTest(
"SigTest46TestNegatedContent", SigTest46TestNegatedContent);
2909 UtRegisterTest(
"SigTest47TestNegatedContent", SigTest47TestNegatedContent);
2910 UtRegisterTest(
"SigTest48TestNegatedContent", SigTest48TestNegatedContent);
2911 UtRegisterTest(
"SigTest49TestNegatedContent", SigTest49TestNegatedContent);
2912 UtRegisterTest(
"SigTest50TestNegatedContent", SigTest50TestNegatedContent);
2913 UtRegisterTest(
"SigTest51TestNegatedContent", SigTest51TestNegatedContent);
2914 UtRegisterTest(
"SigTest52TestNegatedContent", SigTest52TestNegatedContent);
2915 UtRegisterTest(
"SigTest53TestNegatedContent", SigTest53TestNegatedContent);
2916 UtRegisterTest(
"SigTest54TestNegatedContent", SigTest54TestNegatedContent);
2917 UtRegisterTest(
"SigTest55TestNegatedContent", SigTest55TestNegatedContent);
2918 UtRegisterTest(
"SigTest56TestNegatedContent", SigTest56TestNegatedContent);
2919 UtRegisterTest(
"SigTest57TestNegatedContent", SigTest57TestNegatedContent);
2920 UtRegisterTest(
"SigTest58TestNegatedContent", SigTest58TestNegatedContent);
2921 UtRegisterTest(
"SigTest59TestNegatedContent", SigTest59TestNegatedContent);
2922 UtRegisterTest(
"SigTest60TestNegatedContent", SigTest60TestNegatedContent);
2923 UtRegisterTest(
"SigTest61TestNegatedContent", SigTest61TestNegatedContent);
2924 UtRegisterTest(
"SigTest62TestNegatedContent", SigTest62TestNegatedContent);
2925 UtRegisterTest(
"SigTest63TestNegatedContent", SigTest63TestNegatedContent);
2926 UtRegisterTest(
"SigTest64TestNegatedContent", SigTest64TestNegatedContent);
2927 UtRegisterTest(
"SigTest65TestNegatedContent", SigTest65TestNegatedContent);
2928 UtRegisterTest(
"SigTest66TestNegatedContent", SigTest66TestNegatedContent);
2929 UtRegisterTest(
"SigTest67TestNegatedContent", SigTest67TestNegatedContent);
2930 UtRegisterTest(
"SigTest68TestNegatedContent", SigTest68TestNegatedContent);
2931 UtRegisterTest(
"SigTest69TestNegatedContent", SigTest69TestNegatedContent);
2932 UtRegisterTest(
"SigTest70TestNegatedContent", SigTest70TestNegatedContent);
2933 UtRegisterTest(
"SigTest71TestNegatedContent", SigTest71TestNegatedContent);
2934 UtRegisterTest(
"SigTest72TestNegatedContent", SigTest72TestNegatedContent);
2935 UtRegisterTest(
"SigTest73TestNegatedContent", SigTest73TestNegatedContent);
2936 UtRegisterTest(
"SigTest74TestNegatedContent", SigTest74TestNegatedContent);
2937 UtRegisterTest(
"SigTest75TestNegatedContent", SigTest75TestNegatedContent);
2942 UtRegisterTest(
"DetectLongContentTest1", DetectLongContentTest1);
2943 UtRegisterTest(
"DetectLongContentTest2", DetectLongContentTest2);
2944 UtRegisterTest(
"DetectLongContentTest3", DetectLongContentTest3);