55 static void DetectContentRegisterTests(
void);
84 uint8_t **pstr, uint16_t *plen)
/* Excerpt of the content-string parser. The listing omits many lines, so the
 * notes below describe only what the visible statements show. */
89 slen = strlen(contentstr);
/* Variable-length array: the working copy is sized by the length of the
 * content string taken from the rule.
 * NOTE(review): no upper bound on slen is visible in this excerpt -- confirm
 * that the rule parser caps the option length before this point, since the
 * array lives in automatic storage. */
93 uint8_t buffer[slen + 1];
94 strlcpy((
char *)&buffer, contentstr, slen + 1);
/* Scratch buffer for hex digits; presumably two digits plus the terminator
 * (the binpos bookkeeping is not shown here). */
106 uint8_t binstr[3] =
"";
108 uint16_t bin_count = 0;
110 for (i = 0, x = 0; i < slen; i++) {
116 SCLogError(
"Incomplete hex code in content - %s. Invalidating signature.",
124 }
else if(!escape &&
str[i] ==
'\\') {
/* Accept only the characters 0-9, A-F and a-f as hex digits. The cast to
 * unsigned char keeps isdigit() well defined for every byte value. */
128 if (isdigit((
unsigned char)
str[i]) ||
129 str[i] ==
'A' ||
str[i] ==
'a' ||
130 str[i] ==
'B' ||
str[i] ==
'b' ||
131 str[i] ==
'C' ||
str[i] ==
'c' ||
132 str[i] ==
'D' ||
str[i] ==
'd' ||
133 str[i] ==
'E' ||
str[i] ==
'e' ||
134 str[i] ==
'F' ||
str[i] ==
'f')
138 binstr[binpos] = (char)
str[i];
/* Convert the collected digits as base 16 and keep only the low byte. */
142 uint8_t c = strtol((
char *)binstr, (
char **) NULL, 16) & 0xFF;
148 }
else if (
str[i] ==
' ') {
/* Any character other than a comma reaches the error message below, which
 * reports the offending character through %c. What the space branch above
 * does is not shown in this excerpt. */
151 else if (
str[i] !=
',') {
153 "content - %s, hex %c. Invalidating signature.",
/* A double quote that was not escaped is logged as an error. */
171 }
else if (
str[i] ==
'"') {
172 SCLogError(
"Invalid unescaped double quote within content section.");
/* bin_count has to be even. Presumably it counts the pipe delimiters of the
 * hex sections (the increment is not shown), so an odd count would mean an
 * unterminated hex section. */
181 if (bin_count % 2 != 0) {
183 "%s - %s. Invalidating signature.",
184 keyword, contentstr);
/* Copy slen bytes into ptr; the allocation of ptr is not shown here. */
198 memcpy(ptr,
str, slen);
/* NOTE(review): narrowing cast. If slen can exceed UINT16_MAX, the length
 * reported through plen would be smaller than the number of bytes copied
 * above. No range check is visible in this excerpt -- confirm one exists. */
200 *plen = (uint16_t)slen;
212 const char *contentstr)
215 uint8_t *content = NULL;
236 spm_global_thread_ctx);
254 const char *contentstr)
266 SCLogDebug(
"DetectContentData \"cd\" is NULL");
270 if (tmpstr != NULL) {
299 if (tmprstr != NULL) {
354 SCLogError(
"content string \"%s\" incompatible with %s transform", contentstr, tstr);
362 sm->
ctx = (
void *)cd;
422 int max_offset = 0, total_len = 0;
424 for (; sm != NULL; sm = sm->
next) {
430 SCLogDebug(
"content_len %d; negated: %s; distance: %d, offset: %d, depth: %d",
442 if (max_size < check) {
453 max_offset =
MAX(max_offset, cd->
offset);
/* The signed value is tested for being negative before it is converted to
 * uint32_t below; the body of that branch is not shown in this excerpt. */
472 if (max_right_edge_i < 0) {
476 uint32_t max_right_edge = (uint32_t)max_right_edge_i;
479 if (min_dsize_required >= 0) {
/* NOTE(review): max_right_edge is uint32_t but is formatted with %d here and
 * in the SCLogError call below; %u (or PRIu32) would match the type. */
480 SCLogDebug(
"min_dsize %d; max_right_edge %d", min_dsize_required, max_right_edge);
/* The cast is safe here because min_dsize_required was just checked to be
 * non-negative. */
481 if ((uint32_t)min_dsize_required > max_right_edge) {
482 SCLogError(
"signature can't match as required content length %d exceeds dsize value %d",
483 min_dsize_required, max_right_edge);
506 #define VALIDATE(e) \
515 uint16_t offset_plus_pat = 0;
517 bool has_active_depth_chain =
false;
519 bool has_depth =
false;
520 bool has_ends_with =
false;
521 uint16_t ends_with_depth = 0;
524 for ( ; sm != NULL; sm = sm->
next) {
532 has_active_depth_chain =
false;
539 has_active_depth_chain =
false;
545 has_active_depth_chain =
true;
549 SCLogDebug(
"stored: offset %u depth %u offset_plus_pat %u",
offset, depth, offset_plus_pat);
555 has_active_depth_chain =
false;
559 SCLogDebug(
"no distance, reset offset_plus_pat & offset");
560 offset_plus_pat =
offset = 0;
563 SCLogDebug(
"stored: offset %u depth %u offset_plus_pat %u "
564 "has_active_depth_chain %s",
565 offset, depth, offset_plus_pat,
566 has_active_depth_chain ?
"true" :
"false");
/* Excerpt of the depth propagation logic; several lines are missing from the
 * listing, so only the visible statements are described. */
572 if (has_active_depth_chain) {
575 if (depth && depth > offset_plus_pat) {
579 SCLogDebug(
"distance to add: %u. depth + dist %u", dist,
/* Tail of a range check whose opening is not shown (presumably a VALIDATE
 * invocation). It bounds the sum that is narrowed to uint16_t right after.
 * NOTE(review): the body of VALIDATE is not visible in this excerpt --
 * confirm it is active in all builds, otherwise the cast could truncate
 * silently. */
584 depth + cd->
within + dist <= UINT16_MAX);
/* The new depth is stored both in the running value and in the depth field
 * of the content itself. */
585 depth = cd->
depth = (uint16_t)(depth + cd->
within + dist);
589 depth + cd->
within <= UINT16_MAX);
594 if (cd->
depth == 0 && depth != 0) {
599 offset_plus_pat + cd->
distance <= UINT16_MAX);
/* Same pattern as above: an upper-bound check precedes the uint16_t cast. */
605 depth + cd->
within <= UINT16_MAX);
606 depth = cd->
depth = (uint16_t)(cd->
within + depth);
610 has_ends_with =
true;
611 if (ends_with_depth == 0)
612 ends_with_depth = depth;
613 ends_with_depth =
MIN(ends_with_depth, depth);
621 cd->
offset = offset_plus_pat;
646 has_ends_with =
true;
647 if (ends_with_depth == 0)
648 ends_with_depth = depth;
649 ends_with_depth =
MIN(ends_with_depth, depth);
653 has_active_depth_chain =
false;
664 SCLogDebug(
"non-anchored PCRE not supported, reset offset_plus_pat & offset");
665 offset_plus_pat =
offset = depth = 0;
667 has_active_depth_chain =
false;
671 SCLogDebug(
"keyword not supported, reset offset_plus_pat & offset");
672 offset_plus_pat =
offset = depth = 0;
673 has_active_depth_chain =
false;
679 if (has_depth && has_ends_with) {
681 for ( ; sm != NULL; sm = sm->
next) {
686 cd->
depth = ends_with_depth;
699 static inline bool NeedsAsHex(uint8_t c)
723 if (NeedsAsHex(cd->
content[i])) {
725 snprintf(hex_str,
sizeof(hex_str),
"%s%02X", !hex ?
"|" :
" ", cd->
content[i]);
730 snprintf(p_str,
sizeof(p_str),
"%s%c", hex ?
"|" :
"", cd->
content[i]);
744 static bool TestLastContent(
const Signature *s, uint16_t o, uint16_t d)
760 if (d != cd->
depth) {
767 #define TEST_RUN(sig, o, d) \
769 SCLogDebug("TEST_RUN start: '%s'", (sig)); \
770 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
771 FAIL_IF_NULL(de_ctx); \
772 de_ctx->flags |= DE_QUIET; \
774 snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
775 Signature *s = DetectEngineAppendSig(de_ctx, rule); \
777 SigAddressPrepareStage1(de_ctx); \
778 bool res = TestLastContent(s, (o), (d)); \
779 FAIL_IF(res == false); \
780 DetectEngineCtxFree(de_ctx); \
787 static int DetectContentDepthTest01(
void)
790 TEST_RUN(
"content:\"abc\"; offset:1; depth:3;", 1, 4);
792 TEST_RUN(
"dsize:10; content:\"abc\";", 0, 10);
793 TEST_RUN(
"dsize:<10; content:\"abc\";", 0, 10);
794 TEST_RUN(
"dsize:5<>10; content:\"abc\";", 0, 10);
797 TEST_RUN(
"content:\"abc\"; depth:3; content:\"xyz\"; distance:0; within:3; ", 3, 6);
799 TEST_RUN(
"content:\"abc\"; offset:3; depth:3; content:\"xyz\"; distance:0; within:3; ", 6, 9);
800 TEST_RUN(
"content:\"abc\"; depth:6; content:\"xyz\"; distance:0; within:3; ", 3, 9);
803 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; distance:0; within:3; content:\"xyz\"; distance:0; within:3; ", 6, 9);
805 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; content:\"xyz\"; distance:0; within:3; ", 3, 0);
807 TEST_RUN(
"content:\"abc\"; depth:3; pcre:/\"klm\"/; content:\"xyz\"; distance:0; within:3; ", 0, 0);
809 TEST_RUN(
"content:\"abc\"; depth:3; pcre:/\"klm\"/R; content:\"xyz\"; distance:0; within:3; ", 3, 0);
810 TEST_RUN(
"content:\"abc\"; offset:3; depth:3; pcre:/\"klm\"/R; content:\"xyz\"; distance:0; within:3; ", 6, 0);
812 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; within:3; content:\"xyz\"; within:3; ", 0, 9);
814 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; distance:0; content:\"xyz\"; distance:0; ", 6, 0);
817 TEST_RUN(
"content:\"abc\"; depth:6; isdataat:!1,relative; content:\"klm\";", 0, 6);
818 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; within:3; content:\"xyz\"; within:3; isdataat:!1,relative; content:\"def\"; ", 0, 9);
820 TEST_RUN(
"content:\"|03|\"; depth:1; content:\"|e0|\"; distance:4; within:1;", 5, 6);
821 TEST_RUN(
"content:\"|03|\"; depth:1; content:\"|e0|\"; distance:4; within:1; content:\"Cookie|3a|\"; distance:5; within:7;", 11, 18);
823 TEST_RUN(
"content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; content:\"string\"; within:8;", 0, 0);
825 TEST_RUN(
"dsize:<80; content:!\"|00 22 02 00|\"; depth: 4; content:\"|00 00 04|\"; distance:8; within:3; content:\"|00 00 00 00 00|\"; distance:6; within:5;", 17, 80);
826 TEST_RUN(
"content:!\"|00 22 02 00|\"; depth: 4; content:\"|00 00 04|\"; distance:8; within:3; content:\"|00 00 00 00 00|\"; distance:6; within:5;", 17, 0);
828 TEST_RUN(
"content:\"|0d 0a 0d 0a|\"; content:\"code=\"; distance:0;", 4, 0);
829 TEST_RUN(
"content:\"|0d 0a 0d 0a|\"; content:\"code=\"; distance:0; content:\"xploit.class\"; distance:2; within:18;", 11, 0);
831 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0;", 2, 0);
832 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0; content:\"|0d|LogMeIn, Inc.\"; distance:1; within:14;", 6, 0);
833 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0; content:\"|0d|LogMeIn, Inc.\"; distance:1; within:14; content:\".app\";", 0, 0);
835 TEST_RUN(
"content:\"=\"; offset:4; depth:9;", 4, 13);
838 TEST_RUN(
"content:\"=\"; offset:4; depth:9; content:\"=&\"; distance:55; within:2;", 60, 70);
841 TEST_RUN(
"content:\"0123456789\"; content:\"abcdef\"; distance:2147483647;", 0, 0);
844 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2;", 11, 18);
845 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2; content:\"|05 "
846 "00 00|\"; distance:0;",
848 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2; content:\"|05 "
849 "00 00|\"; distance:0; content:\"|0c 00|\"; distance:19; within:2;",
851 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2; content:\"|05 "
852 "00 00|\"; distance:0; content:\"|0c 00|\"; distance:19; within:2; content:\"|15 00 "
853 "00 00|\"; distance:20; within:4;",
864 static void DetectContentPrintAll(
SigMatch *sm)
876 for (; first_sm != NULL; first_sm = first_sm->
next) {
878 SCLogDebug(
"Printing SigMatch DETECT_CONTENT %d", ++i);
886 static int g_file_data_buffer_id = 0;
887 static int g_dce_stub_data_buffer_id = 0;
/* Parser test (excerpt): a colon escaped with a backslash in the content
 * string is expected to parse to a plain colon. */
892 static int DetectContentParseTest01 (
void)
896 const char *teststring =
"abc\\:def";
897 const char *teststringparsed =
"abc:def";
901 FAIL_IF(spm_global_thread_ctx == NULL);
/* Compares the parsed bytes with the expected string over the length of the
 * expected string only. NOTE(review): the parsed length is not compared in
 * the visible lines, so a longer pattern with the same prefix would still
 * compare equal here -- confirm against the full test. */
905 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
906 SCLogDebug(
"expected %s got ", teststringparsed);
913 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
/* Parser test (excerpt): a semicolon escaped with a backslash in the content
 * string is expected to parse to a plain semicolon. */
923 static int DetectContentParseTest02 (
void)
927 const char *teststring =
"abc\\;def";
928 const char *teststringparsed =
"abc;def";
932 FAIL_IF(spm_global_thread_ctx == NULL);
/* The comparison covers the length of the expected string only; the parsed
 * length is not compared in the visible lines. */
936 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
937 SCLogDebug(
"expected %s got ", teststringparsed);
944 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
/* Parser test (excerpt): a double quote escaped with a backslash in the
 * content string is expected to parse to a bare double quote. */
954 static int DetectContentParseTest03 (
void)
958 const char *teststring =
"abc\\\"def";
959 const char *teststringparsed =
"abc\"def";
963 FAIL_IF(spm_global_thread_ctx == NULL);
/* The comparison covers the length of the expected string only; the parsed
 * length is not compared in the visible lines. */
967 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
968 SCLogDebug(
"expected %s got ", teststringparsed);
975 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
/* Parser test (excerpt): an escaped backslash in the content string is
 * expected to parse to a single backslash character. */
985 static int DetectContentParseTest04 (
void)
989 const char *teststring =
"abc\\\\def";
990 const char *teststringparsed =
"abc\\def";
994 FAIL_IF(spm_global_thread_ctx == NULL);
/* NOTE(review): how len is computed is not shown in this excerpt -- confirm
 * that it spans the whole expected pattern. */
999 if (memcmp(cd->
content, teststringparsed,
len) != 0) {
1000 SCLogDebug(
"expected %s got ", teststringparsed);
1007 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
1017 static int DetectContentParseTest05 (
void)
1021 const char *teststring =
"abc\\def";
1025 FAIL_IF(spm_global_thread_ctx == NULL);
/* Parser test (excerpt): a content string that mixes literal characters with
 * hex sections delimited by pipes.
 * NOTE(review): 0x42, 0x44 and 0x46 are the ASCII codes of B, D and F, so the
 * decoded bytes would be aBcDeF, which differs in case from
 * teststringparsed. How len is computed is not shown in this excerpt --
 * confirm that the memcmp below covers the whole pattern, otherwise this
 * test cannot detect a regression in hex decoding. */
1042 static int DetectContentParseTest06 (
void)
1046 const char *teststring =
"a|42|c|44|e|46|";
1047 const char *teststringparsed =
"abcdef";
1051 FAIL_IF(spm_global_thread_ctx == NULL);
1056 if (memcmp(cd->
content, teststringparsed,
len) != 0) {
1057 SCLogDebug(
"expected %s got ", teststringparsed);
1064 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
1074 static int DetectContentParseTest07 (
void)
1078 const char *teststring =
"";
1082 FAIL_IF(spm_global_thread_ctx == NULL);
1097 static int DetectContentParseTest08 (
void)
1101 const char *teststring =
"";
1105 FAIL_IF(spm_global_thread_ctx == NULL);
1126 static int DetectContentLongPatternMatchTest(uint8_t *raw_eth_pkt, uint16_t pktsize,
const char *sig,
1140 memset(&th_v, 0,
sizeof(th_v));
1161 printf(
"relative next flag set on final match which is content: ");
1166 SCLogDebug(
"---DetectContentLongPatternMatchTest---");
1183 if (det_ctx != NULL)
1197 static int DetectContentLongPatternMatchTestWrp(
const char *sig, uint32_t sid)
1204 uint8_t raw_eth_pkt[] = {
1205 0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,
1206 0x00,0x00,0x00,0x00,0x08,0x00,0x45,0x00,
1207 0x00,0x85,0x00,0x01,0x00,0x00,0x40,0x06,
1208 0x7c,0x70,0x7f,0x00,0x00,0x01,0x7f,0x00,
1209 0x00,0x01,0x00,0x14,0x00,0x50,0x00,0x00,
1210 0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x02,
1211 0x20,0x00,0xc9,0xad,0x00,0x00,0x48,0x69,
1212 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
1213 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
1214 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
1215 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
1216 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
1217 0x74,0x63,0x68,0x65,0x73,0x20,0x6f,0x66,
1218 0x20,0x73,0x70,0x6c,0x69,0x74,0x74,0x65,
1219 0x64,0x20,0x70,0x61,0x74,0x74,0x65,0x72,
1220 0x6e,0x73,0x20,0x62,0x65,0x74,0x77,0x65,
1221 0x65,0x6e,0x20,0x6d,0x75,0x6c,0x74,0x69,
1222 0x70,0x6c,0x65,0x20,0x63,0x68,0x75,0x6e,
1225 return DetectContentLongPatternMatchTest(raw_eth_pkt, (uint16_t)
sizeof(raw_eth_pkt),
1232 static int DetectContentLongPatternMatchTest01(
void)
1234 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";"
1235 " content:\"Hi, this is a big test\"; sid:1;)";
1236 return DetectContentLongPatternMatchTestWrp(sig, 1);
1242 static int DetectContentLongPatternMatchTest02(
void)
1244 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";"
1245 " content:\"Hi, this is a big test to check content matches of"
1246 " splitted patterns between multiple chunks!\"; sid:1;)";
1247 return DetectContentLongPatternMatchTestWrp(sig, 1);
1254 static int DetectContentLongPatternMatchTest03(
void)
1257 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";"
1258 " content:\"Hi, this is a big test to check content matches of"
1259 " splitted patterns between multiple splitted chunks!\"; sid:1;)";
1260 return (DetectContentLongPatternMatchTestWrp(sig, 1) == 0) ? 1: 0;
1266 static int DetectContentLongPatternMatchTest04(
void)
1268 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1269 " content:\"Hi, this is\"; depth:15 ;content:\"a big test\"; "
1270 " within:15; content:\"to check content matches of\"; "
1271 " within:30; content:\"splitted patterns\"; distance:1; "
1274 return DetectContentLongPatternMatchTestWrp(sig, 1);
1282 static int DetectContentLongPatternMatchTest05(
void)
1284 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1285 " content:\"Hi, this is a big\"; depth:17; "
1286 " isdataat:30, relative; "
1287 " content:\"test\"; within: 5; distance:1; "
1288 " isdataat:15, relative; "
1289 " content:\"of splitted\"; within:37; distance:15; "
1290 " isdataat:20,relative; "
1291 " content:\"patterns\"; within:9; distance:1; "
1292 " isdataat:10, relative; "
1294 return DetectContentLongPatternMatchTestWrp(sig, 1);
1302 static int DetectContentLongPatternMatchTest06(
void)
1304 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1305 " content:\"Hi, this is a big test to check cont\"; depth:36;"
1306 " content:\"ent matches\"; within:11; distance:0; "
1307 " content:\"of splitted patterns between multiple\"; "
1308 " within:38; distance:1; "
1309 " content:\"chunks!\"; within: 8; distance:1; "
1311 return DetectContentLongPatternMatchTestWrp(sig, 1);
1318 static int DetectContentLongPatternMatchTest07(
void)
1320 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1321 " content:\"chunks!\"; "
1322 " content:\"content matches\"; offset:32; depth:47; "
1323 " content:\"of splitted patterns between multiple\"; "
1324 " content:\"Hi, this is a big\"; offset:0; depth:17; "
1326 return DetectContentLongPatternMatchTestWrp(sig, 1);
1333 static int DetectContentLongPatternMatchTest08(
void)
1335 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1336 " content:\"ent matches\"; "
1337 " content:\"of splitted patterns between multiple\"; "
1338 " within:38; distance:1; "
1339 " content:\"chunks!\"; within: 8; distance:1; "
1340 " content:\"Hi, this is a big test to check cont\"; depth:36;"
1342 return DetectContentLongPatternMatchTestWrp(sig, 1);
1349 static int DetectContentLongPatternMatchTest09(
void)
1351 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1352 " content:\"ent matches\"; "
1353 " content:\"of splitted patterns between multiple\"; "
1354 " offset:47; depth:85; "
1355 " content:\"chunks!\"; within: 8; distance:1; "
1356 " content:\"Hi, this is a big test to chec\"; depth:36;"
1357 " content:\"k cont\"; distance:0; within:6;"
1359 return DetectContentLongPatternMatchTestWrp(sig, 1);
1365 static int DetectContentLongPatternMatchTest10(
void)
1367 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1368 " content:\"Hi, this is a big test to check \"; "
1369 " content:\"con\"; "
1371 return DetectContentLongPatternMatchTestWrp(sig, 1);
1377 static int DetectContentLongPatternMatchTest11(
void)
1379 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1383 return DetectContentLongPatternMatchTestWrp(sig, 1);
1386 static int DetectContentParseTest09(
void)
1389 const char *teststring =
"boo";
1393 FAIL_IF(spm_global_thread_ctx == NULL);
1406 static int DetectContentParseTest17(
void)
1409 const char *sigstr =
"alert tcp any any -> any any (msg:\"Dummy\"; "
1410 "content:\"one\"; content:\"two\"; within:2; sid:1;)";
1432 static int DetectContentParseTest18(
void)
1446 result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[
DETECT_SM_LIST_PMATCH] != NULL);
1455 result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[
DETECT_SM_LIST_PMATCH] != NULL);
1468 static int DetectContentParseTest19(
void)
1481 "(msg:\"Testing dce iface, stub_data with content\"; "
1482 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1484 "content:\"one\"; distance:0; sid:1;)");
1486 printf (
"failed dce iface, stub_data with content ");
1491 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1495 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_CONTENT);
1510 "(msg:\"Testing dce iface, stub_data with contents & distance, within\"; "
1511 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1513 "content:\"one\"; distance:0; content:\"two\"; within:10; sid:1;)");
1514 if (s->
next == NULL) {
1515 printf(
"failed dce iface, stub_data with content & distance, within");
1520 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1524 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_CONTENT);
1537 result &= (data->
within == 10);
1612 "(msg:\"Testing dce iface, stub with contents, distance, within\"; "
1613 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1615 "content:\"one\"; distance:0; "
1616 "content:\"two\"; within:10; distance:2; sid:1;)");
1617 if (s->
next == NULL) {
1622 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1626 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_CONTENT);
1732 "(msg:\"Testing content\"; "
1733 "content:\"one\"; sid:1;)");
1734 if (s->
next == NULL) {
1735 printf (
"failed testing content");
1740 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
1757 static int DetectContentParseTest20(
void)
1768 "alert udp any any -> any any "
1769 "(msg:\"test\"; content:\"\"; sid:238012;)");
1786 static int DetectContentParseTest21(
void)
1797 "alert udp any any -> any any "
1798 "(msg:\"test\"; content:\"; sid:238012;)");
1815 static int DetectContentParseTest22(
void)
1826 "alert udp any any -> any any "
1827 "(msg:\"test\"; content:\"boo; sid:238012;)");
1844 static int DetectContentParseTest23(
void)
1855 "alert udp any any -> any any "
1856 "(msg:\"test\"; content:boo\"; sid:238012;)");
1873 static int DetectContentParseTest24(
void)
1886 "alert udp any any -> any any "
1887 "(msg:\"test\"; content: !\"boo\"; sid:238012;)");
1889 printf(
"de_ctx->sig_list == NULL: ");
1895 printf(
"de_ctx->pmatch_tail == NULL || de_ctx->pmatch_tail->ctx == NULL: ");
1914 static int DetectContentParseTest25(
void)
1925 "alert udp any any -> any any "
1926 "(msg:\"test\"; content:\"|\"; sid:1;)");
1943 static int DetectContentParseTest26(
void)
1954 "alert udp any any -> any any "
1955 "(msg:\"test\"; content:\"|af\"; sid:1;)");
1972 static int DetectContentParseTest27(
void)
1983 "alert udp any any -> any any "
1984 "(msg:\"test\"; content:\"af|\"; sid:1;)");
2001 static int DetectContentParseTest28(
void)
2012 "alert udp any any -> any any "
2013 "(msg:\"test\"; content:\"|af|\"; sid:1;)");
2030 static int DetectContentParseTest29(
void)
2041 "alert udp any any -> any any "
2042 "(msg:\"test\"; content:\"aast|\"; sid:1;)");
2059 static int DetectContentParseTest30(
void)
2070 "alert udp any any -> any any "
2071 "(msg:\"test\"; content:\"aast|af\"; sid:1;)");
2088 static int DetectContentParseTest31(
void)
2099 "alert udp any any -> any any "
2100 "(msg:\"test\"; content:\"aast|af|\"; sid:1;)");
2117 static int DetectContentParseTest32(
void)
2128 "alert udp any any -> any any "
2129 "(msg:\"test\"; content:\"|af|asdf\"; sid:1;)");
2146 static int DetectContentParseTest33(
void)
2157 "alert udp any any -> any any "
2158 "(msg:\"test\"; content:\"|af|af|\"; sid:1;)");
2175 static int DetectContentParseTest34(
void)
2186 "alert udp any any -> any any "
2187 "(msg:\"test\"; content:\"|af|af|af\"; sid:1;)");
2204 static int DetectContentParseTest35(
void)
2215 "alert udp any any -> any any "
2216 "(msg:\"test\"; content:\"|af|af|af|\"; sid:1;)");
2233 static int DetectContentParseTest36(
void)
2244 "alert tcp any any -> any any "
2245 "(msg:\"test\"; file_data; content:\"abc\"; sid:1;)");
2247 printf(
"sig parse failed: ");
2252 printf(
"content still in PMATCH list: ");
2257 printf(
"content not in FILEDATA list: ");
2273 static int DetectContentParseTest37(
void)
2284 "alert tcp any any -> any any "
2285 "(msg:\"test\"; file_data; content:\"abc\"; content:\"def\"; sid:1;)");
2287 printf(
"sig parse failed: ");
2292 printf(
"content still in PMATCH list: ");
2297 printf(
"content not in FILEDATA list: ");
2313 static int DetectContentParseTest38(
void)
2324 "alert tcp any any -> any any "
2325 "(msg:\"test\"; file_data; content:\"abc\"; content:\"def\"; within:8; sid:1;)");
2327 printf(
"sig parse failed: ");
2332 printf(
"content still in PMATCH list: ");
2337 printf(
"content not in FILEDATA list: ");
2350 static int SigTestPositiveTestContent(
const char *rule, uint8_t *buf)
2352 uint16_t buflen = strlen((
char *)buf);
2356 memset(&th_v, 0,
sizeof(th_v));
2385 static int DetectContentParseTest39(
void)
2396 "alert tcp any any -> any any "
2397 "(msg:\"test\"; file_data; content:\"abc\"; within:8; sid:1;)");
2399 printf(
"sig parse failed: ");
2404 printf(
"content still in PMATCH list: ");
2409 printf(
"content not in FILEDATA list: ");
2425 static int DetectContentParseTest40(
void)
2436 "alert tcp any any -> any any "
2437 "(msg:\"test\"; file_data; content:\"abc\"; distance:3; sid:1;)");
2439 printf(
"sig parse failed: ");
2444 printf(
"content still in PMATCH list: ");
2449 printf(
"content not in FILEDATA list: ");
2462 static int DetectContentParseTest41(
void)
2467 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2471 for (
int i = 0; i < patlen; idx++, i++) {
2472 teststring[idx] =
'a';
2474 teststring[idx++] =
'\0';
2478 FAIL_IF(spm_global_thread_ctx == NULL);
2495 static int DetectContentParseTest42(
void)
2500 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2504 for (
int i = 0; i < patlen; idx++, i++) {
2505 teststring[idx] =
'a';
2507 teststring[idx++] =
'\0';
2511 FAIL_IF(spm_global_thread_ctx == NULL);
2525 static int DetectContentParseTest43(
void)
2530 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2534 teststring[idx++] =
'|';
2535 teststring[idx++] =
'4';
2536 teststring[idx++] =
'6';
2537 teststring[idx++] =
'|';
2538 for (
int i = 0; i < (patlen - 4); idx++, i++) {
2539 teststring[idx] =
'a';
2541 teststring[idx++] =
'\0';
2545 FAIL_IF(spm_global_thread_ctx == NULL);
2562 static int DetectContentParseTest44(
void)
2567 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2571 teststring[idx++] =
'|';
2572 teststring[idx++] =
'4';
2573 teststring[idx++] =
'6';
2574 teststring[idx++] =
'|';
2575 for (
int i = 0; i < (patlen - 4); idx++, i++) {
2576 teststring[idx] =
'a';
2578 teststring[idx++] =
'\0';
2582 FAIL_IF(spm_global_thread_ctx == NULL);
2599 static int DetectContentParseTest45(
void)
2608 "alert tcp any any -> any any "
2609 "(msg:\"test\"; content:\"|ff|\" content:\"TEST\"; sid:1;)");
2617 static int SigTestNegativeTestContent(
const char *rule, uint8_t *buf)
2619 uint16_t buflen = strlen((
char *)buf);
2624 memset(&th_v, 0,
sizeof(th_v));
2649 if (det_ctx != NULL) {
2665 static int SigTest41TestNegatedContent(
void)
2667 return SigTestPositiveTestContent(
"alert tcp any any -> any any "
2668 "(msg:\"HTTP URI cap\"; content:!\"GES\"; sid:1;)",
2670 (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\n"
2671 "GET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
/* Match test (excerpt) for a plain GET content with flow:to_server.
 * NOTE(review): the result of SigTestPositiveTestContent() is cast to void,
 * so a non-match is not reported by this call. The return statement of the
 * test is not shown in this excerpt -- confirm the test still asserts
 * something. */
2679 static int SigTest41aTestNegatedContent(
void)
2681 (void)SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET\"; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2690 static int SigTest42TestNegatedContent(
void)
2692 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"twentythree\"; depth:22; offset:35; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2702 static int SigTest43TestNegatedContent(
void)
2704 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:!\"twentythree\"; depth:34; offset:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2712 static int SigTest44TestNegatedContent(
void)
2714 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"twentythree\"; offset:40; depth:35; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2721 static int SigTest45TestNegatedContent(
void)
2723 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:5; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2730 static int SigTest46TestNegatedContent(
void)
2732 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"onee\"; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2740 static int SigTest47TestNegatedContent(
void)
2742 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; offset:5; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2749 static int SigTest48TestNegatedContent(
void)
2751 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; within:26; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2758 static int SigTest49TestNegatedContent(
void)
2760 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"Host\"; within:26; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2767 static int SigTest50TestNegatedContent(
void)
2769 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; distance:25; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2779 static int SigTest51TestNegatedContent(
void)
2781 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"GET\"; content:!\"Host\"; distance:17; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2788 static int SigTest52TestNegatedContent(
void)
2790 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GES\"; content:!\"BOO\"; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2797 static int SigTest53TestNegatedContent(
void)
2799 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2806 static int SigTest54TestNegatedContent(
void)
2808 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:20; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2815 static int SigTest55TestNegatedContent(
void)
2817 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"one\"; depth:5; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2824 static int SigTest56TestNegatedContent(
void)
2826 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2833 static int SigTest57TestNegatedContent(
void)
2835 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2842 static int SigTest58TestNegatedContent(
void)
2844 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; distance:57; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2851 static int SigTest59TestNegatedContent(
void)
2853 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; distance:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2856 static int SigTest60TestNegatedContent(
void)
2858 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"one\"; content:\"fourty\"; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2861 static int SigTest61TestNegatedContent(
void)
2863 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2873 static int SigTest62TestNegatedContent(
void)
2875 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:49; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2878 static int SigTest63TestNegatedContent(
void)
2880 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:10; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2883 static int SigTest64TestNegatedContent(
void)
2885 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2895 static int SigTest65TestNegatedContent(
void)
2897 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; distance:0; within:49; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2900 static int SigTest66TestNegatedContent(
void)
2902 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2905 static int SigTest67TestNegatedContent(
void)
2907 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"four\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2910 static int SigTest68TestNegatedContent(
void)
2912 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:28; content:\"fiftysix\"; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2915 static int SigTest69TestNegatedContent(
void)
2917 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:48; content:\"fiftysix\"; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2920 static int SigTest70TestNegatedContent(
void)
2922 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:52; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2926 static int SigTest71TestNegatedContent(
void)
2928 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:40; distance:43; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2931 static int SigTest72TestNegatedContent(
void)
2933 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:49; distance:43; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2936 static int SigTest73TestNegatedContent(
void)
2938 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:5; content:!\"twentythree\"; depth:35; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2941 static int SigTest74TestNegatedContent(
void)
2943 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; sid:1;)", (uint8_t *)
"USER apple");
2946 static int SigTest75TestNegatedContent(
void)
2948 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)
"USER !PASS");
/**
 * \test Regression test named after bug 134: a content pattern made of the
 *       literal characters "${IFS}", matched with depth:50 and offset:0.
 *
 * "${IFS}" is the shell's field-separator expansion. It appears in traffic
 * when a command string avoids literal spaces, so a signature has to treat
 * '$', '{' and '}' as plain bytes.
 *
 * NOTE(review): this listing shows only part of the body (the source line
 * numbers jump), so packet/flow setup and the final assertions are not
 * visible here.
 */
2951 static int SigTest76TestBug134(
void)
/* 29-byte payload; "${IFS}" sits at bytes 12-17. */
2953 uint8_t *buf = (uint8_t *)
"test detect ${IFS} in traffic";
/* strlen() yields size_t; narrowing to uint16_t is harmless for this short literal. */
2954 uint16_t buflen = strlen((
char *)buf);
/* Zero the Flow object before use (its declaration is outside the visible lines). */
2959 memset(&f, 0,
sizeof(
Flow));
/* Rule targets TCP port 515, to_server on an established flow; depth:50
 * is larger than the 29-byte payload. */
2968 char sig[] =
"alert tcp any any -> any 515 "
2969 "(msg:\"detect IFS\"; flow:to_server,established; content:\"${IFS}\";"
2970 " depth:50; offset:0; sid:900091; rev:1;)";
/**
 * \test Regression test named after bug 139: a two-byte binary pattern
 *       (|00 00|) searched with both offset:13 and depth:5 in a UDP
 *       payload addressed to port 53.
 *
 * In the bytes shown below, the zero bytes occupy indices 13-17, assuming
 * the two visible rows are the whole array (the declaration line is not
 * part of this listing). The pattern therefore starts exactly at the
 * offset, which makes this a check of how offset and depth combine.
 *
 * NOTE(review): the rest of the body, and the tail of the rule string, are
 * not visible in this listing.
 */
2985 static int SigTest77TestBug139(
void)
2988 0x12, 0x23, 0x34, 0x35, 0x52, 0x52, 0x24, 0x42, 0x22, 0x24,
2989 0x52, 0x24, 0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x34 };
/* sizeof on the array gives its byte count; it fits easily in uint16_t. */
2990 uint16_t buflen =
sizeof(buf);
2995 char sig[] =
"alert udp any any -> any 53 (msg:\"dns testing\";"
2996 " content:\"|00 00|\"; depth:5; offset:13; sid:9436601;"
/**
 * Shared driver for the DetectLongContentTest* cases: hands one fixed
 * 739-byte packet and the caller's rule to
 * DetectContentLongPatternMatchTest().
 *
 * \param sig rule text to load
 * \param sid signature id (presumably the one expected to alert; the
 *            argument list of the final call is cut off in this listing)
 *
 * \retval result of DetectContentLongPatternMatchTest(), defined elsewhere.
 *
 * Packet layout, decoded from the bytes below:
 *  - bytes 0-13: Ethernet header, addresses zeroed, EtherType 0x0800 (IPv4)
 *  - IPv4: total length 0x02d5 (725 = 739 - 14), protocol 6 (TCP),
 *    10.16.1.11 -> 10.16.1.10
 *  - TCP: source port 0xdb36, destination port 0x0050 (80), 32-byte header
 *  - payload: "POST / HTTP/1.1" with User-Agent "curl/7.37.0",
 *    Content-Length 528 and an x-www-form-urlencoded body of eight 'X'
 *    (0x58), then 512 'A' (0x41), then 'X' again. Five trailing 'X' are
 *    visible; the last rows of the array are not part of this listing.
 *
 * The 512-byte run of 'A' is what the callers' long content patterns are
 * matched against.
 */
3010 static int DetectLongContentTestCommon(
const char *sig, uint32_t sid)
3013 static uint8_t pkt[739] = {
3014 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3015 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x45, 0x00,
3016 0x02, 0xd5, 0x4a, 0x18, 0x40, 0x00, 0x40, 0x06,
3017 0xd7, 0xd6, 0x0a, 0x10, 0x01, 0x0b, 0x0a, 0x10,
3018 0x01, 0x0a, 0xdb, 0x36, 0x00, 0x50, 0xca, 0xc5,
3019 0xcc, 0xd1, 0x95, 0x77, 0x0f, 0x7d, 0x80, 0x18,
3020 0x00, 0xe5, 0x77, 0x9d, 0x00, 0x00, 0x01, 0x01,
3021 0x08, 0x0a, 0x1d, 0xe0, 0x86, 0xc6, 0xfc, 0x73,
3022 0x49, 0xf3, 0x50, 0x4f, 0x53, 0x54, 0x20, 0x2f,
3023 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e,
3024 0x31, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
3025 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x63,
3026 0x75, 0x72, 0x6c, 0x2f, 0x37, 0x2e, 0x33, 0x37,
3027 0x2e, 0x30, 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74,
3028 0x3a, 0x20, 0x31, 0x30, 0x2e, 0x31, 0x36, 0x2e,
3029 0x31, 0x2e, 0x31, 0x30, 0x0d, 0x0a, 0x41, 0x63,
3030 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f,
3031 0x2a, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65,
3032 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74,
3033 0x68, 0x3a, 0x20, 0x35, 0x32, 0x38, 0x0d, 0x0a,
3034 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d,
3035 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x61, 0x70,
3036 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
3037 0x6e, 0x2f, 0x78, 0x2d, 0x77, 0x77, 0x77, 0x2d,
3038 0x66, 0x6f, 0x72, 0x6d, 0x2d, 0x75, 0x72, 0x6c,
3039 0x65, 0x6e, 0x63, 0x6f, 0x64, 0x65, 0x64, 0x0d,
3040 0x0a, 0x0d, 0x0a, 0x58, 0x58, 0x58, 0x58, 0x58,
3041 0x58, 0x58, 0x58, 0x41, 0x41, 0x41, 0x41, 0x41,
3042 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3043 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3044 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3045 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3046 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3047 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3048 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3049 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3050 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3051 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3052 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3053 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3054 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3055 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3056 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3057 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3058 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3059 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3060 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3061 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3062 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3063 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3064 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3065 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3066 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3067 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3068 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3069 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3070 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3071 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3072 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3073 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3074 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3075 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3076 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3077 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3078 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3079 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3080 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3081 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3082 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3083 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3084 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3085 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3086 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3087 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3088 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3089 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3090 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3091 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3092 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3093 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3094 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3095 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3096 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3097 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3098 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3099 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3100 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3101 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3102 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3103 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3104 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3105 0x41, 0x41, 0x41, 0x58, 0x58, 0x58, 0x58, 0x58,
/* sizeof(pkt) is 739, so the uint16_t cast below cannot truncate. */
3109 return DetectContentLongPatternMatchTest(pkt, (uint16_t)
sizeof(pkt), sig,
3113 static int DetectLongContentTest1(
void)
3116 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
3118 return DetectLongContentTestCommon(sig, 1);
3121 static int DetectLongContentTest2(
void)
3124 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
3126 return DetectLongContentTestCommon(sig, 1);
3129 static int DetectLongContentTest3(
void)
3132 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
3134 return !DetectLongContentTestCommon(sig, 1);
/**
 * \test Rules whose |...| hex section is malformed.
 *
 * Each rule below carries a binary content section that cannot be decoded
 * into whole bytes. By the test's name, and the parser's "Incomplete hex
 * code" / odd-digit-count checks earlier in this file, these are
 * presumably expected to be rejected at load time. A rule that loaded with
 * a silently truncated pattern would match something other than what its
 * author wrote.
 *
 * NOTE(review): the engine setup, the call that wraps each rule string and
 * the teardown are not visible in this listing.
 */
3137 static int DetectBadBinContent(
void)
/* One hex digit: half a byte. */
3144 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|a|\"; sid:1;)"));
/* Three hex digits: one full byte plus a dangling nibble. */
3146 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|aa b|\"; sid:1;)"));
/* 'z' is not a hex digit. */
3148 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|aa bz|\"; sid:1;)"));
/* Five hex digits; the lone '2' in the middle cannot form a byte. */
3151 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|22 2 22|\"; sid:1;)"));
3159 static void DetectContentRegisterTests(
void)
3164 UtRegisterTest(
"DetectContentDepthTest01", DetectContentDepthTest01);
3166 UtRegisterTest(
"DetectContentParseTest01", DetectContentParseTest01);
3167 UtRegisterTest(
"DetectContentParseTest02", DetectContentParseTest02);
3168 UtRegisterTest(
"DetectContentParseTest03", DetectContentParseTest03);
3169 UtRegisterTest(
"DetectContentParseTest04", DetectContentParseTest04);
3170 UtRegisterTest(
"DetectContentParseTest05", DetectContentParseTest05);
3171 UtRegisterTest(
"DetectContentParseTest06", DetectContentParseTest06);
3172 UtRegisterTest(
"DetectContentParseTest07", DetectContentParseTest07);
3173 UtRegisterTest(
"DetectContentParseTest08", DetectContentParseTest08);
3174 UtRegisterTest(
"DetectContentParseTest09", DetectContentParseTest09);
3175 UtRegisterTest(
"DetectContentParseTest17", DetectContentParseTest17);
3176 UtRegisterTest(
"DetectContentParseTest18", DetectContentParseTest18);
3177 UtRegisterTest(
"DetectContentParseTest19", DetectContentParseTest19);
3178 UtRegisterTest(
"DetectContentParseTest20", DetectContentParseTest20);
3179 UtRegisterTest(
"DetectContentParseTest21", DetectContentParseTest21);
3180 UtRegisterTest(
"DetectContentParseTest22", DetectContentParseTest22);
3181 UtRegisterTest(
"DetectContentParseTest23", DetectContentParseTest23);
3182 UtRegisterTest(
"DetectContentParseTest24", DetectContentParseTest24);
3183 UtRegisterTest(
"DetectContentParseTest25", DetectContentParseTest25);
3184 UtRegisterTest(
"DetectContentParseTest26", DetectContentParseTest26);
3185 UtRegisterTest(
"DetectContentParseTest27", DetectContentParseTest27);
3186 UtRegisterTest(
"DetectContentParseTest28", DetectContentParseTest28);
3187 UtRegisterTest(
"DetectContentParseTest29", DetectContentParseTest29);
3188 UtRegisterTest(
"DetectContentParseTest30", DetectContentParseTest30);
3189 UtRegisterTest(
"DetectContentParseTest31", DetectContentParseTest31);
3190 UtRegisterTest(
"DetectContentParseTest32", DetectContentParseTest32);
3191 UtRegisterTest(
"DetectContentParseTest33", DetectContentParseTest33);
3192 UtRegisterTest(
"DetectContentParseTest34", DetectContentParseTest34);
3193 UtRegisterTest(
"DetectContentParseTest35", DetectContentParseTest35);
3194 UtRegisterTest(
"DetectContentParseTest36", DetectContentParseTest36);
3195 UtRegisterTest(
"DetectContentParseTest37", DetectContentParseTest37);
3196 UtRegisterTest(
"DetectContentParseTest38", DetectContentParseTest38);
3197 UtRegisterTest(
"DetectContentParseTest39", DetectContentParseTest39);
3198 UtRegisterTest(
"DetectContentParseTest40", DetectContentParseTest40);
3199 UtRegisterTest(
"DetectContentParseTest41", DetectContentParseTest41);
3200 UtRegisterTest(
"DetectContentParseTest42", DetectContentParseTest42);
3201 UtRegisterTest(
"DetectContentParseTest43", DetectContentParseTest43);
3202 UtRegisterTest(
"DetectContentParseTest44", DetectContentParseTest44);
3203 UtRegisterTest(
"DetectContentParseTest45", DetectContentParseTest45);
3207 DetectContentLongPatternMatchTest01);
3209 DetectContentLongPatternMatchTest02);
3211 DetectContentLongPatternMatchTest03);
3213 DetectContentLongPatternMatchTest04);
3215 DetectContentLongPatternMatchTest05);
3217 DetectContentLongPatternMatchTest06);
3219 DetectContentLongPatternMatchTest07);
3221 DetectContentLongPatternMatchTest08);
3223 DetectContentLongPatternMatchTest09);
3225 DetectContentLongPatternMatchTest10);
3227 DetectContentLongPatternMatchTest11);
3230 UtRegisterTest(
"SigTest41TestNegatedContent", SigTest41TestNegatedContent);
3232 SigTest41aTestNegatedContent);
3233 UtRegisterTest(
"SigTest42TestNegatedContent", SigTest42TestNegatedContent);
3234 UtRegisterTest(
"SigTest43TestNegatedContent", SigTest43TestNegatedContent);
3235 UtRegisterTest(
"SigTest44TestNegatedContent", SigTest44TestNegatedContent);
3236 UtRegisterTest(
"SigTest45TestNegatedContent", SigTest45TestNegatedContent);
3237 UtRegisterTest(
"SigTest46TestNegatedContent", SigTest46TestNegatedContent);
3238 UtRegisterTest(
"SigTest47TestNegatedContent", SigTest47TestNegatedContent);
3239 UtRegisterTest(
"SigTest48TestNegatedContent", SigTest48TestNegatedContent);
3240 UtRegisterTest(
"SigTest49TestNegatedContent", SigTest49TestNegatedContent);
3241 UtRegisterTest(
"SigTest50TestNegatedContent", SigTest50TestNegatedContent);
3242 UtRegisterTest(
"SigTest51TestNegatedContent", SigTest51TestNegatedContent);
3243 UtRegisterTest(
"SigTest52TestNegatedContent", SigTest52TestNegatedContent);
3244 UtRegisterTest(
"SigTest53TestNegatedContent", SigTest53TestNegatedContent);
3245 UtRegisterTest(
"SigTest54TestNegatedContent", SigTest54TestNegatedContent);
3246 UtRegisterTest(
"SigTest55TestNegatedContent", SigTest55TestNegatedContent);
3247 UtRegisterTest(
"SigTest56TestNegatedContent", SigTest56TestNegatedContent);
3248 UtRegisterTest(
"SigTest57TestNegatedContent", SigTest57TestNegatedContent);
3249 UtRegisterTest(
"SigTest58TestNegatedContent", SigTest58TestNegatedContent);
3250 UtRegisterTest(
"SigTest59TestNegatedContent", SigTest59TestNegatedContent);
3251 UtRegisterTest(
"SigTest60TestNegatedContent", SigTest60TestNegatedContent);
3252 UtRegisterTest(
"SigTest61TestNegatedContent", SigTest61TestNegatedContent);
3253 UtRegisterTest(
"SigTest62TestNegatedContent", SigTest62TestNegatedContent);
3254 UtRegisterTest(
"SigTest63TestNegatedContent", SigTest63TestNegatedContent);
3255 UtRegisterTest(
"SigTest64TestNegatedContent", SigTest64TestNegatedContent);
3256 UtRegisterTest(
"SigTest65TestNegatedContent", SigTest65TestNegatedContent);
3257 UtRegisterTest(
"SigTest66TestNegatedContent", SigTest66TestNegatedContent);
3258 UtRegisterTest(
"SigTest67TestNegatedContent", SigTest67TestNegatedContent);
3259 UtRegisterTest(
"SigTest68TestNegatedContent", SigTest68TestNegatedContent);
3260 UtRegisterTest(
"SigTest69TestNegatedContent", SigTest69TestNegatedContent);
3261 UtRegisterTest(
"SigTest70TestNegatedContent", SigTest70TestNegatedContent);
3262 UtRegisterTest(
"SigTest71TestNegatedContent", SigTest71TestNegatedContent);
3263 UtRegisterTest(
"SigTest72TestNegatedContent", SigTest72TestNegatedContent);
3264 UtRegisterTest(
"SigTest73TestNegatedContent", SigTest73TestNegatedContent);
3265 UtRegisterTest(
"SigTest74TestNegatedContent", SigTest74TestNegatedContent);
3266 UtRegisterTest(
"SigTest75TestNegatedContent", SigTest75TestNegatedContent);
3271 UtRegisterTest(
"DetectLongContentTest1", DetectLongContentTest1);
3272 UtRegisterTest(
"DetectLongContentTest2", DetectLongContentTest2);
3273 UtRegisterTest(
"DetectLongContentTest3", DetectLongContentTest3);