55 static void DetectContentRegisterTests(
void);
85 uint8_t **pstr, uint16_t *plen)
90 slen = strlen(contentstr);
94 uint8_t buffer[slen + 1];
95 strlcpy((
char *)&buffer, contentstr, slen + 1);
107 uint8_t binstr[3] =
"";
109 uint16_t bin_count = 0;
111 for (i = 0, x = 0; i < slen; i++) {
117 SCLogError(
"Incomplete hex code in content - %s. Invalidating signature.",
125 }
else if(!escape &&
str[i] ==
'\\') {
129 if (isdigit((
unsigned char)
str[i]) ||
130 str[i] ==
'A' ||
str[i] ==
'a' ||
131 str[i] ==
'B' ||
str[i] ==
'b' ||
132 str[i] ==
'C' ||
str[i] ==
'c' ||
133 str[i] ==
'D' ||
str[i] ==
'd' ||
134 str[i] ==
'E' ||
str[i] ==
'e' ||
135 str[i] ==
'F' ||
str[i] ==
'f')
139 binstr[binpos] = (char)
str[i];
143 uint8_t c = strtol((
char *)binstr, (
char **) NULL, 16) & 0xFF;
149 }
else if (
str[i] ==
' ') {
152 else if (
str[i] !=
',') {
154 "content - %s, hex %c. Invalidating signature.",
172 }
else if (
str[i] ==
'"') {
173 SCLogError(
"Invalid unescaped double quote within content section.");
182 if (bin_count % 2 != 0) {
184 "%s - %s. Invalidating signature.",
185 keyword, contentstr);
199 memcpy(ptr,
str, slen);
201 *plen = (uint16_t)slen;
213 const char *contentstr)
216 uint8_t *content = NULL;
237 spm_global_thread_ctx);
255 const char *contentstr)
267 SCLogDebug(
"DetectContentData \"cd\" is NULL");
271 if (tmpstr != NULL) {
300 if (tmprstr != NULL) {
352 SCLogError(
"content string \"%s\" incompatible with %s transform", contentstr, tstr);
412 int max_offset = 0, total_len = 0;
414 for (; sm != NULL; sm = sm->
next) {
420 SCLogDebug(
"content_len %d; negated: %s; distance: %d, offset: %d, depth: %d",
432 if (max_size < check) {
443 max_offset =
MAX(max_offset, cd->
offset);
462 if (max_right_edge_i < 0) {
466 uint32_t max_right_edge = (uint32_t)max_right_edge_i;
469 if (min_dsize_required >= 0) {
470 SCLogDebug(
"min_dsize %d; max_right_edge %d", min_dsize_required, max_right_edge);
471 if ((uint32_t)min_dsize_required > max_right_edge) {
472 SCLogError(
"signature can't match as required content length %d exceeds dsize value %d",
473 min_dsize_required, max_right_edge);
496 #define VALIDATE(e) \
501 uint16_t offset_plus_pat = 0;
503 bool has_active_depth_chain =
false;
505 bool has_depth =
false;
506 bool has_ends_with =
false;
507 uint16_t ends_with_depth = 0;
509 for (
SigMatch *sm = sm_head; sm != NULL; sm = sm->
next) {
518 has_active_depth_chain =
false;
521 if (sm->prev == NULL) {
546 has_active_depth_chain =
false;
552 has_active_depth_chain =
true;
555 SCLogDebug(
"sm %p depth %u offset %u distance %d within %d", sm, cd->
depth,
564 has_active_depth_chain =
false;
568 SCLogDebug(
"no distance, reset offset_plus_pat & offset");
569 offset_plus_pat =
offset = 0;
572 SCLogDebug(
"stored: offset %u depth %u offset_plus_pat %u "
573 "has_active_depth_chain %s",
574 offset, depth, offset_plus_pat, has_active_depth_chain ?
"true" :
"false");
582 if (abs(cd->
distance) > offset_plus_pat)
591 if (has_active_depth_chain) {
593 if (depth && depth > offset_plus_pat) {
598 "distance to add: %u. depth + dist %u", dist, depth + dist);
602 depth + cd->
within + dist <= UINT16_MAX);
603 depth = cd->
depth = (uint16_t)(depth + cd->
within + dist);
611 if (cd->
depth == 0 && depth != 0) {
616 offset_plus_pat + cd->
distance <= UINT16_MAX);
622 depth + cd->
within <= UINT16_MAX);
623 depth = cd->
depth = (uint16_t)(cd->
within + depth);
627 has_ends_with =
true;
628 if (ends_with_depth == 0)
629 ends_with_depth = depth;
630 ends_with_depth =
MIN(ends_with_depth, depth);
638 cd->
offset = offset_plus_pat;
667 has_ends_with =
true;
668 if (ends_with_depth == 0)
669 ends_with_depth = depth;
670 ends_with_depth =
MIN(ends_with_depth, depth);
674 has_active_depth_chain =
false;
685 SCLogDebug(
"non-anchored PCRE not supported, reset offset_plus_pat & offset");
686 offset_plus_pat =
offset = depth = 0;
688 has_active_depth_chain =
false;
692 SCLogDebug(
"keyword not supported, reset offset_plus_pat & offset");
693 offset_plus_pat =
offset = depth = 0;
694 has_active_depth_chain =
false;
699 if (has_depth && has_ends_with) {
700 for (
SigMatch *sm = sm_head; sm != NULL; sm = sm->
next) {
705 cd->
depth = ends_with_depth;
725 static inline bool NeedsAsHex(uint8_t c)
749 if (NeedsAsHex(cd->
content[i])) {
751 snprintf(hex_str,
sizeof(hex_str),
"%s%02X", !hex ?
"|" :
" ", cd->
content[i]);
756 snprintf(p_str,
sizeof(p_str),
"%s%c", hex ?
"|" :
"", cd->
content[i]);
769 SCLogError(
"can't use multiple nocase modifiers with the same content");
793 static bool TestLastContent(
const Signature *s, uint16_t o, uint16_t d)
809 if (d != cd->
depth) {
816 #define TEST_RUN(sig, o, d) \
818 SCLogDebug("TEST_RUN start: '%s'", (sig)); \
819 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
820 FAIL_IF_NULL(de_ctx); \
821 de_ctx->flags |= DE_QUIET; \
823 snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
824 Signature *s = DetectEngineAppendSig(de_ctx, rule); \
826 SigPrepareStage1(de_ctx); \
827 bool res = TestLastContent(s, (o), (d)); \
829 DetectEngineCtxFree(de_ctx); \
836 static int DetectContentDepthTest01(
void)
839 TEST_RUN(
"content:\"abc\"; offset:1; depth:3;", 1, 4);
841 TEST_RUN(
"dsize:10; content:\"abc\";", 0, 10);
842 TEST_RUN(
"dsize:<10; content:\"abc\";", 0, 10);
843 TEST_RUN(
"dsize:5<>10; content:\"abc\";", 0, 10);
846 TEST_RUN(
"content:\"abc\"; depth:3; content:\"xyz\"; distance:0; within:3; ", 3, 6);
848 TEST_RUN(
"content:\"abc\"; offset:3; depth:3; content:\"xyz\"; distance:0; within:3; ", 6, 9);
849 TEST_RUN(
"content:\"abc\"; depth:6; content:\"xyz\"; distance:0; within:3; ", 3, 9);
852 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; distance:0; within:3; content:\"xyz\"; distance:0; within:3; ", 6, 9);
854 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; content:\"xyz\"; distance:0; within:3; ", 3, 0);
856 TEST_RUN(
"content:\"abc\"; depth:3; pcre:/\"klm\"/; content:\"xyz\"; distance:0; within:3; ", 0, 0);
858 TEST_RUN(
"content:\"abc\"; depth:3; pcre:/\"klm\"/R; content:\"xyz\"; distance:0; within:3; ", 3, 0);
859 TEST_RUN(
"content:\"abc\"; offset:3; depth:3; pcre:/\"klm\"/R; content:\"xyz\"; distance:0; within:3; ", 6, 0);
861 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; within:3; content:\"xyz\"; within:3; ", 0, 9);
863 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; distance:0; content:\"xyz\"; distance:0; ", 6, 0);
866 TEST_RUN(
"content:\"abc\"; depth:6; isdataat:!1,relative; content:\"klm\";", 0, 6);
867 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; within:3; content:\"xyz\"; within:3; isdataat:!1,relative; content:\"def\"; ", 0, 9);
869 TEST_RUN(
"content:\"|03|\"; depth:1; content:\"|e0|\"; distance:4; within:1;", 5, 6);
870 TEST_RUN(
"content:\"|03|\"; depth:1; content:\"|e0|\"; distance:4; within:1; content:\"Cookie|3a|\"; distance:5; within:7;", 11, 18);
872 TEST_RUN(
"content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; content:\"string\"; within:8;", 0, 0);
874 TEST_RUN(
"dsize:<80; content:!\"|00 22 02 00|\"; depth: 4; content:\"|00 00 04|\"; distance:8; within:3; content:\"|00 00 00 00 00|\"; distance:6; within:5;", 17, 80);
875 TEST_RUN(
"content:!\"|00 22 02 00|\"; depth: 4; content:\"|00 00 04|\"; distance:8; within:3; content:\"|00 00 00 00 00|\"; distance:6; within:5;", 17, 0);
877 TEST_RUN(
"content:\"|0d 0a 0d 0a|\"; content:\"code=\"; distance:0;", 4, 0);
878 TEST_RUN(
"content:\"|0d 0a 0d 0a|\"; content:\"code=\"; distance:0; content:\"xploit.class\"; distance:2; within:18;", 11, 0);
880 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0;", 2, 0);
881 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0; content:\"|0d|LogMeIn, Inc.\"; distance:1; within:14;", 6, 0);
882 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0; content:\"|0d|LogMeIn, Inc.\"; distance:1; within:14; content:\".app\";", 0, 0);
884 TEST_RUN(
"content:\"=\"; offset:4; depth:9;", 4, 13);
887 TEST_RUN(
"content:\"=\"; offset:4; depth:9; content:\"=&\"; distance:55; within:2;", 60, 70);
890 TEST_RUN(
"content:\"0123456789\"; content:\"abcdef\"; distance:1048576;", 0, 0);
893 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2;", 11, 18);
894 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2; content:\"|05 "
895 "00 00|\"; distance:0;",
897 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2; content:\"|05 "
898 "00 00|\"; distance:0; content:\"|0c 00|\"; distance:19; within:2;",
900 TEST_RUN(
"content:\"SMB\"; depth:8; content:\"|09 00|\"; distance:8; within:2; content:\"|05 "
901 "00 00|\"; distance:0; content:\"|0c 00|\"; distance:19; within:2; content:\"|15 00 "
902 "00 00|\"; distance:20; within:4;",
913 static void DetectContentPrintAll(
SigMatch *sm)
925 for (; first_sm != NULL; first_sm = first_sm->
next) {
927 SCLogDebug(
"Printing SigMatch DETECT_CONTENT %d", ++i);
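/* File-scope buffer ids, both starting at 0. The listing had source line
 * numbers fused into these declarations; they are removed here.
 * NOTE(review): the names suggest these hold the file_data and
 * dce_stub_data buffer ids, assigned elsewhere - confirm against the code
 * that sets them. */
static int g_file_data_buffer_id = 0;
static int g_dce_stub_data_buffer_id = 0;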
941 static int DetectContentParseTest01 (
void)
945 const char *teststring =
"abc\\:def";
946 const char *teststringparsed =
"abc:def";
950 FAIL_IF(spm_global_thread_ctx == NULL);
954 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
955 SCLogDebug(
"expected %s got ", teststringparsed);
962 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
972 static int DetectContentParseTest02 (
void)
976 const char *teststring =
"abc\\;def";
977 const char *teststringparsed =
"abc;def";
981 FAIL_IF(spm_global_thread_ctx == NULL);
985 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
986 SCLogDebug(
"expected %s got ", teststringparsed);
993 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
1003 static int DetectContentParseTest03 (
void)
1007 const char *teststring =
"abc\\\"def";
1008 const char *teststringparsed =
"abc\"def";
1012 FAIL_IF(spm_global_thread_ctx == NULL);
1016 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
1017 SCLogDebug(
"expected %s got ", teststringparsed);
1024 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
1034 static int DetectContentParseTest04 (
void)
1038 const char *teststring =
"abc\\\\def";
1039 const char *teststringparsed =
"abc\\def";
1043 FAIL_IF(spm_global_thread_ctx == NULL);
1048 if (memcmp(cd->
content, teststringparsed,
len) != 0) {
1049 SCLogDebug(
"expected %s got ", teststringparsed);
1056 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
1066 static int DetectContentParseTest05 (
void)
1070 const char *teststring =
"abc\\def";
1074 FAIL_IF(spm_global_thread_ctx == NULL);
1091 static int DetectContentParseTest06 (
void)
1095 const char *teststring =
"a|42|c|44|e|46|";
1096 const char *teststringparsed =
"abcdef";
1100 FAIL_IF(spm_global_thread_ctx == NULL);
1105 if (memcmp(cd->
content, teststringparsed,
len) != 0) {
1106 SCLogDebug(
"expected %s got ", teststringparsed);
1113 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
1123 static int DetectContentParseTest07 (
void)
1127 const char *teststring =
"";
1131 FAIL_IF(spm_global_thread_ctx == NULL);
1146 static int DetectContentParseTest08 (
void)
1150 const char *teststring =
"";
1154 FAIL_IF(spm_global_thread_ctx == NULL);
1175 static int DetectContentLongPatternMatchTest(uint8_t *raw_eth_pkt, uint16_t pktsize,
const char *sig,
1185 memset(&th_v, 0,
sizeof(th_v));
1204 SCLogDebug(
"---DetectContentLongPatternMatchTest---");
1224 static int DetectContentLongPatternMatchTestWrp(
const char *sig, uint32_t sid)
1231 uint8_t raw_eth_pkt[] = {
1232 0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,
1233 0x00,0x00,0x00,0x00,0x08,0x00,0x45,0x00,
1234 0x00,0x85,0x00,0x01,0x00,0x00,0x40,0x06,
1235 0x7c,0x70,0x7f,0x00,0x00,0x01,0x7f,0x00,
1236 0x00,0x01,0x00,0x14,0x00,0x50,0x00,0x00,
1237 0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x02,
1238 0x20,0x00,0xc9,0xad,0x00,0x00,0x48,0x69,
1239 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
1240 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
1241 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
1242 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
1243 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
1244 0x74,0x63,0x68,0x65,0x73,0x20,0x6f,0x66,
1245 0x20,0x73,0x70,0x6c,0x69,0x74,0x74,0x65,
1246 0x64,0x20,0x70,0x61,0x74,0x74,0x65,0x72,
1247 0x6e,0x73,0x20,0x62,0x65,0x74,0x77,0x65,
1248 0x65,0x6e,0x20,0x6d,0x75,0x6c,0x74,0x69,
1249 0x70,0x6c,0x65,0x20,0x63,0x68,0x75,0x6e,
1252 return DetectContentLongPatternMatchTest(raw_eth_pkt, (uint16_t)
sizeof(raw_eth_pkt),
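/**
 * \test Single content pattern "Hi, this is a big test", run through
 *       DetectContentLongPatternMatchTestWrp with sid 1. The packet bytes
 *       visible in that wrapper start the payload with this exact text.
 *       (Listing line numbers removed and the body braces restored.)
 *
 * \retval the wrapper's result, returned unchanged.
 */
static int DetectContentLongPatternMatchTest01(void)
{
    const char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
                      " content:\"Hi, this is a big test\"; sid:1;)";

    return DetectContentLongPatternMatchTestWrp(sig, 1);
}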
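/**
 * \test One long content pattern that spans the test payload, run through
 *       DetectContentLongPatternMatchTestWrp with sid 1.
 *       NOTE(review): the wrapper's packet bytes are only partly visible
 *       in this listing (they end at "chun"); confirm the full payload
 *       ends in "chunks!" as this pattern requires.
 *       (Listing line numbers removed and the body braces restored.)
 *
 * \retval the wrapper's result, returned unchanged.
 */
static int DetectContentLongPatternMatchTest02(void)
{
    const char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
                      " content:\"Hi, this is a big test to check content matches of"
                      " splitted patterns between multiple chunks!\"; sid:1;)";

    return DetectContentLongPatternMatchTestWrp(sig, 1);
}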
1281 static int DetectContentLongPatternMatchTest03(
void)
1284 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";"
1285 " content:\"Hi, this is a big test to check content matches of"
1286 " splitted patterns between multiple splitted chunks!\"; sid:1;)";
1287 return (DetectContentLongPatternMatchTestWrp(sig, 1) == 0) ? 1: 0;
1293 static int DetectContentLongPatternMatchTest04(
void)
1295 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1296 " content:\"Hi, this is\"; depth:15 ;content:\"a big test\"; "
1297 " within:15; content:\"to check content matches of\"; "
1298 " within:30; content:\"splitted patterns\"; distance:1; "
1301 return DetectContentLongPatternMatchTestWrp(sig, 1);
1309 static int DetectContentLongPatternMatchTest05(
void)
1311 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1312 " content:\"Hi, this is a big\"; depth:17; "
1313 " isdataat:30, relative; "
1314 " content:\"test\"; within: 5; distance:1; "
1315 " isdataat:15, relative; "
1316 " content:\"of splitted\"; within:37; distance:15; "
1317 " isdataat:20,relative; "
1318 " content:\"patterns\"; within:9; distance:1; "
1319 " isdataat:10, relative; "
1321 return DetectContentLongPatternMatchTestWrp(sig, 1);
1329 static int DetectContentLongPatternMatchTest06(
void)
1331 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1332 " content:\"Hi, this is a big test to check cont\"; depth:36;"
1333 " content:\"ent matches\"; within:11; distance:0; "
1334 " content:\"of splitted patterns between multiple\"; "
1335 " within:38; distance:1; "
1336 " content:\"chunks!\"; within: 8; distance:1; "
1338 return DetectContentLongPatternMatchTestWrp(sig, 1);
1345 static int DetectContentLongPatternMatchTest07(
void)
1347 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1348 " content:\"chunks!\"; "
1349 " content:\"content matches\"; offset:32; depth:47; "
1350 " content:\"of splitted patterns between multiple\"; "
1351 " content:\"Hi, this is a big\"; offset:0; depth:17; "
1353 return DetectContentLongPatternMatchTestWrp(sig, 1);
1360 static int DetectContentLongPatternMatchTest08(
void)
1362 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1363 " content:\"ent matches\"; "
1364 " content:\"of splitted patterns between multiple\"; "
1365 " within:38; distance:1; "
1366 " content:\"chunks!\"; within: 8; distance:1; "
1367 " content:\"Hi, this is a big test to check cont\"; depth:36;"
1369 return DetectContentLongPatternMatchTestWrp(sig, 1);
1376 static int DetectContentLongPatternMatchTest09(
void)
1378 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1379 " content:\"ent matches\"; "
1380 " content:\"of splitted patterns between multiple\"; "
1381 " offset:47; depth:85; "
1382 " content:\"chunks!\"; within: 8; distance:1; "
1383 " content:\"Hi, this is a big test to chec\"; depth:36;"
1384 " content:\"k cont\"; distance:0; within:6;"
1386 return DetectContentLongPatternMatchTestWrp(sig, 1);
1392 static int DetectContentLongPatternMatchTest10(
void)
1394 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1395 " content:\"Hi, this is a big test to check \"; "
1396 " content:\"con\"; "
1398 return DetectContentLongPatternMatchTestWrp(sig, 1);
1404 static int DetectContentLongPatternMatchTest11(
void)
1406 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1410 return DetectContentLongPatternMatchTestWrp(sig, 1);
1413 static int DetectContentParseTest09(
void)
1416 const char *teststring =
"boo";
1420 FAIL_IF(spm_global_thread_ctx == NULL);
1433 static int DetectContentParseTest17(
void)
1436 const char *sigstr =
"alert tcp any any -> any any (msg:\"Dummy\"; "
1437 "content:\"one\"; content:\"two\"; within:2; sid:1;)";
1459 static int DetectContentParseTest18(
void)
1487 static int DetectContentParseTest19(
void)
1496 "(msg:\"Testing dce iface, stub_data with content\"; "
1497 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1499 "content:\"one\"; distance:0; sid:1;)");
1511 "alert tcp any any -> any any "
1512 "(msg:\"Testing dce iface, stub_data with contents & distance, within\"; "
1513 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1515 "content:\"one\"; distance:0; content:\"two\"; within:10; sid:2;)");
1530 "alert tcp any any -> any any "
1531 "(msg:\"Testing dce iface, stub with contents, distance, within\"; "
1532 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1534 "content:\"one\"; distance:0; "
1535 "content:\"two\"; within:10; distance:2; sid:3;)");
1550 "(msg:\"Testing content\"; "
1551 "content:\"one\"; sid:4;)");
1563 static int DetectContentParseTest20(
void)
1574 "alert udp any any -> any any "
1575 "(msg:\"test\"; content:\"\"; sid:238012;)");
1592 static int DetectContentParseTest21(
void)
1603 "alert udp any any -> any any "
1604 "(msg:\"test\"; content:\"; sid:238012;)");
1621 static int DetectContentParseTest22(
void)
1632 "alert udp any any -> any any "
1633 "(msg:\"test\"; content:\"boo; sid:238012;)");
1650 static int DetectContentParseTest23(
void)
1661 "alert udp any any -> any any "
1662 "(msg:\"test\"; content:boo\"; sid:238012;)");
1679 static int DetectContentParseTest24(
void)
1692 "alert udp any any -> any any "
1693 "(msg:\"test\"; content: !\"boo\"; sid:238012;)");
1695 printf(
"de_ctx->sig_list == NULL: ");
1702 printf(
"de_ctx->pmatch_tail == NULL || de_ctx->pmatch_tail->ctx == NULL: ");
1721 static int DetectContentParseTest25(
void)
1732 "alert udp any any -> any any "
1733 "(msg:\"test\"; content:\"|\"; sid:1;)");
1750 static int DetectContentParseTest26(
void)
1761 "alert udp any any -> any any "
1762 "(msg:\"test\"; content:\"|af\"; sid:1;)");
1779 static int DetectContentParseTest27(
void)
1790 "alert udp any any -> any any "
1791 "(msg:\"test\"; content:\"af|\"; sid:1;)");
1808 static int DetectContentParseTest28(
void)
1819 "alert udp any any -> any any "
1820 "(msg:\"test\"; content:\"|af|\"; sid:1;)");
1837 static int DetectContentParseTest29(
void)
1848 "alert udp any any -> any any "
1849 "(msg:\"test\"; content:\"aast|\"; sid:1;)");
1866 static int DetectContentParseTest30(
void)
1877 "alert udp any any -> any any "
1878 "(msg:\"test\"; content:\"aast|af\"; sid:1;)");
1895 static int DetectContentParseTest31(
void)
1906 "alert udp any any -> any any "
1907 "(msg:\"test\"; content:\"aast|af|\"; sid:1;)");
1924 static int DetectContentParseTest32(
void)
1935 "alert udp any any -> any any "
1936 "(msg:\"test\"; content:\"|af|asdf\"; sid:1;)");
1953 static int DetectContentParseTest33(
void)
1964 "alert udp any any -> any any "
1965 "(msg:\"test\"; content:\"|af|af|\"; sid:1;)");
1982 static int DetectContentParseTest34(
void)
1993 "alert udp any any -> any any "
1994 "(msg:\"test\"; content:\"|af|af|af\"; sid:1;)");
2011 static int DetectContentParseTest35(
void)
2022 "alert udp any any -> any any "
2023 "(msg:\"test\"; content:\"|af|af|af|\"; sid:1;)");
2037 static int SigTestPositiveTestContent(
const char *rule, uint8_t *buf)
2039 uint16_t buflen = strlen((
char *)buf);
2043 memset(&th_v, 0,
sizeof(th_v));
2069 static int DetectContentParseTest41(
void)
2074 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2078 for (
int i = 0; i < patlen; idx++, i++) {
2079 teststring[idx] =
'a';
2081 teststring[idx++] =
'\0';
2085 FAIL_IF(spm_global_thread_ctx == NULL);
2102 static int DetectContentParseTest42(
void)
2107 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2111 for (
int i = 0; i < patlen; idx++, i++) {
2112 teststring[idx] =
'a';
2114 teststring[idx++] =
'\0';
2118 FAIL_IF(spm_global_thread_ctx == NULL);
2132 static int DetectContentParseTest43(
void)
2137 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2141 teststring[idx++] =
'|';
2142 teststring[idx++] =
'4';
2143 teststring[idx++] =
'6';
2144 teststring[idx++] =
'|';
2145 for (
int i = 0; i < (patlen - 4); idx++, i++) {
2146 teststring[idx] =
'a';
2148 teststring[idx++] =
'\0';
2152 FAIL_IF(spm_global_thread_ctx == NULL);
2169 static int DetectContentParseTest44(
void)
2174 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2178 teststring[idx++] =
'|';
2179 teststring[idx++] =
'4';
2180 teststring[idx++] =
'6';
2181 teststring[idx++] =
'|';
2182 for (
int i = 0; i < (patlen - 4); idx++, i++) {
2183 teststring[idx] =
'a';
2185 teststring[idx++] =
'\0';
2189 FAIL_IF(spm_global_thread_ctx == NULL);
2206 static int DetectContentParseTest45(
void)
2215 "alert tcp any any -> any any "
2216 "(msg:\"test\"; content:\"|ff|\" content:\"TEST\"; sid:1;)");
2224 static int SigTestNegativeTestContent(
const char *rule, uint8_t *buf)
2226 uint16_t buflen = strlen((
char *)buf);
2231 memset(&th_v, 0,
sizeof(th_v));
2256 if (det_ctx != NULL) {
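/**
 * \test Lone negated content: "GES" never occurs in the two-request HTTP
 *       payload, so content:!"GES" is satisfied. Uses the positive helper
 *       (defined elsewhere in this file; by its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest41TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any "
            "(msg:\"HTTP URI cap\"; content:!\"GES\"; sid:1;)",
            (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\n"
                       "GET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}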
2286 static int SigTest41aTestNegatedContent(
void)
2288 (void)SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET\"; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
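/**
 * \test Negated content restricted by offset:35 and depth:22. The pattern
 *       "eeeeeeeeeee" sits at bytes 23-33 of the payload, before the
 *       inspected window begins, so the negation holds. Uses the positive
 *       helper (defined elsewhere; by its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest42TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:!\"eeeeeeeeeee\"; depth:22; offset:35; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh");
}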
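/**
 * \test Negated content with offset:23 and depth:34. The window starts at
 *       byte 23, exactly where "eeeeeeeeeee" begins, so the pattern is
 *       found and the negation fails. Uses the negative helper (defined
 *       elsewhere; by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest43TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:!\"eeeeeeeeeee\"; depth:34; offset:23; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh");
}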
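/**
 * \test Negated content with offset:40 and depth:35. The window begins
 *       after "eeeeeeeeeee" (bytes 23-33) and its depth reaches past the
 *       end of the 63-byte payload; the negation still holds. Uses the
 *       positive helper (defined elsewhere; by its name an alert is
 *       expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest44TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:!\"eeeeeeeeeee\"; offset:40; depth:35; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh");
}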
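/**
 * \test Positive content "aaa" (depth:5) followed by a negated content
 *       with depth:23. "eeeeeeeeeee" starts at byte 23, just outside the
 *       first 23 bytes, so the negation holds. Uses the positive helper
 *       (defined elsewhere; by its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest45TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:5; "
            "content:!\"eeeeeeeeeee\"; depth:23; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh");
}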
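/**
 * \test A satisfied negation must not rescue a failed positive match:
 *       "aaaE" is absent from the payload, so the rule should not fire
 *       even though "eeeeeeeeeee" lies outside depth:23. Uses the negative
 *       helper (defined elsewhere; by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest46TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaaE\"; "
            "content:!\"eeeeeeeeeee\"; depth:23; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh");
}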
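/**
 * \test Positive content pushed out of reach by offset:5. "aaa" occurs
 *       only at byte 0, so the positive part fails and the satisfied
 *       negation alone should not produce an alert. Uses the negative
 *       helper (defined elsewhere; by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest47TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; offset:5; "
            "content:!\"eeeeeeeeeee\"; depth:23; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh");
}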
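/**
 * \test "GET" followed by a negated "GES" with within:26. "GES" does not
 *       occur anywhere in the payload, so the negation holds. Uses the
 *       positive helper (defined elsewhere; by its name an alert is
 *       expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest48TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:\"GET\"; content:!\"GES\"; within:26; sid:1;)",
            (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ "
                       "HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}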
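/**
 * \test "GET" followed by a negated "Host" with within:26. "Host" starts
 *       at byte 21 of the payload, inside the 26 bytes that follow the
 *       first "GET", so the negation fails. Uses the negative helper
 *       (defined elsewhere; by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest49TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"GET\"; content:!\"Host\"; within:26; sid:1;)",
            (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ "
                       "HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}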
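/**
 * \test "GET" followed by a negated "GES" with distance:25. "GES" does
 *       not occur in the payload, so the negation holds wherever the
 *       relative search starts. Uses the positive helper (defined
 *       elsewhere; by its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest50TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:\"GET\"; content:!\"GES\"; distance:25; sid:1;)",
            (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ "
                       "HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}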
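/**
 * \test "GET" followed by a negated "Host" with distance:17. In this
 *       payload (no space before the first Host header) "Host" starts at
 *       byte 20, i.e. 17 bytes past the end of the first "GET", so the
 *       pattern is still reachable and the negation fails. Uses the
 *       negative helper (defined elsewhere; by its name no alert is
 *       expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest51TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"GET\"; content:!\"Host\"; distance:17; sid:1;)",
            (uint8_t *)"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}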
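/**
 * \test Failed positive content plus a satisfied negation: neither "GES"
 *       nor "BOO" occurs in the payload, and the missing positive match
 *       should keep the rule from firing. Uses the negative helper
 *       (defined elsewhere; by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest52TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"GES\"; content:!\"BOO\"; sid:1;)",
            (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ "
                       "HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
}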
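/**
 * \test "aaa" followed by a negated "Ggggg" with within:56. "Ggggg"
 *       starts at byte 46, well inside the 56 bytes after "aaa", so the
 *       negation fails. Uses the negative helper (defined elsewhere; by
 *       its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest53TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; content:!\"Ggggg\"; within:56; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}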
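/**
 * \test "aaa" followed by a negated "gggggg" with within:20. The g-run
 *       starts at byte 46, far beyond the 20 bytes after "aaa", so the
 *       negation holds. Uses the positive helper (defined elsewhere; by
 *       its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest54TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; "
            "content:!\"gggggg\"; within:20; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff ggggggggg hhhhhhhh");
}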
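/**
 * \test Lone negated content with depth:5. "aaa" is the first three bytes
 *       of the payload, inside the inspected depth, so the negation
 *       fails. Uses the negative helper (defined elsewhere; by its name
 *       no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest55TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:!\"aaa\"; depth:5; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff gggggggg hhhhhhhh");
}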
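/**
 * \test Control case without negation: "aaa" followed by "Ggggg" with
 *       within:56. "Ggggg" starts at byte 46, inside the window, so both
 *       contents match. Uses the positive helper (defined elsewhere; by
 *       its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest56TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; content:\"Ggggg\"; within:56; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Gggggggg hhhhhhhh");
}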
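/**
 * \test Negated counterpart of the plain "aaa" + "Ggggg" within:56 rule:
 *       "Ggggg" is present at byte 46 inside the window, so the negation
 *       fails. Uses the negative helper (defined elsewhere; by its name
 *       no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest57TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; content:!\"Ggggg\"; within:56; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}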
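/**
 * \test "aaa" followed by a negated "Ggggg" with distance:57. The search
 *       starts 57 bytes after "aaa", beyond byte 46 where "Ggggg" sits,
 *       so the negation holds. Uses the positive helper (defined
 *       elsewhere; by its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest58TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; "
            "content:!\"Ggggg\"; distance:57; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}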
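/**
 * \test "aaa" followed by a negated "Gggg" with distance:30. The search
 *       starts 30 bytes after "aaa", still before byte 46 where "Gggg"
 *       begins, so the pattern is found and the negation fails. Uses the
 *       negative helper (defined elsewhere; by its name no alert is
 *       expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest59TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; "
            "content:!\"Gggg\"; distance:30; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}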
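/**
 * \test Negated content listed first, then a positive content. "aaa" is
 *       present at the start of the payload, so the negation fails even
 *       though "Ggggg" matches. Uses the negative helper (defined
 *       elsewhere; by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest60TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:!\"aaa\"; content:\"Ggggg\"; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}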
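/**
 * \test "aaa" (depth:10) followed by a negated "Ggggg" with within:30.
 *       "Ggggg" starts at byte 46, outside the 30 bytes after "aaa", so
 *       the negation holds. Uses the positive helper (defined elsewhere;
 *       by its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest61TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
            "content:!\"Ggggg\"; within:30; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}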
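/**
 * \test Boundary case for a negated content with within:49. "Gggggg"
 *       occupies bytes 46-51 and the 49 bytes after "aaa" end at byte 51,
 *       so the pattern just fits the window and the negation fails. Uses
 *       the negative helper (defined elsewhere; by its name no alert is
 *       expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest62TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
            "content:!\"Gggggg\"; within:49; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}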
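/**
 * \test "aaa" (depth:10) followed by a negated "Gggggg" with within:56.
 *       The pattern at bytes 46-51 lies inside the window, so the
 *       negation fails. Uses the negative helper (defined elsewhere; by
 *       its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest63TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
            "content:!\"Gggggg\"; within:56; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}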
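/**
 * \test "aaa" (depth:10) followed by a negated "Gggggg" with within:30.
 *       The pattern starts at byte 46, outside the 30 bytes after "aaa",
 *       so the negation holds. Uses the positive helper (defined
 *       elsewhere; by its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest64TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
            "content:!\"Gggggg\"; within:30; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}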
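/**
 * \test Negated content with both distance:0 and within:49. As in the
 *       within:49 case without distance, "Gggggg" (bytes 46-51) just fits
 *       the window after "aaa", so the negation fails. Uses the negative
 *       helper (defined elsewhere; by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest65TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
            "content:!\"Gggggg\"; distance:0; within:49; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}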
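/**
 * \test "aaa" (depth:10) followed by a negated "Gggggg" with within:30;
 *       the pattern at byte 46 is outside the window, so the negation
 *       holds. The rule and payload are the same as in
 *       SigTest64TestNegatedContent. Uses the positive helper (defined
 *       elsewhere; by its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest66TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
            "content:!\"Gggggg\"; within:30; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}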
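/**
 * \test Negated content that occurs twice in the payload. "XXXX" appears
 *       at bytes 14 and 46, both inside the 56 bytes after "aaa", so the
 *       negation fails. Uses the negative helper (defined elsewhere; by
 *       its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest67TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; "
            "content:!\"XXXX\"; within:56; sid:1;)",
            (uint8_t *)"aaa bbbb cccc XXXXdddd eeeeeeeeeee ffffffffff XXXXggggg hhhhhhhh");
}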
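/**
 * \test Negated content in the middle of a four-content chain. "cccc"
 *       ends at byte 12 and "Gggggg" starts at byte 46, outside the 28
 *       bytes that follow, so the negation holds and the trailing
 *       "hhhhhhhh" still has to match. Uses the positive helper (defined
 *       elsewhere; by its name an alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest68TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; content:\"cccc\"; offset:8; "
            "content:!\"Gggggg\"; within:28; content:\"hhhhhhhh\"; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}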
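/**
 * \test Same four-content chain with the negated window widened to
 *       within:48. The 48 bytes after "cccc" now cover "Gggggg" at bytes
 *       46-51, so the negation fails. Uses the negative helper (defined
 *       elsewhere; by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest69TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:10; content:\"cccc\"; offset:8; "
            "content:!\"Gggggg\"; within:48; content:\"hhhhhhhh\"; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}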
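/**
 * \test "aaa" (no depth) followed by a negated "Gggggg" with within:52.
 *       The pattern at bytes 46-51 lies inside the window, so the
 *       negation fails. Uses the negative helper (defined elsewhere; by
 *       its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest70TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; "
            "content:!\"Gggggg\"; within:52; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}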
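/**
 * \test Negated content with distance:43 and within:40. Skipping 43 bytes
 *       after "aaa" lands on byte 46, exactly where "Gggggg" begins, so
 *       the pattern is found and the negation fails. Uses the negative
 *       helper (defined elsewhere; by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest71TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; "
            "content:!\"Gggggg\"; within:40; distance:43; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}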
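/**
 * \test Negated content with distance:43 and within:49. The relative
 *       window starts on "Gggggg" at byte 46 and its within value reaches
 *       past the end of the 64-byte payload; the pattern is still found,
 *       so the negation fails. Uses the negative helper (defined
 *       elsewhere; by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest72TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; "
            "content:!\"Gggggg\"; within:49; distance:43; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff Ggggggggg hhhhhhhh");
}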
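/**
 * \test "aaa" (depth:5) followed by a negated content with depth:35.
 *       "eeeeeeeeeee" occupies bytes 23-33, inside the first 35 bytes, so
 *       the negation fails. Uses the negative helper (defined elsewhere;
 *       by its name no alert is expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest73TestNegatedContent(void)
{
    return SigTestNegativeTestContent(
            "alert tcp any any -> any any (content:\"aaa\"; depth:5; "
            "content:!\"eeeeeeeeeee\"; depth:35; sid:1;)",
            (uint8_t *)"aaa bbbb cccc dddddddd eeeeeeeeeee ffffffffff ggggggggg hhhhhhhh");
}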
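/**
 * \test "USER" present and "PASS" absent: the payload "USER apple"
 *       satisfies both the positive and the negated content. Uses the
 *       positive helper (defined elsewhere; by its name an alert is
 *       expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest74TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; sid:1;)",
            (uint8_t *)"USER apple");
}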
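/**
 * \test A '!' placed inside the quotes is pattern data, not negation.
 *       The rule's second content is the literal five bytes "!PASS",
 *       which the payload "USER !PASS" contains. Rule authors who meant
 *       negation must put the '!' before the opening quote. Uses the
 *       positive helper (defined elsewhere; by its name an alert is
 *       expected).
 *       (Listing line numbers removed and the body braces restored.)
 */
static int SigTest75TestNegatedContent(void)
{
    return SigTestPositiveTestContent(
            "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)",
            (uint8_t *)"USER !PASS");
}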
/*
 * Content match on a pattern containing shell-variable syntax.
 *
 * The payload carries the literal text "${IFS}" and the rule looks for
 * content:"${IFS}" with offset:0 and depth:50 on established to-server TCP
 * traffic to port 515. The pattern starts at byte 12 of the payload, well
 * inside the 50-byte search window. "${IFS}" is the shell's field-separator
 * variable; the rule text treats it as plain bytes, so '$', '{' and '}' must
 * survive content parsing unchanged.
 *
 * NOTE(review): this listing is abridged (the gutter numbers skip lines), so
 * the packet/flow setup, signature loading and the final assertions are not
 * visible here. The function name suggests a regression case for bug 134 -
 * confirm against the tracker.
 */
2626 static int SigTest76TestBug134(
void)
2628 uint8_t *buf = (uint8_t *)
"test detect ${IFS} in traffic";
2629 uint16_t buflen = strlen((
char *)buf);
2634 memset(&f, 0,
sizeof(
Flow));
2643 char sig[] =
"alert tcp any any -> any 515 "
2644 "(msg:\"detect IFS\"; flow:to_server,established; content:\"${IFS}\";"
2645 " depth:50; offset:0; sid:900091; rev:1;)";
/*
 * Hex-encoded content combined with offset and depth.
 *
 * The rule looks for the two bytes |00 00| on UDP traffic to port 53, with
 * offset:13 and depth:5. In the two visible rows of the buffer, indexes 13-17
 * are all 0x00, so a pair of zero bytes is present right where the search
 * starts.
 *
 * NOTE(review): this listing is abridged (the gutter numbers skip lines): the
 * buffer declaration, the end of the rule string and the assertions are not
 * visible, so the 20 bytes shown are assumed to be the whole buffer. The
 * function name suggests a regression case for bug 139 - confirm.
 */
2660 static int SigTest77TestBug139(
void)
2663 0x12, 0x23, 0x34, 0x35, 0x52, 0x52, 0x24, 0x42, 0x22, 0x24,
2664 0x52, 0x24, 0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x34 };
2665 uint16_t buflen =
sizeof(buf);
2670 char sig[] =
"alert udp any any -> any 53 (msg:\"dns testing\";"
2671 " content:\"|00 00|\"; depth:5; offset:13; sid:9436601;"
/*
 * Shared driver for the DetectLongContentTest* cases: passes a fixed packet
 * and the caller's rule text to DetectContentLongPatternMatchTest().
 *
 * The fixture is declared as 739 bytes. Decoded from the bytes below it is an
 * Ethernet frame (all-zero MACs, EtherType 0x0800) carrying IPv4/TCP from
 * 10.16.1.11 to 10.16.1.10, destination port 80. The TCP payload is an HTTP
 * request, "POST / HTTP/1.1" with User-Agent curl/7.37.0 and
 * Content-Length: 528, whose body starts with eight 'X' (0x58) bytes followed
 * by a run of 512 'A' (0x41) bytes and then 'X' bytes again.
 *
 * NOTE(review): this listing is abridged (the gutter numbers skip lines), so
 * the end of the array initialiser and the remaining call arguments are not
 * visible; `sid` is presumably forwarded in the elided part - confirm.
 */
2685 static int DetectLongContentTestCommon(
const char *sig, uint32_t sid)
2688 static uint8_t pkt[739] = {
2689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2690 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x45, 0x00,
2691 0x02, 0xd5, 0x4a, 0x18, 0x40, 0x00, 0x40, 0x06,
2692 0xd7, 0xd6, 0x0a, 0x10, 0x01, 0x0b, 0x0a, 0x10,
2693 0x01, 0x0a, 0xdb, 0x36, 0x00, 0x50, 0xca, 0xc5,
2694 0xcc, 0xd1, 0x95, 0x77, 0x0f, 0x7d, 0x80, 0x18,
2695 0x00, 0xe5, 0x77, 0x9d, 0x00, 0x00, 0x01, 0x01,
2696 0x08, 0x0a, 0x1d, 0xe0, 0x86, 0xc6, 0xfc, 0x73,
2697 0x49, 0xf3, 0x50, 0x4f, 0x53, 0x54, 0x20, 0x2f,
2698 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e,
2699 0x31, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2700 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x63,
2701 0x75, 0x72, 0x6c, 0x2f, 0x37, 0x2e, 0x33, 0x37,
2702 0x2e, 0x30, 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74,
2703 0x3a, 0x20, 0x31, 0x30, 0x2e, 0x31, 0x36, 0x2e,
2704 0x31, 0x2e, 0x31, 0x30, 0x0d, 0x0a, 0x41, 0x63,
2705 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f,
2706 0x2a, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65,
2707 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74,
2708 0x68, 0x3a, 0x20, 0x35, 0x32, 0x38, 0x0d, 0x0a,
2709 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d,
2710 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x61, 0x70,
2711 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
2712 0x6e, 0x2f, 0x78, 0x2d, 0x77, 0x77, 0x77, 0x2d,
2713 0x66, 0x6f, 0x72, 0x6d, 0x2d, 0x75, 0x72, 0x6c,
2714 0x65, 0x6e, 0x63, 0x6f, 0x64, 0x65, 0x64, 0x0d,
2715 0x0a, 0x0d, 0x0a, 0x58, 0x58, 0x58, 0x58, 0x58,
2716 0x58, 0x58, 0x58, 0x41, 0x41, 0x41, 0x41, 0x41,
2717 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2718 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2719 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2720 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2721 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2722 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2723 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2724 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2725 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2726 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2727 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2728 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2729 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2730 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2731 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2732 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2733 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2734 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2735 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2736 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2737 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2738 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2739 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2740 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2741 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2742 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2743 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2744 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2745 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2746 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2747 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2748 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2749 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2750 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2751 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2752 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2753 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2754 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2755 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2756 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2757 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2758 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2759 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2760 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2761 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2762 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2763 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2764 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2765 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2766 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2767 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2768 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2769 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2770 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2771 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2772 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2773 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2774 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2775 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2776 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2777 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2778 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2779 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2780 0x41, 0x41, 0x41, 0x58, 0x58, 0x58, 0x58, 0x58,
2784 return DetectContentLongPatternMatchTest(pkt, (uint16_t)
sizeof(pkt), sig,
/*
 * Long-pattern case: runs the shared fixture in DetectLongContentTestCommon()
 * against a rule whose only content keyword is a long run of 'A' bytes, and
 * returns that helper's result unchanged (sid 1, matching sid:1 in the rule).
 *
 * NOTE(review): what this case pins down is the pattern length relative to
 * the fixture's 'A' run - confirm the exact count when editing the literal.
 */
2788 static int DetectLongContentTest1(
void)
2791 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
2793 return DetectLongContentTestCommon(sig, 1);
2796 static int DetectLongContentTest2(
void)
2799 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
2801 return DetectLongContentTestCommon(sig, 1);
2804 static int DetectLongContentTest3(
void)
2807 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
2809 return !DetectLongContentTestCommon(sig, 1);
/*
 * Malformed hex blocks in a content keyword.
 *
 * Each rule below carries a |...| block that is not a clean sequence of
 * two-digit hex bytes: a single nibble ("|a|"), a full byte followed by half
 * a byte ("|aa b|"), a non-hex character ("|aa bz|") and a lone digit between
 * two full bytes ("|22 2 22|"). A parser that quietly accepted any of these
 * would load a signature matching different bytes than its author wrote.
 *
 * NOTE(review): this listing is abridged (the gutter numbers skip lines), so
 * the calls wrapping `de_ctx` and each rule string are not visible; each rule
 * is presumably expected to be rejected at load time - confirm.
 */
2812 static int DetectBadBinContent(
void)
2819 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|a|\"; sid:1;)"));
2821 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|aa b|\"; sid:1;)"));
2823 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|aa bz|\"; sid:1;)"));
2826 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|22 2 22|\"; sid:1;)"));
2834 static void DetectContentRegisterTests(
void)
2839 UtRegisterTest(
"DetectContentDepthTest01", DetectContentDepthTest01);
2841 UtRegisterTest(
"DetectContentParseTest01", DetectContentParseTest01);
2842 UtRegisterTest(
"DetectContentParseTest02", DetectContentParseTest02);
2843 UtRegisterTest(
"DetectContentParseTest03", DetectContentParseTest03);
2844 UtRegisterTest(
"DetectContentParseTest04", DetectContentParseTest04);
2845 UtRegisterTest(
"DetectContentParseTest05", DetectContentParseTest05);
2846 UtRegisterTest(
"DetectContentParseTest06", DetectContentParseTest06);
2847 UtRegisterTest(
"DetectContentParseTest07", DetectContentParseTest07);
2848 UtRegisterTest(
"DetectContentParseTest08", DetectContentParseTest08);
2849 UtRegisterTest(
"DetectContentParseTest09", DetectContentParseTest09);
2850 UtRegisterTest(
"DetectContentParseTest17", DetectContentParseTest17);
2851 UtRegisterTest(
"DetectContentParseTest18", DetectContentParseTest18);
2852 UtRegisterTest(
"DetectContentParseTest19", DetectContentParseTest19);
2853 UtRegisterTest(
"DetectContentParseTest20", DetectContentParseTest20);
2854 UtRegisterTest(
"DetectContentParseTest21", DetectContentParseTest21);
2855 UtRegisterTest(
"DetectContentParseTest22", DetectContentParseTest22);
2856 UtRegisterTest(
"DetectContentParseTest23", DetectContentParseTest23);
2857 UtRegisterTest(
"DetectContentParseTest24", DetectContentParseTest24);
2858 UtRegisterTest(
"DetectContentParseTest25", DetectContentParseTest25);
2859 UtRegisterTest(
"DetectContentParseTest26", DetectContentParseTest26);
2860 UtRegisterTest(
"DetectContentParseTest27", DetectContentParseTest27);
2861 UtRegisterTest(
"DetectContentParseTest28", DetectContentParseTest28);
2862 UtRegisterTest(
"DetectContentParseTest29", DetectContentParseTest29);
2863 UtRegisterTest(
"DetectContentParseTest30", DetectContentParseTest30);
2864 UtRegisterTest(
"DetectContentParseTest31", DetectContentParseTest31);
2865 UtRegisterTest(
"DetectContentParseTest32", DetectContentParseTest32);
2866 UtRegisterTest(
"DetectContentParseTest33", DetectContentParseTest33);
2867 UtRegisterTest(
"DetectContentParseTest34", DetectContentParseTest34);
2868 UtRegisterTest(
"DetectContentParseTest35", DetectContentParseTest35);
2869 UtRegisterTest(
"DetectContentParseTest41", DetectContentParseTest41);
2870 UtRegisterTest(
"DetectContentParseTest42", DetectContentParseTest42);
2871 UtRegisterTest(
"DetectContentParseTest43", DetectContentParseTest43);
2872 UtRegisterTest(
"DetectContentParseTest44", DetectContentParseTest44);
2873 UtRegisterTest(
"DetectContentParseTest45", DetectContentParseTest45);
2877 DetectContentLongPatternMatchTest01);
2879 DetectContentLongPatternMatchTest02);
2881 DetectContentLongPatternMatchTest03);
2883 DetectContentLongPatternMatchTest04);
2885 DetectContentLongPatternMatchTest05);
2887 DetectContentLongPatternMatchTest06);
2889 DetectContentLongPatternMatchTest07);
2891 DetectContentLongPatternMatchTest08);
2893 DetectContentLongPatternMatchTest09);
2895 DetectContentLongPatternMatchTest10);
2897 DetectContentLongPatternMatchTest11);
2900 UtRegisterTest(
"SigTest41TestNegatedContent", SigTest41TestNegatedContent);
2902 SigTest41aTestNegatedContent);
2903 UtRegisterTest(
"SigTest42TestNegatedContent", SigTest42TestNegatedContent);
2904 UtRegisterTest(
"SigTest43TestNegatedContent", SigTest43TestNegatedContent);
2905 UtRegisterTest(
"SigTest44TestNegatedContent", SigTest44TestNegatedContent);
2906 UtRegisterTest(
"SigTest45TestNegatedContent", SigTest45TestNegatedContent);
2907 UtRegisterTest(
"SigTest46TestNegatedContent", SigTest46TestNegatedContent);
2908 UtRegisterTest(
"SigTest47TestNegatedContent", SigTest47TestNegatedContent);
2909 UtRegisterTest(
"SigTest48TestNegatedContent", SigTest48TestNegatedContent);
2910 UtRegisterTest(
"SigTest49TestNegatedContent", SigTest49TestNegatedContent);
2911 UtRegisterTest(
"SigTest50TestNegatedContent", SigTest50TestNegatedContent);
2912 UtRegisterTest(
"SigTest51TestNegatedContent", SigTest51TestNegatedContent);
2913 UtRegisterTest(
"SigTest52TestNegatedContent", SigTest52TestNegatedContent);
2914 UtRegisterTest(
"SigTest53TestNegatedContent", SigTest53TestNegatedContent);
2915 UtRegisterTest(
"SigTest54TestNegatedContent", SigTest54TestNegatedContent);
2916 UtRegisterTest(
"SigTest55TestNegatedContent", SigTest55TestNegatedContent);
2917 UtRegisterTest(
"SigTest56TestNegatedContent", SigTest56TestNegatedContent);
2918 UtRegisterTest(
"SigTest57TestNegatedContent", SigTest57TestNegatedContent);
2919 UtRegisterTest(
"SigTest58TestNegatedContent", SigTest58TestNegatedContent);
2920 UtRegisterTest(
"SigTest59TestNegatedContent", SigTest59TestNegatedContent);
2921 UtRegisterTest(
"SigTest60TestNegatedContent", SigTest60TestNegatedContent);
2922 UtRegisterTest(
"SigTest61TestNegatedContent", SigTest61TestNegatedContent);
2923 UtRegisterTest(
"SigTest62TestNegatedContent", SigTest62TestNegatedContent);
2924 UtRegisterTest(
"SigTest63TestNegatedContent", SigTest63TestNegatedContent);
2925 UtRegisterTest(
"SigTest64TestNegatedContent", SigTest64TestNegatedContent);
2926 UtRegisterTest(
"SigTest65TestNegatedContent", SigTest65TestNegatedContent);
2927 UtRegisterTest(
"SigTest66TestNegatedContent", SigTest66TestNegatedContent);
2928 UtRegisterTest(
"SigTest67TestNegatedContent", SigTest67TestNegatedContent);
2929 UtRegisterTest(
"SigTest68TestNegatedContent", SigTest68TestNegatedContent);
2930 UtRegisterTest(
"SigTest69TestNegatedContent", SigTest69TestNegatedContent);
2931 UtRegisterTest(
"SigTest70TestNegatedContent", SigTest70TestNegatedContent);
2932 UtRegisterTest(
"SigTest71TestNegatedContent", SigTest71TestNegatedContent);
2933 UtRegisterTest(
"SigTest72TestNegatedContent", SigTest72TestNegatedContent);
2934 UtRegisterTest(
"SigTest73TestNegatedContent", SigTest73TestNegatedContent);
2935 UtRegisterTest(
"SigTest74TestNegatedContent", SigTest74TestNegatedContent);
2936 UtRegisterTest(
"SigTest75TestNegatedContent", SigTest75TestNegatedContent);
2941 UtRegisterTest(
"DetectLongContentTest1", DetectLongContentTest1);
2942 UtRegisterTest(
"DetectLongContentTest2", DetectLongContentTest2);
2943 UtRegisterTest(
"DetectLongContentTest3", DetectLongContentTest3);