54 static void DetectContentRegisterTests(
void);
83 uint8_t **pstr, uint16_t *plen)
/* Excerpt of the routine that turns a rule's content string into raw bytes.
 * Only some of its lines appear in this listing; the notes cover visible lines. */
88 slen = strlen(contentstr);
/* NOTE(review): variable-length array sized from the rule text; confirm that an
 * omitted check bounds slen so stack use stays small. */
92 uint8_t buffer[slen + 1];
/* strlcpy() copies at most slen bytes and NUL-terminates within slen + 1. */
93 strlcpy((
char *)&buffer, contentstr, slen + 1);
/* Scratch for the hex digits of one byte plus a terminator, parsed by strtol()
 * below (presumably two digits, given the size of 3; binpos is set on omitted lines). */
105 uint8_t binstr[3] =
"";
107 uint16_t bin_count = 0;
/* One pass over the string; x starts at 0 alongside i (its use is on omitted lines). */
109 for (i = 0, x = 0; i < slen; i++) {
/* Error text for a hex byte left incomplete; the triggering condition is omitted. */
116 "Incomplete hex code in content - %s. Invalidating signature.",
124 }
/* A backslash met while not already in an escape; the branch body is omitted. */
else if(!escape &&
str[i] ==
'\\') {
/* True only for ASCII hex digits. The unsigned char cast keeps the isdigit()
 * argument in the range the C library requires. */
128 if (isdigit((
unsigned char)
str[i]) ||
129 str[i] ==
'A' ||
str[i] ==
'a' ||
130 str[i] ==
'B' ||
str[i] ==
'b' ||
131 str[i] ==
'C' ||
str[i] ==
'c' ||
132 str[i] ==
'D' ||
str[i] ==
'd' ||
133 str[i] ==
'E' ||
str[i] ==
'e' ||
134 str[i] ==
'F' ||
str[i] ==
'f')
/* Store the digit at position binpos of the scratch buffer. */
138 binstr[binpos] = (char)
str[i];
/* Parse the scratch buffer as base 16 and keep the low 8 bits as the decoded byte. */
142 uint8_t c = strtol((
char *)binstr, (
char **) NULL, 16) & 0xFF;
148 }
/* A space in this position has its own branch (body omitted). */
else if (
str[i] ==
' ') {
/* Anything else that is not a comma appears to lead to the "hex %c" error text below. */
151 else if (
str[i] !=
',') {
153 "content - %s, hex %c. Invalidating signature.",
str,
str[i]);
170 }
/* A double quote has its own branch (body omitted). */
else if (
str[i] ==
'"') {
/* An odd bin_count is reported with the keyword and the original string.
 * bin_count is updated on omitted lines. */
180 if (bin_count % 2 != 0) {
182 "%s - %s. Invalidating signature.", keyword, contentstr);
/* Copies slen bytes into ptr (allocated on an omitted line). */
196 memcpy(ptr,
str, slen);
/* NOTE(review): narrowing cast; confirm slen cannot exceed UINT16_MAX here,
 * otherwise *plen would disagree with the number of bytes copied above. */
198 *plen = (uint16_t)slen;
210 const char *contentstr)
213 uint8_t *content = NULL;
236 spm_global_thread_ctx);
254 const char *contentstr)
266 SCLogDebug(
"DetectContentData \"cd\" is NULL");
270 if (tmpstr != NULL) {
299 if (tmprstr != NULL) {
355 "content string \"%s\" incompatible with %s transform",
364 sm->
ctx = (
void *)cd;
405 if (max_right_edge_i < 0) {
409 uint32_t max_right_edge = (uint32_t)max_right_edge_i;
412 for ( ; sm != NULL; sm = sm->
next) {
419 "signature can't match as content length %u is bigger than dsize %u.",
423 if (right_edge > max_right_edge) {
425 "signature can't match as content length %u with offset %u (=%u) is bigger than dsize %u.",
/* Excerpt of the pass that carries offset/depth limits from one match to the
 * next. The function header and many branch lines are not part of this listing. */
453 uint16_t offset_plus_pat = 0;
455 bool last_reset =
false;
457 bool has_depth =
false;
458 bool has_ends_with =
false;
459 uint16_t ends_with_depth = 0;
461 bool have_anchor =
false;
/* Walks the match list through its next pointers. */
464 for ( ; sm != NULL; sm = sm->
next) {
492 SCLogDebug(
"stored: offset %u depth %u offset_plus_pat %u",
offset, depth, offset_plus_pat);
/* Without a distance the running offset starts again from 0. */
501 SCLogDebug(
"no distance, reset offset_plus_pat & offset");
502 offset_plus_pat =
offset = 0;
505 SCLogDebug(
"stored: offset %u depth %u offset_plus_pat %u",
offset, depth, offset_plus_pat);
/* The sum is formed in 32 bits so it cannot wrap in 16 bits before the
 * comparison with UINT16_MAX; the "would overflow" log below is presumably the
 * else branch.
 * NOTE(review): cd->distance is logged with %d, so it looks signed; confirm an
 * omitted condition excludes negative values before this unsigned addition. */
508 if ((uint32_t)offset_plus_pat + cd->
distance <= UINT16_MAX) {
511 SCLogDebug(
"not updated content offset as it would overflow : %u + %d", offset_plus_pat, cd->
distance);
516 if (depth && depth > offset_plus_pat) {
520 SCLogDebug(
"distance to add: %u. depth + dist %u", dist, depth + dist);
530 if (cd->
depth == 0 && depth != 0) {
543 has_ends_with =
true;
/* Keep the smallest depth seen so far; 0 is treated as "not set yet". */
544 if (ends_with_depth == 0)
545 ends_with_depth = depth;
546 ends_with_depth =
MIN(ends_with_depth, depth);
553 cd->
offset = offset_plus_pat;
/* Same 32-bit guarded addition as above. */
562 if ((uint32_t)offset_plus_pat + cd->
distance <= UINT16_MAX) {
565 SCLogDebug(
"not updated content offset as it would overflow : %u + %d", offset_plus_pat, cd->
distance);
581 has_ends_with =
true;
/* Same smallest-depth tracking as above. */
582 if (ends_with_depth == 0)
583 ends_with_depth = depth;
584 ends_with_depth =
MIN(ends_with_depth, depth);
/* For a non-anchored PCRE and for unsupported keywords all three running
 * values are cleared. */
602 SCLogDebug(
"non-anchored PCRE not supported, reset offset_plus_pat & offset");
603 offset_plus_pat =
offset = depth = 0;
609 SCLogDebug(
"keyword not supported, reset offset_plus_pat & offset");
610 offset_plus_pat =
offset = depth = 0;
/* Second walk over the list: ends_with_depth is written to cd->depth. The
 * conditions that select which entries are updated are omitted. */
617 if (has_depth && has_ends_with) {
619 for ( ; sm != NULL; sm = sm->
next) {
624 cd->
depth = ends_with_depth;
636 static inline bool NeedsAsHex(uint8_t c)
/* Bytes for which NeedsAsHex() is true are printed as two uppercase hex digits:
 * "|" is prepended when hex is false, a space when it is true. */
660 if (NeedsAsHex(cd->
content[i])) {
662 snprintf(hex_str,
sizeof(hex_str),
"%s%02X", !hex ?
"|" :
" ", cd->
content[i]);
/* Presumably the else branch: the byte is printed as a character, preceded by
 * "|" when hex is true. Both writes are bounded by sizeof of their buffer. */
667 snprintf(p_str,
sizeof(p_str),
"%s%c", hex ?
"|" :
"", cd->
content[i]);
679 static bool TestLastContent(
const Signature *s, uint16_t o, uint16_t d)
695 if (d != cd->
depth) {
/* Test helper: wraps the option string sig in a fixed "alert tcp any any -> any any"
 * rule with sid:1, adds it to a fresh engine context with DE_QUIET set, and fails
 * the test when TestLastContent(s, o, d) returns false. The rule text is written
 * with snprintf() bounded by sizeof(rule); rule is declared on an omitted line. */
702 #define TEST_RUN(sig, o, d) \
704 SCLogDebug("TEST_RUN start: '%s'", (sig)); \
705 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
706 FAIL_IF_NULL(de_ctx); \
707 de_ctx->flags |= DE_QUIET; \
709 snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
710 Signature *s = DetectEngineAppendSig(de_ctx, rule); \
712 SigAddressPrepareStage1(de_ctx); \
713 bool res = TestLastContent(s, (o), (d)); \
714 FAIL_IF(res == false); \
715 DetectEngineCtxFree(de_ctx); \
/* Table-style test: each TEST_RUN(sig, o, d) hands o and d to TestLastContent(),
 * which compares d with cd->depth (o presumably with the offset). */
722 static int DetectContentDepthTest01(
void)
/* Expected depth 4 = offset 1 + depth 3. */
725 TEST_RUN(
"content:\"abc\"; offset:1; depth:3;", 1, 4);
/* All three dsize forms below are expected to give the content a depth of 10. */
727 TEST_RUN(
"dsize:10; content:\"abc\";", 0, 10);
728 TEST_RUN(
"dsize:<10; content:\"abc\";", 0, 10);
729 TEST_RUN(
"dsize:5<>10; content:\"abc\";", 0, 10);
/* Relative content after an anchored one: expected offset 3 is the length of "abc". */
732 TEST_RUN(
"content:\"abc\"; depth:3; content:\"xyz\"; distance:0; within:3; ", 3, 6);
734 TEST_RUN(
"content:\"abc\"; offset:3; depth:3; content:\"xyz\"; distance:0; within:3; ", 6, 9);
735 TEST_RUN(
"content:\"abc\"; depth:6; content:\"xyz\"; distance:0; within:3; ", 3, 9);
/* Three chained contents. */
738 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; distance:0; within:3; content:\"xyz\"; distance:0; within:3; ", 6, 9);
/* A middle content without distance/within: expected depth drops to 0. */
740 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; content:\"xyz\"; distance:0; within:3; ", 3, 0);
/* A pcre without the R flag between the contents: both expected values are 0. */
742 TEST_RUN(
"content:\"abc\"; depth:3; pcre:/\"klm\"/; content:\"xyz\"; distance:0; within:3; ", 0, 0);
/* With the R flag on the pcre the expected offset is kept (3 and 6). */
744 TEST_RUN(
"content:\"abc\"; depth:3; pcre:/\"klm\"/R; content:\"xyz\"; distance:0; within:3; ", 3, 0);
745 TEST_RUN(
"content:\"abc\"; offset:3; depth:3; pcre:/\"klm\"/R; content:\"xyz\"; distance:0; within:3; ", 6, 0);
747 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; within:3; content:\"xyz\"; within:3; ", 0, 9);
749 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; distance:0; content:\"xyz\"; distance:0; ", 6, 0);
/* Rules that place isdataat:!1,relative before a further content. */
752 TEST_RUN(
"content:\"abc\"; depth:6; isdataat:!1,relative; content:\"klm\";", 0, 6);
753 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; within:3; content:\"xyz\"; within:3; isdataat:!1,relative; content:\"def\"; ", 0, 9);
/* Non-zero distances. */
755 TEST_RUN(
"content:\"|03|\"; depth:1; content:\"|e0|\"; distance:4; within:1;", 5, 6);
756 TEST_RUN(
"content:\"|03|\"; depth:1; content:\"|e0|\"; distance:4; within:1; content:\"Cookie|3a|\"; distance:5; within:7;", 11, 18);
/* No content carries depth or offset here: nothing is expected to be set. */
758 TEST_RUN(
"content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; content:\"string\"; within:8;", 0, 0);
/* Same negated-content chain with and without dsize:<80 (expected depth 80 vs 0). */
760 TEST_RUN(
"dsize:<80; content:!\"|00 22 02 00|\"; depth: 4; content:\"|00 00 04|\"; distance:8; within:3; content:\"|00 00 00 00 00|\"; distance:6; within:5;", 17, 80);
761 TEST_RUN(
"content:!\"|00 22 02 00|\"; depth: 4; content:\"|00 00 04|\"; distance:8; within:3; content:\"|00 00 00 00 00|\"; distance:6; within:5;", 17, 0);
763 TEST_RUN(
"content:\"|0d 0a 0d 0a|\"; content:\"code=\"; distance:0;", 4, 0);
764 TEST_RUN(
"content:\"|0d 0a 0d 0a|\"; content:\"code=\"; distance:0; content:\"xploit.class\"; distance:2; within:18;", 11, 0);
766 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0;", 2, 0);
767 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0; content:\"|0d|LogMeIn, Inc.\"; distance:1; within:14;", 6, 0);
768 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0; content:\"|0d|LogMeIn, Inc.\"; distance:1; within:14; content:\".app\";", 0, 0);
770 TEST_RUN(
"content:\"=\"; offset:4; depth:9;", 4, 13);
773 TEST_RUN(
"content:\"=\"; offset:4; depth:9; content:\"=&\"; distance:55; within:2;", 60, 70);
/* distance is INT32_MAX: the expected offset stays at 10, the length of the
 * first pattern, i.e. the huge distance is not added to it. */
775 TEST_RUN(
"content:\"0123456789\"; content:\"abcdef\"; distance:2147483647;", 10, 0);
785 static void DetectContentPrintAll(
SigMatch *sm)
797 for (; first_sm != NULL; first_sm = first_sm->
next) {
799 SCLogDebug(
"Printing SigMatch DETECT_CONTENT %d", ++i);
807 static int g_file_data_buffer_id = 0;
808 static int g_dce_stub_data_buffer_id = 0;
/* Escaped colon: a backslash-colon in the input is expected to come out as a
 * plain colon (abc:def). The memcmp() covers strlen(teststringparsed) bytes;
 * a check of the parsed length, if any, is on lines omitted from this listing. */
813 static int DetectContentParseTest01 (
void)
817 const char *teststring =
"abc\\:def";
818 const char *teststringparsed =
"abc:def";
822 FAIL_IF(spm_global_thread_ctx == NULL);
826 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
827 SCLogDebug(
"expected %s got ", teststringparsed);
834 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
/* Escaped semicolon: a backslash-semicolon in the input is expected to come out
 * as a plain semicolon (abc;def). */
844 static int DetectContentParseTest02 (
void)
848 const char *teststring =
"abc\\;def";
849 const char *teststringparsed =
"abc;def";
853 FAIL_IF(spm_global_thread_ctx == NULL);
857 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
858 SCLogDebug(
"expected %s got ", teststringparsed);
865 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
/* Escaped double quote: a backslash-quote in the input is expected to come out
 * as a plain double quote between abc and def. */
875 static int DetectContentParseTest03 (
void)
879 const char *teststring =
"abc\\\"def";
880 const char *teststringparsed =
"abc\"def";
884 FAIL_IF(spm_global_thread_ctx == NULL);
888 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
889 SCLogDebug(
"expected %s got ", teststringparsed);
896 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
/* Escaped backslash: a doubled backslash in the input is expected to parse to a
 * single one. The comparison length len is computed on an omitted line. */
906 static int DetectContentParseTest04 (
void)
910 const char *teststring =
"abc\\\\def";
911 const char *teststringparsed =
"abc\\def";
915 FAIL_IF(spm_global_thread_ctx == NULL);
920 if (memcmp(cd->
content, teststringparsed,
len) != 0) {
921 SCLogDebug(
"expected %s got ", teststringparsed);
928 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
/* Input with a single backslash followed by an ordinary letter ('d'). The
 * expected outcome is asserted on lines not included in this listing. */
938 static int DetectContentParseTest05 (
void)
942 const char *teststring =
"abc\\def";
946 FAIL_IF(spm_global_thread_ctx == NULL);
/* Mixed literal and |hex| notation.
 * NOTE(review): |42|, |44| and |46| are the bytes 'B', 'D' and 'F', so a
 * full-length, case-sensitive compare against "abcdef" would differ. Check how
 * len is computed on the omitted line before relying on this test. */
963 static int DetectContentParseTest06 (
void)
967 const char *teststring =
"a|42|c|44|e|46|";
968 const char *teststringparsed =
"abcdef";
972 FAIL_IF(spm_global_thread_ctx == NULL);
977 if (memcmp(cd->
content, teststringparsed,
len) != 0) {
978 SCLogDebug(
"expected %s got ", teststringparsed);
985 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
/* Empty content string as input. The assertion on the parse result is on lines
 * not included in this listing. */
995 static int DetectContentParseTest07 (
void)
999 const char *teststring =
"";
1003 FAIL_IF(spm_global_thread_ctx == NULL);
/* Empty content string as input (same visible input as DetectContentParseTest07).
 * The assertion on the parse result is on lines not included in this listing. */
1018 static int DetectContentParseTest08 (
void)
1022 const char *teststring =
"";
1026 FAIL_IF(spm_global_thread_ctx == NULL);
1047 static int DetectContentLongPatternMatchTest(uint8_t *raw_eth_pkt, uint16_t pktsize,
const char *sig,
1061 memset(&th_v, 0,
sizeof(th_v));
1082 printf(
"relative next flag set on final match which is content: ");
1087 SCLogDebug(
"---DetectContentLongPatternMatchTest---");
1104 if (det_ctx != NULL)
/* Runs DetectContentLongPatternMatchTest() on a fixed raw Ethernet frame and
 * passes the frame size as sizeof(raw_eth_pkt) narrowed to uint16_t. */
1118 static int DetectContentLongPatternMatchTestWrp(
const char *sig, uint32_t sid)
/* Frame layout as far as the visible bytes show: EtherType 0x08 0x00 followed
 * by 0x45 (IPv4), IP protocol byte 0x06 (TCP), and from byte 54 on the ASCII text
 * "Hi, this is a big test to check content matches of splitted patterns
 * between multiple chun". The remaining bytes are on omitted lines. */
1125 uint8_t raw_eth_pkt[] = {
1126 0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,
1127 0x00,0x00,0x00,0x00,0x08,0x00,0x45,0x00,
1128 0x00,0x85,0x00,0x01,0x00,0x00,0x40,0x06,
1129 0x7c,0x70,0x7f,0x00,0x00,0x01,0x7f,0x00,
1130 0x00,0x01,0x00,0x14,0x00,0x50,0x00,0x00,
1131 0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x02,
1132 0x20,0x00,0xc9,0xad,0x00,0x00,0x48,0x69,
1133 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
1134 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
1135 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
1136 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
1137 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
1138 0x74,0x63,0x68,0x65,0x73,0x20,0x6f,0x66,
1139 0x20,0x73,0x70,0x6c,0x69,0x74,0x74,0x65,
1140 0x64,0x20,0x70,0x61,0x74,0x74,0x65,0x72,
1141 0x6e,0x73,0x20,0x62,0x65,0x74,0x77,0x65,
1142 0x65,0x6e,0x20,0x6d,0x75,0x6c,0x74,0x69,
1143 0x70,0x6c,0x65,0x20,0x63,0x68,0x75,0x6e,
1146 return DetectContentLongPatternMatchTest(raw_eth_pkt, (uint16_t)
sizeof(raw_eth_pkt),
/* Short pattern taken from the start of the test payload; the wrapper's result
 * is returned unchanged. */
1153 static int DetectContentLongPatternMatchTest01(
void)
1155 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";"
1156 " content:\"Hi, this is a big test\"; sid:1;)";
1157 return DetectContentLongPatternMatchTestWrp(sig, 1);
/* One long pattern covering the payload text; the wrapper's result is returned
 * unchanged. */
1163 static int DetectContentLongPatternMatchTest02(
void)
1165 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";"
1166 " content:\"Hi, this is a big test to check content matches of"
1167 " splitted patterns between multiple chunks!\"; sid:1;)";
1168 return DetectContentLongPatternMatchTestWrp(sig, 1);
/* Inverted expectation: the pattern ends in "multiple splitted chunks!" instead
 * of "multiple chunks!", and the test passes only when the wrapper returns 0. */
1175 static int DetectContentLongPatternMatchTest03(
void)
1178 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";"
1179 " content:\"Hi, this is a big test to check content matches of"
1180 " splitted patterns between multiple splitted chunks!\"; sid:1;)";
1181 return (DetectContentLongPatternMatchTestWrp(sig, 1) == 0) ? 1: 0;
1187 static int DetectContentLongPatternMatchTest04(
void)
1189 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1190 " content:\"Hi, this is\"; depth:15 ;content:\"a big test\"; "
1191 " within:15; content:\"to check content matches of\"; "
1192 " within:30; content:\"splitted patterns\"; distance:1; "
1195 return DetectContentLongPatternMatchTestWrp(sig, 1);
1203 static int DetectContentLongPatternMatchTest05(
void)
1205 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1206 " content:\"Hi, this is a big\"; depth:17; "
1207 " isdataat:30, relative; "
1208 " content:\"test\"; within: 5; distance:1; "
1209 " isdataat:15, relative; "
1210 " content:\"of splitted\"; within:37; distance:15; "
1211 " isdataat:20,relative; "
1212 " content:\"patterns\"; within:9; distance:1; "
1213 " isdataat:10, relative; "
1215 return DetectContentLongPatternMatchTestWrp(sig, 1);
1223 static int DetectContentLongPatternMatchTest06(
void)
1225 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1226 " content:\"Hi, this is a big test to check cont\"; depth:36;"
1227 " content:\"ent matches\"; within:11; distance:0; "
1228 " content:\"of splitted patterns between multiple\"; "
1229 " within:38; distance:1; "
1230 " content:\"chunks!\"; within: 8; distance:1; "
1232 return DetectContentLongPatternMatchTestWrp(sig, 1);
1239 static int DetectContentLongPatternMatchTest07(
void)
1241 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1242 " content:\"chunks!\"; "
1243 " content:\"content matches\"; offset:32; depth:47; "
1244 " content:\"of splitted patterns between multiple\"; "
1245 " content:\"Hi, this is a big\"; offset:0; depth:17; "
1247 return DetectContentLongPatternMatchTestWrp(sig, 1);
1254 static int DetectContentLongPatternMatchTest08(
void)
1256 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1257 " content:\"ent matches\"; "
1258 " content:\"of splitted patterns between multiple\"; "
1259 " within:38; distance:1; "
1260 " content:\"chunks!\"; within: 8; distance:1; "
1261 " content:\"Hi, this is a big test to check cont\"; depth:36;"
1263 return DetectContentLongPatternMatchTestWrp(sig, 1);
1270 static int DetectContentLongPatternMatchTest09(
void)
1272 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1273 " content:\"ent matches\"; "
1274 " content:\"of splitted patterns between multiple\"; "
1275 " offset:47; depth:85; "
1276 " content:\"chunks!\"; within: 8; distance:1; "
1277 " content:\"Hi, this is a big test to chec\"; depth:36;"
1278 " content:\"k cont\"; distance:0; within:6;"
1280 return DetectContentLongPatternMatchTestWrp(sig, 1);
1286 static int DetectContentLongPatternMatchTest10(
void)
1288 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1289 " content:\"Hi, this is a big test to check \"; "
1290 " content:\"con\"; "
1292 return DetectContentLongPatternMatchTestWrp(sig, 1);
1298 static int DetectContentLongPatternMatchTest11(
void)
1300 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; "
1304 return DetectContentLongPatternMatchTestWrp(sig, 1);
1307 static int DetectContentParseTest09(
void)
1310 const char *teststring =
"boo";
1314 FAIL_IF(spm_global_thread_ctx == NULL);
1327 static int DetectContentParseTest17(
void)
1330 const char *sigstr =
"alert tcp any any -> any any (msg:\"Dummy\"; "
1331 "content:\"one\"; content:\"two\"; within:2; sid:1;)";
1353 static int DetectContentParseTest18(
void)
1367 result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[
DETECT_SM_LIST_PMATCH] != NULL);
1376 result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[
DETECT_SM_LIST_PMATCH] != NULL);
1389 static int DetectContentParseTest19(
void)
1402 "(msg:\"Testing dce iface, stub_data with content\"; "
1403 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1405 "content:\"one\"; distance:0; sid:1;)");
1407 printf (
"failed dce iface, stub_data with content ");
1412 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1416 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_CONTENT);
1431 "(msg:\"Testing dce iface, stub_data with contents & distance, within\"; "
1432 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1434 "content:\"one\"; distance:0; content:\"two\"; within:10; sid:1;)");
1435 if (s->
next == NULL) {
1436 printf(
"failed dce iface, stub_data with content & distance, within");
1441 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1445 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_CONTENT);
1458 result &= (data->
within == 10);
1533 "(msg:\"Testing dce iface, stub with contents, distance, within\"; "
1534 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1536 "content:\"one\"; distance:0; "
1537 "content:\"two\"; within:10; distance:2; sid:1;)");
1538 if (s->
next == NULL) {
1543 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1547 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_CONTENT);
1653 "(msg:\"Testing content\"; "
1654 "content:\"one\"; sid:1;)");
1655 if (s->
next == NULL) {
1656 printf (
"failed testing content");
1661 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
1678 static int DetectContentParseTest20(
void)
1689 "alert udp any any -> any any "
1690 "(msg:\"test\"; content:\"\"; sid:238012;)");
1707 static int DetectContentParseTest21(
void)
1718 "alert udp any any -> any any "
1719 "(msg:\"test\"; content:\"; sid:238012;)");
1736 static int DetectContentParseTest22(
void)
1747 "alert udp any any -> any any "
1748 "(msg:\"test\"; content:\"boo; sid:238012;)");
1765 static int DetectContentParseTest23(
void)
1776 "alert udp any any -> any any "
1777 "(msg:\"test\"; content:boo\"; sid:238012;)");
1794 static int DetectContentParseTest24(
void)
1807 "alert udp any any -> any any "
1808 "(msg:\"test\"; content: !\"boo\"; sid:238012;)");
1810 printf(
"de_ctx->sig_list == NULL: ");
1816 printf(
"de_ctx->pmatch_tail == NULL || de_ctx->pmatch_tail->ctx == NULL: ");
1835 static int DetectContentParseTest25(
void)
1846 "alert udp any any -> any any "
1847 "(msg:\"test\"; content:\"|\"; sid:1;)");
1864 static int DetectContentParseTest26(
void)
1875 "alert udp any any -> any any "
1876 "(msg:\"test\"; content:\"|af\"; sid:1;)");
1893 static int DetectContentParseTest27(
void)
1904 "alert udp any any -> any any "
1905 "(msg:\"test\"; content:\"af|\"; sid:1;)");
1922 static int DetectContentParseTest28(
void)
1933 "alert udp any any -> any any "
1934 "(msg:\"test\"; content:\"|af|\"; sid:1;)");
1951 static int DetectContentParseTest29(
void)
1962 "alert udp any any -> any any "
1963 "(msg:\"test\"; content:\"aast|\"; sid:1;)");
1980 static int DetectContentParseTest30(
void)
1991 "alert udp any any -> any any "
1992 "(msg:\"test\"; content:\"aast|af\"; sid:1;)");
2009 static int DetectContentParseTest31(
void)
2020 "alert udp any any -> any any "
2021 "(msg:\"test\"; content:\"aast|af|\"; sid:1;)");
2038 static int DetectContentParseTest32(
void)
2049 "alert udp any any -> any any "
2050 "(msg:\"test\"; content:\"|af|asdf\"; sid:1;)");
2067 static int DetectContentParseTest33(
void)
2078 "alert udp any any -> any any "
2079 "(msg:\"test\"; content:\"|af|af|\"; sid:1;)");
2096 static int DetectContentParseTest34(
void)
2107 "alert udp any any -> any any "
2108 "(msg:\"test\"; content:\"|af|af|af\"; sid:1;)");
2125 static int DetectContentParseTest35(
void)
2136 "alert udp any any -> any any "
2137 "(msg:\"test\"; content:\"|af|af|af|\"; sid:1;)");
2154 static int DetectContentParseTest36(
void)
2165 "alert tcp any any -> any any "
2166 "(msg:\"test\"; file_data; content:\"abc\"; sid:1;)");
2168 printf(
"sig parse failed: ");
2173 printf(
"content still in PMATCH list: ");
2178 printf(
"content not in FILEDATA list: ");
2194 static int DetectContentParseTest37(
void)
2205 "alert tcp any any -> any any "
2206 "(msg:\"test\"; file_data; content:\"abc\"; content:\"def\"; sid:1;)");
2208 printf(
"sig parse failed: ");
2213 printf(
"content still in PMATCH list: ");
2218 printf(
"content not in FILEDATA list: ");
2234 static int DetectContentParseTest38(
void)
2245 "alert tcp any any -> any any "
2246 "(msg:\"test\"; file_data; content:\"abc\"; content:\"def\"; within:8; sid:1;)");
2248 printf(
"sig parse failed: ");
2253 printf(
"content still in PMATCH list: ");
2258 printf(
"content not in FILEDATA list: ");
2271 static int SigTestPositiveTestContent(
const char *rule, uint8_t *buf)
2273 uint16_t buflen = strlen((
char *)buf);
2277 memset(&th_v, 0,
sizeof(th_v));
2306 static int DetectContentParseTest39(
void)
2317 "alert tcp any any -> any any "
2318 "(msg:\"test\"; file_data; content:\"abc\"; within:8; sid:1;)");
2320 printf(
"sig parse failed: ");
2325 printf(
"content still in PMATCH list: ");
2330 printf(
"content not in FILEDATA list: ");
2346 static int DetectContentParseTest40(
void)
2357 "alert tcp any any -> any any "
2358 "(msg:\"test\"; file_data; content:\"abc\"; distance:3; sid:1;)");
2360 printf(
"sig parse failed: ");
2365 printf(
"content still in PMATCH list: ");
2370 printf(
"content not in FILEDATA list: ");
2383 static int DetectContentParseTest41(
void)
2388 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2392 for (
int i = 0; i < patlen; idx++, i++) {
2393 teststring[idx] =
'a';
2395 teststring[idx++] =
'\0';
2399 FAIL_IF(spm_global_thread_ctx == NULL);
2416 static int DetectContentParseTest42(
void)
2421 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2425 for (
int i = 0; i < patlen; idx++, i++) {
2426 teststring[idx] =
'a';
2428 teststring[idx++] =
'\0';
2432 FAIL_IF(spm_global_thread_ctx == NULL);
2446 static int DetectContentParseTest43(
void)
2451 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2455 teststring[idx++] =
'|';
2456 teststring[idx++] =
'4';
2457 teststring[idx++] =
'6';
2458 teststring[idx++] =
'|';
2459 for (
int i = 0; i < (patlen - 4); idx++, i++) {
2460 teststring[idx] =
'a';
2462 teststring[idx++] =
'\0';
2466 FAIL_IF(spm_global_thread_ctx == NULL);
2483 static int DetectContentParseTest44(
void)
2488 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2492 teststring[idx++] =
'|';
2493 teststring[idx++] =
'4';
2494 teststring[idx++] =
'6';
2495 teststring[idx++] =
'|';
2496 for (
int i = 0; i < (patlen - 4); idx++, i++) {
2497 teststring[idx] =
'a';
2499 teststring[idx++] =
'\0';
2503 FAIL_IF(spm_global_thread_ctx == NULL);
2520 static int DetectContentParseTest45(
void)
2529 "alert tcp any any -> any any "
2530 "(msg:\"test\"; content:\"|ff|\" content:\"TEST\"; sid:1;)");
2538 static int SigTestNegativeTestContent(
const char *rule, uint8_t *buf)
2540 uint16_t buflen = strlen((
char *)buf);
2545 memset(&th_v, 0,
sizeof(th_v));
2570 if (det_ctx != NULL) {
/* Positive helper, so presumably an alert is expected: negated content !"GES"
 * with no modifiers, and "GES" does not occur in either request. */
2586 static int SigTest41TestNegatedContent(
void)
2588 return SigTestPositiveTestContent(
"alert tcp any any -> any any "
2589 "(msg:\"HTTP URI cap\"; content:!\"GES\"; sid:1;)",
2591 (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\n"
2592 "GET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
/* Plain content:"GET" with flow:to_server. The helper's result is discarded
 * with (void); the return statement of this test is not part of this listing. */
2600 static int SigTest41aTestNegatedContent(
void)
2602 (void)SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET\"; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
/* Positive helper, so presumably an alert is expected: !"twentythree" limited
 * by offset:35 and depth:22. The word sits at byte offsets 23-33 of the payload
 * (0-based), before the offset. */
2611 static int SigTest42TestNegatedContent(
void)
2613 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"twentythree\"; depth:22; offset:35; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: !"twentythree" with
 * offset:23 and depth:34; the word starts exactly at byte offset 23. */
2623 static int SigTest43TestNegatedContent(
void)
2625 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:!\"twentythree\"; depth:34; offset:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected: !"twentythree" with
 * offset:40 and depth:35; the word (offsets 23-33) lies before the offset. */
2633 static int SigTest44TestNegatedContent(
void)
2635 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"twentythree\"; offset:40; depth:35; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected: "one" with depth:5, then
 * !"twentythree" with depth:23; the word starts at offset 23, just past the
 * first 23 bytes. */
2642 static int SigTest45TestNegatedContent(
void)
2644 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:5; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: the non-negated content
 * "onee" does not occur in the payload. */
2651 static int SigTest46TestNegatedContent(
void)
2653 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"onee\"; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: content:"one" carries
 * offset:5, while "one" occurs only at offset 0 of the payload. */
2661 static int SigTest47TestNegatedContent(
void)
2663 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; offset:5; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected: "GET" followed by
 * !"GES" within:26; "GES" does not occur in the payload. */
2670 static int SigTest48TestNegatedContent(
void)
2672 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; within:26; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
/* Negative helper, so presumably no alert is expected: "GET" followed by
 * !"Host" within:26; "Host" starts 18 bytes after the end of the first "GET". */
2679 static int SigTest49TestNegatedContent(
void)
2681 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"Host\"; within:26; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
/* Positive helper, so presumably an alert is expected: "GET" followed by
 * !"GES" with distance:25; "GES" does not occur in the payload. */
2688 static int SigTest50TestNegatedContent(
void)
2690 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; distance:25; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
/* Negative helper, so presumably no alert is expected: "GET" followed by
 * !"Host" with distance:17. In this payload (no space before the first "Host")
 * the header name starts 17 bytes after the end of the first "GET". */
2700 static int SigTest51TestNegatedContent(
void)
2702 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"GET\"; content:!\"Host\"; distance:17; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
/* Negative helper, so presumably no alert is expected: the non-negated content
 * "GES" does not occur in the payload. */
2709 static int SigTest52TestNegatedContent(
void)
2711 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GES\"; content:!\"BOO\"; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
/* Negative helper, so presumably no alert is expected: "one" then !"fourty"
 * within:56; "fourty" (offsets 46-51) lies inside the 56 bytes after "one". */
2718 static int SigTest53TestNegatedContent(
void)
2720 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected: "one" then !"fourty"
 * within:20; "fourty" starts at offset 46, beyond 20 bytes after "one". */
2727 static int SigTest54TestNegatedContent(
void)
2729 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:20; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: !"one" with depth:5,
 * and "one" is at offset 0 of the payload. */
2736 static int SigTest55TestNegatedContent(
void)
2738 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"one\"; depth:5; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected. No negation here:
 * "one" then "fourty" within:56. */
2745 static int SigTest56TestNegatedContent(
void)
2747 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one" then !"fourty"
 * within:56 (the same rule options as SigTest53TestNegatedContent). */
2754 static int SigTest57TestNegatedContent(
void)
2756 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected: "one" then !"fourty"
 * with distance:57, which points past "fourty" (offsets 46-51). */
2763 static int SigTest58TestNegatedContent(
void)
2765 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; distance:57; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one" then !"fourty"
 * with distance:30, which still leaves "fourty" (offset 46) ahead. */
2772 static int SigTest59TestNegatedContent(
void)
2774 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; distance:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: !"one" combined with
 * content:"fourty"; "one" is present at offset 0. */
2777 static int SigTest60TestNegatedContent(
void)
2779 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"one\"; content:\"fourty\"; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected: "one" (depth:10) then
 * !"fourty" within:30; "fourty" starts at offset 46. */
2782 static int SigTest61TestNegatedContent(
void)
2784 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one" (depth:10) then
 * !"fourty" within:49, which reaches exactly to the end of "fourty"
 * (3 + 49 = 52). */
2794 static int SigTest62TestNegatedContent(
void)
2796 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:49; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one" (depth:10) then
 * !"fourty" within:56. */
2799 static int SigTest63TestNegatedContent(
void)
2801 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:10; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected. Same rule text and
 * payload as SigTest61TestNegatedContent. */
2804 static int SigTest64TestNegatedContent(
void)
2806 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one" (depth:10) then
 * !"fourty" with distance:0 and within:49. */
2816 static int SigTest65TestNegatedContent(
void)
2818 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; distance:0; within:49; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected. Same rule text and
 * payload as SigTest61TestNegatedContent. */
2821 static int SigTest66TestNegatedContent(
void)
2823 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one" (depth:10) then
 * !"four" within:56; "four" first occurs at offset 4. */
2826 static int SigTest67TestNegatedContent(
void)
2828 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"four\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected: "one", "nine"
 * (offset:8), then !"fourty" within:28, then "fiftysix". "nine" ends at offset
 * 13, so 28 more bytes stop short of "fourty" at offset 46. */
2831 static int SigTest68TestNegatedContent(
void)
2833 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:28; content:\"fiftysix\"; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one", "nine"
 * (offset:8), then !"fourty" within:48, which extends past "fourty"
 * (13 + 48 = 61). */
2836 static int SigTest69TestNegatedContent(
void)
2838 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:48; content:\"fiftysix\"; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one" then !"fourty"
 * within:52. */
2841 static int SigTest70TestNegatedContent(
void)
2843 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:52; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one" then !"fourty"
 * with distance:43 and within:40; 3 + 43 = 46 is exactly where "fourty" starts. */
2847 static int SigTest71TestNegatedContent(
void)
2849 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:40; distance:43; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one" then !"fourty"
 * with distance:43 and within:49. */
2852 static int SigTest72TestNegatedContent(
void)
2854 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:49; distance:43; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Negative helper, so presumably no alert is expected: "one" (depth:5) then
 * !"twentythree" with depth:35; the word ends at offset 33, inside the first
 * 35 bytes. */
2857 static int SigTest73TestNegatedContent(
void)
2859 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:5; content:!\"twentythree\"; depth:35; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
/* Positive helper, so presumably an alert is expected: "USER" is present and
 * the negated "PASS" does not occur in the payload "USER apple". */
2862 static int SigTest74TestNegatedContent(
void)
2864 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; sid:1;)", (uint8_t *)
"USER apple");
/* Positive helper, so presumably an alert is expected. Here the "!" is inside
 * the quotes, so "!PASS" is a literal pattern rather than a negation, and the
 * payload contains "!PASS". */
2867 static int SigTest75TestNegatedContent(
void)
2869 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)
"USER !PASS");
/*
 * Regression case named after bug 134. Only fragments of the body are
 * visible in this listing, so this note covers the inputs alone:
 *   - payload: the 29-byte string "test detect ${IFS} in traffic", with
 *     "${IFS}" at bytes 12-17;
 *   - rule: tcp to port 515, flow:to_server,established, content "${IFS}"
 *     with offset:0 and depth:50, i.e. a depth larger than the payload.
 * NOTE(review): whether the bug concerned the "${" characters in the pattern
 * or the depth exceeding the payload length is not stated in the visible
 * lines -- confirm against the bug tracker entry. The flow/packet setup and
 * the expected outcome are outside this view.
 */
2872 static int SigTest76TestBug134(
void)
2874 uint8_t *buf = (uint8_t *)
"test detect ${IFS} in traffic";
2875 uint16_t buflen = strlen((
char *)buf);
2880 memset(&f, 0,
sizeof(
Flow));
2889 char sig[] =
"alert tcp any any -> any 515 "
2890 "(msg:\"detect IFS\"; flow:to_server,established; content:\"${IFS}\";"
2891 " depth:50; offset:0; sid:900091; rev:1;)";
/*
 * Regression case named after bug 139. Only fragments of the body are
 * visible in this listing:
 *   - buffer: two rows of 10 bytes are shown; if they are the whole array,
 *     the 0x00 bytes sit at indexes 13-17;
 *   - rule: udp to port 53, content "|00 00|" (two zero bytes written in hex
 *     notation) with depth:5 and offset:13. The end of the rule text is not
 *     visible.
 * NOTE(review): on its face the inspected window is bytes 13-17 if depth is
 * counted from the offset -- confirm how the engine combines the two. The
 * expected outcome is outside this view.
 */
2906 static int SigTest77TestBug139(
void)
2909 0x12, 0x23, 0x34, 0x35, 0x52, 0x52, 0x24, 0x42, 0x22, 0x24,
2910 0x52, 0x24, 0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x34 };
2911 uint16_t buflen =
sizeof(buf);
2916 char sig[] =
"alert udp any any -> any 53 (msg:\"dns testing\";"
2917 " content:\"|00 00|\"; depth:5; offset:13; sid:9436601;"
/*
 * Shared driver for the DetectLongContentTest* cases: hands one fixed packet,
 * its size (cast to uint16_t) and the caller's rule text to
 * DetectContentLongPatternMatchTest. The remaining arguments of that call,
 * and therefore how sid is used, are not visible in this listing.
 *
 * What the visible bytes of pkt decode to:
 *   - bytes 0-13: all-zero MAC addresses and EtherType 0x0800 (IPv4);
 *   - IPv4 header: total length 0x02d5 (725 = 739 minus the 14-byte Ethernet
 *     header), protocol 6 (TCP), 10.16.1.11 -> 10.16.1.10;
 *   - TCP header: destination port 0x0050 (80), data offset 8 words;
 *   - payload from byte 66: an HTTP "POST / HTTP/1.1" request announcing
 *     "Content-Length: 528", whose body is 8 'X' bytes (0x58), then 512 'A'
 *     bytes (0x41), then trailing 'X' bytes.
 * The rows shown hold 736 of the 739 declared bytes; the closing row of the
 * initializer is not visible here.
 *
 * The 512-byte run of 'A' is what the callers' long content patterns are
 * measured against.
 */
2931 static int DetectLongContentTestCommon(
const char *sig, uint32_t sid)
2934 static uint8_t pkt[739] = {
2935 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2936 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x45, 0x00,
2937 0x02, 0xd5, 0x4a, 0x18, 0x40, 0x00, 0x40, 0x06,
2938 0xd7, 0xd6, 0x0a, 0x10, 0x01, 0x0b, 0x0a, 0x10,
2939 0x01, 0x0a, 0xdb, 0x36, 0x00, 0x50, 0xca, 0xc5,
2940 0xcc, 0xd1, 0x95, 0x77, 0x0f, 0x7d, 0x80, 0x18,
2941 0x00, 0xe5, 0x77, 0x9d, 0x00, 0x00, 0x01, 0x01,
2942 0x08, 0x0a, 0x1d, 0xe0, 0x86, 0xc6, 0xfc, 0x73,
2943 0x49, 0xf3, 0x50, 0x4f, 0x53, 0x54, 0x20, 0x2f,
2944 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e,
2945 0x31, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2946 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x63,
2947 0x75, 0x72, 0x6c, 0x2f, 0x37, 0x2e, 0x33, 0x37,
2948 0x2e, 0x30, 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74,
2949 0x3a, 0x20, 0x31, 0x30, 0x2e, 0x31, 0x36, 0x2e,
2950 0x31, 0x2e, 0x31, 0x30, 0x0d, 0x0a, 0x41, 0x63,
2951 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f,
2952 0x2a, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65,
2953 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74,
2954 0x68, 0x3a, 0x20, 0x35, 0x32, 0x38, 0x0d, 0x0a,
2955 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d,
2956 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x61, 0x70,
2957 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
2958 0x6e, 0x2f, 0x78, 0x2d, 0x77, 0x77, 0x77, 0x2d,
2959 0x66, 0x6f, 0x72, 0x6d, 0x2d, 0x75, 0x72, 0x6c,
2960 0x65, 0x6e, 0x63, 0x6f, 0x64, 0x65, 0x64, 0x0d,
2961 0x0a, 0x0d, 0x0a, 0x58, 0x58, 0x58, 0x58, 0x58,
2962 0x58, 0x58, 0x58, 0x41, 0x41, 0x41, 0x41, 0x41,
2963 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2964 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2965 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2966 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2967 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2968 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2969 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2970 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2971 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2972 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2973 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2974 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2975 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2976 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2977 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2978 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2979 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2980 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2981 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2982 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2983 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2984 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2985 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2986 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2987 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2988 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2989 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2990 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2991 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2992 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2993 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2994 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2995 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2996 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2997 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2998 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2999 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3000 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3001 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3002 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3003 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3004 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3005 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3006 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3007 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3008 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3009 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3010 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3011 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3012 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3013 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3014 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3015 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3016 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3017 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3018 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3019 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3020 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3021 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3022 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3023 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3024 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3025 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
3026 0x41, 0x41, 0x41, 0x58, 0x58, 0x58, 0x58, 0x58,
3030 return DetectContentLongPatternMatchTest(pkt, (uint16_t)
sizeof(pkt), sig,
/*
 * Long-pattern case 1: passes a rule whose content is one unbroken run of
 * 'A' bytes to DetectLongContentTestCommon with sid 1 and returns that
 * helper's result unchanged. The shared packet carries a 512-byte run of
 * 'A' in its HTTP body.
 * NOTE(review): the exact length of the run in this rule was not recounted
 * for this note -- count it before relying on where it sits relative to the
 * 512-byte body run.
 */
3034 static int DetectLongContentTest1(
void)
3037 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
3039 return DetectLongContentTestCommon(sig, 1);
3042 static int DetectLongContentTest2(
void)
3045 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
3047 return DetectLongContentTestCommon(sig, 1);
3050 static int DetectLongContentTest3(
void)
3053 const char *sig =
"alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
3055 return !DetectLongContentTestCommon(sig, 1);
/*
 * Feeds four rules with malformed hex notation inside content:"|...|" to the
 * detection engine context. The call that consumes each (de_ctx, rule) pair,
 * and the engine setup and teardown, are not visible in this listing;
 * presumably each rule is expected to be rejected -- confirm against the
 * full body.
 *
 * The four malformed forms shown:
 *   "|a|"       a single hex digit, no complete byte
 *   "|aa b|"    one complete byte followed by a lone digit
 *   "|aa bz|"   a non-hex character ('z') in the second byte
 *   "|22 2 22|" a lone digit between two complete bytes
 *
 * Rejecting such rules at load time matters for detection coverage: a rule
 * that loaded with a silently repaired or truncated byte pattern would match
 * different traffic than its author intended.
 */
3058 static int DetectBadBinContent(
void)
3065 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|a|\"; sid:1;)"));
3067 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|aa b|\"; sid:1;)"));
3069 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|aa bz|\"; sid:1;)"));
3072 de_ctx,
"alert tcp any any -> any any (msg:\"test\"; content:\"|22 2 22|\"; sid:1;)"));
3080 static void DetectContentRegisterTests(
void)
3085 UtRegisterTest(
"DetectContentDepthTest01", DetectContentDepthTest01);
3087 UtRegisterTest(
"DetectContentParseTest01", DetectContentParseTest01);
3088 UtRegisterTest(
"DetectContentParseTest02", DetectContentParseTest02);
3089 UtRegisterTest(
"DetectContentParseTest03", DetectContentParseTest03);
3090 UtRegisterTest(
"DetectContentParseTest04", DetectContentParseTest04);
3091 UtRegisterTest(
"DetectContentParseTest05", DetectContentParseTest05);
3092 UtRegisterTest(
"DetectContentParseTest06", DetectContentParseTest06);
3093 UtRegisterTest(
"DetectContentParseTest07", DetectContentParseTest07);
3094 UtRegisterTest(
"DetectContentParseTest08", DetectContentParseTest08);
3095 UtRegisterTest(
"DetectContentParseTest09", DetectContentParseTest09);
3096 UtRegisterTest(
"DetectContentParseTest17", DetectContentParseTest17);
3097 UtRegisterTest(
"DetectContentParseTest18", DetectContentParseTest18);
3098 UtRegisterTest(
"DetectContentParseTest19", DetectContentParseTest19);
3099 UtRegisterTest(
"DetectContentParseTest20", DetectContentParseTest20);
3100 UtRegisterTest(
"DetectContentParseTest21", DetectContentParseTest21);
3101 UtRegisterTest(
"DetectContentParseTest22", DetectContentParseTest22);
3102 UtRegisterTest(
"DetectContentParseTest23", DetectContentParseTest23);
3103 UtRegisterTest(
"DetectContentParseTest24", DetectContentParseTest24);
3104 UtRegisterTest(
"DetectContentParseTest25", DetectContentParseTest25);
3105 UtRegisterTest(
"DetectContentParseTest26", DetectContentParseTest26);
3106 UtRegisterTest(
"DetectContentParseTest27", DetectContentParseTest27);
3107 UtRegisterTest(
"DetectContentParseTest28", DetectContentParseTest28);
3108 UtRegisterTest(
"DetectContentParseTest29", DetectContentParseTest29);
3109 UtRegisterTest(
"DetectContentParseTest30", DetectContentParseTest30);
3110 UtRegisterTest(
"DetectContentParseTest31", DetectContentParseTest31);
3111 UtRegisterTest(
"DetectContentParseTest32", DetectContentParseTest32);
3112 UtRegisterTest(
"DetectContentParseTest33", DetectContentParseTest33);
3113 UtRegisterTest(
"DetectContentParseTest34", DetectContentParseTest34);
3114 UtRegisterTest(
"DetectContentParseTest35", DetectContentParseTest35);
3115 UtRegisterTest(
"DetectContentParseTest36", DetectContentParseTest36);
3116 UtRegisterTest(
"DetectContentParseTest37", DetectContentParseTest37);
3117 UtRegisterTest(
"DetectContentParseTest38", DetectContentParseTest38);
3118 UtRegisterTest(
"DetectContentParseTest39", DetectContentParseTest39);
3119 UtRegisterTest(
"DetectContentParseTest40", DetectContentParseTest40);
3120 UtRegisterTest(
"DetectContentParseTest41", DetectContentParseTest41);
3121 UtRegisterTest(
"DetectContentParseTest42", DetectContentParseTest42);
3122 UtRegisterTest(
"DetectContentParseTest43", DetectContentParseTest43);
3123 UtRegisterTest(
"DetectContentParseTest44", DetectContentParseTest44);
3124 UtRegisterTest(
"DetectContentParseTest45", DetectContentParseTest45);
3128 DetectContentLongPatternMatchTest01);
3130 DetectContentLongPatternMatchTest02);
3132 DetectContentLongPatternMatchTest03);
3134 DetectContentLongPatternMatchTest04);
3136 DetectContentLongPatternMatchTest05);
3138 DetectContentLongPatternMatchTest06);
3140 DetectContentLongPatternMatchTest07);
3142 DetectContentLongPatternMatchTest08);
3144 DetectContentLongPatternMatchTest09);
3146 DetectContentLongPatternMatchTest10);
3148 DetectContentLongPatternMatchTest11);
3151 UtRegisterTest(
"SigTest41TestNegatedContent", SigTest41TestNegatedContent);
3153 SigTest41aTestNegatedContent);
3154 UtRegisterTest(
"SigTest42TestNegatedContent", SigTest42TestNegatedContent);
3155 UtRegisterTest(
"SigTest43TestNegatedContent", SigTest43TestNegatedContent);
3156 UtRegisterTest(
"SigTest44TestNegatedContent", SigTest44TestNegatedContent);
3157 UtRegisterTest(
"SigTest45TestNegatedContent", SigTest45TestNegatedContent);
3158 UtRegisterTest(
"SigTest46TestNegatedContent", SigTest46TestNegatedContent);
3159 UtRegisterTest(
"SigTest47TestNegatedContent", SigTest47TestNegatedContent);
3160 UtRegisterTest(
"SigTest48TestNegatedContent", SigTest48TestNegatedContent);
3161 UtRegisterTest(
"SigTest49TestNegatedContent", SigTest49TestNegatedContent);
3162 UtRegisterTest(
"SigTest50TestNegatedContent", SigTest50TestNegatedContent);
3163 UtRegisterTest(
"SigTest51TestNegatedContent", SigTest51TestNegatedContent);
3164 UtRegisterTest(
"SigTest52TestNegatedContent", SigTest52TestNegatedContent);
3165 UtRegisterTest(
"SigTest53TestNegatedContent", SigTest53TestNegatedContent);
3166 UtRegisterTest(
"SigTest54TestNegatedContent", SigTest54TestNegatedContent);
3167 UtRegisterTest(
"SigTest55TestNegatedContent", SigTest55TestNegatedContent);
3168 UtRegisterTest(
"SigTest56TestNegatedContent", SigTest56TestNegatedContent);
3169 UtRegisterTest(
"SigTest57TestNegatedContent", SigTest57TestNegatedContent);
3170 UtRegisterTest(
"SigTest58TestNegatedContent", SigTest58TestNegatedContent);
3171 UtRegisterTest(
"SigTest59TestNegatedContent", SigTest59TestNegatedContent);
3172 UtRegisterTest(
"SigTest60TestNegatedContent", SigTest60TestNegatedContent);
3173 UtRegisterTest(
"SigTest61TestNegatedContent", SigTest61TestNegatedContent);
3174 UtRegisterTest(
"SigTest62TestNegatedContent", SigTest62TestNegatedContent);
3175 UtRegisterTest(
"SigTest63TestNegatedContent", SigTest63TestNegatedContent);
3176 UtRegisterTest(
"SigTest64TestNegatedContent", SigTest64TestNegatedContent);
3177 UtRegisterTest(
"SigTest65TestNegatedContent", SigTest65TestNegatedContent);
3178 UtRegisterTest(
"SigTest66TestNegatedContent", SigTest66TestNegatedContent);
3179 UtRegisterTest(
"SigTest67TestNegatedContent", SigTest67TestNegatedContent);
3180 UtRegisterTest(
"SigTest68TestNegatedContent", SigTest68TestNegatedContent);
3181 UtRegisterTest(
"SigTest69TestNegatedContent", SigTest69TestNegatedContent);
3182 UtRegisterTest(
"SigTest70TestNegatedContent", SigTest70TestNegatedContent);
3183 UtRegisterTest(
"SigTest71TestNegatedContent", SigTest71TestNegatedContent);
3184 UtRegisterTest(
"SigTest72TestNegatedContent", SigTest72TestNegatedContent);
3185 UtRegisterTest(
"SigTest73TestNegatedContent", SigTest73TestNegatedContent);
3186 UtRegisterTest(
"SigTest74TestNegatedContent", SigTest74TestNegatedContent);
3187 UtRegisterTest(
"SigTest75TestNegatedContent", SigTest75TestNegatedContent);
3192 UtRegisterTest(
"DetectLongContentTest1", DetectLongContentTest1);
3193 UtRegisterTest(
"DetectLongContentTest2", DetectLongContentTest2);
3194 UtRegisterTest(
"DetectLongContentTest3", DetectLongContentTest3);