53 static void DetectContentRegisterTests(
void);
79 uint8_t **pstr, uint16_t *plen)
84 slen = strlen(contentstr);
88 uint8_t buffer[slen + 1];
89 strlcpy((
char *)&buffer, contentstr, slen + 1);
92 SCLogDebug(
"\"%s\", len %" PRIuMAX, str, (uintmax_t)slen);
101 uint8_t binstr[3] =
"";
103 uint16_t bin_count = 0;
105 for (i = 0, x = 0; i < slen; i++) {
114 }
else if(!escape && str[i] ==
'\\') {
118 if (isdigit((
unsigned char)str[i]) ||
119 str[i] ==
'A' || str[i] ==
'a' ||
120 str[i] ==
'B' || str[i] ==
'b' ||
121 str[i] ==
'C' || str[i] ==
'c' ||
122 str[i] ==
'D' || str[i] ==
'd' ||
123 str[i] ==
'E' || str[i] ==
'e' ||
124 str[i] ==
'F' || str[i] ==
'f')
128 binstr[binpos] = (char)str[i];
132 uint8_t c = strtol((
char *)binstr, (
char **) NULL, 16) & 0xFF;
138 }
else if (str[i] ==
' ') {
141 else if (str[i] !=
',') {
143 "content - %s, hex %c. Invalidating signature.", str, str[i]);
160 }
else if (str[i] ==
'"') {
170 if (bin_count % 2 != 0) {
172 "%s - %s. Invalidating signature.", keyword, contentstr);
186 memcpy(ptr, str, slen);
188 *plen = (uint16_t)slen;
200 const char *contentstr)
203 uint8_t *content = NULL;
221 memcpy(cd->
content, content, len);
226 spm_global_thread_ctx);
244 const char *contentstr)
256 SCLogDebug(
"DetectContentData \"cd\" is NULL");
260 if (tmpstr != NULL) {
289 if (tmprstr != NULL) {
343 sm->
ctx = (
void *)cd;
384 if (max_right_edge_i < 0) {
388 uint32_t max_right_edge = (uint32_t)max_right_edge_i;
391 for ( ; sm != NULL; sm = sm->
next) {
398 "signature can't match as content length %u is bigger than dsize %u.",
402 if (right_edge > max_right_edge) {
404 "signature can't match as content length %u with offset %u (=%u) is bigger than dsize %u.",
432 uint16_t offset_plus_pat = 0;
434 bool last_reset =
false;
436 bool has_depth =
false;
437 bool has_ends_with =
false;
438 uint16_t ends_with_depth = 0;
440 bool have_anchor =
false;
443 for ( ; sm != NULL; sm = sm->
next) {
471 SCLogDebug(
"stored: offset %u depth %u offset_plus_pat %u", offset, depth, offset_plus_pat);
480 SCLogDebug(
"no distance, reset offset_plus_pat & offset");
481 offset_plus_pat = offset = 0;
484 SCLogDebug(
"stored: offset %u depth %u offset_plus_pat %u", offset, depth, offset_plus_pat);
491 if (depth && depth > offset_plus_pat) {
495 SCLogDebug(
"distance to add: %u. depth + dist %u", dist, depth + dist);
505 if (cd->
depth == 0 && depth != 0) {
518 has_ends_with =
true;
519 if (ends_with_depth == 0)
520 ends_with_depth = depth;
521 ends_with_depth =
MIN(ends_with_depth, depth);
528 cd->
offset = offset_plus_pat;
539 SCLogDebug(
"offset %u offset_plus_pat %u", offset, offset_plus_pat);
545 SCLogDebug(
"stored offset %u offset_plus_pat %u", offset, offset_plus_pat);
552 has_ends_with =
true;
553 if (ends_with_depth == 0)
554 ends_with_depth = depth;
555 ends_with_depth =
MIN(ends_with_depth, depth);
573 SCLogDebug(
"non-anchored PCRE not supported, reset offset_plus_pat & offset");
574 offset_plus_pat = offset = depth = 0;
580 SCLogDebug(
"keyword not supported, reset offset_plus_pat & offset");
581 offset_plus_pat = offset = depth = 0;
588 if (has_depth && has_ends_with) {
590 for ( ; sm != NULL; sm = sm->
next) {
595 cd->
depth = ends_with_depth;
609 static bool TestLastContent(
const Signature *s, uint16_t o, uint16_t d)
625 if (d != cd->
depth) {
632 #define TEST_RUN(sig, o, d) \ 634 SCLogDebug("TEST_RUN start: '%s'", (sig)); \ 635 DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \ 636 FAIL_IF_NULL(de_ctx); \ 638 snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \ 639 Signature *s = DetectEngineAppendSig(de_ctx, rule); \ 641 SigAddressPrepareStage1(de_ctx); \ 642 bool res = TestLastContent(s, (o), (d)); \ 643 FAIL_IF(res == false); \ 644 DetectEngineCtxFree(de_ctx); \ 651 static int DetectContentDepthTest01(
void)
654 TEST_RUN(
"content:\"abc\"; offset:1; depth:3;", 1, 4);
656 TEST_RUN(
"dsize:10; content:\"abc\";", 0, 10);
659 TEST_RUN(
"content:\"abc\"; depth:3; content:\"xyz\"; distance:0; within:3; ", 3, 6);
661 TEST_RUN(
"content:\"abc\"; offset:3; depth:3; content:\"xyz\"; distance:0; within:3; ", 6, 9);
662 TEST_RUN(
"content:\"abc\"; depth:6; content:\"xyz\"; distance:0; within:3; ", 3, 9);
665 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; distance:0; within:3; content:\"xyz\"; distance:0; within:3; ", 6, 9);
667 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; content:\"xyz\"; distance:0; within:3; ", 3, 0);
669 TEST_RUN(
"content:\"abc\"; depth:3; pcre:/\"klm\"/; content:\"xyz\"; distance:0; within:3; ", 0, 0);
671 TEST_RUN(
"content:\"abc\"; depth:3; pcre:/\"klm\"/R; content:\"xyz\"; distance:0; within:3; ", 3, 0);
672 TEST_RUN(
"content:\"abc\"; offset:3; depth:3; pcre:/\"klm\"/R; content:\"xyz\"; distance:0; within:3; ", 6, 0);
674 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; within:3; content:\"xyz\"; within:3; ", 0, 9);
676 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; distance:0; content:\"xyz\"; distance:0; ", 6, 0);
679 TEST_RUN(
"content:\"abc\"; depth:6; isdataat:!1,relative; content:\"klm\";", 0, 6);
680 TEST_RUN(
"content:\"abc\"; depth:3; content:\"klm\"; within:3; content:\"xyz\"; within:3; isdataat:!1,relative; content:\"def\"; ", 0, 9);
682 TEST_RUN(
"content:\"|03|\"; depth:1; content:\"|e0|\"; distance:4; within:1;", 5, 6);
683 TEST_RUN(
"content:\"|03|\"; depth:1; content:\"|e0|\"; distance:4; within:1; content:\"Cookie|3a|\"; distance:5; within:7;", 11, 18);
685 TEST_RUN(
"content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; content:\"string\"; within:8;", 0, 0);
687 TEST_RUN(
"dsize:<80; content:!\"|00 22 02 00|\"; depth: 4; content:\"|00 00 04|\"; distance:8; within:3; content:\"|00 00 00 00 00|\"; distance:6; within:5;", 17, 80);
688 TEST_RUN(
"content:!\"|00 22 02 00|\"; depth: 4; content:\"|00 00 04|\"; distance:8; within:3; content:\"|00 00 00 00 00|\"; distance:6; within:5;", 17, 0);
690 TEST_RUN(
"content:\"|0d 0a 0d 0a|\"; content:\"code=\"; distance:0;", 4, 0);
691 TEST_RUN(
"content:\"|0d 0a 0d 0a|\"; content:\"code=\"; distance:0; content:\"xploit.class\"; distance:2; within:18;", 11, 0);
693 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0;", 2, 0);
694 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0; content:\"|0d|LogMeIn, Inc.\"; distance:1; within:14;", 6, 0);
695 TEST_RUN(
"content:\"|16 03|\"; depth:2; content:\"|55 04 0a|\"; distance:0; content:\"|0d|LogMeIn, Inc.\"; distance:1; within:14; content:\".app\";", 0, 0);
697 TEST_RUN(
"content:\"=\"; offset:4; depth:9;", 4, 13);
700 TEST_RUN(
"content:\"=\"; offset:4; depth:9; content:\"=&\"; distance:55; within:2;", 60, 70);
710 static void DetectContentPrintAll(
SigMatch *sm)
722 for (; first_sm != NULL; first_sm = first_sm->
next) {
724 SCLogDebug(
"Printing SigMatch DETECT_CONTENT %d", ++i);
732 static int g_file_data_buffer_id = 0;
733 static int g_dce_stub_data_buffer_id = 0;
738 static int DetectContentParseTest01 (
void)
742 const char *teststring =
"abc\\:def";
743 const char *teststringparsed =
"abc:def";
747 FAIL_IF(spm_global_thread_ctx == NULL);
751 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
752 SCLogDebug(
"expected %s got ", teststringparsed);
759 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
769 static int DetectContentParseTest02 (
void)
773 const char *teststring =
"abc\\;def";
774 const char *teststringparsed =
"abc;def";
778 FAIL_IF(spm_global_thread_ctx == NULL);
782 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
783 SCLogDebug(
"expected %s got ", teststringparsed);
790 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
800 static int DetectContentParseTest03 (
void)
804 const char *teststring =
"abc\\\"def";
805 const char *teststringparsed =
"abc\"def";
809 FAIL_IF(spm_global_thread_ctx == NULL);
813 if (memcmp(cd->
content, teststringparsed, strlen(teststringparsed)) != 0) {
814 SCLogDebug(
"expected %s got ", teststringparsed);
821 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
831 static int DetectContentParseTest04 (
void)
835 const char *teststring =
"abc\\\\def";
836 const char *teststringparsed =
"abc\\def";
840 FAIL_IF(spm_global_thread_ctx == NULL);
845 if (memcmp(cd->
content, teststringparsed, len) != 0) {
846 SCLogDebug(
"expected %s got ", teststringparsed);
853 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
863 static int DetectContentParseTest05 (
void)
867 const char *teststring =
"abc\\def";
871 FAIL_IF(spm_global_thread_ctx == NULL);
888 static int DetectContentParseTest06 (
void)
892 const char *teststring =
"a|42|c|44|e|46|";
893 const char *teststringparsed =
"abcdef";
897 FAIL_IF(spm_global_thread_ctx == NULL);
902 if (memcmp(cd->
content, teststringparsed, len) != 0) {
903 SCLogDebug(
"expected %s got ", teststringparsed);
910 SCLogDebug(
"expected %s got NULL: ", teststringparsed);
920 static int DetectContentParseTest07 (
void)
924 const char *teststring =
"";
928 FAIL_IF(spm_global_thread_ctx == NULL);
943 static int DetectContentParseTest08 (
void)
947 const char *teststring =
"";
951 FAIL_IF(spm_global_thread_ctx == NULL);
972 static int DetectContentLongPatternMatchTest(uint8_t *raw_eth_pkt, uint16_t pktsize,
const char *sig,
987 memset(&th_v, 0,
sizeof(th_v));
993 if (de_ctx == NULL) {
1008 printf(
"relative next flag set on final match which is content: ");
1013 SCLogDebug(
"---DetectContentLongPatternMatchTest---");
1030 if (det_ctx != NULL)
1044 static int DetectContentLongPatternMatchTestWrp(
const char *sig, uint32_t sid)
1051 uint8_t raw_eth_pkt[] = {
1052 0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,
1053 0x00,0x00,0x00,0x00,0x08,0x00,0x45,0x00,
1054 0x00,0x85,0x00,0x01,0x00,0x00,0x40,0x06,
1055 0x7c,0x70,0x7f,0x00,0x00,0x01,0x7f,0x00,
1056 0x00,0x01,0x00,0x14,0x00,0x50,0x00,0x00,
1057 0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x02,
1058 0x20,0x00,0xc9,0xad,0x00,0x00,0x48,0x69,
1059 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
1060 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
1061 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
1062 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
1063 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
1064 0x74,0x63,0x68,0x65,0x73,0x20,0x6f,0x66,
1065 0x20,0x73,0x70,0x6c,0x69,0x74,0x74,0x65,
1066 0x64,0x20,0x70,0x61,0x74,0x74,0x65,0x72,
1067 0x6e,0x73,0x20,0x62,0x65,0x74,0x77,0x65,
1068 0x65,0x6e,0x20,0x6d,0x75,0x6c,0x74,0x69,
1069 0x70,0x6c,0x65,0x20,0x63,0x68,0x75,0x6e,
1072 return DetectContentLongPatternMatchTest(raw_eth_pkt, (uint16_t)
sizeof(raw_eth_pkt),
1079 static int DetectContentLongPatternMatchTest01(
void)
1081 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";" 1082 " content:\"Hi, this is a big test\"; sid:1;)";
1083 return DetectContentLongPatternMatchTestWrp(sig, 1);
1089 static int DetectContentLongPatternMatchTest02(
void)
1091 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";" 1092 " content:\"Hi, this is a big test to check content matches of" 1093 " splitted patterns between multiple chunks!\"; sid:1;)";
1094 return DetectContentLongPatternMatchTestWrp(sig, 1);
1101 static int DetectContentLongPatternMatchTest03(
void)
1104 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\";" 1105 " content:\"Hi, this is a big test to check content matches of" 1106 " splitted patterns between multiple splitted chunks!\"; sid:1;)";
1107 return (DetectContentLongPatternMatchTestWrp(sig, 1) == 0) ? 1: 0;
1113 static int DetectContentLongPatternMatchTest04(
void)
1115 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; " 1116 " content:\"Hi, this is\"; depth:15 ;content:\"a big test\"; " 1117 " within:15; content:\"to check content matches of\"; " 1118 " within:30; content:\"splitted patterns\"; distance:1; " 1121 return DetectContentLongPatternMatchTestWrp(sig, 1);
1129 static int DetectContentLongPatternMatchTest05(
void)
1131 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; " 1132 " content:\"Hi, this is a big\"; depth:17; " 1133 " isdataat:30, relative; " 1134 " content:\"test\"; within: 5; distance:1; " 1135 " isdataat:15, relative; " 1136 " content:\"of splitted\"; within:37; distance:15; " 1137 " isdataat:20,relative; " 1138 " content:\"patterns\"; within:9; distance:1; " 1139 " isdataat:10, relative; " 1141 return DetectContentLongPatternMatchTestWrp(sig, 1);
1149 static int DetectContentLongPatternMatchTest06(
void)
1151 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; " 1152 " content:\"Hi, this is a big test to check cont\"; depth:36;" 1153 " content:\"ent matches\"; within:11; distance:0; " 1154 " content:\"of splitted patterns between multiple\"; " 1155 " within:38; distance:1; " 1156 " content:\"chunks!\"; within: 8; distance:1; " 1158 return DetectContentLongPatternMatchTestWrp(sig, 1);
1165 static int DetectContentLongPatternMatchTest07(
void)
1167 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; " 1168 " content:\"chunks!\"; " 1169 " content:\"content matches\"; offset:32; depth:47; " 1170 " content:\"of splitted patterns between multiple\"; " 1171 " content:\"Hi, this is a big\"; offset:0; depth:17; " 1173 return DetectContentLongPatternMatchTestWrp(sig, 1);
1180 static int DetectContentLongPatternMatchTest08(
void)
1182 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; " 1183 " content:\"ent matches\"; " 1184 " content:\"of splitted patterns between multiple\"; " 1185 " within:38; distance:1; " 1186 " content:\"chunks!\"; within: 8; distance:1; " 1187 " content:\"Hi, this is a big test to check cont\"; depth:36;" 1189 return DetectContentLongPatternMatchTestWrp(sig, 1);
1196 static int DetectContentLongPatternMatchTest09(
void)
1198 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; " 1199 " content:\"ent matches\"; " 1200 " content:\"of splitted patterns between multiple\"; " 1201 " offset:47; depth:85; " 1202 " content:\"chunks!\"; within: 8; distance:1; " 1203 " content:\"Hi, this is a big test to chec\"; depth:36;" 1204 " content:\"k cont\"; distance:0; within:6;" 1206 return DetectContentLongPatternMatchTestWrp(sig, 1);
1212 static int DetectContentLongPatternMatchTest10(
void)
1214 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; " 1215 " content:\"Hi, this is a big test to check \"; " 1216 " content:\"con\"; " 1218 return DetectContentLongPatternMatchTestWrp(sig, 1);
1224 static int DetectContentLongPatternMatchTest11(
void)
1226 const char *sig =
"alert tcp any any -> any any (msg:\"Nothing..\"; " 1230 return DetectContentLongPatternMatchTestWrp(sig, 1);
1233 static int DetectContentParseTest09(
void)
1236 const char *teststring =
"boo";
1240 FAIL_IF(spm_global_thread_ctx == NULL);
1253 static int DetectContentParseTest17(
void)
1256 const char *sigstr =
"alert tcp any any -> any any (msg:\"Dummy\"; " 1257 "content:\"one\"; content:\"two\"; within:2; sid:1;)";
1279 static int DetectContentParseTest18(
void)
1284 if (de_ctx == NULL) {
1293 result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[
DETECT_SM_LIST_PMATCH] != NULL);
1302 result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[
DETECT_SM_LIST_PMATCH] != NULL);
1315 static int DetectContentParseTest19(
void)
1328 "(msg:\"Testing dce iface, stub_data with content\"; " 1329 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " 1331 "content:\"one\"; distance:0; sid:1;)");
1333 printf (
"failed dce iface, stub_data with content ");
1338 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1342 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_CONTENT);
1356 s->
next =
SigInit(de_ctx,
"alert tcp any any -> any any " 1357 "(msg:\"Testing dce iface, stub_data with contents & distance, within\"; " 1358 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " 1360 "content:\"one\"; distance:0; content:\"two\"; within:10; sid:1;)");
1361 if (s->
next == NULL) {
1362 printf(
"failed dce iface, stub_data with content & distance, within");
1367 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1371 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_CONTENT);
1384 result &= (data->
within == 10);
1458 s->
next =
SigInit(de_ctx,
"alert tcp any any -> any any " 1459 "(msg:\"Testing dce iface, stub with contents, distance, within\"; " 1460 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " 1462 "content:\"one\"; distance:0; " 1463 "content:\"two\"; within:10; distance:2; sid:1;)");
1464 if (s->
next == NULL) {
1469 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
1473 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_CONTENT);
1578 s->
next =
SigInit(de_ctx,
"alert tcp any any -> any any " 1579 "(msg:\"Testing content\"; " 1580 "content:\"one\"; sid:1;)");
1581 if (s->
next == NULL) {
1582 printf (
"failed testing content");
1587 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
1604 static int DetectContentParseTest20(
void)
1615 "alert udp any any -> any any " 1616 "(msg:\"test\"; content:\"\"; sid:238012;)");
1633 static int DetectContentParseTest21(
void)
1644 "alert udp any any -> any any " 1645 "(msg:\"test\"; content:\"; sid:238012;)");
1662 static int DetectContentParseTest22(
void)
1673 "alert udp any any -> any any " 1674 "(msg:\"test\"; content:\"boo; sid:238012;)");
1691 static int DetectContentParseTest23(
void)
1702 "alert udp any any -> any any " 1703 "(msg:\"test\"; content:boo\"; sid:238012;)");
1720 static int DetectContentParseTest24(
void)
1733 "alert udp any any -> any any " 1734 "(msg:\"test\"; content: !\"boo\"; sid:238012;)");
1736 printf(
"de_ctx->sig_list == NULL: ");
1742 printf(
"de_ctx->pmatch_tail == NULL || de_ctx->pmatch_tail->ctx == NULL: ");
1761 static int DetectContentParseTest25(
void)
1772 "alert udp any any -> any any " 1773 "(msg:\"test\"; content:\"|\"; sid:1;)");
1790 static int DetectContentParseTest26(
void)
1801 "alert udp any any -> any any " 1802 "(msg:\"test\"; content:\"|af\"; sid:1;)");
1819 static int DetectContentParseTest27(
void)
1830 "alert udp any any -> any any " 1831 "(msg:\"test\"; content:\"af|\"; sid:1;)");
1848 static int DetectContentParseTest28(
void)
1859 "alert udp any any -> any any " 1860 "(msg:\"test\"; content:\"|af|\"; sid:1;)");
1877 static int DetectContentParseTest29(
void)
1888 "alert udp any any -> any any " 1889 "(msg:\"test\"; content:\"aast|\"; sid:1;)");
1906 static int DetectContentParseTest30(
void)
1917 "alert udp any any -> any any " 1918 "(msg:\"test\"; content:\"aast|af\"; sid:1;)");
1935 static int DetectContentParseTest31(
void)
1946 "alert udp any any -> any any " 1947 "(msg:\"test\"; content:\"aast|af|\"; sid:1;)");
1964 static int DetectContentParseTest32(
void)
1975 "alert udp any any -> any any " 1976 "(msg:\"test\"; content:\"|af|asdf\"; sid:1;)");
1993 static int DetectContentParseTest33(
void)
2004 "alert udp any any -> any any " 2005 "(msg:\"test\"; content:\"|af|af|\"; sid:1;)");
2022 static int DetectContentParseTest34(
void)
2033 "alert udp any any -> any any " 2034 "(msg:\"test\"; content:\"|af|af|af\"; sid:1;)");
2051 static int DetectContentParseTest35(
void)
2062 "alert udp any any -> any any " 2063 "(msg:\"test\"; content:\"|af|af|af|\"; sid:1;)");
2080 static int DetectContentParseTest36(
void)
2091 "alert tcp any any -> any any " 2092 "(msg:\"test\"; file_data; content:\"abc\"; sid:1;)");
2094 printf(
"sig parse failed: ");
2099 printf(
"content still in PMATCH list: ");
2103 if (de_ctx->
sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
2104 printf(
"content not in FILEDATA list: ");
2120 static int DetectContentParseTest37(
void)
2131 "alert tcp any any -> any any " 2132 "(msg:\"test\"; file_data; content:\"abc\"; content:\"def\"; sid:1;)");
2134 printf(
"sig parse failed: ");
2139 printf(
"content still in PMATCH list: ");
2143 if (de_ctx->
sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
2144 printf(
"content not in FILEDATA list: ");
2160 static int DetectContentParseTest38(
void)
2171 "alert tcp any any -> any any " 2172 "(msg:\"test\"; file_data; content:\"abc\"; content:\"def\"; within:8; sid:1;)");
2174 printf(
"sig parse failed: ");
2179 printf(
"content still in PMATCH list: ");
2183 if (de_ctx->
sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
2184 printf(
"content not in FILEDATA list: ");
2197 static int SigTestPositiveTestContent(
const char *rule, uint8_t *buf)
2199 uint16_t buflen = strlen((
char *)buf);
2203 memset(&th_v, 0,
sizeof(th_v));
2232 static int DetectContentParseTest39(
void)
2243 "alert tcp any any -> any any " 2244 "(msg:\"test\"; file_data; content:\"abc\"; within:8; sid:1;)");
2246 printf(
"sig parse failed: ");
2251 printf(
"content still in PMATCH list: ");
2255 if (de_ctx->
sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
2256 printf(
"content not in FILEDATA list: ");
2272 static int DetectContentParseTest40(
void)
2283 "alert tcp any any -> any any " 2284 "(msg:\"test\"; file_data; content:\"abc\"; distance:3; sid:1;)");
2286 printf(
"sig parse failed: ");
2291 printf(
"content still in PMATCH list: ");
2295 if (de_ctx->
sig_list->sm_lists[g_file_data_buffer_id] == NULL) {
2296 printf(
"content not in FILEDATA list: ");
2309 static int DetectContentParseTest41(
void)
2314 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2318 for (
int i = 0; i < patlen; idx++, i++) {
2319 teststring[idx] =
'a';
2321 teststring[idx++] =
'\0';
2325 FAIL_IF(spm_global_thread_ctx == NULL);
2342 static int DetectContentParseTest42(
void)
2347 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2351 for (
int i = 0; i < patlen; idx++, i++) {
2352 teststring[idx] =
'a';
2354 teststring[idx++] =
'\0';
2358 FAIL_IF(spm_global_thread_ctx == NULL);
2372 static int DetectContentParseTest43(
void)
2377 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2381 teststring[idx++] =
'|';
2382 teststring[idx++] =
'4';
2383 teststring[idx++] =
'6';
2384 teststring[idx++] =
'|';
2385 for (
int i = 0; i < (patlen - 4); idx++, i++) {
2386 teststring[idx] =
'a';
2388 teststring[idx++] =
'\0';
2392 FAIL_IF(spm_global_thread_ctx == NULL);
2409 static int DetectContentParseTest44(
void)
2414 char *teststring =
SCMalloc(
sizeof(
char) * (patlen + 1));
2418 teststring[idx++] =
'|';
2419 teststring[idx++] =
'4';
2420 teststring[idx++] =
'6';
2421 teststring[idx++] =
'|';
2422 for (
int i = 0; i < (patlen - 4); idx++, i++) {
2423 teststring[idx] =
'a';
2425 teststring[idx++] =
'\0';
2429 FAIL_IF(spm_global_thread_ctx == NULL);
2446 static int DetectContentParseTest45(
void)
2455 "alert tcp any any -> any any " 2456 "(msg:\"test\"; content:\"|ff|\" content:\"TEST\"; sid:1;)");
2464 static int SigTestNegativeTestContent(
const char *rule, uint8_t *buf)
2466 uint16_t buflen = strlen((
char *)buf);
2471 memset(&th_v, 0,
sizeof(th_v));
2496 if (det_ctx != NULL) {
2499 if (de_ctx != NULL) {
2512 static int SigTest41TestNegatedContent(
void)
2514 return SigTestPositiveTestContent(
"alert tcp any any -> any any " 2515 "(msg:\"HTTP URI cap\"; content:!\"GES\"; sid:1;)",
2517 (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\n" 2518 "GET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2526 static int SigTest41aTestNegatedContent(
void)
2528 (void)SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; flow:to_server; content:\"GET\"; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2537 static int SigTest42TestNegatedContent(
void)
2539 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"twentythree\"; depth:22; offset:35; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2549 static int SigTest43TestNegatedContent(
void)
2551 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:!\"twentythree\"; depth:34; offset:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2559 static int SigTest44TestNegatedContent(
void)
2561 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"twentythree\"; offset:40; depth:35; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2568 static int SigTest45TestNegatedContent(
void)
2570 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:5; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2577 static int SigTest46TestNegatedContent(
void)
2579 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"onee\"; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2587 static int SigTest47TestNegatedContent(
void)
2589 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; offset:5; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2596 static int SigTest48TestNegatedContent(
void)
2598 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; within:26; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2605 static int SigTest49TestNegatedContent(
void)
2607 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"Host\"; within:26; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2614 static int SigTest50TestNegatedContent(
void)
2616 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; distance:25; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2626 static int SigTest51TestNegatedContent(
void)
2628 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"GET\"; content:!\"Host\"; distance:17; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2635 static int SigTest52TestNegatedContent(
void)
2637 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GES\"; content:!\"BOO\"; sid:1;)", (uint8_t *)
"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
2644 static int SigTest53TestNegatedContent(
void)
2646 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2653 static int SigTest54TestNegatedContent(
void)
2655 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:20; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2662 static int SigTest55TestNegatedContent(
void)
2664 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"one\"; depth:5; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2671 static int SigTest56TestNegatedContent(
void)
2673 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2680 static int SigTest57TestNegatedContent(
void)
2682 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2689 static int SigTest58TestNegatedContent(
void)
2691 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; distance:57; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2698 static int SigTest59TestNegatedContent(
void)
2700 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; distance:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2703 static int SigTest60TestNegatedContent(
void)
2705 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"one\"; content:\"fourty\"; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2708 static int SigTest61TestNegatedContent(
void)
2710 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2720 static int SigTest62TestNegatedContent(
void)
2722 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:49; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2725 static int SigTest63TestNegatedContent(
void)
2727 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:10; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2730 static int SigTest64TestNegatedContent(
void)
2732 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2742 static int SigTest65TestNegatedContent(
void)
2744 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; distance:0; within:49; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2747 static int SigTest66TestNegatedContent(
void)
2749 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2752 static int SigTest67TestNegatedContent(
void)
2754 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"four\"; within:56; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2757 static int SigTest68TestNegatedContent(
void)
2759 return SigTestPositiveTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:28; content:\"fiftysix\"; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2762 static int SigTest69TestNegatedContent(
void)
2764 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:48; content:\"fiftysix\"; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2767 static int SigTest70TestNegatedContent(
void)
2769 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:52; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2773 static int SigTest71TestNegatedContent(
void)
2775 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:40; distance:43; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2778 static int SigTest72TestNegatedContent(
void)
2780 return SigTestNegativeTestContent(
"alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:49; distance:43; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2783 static int SigTest73TestNegatedContent(
void)
2785 return SigTestNegativeTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:5; content:!\"twentythree\"; depth:35; sid:1;)", (uint8_t *)
"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
2788 static int SigTest74TestNegatedContent(
void)
2790 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; sid:1;)", (uint8_t *)
"USER apple");
2793 static int SigTest75TestNegatedContent(
void)
2795 return SigTestPositiveTestContent(
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)
"USER !PASS");
/**
 * \brief Regression test for bug 134: a content pattern containing the
 *        shell-variable syntax "${IFS}" must be treated as the literal bytes
 *        '$', '{', 'I', 'F', 'S', '}' by the content parser.
 *
 * NOTE(review): this rendering omits most of the body (original lines
 * 2802-2805, 2807-2814 and 2818-2831: the Flow/Packet setup, the detection
 * run and the cleanup), so the expected match result cannot be confirmed
 * from the visible lines — presumably the rule is expected to alert.
 */
2798 static int SigTest76TestBug134(
void)
/* Payload holds the same "${IFS}" bytes the rule's content: matches on. */
2800 uint8_t *buf = (uint8_t *)
"test detect ${IFS} in traffic";
2801 uint16_t buflen = strlen((
char *)buf);
/* f is the Flow declared on an unrendered line; zeroed before use. */
2806 memset(&f, 0,
sizeof(
Flow));
/* Rule for port 515, to_server/established; depth:50 with offset:0 bounds
 * the search to the first 50 bytes of the payload. */
2815 char sig[] =
"alert tcp any any -> any 515 " 2816 "(msg:\"detect IFS\"; flow:to_server,established; content:\"${IFS}\";" 2817 " depth:50; offset:0; sid:900091; rev:1;)";
/**
 * \brief Regression test for bug 139: hex-pipe content ("|00 00|", i.e. two
 *        NUL bytes) combined with offset:13 and depth:5 against a binary
 *        UDP/53 payload.
 *
 * NOTE(review): the array declaration (original lines 2833-2834) and the
 * remainder of the function (2844-2856) are not rendered here, so the
 * expected outcome is not visible.
 */
2832 static int SigTest77TestBug139(
void)
/* If the initializer starts at 0x12 below, bytes 13..17 are the five 0x00
 * bytes that the rule's offset:13/depth:5 window covers. */
2835 0x12, 0x23, 0x34, 0x35, 0x52, 0x52, 0x24, 0x42, 0x22, 0x24,
2836 0x52, 0x24, 0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x34 };
2837 uint16_t buflen =
sizeof(buf);
/* "|00 00|" is the content keyword's hex notation for raw bytes; it is the
 * only way to put NUL bytes into a pattern. */
2842 char sig[] =
"alert udp any any -> any 53 (msg:\"dns testing\";" 2843 " content:\"|00 00|\"; depth:5; offset:13; sid:9436601;" 2857 static int DetectLongContentTestCommon(
/**
 * \brief Shared driver for the DetectLongContentTest* cases: loads \p sig,
 *        runs it against a canned 739-byte Ethernet frame and reports
 *        whether the signature with id \p sid matched.
 *
 * Decoding the hex below: an Ethernet frame (ethertype 0x0800) carrying an
 * IPv4/TCP segment from 10.16.1.11 to 10.16.1.10:80 with an HTTP request
 * "POST / HTTP/1.1", User-Agent curl/7.37.0, Content-Length: 528, and a body
 * made of 'X' (0x58) and a long run of 'A' (0x41) bytes. The 'A' run is what
 * the callers' long content patterns are matched against.
 *
 * NOTE(review): original lines 2858-2859 and 2953-2959 (opening brace, tail
 * of the initializer, end of the return statement and closing brace) are not
 * rendered here, so the visible body is incomplete.
 *
 * \param sig  signature string to load
 * \param sid  signature id whose alert status is checked
 * \return pass-through of DetectContentLongPatternMatchTest() (not visible)
 */
const char *sig, uint32_t sid)
2860 static uint8_t pkt[739] = {
/* Ethernet header: zero dst/src MAC, ethertype 0x0800 (IPv4); then the
 * IPv4 header starting at 0x45 (v4, IHL 5), proto 0x06 (TCP). */
2861 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2862 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x45, 0x00,
2863 0x02, 0xd5, 0x4a, 0x18, 0x40, 0x00, 0x40, 0x06,
2864 0xd7, 0xd6, 0x0a, 0x10, 0x01, 0x0b, 0x0a, 0x10,
/* TCP header: src port 0xdb36, dst port 0x0050 (80), flags 0x18 (PSH/ACK),
 * with timestamp options. */
2865 0x01, 0x0a, 0xdb, 0x36, 0x00, 0x50, 0xca, 0xc5,
2866 0xcc, 0xd1, 0x95, 0x77, 0x0f, 0x7d, 0x80, 0x18,
2867 0x00, 0xe5, 0x77, 0x9d, 0x00, 0x00, 0x01, 0x01,
2868 0x08, 0x0a, 0x1d, 0xe0, 0x86, 0xc6, 0xfc, 0x73,
/* HTTP: "POST / HTTP/1.1\r\n" followed by User-Agent, Host, Accept,
 * Content-Length: 528 and Content-Type headers. */
2869 0x49, 0xf3, 0x50, 0x4f, 0x53, 0x54, 0x20, 0x2f,
2870 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e,
2871 0x31, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
2872 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x63,
2873 0x75, 0x72, 0x6c, 0x2f, 0x37, 0x2e, 0x33, 0x37,
2874 0x2e, 0x30, 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74,
2875 0x3a, 0x20, 0x31, 0x30, 0x2e, 0x31, 0x36, 0x2e,
2876 0x31, 0x2e, 0x31, 0x30, 0x0d, 0x0a, 0x41, 0x63,
2877 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f,
2878 0x2a, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65,
2879 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74,
2880 0x68, 0x3a, 0x20, 0x35, 0x32, 0x38, 0x0d, 0x0a,
2881 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d,
2882 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x61, 0x70,
2883 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
2884 0x6e, 0x2f, 0x78, 0x2d, 0x77, 0x77, 0x77, 0x2d,
2885 0x66, 0x6f, 0x72, 0x6d, 0x2d, 0x75, 0x72, 0x6c,
2886 0x65, 0x6e, 0x63, 0x6f, 0x64, 0x65, 0x64, 0x0d,
/* End of headers (\r\n\r\n), then the body: 8 x 'X' followed by the 'A'
 * run that the long content patterns target. */
2887 0x0a, 0x0d, 0x0a, 0x58, 0x58, 0x58, 0x58, 0x58,
2888 0x58, 0x58, 0x58, 0x41, 0x41, 0x41, 0x41, 0x41,
2889 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2890 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2891 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2892 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2893 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2894 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2895 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2896 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2897 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2898 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2899 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2900 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2901 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2902 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2903 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2904 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2905 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2906 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2907 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2908 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2909 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2910 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2911 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2912 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2913 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2914 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2915 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2916 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2917 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2918 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2919 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2920 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2921 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2922 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2923 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2924 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2925 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2926 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2927 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2928 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2929 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2930 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2931 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2932 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2933 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2934 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2935 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2936 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2937 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2938 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2939 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2940 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2941 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2942 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2943 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2944 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2945 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2946 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2947 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2948 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2949 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2950 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
2951 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
/* Tail of the 'A' run and the closing 'X' bytes; the initializer's last
 * lines (original 2953-2955) are not rendered here. */
2952 0x41, 0x41, 0x41, 0x58, 0x58, 0x58, 0x58, 0x58,
/* sizeof(pkt) is 739, which fits the uint16_t length parameter. */
2956 return DetectContentLongPatternMatchTest(pkt, (uint16_t)
sizeof(pkt), sig,
/**
 * \brief Long content pattern, first size step: a rule whose content: is a
 *        long run of 'A' bytes is run against the canned POST frame in
 *        DetectLongContentTestCommon(), which carries a longer 'A' run.
 *
 * \return pass-through of DetectLongContentTestCommon() for sid 1
 */
static int DetectLongContentTest1(void)
{
    return DetectLongContentTestCommon(
            "alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)",
            1);
}
/**
 * \brief Long content pattern, second size step: same shape as
 *        DetectLongContentTest1 but with a visibly longer 'A' run, still
 *        expected to be found in the canned frame's body.
 *
 * \return pass-through of DetectLongContentTestCommon() for sid 1
 */
static int DetectLongContentTest2(void)
{
    const char *const rule = "alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
    int matched = DetectLongContentTestCommon(rule, 1);

    return matched;
}
/**
 * \brief Long content pattern, oversize step (negative case): the 'A' run is
 *        longer again than in DetectLongContentTest2 and the test passes only
 *        when DetectLongContentTestCommon() reports NO match — presumably
 *        because the pattern exceeds what the frame body (or the content
 *        length limit) can satisfy; confirm against the helper.
 *
 * \return 1 when the common helper returned 0, else 0
 */
static int DetectLongContentTest3(void)
{
    const char *rule = "alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";

    /* Inverted: success means the oversize pattern did not match. */
    return DetectLongContentTestCommon(rule, 1) == 0;
}
/**
 * \brief Registers the content keyword's unit tests with the test runner.
 *
 * Each UtRegisterTest() call pairs a test name with its int(void) test
 * function; the runner reports each one by that name.
 *
 * NOTE(review): this rendering drops several source lines inside the
 * function (e.g. original 2991-2994, the "UtRegisterTest(name," half of the
 * DetectContentLongPatternMatchTest01..11 and SigTest41a entries, and
 * 3098-3101), so the visible text is not the complete body — check the
 * repository source before editing the registration list.
 */
2989 static void DetectContentRegisterTests(
void)
/* depth handling */
2995 UtRegisterTest(
"DetectContentDepthTest01", DetectContentDepthTest01);
/* content string parser (quotes, hex pipes, escapes, negation) */
2997 UtRegisterTest(
"DetectContentParseTest01", DetectContentParseTest01);
2998 UtRegisterTest(
"DetectContentParseTest02", DetectContentParseTest02);
2999 UtRegisterTest(
"DetectContentParseTest03", DetectContentParseTest03);
3000 UtRegisterTest(
"DetectContentParseTest04", DetectContentParseTest04);
3001 UtRegisterTest(
"DetectContentParseTest05", DetectContentParseTest05);
3002 UtRegisterTest(
"DetectContentParseTest06", DetectContentParseTest06);
3003 UtRegisterTest(
"DetectContentParseTest07", DetectContentParseTest07);
3004 UtRegisterTest(
"DetectContentParseTest08", DetectContentParseTest08);
3005 UtRegisterTest(
"DetectContentParseTest09", DetectContentParseTest09);
3006 UtRegisterTest(
"DetectContentParseTest17", DetectContentParseTest17);
3007 UtRegisterTest(
"DetectContentParseTest18", DetectContentParseTest18);
3008 UtRegisterTest(
"DetectContentParseTest19", DetectContentParseTest19);
3009 UtRegisterTest(
"DetectContentParseTest20", DetectContentParseTest20);
3010 UtRegisterTest(
"DetectContentParseTest21", DetectContentParseTest21);
3011 UtRegisterTest(
"DetectContentParseTest22", DetectContentParseTest22);
3012 UtRegisterTest(
"DetectContentParseTest23", DetectContentParseTest23);
3013 UtRegisterTest(
"DetectContentParseTest24", DetectContentParseTest24);
3014 UtRegisterTest(
"DetectContentParseTest25", DetectContentParseTest25);
3015 UtRegisterTest(
"DetectContentParseTest26", DetectContentParseTest26);
3016 UtRegisterTest(
"DetectContentParseTest27", DetectContentParseTest27);
3017 UtRegisterTest(
"DetectContentParseTest28", DetectContentParseTest28);
3018 UtRegisterTest(
"DetectContentParseTest29", DetectContentParseTest29);
3019 UtRegisterTest(
"DetectContentParseTest30", DetectContentParseTest30);
3020 UtRegisterTest(
"DetectContentParseTest31", DetectContentParseTest31);
3021 UtRegisterTest(
"DetectContentParseTest32", DetectContentParseTest32);
3022 UtRegisterTest(
"DetectContentParseTest33", DetectContentParseTest33);
3023 UtRegisterTest(
"DetectContentParseTest34", DetectContentParseTest34);
3024 UtRegisterTest(
"DetectContentParseTest35", DetectContentParseTest35);
3025 UtRegisterTest(
"DetectContentParseTest36", DetectContentParseTest36);
3026 UtRegisterTest(
"DetectContentParseTest37", DetectContentParseTest37);
3027 UtRegisterTest(
"DetectContentParseTest38", DetectContentParseTest38);
3028 UtRegisterTest(
"DetectContentParseTest39", DetectContentParseTest39);
3029 UtRegisterTest(
"DetectContentParseTest40", DetectContentParseTest40);
3030 UtRegisterTest(
"DetectContentParseTest41", DetectContentParseTest41);
3031 UtRegisterTest(
"DetectContentParseTest42", DetectContentParseTest42);
3032 UtRegisterTest(
"DetectContentParseTest43", DetectContentParseTest43);
3033 UtRegisterTest(
"DetectContentParseTest44", DetectContentParseTest44);
3034 UtRegisterTest(
"DetectContentParseTest45", DetectContentParseTest45);
/* long pattern matcher tests — only the function-pointer argument of each
 * registration is rendered below; the UtRegisterTest("...", line precedes
 * each one in the original. */
3038 DetectContentLongPatternMatchTest01);
3040 DetectContentLongPatternMatchTest02);
3042 DetectContentLongPatternMatchTest03);
3044 DetectContentLongPatternMatchTest04);
3046 DetectContentLongPatternMatchTest05);
3048 DetectContentLongPatternMatchTest06);
3050 DetectContentLongPatternMatchTest07);
3052 DetectContentLongPatternMatchTest08);
3054 DetectContentLongPatternMatchTest09);
3056 DetectContentLongPatternMatchTest10);
3058 DetectContentLongPatternMatchTest11);
/* negated content (content:!"...") with depth/offset/distance/within */
3061 UtRegisterTest(
"SigTest41TestNegatedContent", SigTest41TestNegatedContent);
3063 SigTest41aTestNegatedContent);
3064 UtRegisterTest(
"SigTest42TestNegatedContent", SigTest42TestNegatedContent);
3065 UtRegisterTest(
"SigTest43TestNegatedContent", SigTest43TestNegatedContent);
3066 UtRegisterTest(
"SigTest44TestNegatedContent", SigTest44TestNegatedContent);
3067 UtRegisterTest(
"SigTest45TestNegatedContent", SigTest45TestNegatedContent);
3068 UtRegisterTest(
"SigTest46TestNegatedContent", SigTest46TestNegatedContent);
3069 UtRegisterTest(
"SigTest47TestNegatedContent", SigTest47TestNegatedContent);
3070 UtRegisterTest(
"SigTest48TestNegatedContent", SigTest48TestNegatedContent);
3071 UtRegisterTest(
"SigTest49TestNegatedContent", SigTest49TestNegatedContent);
3072 UtRegisterTest(
"SigTest50TestNegatedContent", SigTest50TestNegatedContent);
3073 UtRegisterTest(
"SigTest51TestNegatedContent", SigTest51TestNegatedContent);
3074 UtRegisterTest(
"SigTest52TestNegatedContent", SigTest52TestNegatedContent);
3075 UtRegisterTest(
"SigTest53TestNegatedContent", SigTest53TestNegatedContent);
3076 UtRegisterTest(
"SigTest54TestNegatedContent", SigTest54TestNegatedContent);
3077 UtRegisterTest(
"SigTest55TestNegatedContent", SigTest55TestNegatedContent);
3078 UtRegisterTest(
"SigTest56TestNegatedContent", SigTest56TestNegatedContent);
3079 UtRegisterTest(
"SigTest57TestNegatedContent", SigTest57TestNegatedContent);
3080 UtRegisterTest(
"SigTest58TestNegatedContent", SigTest58TestNegatedContent);
3081 UtRegisterTest(
"SigTest59TestNegatedContent", SigTest59TestNegatedContent);
3082 UtRegisterTest(
"SigTest60TestNegatedContent", SigTest60TestNegatedContent);
3083 UtRegisterTest(
"SigTest61TestNegatedContent", SigTest61TestNegatedContent);
3084 UtRegisterTest(
"SigTest62TestNegatedContent", SigTest62TestNegatedContent);
3085 UtRegisterTest(
"SigTest63TestNegatedContent", SigTest63TestNegatedContent);
3086 UtRegisterTest(
"SigTest64TestNegatedContent", SigTest64TestNegatedContent);
3087 UtRegisterTest(
"SigTest65TestNegatedContent", SigTest65TestNegatedContent);
3088 UtRegisterTest(
"SigTest66TestNegatedContent", SigTest66TestNegatedContent);
3089 UtRegisterTest(
"SigTest67TestNegatedContent", SigTest67TestNegatedContent);
3090 UtRegisterTest(
"SigTest68TestNegatedContent", SigTest68TestNegatedContent);
3091 UtRegisterTest(
"SigTest69TestNegatedContent", SigTest69TestNegatedContent);
3092 UtRegisterTest(
"SigTest70TestNegatedContent", SigTest70TestNegatedContent);
3093 UtRegisterTest(
"SigTest71TestNegatedContent", SigTest71TestNegatedContent);
3094 UtRegisterTest(
"SigTest72TestNegatedContent", SigTest72TestNegatedContent);
3095 UtRegisterTest(
"SigTest73TestNegatedContent", SigTest73TestNegatedContent);
3096 UtRegisterTest(
"SigTest74TestNegatedContent", SigTest74TestNegatedContent);
3097 UtRegisterTest(
"SigTest75TestNegatedContent", SigTest75TestNegatedContent);
/* long content: patterns of increasing length against a canned HTTP POST */
3102 UtRegisterTest(
"DetectLongContentTest1", DetectLongContentTest1);
3103 UtRegisterTest(
"DetectLongContentTest2", DetectLongContentTest2);
3104 UtRegisterTest(
"DetectLongContentTest3", DetectLongContentTest3);