suricata
detect-engine-dcepayload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-engine.h"
31 #include "detect-parse.h"
32 #include "detect-pcre.h"
33 #include "detect-isdataat.h"
34 #include "detect-bytetest.h"
35 #include "detect-bytejump.h"
36 #include "detect-byte-extract.h"
37 #include "detect-content.h"
38 #include "detect-engine-content-inspection.h"
39 #include "detect-engine-dcepayload.h"
40 
41 #include "stream-tcp.h"
42 
43 #include "app-layer.h"
44 #include "app-layer-dcerpc.h"
45 #include "flow-util.h"
46 #include "util-debug.h"
47 
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 
51 #include "detect-dce-iface.h"
52 
53 static int g_dce_stub_data_buffer_id = 0;
54 
55 
56 /**************************************Unittests*******************************/
57 
58 #ifdef UNITTESTS
59 
60 /**
61  * \test Test the working of byte_test endianness.
62  */
63 static int DcePayloadTest15(void)
64 {
65  int result = 0;
66 
67  uint8_t request1[] = {
68  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
69  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
70  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
71  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
72  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
73  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
74  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
75  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
76  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
77  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
78  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
79  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
80  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
81  };
82  uint32_t request1_len = sizeof(request1);
83 
84  TcpSession ssn;
85  Packet *p = NULL;
86  ThreadVars tv;
87  DetectEngineCtx *de_ctx = NULL;
88  DetectEngineThreadCtx *det_ctx = NULL;
89  Flow f;
90  int r;
91 
92  const char *sig1 = "alert tcp any any -> any any "
93  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
94  "byte_test:2,=,14080,0,relative,dce; sid:1;)";
95  const char *sig2 = "alert tcp any any -> any any "
96  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
97  "byte_test:2,=,46,5,relative,dce; sid:2;)";
98 
99  Signature *s;
100  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
101 
102  memset(&tv, 0, sizeof(ThreadVars));
103  memset(&f, 0, sizeof(Flow));
104  memset(&ssn, 0, sizeof(TcpSession));
105 
106  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
107  p->flow = &f;
108  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
109  p->flowflags |= FLOW_PKT_TOSERVER;
110  p->flowflags |= FLOW_PKT_ESTABLISHED;
111 
112  FLOW_INITIALIZE(&f);
113  f.protoctx = (void *)&ssn;
114  f.proto = IPPROTO_TCP;
115  f.flags |= FLOW_IPV4;
116  f.alproto = ALPROTO_DCERPC;
117 
118  StreamTcpInitConfig(TRUE);
119 
120  de_ctx = DetectEngineCtxInit();
121  if (de_ctx == NULL)
122  goto end;
123  de_ctx->flags |= DE_QUIET;
124 
125  de_ctx->sig_list = SigInit(de_ctx, sig1);
126  s = de_ctx->sig_list;
127  if (s == NULL)
128  goto end;
129  s->next = SigInit(de_ctx, sig2);
130  if (s->next == NULL)
131  goto end;
132 
133  SigGroupBuild(de_ctx);
134  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
135 
136  /* request 1 */
137  FLOWLOCK_WRLOCK(&f);
138  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
139  STREAM_TOSERVER, request1, request1_len);
140  if (r != 0) {
141  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
142  result = 0;
143  FLOWLOCK_UNLOCK(&f);
144  goto end;
145  }
146  FLOWLOCK_UNLOCK(&f);
147  /* detection phase */
148  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
149  if (!(PacketAlertCheck(p, 1))) {
150  printf("sid 1 didn't match but should have for packet: ");
151  goto end;
152  }
153  if (!(PacketAlertCheck(p, 2))) {
154  printf("sid 2 didn't match but should have for packet: ");
155  goto end;
156  }
157 
158  result = 1;
159 
160 end:
161  if (alp_tctx != NULL)
162  AppLayerParserThreadCtxFree(alp_tctx);
163  if (de_ctx != NULL) {
164  SigGroupCleanup(de_ctx);
165  SigCleanSignatures(de_ctx);
166 
167  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
168  DetectEngineCtxFree(de_ctx);
169  }
170 
171  StreamTcpFreeConfig(TRUE);
172 
173  UTHFreePackets(&p, 1);
174  return result;
175 }
176 
177 /**
178  * \test Test the working of byte_test endianness.
179  */
180 static int DcePayloadTest16(void)
181 {
182  int result = 0;
183 
184  uint8_t request1[] = {
185  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
186  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
187  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
188  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
189  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
190  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
191  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
192  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
193  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
194  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
195  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
196  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
197  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
198  };
199  uint32_t request1_len = sizeof(request1);
200 
201  TcpSession ssn;
202  Packet *p = NULL;
203  ThreadVars tv;
204  DetectEngineCtx *de_ctx = NULL;
205  DetectEngineThreadCtx *det_ctx = NULL;
206  Flow f;
207  int r;
208 
209  const char *sig1 = "alert tcp any any -> any any "
210  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
211  "byte_test:2,=,55,0,relative; sid:1;)";
212  const char *sig2 = "alert tcp any any -> any any "
213  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
214  "byte_test:2,=,11776,5,relative; sid:2;)";
215 
216  Signature *s;
217  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
218 
219  memset(&tv, 0, sizeof(ThreadVars));
220  memset(&f, 0, sizeof(Flow));
221  memset(&ssn, 0, sizeof(TcpSession));
222 
223  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
224  p->flow = &f;
225  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
226  p->flowflags |= FLOW_PKT_TOSERVER;
227  p->flowflags |= FLOW_PKT_ESTABLISHED;
228 
229  FLOW_INITIALIZE(&f);
230  f.protoctx = (void *)&ssn;
231  f.proto = IPPROTO_TCP;
232  f.flags |= FLOW_IPV4;
233  f.alproto = ALPROTO_DCERPC;
234 
235  StreamTcpInitConfig(TRUE);
236 
237  de_ctx = DetectEngineCtxInit();
238  if (de_ctx == NULL)
239  goto end;
240  de_ctx->flags |= DE_QUIET;
241 
242  de_ctx->sig_list = SigInit(de_ctx, sig1);
243  s = de_ctx->sig_list;
244  if (s == NULL)
245  goto end;
246  s->next = SigInit(de_ctx, sig2);
247  if (s->next == NULL)
248  goto end;
249 
250  SigGroupBuild(de_ctx);
251  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
252 
253  /* request 1 */
254  FLOWLOCK_WRLOCK(&f);
255  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
256  STREAM_TOSERVER, request1, request1_len);
257  if (r != 0) {
258  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
259  result = 0;
260  FLOWLOCK_UNLOCK(&f);
261  goto end;
262  }
263  FLOWLOCK_UNLOCK(&f);
264  /* detection phase */
265  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
266  if (!(PacketAlertCheck(p, 1))) {
267  printf("sid 1 didn't match but should have for packet: ");
268  goto end;
269  }
270  if (!(PacketAlertCheck(p, 2))) {
271  printf("sid 2 didn't match but should have for packet: ");
272  goto end;
273  }
274 
275  result = 1;
276 
277 end:
278  if (alp_tctx != NULL)
279  AppLayerParserThreadCtxFree(alp_tctx);
280  if (de_ctx != NULL) {
281  SigGroupCleanup(de_ctx);
282  SigCleanSignatures(de_ctx);
283 
284  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
285  DetectEngineCtxFree(de_ctx);
286  }
287 
288  StreamTcpFreeConfig(TRUE);
289 
290  UTHFreePackets(&p, 1);
291  return result;
292 }
293 
294 /**
295  * \test Test the working of byte_test endianness.
296  */
297 static int DcePayloadTest17(void)
298 {
299  int result = 0;
300 
301  uint8_t request1[] = {
302  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
303  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
304  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
305  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
306  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
307  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
308  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
309  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
310  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
311  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
312  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
313  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
314  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
315  };
316  uint32_t request1_len = sizeof(request1);
317 
318  TcpSession ssn;
319  Packet *p = NULL;
320  ThreadVars tv;
321  DetectEngineCtx *de_ctx = NULL;
322  DetectEngineThreadCtx *det_ctx = NULL;
323  Flow f;
324  int r;
325 
326  const char *sig1 = "alert tcp any any -> any any "
327  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
328  "byte_test:2,=,55,0,relative,big; sid:1;)";
329  const char *sig2 = "alert tcp any any -> any any "
330  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
331  "byte_test:2,=,46,5,relative,little; sid:2;)";
332 
333  Signature *s;
334  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
335 
336  memset(&tv, 0, sizeof(ThreadVars));
337  memset(&f, 0, sizeof(Flow));
338  memset(&ssn, 0, sizeof(TcpSession));
339 
340  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
341  p->flow = &f;
342  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
343  p->flowflags |= FLOW_PKT_TOSERVER;
344  p->flowflags |= FLOW_PKT_ESTABLISHED;
345 
346  FLOW_INITIALIZE(&f);
347  f.protoctx = (void *)&ssn;
348  f.proto = IPPROTO_TCP;
349  f.flags |= FLOW_IPV4;
350  f.alproto = ALPROTO_DCERPC;
351 
352  StreamTcpInitConfig(TRUE);
353 
354  de_ctx = DetectEngineCtxInit();
355  if (de_ctx == NULL)
356  goto end;
357  de_ctx->flags |= DE_QUIET;
358 
359  de_ctx->sig_list = SigInit(de_ctx, sig1);
360  s = de_ctx->sig_list;
361  if (s == NULL)
362  goto end;
363  s->next = SigInit(de_ctx, sig2);
364  if (s->next == NULL)
365  goto end;
366 
367  SigGroupBuild(de_ctx);
368  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
369 
370  /* request 1 */
371  FLOWLOCK_WRLOCK(&f);
372  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
373  STREAM_TOSERVER, request1, request1_len);
374  if (r != 0) {
375  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
376  result = 0;
377  FLOWLOCK_UNLOCK(&f);
378  goto end;
379  }
380  FLOWLOCK_UNLOCK(&f);
381  /* detection phase */
382  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
383  if (!(PacketAlertCheck(p, 1))) {
384  printf("sid 1 didn't match but should have for packet: ");
385  goto end;
386  }
387  if (!(PacketAlertCheck(p, 2))) {
388  printf("sid 2 didn't match but should have for packet: ");
389  goto end;
390  }
391 
392  result = 1;
393 
394 end:
395  if (alp_tctx != NULL)
396  AppLayerParserThreadCtxFree(alp_tctx);
397  if (de_ctx != NULL) {
398  SigGroupCleanup(de_ctx);
399  SigCleanSignatures(de_ctx);
400 
401  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
402  DetectEngineCtxFree(de_ctx);
403  }
404 
405  StreamTcpFreeConfig(TRUE);
406 
407  UTHFreePackets(&p, 1);
408  return result;
409 }
410 
411 /**
412  * \test Test the working of byte_jump endianness.
413  */
414 static int DcePayloadTest18(void)
415 {
416  int result = 0;
417 
418  uint8_t request1[] = {
419  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
420  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
421  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
422  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
423  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
424  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x03, 0x00, 0x03,
425  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
426  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
427  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
428  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
429  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
430  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
431  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
432  };
433  uint32_t request1_len = sizeof(request1);
434 
435  TcpSession ssn;
436  Packet *p = NULL;
437  ThreadVars tv;
438  DetectEngineCtx *de_ctx = NULL;
439  DetectEngineThreadCtx *det_ctx = NULL;
440  Flow f;
441  int r;
442 
443  const char *sig1 = "alert tcp any any -> any any "
444  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
445  "byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
446  const char *sig2 = "alert tcp any any -> any any "
447  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
448  "byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
449 
450  Signature *s;
451  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
452 
453  memset(&tv, 0, sizeof(ThreadVars));
454  memset(&f, 0, sizeof(Flow));
455  memset(&ssn, 0, sizeof(TcpSession));
456 
457  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
458  p->flow = &f;
459  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
460  p->flowflags |= FLOW_PKT_TOSERVER;
461  p->flowflags |= FLOW_PKT_ESTABLISHED;
462 
463  FLOW_INITIALIZE(&f);
464  f.protoctx = (void *)&ssn;
465  f.proto = IPPROTO_TCP;
466  f.flags |= FLOW_IPV4;
467  f.alproto = ALPROTO_DCERPC;
468 
469  StreamTcpInitConfig(TRUE);
470 
471  de_ctx = DetectEngineCtxInit();
472  if (de_ctx == NULL)
473  goto end;
474  de_ctx->flags |= DE_QUIET;
475 
476  de_ctx->sig_list = SigInit(de_ctx, sig1);
477  s = de_ctx->sig_list;
478  if (s == NULL)
479  goto end;
480  s->next = SigInit(de_ctx, sig2);
481  if (s->next == NULL)
482  goto end;
483 
484  SigGroupBuild(de_ctx);
485  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
486 
487  /* request 1 */
488  FLOWLOCK_WRLOCK(&f);
489  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
490  STREAM_TOSERVER, request1, request1_len);
491  if (r != 0) {
492  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
493  result = 0;
494  FLOWLOCK_UNLOCK(&f);
495  goto end;
496  }
497  FLOWLOCK_UNLOCK(&f);
498  /* detection phase */
499  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
500  if (!(PacketAlertCheck(p, 1))) {
501  printf("sid 1 didn't match but should have for packet: ");
502  goto end;
503  }
504  if (!(PacketAlertCheck(p, 2))) {
505  printf("sid 2 didn't match but should have for packet: ");
506  goto end;
507  }
508 
509  result = 1;
510 
511 end:
512  if (alp_tctx != NULL)
513  AppLayerParserThreadCtxFree(alp_tctx);
514  if (de_ctx != NULL) {
515  SigGroupCleanup(de_ctx);
516  SigCleanSignatures(de_ctx);
517 
518  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
519  DetectEngineCtxFree(de_ctx);
520  }
521 
522  StreamTcpFreeConfig(TRUE);
523 
524  UTHFreePackets(&p, 1);
525  return result;
526 }
527 
528 /**
529  * \test Test the working of byte_jump endianness.
530  */
531 static int DcePayloadTest19(void)
532 {
533  int result = 0;
534 
535  uint8_t request1[] = {
536  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
537  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
538  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
539  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
540  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
541  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x00,
542  0x03, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
543  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
544  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
545  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
546  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
547  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
548  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
549  };
550  uint32_t request1_len = sizeof(request1);
551 
552  TcpSession ssn;
553  Packet *p = NULL;
554  ThreadVars tv;
555  DetectEngineCtx *de_ctx = NULL;
556  DetectEngineThreadCtx *det_ctx = NULL;
557  Flow f;
558  int r;
559 
560  const char *sig1 = "alert tcp any any -> any any "
561  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
562  "byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
563  const char *sig2 = "alert tcp any any -> any any "
564  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
565  "byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
566 
567  Signature *s;
568  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
569 
570  memset(&tv, 0, sizeof(ThreadVars));
571  memset(&f, 0, sizeof(Flow));
572  memset(&ssn, 0, sizeof(TcpSession));
573 
574  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
575  p->flow = &f;
576  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
577  p->flowflags |= FLOW_PKT_TOSERVER;
578  p->flowflags |= FLOW_PKT_ESTABLISHED;
579 
580  FLOW_INITIALIZE(&f);
581  f.protoctx = (void *)&ssn;
582  f.proto = IPPROTO_TCP;
583  f.flags |= FLOW_IPV4;
584  f.alproto = ALPROTO_DCERPC;
585 
586  StreamTcpInitConfig(TRUE);
587 
588  de_ctx = DetectEngineCtxInit();
589  if (de_ctx == NULL)
590  goto end;
591  de_ctx->flags |= DE_QUIET;
592 
593  de_ctx->sig_list = SigInit(de_ctx, sig1);
594  s = de_ctx->sig_list;
595  if (s == NULL)
596  goto end;
597  s->next = SigInit(de_ctx, sig2);
598  if (s->next == NULL)
599  goto end;
600 
601  SigGroupBuild(de_ctx);
602  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
603 
604  /* request 1 */
605  FLOWLOCK_WRLOCK(&f);
606  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
607  STREAM_TOSERVER, request1, request1_len);
608  if (r != 0) {
609  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
610  result = 0;
611  FLOWLOCK_UNLOCK(&f);
612  goto end;
613  }
614  FLOWLOCK_UNLOCK(&f);
615  /* detection phase */
616  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
617  if (!(PacketAlertCheck(p, 1))) {
618  printf("sid 1 didn't match but should have for packet: ");
619  goto end;
620  }
621  if (!(PacketAlertCheck(p, 2))) {
622  printf("sid 2 didn't match but should have for packet: ");
623  goto end;
624  }
625 
626  result = 1;
627 
628 end:
629  if (alp_tctx != NULL)
630  AppLayerParserThreadCtxFree(alp_tctx);
631  if (de_ctx != NULL) {
632  SigGroupCleanup(de_ctx);
633  SigCleanSignatures(de_ctx);
634 
635  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
636  DetectEngineCtxFree(de_ctx);
637  }
638 
639  StreamTcpFreeConfig(TRUE);
640 
641  UTHFreePackets(&p, 1);
642  return result;
643 }
644 
645 /**
646  * \test Test the working of byte_jump endianness.
647  */
648 static int DcePayloadTest20(void)
649 {
650  int result = 0;
651 
652  uint8_t request1[] = {
653  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
654  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
655  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
656  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
657  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
658  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x03,
659  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
660  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
661  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
662  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
663  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
664  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
665  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
666  };
667  uint32_t request1_len = sizeof(request1);
668 
669  TcpSession ssn;
670  Packet *p = NULL;
671  ThreadVars tv;
672  DetectEngineCtx *de_ctx = NULL;
673  DetectEngineThreadCtx *det_ctx = NULL;
674  Flow f;
675  int r;
676 
677  const char *sig1 = "alert tcp any any -> any any "
678  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
679  "byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
680  const char *sig2 = "alert tcp any any -> any any "
681  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
682  "byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
683 
684  Signature *s;
685  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
686 
687  memset(&tv, 0, sizeof(ThreadVars));
688  memset(&f, 0, sizeof(Flow));
689  memset(&ssn, 0, sizeof(TcpSession));
690 
691  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
692  p->flow = &f;
693  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
694  p->flowflags |= FLOW_PKT_TOSERVER;
695  p->flowflags |= FLOW_PKT_ESTABLISHED;
696 
697  FLOW_INITIALIZE(&f);
698  f.protoctx = (void *)&ssn;
699  f.proto = IPPROTO_TCP;
700  f.flags |= FLOW_IPV4;
701  f.alproto = ALPROTO_DCERPC;
702 
703  StreamTcpInitConfig(TRUE);
704 
705  de_ctx = DetectEngineCtxInit();
706  if (de_ctx == NULL)
707  goto end;
708  de_ctx->flags |= DE_QUIET;
709 
710  de_ctx->sig_list = SigInit(de_ctx, sig1);
711  s = de_ctx->sig_list;
712  if (s == NULL)
713  goto end;
714  s->next = SigInit(de_ctx, sig2);
715  if (s->next == NULL)
716  goto end;
717 
718  SigGroupBuild(de_ctx);
719  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
720 
721  /* request 1 */
722  FLOWLOCK_WRLOCK(&f);
723  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
724  STREAM_TOSERVER, request1, request1_len);
725  if (r != 0) {
726  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
727  result = 0;
728  FLOWLOCK_UNLOCK(&f);
729  goto end;
730  }
731  FLOWLOCK_UNLOCK(&f);
732  /* detection phase */
733  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
734  if (!(PacketAlertCheck(p, 1))) {
735  printf("sid 1 didn't match but should have for packet: ");
736  goto end;
737  }
738  if (!(PacketAlertCheck(p, 2))) {
739  printf("sid 2 didn't match but should have for packet: ");
740  goto end;
741  }
742 
743  result = 1;
744 
745 end:
746  if (alp_tctx != NULL)
747  AppLayerParserThreadCtxFree(alp_tctx);
748  if (de_ctx != NULL) {
749  SigGroupCleanup(de_ctx);
750  SigCleanSignatures(de_ctx);
751 
752  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
753  DetectEngineCtxFree(de_ctx);
754  }
755 
756  StreamTcpFreeConfig(TRUE);
757 
758  UTHFreePackets(&p, 1);
759  return result;
760 }
761 
762 /**
763  * \test Test content for dce sig.
764  */
765 static int DcePayloadParseTest25(void)
766 {
767  DetectEngineCtx *de_ctx = NULL;
768  int result = 1;
769  Signature *s = NULL;
770  SigMatch *sm = NULL;
771  DetectContentData *data = NULL;
772 
773  de_ctx = DetectEngineCtxInit();
774  if (de_ctx == NULL)
775  goto end;
776 
777  de_ctx->flags |= DE_QUIET;
778  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
779  "(msg:\"Testing bytejump_body\"; "
780  "content:\"one\"; content:\"two\"; "
781  "content:\"three\"; within:10; "
782  "content:\"four\"; distance:4; "
783  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
784  "sid:1;)");
785  if (de_ctx->sig_list == NULL) {
786  result = 0;
787  goto end;
788  }
789 
790  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
791  result = 0;
792  goto end;
793  }
794  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
795  result = 0;
796  goto end;
797  }
798 
799  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
800  if (sm->type != DETECT_CONTENT) {
801  result = 0;
802  goto end;
803  }
804  data = (DetectContentData *)sm->ctx;
805  if (data->flags & DETECT_CONTENT_RAWBYTES ||
806  data->flags & DETECT_CONTENT_NOCASE ||
807  data->flags & DETECT_CONTENT_WITHIN ||
808  data->flags & DETECT_CONTENT_DISTANCE ||
809  data->flags & DETECT_CONTENT_FAST_PATTERN ||
810  data->flags & DETECT_CONTENT_NEGATED ) {
811  result = 0;
812  goto end;
813  }
814  result &= (strncmp((char *)data->content, "one", 3) == 0);
815  if (result == 0)
816  goto end;
817 
818  sm = sm->next;
819  if (sm->type != DETECT_CONTENT) {
820  result = 0;
821  goto end;
822  }
823  data = (DetectContentData *)sm->ctx;
824  if (data->flags & DETECT_CONTENT_RAWBYTES ||
825  data->flags & DETECT_CONTENT_NOCASE ||
826  data->flags & DETECT_CONTENT_WITHIN ||
827  data->flags & DETECT_CONTENT_DISTANCE ||
828  data->flags & DETECT_CONTENT_FAST_PATTERN ||
829  data->flags & DETECT_CONTENT_NEGATED ) {
830  result = 0;
831  goto end;
832  }
833  result &= (strncmp((char *)data->content, "two", 3) == 0);
834  if (result == 0)
835  goto end;
836 
837  sm = sm->next;
838  if (sm->type != DETECT_CONTENT) {
839  result = 0;
840  goto end;
841  }
842  data = (DetectContentData *)sm->ctx;
843  if (data->flags & DETECT_CONTENT_RAWBYTES ||
844  data->flags & DETECT_CONTENT_NOCASE ||
845  !(data->flags & DETECT_CONTENT_WITHIN) ||
846  data->flags & DETECT_CONTENT_DISTANCE ||
847  data->flags & DETECT_CONTENT_FAST_PATTERN ||
848  data->flags & DETECT_CONTENT_NEGATED ) {
849  result = 0;
850  goto end;
851  }
852  result &= (strncmp((char *)data->content, "three", 5) == 0);
853  if (result == 0)
854  goto end;
855 
856  sm = sm->next;
857  if (sm->type != DETECT_CONTENT) {
858  result = 0;
859  goto end;
860  }
861  data = (DetectContentData *)sm->ctx;
862  if (data->flags & DETECT_CONTENT_RAWBYTES ||
863  data->flags & DETECT_CONTENT_NOCASE ||
864  data->flags & DETECT_CONTENT_WITHIN ||
865  !(data->flags & DETECT_CONTENT_DISTANCE) ||
866  data->flags & DETECT_CONTENT_FAST_PATTERN ||
867  data->flags & DETECT_CONTENT_NEGATED ) {
868  result = 0;
869  goto end;
870  }
871  result &= (strncmp((char *)data->content, "four", 4) == 0);
872  if (result == 0)
873  goto end;
874 
875  end:
876  SigGroupCleanup(de_ctx);
877  SigCleanSignatures(de_ctx);
878  DetectEngineCtxFree(de_ctx);
879 
880  return result;
881 }
882 
883 /**
884  * \test Test content for dce sig.
885  */
886 static int DcePayloadParseTest26(void)
887 {
888  DetectEngineCtx *de_ctx = NULL;
889  int result = 1;
890  Signature *s = NULL;
891  SigMatch *sm = NULL;
892  DetectContentData *data = NULL;
893 
894  de_ctx = DetectEngineCtxInit();
895  if (de_ctx == NULL)
896  goto end;
897 
898  de_ctx->flags |= DE_QUIET;
899  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
900  "(msg:\"Testing bytejump_body\"; "
901  "dce_stub_data; "
902  "pkt_data; "
903  "content:\"one\"; "
904  "content:\"two\"; "
905  "content:\"three\"; within:5; "
906  "content:\"four\"; distance:10; "
907  "sid:1;)");
908  if (de_ctx->sig_list == NULL) {
909  result = 0;
910  goto end;
911  }
912 
913  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
914  result = 0;
915  goto end;
916  }
917  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
918  result = 0;
919  goto end;
920  }
921 
922  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
923  if (sm->type != DETECT_CONTENT) {
924  result = 0;
925  goto end;
926  }
927  data = (DetectContentData *)sm->ctx;
928  if (data->flags & DETECT_CONTENT_RAWBYTES ||
929  data->flags & DETECT_CONTENT_NOCASE ||
930  data->flags & DETECT_CONTENT_WITHIN ||
931  data->flags & DETECT_CONTENT_DISTANCE ||
932  data->flags & DETECT_CONTENT_FAST_PATTERN ||
933  data->flags & DETECT_CONTENT_NEGATED ) {
934  result = 0;
935  printf("one failed\n");
936  goto end;
937  }
938  result &= (strncmp((char *)data->content, "one", 3) == 0);
939  if (result == 0)
940  goto end;
941 
942  sm = sm->next;
943  if (sm->type != DETECT_CONTENT) {
944  result = 0;
945  goto end;
946  }
947  data = (DetectContentData *)sm->ctx;
948  if (data->flags & DETECT_CONTENT_RAWBYTES ||
949  data->flags & DETECT_CONTENT_NOCASE ||
950  data->flags & DETECT_CONTENT_WITHIN ||
951  data->flags & DETECT_CONTENT_DISTANCE ||
952  data->flags & DETECT_CONTENT_FAST_PATTERN ||
953  data->flags & DETECT_CONTENT_NEGATED ) {
954  result = 0;
955  printf("two failed\n");
956  goto end;
957  }
958  result &= (strncmp((char *)data->content, "two", 3) == 0);
959  if (result == 0)
960  goto end;
961 
962  sm = sm->next;
963  if (sm->type != DETECT_CONTENT) {
964  result = 0;
965  goto end;
966  }
967  data = (DetectContentData *)sm->ctx;
968  if (data->flags & DETECT_CONTENT_RAWBYTES ||
969  data->flags & DETECT_CONTENT_NOCASE ||
970  !(data->flags & DETECT_CONTENT_WITHIN) ||
971  data->flags & DETECT_CONTENT_DISTANCE ||
972  data->flags & DETECT_CONTENT_FAST_PATTERN ||
973  data->flags & DETECT_CONTENT_NEGATED ) {
974  printf("three failed\n");
975  result = 0;
976  goto end;
977  }
978  result &= (strncmp((char *)data->content, "three", 5) == 0);
979  if (result == 0)
980  goto end;
981 
982  sm = sm->next;
983  if (sm->type != DETECT_CONTENT) {
984  result = 0;
985  goto end;
986  }
987  data = (DetectContentData *)sm->ctx;
988  if (data->flags & DETECT_CONTENT_RAWBYTES ||
989  data->flags & DETECT_CONTENT_NOCASE ||
990  data->flags & DETECT_CONTENT_WITHIN ||
991  !(data->flags & DETECT_CONTENT_DISTANCE) ||
992  data->flags & DETECT_CONTENT_FAST_PATTERN ||
993  data->flags & DETECT_CONTENT_NEGATED ) {
994  printf("four failed\n");
995  result = 0;
996  goto end;
997  }
998  result &= (strncmp((char *)data->content, "four", 4) == 0);
999  if (result == 0)
1000  goto end;
1001 
1002  end:
1003  SigGroupCleanup(de_ctx);
1004  SigCleanSignatures(de_ctx);
1005  DetectEngineCtxFree(de_ctx);
1006 
1007  return result;
1008 }
1009 
1010 /**
1011  * \test Test content for dce sig.
1012  */
1013 static int DcePayloadParseTest27(void)
1014 {
1015  DetectEngineCtx *de_ctx = NULL;
1016  int result = 1;
1017  Signature *s = NULL;
1018  SigMatch *sm = NULL;
1019  DetectContentData *data = NULL;
1020 
1021  de_ctx = DetectEngineCtxInit();
1022  if (de_ctx == NULL)
1023  goto end;
1024 
1025  de_ctx->flags |= DE_QUIET;
1026  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1027  "(msg:\"Testing bytejump_body\"; "
1028  "dce_stub_data; "
1029  "content:\"one\"; distance:10; within:5; "
1030  "content:\"two\"; within:5;"
1031  "content:\"three\"; within:5; "
1032  "content:\"four\"; distance:10; "
1033  "sid:1;)");
1034  if (de_ctx->sig_list == NULL) {
1035  result = 0;
1036  goto end;
1037  }
1038 
1039  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1040  result = 0;
1041  goto end;
1042  }
1043  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] != NULL) {
1044  result = 0;
1045  goto end;
1046  }
1047 
1048  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1049  if (sm->type != DETECT_CONTENT) {
1050  result = 0;
1051  goto end;
1052  }
1053  data = (DetectContentData *)sm->ctx;
1054  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1055  data->flags & DETECT_CONTENT_NOCASE ||
1056  !(data->flags & DETECT_CONTENT_WITHIN) ||
1057  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1058  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1059  data->flags & DETECT_CONTENT_NEGATED ) {
1060  result = 0;
1061  printf("one failed\n");
1062  goto end;
1063  }
1064  result &= (strncmp((char *)data->content, "one", 3) == 0);
1065  if (result == 0)
1066  goto end;
1067 
1068  sm = sm->next;
1069  if (sm->type != DETECT_CONTENT) {
1070  result = 0;
1071  goto end;
1072  }
1073  data = (DetectContentData *)sm->ctx;
1074  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1075  data->flags & DETECT_CONTENT_NOCASE ||
1076  !(data->flags & DETECT_CONTENT_WITHIN) ||
1077  data->flags & DETECT_CONTENT_DISTANCE ||
1078  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1079  data->flags & DETECT_CONTENT_NEGATED ) {
1080  result = 0;
1081  printf("two failed\n");
1082  goto end;
1083  }
1084  result &= (strncmp((char *)data->content, "two", 3) == 0);
1085  if (result == 0)
1086  goto end;
1087 
1088  sm = sm->next;
1089  if (sm->type != DETECT_CONTENT) {
1090  result = 0;
1091  goto end;
1092  }
1093  data = (DetectContentData *)sm->ctx;
1094  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1095  data->flags & DETECT_CONTENT_NOCASE ||
1096  !(data->flags & DETECT_CONTENT_WITHIN) ||
1097  data->flags & DETECT_CONTENT_DISTANCE ||
1098  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1099  data->flags & DETECT_CONTENT_NEGATED ) {
1100  printf("three failed\n");
1101  result = 0;
1102  goto end;
1103  }
1104  result &= (strncmp((char *)data->content, "three", 5) == 0);
1105  if (result == 0)
1106  goto end;
1107 
1108  sm = sm->next;
1109  if (sm->type != DETECT_CONTENT) {
1110  result = 0;
1111  goto end;
1112  }
1113  data = (DetectContentData *)sm->ctx;
1114  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1115  data->flags & DETECT_CONTENT_NOCASE ||
1116  data->flags & DETECT_CONTENT_WITHIN ||
1117  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1118  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1119  data->flags & DETECT_CONTENT_NEGATED ) {
1120  printf("four failed\n");
1121  result = 0;
1122  goto end;
1123  }
1124  result &= (strncmp((char *)data->content, "four", 4) == 0);
1125  if (result == 0)
1126  goto end;
1127 
1128  end:
1129  SigGroupCleanup(de_ctx);
1130  SigCleanSignatures(de_ctx);
1131  DetectEngineCtxFree(de_ctx);
1132 
1133  return result;
1134 }
1135 
1136 /**
1137  * \test Test content for dce sig.
1138  */
1139 static int DcePayloadParseTest28(void)
1140 {
1141  DetectEngineCtx *de_ctx = NULL;
1142  int result = 1;
1143  Signature *s = NULL;
1144  SigMatch *sm = NULL;
1145  DetectContentData *data = NULL;
1146 
1147  de_ctx = DetectEngineCtxInit();
1148  if (de_ctx == NULL)
1149  goto end;
1150 
1151  de_ctx->flags |= DE_QUIET;
1152  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1153  "(msg:\"Testing bytejump_body\"; "
1154  "dce_stub_data; "
1155  "content:\"one\"; distance:10; within:5; "
1156  "content:\"two\"; within:5;"
1157  "pkt_data; "
1158  "content:\"three\";"
1159  "content:\"four\";"
1160  "sid:1;)");
1161  if (de_ctx->sig_list == NULL) {
1162  result = 0;
1163  goto end;
1164  }
1165 
1166  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1167  result = 0;
1168  goto end;
1169  }
1170  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1171  result = 0;
1172  goto end;
1173  }
1174 
1175  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1176  if (sm->type != DETECT_CONTENT) {
1177  result = 0;
1178  goto end;
1179  }
1180  data = (DetectContentData *)sm->ctx;
1181  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1182  data->flags & DETECT_CONTENT_NOCASE ||
1183  !(data->flags & DETECT_CONTENT_WITHIN) ||
1184  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1185  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1186  data->flags & DETECT_CONTENT_NEGATED ) {
1187  result = 0;
1188  printf("one failed\n");
1189  goto end;
1190  }
1191  result &= (strncmp((char *)data->content, "one", 3) == 0);
1192  if (result == 0)
1193  goto end;
1194 
1195  sm = sm->next;
1196  if (sm->type != DETECT_CONTENT) {
1197  result = 0;
1198  goto end;
1199  }
1200  data = (DetectContentData *)sm->ctx;
1201  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1202  data->flags & DETECT_CONTENT_NOCASE ||
1203  !(data->flags & DETECT_CONTENT_WITHIN) ||
1204  data->flags & DETECT_CONTENT_DISTANCE ||
1205  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1206  data->flags & DETECT_CONTENT_NEGATED ) {
1207  result = 0;
1208  printf("two failed\n");
1209  goto end;
1210  }
1211  result &= (strncmp((char *)data->content, "two", 3) == 0);
1212  if (result == 0)
1213  goto end;
1214 
1215  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1216  if (sm->type != DETECT_CONTENT) {
1217  result = 0;
1218  goto end;
1219  }
1220  data = (DetectContentData *)sm->ctx;
1221  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1222  data->flags & DETECT_CONTENT_NOCASE ||
1223  data->flags & DETECT_CONTENT_WITHIN ||
1224  data->flags & DETECT_CONTENT_DISTANCE ||
1225  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1226  data->flags & DETECT_CONTENT_NEGATED ) {
1227  printf("three failed\n");
1228  result = 0;
1229  goto end;
1230  }
1231  result &= (strncmp((char *)data->content, "three", 5) == 0);
1232  if (result == 0)
1233  goto end;
1234 
1235  sm = sm->next;
1236  if (sm->type != DETECT_CONTENT) {
1237  result = 0;
1238  goto end;
1239  }
1240  data = (DetectContentData *)sm->ctx;
1241  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1242  data->flags & DETECT_CONTENT_NOCASE ||
1243  data->flags & DETECT_CONTENT_WITHIN ||
1244  data->flags & DETECT_CONTENT_DISTANCE ||
1245  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1246  data->flags & DETECT_CONTENT_NEGATED ) {
1247  printf("four failed\n");
1248  result = 0;
1249  goto end;
1250  }
1251  result &= (strncmp((char *)data->content, "four", 4) == 0);
1252  if (result == 0)
1253  goto end;
1254 
1255  end:
1256  SigGroupCleanup(de_ctx);
1257  SigCleanSignatures(de_ctx);
1258  DetectEngineCtxFree(de_ctx);
1259 
1260  return result;
1261 }
1262 
1263 /**
1264  * \test Test content for dce sig.
1265  */
1266 static int DcePayloadParseTest29(void)
1267 {
1268  DetectEngineCtx *de_ctx = NULL;
1269  int result = 1;
1270  Signature *s = NULL;
1271  SigMatch *sm = NULL;
1272  DetectContentData *data = NULL;
1273  DetectPcreData *pd = NULL;
1274 
1275  de_ctx = DetectEngineCtxInit();
1276  if (de_ctx == NULL)
1277  goto end;
1278 
1279  de_ctx->flags |= DE_QUIET;
1280  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1281  "(msg:\"Testing bytejump_body\"; "
1282  "dce_stub_data; "
1283  "pkt_data; "
1284  "pcre:/boom/; "
1285  "content:\"one\"; distance:10; within:5; "
1286  "content:\"two\"; within:5;"
1287  "content:\"three\";"
1288  "content:\"four\";"
1289  "sid:1;)");
1290  if (de_ctx->sig_list == NULL) {
1291  result = 0;
1292  goto end;
1293  }
1294 
1295  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1296  result = 0;
1297  goto end;
1298  }
1299  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1300  result = 0;
1301  goto end;
1302  }
1303 
1304  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1305  if (sm->type != DETECT_PCRE) {
1306  result = 0;
1307  goto end;
1308  }
1309  pd = (DetectPcreData *)sm->ctx;
1310  if (pd->flags & DETECT_PCRE_RAWBYTES ||
1311  pd->flags & DETECT_PCRE_RELATIVE) {
1312  result = 0;
1313  printf("one failed\n");
1314  goto end;
1315  }
1316 
1317  sm = sm->next;
1318  if (sm->type != DETECT_CONTENT) {
1319  result = 0;
1320  goto end;
1321  }
1322  data = (DetectContentData *)sm->ctx;
1323  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1324  data->flags & DETECT_CONTENT_NOCASE ||
1325  !(data->flags & DETECT_CONTENT_WITHIN) ||
1326  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1327  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1328  data->flags & DETECT_CONTENT_NEGATED ) {
1329  result = 0;
1330  printf("one failed\n");
1331  goto end;
1332  }
1333  result &= (strncmp((char *)data->content, "one", 3) == 0);
1334  if (result == 0)
1335  goto end;
1336 
1337  sm = sm->next;
1338  if (sm->type != DETECT_CONTENT) {
1339  result = 0;
1340  goto end;
1341  }
1342  data = (DetectContentData *)sm->ctx;
1343  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1344  data->flags & DETECT_CONTENT_NOCASE ||
1345  !(data->flags & DETECT_CONTENT_WITHIN) ||
1346  data->flags & DETECT_CONTENT_DISTANCE ||
1347  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1348  data->flags & DETECT_CONTENT_NEGATED ) {
1349  result = 0;
1350  printf("two failed\n");
1351  goto end;
1352  }
1353  result &= (strncmp((char *)data->content, "two", 3) == 0);
1354  if (result == 0)
1355  goto end;
1356 
1357  sm = sm->next;
1358  if (sm->type != DETECT_CONTENT) {
1359  result = 0;
1360  goto end;
1361  }
1362  data = (DetectContentData *)sm->ctx;
1363  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1364  data->flags & DETECT_CONTENT_NOCASE ||
1365  data->flags & DETECT_CONTENT_WITHIN ||
1366  data->flags & DETECT_CONTENT_DISTANCE ||
1367  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1368  data->flags & DETECT_CONTENT_NEGATED ) {
1369  printf("three failed\n");
1370  result = 0;
1371  goto end;
1372  }
1373  result &= (strncmp((char *)data->content, "three", 5) == 0);
1374  if (result == 0)
1375  goto end;
1376 
1377  sm = sm->next;
1378  if (sm->type != DETECT_CONTENT) {
1379  result = 0;
1380  goto end;
1381  }
1382  data = (DetectContentData *)sm->ctx;
1383  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1384  data->flags & DETECT_CONTENT_NOCASE ||
1385  data->flags & DETECT_CONTENT_WITHIN ||
1386  data->flags & DETECT_CONTENT_DISTANCE ||
1387  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1388  data->flags & DETECT_CONTENT_NEGATED ) {
1389  printf("four failed\n");
1390  result = 0;
1391  goto end;
1392  }
1393  result &= (strncmp((char *)data->content, "four", 4) == 0);
1394  if (result == 0)
1395  goto end;
1396 
1397  end:
1398  SigGroupCleanup(de_ctx);
1399  SigCleanSignatures(de_ctx);
1400  DetectEngineCtxFree(de_ctx);
1401 
1402  return result;
1403 }
1404 
1405 /**
1406  * \test Test content for dce sig.
1407  */
1408 static int DcePayloadParseTest30(void)
1409 {
1410  DetectEngineCtx *de_ctx = NULL;
1411  int result = 1;
1412  Signature *s = NULL;
1413  SigMatch *sm = NULL;
1414  DetectContentData *data = NULL;
1415  DetectBytejumpData *bd = NULL;
1416 
1417  de_ctx = DetectEngineCtxInit();
1418  if (de_ctx == NULL)
1419  goto end;
1420 
1421  de_ctx->flags |= DE_QUIET;
1422  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1423  "(msg:\"Testing bytejump_body\"; "
1424  "dce_stub_data; "
1425  "pkt_data; "
1426  "byte_jump:2,5; "
1427  "content:\"one\"; distance:10; within:5; "
1428  "content:\"two\"; within:5;"
1429  "content:\"three\";"
1430  "content:\"four\";"
1431  "sid:1;)");
1432  if (de_ctx->sig_list == NULL) {
1433  result = 0;
1434  goto end;
1435  }
1436 
1437  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1438  result = 0;
1439  goto end;
1440  }
1441  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1442  result = 0;
1443  goto end;
1444  }
1445 
1446  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1447  if (sm->type != DETECT_BYTEJUMP) {
1448  result = 0;
1449  goto end;
1450  }
1451  bd = (DetectBytejumpData *)sm->ctx;
1452  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1453  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1454  bd->flags & DETECT_BYTEJUMP_BIG ||
1455  bd->flags & DETECT_BYTEJUMP_STRING ||
1456  bd->flags & DETECT_BYTEJUMP_RELATIVE ||
1457  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1458  bd->flags & DETECT_BYTEJUMP_DCE ) {
1459  result = 0;
1460  printf("one failed\n");
1461  goto end;
1462  }
1463 
1464  sm = sm->next;
1465  if (sm->type != DETECT_CONTENT) {
1466  result = 0;
1467  goto end;
1468  }
1469  data = (DetectContentData *)sm->ctx;
1470  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1471  data->flags & DETECT_CONTENT_NOCASE ||
1472  !(data->flags & DETECT_CONTENT_WITHIN) ||
1473  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1474  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1475  data->flags & DETECT_CONTENT_NEGATED ) {
1476  result = 0;
1477  printf("one failed\n");
1478  goto end;
1479  }
1480  result &= (strncmp((char *)data->content, "one", 3) == 0);
1481  if (result == 0)
1482  goto end;
1483 
1484  sm = sm->next;
1485  if (sm->type != DETECT_CONTENT) {
1486  result = 0;
1487  goto end;
1488  }
1489  data = (DetectContentData *)sm->ctx;
1490  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1491  data->flags & DETECT_CONTENT_NOCASE ||
1492  !(data->flags & DETECT_CONTENT_WITHIN) ||
1493  data->flags & DETECT_CONTENT_DISTANCE ||
1494  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1495  data->flags & DETECT_CONTENT_NEGATED ) {
1496  result = 0;
1497  printf("two failed\n");
1498  goto end;
1499  }
1500  result &= (strncmp((char *)data->content, "two", 3) == 0);
1501  if (result == 0)
1502  goto end;
1503 
1504  sm = sm->next;
1505  if (sm->type != DETECT_CONTENT) {
1506  result = 0;
1507  goto end;
1508  }
1509  data = (DetectContentData *)sm->ctx;
1510  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1511  data->flags & DETECT_CONTENT_NOCASE ||
1512  data->flags & DETECT_CONTENT_WITHIN ||
1513  data->flags & DETECT_CONTENT_DISTANCE ||
1514  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1515  data->flags & DETECT_CONTENT_NEGATED ) {
1516  printf("three failed\n");
1517  result = 0;
1518  goto end;
1519  }
1520  result &= (strncmp((char *)data->content, "three", 5) == 0);
1521  if (result == 0)
1522  goto end;
1523 
1524  sm = sm->next;
1525  if (sm->type != DETECT_CONTENT) {
1526  result = 0;
1527  goto end;
1528  }
1529  data = (DetectContentData *)sm->ctx;
1530  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1531  data->flags & DETECT_CONTENT_NOCASE ||
1532  data->flags & DETECT_CONTENT_WITHIN ||
1533  data->flags & DETECT_CONTENT_DISTANCE ||
1534  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1535  data->flags & DETECT_CONTENT_NEGATED ) {
1536  printf("four failed\n");
1537  result = 0;
1538  goto end;
1539  }
1540  result &= (strncmp((char *)data->content, "four", 4) == 0);
1541  if (result == 0)
1542  goto end;
1543 
1544  end:
1545  SigGroupCleanup(de_ctx);
1546  SigCleanSignatures(de_ctx);
1547  DetectEngineCtxFree(de_ctx);
1548 
1549  return result;
1550 }
1551 
1552 /**
1553  * \test Test content for dce sig.
1554  */
1555 static int DcePayloadParseTest31(void)
1556 {
1557  DetectEngineCtx *de_ctx = NULL;
1558  int result = 1;
1559  Signature *s = NULL;
1560  SigMatch *sm = NULL;
1561  DetectContentData *data = NULL;
1562  DetectBytejumpData *bd = NULL;
1563 
1564  de_ctx = DetectEngineCtxInit();
1565  if (de_ctx == NULL)
1566  goto end;
1567 
1568  de_ctx->flags |= DE_QUIET;
1569  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1570  "(msg:\"Testing bytejump_body\"; "
1571  "dce_stub_data; "
1572  "byte_jump:2,5,relative; "
1573  "content:\"one\"; distance:10; within:5; "
1574  "content:\"two\"; within:5;"
1575  "pkt_data; "
1576  "content:\"three\";"
1577  "content:\"four\";"
1578  "sid:1;)");
1579  if (de_ctx->sig_list == NULL) {
1580  result = 0;
1581  goto end;
1582  }
1583 
1584  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1585  result = 0;
1586  goto end;
1587  }
1588  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1589  result = 0;
1590  goto end;
1591  }
1592 
1593  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1594  if (sm->type != DETECT_BYTEJUMP) {
1595  result = 0;
1596  goto end;
1597  }
1598  bd = (DetectBytejumpData *)sm->ctx;
1599  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1600  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1601  bd->flags & DETECT_BYTEJUMP_BIG ||
1602  bd->flags & DETECT_BYTEJUMP_STRING ||
1603  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
1604  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1605  bd->flags & DETECT_BYTEJUMP_DCE ) {
1606  result = 0;
1607  printf("one failed\n");
1608  goto end;
1609  }
1610 
1611  sm = sm->next;
1612  if (sm->type != DETECT_CONTENT) {
1613  result = 0;
1614  goto end;
1615  }
1616  data = (DetectContentData *)sm->ctx;
1617  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1618  data->flags & DETECT_CONTENT_NOCASE ||
1619  !(data->flags & DETECT_CONTENT_WITHIN) ||
1620  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1621  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1622  data->flags & DETECT_CONTENT_NEGATED ) {
1623  result = 0;
1624  printf("one failed\n");
1625  goto end;
1626  }
1627  result &= (strncmp((char *)data->content, "one", 3) == 0);
1628  if (result == 0)
1629  goto end;
1630 
1631  sm = sm->next;
1632  if (sm->type != DETECT_CONTENT) {
1633  result = 0;
1634  goto end;
1635  }
1636  data = (DetectContentData *)sm->ctx;
1637  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1638  data->flags & DETECT_CONTENT_NOCASE ||
1639  !(data->flags & DETECT_CONTENT_WITHIN) ||
1640  data->flags & DETECT_CONTENT_DISTANCE ||
1641  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1642  data->flags & DETECT_CONTENT_NEGATED ) {
1643  result = 0;
1644  printf("two failed\n");
1645  goto end;
1646  }
1647  result &= (strncmp((char *)data->content, "two", 3) == 0);
1648  if (result == 0)
1649  goto end;
1650 
1651  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1652  if (sm->type != DETECT_CONTENT) {
1653  result = 0;
1654  goto end;
1655  }
1656  data = (DetectContentData *)sm->ctx;
1657  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1658  data->flags & DETECT_CONTENT_NOCASE ||
1659  data->flags & DETECT_CONTENT_WITHIN ||
1660  data->flags & DETECT_CONTENT_DISTANCE ||
1661  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1662  data->flags & DETECT_CONTENT_NEGATED ) {
1663  printf("three failed\n");
1664  result = 0;
1665  goto end;
1666  }
1667  result &= (strncmp((char *)data->content, "three", 5) == 0);
1668  if (result == 0)
1669  goto end;
1670 
1671  sm = sm->next;
1672  if (sm->type != DETECT_CONTENT) {
1673  result = 0;
1674  goto end;
1675  }
1676  data = (DetectContentData *)sm->ctx;
1677  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1678  data->flags & DETECT_CONTENT_NOCASE ||
1679  data->flags & DETECT_CONTENT_WITHIN ||
1680  data->flags & DETECT_CONTENT_DISTANCE ||
1681  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1682  data->flags & DETECT_CONTENT_NEGATED ) {
1683  printf("four failed\n");
1684  result = 0;
1685  goto end;
1686  }
1687  result &= (strncmp((char *)data->content, "four", 4) == 0);
1688  if (result == 0)
1689  goto end;
1690 
1691  end:
1692  SigGroupCleanup(de_ctx);
1693  SigCleanSignatures(de_ctx);
1694  DetectEngineCtxFree(de_ctx);
1695 
1696  return result;
1697 }
1698 
1699 /**
1700  * \test Test content for dce sig.
1701  */
1702 static int DcePayloadParseTest32(void)
1703 {
1704  DetectEngineCtx *de_ctx = NULL;
1705  int result = 1;
1706  Signature *s = NULL;
1707  SigMatch *sm = NULL;
1708  DetectContentData *data = NULL;
1709  DetectBytejumpData *bd = NULL;
1710 
1711  de_ctx = DetectEngineCtxInit();
1712  if (de_ctx == NULL)
1713  goto end;
1714 
1715  de_ctx->flags |= DE_QUIET;
1716  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1717  "(msg:\"Testing bytejump_body\"; "
1718  "dce_stub_data; "
1719  "byte_jump:2,5,relative; "
1720  "content:\"one\"; distance:10; within:5; "
1721  "content:\"two\"; within:5;"
1722  "pkt_data; "
1723  "content:\"three\";"
1724  "content:\"four\"; within:4; "
1725  "sid:1;)");
1726  if (de_ctx->sig_list == NULL) {
1727  result = 0;
1728  goto end;
1729  }
1730 
1731  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1732  result = 0;
1733  goto end;
1734  }
1735  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1736  result = 0;
1737  goto end;
1738  }
1739 
1740  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1741  if (sm->type != DETECT_BYTEJUMP) {
1742  result = 0;
1743  goto end;
1744  }
1745  bd = (DetectBytejumpData *)sm->ctx;
1746  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1747  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1748  bd->flags & DETECT_BYTEJUMP_BIG ||
1749  bd->flags & DETECT_BYTEJUMP_STRING ||
1750  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
1751  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1752  bd->flags & DETECT_BYTEJUMP_DCE ) {
1753  result = 0;
1754  printf("one failed\n");
1755  goto end;
1756  }
1757 
1758  sm = sm->next;
1759  if (sm->type != DETECT_CONTENT) {
1760  result = 0;
1761  goto end;
1762  }
1763  data = (DetectContentData *)sm->ctx;
1764  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1765  data->flags & DETECT_CONTENT_NOCASE ||
1766  !(data->flags & DETECT_CONTENT_WITHIN) ||
1767  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1768  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1769  data->flags & DETECT_CONTENT_NEGATED ) {
1770  result = 0;
1771  printf("one failed\n");
1772  goto end;
1773  }
1774  result &= (strncmp((char *)data->content, "one", 3) == 0);
1775  if (result == 0)
1776  goto end;
1777 
1778  sm = sm->next;
1779  if (sm->type != DETECT_CONTENT) {
1780  result = 0;
1781  goto end;
1782  }
1783  data = (DetectContentData *)sm->ctx;
1784  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1785  data->flags & DETECT_CONTENT_NOCASE ||
1786  !(data->flags & DETECT_CONTENT_WITHIN) ||
1787  data->flags & DETECT_CONTENT_DISTANCE ||
1788  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1789  data->flags & DETECT_CONTENT_NEGATED ) {
1790  result = 0;
1791  printf("two failed\n");
1792  goto end;
1793  }
1794  result &= (strncmp((char *)data->content, "two", 3) == 0);
1795  if (result == 0)
1796  goto end;
1797 
1798  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1799  if (sm->type != DETECT_CONTENT) {
1800  result = 0;
1801  goto end;
1802  }
1803  data = (DetectContentData *)sm->ctx;
1804  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1805  data->flags & DETECT_CONTENT_NOCASE ||
1806  data->flags & DETECT_CONTENT_WITHIN ||
1807  data->flags & DETECT_CONTENT_DISTANCE ||
1808  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1809  data->flags & DETECT_CONTENT_NEGATED ) {
1810  printf("three failed\n");
1811  result = 0;
1812  goto end;
1813  }
1814  result &= (strncmp((char *)data->content, "three", 5) == 0);
1815  if (result == 0)
1816  goto end;
1817 
1818  sm = sm->next;
1819  if (sm->type != DETECT_CONTENT) {
1820  result = 0;
1821  goto end;
1822  }
1823  data = (DetectContentData *)sm->ctx;
1824  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1825  data->flags & DETECT_CONTENT_NOCASE ||
1826  !(data->flags & DETECT_CONTENT_WITHIN) ||
1827  data->flags & DETECT_CONTENT_DISTANCE ||
1828  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1829  data->flags & DETECT_CONTENT_NEGATED ) {
1830  printf("four failed\n");
1831  result = 0;
1832  goto end;
1833  }
1834  result &= (strncmp((char *)data->content, "four", 4) == 0);
1835  if (result == 0)
1836  goto end;
1837 
1838  end:
1839  SigGroupCleanup(de_ctx);
1840  SigCleanSignatures(de_ctx);
1841  DetectEngineCtxFree(de_ctx);
1842 
1843  return result;
1844 }
1845 
1846 /**
1847  * \test Test content for dce sig.
1848  */
1849 static int DcePayloadParseTest33(void)
1850 {
1851  DetectEngineCtx *de_ctx = NULL;
1852  int result = 1;
1853  Signature *s = NULL;
1854  SigMatch *sm = NULL;
1855  DetectContentData *data = NULL;
1856  DetectPcreData *pd = NULL;
1857 
1858  de_ctx = DetectEngineCtxInit();
1859  if (de_ctx == NULL)
1860  goto end;
1861 
1862  de_ctx->flags |= DE_QUIET;
1863  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1864  "(msg:\"Testing bytejump_body\"; "
1865  "dce_stub_data; "
1866  "pcre:/boom/R; "
1867  "content:\"one\"; distance:10; within:5; "
1868  "content:\"two\"; within:5;"
1869  "pkt_data; "
1870  "content:\"three\";"
1871  "content:\"four\"; distance:5;"
1872  "sid:1;)");
1873  if (de_ctx->sig_list == NULL) {
1874  result = 0;
1875  goto end;
1876  }
1877 
1878  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1879  result = 0;
1880  goto end;
1881  }
1882  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1883  result = 0;
1884  goto end;
1885  }
1886 
1887  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1888  if (sm->type != DETECT_PCRE) {
1889  result = 0;
1890  goto end;
1891  }
1892  pd = (DetectPcreData *)sm->ctx;
1893  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
1894  !(pd->flags & DETECT_PCRE_RELATIVE)) {
1895  result = 0;
1896  printf("one failed\n");
1897  goto end;
1898  }
1899 
1900  sm = sm->next;
1901  if (sm->type != DETECT_CONTENT) {
1902  result = 0;
1903  goto end;
1904  }
1905  data = (DetectContentData *)sm->ctx;
1906  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1907  data->flags & DETECT_CONTENT_NOCASE ||
1908  !(data->flags & DETECT_CONTENT_WITHIN) ||
1909  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1910  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1911  data->flags & DETECT_CONTENT_NEGATED ) {
1912  result = 0;
1913  printf("one failed\n");
1914  goto end;
1915  }
1916  result &= (strncmp((char *)data->content, "one", 3) == 0);
1917  if (result == 0)
1918  goto end;
1919 
1920  sm = sm->next;
1921  if (sm->type != DETECT_CONTENT) {
1922  result = 0;
1923  goto end;
1924  }
1925  data = (DetectContentData *)sm->ctx;
1926  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1927  data->flags & DETECT_CONTENT_NOCASE ||
1928  !(data->flags & DETECT_CONTENT_WITHIN) ||
1929  data->flags & DETECT_CONTENT_DISTANCE ||
1930  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1931  data->flags & DETECT_CONTENT_NEGATED ) {
1932  result = 0;
1933  printf("two failed\n");
1934  goto end;
1935  }
1936  result &= (strncmp((char *)data->content, "two", 3) == 0);
1937  if (result == 0)
1938  goto end;
1939 
1940  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1941  if (sm->type != DETECT_CONTENT) {
1942  result = 0;
1943  goto end;
1944  }
1945  data = (DetectContentData *)sm->ctx;
1946  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1947  data->flags & DETECT_CONTENT_NOCASE ||
1948  data->flags & DETECT_CONTENT_WITHIN ||
1949  data->flags & DETECT_CONTENT_DISTANCE ||
1950  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1951  data->flags & DETECT_CONTENT_NEGATED ) {
1952  printf("three failed\n");
1953  result = 0;
1954  goto end;
1955  }
1956  result &= (strncmp((char *)data->content, "three", 5) == 0);
1957  if (result == 0)
1958  goto end;
1959 
1960  sm = sm->next;
1961  if (sm->type != DETECT_CONTENT) {
1962  result = 0;
1963  goto end;
1964  }
1965  data = (DetectContentData *)sm->ctx;
1966  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1967  data->flags & DETECT_CONTENT_NOCASE ||
1968  data->flags & DETECT_CONTENT_WITHIN ||
1969  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1970  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1971  data->flags & DETECT_CONTENT_NEGATED ) {
1972  printf("four failed\n");
1973  result = 0;
1974  goto end;
1975  }
1976  result &= (strncmp((char *)data->content, "four", 4) == 0);
1977  if (result == 0)
1978  goto end;
1979 
1980  end:
1981  SigGroupCleanup(de_ctx);
1982  SigCleanSignatures(de_ctx);
1983  DetectEngineCtxFree(de_ctx);
1984 
1985  return result;
1986 }
1987 
1988 /**
1989  * \test Test content for dce sig.
1990  */
1991 static int DcePayloadParseTest34(void)
1992 {
1993  DetectEngineCtx *de_ctx = NULL;
1994  int result = 1;
1995  Signature *s = NULL;
1996  SigMatch *sm = NULL;
1997  DetectContentData *data = NULL;
1998  DetectPcreData *pd = NULL;
1999  DetectBytejumpData *bd = NULL;
2000 
2001  de_ctx = DetectEngineCtxInit();
2002  if (de_ctx == NULL)
2003  goto end;
2004 
2005  de_ctx->flags |= DE_QUIET;
2006  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2007  "(msg:\"Testing bytejump_body\"; "
2008  "dce_iface:12345678-1234-1234-1234-123456789012; "
2009  "dce_opnum:10; dce_stub_data; "
2010  "pcre:/boom/R; "
2011  "byte_jump:1,2,relative,align,dce; "
2012  "content:\"one\"; within:4; distance:8; "
2013  "pkt_data; "
2014  "content:\"two\"; "
2015  "sid:1;)");
2016  if (de_ctx->sig_list == NULL) {
2017  result = 0;
2018  goto end;
2019  }
2020 
2021  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2022  result = 0;
2023  goto end;
2024  }
2025  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2026  result = 0;
2027  goto end;
2028  }
2029 
2030  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2031  if (sm->type != DETECT_PCRE) {
2032  result = 0;
2033  goto end;
2034  }
2035  pd = (DetectPcreData *)sm->ctx;
2036  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2037  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2038  result = 0;
2039  goto end;
2040  }
2041 
2042  sm = sm->next;
2043  if (sm->type != DETECT_BYTEJUMP) {
2044  result = 0;
2045  goto end;
2046  }
2047  bd = (DetectBytejumpData *)sm->ctx;
2048  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
2049  bd->flags & DETECT_BYTEJUMP_LITTLE ||
2050  bd->flags & DETECT_BYTEJUMP_BIG ||
2051  bd->flags & DETECT_BYTEJUMP_STRING ||
2052  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2053  !(bd->flags & DETECT_BYTEJUMP_ALIGN) ||
2054  !(bd->flags & DETECT_BYTEJUMP_DCE) ) {
2055  result = 0;
2056  printf("one failed\n");
2057  goto end;
2058  }
2059 
2060  sm = sm->next;
2061  if (sm->type != DETECT_CONTENT) {
2062  result = 0;
2063  goto end;
2064  }
2065  data = (DetectContentData *)sm->ctx;
2066  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2067  data->flags & DETECT_CONTENT_NOCASE ||
2068  !(data->flags & DETECT_CONTENT_WITHIN) ||
2069  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2070  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2071  data->flags & DETECT_CONTENT_NEGATED ) {
2072  result = 0;
2073  printf("two failed\n");
2074  goto end;
2075  }
2076  result &= (strncmp((char *)data->content, "one", 3) == 0);
2077  if (result == 0)
2078  goto end;
2079 
2080  result &= (sm->next == NULL);
2081 
2082  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2083  if (sm->type != DETECT_CONTENT) {
2084  result = 0;
2085  goto end;
2086  }
2087  data = (DetectContentData *)sm->ctx;
2088  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2089  data->flags & DETECT_CONTENT_NOCASE ||
2090  data->flags & DETECT_CONTENT_WITHIN ||
2091  data->flags & DETECT_CONTENT_DISTANCE ||
2092  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2093  data->flags & DETECT_CONTENT_NEGATED ) {
2094  printf("three failed\n");
2095  result = 0;
2096  goto end;
2097  }
2098  result &= (strncmp((char *)data->content, "two", 3) == 0);
2099  if (result == 0)
2100  goto end;
2101 
2102  result &= (sm->next == NULL);
2103 
2104  end:
2105  SigGroupCleanup(de_ctx);
2106  SigCleanSignatures(de_ctx);
2107  DetectEngineCtxFree(de_ctx);
2108 
2109  return result;
2110 }
2111 
2112 /**
2113  * \test Test content for dce sig.
2114  */
2115 static int DcePayloadParseTest35(void)
2116 {
2117  DetectEngineCtx *de_ctx = NULL;
2118  int result = 1;
2119  Signature *s = NULL;
2120  SigMatch *sm = NULL;
2121  DetectContentData *data = NULL;
2122  DetectBytetestData *bd = NULL;
2123 
2124  de_ctx = DetectEngineCtxInit();
2125  if (de_ctx == NULL)
2126  goto end;
2127 
2128  de_ctx->flags |= DE_QUIET;
2129  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2130  "(msg:\"Testing bytejump_body\"; "
2131  "dce_iface:12345678-1234-1234-1234-123456789012; "
2132  "dce_opnum:10; dce_stub_data; "
2133  "byte_test:1,=,0,0,relative,dce; "
2134  "pkt_data; "
2135  "content:\"one\"; "
2136  "sid:1;)");
2137  if (de_ctx->sig_list == NULL) {
2138  result = 0;
2139  goto end;
2140  }
2141 
2142  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2143  result = 0;
2144  goto end;
2145  }
2146  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2147  result = 0;
2148  goto end;
2149  }
2150 
2151  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2152  if (sm->type != DETECT_BYTETEST) {
2153  result = 0;
2154  goto end;
2155  }
2156  bd = (DetectBytetestData *)sm->ctx;
2157  if (bd->flags & DETECT_BYTETEST_LITTLE ||
2158  bd->flags & DETECT_BYTETEST_BIG ||
2159  bd->flags & DETECT_BYTETEST_STRING ||
2160  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2161  !(bd->flags & DETECT_BYTETEST_DCE) ) {
2162  result = 0;
2163  printf("one failed\n");
2164  goto end;
2165  }
2166 
2167  result &= (sm->next == NULL);
2168 
2169  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2170  if (sm->type != DETECT_CONTENT) {
2171  result = 0;
2172  goto end;
2173  }
2174  data = (DetectContentData *)sm->ctx;
2175  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2176  data->flags & DETECT_CONTENT_NOCASE ||
2177  data->flags & DETECT_CONTENT_WITHIN ||
2178  data->flags & DETECT_CONTENT_DISTANCE ||
2179  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2180  data->flags & DETECT_CONTENT_NEGATED ) {
2181  result = 0;
2182  printf("two failed\n");
2183  goto end;
2184  }
2185  result &= (strncmp((char *)data->content, "one", 3) == 0);
2186  if (result == 0)
2187  goto end;
2188 
2189  result &= (sm->next == NULL);
2190 
2191  end:
2192  SigGroupCleanup(de_ctx);
2193  SigCleanSignatures(de_ctx);
2194  DetectEngineCtxFree(de_ctx);
2195 
2196  return result;
2197 }
2198 
2199 /**
2200  * \test Test content for dce sig.
2201  */
2202 static int DcePayloadParseTest36(void)
2203 {
2204  DetectEngineCtx *de_ctx = NULL;
2205  int result = 1;
2206  Signature *s = NULL;
2207  SigMatch *sm = NULL;
2208  DetectContentData *data = NULL;
2209  DetectIsdataatData *isd = NULL;
2210 
2211  de_ctx = DetectEngineCtxInit();
2212  if (de_ctx == NULL)
2213  goto end;
2214 
2215  de_ctx->flags |= DE_QUIET;
2216  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2217  "(msg:\"Testing bytejump_body\"; "
2218  "dce_iface:12345678-1234-1234-1234-123456789012; "
2219  "dce_opnum:10; dce_stub_data; "
2220  "isdataat:10,relative; "
2221  "content:\"one\"; within:4; distance:8; "
2222  "pkt_data; "
2223  "content:\"two\"; "
2224  "sid:1;)");
2225  if (de_ctx->sig_list == NULL) {
2226  result = 0;
2227  goto end;
2228  }
2229 
2230  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2231  result = 0;
2232  goto end;
2233  }
2234  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2235  result = 0;
2236  goto end;
2237  }
2238 
2239  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2240  if (sm->type != DETECT_ISDATAAT) {
2241  result = 0;
2242  goto end;
2243  }
2244  isd = (DetectIsdataatData *)sm->ctx;
2245  if ( isd->flags & ISDATAAT_RAWBYTES ||
2246  !(isd->flags & ISDATAAT_RELATIVE)) {
2247  result = 0;
2248  goto end;
2249  }
2250 
2251  sm = sm->next;
2252  if (sm->type != DETECT_CONTENT) {
2253  result = 0;
2254  goto end;
2255  }
2256  data = (DetectContentData *)sm->ctx;
2257  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2258  data->flags & DETECT_CONTENT_NOCASE ||
2259  !(data->flags & DETECT_CONTENT_WITHIN) ||
2260  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2261  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2262  data->flags & DETECT_CONTENT_NEGATED ) {
2263  result = 0;
2264  printf("two failed\n");
2265  goto end;
2266  }
2267  result &= (strncmp((char *)data->content, "one", 3) == 0);
2268  if (result == 0)
2269  goto end;
2270 
2271  result &= (sm->next == NULL);
2272 
2273  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2274  if (sm->type != DETECT_CONTENT) {
2275  result = 0;
2276  goto end;
2277  }
2278  data = (DetectContentData *)sm->ctx;
2279  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2280  data->flags & DETECT_CONTENT_NOCASE ||
2281  data->flags & DETECT_CONTENT_WITHIN ||
2282  data->flags & DETECT_CONTENT_DISTANCE ||
2283  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2284  data->flags & DETECT_CONTENT_NEGATED ) {
2285  printf("three failed\n");
2286  result = 0;
2287  goto end;
2288  }
2289  result &= (strncmp((char *)data->content, "two", 3) == 0);
2290  if (result == 0)
2291  goto end;
2292 
2293  result &= (sm->next == NULL);
2294 
2295  end:
2296  SigGroupCleanup(de_ctx);
2297  SigCleanSignatures(de_ctx);
2298  DetectEngineCtxFree(de_ctx);
2299 
2300  return result;
2301 }
2302 
2303 /**
2304  * \test Test content for dce sig.
2305  */
2306 static int DcePayloadParseTest37(void)
2307 {
2308  DetectEngineCtx *de_ctx = NULL;
2309  int result = 1;
2310  Signature *s = NULL;
2311  SigMatch *sm = NULL;
2312  DetectContentData *data = NULL;
2313  DetectBytejumpData *bjd = NULL;
2314  DetectBytetestData *btd = NULL;
2315 
2316  de_ctx = DetectEngineCtxInit();
2317  if (de_ctx == NULL)
2318  goto end;
2319 
2320  de_ctx->flags |= DE_QUIET;
2321  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2322  "(msg:\"Testing bytejump_body\"; "
2323  "dce_iface:12345678-1234-1234-1234-123456789012; "
2324  "dce_opnum:10; dce_stub_data; "
2325  "byte_jump:1,2,relative,align,dce; "
2326  "byte_test:1,=,2,0,relative,dce; "
2327  "pkt_data; "
2328  "content:\"one\"; "
2329  "sid:1;)");
2330  if (de_ctx->sig_list == NULL) {
2331  result = 0;
2332  goto end;
2333  }
2334 
2335  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2336  result = 0;
2337  goto end;
2338  }
2339  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2340  result = 0;
2341  goto end;
2342  }
2343 
2344  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2345  if (sm->type != DETECT_BYTEJUMP) {
2346  result = 0;
2347  goto end;
2348  }
2349  bjd = (DetectBytejumpData *)sm->ctx;
2350  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2351  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2352  bjd->flags & DETECT_BYTEJUMP_BIG ||
2353  bjd->flags & DETECT_BYTEJUMP_STRING ||
2354  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2355  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
2356  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
2357  result = 0;
2358  printf("one failed\n");
2359  goto end;
2360  }
2361 
2362  sm = sm->next;
2363  if (sm->type != DETECT_BYTETEST) {
2364  result = 0;
2365  goto end;
2366  }
2367  btd = (DetectBytetestData *)sm->ctx;
2368  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2369  btd->flags & DETECT_BYTETEST_BIG ||
2370  btd->flags & DETECT_BYTETEST_STRING ||
2371  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2372  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2373  result = 0;
2374  printf("one failed\n");
2375  goto end;
2376  }
2377 
2378  result &= (sm->next == NULL);
2379 
2380  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2381  if (sm->type != DETECT_CONTENT) {
2382  result = 0;
2383  goto end;
2384  }
2385  data = (DetectContentData *)sm->ctx;
2386  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2387  data->flags & DETECT_CONTENT_NOCASE ||
2388  data->flags & DETECT_CONTENT_WITHIN ||
2389  data->flags & DETECT_CONTENT_DISTANCE ||
2390  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2391  data->flags & DETECT_CONTENT_NEGATED ) {
2392  printf("three failed\n");
2393  result = 0;
2394  goto end;
2395  }
2396  result &= (strncmp((char *)data->content, "one", 3) == 0);
2397  if (result == 0)
2398  goto end;
2399 
2400  result &= (sm->next == NULL);
2401 
2402  end:
2403  SigGroupCleanup(de_ctx);
2404  SigCleanSignatures(de_ctx);
2405  DetectEngineCtxFree(de_ctx);
2406 
2407  return result;
2408 }
2409 
2410 /**
2411  * \test Test content for dce sig.
2412  */
2413 static int DcePayloadParseTest38(void)
2414 {
2415  DetectEngineCtx *de_ctx = NULL;
2416  int result = 1;
2417  Signature *s = NULL;
2418  SigMatch *sm = NULL;
2419  DetectContentData *data = NULL;
2420  DetectPcreData *pd = NULL;
2421  DetectBytejumpData *bjd = NULL;
2422  DetectBytetestData *btd = NULL;
2423 
2424  de_ctx = DetectEngineCtxInit();
2425  if (de_ctx == NULL)
2426  goto end;
2427 
2428  de_ctx->flags |= DE_QUIET;
2429  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2430  "(msg:\"Testing bytejump_body\"; "
2431  "dce_iface:12345678-1234-1234-1234-123456789012; "
2432  "dce_opnum:10; dce_stub_data; "
2433  "pcre:/boom/R; "
2434  "byte_jump:1,2,relative,align,dce; "
2435  "byte_test:1,=,2,0,relative,dce; "
2436  "pkt_data; "
2437  "content:\"one\"; "
2438  "sid:1;)");
2439  if (de_ctx->sig_list == NULL) {
2440  result = 0;
2441  goto end;
2442  }
2443 
2444  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2445  result = 0;
2446  goto end;
2447  }
2448  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2449  result = 0;
2450  goto end;
2451  }
2452 
2453  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2454  if (sm->type != DETECT_PCRE) {
2455  result = 0;
2456  goto end;
2457  }
2458  pd = (DetectPcreData *)sm->ctx;
2459  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2460  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2461  result = 0;
2462  printf("one failed\n");
2463  goto end;
2464  }
2465 
2466  sm = sm->next;
2467  if (sm->type != DETECT_BYTEJUMP) {
2468  result = 0;
2469  goto end;
2470  }
2471  bjd = (DetectBytejumpData *)sm->ctx;
2472  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2473  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2474  bjd->flags & DETECT_BYTEJUMP_BIG ||
2475  bjd->flags & DETECT_BYTEJUMP_STRING ||
2476  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2477  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
2478  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
2479  result = 0;
2480  printf("one failed\n");
2481  goto end;
2482  }
2483 
2484  sm = sm->next;
2485  if (sm->type != DETECT_BYTETEST) {
2486  result = 0;
2487  goto end;
2488  }
2489  btd = (DetectBytetestData *)sm->ctx;
2490  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2491  btd->flags & DETECT_BYTETEST_BIG ||
2492  btd->flags & DETECT_BYTETEST_STRING ||
2493  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2494  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2495  result = 0;
2496  printf("one failed\n");
2497  goto end;
2498  }
2499 
2500  result &= (sm->next == NULL);
2501 
2502  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2503  if (sm->type != DETECT_CONTENT) {
2504  result = 0;
2505  goto end;
2506  }
2507  data = (DetectContentData *)sm->ctx;
2508  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2509  data->flags & DETECT_CONTENT_NOCASE ||
2510  data->flags & DETECT_CONTENT_WITHIN ||
2511  data->flags & DETECT_CONTENT_DISTANCE ||
2512  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2513  data->flags & DETECT_CONTENT_NEGATED ) {
2514  printf("three failed\n");
2515  result = 0;
2516  goto end;
2517  }
2518  result &= (strncmp((char *)data->content, "one", 3) == 0);
2519  if (result == 0)
2520  goto end;
2521 
2522  result &= (sm->next == NULL);
2523 
2524  end:
2525  SigGroupCleanup(de_ctx);
2526  SigCleanSignatures(de_ctx);
2527  DetectEngineCtxFree(de_ctx);
2528 
2529  return result;
2530 }
2531 
2532 /**
2533  * \test Test content for dce sig.
2534  */
2535 static int DcePayloadParseTest39(void)
2536 {
2537  DetectEngineCtx *de_ctx = NULL;
2538  int result = 1;
2539  Signature *s = NULL;
2540  SigMatch *sm = NULL;
2541  DetectContentData *data = NULL;
2542 
2543  de_ctx = DetectEngineCtxInit();
2544  if (de_ctx == NULL)
2545  goto end;
2546 
2547  de_ctx->flags |= DE_QUIET;
2548  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2549  "(msg:\"Testing bytejump_body\"; "
2550  "content:\"one\"; "
2551  "dce_iface:12345678-1234-1234-1234-123456789012; "
2552  "dce_opnum:10; dce_stub_data; "
2553  "content:\"two\"; within:4; distance:8; "
2554  "sid:1;)");
2555  if (de_ctx->sig_list == NULL) {
2556  result = 0;
2557  goto end;
2558  }
2559 
2560  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2561  result = 0;
2562  goto end;
2563  }
2564  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2565  result = 0;
2566  goto end;
2567  }
2568 
2569  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2570  if (sm->type != DETECT_CONTENT) {
2571  result = 0;
2572  goto end;
2573  }
2574  data = (DetectContentData *)sm->ctx;
2575  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2576  data->flags & DETECT_CONTENT_NOCASE ||
2577  data->flags & DETECT_CONTENT_WITHIN ||
2578  data->flags & DETECT_CONTENT_DISTANCE ||
2579  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2580  data->flags & DETECT_CONTENT_NEGATED ) {
2581  printf("three failed\n");
2582  result = 0;
2583  goto end;
2584  }
2585  result &= (strncmp((char *)data->content, "one", 3) == 0);
2586  if (result == 0)
2587  goto end;
2588 
2589  result &= (sm->next == NULL);
2590 
2591  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2592  data = (DetectContentData *)sm->ctx;
2593  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2594  data->flags & DETECT_CONTENT_NOCASE ||
2595  !(data->flags & DETECT_CONTENT_WITHIN) ||
2596  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2597  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2598  data->flags & DETECT_CONTENT_NEGATED ) {
2599  printf("three failed\n");
2600  result = 0;
2601  goto end;
2602  }
2603  result &= (strncmp((char *)data->content, "two", 3) == 0);
2604  if (result == 0)
2605  goto end;
2606 
2607  result &= (sm->next == NULL);
2608 
2609  end:
2610  SigGroupCleanup(de_ctx);
2611  SigCleanSignatures(de_ctx);
2612  DetectEngineCtxFree(de_ctx);
2613 
2614  return result;
2615 }
2616 
2617 /**
2618  * \test Test content for dce sig.
2619  */
2620 static int DcePayloadParseTest40(void)
2621 {
2622  DetectEngineCtx *de_ctx = NULL;
2623  int result = 1;
2624  Signature *s = NULL;
2625  SigMatch *sm = NULL;
2626  DetectContentData *data = NULL;
2627  DetectBytetestData *btd = NULL;
2628 
2629  de_ctx = DetectEngineCtxInit();
2630  if (de_ctx == NULL)
2631  goto end;
2632 
2633  de_ctx->flags |= DE_QUIET;
2634  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2635  "(msg:\"Testing bytejump_body\"; "
2636  "dce_iface:12345678-1234-1234-1234-123456789012; "
2637  "dce_opnum:10; dce_stub_data; "
2638  "content:\"one\"; within:10; "
2639  "content:\"two\"; distance:20; within:30; "
2640  "byte_test:1,=,2,0,relative,dce; "
2641  "pkt_data; "
2642  "content:\"three\"; "
2643  "sid:1;)");
2644  if (de_ctx->sig_list == NULL) {
2645  result = 0;
2646  goto end;
2647  }
2648 
2649  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2650  result = 0;
2651  goto end;
2652  }
2653  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2654  result = 0;
2655  goto end;
2656  }
2657 
2658  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2659  if (sm->type != DETECT_CONTENT) {
2660  result = 0;
2661  goto end;
2662  }
2663  data = (DetectContentData *)sm->ctx;
2664  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2665  data->flags & DETECT_CONTENT_NOCASE ||
2666  !(data->flags & DETECT_CONTENT_WITHIN) ||
2667  data->flags & DETECT_CONTENT_DISTANCE ||
2668  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2669  data->flags & DETECT_CONTENT_NEGATED ) {
2670  printf("three failed\n");
2671  result = 0;
2672  goto end;
2673  }
2674  result &= (strncmp((char *)data->content, "one", 3) == 0);
2675  if (result == 0)
2676  goto end;
2677 
2678 
2679  sm = sm->next;
2680  if (sm->type != DETECT_CONTENT) {
2681  result = 0;
2682  goto end;
2683  }
2684  data = (DetectContentData *)sm->ctx;
2685  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2686  data->flags & DETECT_CONTENT_NOCASE ||
2687  !(data->flags & DETECT_CONTENT_WITHIN) ||
2688  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2689  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2690  data->flags & DETECT_CONTENT_NEGATED ) {
2691  printf("three failed\n");
2692  result = 0;
2693  goto end;
2694  }
2695  result &= (strncmp((char *)data->content, "two", 3) == 0);
2696  if (result == 0)
2697  goto end;
2698 
2699  sm = sm->next;
2700  if (sm->type != DETECT_BYTETEST) {
2701  result = 0;
2702  goto end;
2703  }
2704  btd = (DetectBytetestData *)sm->ctx;
2705  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2706  btd->flags & DETECT_BYTETEST_BIG ||
2707  btd->flags & DETECT_BYTETEST_STRING ||
2708  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2709  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2710  result = 0;
2711  printf("one failed\n");
2712  goto end;
2713  }
2714 
2715  result &= (sm->next == NULL);
2716 
2717  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2718  if (sm->type != DETECT_CONTENT) {
2719  result = 0;
2720  goto end;
2721  }
2722  data = (DetectContentData *)sm->ctx;
2723  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2724  data->flags & DETECT_CONTENT_NOCASE ||
2725  data->flags & DETECT_CONTENT_WITHIN ||
2726  data->flags & DETECT_CONTENT_DISTANCE ||
2727  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2728  data->flags & DETECT_CONTENT_NEGATED ) {
2729  printf("three failed\n");
2730  result = 0;
2731  goto end;
2732  }
2733  result &= (strncmp((char *)data->content, "three", 5) == 0);
2734  if (result == 0)
2735  goto end;
2736 
2737  result &= (sm->next == NULL);
2738 
2739  end:
2740  SigGroupCleanup(de_ctx);
2741  SigCleanSignatures(de_ctx);
2742  DetectEngineCtxFree(de_ctx);
2743 
2744  return result;
2745 }
2746 
2747 /**
2748  * \test Test content for dce sig.
2749  */
2750 static int DcePayloadParseTest41(void)
2751 {
2752  DetectEngineCtx *de_ctx = NULL;
2753  int result = 1;
2754  Signature *s = NULL;
2755  SigMatch *sm = NULL;
2756  DetectContentData *data = NULL;
2757  DetectBytetestData *btd = NULL;
2758 
2759  de_ctx = DetectEngineCtxInit();
2760  if (de_ctx == NULL)
2761  goto end;
2762 
2763  de_ctx->flags |= DE_QUIET;
2764  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2765  "(msg:\"Testing bytejump_body\"; "
2766  "dce_iface:12345678-1234-1234-1234-123456789012; "
2767  "dce_opnum:10; dce_stub_data; "
2768  "content:\"one\"; within:10; "
2769  "pkt_data; "
2770  "content:\"two\"; "
2771  "byte_test:1,=,2,0,relative,dce; "
2772  "content:\"three\"; "
2773  "sid:1;)");
2774  if (de_ctx->sig_list == NULL) {
2775  result = 0;
2776  goto end;
2777  }
2778 
2779  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2780  result = 0;
2781  goto end;
2782  }
2783  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2784  result = 0;
2785  goto end;
2786  }
2787 
2788  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2789  if (sm->type != DETECT_CONTENT) {
2790  result = 0;
2791  goto end;
2792  }
2793  data = (DetectContentData *)sm->ctx;
2794  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2795  data->flags & DETECT_CONTENT_NOCASE ||
2796  !(data->flags & DETECT_CONTENT_WITHIN) ||
2797  data->flags & DETECT_CONTENT_DISTANCE ||
2798  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2799  data->flags & DETECT_CONTENT_NEGATED ) {
2800  printf("three failed\n");
2801  result = 0;
2802  goto end;
2803  }
2804  result &= (strncmp((char *)data->content, "one", 3) == 0);
2805  if (result == 0)
2806  goto end;
2807 
2808  result &= (sm->next == NULL);
2809 
2810  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2811  if (sm->type != DETECT_CONTENT) {
2812  result = 0;
2813  goto end;
2814  }
2815  data = (DetectContentData *)sm->ctx;
2816  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2817  data->flags & DETECT_CONTENT_NOCASE ||
2818  data->flags & DETECT_CONTENT_WITHIN ||
2819  data->flags & DETECT_CONTENT_DISTANCE ||
2820  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2821  data->flags & DETECT_CONTENT_NEGATED ) {
2822  printf("three failed\n");
2823  result = 0;
2824  goto end;
2825  }
2826  result &= (strncmp((char *)data->content, "two", 3) == 0);
2827  if (result == 0)
2828  goto end;
2829 
2830  sm = sm->next;
2831  if (sm->type != DETECT_BYTETEST) {
2832  result = 0;
2833  goto end;
2834  }
2835  btd = (DetectBytetestData *)sm->ctx;
2836  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2837  btd->flags & DETECT_BYTETEST_BIG ||
2838  btd->flags & DETECT_BYTETEST_STRING ||
2839  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2840  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2841  result = 0;
2842  printf("one failed\n");
2843  goto end;
2844  }
2845 
2846  sm = sm->next;
2847  if (sm->type != DETECT_CONTENT) {
2848  result = 0;
2849  goto end;
2850  }
2851  data = (DetectContentData *)sm->ctx;
2852  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2853  data->flags & DETECT_CONTENT_NOCASE ||
2854  data->flags & DETECT_CONTENT_WITHIN ||
2855  data->flags & DETECT_CONTENT_DISTANCE ||
2856  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2857  data->flags & DETECT_CONTENT_NEGATED ) {
2858  printf("three failed\n");
2859  result = 0;
2860  goto end;
2861  }
2862  result &= (strncmp((char *)data->content, "three", 5) == 0);
2863  if (result == 0)
2864  goto end;
2865 
2866  result &= (sm->next == NULL);
2867 
2868  end:
2869  SigGroupCleanup(de_ctx);
2870  SigCleanSignatures(de_ctx);
2871  DetectEngineCtxFree(de_ctx);
2872 
2873  return result;
2874 }
2875 
2876 /**
2877  * \test Test content for dce sig.
2878  */
2879 static int DcePayloadParseTest44(void)
2880 {
2881  DetectEngineCtx *de_ctx = NULL;
2882  Signature *s = NULL;
2883  SigMatch *sm = NULL;
2884  DetectContentData *data = NULL;
2885  DetectIsdataatData *isd = NULL;
2886 
2887  de_ctx = DetectEngineCtxInit();
2888  FAIL_IF_NULL(de_ctx);
2889  de_ctx->flags |= DE_QUIET;
2890 
2891  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
2892  "content:\"one\"; "
2893  "dce_iface:12345678-1234-1234-1234-123456789012; "
2894  "dce_opnum:10; dce_stub_data; "
2895  "isdataat:10,relative; "
2896  "content:\"one\"; within:4; distance:8; "
2897  "pkt_data; "
2898  "content:\"two\"; "
2899  "sid:1;)");
2900  FAIL_IF_NULL(s);
2901 
2902  FAIL_IF_NULL(s->init_data->smlists_tail[g_dce_stub_data_buffer_id]);
2903  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
2904 
2905  /* isdataat:10,relative; */
2906  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2907  FAIL_IF(sm->type != DETECT_ISDATAAT);
2908  isd = (DetectIsdataatData *)sm->ctx;
2909  FAIL_IF(isd->flags & ISDATAAT_RAWBYTES);
2910  FAIL_IF_NOT(isd->flags & ISDATAAT_RELATIVE);
2911  FAIL_IF_NULL(sm->next);
2912 
2913  sm = sm->next;
2914 
2915  /* content:\"one\"; within:4; distance:8; */
2916  FAIL_IF(sm->type != DETECT_CONTENT);
2917  data = (DetectContentData *)sm->ctx;
2918  FAIL_IF (data->flags & DETECT_CONTENT_RAWBYTES ||
2919  data->flags & DETECT_CONTENT_NOCASE ||
2920  !(data->flags & DETECT_CONTENT_WITHIN) ||
2921  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2922  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2923  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2924  data->flags & DETECT_CONTENT_NEGATED );
2925 
2926  FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
2927  FAIL_IF_NOT(sm->next == NULL);
2928 
2929  /* first content:\"one\"; */
2930  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2931  FAIL_IF(sm->type != DETECT_CONTENT);
2932  data = (DetectContentData *)sm->ctx;
2933  FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES);
2934  FAIL_IF(data->flags & DETECT_CONTENT_NOCASE);
2935  FAIL_IF(data->flags & DETECT_CONTENT_WITHIN);
2936  FAIL_IF(data->flags & DETECT_CONTENT_DISTANCE);
2937  FAIL_IF(data->flags & DETECT_CONTENT_FAST_PATTERN);
2938  FAIL_IF(data->flags & DETECT_CONTENT_RELATIVE_NEXT);
2939  FAIL_IF(data->flags & DETECT_CONTENT_NEGATED );
2940  FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
2941 
2942  FAIL_IF_NULL(sm->next);
2943  sm = sm->next;
2944 
2945  FAIL_IF(sm->type != DETECT_CONTENT);
2946 
2947  data = (DetectContentData *)sm->ctx;
2948  FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES ||
2949  data->flags & DETECT_CONTENT_NOCASE ||
2950  data->flags & DETECT_CONTENT_WITHIN ||
2951  data->flags & DETECT_CONTENT_DISTANCE ||
2952  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2953  data->flags & DETECT_CONTENT_NEGATED );
2954 
2955  FAIL_IF_NOT(strncmp((char *)data->content, "two", 3) == 0);
2956 
2957  FAIL_IF_NOT(sm->next == NULL);
2958 
2959  SigGroupCleanup(de_ctx);
2960  SigCleanSignatures(de_ctx);
2961  DetectEngineCtxFree(de_ctx);
2962 
2963  PASS;
2964 }
2965 
2966 /**
2967  * \test Test content for dce sig.
2968  */
2969 static int DcePayloadParseTest45(void)
2970 {
2971  DetectEngineCtx *de_ctx = NULL;
2972  int result = 1;
2973  Signature *s = NULL;
2974  SigMatch *sm = NULL;
2975  DetectContentData *data = NULL;
2976  DetectBytejumpData *bjd = NULL;
2977 
2978  de_ctx = DetectEngineCtxInit();
2979  if (de_ctx == NULL)
2980  goto end;
2981 
2982  de_ctx->flags |= DE_QUIET;
2983  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2984  "(msg:\"Testing bytejump_body\"; "
2985  "dce_iface:12345678-1234-1234-1234-123456789012; "
2986  "content:\"one\"; "
2987  "dce_opnum:10; dce_stub_data; "
2988  "byte_jump:1,2,relative,align,dce; "
2989  "pkt_data; "
2990  "content:\"two\"; "
2991  "sid:1;)");
2992  if (de_ctx->sig_list == NULL) {
2993  result = 0;
2994  goto end;
2995  }
2996 
2997  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2998  result = 0;
2999  goto end;
3000  }
3001  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3002  result = 0;
3003  goto end;
3004  }
3005 
3006  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
3007  if (sm->type != DETECT_BYTEJUMP) {
3008  result = 0;
3009  goto end;
3010  }
3011  bjd = (DetectBytejumpData *)sm->ctx;
3012  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
3013  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
3014  bjd->flags & DETECT_BYTEJUMP_BIG ||
3015  bjd->flags & DETECT_BYTEJUMP_STRING ||
3016  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
3017  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
3018  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
3019  result = 0;
3020  printf("one failed\n");
3021  goto end;
3022  }
3023 
3024  result &= (sm->next == NULL);
3025 
3026  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3027  if (sm->type != DETECT_CONTENT) {
3028  result = 0;
3029  goto end;
3030  }
3031  data = (DetectContentData *)sm->ctx;
3032  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3033  data->flags & DETECT_CONTENT_NOCASE ||
3034  data->flags & DETECT_CONTENT_WITHIN ||
3035  data->flags & DETECT_CONTENT_DISTANCE ||
3036  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3037  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3038  data->flags & DETECT_CONTENT_NEGATED ) {
3039  printf("one failed\n");
3040  result = 0;
3041  goto end;
3042  }
3043  result &= (strncmp((char *)data->content, "one", 3) == 0);
3044  if (result == 0)
3045  goto end;
3046 
3047  sm = sm->next;
3048  if (sm->type != DETECT_CONTENT) {
3049  result = 0;
3050  goto end;
3051  }
3052  data = (DetectContentData *)sm->ctx;
3053  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3054  data->flags & DETECT_CONTENT_NOCASE ||
3055  data->flags & DETECT_CONTENT_WITHIN ||
3056  data->flags & DETECT_CONTENT_DISTANCE ||
3057  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3058  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3059  data->flags & DETECT_CONTENT_NEGATED ) {
3060  printf("two failed\n");
3061  result = 0;
3062  goto end;
3063  }
3064  result &= (strncmp((char *)data->content, "two", 3) == 0);
3065  if (result == 0)
3066  goto end;
3067 
3068  result &= (sm->next == NULL);
3069 
3070  end:
3071  SigGroupCleanup(de_ctx);
3072  SigCleanSignatures(de_ctx);
3073  DetectEngineCtxFree(de_ctx);
3074 
3075  return result;
3076 }
3077 
3078 /**
3079  * \test Test content for dce sig.
3080  */
3081 static int DcePayloadParseTest46(void)
3082 {
3083  DetectEngineCtx *de_ctx = NULL;
3084  int result = 1;
3085  Signature *s = NULL;
3086  SigMatch *sm = NULL;
3087  DetectContentData *data = NULL;
3088  DetectBytetestData *btd = NULL;
3089 
3090  de_ctx = DetectEngineCtxInit();
3091  if (de_ctx == NULL)
3092  goto end;
3093 
3094  de_ctx->flags |= DE_QUIET;
3095  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3096  "(msg:\"Testing bytejump_body\"; "
3097  "dce_iface:12345678-1234-1234-1234-123456789012; "
3098  "content:\"one\"; "
3099  "dce_opnum:10; dce_stub_data; "
3100  "byte_test:1,=,2,0,relative,dce; "
3101  "pkt_data; "
3102  "content:\"two\"; "
3103  "sid:1;)");
3104  if (de_ctx->sig_list == NULL) {
3105  result = 0;
3106  goto end;
3107  }
3108 
3109  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
3110  result = 0;
3111  goto end;
3112  }
3113  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3114  result = 0;
3115  goto end;
3116  }
3117 
3118  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
3119  if (sm->type != DETECT_BYTETEST) {
3120  result = 0;
3121  goto end;
3122  }
3123  btd = (DetectBytetestData *)sm->ctx;
3124  if (btd->flags & DETECT_BYTETEST_LITTLE ||
3125  btd->flags & DETECT_BYTETEST_BIG ||
3126  btd->flags & DETECT_BYTETEST_STRING ||
3127  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
3128  !(btd->flags & DETECT_BYTETEST_DCE) ) {
3129  result = 0;
3130  printf("one failed\n");
3131  goto end;
3132  }
3133 
3134  result &= (sm->next == NULL);
3135 
3136  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3137  if (sm->type != DETECT_CONTENT) {
3138  result = 0;
3139  goto end;
3140  }
3141  data = (DetectContentData *)sm->ctx;
3142  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3143  data->flags & DETECT_CONTENT_NOCASE ||
3144  data->flags & DETECT_CONTENT_WITHIN ||
3145  data->flags & DETECT_CONTENT_DISTANCE ||
3146  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3147  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3148  data->flags & DETECT_CONTENT_NEGATED ) {
3149  printf("one failed\n");
3150  result = 0;
3151  goto end;
3152  }
3153  result &= (strncmp((char *)data->content, "one", 3) == 0);
3154  if (result == 0)
3155  goto end;
3156 
3157  sm = sm->next;
3158  if (sm->type != DETECT_CONTENT) {
3159  result = 0;
3160  goto end;
3161  }
3162  data = (DetectContentData *)sm->ctx;
3163  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3164  data->flags & DETECT_CONTENT_NOCASE ||
3165  data->flags & DETECT_CONTENT_WITHIN ||
3166  data->flags & DETECT_CONTENT_DISTANCE ||
3167  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3168  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3169  data->flags & DETECT_CONTENT_NEGATED ) {
3170  printf("two failed\n");
3171  result = 0;
3172  goto end;
3173  }
3174  result &= (strncmp((char *)data->content, "two", 3) == 0);
3175  if (result == 0)
3176  goto end;
3177 
3178  result &= (sm->next == NULL);
3179 
3180  end:
3181  SigGroupCleanup(de_ctx);
3182  SigCleanSignatures(de_ctx);
3183  DetectEngineCtxFree(de_ctx);
3184 
3185  return result;
3186 }
3187 
3188 #endif /* UNITTESTS */
3189 
3190 void DcePayloadRegisterTests(void)
3191 {
3192  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
3193 
3194 #ifdef UNITTESTS
3195  UtRegisterTest("DcePayloadTest15", DcePayloadTest15);
3196  UtRegisterTest("DcePayloadTest16", DcePayloadTest16);
3197  UtRegisterTest("DcePayloadTest17", DcePayloadTest17);
3198  UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
3199  UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
3200  UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
3201 
3202  UtRegisterTest("DcePayloadParseTest25", DcePayloadParseTest25);
3203  UtRegisterTest("DcePayloadParseTest26", DcePayloadParseTest26);
3204  UtRegisterTest("DcePayloadParseTest27", DcePayloadParseTest27);
3205  UtRegisterTest("DcePayloadParseTest28", DcePayloadParseTest28);
3206  UtRegisterTest("DcePayloadParseTest29", DcePayloadParseTest29);
3207  UtRegisterTest("DcePayloadParseTest30", DcePayloadParseTest30);
3208  UtRegisterTest("DcePayloadParseTest31", DcePayloadParseTest31);
3209  UtRegisterTest("DcePayloadParseTest32", DcePayloadParseTest32);
3210  UtRegisterTest("DcePayloadParseTest33", DcePayloadParseTest33);
3211  UtRegisterTest("DcePayloadParseTest34", DcePayloadParseTest34);
3212  UtRegisterTest("DcePayloadParseTest35", DcePayloadParseTest35);
3213  UtRegisterTest("DcePayloadParseTest36", DcePayloadParseTest36);
3214  UtRegisterTest("DcePayloadParseTest37", DcePayloadParseTest37);
3215  UtRegisterTest("DcePayloadParseTest38", DcePayloadParseTest38);
3216  UtRegisterTest("DcePayloadParseTest39", DcePayloadParseTest39);
3217  UtRegisterTest("DcePayloadParseTest40", DcePayloadParseTest40);
3218  UtRegisterTest("DcePayloadParseTest41", DcePayloadParseTest41);
3219 
3220  UtRegisterTest("DcePayloadParseTest44", DcePayloadParseTest44);
3221  UtRegisterTest("DcePayloadParseTest45", DcePayloadParseTest45);
3222  UtRegisterTest("DcePayloadParseTest46", DcePayloadParseTest46);
3223 #endif /* UNITTESTS */
3224 
3225  return;
3226 }
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
app-layer-dcerpc.h
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1087
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:73
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DETECT_BYTEJUMP_LITTLE
#define DETECT_BYTEJUMP_LITTLE
Definition: detect-bytejump.h:35
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:59
detect-isdataat.h
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
Flow_::proto
uint8_t proto
Definition: flow.h:361
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:446
DcePayloadRegisterTests
void DcePayloadRegisterTests(void)
Definition: detect-engine-dcepayload.c:3190
Flow_
Flow data structure.
Definition: flow.h:343
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2035
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DETECT_BYTETEST_DCE
#define DETECT_BYTETEST_DCE
Definition: detect-bytetest.h:47
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2092
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:276
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
DETECT_BYTEJUMP_DCE
#define DETECT_BYTEJUMP_DCE
Definition: detect-bytejump.h:40
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:48
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
DetectBytetestData_
Definition: detect-bytetest.h:52
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:442
DETECT_BYTEJUMP_BIG
#define DETECT_BYTEJUMP_BIG
Definition: detect-bytejump.h:36
Flow_::protoctx
void * protoctx
Definition: flow.h:416
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:94
DetectBytejumpData_
Definition: detect-bytejump.h:44
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:260
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:879
Signature_::next
struct Signature_ * next
Definition: detect.h:599
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:523
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
DETECT_BYTETEST_RELATIVE
#define DETECT_BYTETEST_RELATIVE
Definition: detect-bytetest.h:46
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_PCRE_RAWBYTES
#define DETECT_PCRE_RAWBYTES
Definition: detect-pcre.h:30
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
DETECT_BYTEJUMP_ALIGN
#define DETECT_BYTEJUMP_ALIGN
Definition: detect-bytejump.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:257
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:323
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1943
Packet_
Definition: decode.h:411
DETECT_BYTETEST_BIG
#define DETECT_BYTETEST_BIG
Definition: detect-bytetest.h:44
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:596
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:521
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:61
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
SigMatch_::type
uint8_t type
Definition: detect.h:320
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:250
detect-engine-content-inspection.h
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:72
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2340
Packet_::flow
struct Flow_ * flow
Definition: decode.h:448
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2796
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1166
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3004
detect-byte-extract.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
Flow_::flags
uint32_t flags
Definition: flow.h:396
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:79
DETECT_BYTETEST_STRING
#define DETECT_BYTETEST_STRING
Definition: detect-bytetest.h:45
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:220
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2047
suricata.h
DetectPcreData_
Definition: detect-pcre.h:39
DETECT_BYTEJUMP_STRING
#define DETECT_BYTEJUMP_STRING
Definition: detect-bytejump.h:37
DETECT_BYTEJUMP_BEGIN
#define DETECT_BYTEJUMP_BEGIN
Definition: detect-bytejump.h:34
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
DETECT_PCRE_RELATIVE
#define DETECT_PCRE_RELATIVE
Definition: detect-pcre.h:29
TcpSession_
Definition: stream-tcp-private.h:260
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
detect-engine-dcepayload.h
DETECT_BYTETEST_LITTLE
#define DETECT_BYTETEST_LITTLE
Definition: detect-bytetest.h:43
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
DETECT_BYTEJUMP_RELATIVE
#define DETECT_BYTEJUMP_RELATIVE
Definition: detect-bytejump.h:38
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1085
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:47
app-layer.h
detect-bytetest.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467