suricata
detect-engine-dcepayload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-engine.h"
31 #include "detect-parse.h"
32 #include "detect-pcre.h"
33 #include "detect-isdataat.h"
34 #include "detect-bytetest.h"
35 #include "detect-bytejump.h"
36 #include "detect-byte-extract.h"
37 #include "detect-content.h"
38 #include "detect-engine-content-inspection.h"
39 #include "detect-engine-dcepayload.h"
40 
41 #include "stream-tcp.h"
42 
43 #include "app-layer.h"
44 #include "app-layer-dcerpc.h"
45 #include "flow-util.h"
46 #include "util-debug.h"
47 
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
50 
51 #include "detect-dce-iface.h"
52 
53 static int g_dce_stub_data_buffer_id = 0;
54 
55 
56 /**************************************Unittests*******************************/
57 
58 #ifdef UNITTESTS
59 
60 /**
61  * \test Test the working of byte_test endianness.
62  */
63 static int DcePayloadTest15(void)
64 {
65  int result = 0;
66 
67  uint8_t request1[] = {
68  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
69  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
70  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
71  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
72  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
73  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
74  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
75  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
76  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
77  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
78  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
79  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
80  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
81  };
82  uint32_t request1_len = sizeof(request1);
83 
84  TcpSession ssn;
85  Packet *p = NULL;
86  ThreadVars tv;
87  DetectEngineCtx *de_ctx = NULL;
88  DetectEngineThreadCtx *det_ctx = NULL;
89  Flow f;
90  int r;
91 
92  const char *sig1 = "alert tcp any any -> any any "
93  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
94  "byte_test:2,=,14080,0,relative,dce; sid:1;)";
95  const char *sig2 = "alert tcp any any -> any any "
96  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
97  "byte_test:2,=,46,5,relative,dce; sid:2;)";
98 
99  Signature *s;
100  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
101 
102  memset(&tv, 0, sizeof(ThreadVars));
103  memset(&f, 0, sizeof(Flow));
104  memset(&ssn, 0, sizeof(TcpSession));
105 
106  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
107  p->flow = &f;
108  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
109  p->flowflags |= FLOW_PKT_TOSERVER;
110  p->flowflags |= FLOW_PKT_ESTABLISHED;
111 
112  FLOW_INITIALIZE(&f);
113  f.protoctx = (void *)&ssn;
114  f.proto = IPPROTO_TCP;
115  f.flags |= FLOW_IPV4;
116  f.alproto = ALPROTO_DCERPC;
117 
118  StreamTcpInitConfig(TRUE);
119 
120  de_ctx = DetectEngineCtxInit();
121  if (de_ctx == NULL)
122  goto end;
123  de_ctx->flags |= DE_QUIET;
124 
125  de_ctx->sig_list = SigInit(de_ctx, sig1);
126  s = de_ctx->sig_list;
127  if (s == NULL)
128  goto end;
129  s->next = SigInit(de_ctx, sig2);
130  if (s->next == NULL)
131  goto end;
132 
133  SigGroupBuild(de_ctx);
134  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
135 
136  /* request 1 */
137  FLOWLOCK_WRLOCK(&f);
138  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
139  STREAM_TOSERVER, request1, request1_len);
140  if (r != 0) {
141  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
142  result = 0;
143  FLOWLOCK_UNLOCK(&f);
144  goto end;
145  }
146  FLOWLOCK_UNLOCK(&f);
147  /* detection phase */
148  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
149  if (!(PacketAlertCheck(p, 1))) {
150  printf("sid 1 didn't match but should have for packet: ");
151  goto end;
152  }
153  if (!(PacketAlertCheck(p, 2))) {
154  printf("sid 2 didn't match but should have for packet: ");
155  goto end;
156  }
157 
158  result = 1;
159 
160 end:
161  if (alp_tctx != NULL)
162  AppLayerParserThreadCtxFree(alp_tctx);
163  if (de_ctx != NULL) {
164  SigGroupCleanup(de_ctx);
165  SigCleanSignatures(de_ctx);
166 
167  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
168  DetectEngineCtxFree(de_ctx);
169  }
170 
171  StreamTcpFreeConfig(TRUE);
172 
173  UTHFreePackets(&p, 1);
174  return result;
175 }
176 
177 /**
178  * \test Test the working of byte_test endianness.
179  */
180 static int DcePayloadTest16(void)
181 {
182  int result = 0;
183 
184  uint8_t request1[] = {
185  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
186  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
187  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
188  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
189  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
190  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
191  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
192  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
193  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
194  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
195  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
196  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
197  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
198  };
199  uint32_t request1_len = sizeof(request1);
200 
201  TcpSession ssn;
202  Packet *p = NULL;
203  ThreadVars tv;
204  DetectEngineCtx *de_ctx = NULL;
205  DetectEngineThreadCtx *det_ctx = NULL;
206  Flow f;
207  int r;
208 
209  const char *sig1 = "alert tcp any any -> any any "
210  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
211  "byte_test:2,=,55,0,relative; sid:1;)";
212  const char *sig2 = "alert tcp any any -> any any "
213  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
214  "byte_test:2,=,11776,5,relative; sid:2;)";
215 
216  Signature *s;
217  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
218 
219  memset(&tv, 0, sizeof(ThreadVars));
220  memset(&f, 0, sizeof(Flow));
221  memset(&ssn, 0, sizeof(TcpSession));
222 
223  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
224  p->flow = &f;
225  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
226  p->flowflags |= FLOW_PKT_TOSERVER;
227  p->flowflags |= FLOW_PKT_ESTABLISHED;
228 
229  FLOW_INITIALIZE(&f);
230  f.protoctx = (void *)&ssn;
231  f.proto = IPPROTO_TCP;
232  f.flags |= FLOW_IPV4;
233  f.alproto = ALPROTO_DCERPC;
234 
235  StreamTcpInitConfig(TRUE);
236 
237  de_ctx = DetectEngineCtxInit();
238  if (de_ctx == NULL)
239  goto end;
240  de_ctx->flags |= DE_QUIET;
241 
242  de_ctx->sig_list = SigInit(de_ctx, sig1);
243  s = de_ctx->sig_list;
244  if (s == NULL)
245  goto end;
246  s->next = SigInit(de_ctx, sig2);
247  if (s->next == NULL)
248  goto end;
249 
250  SigGroupBuild(de_ctx);
251  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
252 
253  /* request 1 */
254  FLOWLOCK_WRLOCK(&f);
255  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
256  STREAM_TOSERVER, request1, request1_len);
257  if (r != 0) {
258  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
259  result = 0;
260  FLOWLOCK_UNLOCK(&f);
261  goto end;
262  }
263  FLOWLOCK_UNLOCK(&f);
264  /* detection phase */
265  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
266  if (!(PacketAlertCheck(p, 1))) {
267  printf("sid 1 didn't match but should have for packet: ");
268  goto end;
269  }
270  if (!(PacketAlertCheck(p, 2))) {
271  printf("sid 2 didn't match but should have for packet: ");
272  goto end;
273  }
274 
275  result = 1;
276 
277 end:
278  if (alp_tctx != NULL)
279  AppLayerParserThreadCtxFree(alp_tctx);
280  if (de_ctx != NULL) {
281  SigGroupCleanup(de_ctx);
282  SigCleanSignatures(de_ctx);
283 
284  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
285  DetectEngineCtxFree(de_ctx);
286  }
287 
288  StreamTcpFreeConfig(TRUE);
289 
290  UTHFreePackets(&p, 1);
291  return result;
292 }
293 
294 /**
295  * \test Test the working of byte_test endianness.
296  */
297 static int DcePayloadTest17(void)
298 {
299  int result = 0;
300 
301  uint8_t request1[] = {
302  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
303  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
304  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
305  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
306  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
307  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
308  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
309  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
310  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
311  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
312  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
313  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
314  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
315  };
316  uint32_t request1_len = sizeof(request1);
317 
318  TcpSession ssn;
319  Packet *p = NULL;
320  ThreadVars tv;
321  DetectEngineCtx *de_ctx = NULL;
322  DetectEngineThreadCtx *det_ctx = NULL;
323  Flow f;
324  int r;
325 
326  const char *sig1 = "alert tcp any any -> any any "
327  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
328  "byte_test:2,=,55,0,relative,big; sid:1;)";
329  const char *sig2 = "alert tcp any any -> any any "
330  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
331  "byte_test:2,=,46,5,relative,little; sid:2;)";
332 
333  Signature *s;
334  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
335 
336  memset(&tv, 0, sizeof(ThreadVars));
337  memset(&f, 0, sizeof(Flow));
338  memset(&ssn, 0, sizeof(TcpSession));
339 
340  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
341  p->flow = &f;
342  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
343  p->flowflags |= FLOW_PKT_TOSERVER;
344  p->flowflags |= FLOW_PKT_ESTABLISHED;
345 
346  FLOW_INITIALIZE(&f);
347  f.protoctx = (void *)&ssn;
348  f.proto = IPPROTO_TCP;
349  f.flags |= FLOW_IPV4;
350  f.alproto = ALPROTO_DCERPC;
351 
352  StreamTcpInitConfig(TRUE);
353 
354  de_ctx = DetectEngineCtxInit();
355  if (de_ctx == NULL)
356  goto end;
357  de_ctx->flags |= DE_QUIET;
358 
359  de_ctx->sig_list = SigInit(de_ctx, sig1);
360  s = de_ctx->sig_list;
361  if (s == NULL)
362  goto end;
363  s->next = SigInit(de_ctx, sig2);
364  if (s->next == NULL)
365  goto end;
366 
367  SigGroupBuild(de_ctx);
368  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
369 
370  /* request 1 */
371  FLOWLOCK_WRLOCK(&f);
372  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
373  STREAM_TOSERVER, request1, request1_len);
374  if (r != 0) {
375  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
376  result = 0;
377  FLOWLOCK_UNLOCK(&f);
378  goto end;
379  }
380  FLOWLOCK_UNLOCK(&f);
381  /* detection phase */
382  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
383  if (!(PacketAlertCheck(p, 1))) {
384  printf("sid 1 didn't match but should have for packet: ");
385  goto end;
386  }
387  if (!(PacketAlertCheck(p, 2))) {
388  printf("sid 2 didn't match but should have for packet: ");
389  goto end;
390  }
391 
392  result = 1;
393 
394 end:
395  if (alp_tctx != NULL)
396  AppLayerParserThreadCtxFree(alp_tctx);
397  if (de_ctx != NULL) {
398  SigGroupCleanup(de_ctx);
399  SigCleanSignatures(de_ctx);
400 
401  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
402  DetectEngineCtxFree(de_ctx);
403  }
404 
405  StreamTcpFreeConfig(TRUE);
406 
407  UTHFreePackets(&p, 1);
408  return result;
409 }
410 
411 /**
412  * \test Test the working of byte_jump endianness.
413  */
414 static int DcePayloadTest18(void)
415 {
416  int result = 0;
417 
418  uint8_t request1[] = {
419  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
420  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
421  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
422  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
423  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
424  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x03, 0x00, 0x03,
425  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
426  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
427  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
428  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
429  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
430  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
431  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
432  };
433  uint32_t request1_len = sizeof(request1);
434 
435  TcpSession ssn;
436  Packet *p = NULL;
437  ThreadVars tv;
438  DetectEngineCtx *de_ctx = NULL;
439  DetectEngineThreadCtx *det_ctx = NULL;
440  Flow f;
441  int r;
442 
443  const char *sig1 = "alert tcp any any -> any any "
444  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
445  "byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
446  const char *sig2 = "alert tcp any any -> any any "
447  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
448  "byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
449 
450  Signature *s;
451  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
452 
453  memset(&tv, 0, sizeof(ThreadVars));
454  memset(&f, 0, sizeof(Flow));
455  memset(&ssn, 0, sizeof(TcpSession));
456 
457  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
458  p->flow = &f;
459  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
460  p->flowflags |= FLOW_PKT_TOSERVER;
461  p->flowflags |= FLOW_PKT_ESTABLISHED;
462 
463  FLOW_INITIALIZE(&f);
464  f.protoctx = (void *)&ssn;
465  f.proto = IPPROTO_TCP;
466  f.flags |= FLOW_IPV4;
467  f.alproto = ALPROTO_DCERPC;
468 
469  StreamTcpInitConfig(TRUE);
470 
471  de_ctx = DetectEngineCtxInit();
472  if (de_ctx == NULL)
473  goto end;
474  de_ctx->flags |= DE_QUIET;
475 
476  de_ctx->sig_list = SigInit(de_ctx, sig1);
477  s = de_ctx->sig_list;
478  if (s == NULL)
479  goto end;
480  s->next = SigInit(de_ctx, sig2);
481  if (s->next == NULL)
482  goto end;
483 
484  SigGroupBuild(de_ctx);
485  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
486 
487  /* request 1 */
488  FLOWLOCK_WRLOCK(&f);
489  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
490  STREAM_TOSERVER, request1, request1_len);
491  if (r != 0) {
492  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
493  result = 0;
494  FLOWLOCK_UNLOCK(&f);
495  goto end;
496  }
497  FLOWLOCK_UNLOCK(&f);
498  /* detection phase */
499  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
500  if (!(PacketAlertCheck(p, 1))) {
501  printf("sid 1 didn't match but should have for packet: ");
502  goto end;
503  }
504  if (!(PacketAlertCheck(p, 2))) {
505  printf("sid 2 didn't match but should have for packet: ");
506  goto end;
507  }
508 
509  result = 1;
510 
511 end:
512  if (alp_tctx != NULL)
513  AppLayerParserThreadCtxFree(alp_tctx);
514  if (de_ctx != NULL) {
515  SigGroupCleanup(de_ctx);
516  SigCleanSignatures(de_ctx);
517 
518  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
519  DetectEngineCtxFree(de_ctx);
520  }
521 
522  StreamTcpFreeConfig(TRUE);
523 
524  UTHFreePackets(&p, 1);
525  return result;
526 }
527 
528 /**
529  * \test Test the working of byte_jump endianness.
530  */
531 static int DcePayloadTest19(void)
532 {
533  int result = 0;
534 
535  uint8_t request1[] = {
536  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
537  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
538  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
539  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
540  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
541  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x00,
542  0x03, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
543  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
544  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
545  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
546  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
547  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
548  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
549  };
550  uint32_t request1_len = sizeof(request1);
551 
552  TcpSession ssn;
553  Packet *p = NULL;
554  ThreadVars tv;
555  DetectEngineCtx *de_ctx = NULL;
556  DetectEngineThreadCtx *det_ctx = NULL;
557  Flow f;
558  int r;
559 
560  const char *sig1 = "alert tcp any any -> any any "
561  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
562  "byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
563  const char *sig2 = "alert tcp any any -> any any "
564  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
565  "byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
566 
567  Signature *s;
568  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
569 
570  memset(&tv, 0, sizeof(ThreadVars));
571  memset(&f, 0, sizeof(Flow));
572  memset(&ssn, 0, sizeof(TcpSession));
573 
574  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
575  p->flow = &f;
576  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
577  p->flowflags |= FLOW_PKT_TOSERVER;
578  p->flowflags |= FLOW_PKT_ESTABLISHED;
579 
580  FLOW_INITIALIZE(&f);
581  f.protoctx = (void *)&ssn;
582  f.proto = IPPROTO_TCP;
583  f.flags |= FLOW_IPV4;
584  f.alproto = ALPROTO_DCERPC;
585 
586  StreamTcpInitConfig(TRUE);
587 
588  de_ctx = DetectEngineCtxInit();
589  if (de_ctx == NULL)
590  goto end;
591  de_ctx->flags |= DE_QUIET;
592 
593  de_ctx->sig_list = SigInit(de_ctx, sig1);
594  s = de_ctx->sig_list;
595  if (s == NULL)
596  goto end;
597  s->next = SigInit(de_ctx, sig2);
598  if (s->next == NULL)
599  goto end;
600 
601  SigGroupBuild(de_ctx);
602  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
603 
604  /* request 1 */
605  FLOWLOCK_WRLOCK(&f);
606  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
607  STREAM_TOSERVER, request1, request1_len);
608  if (r != 0) {
609  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
610  result = 0;
611  FLOWLOCK_UNLOCK(&f);
612  goto end;
613  }
614  FLOWLOCK_UNLOCK(&f);
615  /* detection phase */
616  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
617  if (!(PacketAlertCheck(p, 1))) {
618  printf("sid 1 didn't match but should have for packet: ");
619  goto end;
620  }
621  if (!(PacketAlertCheck(p, 2))) {
622  printf("sid 2 didn't match but should have for packet: ");
623  goto end;
624  }
625 
626  result = 1;
627 
628 end:
629  if (alp_tctx != NULL)
630  AppLayerParserThreadCtxFree(alp_tctx);
631  if (de_ctx != NULL) {
632  SigGroupCleanup(de_ctx);
633  SigCleanSignatures(de_ctx);
634 
635  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
636  DetectEngineCtxFree(de_ctx);
637  }
638 
639  StreamTcpFreeConfig(TRUE);
640 
641  UTHFreePackets(&p, 1);
642  return result;
643 }
644 
645 /**
646  * \test Test the working of byte_jump endianness.
647  */
648 static int DcePayloadTest20(void)
649 {
650  int result = 0;
651 
652  uint8_t request1[] = {
653  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
654  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
655  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
656  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
657  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
658  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x03,
659  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
660  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
661  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
662  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
663  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
664  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
665  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
666  };
667  uint32_t request1_len = sizeof(request1);
668 
669  TcpSession ssn;
670  Packet *p = NULL;
671  ThreadVars tv;
672  DetectEngineCtx *de_ctx = NULL;
673  DetectEngineThreadCtx *det_ctx = NULL;
674  Flow f;
675  int r;
676 
677  const char *sig1 = "alert tcp any any -> any any "
678  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
679  "byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
680  const char *sig2 = "alert tcp any any -> any any "
681  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
682  "byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
683 
684  Signature *s;
685  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
686 
687  memset(&tv, 0, sizeof(ThreadVars));
688  memset(&f, 0, sizeof(Flow));
689  memset(&ssn, 0, sizeof(TcpSession));
690 
691  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
692  p->flow = &f;
693  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
694  p->flowflags |= FLOW_PKT_TOSERVER;
695  p->flowflags |= FLOW_PKT_ESTABLISHED;
696 
697  FLOW_INITIALIZE(&f);
698  f.protoctx = (void *)&ssn;
699  f.proto = IPPROTO_TCP;
700  f.flags |= FLOW_IPV4;
701  f.alproto = ALPROTO_DCERPC;
702 
703  StreamTcpInitConfig(TRUE);
704 
705  de_ctx = DetectEngineCtxInit();
706  if (de_ctx == NULL)
707  goto end;
708  de_ctx->flags |= DE_QUIET;
709 
710  de_ctx->sig_list = SigInit(de_ctx, sig1);
711  s = de_ctx->sig_list;
712  if (s == NULL)
713  goto end;
714  s->next = SigInit(de_ctx, sig2);
715  if (s->next == NULL)
716  goto end;
717 
718  SigGroupBuild(de_ctx);
719  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
720 
721  /* request 1 */
722  FLOWLOCK_WRLOCK(&f);
723  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
724  STREAM_TOSERVER, request1, request1_len);
725  if (r != 0) {
726  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
727  result = 0;
728  FLOWLOCK_UNLOCK(&f);
729  goto end;
730  }
731  FLOWLOCK_UNLOCK(&f);
732  /* detection phase */
733  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
734  if (!(PacketAlertCheck(p, 1))) {
735  printf("sid 1 didn't match but should have for packet: ");
736  goto end;
737  }
738  if (!(PacketAlertCheck(p, 2))) {
739  printf("sid 2 didn't match but should have for packet: ");
740  goto end;
741  }
742 
743  result = 1;
744 
745 end:
746  if (alp_tctx != NULL)
747  AppLayerParserThreadCtxFree(alp_tctx);
748  if (de_ctx != NULL) {
749  SigGroupCleanup(de_ctx);
750  SigCleanSignatures(de_ctx);
751 
752  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
753  DetectEngineCtxFree(de_ctx);
754  }
755 
756  StreamTcpFreeConfig(TRUE);
757 
758  UTHFreePackets(&p, 1);
759  return result;
760 }
761 
762 /**
763  * \test Test the working of consecutive relative matches.
764  */
765 static int DcePayloadTest21(void)
766 {
767  int result = 0;
768 
769  uint8_t request1[] = {
770  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
771  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
772  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
773  0x6e, 0x6f, 0x77, 0x20, 0x74, 0x68, 0x69, 0x73, /* "now this" */
774  0x20, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x62, /* " is is b" */
775  0x69, 0x67, 0x20, 0x62, 0x69, 0x67, 0x20, 0x73, /* "ig big s" */
776  0x74, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x6e, 0x6f, /* "tring no" */
777  0x77 }; /* "w" */
778  uint32_t request1_len = sizeof(request1);
779 
780  TcpSession ssn;
781  Packet *p = NULL;
782  ThreadVars tv;
783  DetectEngineCtx *de_ctx = NULL;
784  DetectEngineThreadCtx *det_ctx = NULL;
785  Flow f;
786  int r;
787 
788  const char *sig1 = "alert tcp any any -> any any "
789  "(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
790  "content:\"this\"; distance:0; content:\"is\"; within:6; content:\"big\"; within:8; "
791  "content:\"string\"; within:8; sid:1;)";
792 
793  Signature *s;
794  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
795 
796  memset(&tv, 0, sizeof(ThreadVars));
797  memset(&f, 0, sizeof(Flow));
798  memset(&ssn, 0, sizeof(TcpSession));
799 
800  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
801  p->flow = &f;
802  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
803  p->flowflags |= FLOW_PKT_TOSERVER;
804  p->flowflags |= FLOW_PKT_ESTABLISHED;
805 
806  FLOW_INITIALIZE(&f);
807  f.protoctx = (void *)&ssn;
808  f.proto = IPPROTO_TCP;
809  f.flags |= FLOW_IPV4;
810  f.alproto = ALPROTO_DCERPC;
811 
812  StreamTcpInitConfig(TRUE);
813 
814  de_ctx = DetectEngineCtxInit();
815  if (de_ctx == NULL)
816  goto end;
817  de_ctx->flags |= DE_QUIET;
818 
819  de_ctx->sig_list = SigInit(de_ctx, sig1);
820  s = de_ctx->sig_list;
821  if (s == NULL)
822  goto end;
823 
824  SigGroupBuild(de_ctx);
825  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
826 
827  /* request 1 */
828  FLOWLOCK_WRLOCK(&f);
829  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
830  STREAM_TOSERVER, request1, request1_len);
831  if (r != 0) {
832  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
833  result = 0;
834  FLOWLOCK_UNLOCK(&f);
835  goto end;
836  }
837  FLOWLOCK_UNLOCK(&f);
838  /* detection phase */
839  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
840  if (!(PacketAlertCheck(p, 1))) {
841  printf("sid 1 didn't match but should have for packet: ");
842  goto end;
843  }
844 
845  result = 1;
846 
847 end:
848  if (alp_tctx != NULL)
849  AppLayerParserThreadCtxFree(alp_tctx);
850  if (de_ctx != NULL) {
851  SigGroupCleanup(de_ctx);
852  SigCleanSignatures(de_ctx);
853 
854  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
855  DetectEngineCtxFree(de_ctx);
856  }
857 
858  StreamTcpFreeConfig(TRUE);
859 
860  UTHFreePackets(&p, 1);
861  return result;
862 }
863 
864 /**
865  * \test Test the working of consecutive relative matches.
866  */
867 static int DcePayloadTest22(void)
868 {
869  int result = 0;
870 
871  uint8_t request1[] = {
872  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
873  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
874  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
875  0x6e, 0x6f, 0x77, 0x20, 0x74, 0x68, 0x69, 0x73, /* "now this" */
876  0x20, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x69, /* " is is i" */
877  0x73, 0x20, 0x62, 0x69, 0x67, 0x20, 0x62, 0x69, /* "s big bi" */
878  0x67, 0x20, 0x62, 0x69, 0x67, 0x20, 0x73, 0x74, /* "g big st" */
879  0x72, 0x69, 0x6e, 0x67, 0x20, 0x6e, 0x6f, 0x77 }; /* "ring now" */
880  uint32_t request1_len = sizeof(request1);
881 
882  TcpSession ssn;
883  Packet *p = NULL;
884  ThreadVars tv;
885  DetectEngineCtx *de_ctx = NULL;
886  DetectEngineThreadCtx *det_ctx = NULL;
887  Flow f;
888  int r;
889 
890  const char *sig1 = "alert tcp any any -> any any "
891  "(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
892  "content:\"this\"; distance:0; content:\"is\"; within:9; content:\"big\"; within:12; "
893  "content:\"string\"; within:8; sid:1;)";
894 
895  Signature *s;
896  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
897 
898  memset(&tv, 0, sizeof(ThreadVars));
899  memset(&f, 0, sizeof(Flow));
900  memset(&ssn, 0, sizeof(TcpSession));
901 
902  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
903  p->flow = &f;
904  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
905  p->flowflags |= FLOW_PKT_TOSERVER;
906  p->flowflags |= FLOW_PKT_ESTABLISHED;
907 
908  FLOW_INITIALIZE(&f);
909  f.protoctx = (void *)&ssn;
910  f.proto = IPPROTO_TCP;
911  f.flags |= FLOW_IPV4;
912  f.alproto = ALPROTO_DCERPC;
913 
914  StreamTcpInitConfig(TRUE);
915 
916  de_ctx = DetectEngineCtxInit();
917  if (de_ctx == NULL)
918  goto end;
919  de_ctx->flags |= DE_QUIET;
920 
921  de_ctx->sig_list = SigInit(de_ctx, sig1);
922  s = de_ctx->sig_list;
923  if (s == NULL)
924  goto end;
925 
926  SigGroupBuild(de_ctx);
927  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
928 
929  /* request 1 */
930  FLOWLOCK_WRLOCK(&f);
931  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
932  STREAM_TOSERVER, request1, request1_len);
933  if (r != 0) {
934  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
935  result = 0;
936  FLOWLOCK_UNLOCK(&f);
937  goto end;
938  }
939  FLOWLOCK_UNLOCK(&f);
940  /* detection phase */
941  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
942  if (!(PacketAlertCheck(p, 1))) {
943  printf("sid 1 didn't match but should have for packet: ");
944  goto end;
945  }
946 
947  result = 1;
948 
949 end:
950  if (alp_tctx != NULL)
951  AppLayerParserThreadCtxFree(alp_tctx);
952  if (de_ctx != NULL) {
953  SigGroupCleanup(de_ctx);
954  SigCleanSignatures(de_ctx);
955 
956  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
957  DetectEngineCtxFree(de_ctx);
958  }
959 
960  StreamTcpFreeConfig(TRUE);
961 
962  UTHFreePackets(&p, 1);
963  return result;
964 }
965 
966 /**
967  * \test Test the working of consecutive relative matches.
968  */
969 static int DcePayloadTest23(void)
970 {
971  int result = 0;
972 
973  uint8_t request1[] = {
974  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
975  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
976  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
977  0x74, 0x68, 0x69, 0x73, 0x20, 0x74, 0x68, 0x69, /* "this thi" */
978  0x73, 0x20, 0x6e, 0x6f, 0x77, 0x20, 0x69, 0x73, /* "s now is" */
979  0x20, 0x69, 0x73, 0x20, 0x20, 0x20, 0x20, 0x20, /* " is " */
980  0x62, 0x69, 0x67, 0x20, 0x73, 0x74, 0x72, 0x69, /* "big stri" */
981  0x6e, 0x67, 0x20, 0x6e, 0x6f, 0x77 }; /* "ng now" */
982  uint32_t request1_len = sizeof(request1);
983 
984  TcpSession ssn;
985  Packet *p = NULL;
986  ThreadVars tv;
987  DetectEngineCtx *de_ctx = NULL;
988  DetectEngineThreadCtx *det_ctx = NULL;
989  Flow f;
990  int r;
991 
992  const char *sig1 = "alert tcp any any -> any any "
993  "(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
994  "content:\"now\"; distance:0; content:\"this\"; distance:-20; "
995  "content:\"is\"; within:12; content:\"big\"; within:8; "
996  "content:\"string\"; within:8; sid:1;)";
997 
998  Signature *s;
999  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1000 
1001  memset(&tv, 0, sizeof(ThreadVars));
1002  memset(&f, 0, sizeof(Flow));
1003  memset(&ssn, 0, sizeof(TcpSession));
1004 
1005  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1006  p->flow = &f;
1007  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1008  p->flowflags |= FLOW_PKT_TOSERVER;
1009  p->flowflags |= FLOW_PKT_ESTABLISHED;
1010 
1011  FLOW_INITIALIZE(&f);
1012  f.protoctx = (void *)&ssn;
1013  f.proto = IPPROTO_TCP;
1014  f.flags |= FLOW_IPV4;
1015  f.alproto = ALPROTO_DCERPC;
1016 
1017  StreamTcpInitConfig(TRUE);
1018 
1019  de_ctx = DetectEngineCtxInit();
1020  if (de_ctx == NULL)
1021  goto end;
1022  de_ctx->flags |= DE_QUIET;
1023 
1024  de_ctx->sig_list = SigInit(de_ctx, sig1);
1025  s = de_ctx->sig_list;
1026  if (s == NULL)
1027  goto end;
1028 
1029  SigGroupBuild(de_ctx);
1030  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
1031 
1032  /* request 1 */
1033  FLOWLOCK_WRLOCK(&f);
1034  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
1035  STREAM_TOSERVER, request1, request1_len);
1036  if (r != 0) {
1037  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
1038  result = 0;
1039  FLOWLOCK_UNLOCK(&f);
1040  goto end;
1041  }
1042  FLOWLOCK_UNLOCK(&f);
1043  /* detection phase */
1044  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
1045  if (!(PacketAlertCheck(p, 1))) {
1046  printf("sid 1 didn't match but should have for packet: ");
1047  goto end;
1048  }
1049 
1050  result = 1;
1051 
1052 end:
1053  if (alp_tctx != NULL)
1054  AppLayerParserThreadCtxFree(alp_tctx);
1055  if (de_ctx != NULL) {
1056  SigGroupCleanup(de_ctx);
1057  SigCleanSignatures(de_ctx);
1058 
1059  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
1060  DetectEngineCtxFree(de_ctx);
1061  }
1062 
1063  StreamTcpFreeConfig(TRUE);
1064 
1065  UTHFreePackets(&p, 1);
1066  return result;
1067 }
1068 
1069 /**
1070  * \test Test content for dce sig.
1071  */
1072 static int DcePayloadParseTest25(void)
1073 {
1074  DetectEngineCtx *de_ctx = NULL;
1075  int result = 1;
1076  Signature *s = NULL;
1077  SigMatch *sm = NULL;
1078  DetectContentData *data = NULL;
1079 
1080  de_ctx = DetectEngineCtxInit();
1081  if (de_ctx == NULL)
1082  goto end;
1083 
1084  de_ctx->flags |= DE_QUIET;
1085  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1086  "(msg:\"Testing bytejump_body\"; "
1087  "content:\"one\"; content:\"two\"; "
1088  "content:\"three\"; within:10; "
1089  "content:\"four\"; distance:4; "
1090  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1091  "sid:1;)");
1092  if (de_ctx->sig_list == NULL) {
1093  result = 0;
1094  goto end;
1095  }
1096 
1097  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1098  result = 0;
1099  goto end;
1100  }
1101  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1102  result = 0;
1103  goto end;
1104  }
1105 
1106  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1107  if (sm->type != DETECT_CONTENT) {
1108  result = 0;
1109  goto end;
1110  }
1111  data = (DetectContentData *)sm->ctx;
1112  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1113  data->flags & DETECT_CONTENT_NOCASE ||
1114  data->flags & DETECT_CONTENT_WITHIN ||
1115  data->flags & DETECT_CONTENT_DISTANCE ||
1116  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1117  data->flags & DETECT_CONTENT_NEGATED ) {
1118  result = 0;
1119  goto end;
1120  }
1121  result &= (strncmp((char *)data->content, "one", 3) == 0);
1122  if (result == 0)
1123  goto end;
1124 
1125  sm = sm->next;
1126  if (sm->type != DETECT_CONTENT) {
1127  result = 0;
1128  goto end;
1129  }
1130  data = (DetectContentData *)sm->ctx;
1131  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1132  data->flags & DETECT_CONTENT_NOCASE ||
1133  data->flags & DETECT_CONTENT_WITHIN ||
1134  data->flags & DETECT_CONTENT_DISTANCE ||
1135  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1136  data->flags & DETECT_CONTENT_NEGATED ) {
1137  result = 0;
1138  goto end;
1139  }
1140  result &= (strncmp((char *)data->content, "two", 3) == 0);
1141  if (result == 0)
1142  goto end;
1143 
1144  sm = sm->next;
1145  if (sm->type != DETECT_CONTENT) {
1146  result = 0;
1147  goto end;
1148  }
1149  data = (DetectContentData *)sm->ctx;
1150  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1151  data->flags & DETECT_CONTENT_NOCASE ||
1152  !(data->flags & DETECT_CONTENT_WITHIN) ||
1153  data->flags & DETECT_CONTENT_DISTANCE ||
1154  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1155  data->flags & DETECT_CONTENT_NEGATED ) {
1156  result = 0;
1157  goto end;
1158  }
1159  result &= (strncmp((char *)data->content, "three", 5) == 0);
1160  if (result == 0)
1161  goto end;
1162 
1163  sm = sm->next;
1164  if (sm->type != DETECT_CONTENT) {
1165  result = 0;
1166  goto end;
1167  }
1168  data = (DetectContentData *)sm->ctx;
1169  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1170  data->flags & DETECT_CONTENT_NOCASE ||
1171  data->flags & DETECT_CONTENT_WITHIN ||
1172  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1173  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1174  data->flags & DETECT_CONTENT_NEGATED ) {
1175  result = 0;
1176  goto end;
1177  }
1178  result &= (strncmp((char *)data->content, "four", 4) == 0);
1179  if (result == 0)
1180  goto end;
1181 
1182  end:
1183  SigGroupCleanup(de_ctx);
1184  SigCleanSignatures(de_ctx);
1185  DetectEngineCtxFree(de_ctx);
1186 
1187  return result;
1188 }
1189 
1190 /**
1191  * \test Test content for dce sig.
1192  */
1193 static int DcePayloadParseTest26(void)
1194 {
1195  DetectEngineCtx *de_ctx = NULL;
1196  int result = 1;
1197  Signature *s = NULL;
1198  SigMatch *sm = NULL;
1199  DetectContentData *data = NULL;
1200 
1201  de_ctx = DetectEngineCtxInit();
1202  if (de_ctx == NULL)
1203  goto end;
1204 
1205  de_ctx->flags |= DE_QUIET;
1206  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1207  "(msg:\"Testing bytejump_body\"; "
1208  "dce_stub_data; "
1209  "pkt_data; "
1210  "content:\"one\"; "
1211  "content:\"two\"; "
1212  "content:\"three\"; within:5; "
1213  "content:\"four\"; distance:10; "
1214  "sid:1;)");
1215  if (de_ctx->sig_list == NULL) {
1216  result = 0;
1217  goto end;
1218  }
1219 
1220  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1221  result = 0;
1222  goto end;
1223  }
1224  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1225  result = 0;
1226  goto end;
1227  }
1228 
1229  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1230  if (sm->type != DETECT_CONTENT) {
1231  result = 0;
1232  goto end;
1233  }
1234  data = (DetectContentData *)sm->ctx;
1235  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1236  data->flags & DETECT_CONTENT_NOCASE ||
1237  data->flags & DETECT_CONTENT_WITHIN ||
1238  data->flags & DETECT_CONTENT_DISTANCE ||
1239  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1240  data->flags & DETECT_CONTENT_NEGATED ) {
1241  result = 0;
1242  printf("one failed\n");
1243  goto end;
1244  }
1245  result &= (strncmp((char *)data->content, "one", 3) == 0);
1246  if (result == 0)
1247  goto end;
1248 
1249  sm = sm->next;
1250  if (sm->type != DETECT_CONTENT) {
1251  result = 0;
1252  goto end;
1253  }
1254  data = (DetectContentData *)sm->ctx;
1255  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1256  data->flags & DETECT_CONTENT_NOCASE ||
1257  data->flags & DETECT_CONTENT_WITHIN ||
1258  data->flags & DETECT_CONTENT_DISTANCE ||
1259  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1260  data->flags & DETECT_CONTENT_NEGATED ) {
1261  result = 0;
1262  printf("two failed\n");
1263  goto end;
1264  }
1265  result &= (strncmp((char *)data->content, "two", 3) == 0);
1266  if (result == 0)
1267  goto end;
1268 
1269  sm = sm->next;
1270  if (sm->type != DETECT_CONTENT) {
1271  result = 0;
1272  goto end;
1273  }
1274  data = (DetectContentData *)sm->ctx;
1275  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1276  data->flags & DETECT_CONTENT_NOCASE ||
1277  !(data->flags & DETECT_CONTENT_WITHIN) ||
1278  data->flags & DETECT_CONTENT_DISTANCE ||
1279  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1280  data->flags & DETECT_CONTENT_NEGATED ) {
1281  printf("three failed\n");
1282  result = 0;
1283  goto end;
1284  }
1285  result &= (strncmp((char *)data->content, "three", 5) == 0);
1286  if (result == 0)
1287  goto end;
1288 
1289  sm = sm->next;
1290  if (sm->type != DETECT_CONTENT) {
1291  result = 0;
1292  goto end;
1293  }
1294  data = (DetectContentData *)sm->ctx;
1295  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1296  data->flags & DETECT_CONTENT_NOCASE ||
1297  data->flags & DETECT_CONTENT_WITHIN ||
1298  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1299  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1300  data->flags & DETECT_CONTENT_NEGATED ) {
1301  printf("four failed\n");
1302  result = 0;
1303  goto end;
1304  }
1305  result &= (strncmp((char *)data->content, "four", 4) == 0);
1306  if (result == 0)
1307  goto end;
1308 
1309  end:
1310  SigGroupCleanup(de_ctx);
1311  SigCleanSignatures(de_ctx);
1312  DetectEngineCtxFree(de_ctx);
1313 
1314  return result;
1315 }
1316 
1317 /**
1318  * \test Test content for dce sig.
1319  */
1320 static int DcePayloadParseTest27(void)
1321 {
1322  DetectEngineCtx *de_ctx = NULL;
1323  int result = 1;
1324  Signature *s = NULL;
1325  SigMatch *sm = NULL;
1326  DetectContentData *data = NULL;
1327 
1328  de_ctx = DetectEngineCtxInit();
1329  if (de_ctx == NULL)
1330  goto end;
1331 
1332  de_ctx->flags |= DE_QUIET;
1333  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1334  "(msg:\"Testing bytejump_body\"; "
1335  "dce_stub_data; "
1336  "content:\"one\"; distance:10; within:5; "
1337  "content:\"two\"; within:5;"
1338  "content:\"three\"; within:5; "
1339  "content:\"four\"; distance:10; "
1340  "sid:1;)");
1341  if (de_ctx->sig_list == NULL) {
1342  result = 0;
1343  goto end;
1344  }
1345 
1346  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1347  result = 0;
1348  goto end;
1349  }
1350  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] != NULL) {
1351  result = 0;
1352  goto end;
1353  }
1354 
1355  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1356  if (sm->type != DETECT_CONTENT) {
1357  result = 0;
1358  goto end;
1359  }
1360  data = (DetectContentData *)sm->ctx;
1361  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1362  data->flags & DETECT_CONTENT_NOCASE ||
1363  !(data->flags & DETECT_CONTENT_WITHIN) ||
1364  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1365  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1366  data->flags & DETECT_CONTENT_NEGATED ) {
1367  result = 0;
1368  printf("one failed\n");
1369  goto end;
1370  }
1371  result &= (strncmp((char *)data->content, "one", 3) == 0);
1372  if (result == 0)
1373  goto end;
1374 
1375  sm = sm->next;
1376  if (sm->type != DETECT_CONTENT) {
1377  result = 0;
1378  goto end;
1379  }
1380  data = (DetectContentData *)sm->ctx;
1381  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1382  data->flags & DETECT_CONTENT_NOCASE ||
1383  !(data->flags & DETECT_CONTENT_WITHIN) ||
1384  data->flags & DETECT_CONTENT_DISTANCE ||
1385  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1386  data->flags & DETECT_CONTENT_NEGATED ) {
1387  result = 0;
1388  printf("two failed\n");
1389  goto end;
1390  }
1391  result &= (strncmp((char *)data->content, "two", 3) == 0);
1392  if (result == 0)
1393  goto end;
1394 
1395  sm = sm->next;
1396  if (sm->type != DETECT_CONTENT) {
1397  result = 0;
1398  goto end;
1399  }
1400  data = (DetectContentData *)sm->ctx;
1401  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1402  data->flags & DETECT_CONTENT_NOCASE ||
1403  !(data->flags & DETECT_CONTENT_WITHIN) ||
1404  data->flags & DETECT_CONTENT_DISTANCE ||
1405  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1406  data->flags & DETECT_CONTENT_NEGATED ) {
1407  printf("three failed\n");
1408  result = 0;
1409  goto end;
1410  }
1411  result &= (strncmp((char *)data->content, "three", 5) == 0);
1412  if (result == 0)
1413  goto end;
1414 
1415  sm = sm->next;
1416  if (sm->type != DETECT_CONTENT) {
1417  result = 0;
1418  goto end;
1419  }
1420  data = (DetectContentData *)sm->ctx;
1421  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1422  data->flags & DETECT_CONTENT_NOCASE ||
1423  data->flags & DETECT_CONTENT_WITHIN ||
1424  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1425  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1426  data->flags & DETECT_CONTENT_NEGATED ) {
1427  printf("four failed\n");
1428  result = 0;
1429  goto end;
1430  }
1431  result &= (strncmp((char *)data->content, "four", 4) == 0);
1432  if (result == 0)
1433  goto end;
1434 
1435  end:
1436  SigGroupCleanup(de_ctx);
1437  SigCleanSignatures(de_ctx);
1438  DetectEngineCtxFree(de_ctx);
1439 
1440  return result;
1441 }
1442 
1443 /**
1444  * \test Test content for dce sig.
1445  */
1446 static int DcePayloadParseTest28(void)
1447 {
1448  DetectEngineCtx *de_ctx = NULL;
1449  int result = 1;
1450  Signature *s = NULL;
1451  SigMatch *sm = NULL;
1452  DetectContentData *data = NULL;
1453 
1454  de_ctx = DetectEngineCtxInit();
1455  if (de_ctx == NULL)
1456  goto end;
1457 
1458  de_ctx->flags |= DE_QUIET;
1459  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1460  "(msg:\"Testing bytejump_body\"; "
1461  "dce_stub_data; "
1462  "content:\"one\"; distance:10; within:5; "
1463  "content:\"two\"; within:5;"
1464  "pkt_data; "
1465  "content:\"three\";"
1466  "content:\"four\";"
1467  "sid:1;)");
1468  if (de_ctx->sig_list == NULL) {
1469  result = 0;
1470  goto end;
1471  }
1472 
1473  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1474  result = 0;
1475  goto end;
1476  }
1477  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1478  result = 0;
1479  goto end;
1480  }
1481 
1482  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1483  if (sm->type != DETECT_CONTENT) {
1484  result = 0;
1485  goto end;
1486  }
1487  data = (DetectContentData *)sm->ctx;
1488  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1489  data->flags & DETECT_CONTENT_NOCASE ||
1490  !(data->flags & DETECT_CONTENT_WITHIN) ||
1491  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1492  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1493  data->flags & DETECT_CONTENT_NEGATED ) {
1494  result = 0;
1495  printf("one failed\n");
1496  goto end;
1497  }
1498  result &= (strncmp((char *)data->content, "one", 3) == 0);
1499  if (result == 0)
1500  goto end;
1501 
1502  sm = sm->next;
1503  if (sm->type != DETECT_CONTENT) {
1504  result = 0;
1505  goto end;
1506  }
1507  data = (DetectContentData *)sm->ctx;
1508  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1509  data->flags & DETECT_CONTENT_NOCASE ||
1510  !(data->flags & DETECT_CONTENT_WITHIN) ||
1511  data->flags & DETECT_CONTENT_DISTANCE ||
1512  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1513  data->flags & DETECT_CONTENT_NEGATED ) {
1514  result = 0;
1515  printf("two failed\n");
1516  goto end;
1517  }
1518  result &= (strncmp((char *)data->content, "two", 3) == 0);
1519  if (result == 0)
1520  goto end;
1521 
1522  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1523  if (sm->type != DETECT_CONTENT) {
1524  result = 0;
1525  goto end;
1526  }
1527  data = (DetectContentData *)sm->ctx;
1528  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1529  data->flags & DETECT_CONTENT_NOCASE ||
1530  data->flags & DETECT_CONTENT_WITHIN ||
1531  data->flags & DETECT_CONTENT_DISTANCE ||
1532  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1533  data->flags & DETECT_CONTENT_NEGATED ) {
1534  printf("three failed\n");
1535  result = 0;
1536  goto end;
1537  }
1538  result &= (strncmp((char *)data->content, "three", 5) == 0);
1539  if (result == 0)
1540  goto end;
1541 
1542  sm = sm->next;
1543  if (sm->type != DETECT_CONTENT) {
1544  result = 0;
1545  goto end;
1546  }
1547  data = (DetectContentData *)sm->ctx;
1548  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1549  data->flags & DETECT_CONTENT_NOCASE ||
1550  data->flags & DETECT_CONTENT_WITHIN ||
1551  data->flags & DETECT_CONTENT_DISTANCE ||
1552  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1553  data->flags & DETECT_CONTENT_NEGATED ) {
1554  printf("four failed\n");
1555  result = 0;
1556  goto end;
1557  }
1558  result &= (strncmp((char *)data->content, "four", 4) == 0);
1559  if (result == 0)
1560  goto end;
1561 
1562  end:
1563  SigGroupCleanup(de_ctx);
1564  SigCleanSignatures(de_ctx);
1565  DetectEngineCtxFree(de_ctx);
1566 
1567  return result;
1568 }
1569 
1570 /**
1571  * \test Test content for dce sig.
1572  */
1573 static int DcePayloadParseTest29(void)
1574 {
1575  DetectEngineCtx *de_ctx = NULL;
1576  int result = 1;
1577  Signature *s = NULL;
1578  SigMatch *sm = NULL;
1579  DetectContentData *data = NULL;
1580  DetectPcreData *pd = NULL;
1581 
1582  de_ctx = DetectEngineCtxInit();
1583  if (de_ctx == NULL)
1584  goto end;
1585 
1586  de_ctx->flags |= DE_QUIET;
1587  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1588  "(msg:\"Testing bytejump_body\"; "
1589  "dce_stub_data; "
1590  "pkt_data; "
1591  "pcre:/boom/; "
1592  "content:\"one\"; distance:10; within:5; "
1593  "content:\"two\"; within:5;"
1594  "content:\"three\";"
1595  "content:\"four\";"
1596  "sid:1;)");
1597  if (de_ctx->sig_list == NULL) {
1598  result = 0;
1599  goto end;
1600  }
1601 
1602  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1603  result = 0;
1604  goto end;
1605  }
1606  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1607  result = 0;
1608  goto end;
1609  }
1610 
1611  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1612  if (sm->type != DETECT_PCRE) {
1613  result = 0;
1614  goto end;
1615  }
1616  pd = (DetectPcreData *)sm->ctx;
1617  if (pd->flags & DETECT_PCRE_RAWBYTES ||
1618  pd->flags & DETECT_PCRE_RELATIVE) {
1619  result = 0;
1620  printf("one failed\n");
1621  goto end;
1622  }
1623 
1624  sm = sm->next;
1625  if (sm->type != DETECT_CONTENT) {
1626  result = 0;
1627  goto end;
1628  }
1629  data = (DetectContentData *)sm->ctx;
1630  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1631  data->flags & DETECT_CONTENT_NOCASE ||
1632  !(data->flags & DETECT_CONTENT_WITHIN) ||
1633  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1634  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1635  data->flags & DETECT_CONTENT_NEGATED ) {
1636  result = 0;
1637  printf("one failed\n");
1638  goto end;
1639  }
1640  result &= (strncmp((char *)data->content, "one", 3) == 0);
1641  if (result == 0)
1642  goto end;
1643 
1644  sm = sm->next;
1645  if (sm->type != DETECT_CONTENT) {
1646  result = 0;
1647  goto end;
1648  }
1649  data = (DetectContentData *)sm->ctx;
1650  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1651  data->flags & DETECT_CONTENT_NOCASE ||
1652  !(data->flags & DETECT_CONTENT_WITHIN) ||
1653  data->flags & DETECT_CONTENT_DISTANCE ||
1654  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1655  data->flags & DETECT_CONTENT_NEGATED ) {
1656  result = 0;
1657  printf("two failed\n");
1658  goto end;
1659  }
1660  result &= (strncmp((char *)data->content, "two", 3) == 0);
1661  if (result == 0)
1662  goto end;
1663 
1664  sm = sm->next;
1665  if (sm->type != DETECT_CONTENT) {
1666  result = 0;
1667  goto end;
1668  }
1669  data = (DetectContentData *)sm->ctx;
1670  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1671  data->flags & DETECT_CONTENT_NOCASE ||
1672  data->flags & DETECT_CONTENT_WITHIN ||
1673  data->flags & DETECT_CONTENT_DISTANCE ||
1674  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1675  data->flags & DETECT_CONTENT_NEGATED ) {
1676  printf("three failed\n");
1677  result = 0;
1678  goto end;
1679  }
1680  result &= (strncmp((char *)data->content, "three", 5) == 0);
1681  if (result == 0)
1682  goto end;
1683 
1684  sm = sm->next;
1685  if (sm->type != DETECT_CONTENT) {
1686  result = 0;
1687  goto end;
1688  }
1689  data = (DetectContentData *)sm->ctx;
1690  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1691  data->flags & DETECT_CONTENT_NOCASE ||
1692  data->flags & DETECT_CONTENT_WITHIN ||
1693  data->flags & DETECT_CONTENT_DISTANCE ||
1694  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1695  data->flags & DETECT_CONTENT_NEGATED ) {
1696  printf("four failed\n");
1697  result = 0;
1698  goto end;
1699  }
1700  result &= (strncmp((char *)data->content, "four", 4) == 0);
1701  if (result == 0)
1702  goto end;
1703 
1704  end:
1705  SigGroupCleanup(de_ctx);
1706  SigCleanSignatures(de_ctx);
1707  DetectEngineCtxFree(de_ctx);
1708 
1709  return result;
1710 }
1711 
1712 /**
1713  * \test Test content for dce sig.
1714  */
1715 static int DcePayloadParseTest30(void)
1716 {
1717  DetectEngineCtx *de_ctx = NULL;
1718  int result = 1;
1719  Signature *s = NULL;
1720  SigMatch *sm = NULL;
1721  DetectContentData *data = NULL;
1722  DetectBytejumpData *bd = NULL;
1723 
1724  de_ctx = DetectEngineCtxInit();
1725  if (de_ctx == NULL)
1726  goto end;
1727 
1728  de_ctx->flags |= DE_QUIET;
1729  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1730  "(msg:\"Testing bytejump_body\"; "
1731  "dce_stub_data; "
1732  "pkt_data; "
1733  "byte_jump:2,5; "
1734  "content:\"one\"; distance:10; within:5; "
1735  "content:\"two\"; within:5;"
1736  "content:\"three\";"
1737  "content:\"four\";"
1738  "sid:1;)");
1739  if (de_ctx->sig_list == NULL) {
1740  result = 0;
1741  goto end;
1742  }
1743 
1744  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1745  result = 0;
1746  goto end;
1747  }
1748  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1749  result = 0;
1750  goto end;
1751  }
1752 
1753  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1754  if (sm->type != DETECT_BYTEJUMP) {
1755  result = 0;
1756  goto end;
1757  }
1758  bd = (DetectBytejumpData *)sm->ctx;
1759  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1760  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1761  bd->flags & DETECT_BYTEJUMP_BIG ||
1762  bd->flags & DETECT_BYTEJUMP_STRING ||
1763  bd->flags & DETECT_BYTEJUMP_RELATIVE ||
1764  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1765  bd->flags & DETECT_BYTEJUMP_DCE ) {
1766  result = 0;
1767  printf("one failed\n");
1768  goto end;
1769  }
1770 
1771  sm = sm->next;
1772  if (sm->type != DETECT_CONTENT) {
1773  result = 0;
1774  goto end;
1775  }
1776  data = (DetectContentData *)sm->ctx;
1777  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1778  data->flags & DETECT_CONTENT_NOCASE ||
1779  !(data->flags & DETECT_CONTENT_WITHIN) ||
1780  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1781  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1782  data->flags & DETECT_CONTENT_NEGATED ) {
1783  result = 0;
1784  printf("one failed\n");
1785  goto end;
1786  }
1787  result &= (strncmp((char *)data->content, "one", 3) == 0);
1788  if (result == 0)
1789  goto end;
1790 
1791  sm = sm->next;
1792  if (sm->type != DETECT_CONTENT) {
1793  result = 0;
1794  goto end;
1795  }
1796  data = (DetectContentData *)sm->ctx;
1797  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1798  data->flags & DETECT_CONTENT_NOCASE ||
1799  !(data->flags & DETECT_CONTENT_WITHIN) ||
1800  data->flags & DETECT_CONTENT_DISTANCE ||
1801  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1802  data->flags & DETECT_CONTENT_NEGATED ) {
1803  result = 0;
1804  printf("two failed\n");
1805  goto end;
1806  }
1807  result &= (strncmp((char *)data->content, "two", 3) == 0);
1808  if (result == 0)
1809  goto end;
1810 
1811  sm = sm->next;
1812  if (sm->type != DETECT_CONTENT) {
1813  result = 0;
1814  goto end;
1815  }
1816  data = (DetectContentData *)sm->ctx;
1817  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1818  data->flags & DETECT_CONTENT_NOCASE ||
1819  data->flags & DETECT_CONTENT_WITHIN ||
1820  data->flags & DETECT_CONTENT_DISTANCE ||
1821  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1822  data->flags & DETECT_CONTENT_NEGATED ) {
1823  printf("three failed\n");
1824  result = 0;
1825  goto end;
1826  }
1827  result &= (strncmp((char *)data->content, "three", 5) == 0);
1828  if (result == 0)
1829  goto end;
1830 
1831  sm = sm->next;
1832  if (sm->type != DETECT_CONTENT) {
1833  result = 0;
1834  goto end;
1835  }
1836  data = (DetectContentData *)sm->ctx;
1837  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1838  data->flags & DETECT_CONTENT_NOCASE ||
1839  data->flags & DETECT_CONTENT_WITHIN ||
1840  data->flags & DETECT_CONTENT_DISTANCE ||
1841  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1842  data->flags & DETECT_CONTENT_NEGATED ) {
1843  printf("four failed\n");
1844  result = 0;
1845  goto end;
1846  }
1847  result &= (strncmp((char *)data->content, "four", 4) == 0);
1848  if (result == 0)
1849  goto end;
1850 
1851  end:
1852  SigGroupCleanup(de_ctx);
1853  SigCleanSignatures(de_ctx);
1854  DetectEngineCtxFree(de_ctx);
1855 
1856  return result;
1857 }
1858 
1859 /**
1860  * \test Test content for dce sig.
1861  */
1862 static int DcePayloadParseTest31(void)
1863 {
1864  DetectEngineCtx *de_ctx = NULL;
1865  int result = 1;
1866  Signature *s = NULL;
1867  SigMatch *sm = NULL;
1868  DetectContentData *data = NULL;
1869  DetectBytejumpData *bd = NULL;
1870 
1871  de_ctx = DetectEngineCtxInit();
1872  if (de_ctx == NULL)
1873  goto end;
1874 
1875  de_ctx->flags |= DE_QUIET;
1876  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1877  "(msg:\"Testing bytejump_body\"; "
1878  "dce_stub_data; "
1879  "byte_jump:2,5,relative; "
1880  "content:\"one\"; distance:10; within:5; "
1881  "content:\"two\"; within:5;"
1882  "pkt_data; "
1883  "content:\"three\";"
1884  "content:\"four\";"
1885  "sid:1;)");
1886  if (de_ctx->sig_list == NULL) {
1887  result = 0;
1888  goto end;
1889  }
1890 
1891  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1892  result = 0;
1893  goto end;
1894  }
1895  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1896  result = 0;
1897  goto end;
1898  }
1899 
1900  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1901  if (sm->type != DETECT_BYTEJUMP) {
1902  result = 0;
1903  goto end;
1904  }
1905  bd = (DetectBytejumpData *)sm->ctx;
1906  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1907  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1908  bd->flags & DETECT_BYTEJUMP_BIG ||
1909  bd->flags & DETECT_BYTEJUMP_STRING ||
1910  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
1911  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1912  bd->flags & DETECT_BYTEJUMP_DCE ) {
1913  result = 0;
1914  printf("one failed\n");
1915  goto end;
1916  }
1917 
1918  sm = sm->next;
1919  if (sm->type != DETECT_CONTENT) {
1920  result = 0;
1921  goto end;
1922  }
1923  data = (DetectContentData *)sm->ctx;
1924  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1925  data->flags & DETECT_CONTENT_NOCASE ||
1926  !(data->flags & DETECT_CONTENT_WITHIN) ||
1927  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1928  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1929  data->flags & DETECT_CONTENT_NEGATED ) {
1930  result = 0;
1931  printf("one failed\n");
1932  goto end;
1933  }
1934  result &= (strncmp((char *)data->content, "one", 3) == 0);
1935  if (result == 0)
1936  goto end;
1937 
1938  sm = sm->next;
1939  if (sm->type != DETECT_CONTENT) {
1940  result = 0;
1941  goto end;
1942  }
1943  data = (DetectContentData *)sm->ctx;
1944  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1945  data->flags & DETECT_CONTENT_NOCASE ||
1946  !(data->flags & DETECT_CONTENT_WITHIN) ||
1947  data->flags & DETECT_CONTENT_DISTANCE ||
1948  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1949  data->flags & DETECT_CONTENT_NEGATED ) {
1950  result = 0;
1951  printf("two failed\n");
1952  goto end;
1953  }
1954  result &= (strncmp((char *)data->content, "two", 3) == 0);
1955  if (result == 0)
1956  goto end;
1957 
1958  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1959  if (sm->type != DETECT_CONTENT) {
1960  result = 0;
1961  goto end;
1962  }
1963  data = (DetectContentData *)sm->ctx;
1964  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1965  data->flags & DETECT_CONTENT_NOCASE ||
1966  data->flags & DETECT_CONTENT_WITHIN ||
1967  data->flags & DETECT_CONTENT_DISTANCE ||
1968  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1969  data->flags & DETECT_CONTENT_NEGATED ) {
1970  printf("three failed\n");
1971  result = 0;
1972  goto end;
1973  }
1974  result &= (strncmp((char *)data->content, "three", 5) == 0);
1975  if (result == 0)
1976  goto end;
1977 
1978  sm = sm->next;
1979  if (sm->type != DETECT_CONTENT) {
1980  result = 0;
1981  goto end;
1982  }
1983  data = (DetectContentData *)sm->ctx;
1984  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1985  data->flags & DETECT_CONTENT_NOCASE ||
1986  data->flags & DETECT_CONTENT_WITHIN ||
1987  data->flags & DETECT_CONTENT_DISTANCE ||
1988  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1989  data->flags & DETECT_CONTENT_NEGATED ) {
1990  printf("four failed\n");
1991  result = 0;
1992  goto end;
1993  }
1994  result &= (strncmp((char *)data->content, "four", 4) == 0);
1995  if (result == 0)
1996  goto end;
1997 
1998  end:
1999  SigGroupCleanup(de_ctx);
2000  SigCleanSignatures(de_ctx);
2001  DetectEngineCtxFree(de_ctx);
2002 
2003  return result;
2004 }
2005 
2006 /**
2007  * \test Test content for dce sig.
2008  */
2009 static int DcePayloadParseTest32(void)
2010 {
2011  DetectEngineCtx *de_ctx = NULL;
2012  int result = 1;
2013  Signature *s = NULL;
2014  SigMatch *sm = NULL;
2015  DetectContentData *data = NULL;
2016  DetectBytejumpData *bd = NULL;
2017 
2018  de_ctx = DetectEngineCtxInit();
2019  if (de_ctx == NULL)
2020  goto end;
2021 
2022  de_ctx->flags |= DE_QUIET;
2023  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2024  "(msg:\"Testing bytejump_body\"; "
2025  "dce_stub_data; "
2026  "byte_jump:2,5,relative; "
2027  "content:\"one\"; distance:10; within:5; "
2028  "content:\"two\"; within:5;"
2029  "pkt_data; "
2030  "content:\"three\";"
2031  "content:\"four\"; within:4; "
2032  "sid:1;)");
2033  if (de_ctx->sig_list == NULL) {
2034  result = 0;
2035  goto end;
2036  }
2037 
2038  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2039  result = 0;
2040  goto end;
2041  }
2042  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2043  result = 0;
2044  goto end;
2045  }
2046 
2047  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2048  if (sm->type != DETECT_BYTEJUMP) {
2049  result = 0;
2050  goto end;
2051  }
2052  bd = (DetectBytejumpData *)sm->ctx;
2053  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
2054  bd->flags & DETECT_BYTEJUMP_LITTLE ||
2055  bd->flags & DETECT_BYTEJUMP_BIG ||
2056  bd->flags & DETECT_BYTEJUMP_STRING ||
2057  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2058  bd->flags & DETECT_BYTEJUMP_ALIGN ||
2059  bd->flags & DETECT_BYTEJUMP_DCE ) {
2060  result = 0;
2061  printf("one failed\n");
2062  goto end;
2063  }
2064 
2065  sm = sm->next;
2066  if (sm->type != DETECT_CONTENT) {
2067  result = 0;
2068  goto end;
2069  }
2070  data = (DetectContentData *)sm->ctx;
2071  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2072  data->flags & DETECT_CONTENT_NOCASE ||
2073  !(data->flags & DETECT_CONTENT_WITHIN) ||
2074  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2075  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2076  data->flags & DETECT_CONTENT_NEGATED ) {
2077  result = 0;
2078  printf("one failed\n");
2079  goto end;
2080  }
2081  result &= (strncmp((char *)data->content, "one", 3) == 0);
2082  if (result == 0)
2083  goto end;
2084 
2085  sm = sm->next;
2086  if (sm->type != DETECT_CONTENT) {
2087  result = 0;
2088  goto end;
2089  }
2090  data = (DetectContentData *)sm->ctx;
2091  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2092  data->flags & DETECT_CONTENT_NOCASE ||
2093  !(data->flags & DETECT_CONTENT_WITHIN) ||
2094  data->flags & DETECT_CONTENT_DISTANCE ||
2095  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2096  data->flags & DETECT_CONTENT_NEGATED ) {
2097  result = 0;
2098  printf("two failed\n");
2099  goto end;
2100  }
2101  result &= (strncmp((char *)data->content, "two", 3) == 0);
2102  if (result == 0)
2103  goto end;
2104 
2105  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2106  if (sm->type != DETECT_CONTENT) {
2107  result = 0;
2108  goto end;
2109  }
2110  data = (DetectContentData *)sm->ctx;
2111  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2112  data->flags & DETECT_CONTENT_NOCASE ||
2113  data->flags & DETECT_CONTENT_WITHIN ||
2114  data->flags & DETECT_CONTENT_DISTANCE ||
2115  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2116  data->flags & DETECT_CONTENT_NEGATED ) {
2117  printf("three failed\n");
2118  result = 0;
2119  goto end;
2120  }
2121  result &= (strncmp((char *)data->content, "three", 5) == 0);
2122  if (result == 0)
2123  goto end;
2124 
2125  sm = sm->next;
2126  if (sm->type != DETECT_CONTENT) {
2127  result = 0;
2128  goto end;
2129  }
2130  data = (DetectContentData *)sm->ctx;
2131  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2132  data->flags & DETECT_CONTENT_NOCASE ||
2133  !(data->flags & DETECT_CONTENT_WITHIN) ||
2134  data->flags & DETECT_CONTENT_DISTANCE ||
2135  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2136  data->flags & DETECT_CONTENT_NEGATED ) {
2137  printf("four failed\n");
2138  result = 0;
2139  goto end;
2140  }
2141  result &= (strncmp((char *)data->content, "four", 4) == 0);
2142  if (result == 0)
2143  goto end;
2144 
2145  end:
2146  SigGroupCleanup(de_ctx);
2147  SigCleanSignatures(de_ctx);
2148  DetectEngineCtxFree(de_ctx);
2149 
2150  return result;
2151 }
2152 
2153 /**
2154  * \test Test content for dce sig.
2155  */
2156 static int DcePayloadParseTest33(void)
2157 {
2158  DetectEngineCtx *de_ctx = NULL;
2159  int result = 1;
2160  Signature *s = NULL;
2161  SigMatch *sm = NULL;
2162  DetectContentData *data = NULL;
2163  DetectPcreData *pd = NULL;
2164 
2165  de_ctx = DetectEngineCtxInit();
2166  if (de_ctx == NULL)
2167  goto end;
2168 
2169  de_ctx->flags |= DE_QUIET;
2170  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2171  "(msg:\"Testing bytejump_body\"; "
2172  "dce_stub_data; "
2173  "pcre:/boom/R; "
2174  "content:\"one\"; distance:10; within:5; "
2175  "content:\"two\"; within:5;"
2176  "pkt_data; "
2177  "content:\"three\";"
2178  "content:\"four\"; distance:5;"
2179  "sid:1;)");
2180  if (de_ctx->sig_list == NULL) {
2181  result = 0;
2182  goto end;
2183  }
2184 
2185  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2186  result = 0;
2187  goto end;
2188  }
2189  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2190  result = 0;
2191  goto end;
2192  }
2193 
2194  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2195  if (sm->type != DETECT_PCRE) {
2196  result = 0;
2197  goto end;
2198  }
2199  pd = (DetectPcreData *)sm->ctx;
2200  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2201  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2202  result = 0;
2203  printf("one failed\n");
2204  goto end;
2205  }
2206 
2207  sm = sm->next;
2208  if (sm->type != DETECT_CONTENT) {
2209  result = 0;
2210  goto end;
2211  }
2212  data = (DetectContentData *)sm->ctx;
2213  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2214  data->flags & DETECT_CONTENT_NOCASE ||
2215  !(data->flags & DETECT_CONTENT_WITHIN) ||
2216  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2217  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2218  data->flags & DETECT_CONTENT_NEGATED ) {
2219  result = 0;
2220  printf("one failed\n");
2221  goto end;
2222  }
2223  result &= (strncmp((char *)data->content, "one", 3) == 0);
2224  if (result == 0)
2225  goto end;
2226 
2227  sm = sm->next;
2228  if (sm->type != DETECT_CONTENT) {
2229  result = 0;
2230  goto end;
2231  }
2232  data = (DetectContentData *)sm->ctx;
2233  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2234  data->flags & DETECT_CONTENT_NOCASE ||
2235  !(data->flags & DETECT_CONTENT_WITHIN) ||
2236  data->flags & DETECT_CONTENT_DISTANCE ||
2237  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2238  data->flags & DETECT_CONTENT_NEGATED ) {
2239  result = 0;
2240  printf("two failed\n");
2241  goto end;
2242  }
2243  result &= (strncmp((char *)data->content, "two", 3) == 0);
2244  if (result == 0)
2245  goto end;
2246 
2247  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2248  if (sm->type != DETECT_CONTENT) {
2249  result = 0;
2250  goto end;
2251  }
2252  data = (DetectContentData *)sm->ctx;
2253  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2254  data->flags & DETECT_CONTENT_NOCASE ||
2255  data->flags & DETECT_CONTENT_WITHIN ||
2256  data->flags & DETECT_CONTENT_DISTANCE ||
2257  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2258  data->flags & DETECT_CONTENT_NEGATED ) {
2259  printf("three failed\n");
2260  result = 0;
2261  goto end;
2262  }
2263  result &= (strncmp((char *)data->content, "three", 5) == 0);
2264  if (result == 0)
2265  goto end;
2266 
2267  sm = sm->next;
2268  if (sm->type != DETECT_CONTENT) {
2269  result = 0;
2270  goto end;
2271  }
2272  data = (DetectContentData *)sm->ctx;
2273  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2274  data->flags & DETECT_CONTENT_NOCASE ||
2275  data->flags & DETECT_CONTENT_WITHIN ||
2276  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2277  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2278  data->flags & DETECT_CONTENT_NEGATED ) {
2279  printf("four failed\n");
2280  result = 0;
2281  goto end;
2282  }
2283  result &= (strncmp((char *)data->content, "four", 4) == 0);
2284  if (result == 0)
2285  goto end;
2286 
2287  end:
2288  SigGroupCleanup(de_ctx);
2289  SigCleanSignatures(de_ctx);
2290  DetectEngineCtxFree(de_ctx);
2291 
2292  return result;
2293 }
2294 
2295 /**
2296  * \test Test content for dce sig.
2297  */
2298 static int DcePayloadParseTest34(void)
2299 {
2300  DetectEngineCtx *de_ctx = NULL;
2301  int result = 1;
2302  Signature *s = NULL;
2303  SigMatch *sm = NULL;
2304  DetectContentData *data = NULL;
2305  DetectPcreData *pd = NULL;
2306  DetectBytejumpData *bd = NULL;
2307 
2308  de_ctx = DetectEngineCtxInit();
2309  if (de_ctx == NULL)
2310  goto end;
2311 
2312  de_ctx->flags |= DE_QUIET;
2313  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2314  "(msg:\"Testing bytejump_body\"; "
2315  "dce_iface:12345678-1234-1234-1234-123456789012; "
2316  "dce_opnum:10; dce_stub_data; "
2317  "pcre:/boom/R; "
2318  "byte_jump:1,2,relative,align,dce; "
2319  "content:\"one\"; within:4; distance:8; "
2320  "pkt_data; "
2321  "content:\"two\"; "
2322  "sid:1;)");
2323  if (de_ctx->sig_list == NULL) {
2324  result = 0;
2325  goto end;
2326  }
2327 
2328  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2329  result = 0;
2330  goto end;
2331  }
2332  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2333  result = 0;
2334  goto end;
2335  }
2336 
2337  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2338  if (sm->type != DETECT_PCRE) {
2339  result = 0;
2340  goto end;
2341  }
2342  pd = (DetectPcreData *)sm->ctx;
2343  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2344  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2345  result = 0;
2346  goto end;
2347  }
2348 
2349  sm = sm->next;
2350  if (sm->type != DETECT_BYTEJUMP) {
2351  result = 0;
2352  goto end;
2353  }
2354  bd = (DetectBytejumpData *)sm->ctx;
2355  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
2356  bd->flags & DETECT_BYTEJUMP_LITTLE ||
2357  bd->flags & DETECT_BYTEJUMP_BIG ||
2358  bd->flags & DETECT_BYTEJUMP_STRING ||
2359  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2360  !(bd->flags & DETECT_BYTEJUMP_ALIGN) ||
2361  !(bd->flags & DETECT_BYTEJUMP_DCE) ) {
2362  result = 0;
2363  printf("one failed\n");
2364  goto end;
2365  }
2366 
2367  sm = sm->next;
2368  if (sm->type != DETECT_CONTENT) {
2369  result = 0;
2370  goto end;
2371  }
2372  data = (DetectContentData *)sm->ctx;
2373  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2374  data->flags & DETECT_CONTENT_NOCASE ||
2375  !(data->flags & DETECT_CONTENT_WITHIN) ||
2376  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2377  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2378  data->flags & DETECT_CONTENT_NEGATED ) {
2379  result = 0;
2380  printf("two failed\n");
2381  goto end;
2382  }
2383  result &= (strncmp((char *)data->content, "one", 3) == 0);
2384  if (result == 0)
2385  goto end;
2386 
2387  result &= (sm->next == NULL);
2388 
2389  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2390  if (sm->type != DETECT_CONTENT) {
2391  result = 0;
2392  goto end;
2393  }
2394  data = (DetectContentData *)sm->ctx;
2395  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2396  data->flags & DETECT_CONTENT_NOCASE ||
2397  data->flags & DETECT_CONTENT_WITHIN ||
2398  data->flags & DETECT_CONTENT_DISTANCE ||
2399  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2400  data->flags & DETECT_CONTENT_NEGATED ) {
2401  printf("three failed\n");
2402  result = 0;
2403  goto end;
2404  }
2405  result &= (strncmp((char *)data->content, "two", 3) == 0);
2406  if (result == 0)
2407  goto end;
2408 
2409  result &= (sm->next == NULL);
2410 
2411  end:
2412  SigGroupCleanup(de_ctx);
2413  SigCleanSignatures(de_ctx);
2414  DetectEngineCtxFree(de_ctx);
2415 
2416  return result;
2417 }
2418 
2419 /**
2420  * \test Test content for dce sig.
2421  */
2422 static int DcePayloadParseTest35(void)
2423 {
2424  DetectEngineCtx *de_ctx = NULL;
2425  int result = 1;
2426  Signature *s = NULL;
2427  SigMatch *sm = NULL;
2428  DetectContentData *data = NULL;
2429  DetectBytetestData *bd = NULL;
2430 
2431  de_ctx = DetectEngineCtxInit();
2432  if (de_ctx == NULL)
2433  goto end;
2434 
2435  de_ctx->flags |= DE_QUIET;
2436  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2437  "(msg:\"Testing bytejump_body\"; "
2438  "dce_iface:12345678-1234-1234-1234-123456789012; "
2439  "dce_opnum:10; dce_stub_data; "
2440  "byte_test:1,=,0,0,relative,dce; "
2441  "pkt_data; "
2442  "content:\"one\"; "
2443  "sid:1;)");
2444  if (de_ctx->sig_list == NULL) {
2445  result = 0;
2446  goto end;
2447  }
2448 
2449  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2450  result = 0;
2451  goto end;
2452  }
2453  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2454  result = 0;
2455  goto end;
2456  }
2457 
2458  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2459  if (sm->type != DETECT_BYTETEST) {
2460  result = 0;
2461  goto end;
2462  }
2463  bd = (DetectBytetestData *)sm->ctx;
2464  if (bd->flags & DETECT_BYTETEST_LITTLE ||
2465  bd->flags & DETECT_BYTETEST_BIG ||
2466  bd->flags & DETECT_BYTETEST_STRING ||
2467  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2468  !(bd->flags & DETECT_BYTETEST_DCE) ) {
2469  result = 0;
2470  printf("one failed\n");
2471  goto end;
2472  }
2473 
2474  result &= (sm->next == NULL);
2475 
2476  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2477  if (sm->type != DETECT_CONTENT) {
2478  result = 0;
2479  goto end;
2480  }
2481  data = (DetectContentData *)sm->ctx;
2482  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2483  data->flags & DETECT_CONTENT_NOCASE ||
2484  data->flags & DETECT_CONTENT_WITHIN ||
2485  data->flags & DETECT_CONTENT_DISTANCE ||
2486  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2487  data->flags & DETECT_CONTENT_NEGATED ) {
2488  result = 0;
2489  printf("two failed\n");
2490  goto end;
2491  }
2492  result &= (strncmp((char *)data->content, "one", 3) == 0);
2493  if (result == 0)
2494  goto end;
2495 
2496  result &= (sm->next == NULL);
2497 
2498  end:
2499  SigGroupCleanup(de_ctx);
2500  SigCleanSignatures(de_ctx);
2501  DetectEngineCtxFree(de_ctx);
2502 
2503  return result;
2504 }
2505 
2506 /**
2507  * \test Test content for dce sig.
2508  */
2509 static int DcePayloadParseTest36(void)
2510 {
2511  DetectEngineCtx *de_ctx = NULL;
2512  int result = 1;
2513  Signature *s = NULL;
2514  SigMatch *sm = NULL;
2515  DetectContentData *data = NULL;
2516  DetectIsdataatData *isd = NULL;
2517 
2518  de_ctx = DetectEngineCtxInit();
2519  if (de_ctx == NULL)
2520  goto end;
2521 
2522  de_ctx->flags |= DE_QUIET;
2523  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2524  "(msg:\"Testing bytejump_body\"; "
2525  "dce_iface:12345678-1234-1234-1234-123456789012; "
2526  "dce_opnum:10; dce_stub_data; "
2527  "isdataat:10,relative; "
2528  "content:\"one\"; within:4; distance:8; "
2529  "pkt_data; "
2530  "content:\"two\"; "
2531  "sid:1;)");
2532  if (de_ctx->sig_list == NULL) {
2533  result = 0;
2534  goto end;
2535  }
2536 
2537  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2538  result = 0;
2539  goto end;
2540  }
2541  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2542  result = 0;
2543  goto end;
2544  }
2545 
2546  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2547  if (sm->type != DETECT_ISDATAAT) {
2548  result = 0;
2549  goto end;
2550  }
2551  isd = (DetectIsdataatData *)sm->ctx;
2552  if ( isd->flags & ISDATAAT_RAWBYTES ||
2553  !(isd->flags & ISDATAAT_RELATIVE)) {
2554  result = 0;
2555  goto end;
2556  }
2557 
2558  sm = sm->next;
2559  if (sm->type != DETECT_CONTENT) {
2560  result = 0;
2561  goto end;
2562  }
2563  data = (DetectContentData *)sm->ctx;
2564  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2565  data->flags & DETECT_CONTENT_NOCASE ||
2566  !(data->flags & DETECT_CONTENT_WITHIN) ||
2567  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2568  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2569  data->flags & DETECT_CONTENT_NEGATED ) {
2570  result = 0;
2571  printf("two failed\n");
2572  goto end;
2573  }
2574  result &= (strncmp((char *)data->content, "one", 3) == 0);
2575  if (result == 0)
2576  goto end;
2577 
2578  result &= (sm->next == NULL);
2579 
2580  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2581  if (sm->type != DETECT_CONTENT) {
2582  result = 0;
2583  goto end;
2584  }
2585  data = (DetectContentData *)sm->ctx;
2586  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2587  data->flags & DETECT_CONTENT_NOCASE ||
2588  data->flags & DETECT_CONTENT_WITHIN ||
2589  data->flags & DETECT_CONTENT_DISTANCE ||
2590  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2591  data->flags & DETECT_CONTENT_NEGATED ) {
2592  printf("three failed\n");
2593  result = 0;
2594  goto end;
2595  }
2596  result &= (strncmp((char *)data->content, "two", 3) == 0);
2597  if (result == 0)
2598  goto end;
2599 
2600  result &= (sm->next == NULL);
2601 
2602  end:
2603  SigGroupCleanup(de_ctx);
2604  SigCleanSignatures(de_ctx);
2605  DetectEngineCtxFree(de_ctx);
2606 
2607  return result;
2608 }
2609 
2610 /**
2611  * \test Test content for dce sig.
2612  */
2613 static int DcePayloadParseTest37(void)
2614 {
2615  DetectEngineCtx *de_ctx = NULL;
2616  int result = 1;
2617  Signature *s = NULL;
2618  SigMatch *sm = NULL;
2619  DetectContentData *data = NULL;
2620  DetectBytejumpData *bjd = NULL;
2621  DetectBytetestData *btd = NULL;
2622 
2623  de_ctx = DetectEngineCtxInit();
2624  if (de_ctx == NULL)
2625  goto end;
2626 
2627  de_ctx->flags |= DE_QUIET;
2628  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2629  "(msg:\"Testing bytejump_body\"; "
2630  "dce_iface:12345678-1234-1234-1234-123456789012; "
2631  "dce_opnum:10; dce_stub_data; "
2632  "byte_jump:1,2,relative,align,dce; "
2633  "byte_test:1,=,2,0,relative,dce; "
2634  "pkt_data; "
2635  "content:\"one\"; "
2636  "sid:1;)");
2637  if (de_ctx->sig_list == NULL) {
2638  result = 0;
2639  goto end;
2640  }
2641 
2642  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2643  result = 0;
2644  goto end;
2645  }
2646  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2647  result = 0;
2648  goto end;
2649  }
2650 
2651  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2652  if (sm->type != DETECT_BYTEJUMP) {
2653  result = 0;
2654  goto end;
2655  }
2656  bjd = (DetectBytejumpData *)sm->ctx;
2657  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2658  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2659  bjd->flags & DETECT_BYTEJUMP_BIG ||
2660  bjd->flags & DETECT_BYTEJUMP_STRING ||
2661  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2662  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
2663  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
2664  result = 0;
2665  printf("one failed\n");
2666  goto end;
2667  }
2668 
2669  sm = sm->next;
2670  if (sm->type != DETECT_BYTETEST) {
2671  result = 0;
2672  goto end;
2673  }
2674  btd = (DetectBytetestData *)sm->ctx;
2675  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2676  btd->flags & DETECT_BYTETEST_BIG ||
2677  btd->flags & DETECT_BYTETEST_STRING ||
2678  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2679  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2680  result = 0;
2681  printf("one failed\n");
2682  goto end;
2683  }
2684 
2685  result &= (sm->next == NULL);
2686 
2687  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2688  if (sm->type != DETECT_CONTENT) {
2689  result = 0;
2690  goto end;
2691  }
2692  data = (DetectContentData *)sm->ctx;
2693  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2694  data->flags & DETECT_CONTENT_NOCASE ||
2695  data->flags & DETECT_CONTENT_WITHIN ||
2696  data->flags & DETECT_CONTENT_DISTANCE ||
2697  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2698  data->flags & DETECT_CONTENT_NEGATED ) {
2699  printf("three failed\n");
2700  result = 0;
2701  goto end;
2702  }
2703  result &= (strncmp((char *)data->content, "one", 3) == 0);
2704  if (result == 0)
2705  goto end;
2706 
2707  result &= (sm->next == NULL);
2708 
2709  end:
2710  SigGroupCleanup(de_ctx);
2711  SigCleanSignatures(de_ctx);
2712  DetectEngineCtxFree(de_ctx);
2713 
2714  return result;
2715 }
2716 
2717 /**
2718  * \test Test content for dce sig.
2719  */
2720 static int DcePayloadParseTest38(void)
2721 {
2722  DetectEngineCtx *de_ctx = NULL;
2723  int result = 1;
2724  Signature *s = NULL;
2725  SigMatch *sm = NULL;
2726  DetectContentData *data = NULL;
2727  DetectPcreData *pd = NULL;
2728  DetectBytejumpData *bjd = NULL;
2729  DetectBytetestData *btd = NULL;
2730 
2731  de_ctx = DetectEngineCtxInit();
2732  if (de_ctx == NULL)
2733  goto end;
2734 
2735  de_ctx->flags |= DE_QUIET;
2736  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2737  "(msg:\"Testing bytejump_body\"; "
2738  "dce_iface:12345678-1234-1234-1234-123456789012; "
2739  "dce_opnum:10; dce_stub_data; "
2740  "pcre:/boom/R; "
2741  "byte_jump:1,2,relative,align,dce; "
2742  "byte_test:1,=,2,0,relative,dce; "
2743  "pkt_data; "
2744  "content:\"one\"; "
2745  "sid:1;)");
2746  if (de_ctx->sig_list == NULL) {
2747  result = 0;
2748  goto end;
2749  }
2750 
2751  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2752  result = 0;
2753  goto end;
2754  }
2755  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2756  result = 0;
2757  goto end;
2758  }
2759 
2760  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2761  if (sm->type != DETECT_PCRE) {
2762  result = 0;
2763  goto end;
2764  }
2765  pd = (DetectPcreData *)sm->ctx;
2766  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2767  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2768  result = 0;
2769  printf("one failed\n");
2770  goto end;
2771  }
2772 
2773  sm = sm->next;
2774  if (sm->type != DETECT_BYTEJUMP) {
2775  result = 0;
2776  goto end;
2777  }
2778  bjd = (DetectBytejumpData *)sm->ctx;
2779  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2780  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2781  bjd->flags & DETECT_BYTEJUMP_BIG ||
2782  bjd->flags & DETECT_BYTEJUMP_STRING ||
2783  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2784  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
2785  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
2786  result = 0;
2787  printf("one failed\n");
2788  goto end;
2789  }
2790 
2791  sm = sm->next;
2792  if (sm->type != DETECT_BYTETEST) {
2793  result = 0;
2794  goto end;
2795  }
2796  btd = (DetectBytetestData *)sm->ctx;
2797  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2798  btd->flags & DETECT_BYTETEST_BIG ||
2799  btd->flags & DETECT_BYTETEST_STRING ||
2800  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2801  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2802  result = 0;
2803  printf("one failed\n");
2804  goto end;
2805  }
2806 
2807  result &= (sm->next == NULL);
2808 
2809  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2810  if (sm->type != DETECT_CONTENT) {
2811  result = 0;
2812  goto end;
2813  }
2814  data = (DetectContentData *)sm->ctx;
2815  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2816  data->flags & DETECT_CONTENT_NOCASE ||
2817  data->flags & DETECT_CONTENT_WITHIN ||
2818  data->flags & DETECT_CONTENT_DISTANCE ||
2819  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2820  data->flags & DETECT_CONTENT_NEGATED ) {
2821  printf("three failed\n");
2822  result = 0;
2823  goto end;
2824  }
2825  result &= (strncmp((char *)data->content, "one", 3) == 0);
2826  if (result == 0)
2827  goto end;
2828 
2829  result &= (sm->next == NULL);
2830 
2831  end:
2832  SigGroupCleanup(de_ctx);
2833  SigCleanSignatures(de_ctx);
2834  DetectEngineCtxFree(de_ctx);
2835 
2836  return result;
2837 }
2838 
2839 /**
2840  * \test Test content for dce sig.
2841  */
2842 static int DcePayloadParseTest39(void)
2843 {
2844  DetectEngineCtx *de_ctx = NULL;
2845  int result = 1;
2846  Signature *s = NULL;
2847  SigMatch *sm = NULL;
2848  DetectContentData *data = NULL;
2849 
2850  de_ctx = DetectEngineCtxInit();
2851  if (de_ctx == NULL)
2852  goto end;
2853 
2854  de_ctx->flags |= DE_QUIET;
2855  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2856  "(msg:\"Testing bytejump_body\"; "
2857  "content:\"one\"; "
2858  "dce_iface:12345678-1234-1234-1234-123456789012; "
2859  "dce_opnum:10; dce_stub_data; "
2860  "content:\"two\"; within:4; distance:8; "
2861  "sid:1;)");
2862  if (de_ctx->sig_list == NULL) {
2863  result = 0;
2864  goto end;
2865  }
2866 
2867  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2868  result = 0;
2869  goto end;
2870  }
2871  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2872  result = 0;
2873  goto end;
2874  }
2875 
2876  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2877  if (sm->type != DETECT_CONTENT) {
2878  result = 0;
2879  goto end;
2880  }
2881  data = (DetectContentData *)sm->ctx;
2882  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2883  data->flags & DETECT_CONTENT_NOCASE ||
2884  data->flags & DETECT_CONTENT_WITHIN ||
2885  data->flags & DETECT_CONTENT_DISTANCE ||
2886  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2887  data->flags & DETECT_CONTENT_NEGATED ) {
2888  printf("three failed\n");
2889  result = 0;
2890  goto end;
2891  }
2892  result &= (strncmp((char *)data->content, "one", 3) == 0);
2893  if (result == 0)
2894  goto end;
2895 
2896  result &= (sm->next == NULL);
2897 
2898  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2899  data = (DetectContentData *)sm->ctx;
2900  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2901  data->flags & DETECT_CONTENT_NOCASE ||
2902  !(data->flags & DETECT_CONTENT_WITHIN) ||
2903  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2904  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2905  data->flags & DETECT_CONTENT_NEGATED ) {
2906  printf("three failed\n");
2907  result = 0;
2908  goto end;
2909  }
2910  result &= (strncmp((char *)data->content, "two", 3) == 0);
2911  if (result == 0)
2912  goto end;
2913 
2914  result &= (sm->next == NULL);
2915 
2916  end:
2917  SigGroupCleanup(de_ctx);
2918  SigCleanSignatures(de_ctx);
2919  DetectEngineCtxFree(de_ctx);
2920 
2921  return result;
2922 }
2923 
2924 /**
2925  * \test Test content for dce sig.
2926  */
2927 static int DcePayloadParseTest40(void)
2928 {
2929  DetectEngineCtx *de_ctx = NULL;
2930  int result = 1;
2931  Signature *s = NULL;
2932  SigMatch *sm = NULL;
2933  DetectContentData *data = NULL;
2934  DetectBytetestData *btd = NULL;
2935 
2936  de_ctx = DetectEngineCtxInit();
2937  if (de_ctx == NULL)
2938  goto end;
2939 
2940  de_ctx->flags |= DE_QUIET;
2941  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2942  "(msg:\"Testing bytejump_body\"; "
2943  "dce_iface:12345678-1234-1234-1234-123456789012; "
2944  "dce_opnum:10; dce_stub_data; "
2945  "content:\"one\"; within:10; "
2946  "content:\"two\"; distance:20; within:30; "
2947  "byte_test:1,=,2,0,relative,dce; "
2948  "pkt_data; "
2949  "content:\"three\"; "
2950  "sid:1;)");
2951  if (de_ctx->sig_list == NULL) {
2952  result = 0;
2953  goto end;
2954  }
2955 
2956  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2957  result = 0;
2958  goto end;
2959  }
2960  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2961  result = 0;
2962  goto end;
2963  }
2964 
2965  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2966  if (sm->type != DETECT_CONTENT) {
2967  result = 0;
2968  goto end;
2969  }
2970  data = (DetectContentData *)sm->ctx;
2971  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2972  data->flags & DETECT_CONTENT_NOCASE ||
2973  !(data->flags & DETECT_CONTENT_WITHIN) ||
2974  data->flags & DETECT_CONTENT_DISTANCE ||
2975  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2976  data->flags & DETECT_CONTENT_NEGATED ) {
2977  printf("three failed\n");
2978  result = 0;
2979  goto end;
2980  }
2981  result &= (strncmp((char *)data->content, "one", 3) == 0);
2982  if (result == 0)
2983  goto end;
2984 
2985 
2986  sm = sm->next;
2987  if (sm->type != DETECT_CONTENT) {
2988  result = 0;
2989  goto end;
2990  }
2991  data = (DetectContentData *)sm->ctx;
2992  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2993  data->flags & DETECT_CONTENT_NOCASE ||
2994  !(data->flags & DETECT_CONTENT_WITHIN) ||
2995  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2996  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2997  data->flags & DETECT_CONTENT_NEGATED ) {
2998  printf("three failed\n");
2999  result = 0;
3000  goto end;
3001  }
3002  result &= (strncmp((char *)data->content, "two", 3) == 0);
3003  if (result == 0)
3004  goto end;
3005 
3006  sm = sm->next;
3007  if (sm->type != DETECT_BYTETEST) {
3008  result = 0;
3009  goto end;
3010  }
3011  btd = (DetectBytetestData *)sm->ctx;
3012  if (btd->flags & DETECT_BYTETEST_LITTLE ||
3013  btd->flags & DETECT_BYTETEST_BIG ||
3014  btd->flags & DETECT_BYTETEST_STRING ||
3015  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
3016  !(btd->flags & DETECT_BYTETEST_DCE) ) {
3017  result = 0;
3018  printf("one failed\n");
3019  goto end;
3020  }
3021 
3022  result &= (sm->next == NULL);
3023 
3024  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3025  if (sm->type != DETECT_CONTENT) {
3026  result = 0;
3027  goto end;
3028  }
3029  data = (DetectContentData *)sm->ctx;
3030  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3031  data->flags & DETECT_CONTENT_NOCASE ||
3032  data->flags & DETECT_CONTENT_WITHIN ||
3033  data->flags & DETECT_CONTENT_DISTANCE ||
3034  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3035  data->flags & DETECT_CONTENT_NEGATED ) {
3036  printf("three failed\n");
3037  result = 0;
3038  goto end;
3039  }
3040  result &= (strncmp((char *)data->content, "three", 5) == 0);
3041  if (result == 0)
3042  goto end;
3043 
3044  result &= (sm->next == NULL);
3045 
3046  end:
3047  SigGroupCleanup(de_ctx);
3048  SigCleanSignatures(de_ctx);
3049  DetectEngineCtxFree(de_ctx);
3050 
3051  return result;
3052 }
3053 
3054 /**
3055  * \test Test content for dce sig.
3056  */
3057 static int DcePayloadParseTest41(void)
3058 {
3059  DetectEngineCtx *de_ctx = NULL;
3060  int result = 1;
3061  Signature *s = NULL;
3062  SigMatch *sm = NULL;
3063  DetectContentData *data = NULL;
3064  DetectBytetestData *btd = NULL;
3065 
3066  de_ctx = DetectEngineCtxInit();
3067  if (de_ctx == NULL)
3068  goto end;
3069 
3070  de_ctx->flags |= DE_QUIET;
3071  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3072  "(msg:\"Testing bytejump_body\"; "
3073  "dce_iface:12345678-1234-1234-1234-123456789012; "
3074  "dce_opnum:10; dce_stub_data; "
3075  "content:\"one\"; within:10; "
3076  "pkt_data; "
3077  "content:\"two\"; "
3078  "byte_test:1,=,2,0,relative,dce; "
3079  "content:\"three\"; "
3080  "sid:1;)");
3081  if (de_ctx->sig_list == NULL) {
3082  result = 0;
3083  goto end;
3084  }
3085 
3086  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
3087  result = 0;
3088  goto end;
3089  }
3090  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3091  result = 0;
3092  goto end;
3093  }
3094 
3095  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
3096  if (sm->type != DETECT_CONTENT) {
3097  result = 0;
3098  goto end;
3099  }
3100  data = (DetectContentData *)sm->ctx;
3101  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3102  data->flags & DETECT_CONTENT_NOCASE ||
3103  !(data->flags & DETECT_CONTENT_WITHIN) ||
3104  data->flags & DETECT_CONTENT_DISTANCE ||
3105  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3106  data->flags & DETECT_CONTENT_NEGATED ) {
3107  printf("three failed\n");
3108  result = 0;
3109  goto end;
3110  }
3111  result &= (strncmp((char *)data->content, "one", 3) == 0);
3112  if (result == 0)
3113  goto end;
3114 
3115  result &= (sm->next == NULL);
3116 
3117  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3118  if (sm->type != DETECT_CONTENT) {
3119  result = 0;
3120  goto end;
3121  }
3122  data = (DetectContentData *)sm->ctx;
3123  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3124  data->flags & DETECT_CONTENT_NOCASE ||
3125  data->flags & DETECT_CONTENT_WITHIN ||
3126  data->flags & DETECT_CONTENT_DISTANCE ||
3127  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3128  data->flags & DETECT_CONTENT_NEGATED ) {
3129  printf("three failed\n");
3130  result = 0;
3131  goto end;
3132  }
3133  result &= (strncmp((char *)data->content, "two", 3) == 0);
3134  if (result == 0)
3135  goto end;
3136 
3137  sm = sm->next;
3138  if (sm->type != DETECT_BYTETEST) {
3139  result = 0;
3140  goto end;
3141  }
3142  btd = (DetectBytetestData *)sm->ctx;
3143  if (btd->flags & DETECT_BYTETEST_LITTLE ||
3144  btd->flags & DETECT_BYTETEST_BIG ||
3145  btd->flags & DETECT_BYTETEST_STRING ||
3146  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
3147  !(btd->flags & DETECT_BYTETEST_DCE) ) {
3148  result = 0;
3149  printf("one failed\n");
3150  goto end;
3151  }
3152 
3153  sm = sm->next;
3154  if (sm->type != DETECT_CONTENT) {
3155  result = 0;
3156  goto end;
3157  }
3158  data = (DetectContentData *)sm->ctx;
3159  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3160  data->flags & DETECT_CONTENT_NOCASE ||
3161  data->flags & DETECT_CONTENT_WITHIN ||
3162  data->flags & DETECT_CONTENT_DISTANCE ||
3163  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3164  data->flags & DETECT_CONTENT_NEGATED ) {
3165  printf("three failed\n");
3166  result = 0;
3167  goto end;
3168  }
3169  result &= (strncmp((char *)data->content, "three", 5) == 0);
3170  if (result == 0)
3171  goto end;
3172 
3173  result &= (sm->next == NULL);
3174 
3175  end:
3176  SigGroupCleanup(de_ctx);
3177  SigCleanSignatures(de_ctx);
3178  DetectEngineCtxFree(de_ctx);
3179 
3180  return result;
3181 }
3182 
3183 /**
3184  * \test Test the working of consecutive relative matches with a negated content.
3185  */
3186 static int DcePayloadTest42(void)
3187 {
3188  int result = 0;
3189 
3190  uint8_t request1[] = {
3191  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
3192  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
3193  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
3194  0x77, 0x65, 0x20, 0x6e, 0x65, 0x65, 0x64, 0x20, /* "we need " */
3195  0x74, 0x6f, 0x20, 0x66, 0x69, 0x78, 0x20, 0x74, /* "to fix t" */
3196  0x68, 0x69, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, /* "his and " */
3197  0x79, 0x65, 0x73, 0x20, 0x66, 0x69, 0x78, 0x20, /* "yes fix " */
3198  0x74, 0x68, 0x69, 0x73, 0x20, 0x6e, 0x6f, 0x77 /* "this now" */
3199  };
3200  uint32_t request1_len = sizeof(request1);
3201 
3202  TcpSession ssn;
3203  Packet *p = NULL;
3204  ThreadVars tv;
3205  DetectEngineCtx *de_ctx = NULL;
3206  DetectEngineThreadCtx *det_ctx = NULL;
3207  Flow f;
3208  int r;
3209 
3210  const char *sig1 = "alert tcp any any -> any any "
3211  "(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
3212  "content:\"fix\"; distance:0; content:\"this\"; within:6; "
3213  "content:!\"and\"; distance:0; sid:1;)";
3214 
3215  Signature *s;
3216  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3217 
3218  memset(&tv, 0, sizeof(ThreadVars));
3219  memset(&f, 0, sizeof(Flow));
3220  memset(&ssn, 0, sizeof(TcpSession));
3221 
3222  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3223  p->flow = &f;
3224  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3225  p->flowflags |= FLOW_PKT_TOSERVER;
3226  p->flowflags |= FLOW_PKT_ESTABLISHED;
3227 
3228  FLOW_INITIALIZE(&f);
3229  f.protoctx = (void *)&ssn;
3230  f.proto = IPPROTO_TCP;
3231  f.flags |= FLOW_IPV4;
3232  f.alproto = ALPROTO_DCERPC;
3233 
3234  StreamTcpInitConfig(TRUE);
3235 
3236  de_ctx = DetectEngineCtxInit();
3237  if (de_ctx == NULL)
3238  goto end;
3239  de_ctx->flags |= DE_QUIET;
3240 
3241  de_ctx->sig_list = SigInit(de_ctx, sig1);
3242  s = de_ctx->sig_list;
3243  if (s == NULL)
3244  goto end;
3245 
3246  SigGroupBuild(de_ctx);
3247  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3248 
3249  /* request 1 */
3250  FLOWLOCK_WRLOCK(&f);
3251  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3252  STREAM_TOSERVER, request1, request1_len);
3253  if (r != 0) {
3254  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3255  result = 0;
3256  FLOWLOCK_UNLOCK(&f);
3257  goto end;
3258  }
3259  FLOWLOCK_UNLOCK(&f);
3260  /* detection phase */
3261  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3262  if (!(PacketAlertCheck(p, 1))) {
3263  printf("sid 1 matched but shouldn't have for packet: ");
3264  goto end;
3265  }
3266 
3267  result = 1;
3268 
3269 end:
3270  if (alp_tctx != NULL)
3271  AppLayerParserThreadCtxFree(alp_tctx);
3272  if (de_ctx != NULL) {
3273  SigGroupCleanup(de_ctx);
3274  SigCleanSignatures(de_ctx);
3275 
3276  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
3277  DetectEngineCtxFree(de_ctx);
3278  }
3279 
3280  StreamTcpFreeConfig(TRUE);
3281 
3282  UTHFreePackets(&p, 1);
3283  return result;
3284 }
3285 
3286 /**
3287  * \test Test the working of consecutive relative pcres.
3288  */
3289 static int DcePayloadTest43(void)
3290 {
3291  int result = 0;
3292 
3293  uint8_t request1[] = {
3294  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
3295  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
3296  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
3297  0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
3298  0x61, 0x20, 0x73, 0x75, 0x70, 0x65, 0x72, 0x20,
3299  0x64, 0x75, 0x70, 0x65, 0x72, 0x20, 0x6e, 0x6f,
3300  0x76, 0x61, 0x20, 0x69, 0x6e, 0x20, 0x73, 0x75,
3301  0x70, 0x65, 0x72, 0x20, 0x6e, 0x6f, 0x76, 0x61,
3302  0x20, 0x6e, 0x6f, 0x77
3303  };
3304  uint32_t request1_len = sizeof(request1);
3305 
3306  TcpSession ssn;
3307  Packet *p = NULL;
3308  ThreadVars tv;
3309  DetectEngineCtx *de_ctx = NULL;
3310  DetectEngineThreadCtx *det_ctx = NULL;
3311  Flow f;
3312  int r;
3313 
3314  const char *sig1 = "alert tcp any any -> any any "
3315  "(msg:\"testing dce consecutive relative matches\"; dce_stub_data; "
3316  "pcre:/super/R; content:\"nova\"; within:7; sid:1;)";
3317 
3318  Signature *s;
3319  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
3320 
3321  memset(&tv, 0, sizeof(ThreadVars));
3322  memset(&f, 0, sizeof(Flow));
3323  memset(&ssn, 0, sizeof(TcpSession));
3324 
3325  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
3326  p->flow = &f;
3327  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
3328  p->flowflags |= FLOW_PKT_TOSERVER;
3329  p->flowflags |= FLOW_PKT_ESTABLISHED;
3330 
3331  FLOW_INITIALIZE(&f);
3332  f.protoctx = (void *)&ssn;
3333  f.proto = IPPROTO_TCP;
3334  f.flags |= FLOW_IPV4;
3335  f.alproto = ALPROTO_DCERPC;
3336 
3337  StreamTcpInitConfig(TRUE);
3338 
3339  de_ctx = DetectEngineCtxInit();
3340  if (de_ctx == NULL)
3341  goto end;
3342  de_ctx->flags |= DE_QUIET;
3343 
3344  de_ctx->sig_list = SigInit(de_ctx, sig1);
3345  s = de_ctx->sig_list;
3346  if (s == NULL)
3347  goto end;
3348 
3349  SigGroupBuild(de_ctx);
3350  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
3351 
3352  /* request 1 */
3353  FLOWLOCK_WRLOCK(&f);
3354  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
3355  STREAM_TOSERVER, request1, request1_len);
3356  if (r != 0) {
3357  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
3358  result = 0;
3359  FLOWLOCK_UNLOCK(&f);
3360  goto end;
3361  }
3362  FLOWLOCK_UNLOCK(&f);
3363  /* detection phase */
3364  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
3365  if ( !(PacketAlertCheck(p, 1))) {
3366  printf("sid 1 didn't match but should have: ");
3367  goto end;
3368  }
3369 
3370  result = 1;
3371 
3372 end:
3373  if (alp_tctx != NULL)
3374  AppLayerParserThreadCtxFree(alp_tctx);
3375  if (de_ctx != NULL) {
3376  SigGroupCleanup(de_ctx);
3377  SigCleanSignatures(de_ctx);
3378 
3379  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
3380  DetectEngineCtxFree(de_ctx);
3381  }
3382 
3383  StreamTcpFreeConfig(TRUE);
3384 
3385  UTHFreePackets(&p, 1);
3386  return result;
3387 }
3388 
3389 /**
3390  * \test Test content for dce sig.
3391  */
3392 static int DcePayloadParseTest44(void)
3393 {
3394  DetectEngineCtx *de_ctx = NULL;
3395  Signature *s = NULL;
3396  SigMatch *sm = NULL;
3397  DetectContentData *data = NULL;
3398  DetectIsdataatData *isd = NULL;
3399 
3400  de_ctx = DetectEngineCtxInit();
3401  FAIL_IF_NULL(de_ctx);
3402  de_ctx->flags |= DE_QUIET;
3403 
3404  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
3405  "content:\"one\"; "
3406  "dce_iface:12345678-1234-1234-1234-123456789012; "
3407  "dce_opnum:10; dce_stub_data; "
3408  "isdataat:10,relative; "
3409  "content:\"one\"; within:4; distance:8; "
3410  "pkt_data; "
3411  "content:\"two\"; "
3412  "sid:1;)");
3413  FAIL_IF_NULL(s);
3414 
3415  FAIL_IF_NULL(s->init_data->smlists_tail[g_dce_stub_data_buffer_id]);
3416  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
3417 
3418  /* isdataat:10,relative; */
3419  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
3420  FAIL_IF(sm->type != DETECT_ISDATAAT);
3421  isd = (DetectIsdataatData *)sm->ctx;
3422  FAIL_IF(isd->flags & ISDATAAT_RAWBYTES);
3423  FAIL_IF_NOT(isd->flags & ISDATAAT_RELATIVE);
3424  FAIL_IF_NULL(sm->next);
3425 
3426  sm = sm->next;
3427 
3428  /* content:\"one\"; within:4; distance:8; */
3429  FAIL_IF(sm->type != DETECT_CONTENT);
3430  data = (DetectContentData *)sm->ctx;
3431  FAIL_IF (data->flags & DETECT_CONTENT_RAWBYTES ||
3432  data->flags & DETECT_CONTENT_NOCASE ||
3433  !(data->flags & DETECT_CONTENT_WITHIN) ||
3434  !(data->flags & DETECT_CONTENT_DISTANCE) ||
3435  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3436  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3437  data->flags & DETECT_CONTENT_NEGATED );
3438 
3439  FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
3440  FAIL_IF_NOT(sm->next == NULL);
3441 
3442  /* first content:\"one\"; */
3443  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3444  FAIL_IF(sm->type != DETECT_CONTENT);
3445  data = (DetectContentData *)sm->ctx;
3446  FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES);
3447  FAIL_IF(data->flags & DETECT_CONTENT_NOCASE);
3448  FAIL_IF(data->flags & DETECT_CONTENT_WITHIN);
3449  FAIL_IF(data->flags & DETECT_CONTENT_DISTANCE);
3450  FAIL_IF(data->flags & DETECT_CONTENT_FAST_PATTERN);
3451  FAIL_IF(data->flags & DETECT_CONTENT_RELATIVE_NEXT);
3452  FAIL_IF(data->flags & DETECT_CONTENT_NEGATED );
3453  FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
3454 
3455  FAIL_IF_NULL(sm->next);
3456  sm = sm->next;
3457 
3458  FAIL_IF(sm->type != DETECT_CONTENT);
3459 
3460  data = (DetectContentData *)sm->ctx;
3461  FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES ||
3462  data->flags & DETECT_CONTENT_NOCASE ||
3463  data->flags & DETECT_CONTENT_WITHIN ||
3464  data->flags & DETECT_CONTENT_DISTANCE ||
3465  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3466  data->flags & DETECT_CONTENT_NEGATED );
3467 
3468  FAIL_IF_NOT(strncmp((char *)data->content, "two", 3) == 0);
3469 
3470  FAIL_IF_NOT(sm->next == NULL);
3471 
3472  SigGroupCleanup(de_ctx);
3473  SigCleanSignatures(de_ctx);
3474  DetectEngineCtxFree(de_ctx);
3475 
3476  PASS;
3477 }
3478 
3479 /**
3480  * \test Test content for dce sig.
3481  */
3482 static int DcePayloadParseTest45(void)
3483 {
3484  DetectEngineCtx *de_ctx = NULL;
3485  int result = 1;
3486  Signature *s = NULL;
3487  SigMatch *sm = NULL;
3488  DetectContentData *data = NULL;
3489  DetectBytejumpData *bjd = NULL;
3490 
3491  de_ctx = DetectEngineCtxInit();
3492  if (de_ctx == NULL)
3493  goto end;
3494 
3495  de_ctx->flags |= DE_QUIET;
3496  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3497  "(msg:\"Testing bytejump_body\"; "
3498  "dce_iface:12345678-1234-1234-1234-123456789012; "
3499  "content:\"one\"; "
3500  "dce_opnum:10; dce_stub_data; "
3501  "byte_jump:1,2,relative,align,dce; "
3502  "pkt_data; "
3503  "content:\"two\"; "
3504  "sid:1;)");
3505  if (de_ctx->sig_list == NULL) {
3506  result = 0;
3507  goto end;
3508  }
3509 
3510  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
3511  result = 0;
3512  goto end;
3513  }
3514  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3515  result = 0;
3516  goto end;
3517  }
3518 
3519  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
3520  if (sm->type != DETECT_BYTEJUMP) {
3521  result = 0;
3522  goto end;
3523  }
3524  bjd = (DetectBytejumpData *)sm->ctx;
3525  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
3526  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
3527  bjd->flags & DETECT_BYTEJUMP_BIG ||
3528  bjd->flags & DETECT_BYTEJUMP_STRING ||
3529  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
3530  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
3531  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
3532  result = 0;
3533  printf("one failed\n");
3534  goto end;
3535  }
3536 
3537  result &= (sm->next == NULL);
3538 
3539  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3540  if (sm->type != DETECT_CONTENT) {
3541  result = 0;
3542  goto end;
3543  }
3544  data = (DetectContentData *)sm->ctx;
3545  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3546  data->flags & DETECT_CONTENT_NOCASE ||
3547  data->flags & DETECT_CONTENT_WITHIN ||
3548  data->flags & DETECT_CONTENT_DISTANCE ||
3549  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3550  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3551  data->flags & DETECT_CONTENT_NEGATED ) {
3552  printf("one failed\n");
3553  result = 0;
3554  goto end;
3555  }
3556  result &= (strncmp((char *)data->content, "one", 3) == 0);
3557  if (result == 0)
3558  goto end;
3559 
3560  sm = sm->next;
3561  if (sm->type != DETECT_CONTENT) {
3562  result = 0;
3563  goto end;
3564  }
3565  data = (DetectContentData *)sm->ctx;
3566  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3567  data->flags & DETECT_CONTENT_NOCASE ||
3568  data->flags & DETECT_CONTENT_WITHIN ||
3569  data->flags & DETECT_CONTENT_DISTANCE ||
3570  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3571  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3572  data->flags & DETECT_CONTENT_NEGATED ) {
3573  printf("two failed\n");
3574  result = 0;
3575  goto end;
3576  }
3577  result &= (strncmp((char *)data->content, "two", 3) == 0);
3578  if (result == 0)
3579  goto end;
3580 
3581  result &= (sm->next == NULL);
3582 
3583  end:
3584  SigGroupCleanup(de_ctx);
3585  SigCleanSignatures(de_ctx);
3586  DetectEngineCtxFree(de_ctx);
3587 
3588  return result;
3589 }
3590 
3591 /**
3592  * \test Test content for dce sig.
3593  */
3594 static int DcePayloadParseTest46(void)
3595 {
3596  DetectEngineCtx *de_ctx = NULL;
3597  int result = 1;
3598  Signature *s = NULL;
3599  SigMatch *sm = NULL;
3600  DetectContentData *data = NULL;
3601  DetectBytetestData *btd = NULL;
3602 
3603  de_ctx = DetectEngineCtxInit();
3604  if (de_ctx == NULL)
3605  goto end;
3606 
3607  de_ctx->flags |= DE_QUIET;
3608  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3609  "(msg:\"Testing bytejump_body\"; "
3610  "dce_iface:12345678-1234-1234-1234-123456789012; "
3611  "content:\"one\"; "
3612  "dce_opnum:10; dce_stub_data; "
3613  "byte_test:1,=,2,0,relative,dce; "
3614  "pkt_data; "
3615  "content:\"two\"; "
3616  "sid:1;)");
3617  if (de_ctx->sig_list == NULL) {
3618  result = 0;
3619  goto end;
3620  }
3621 
3622  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
3623  result = 0;
3624  goto end;
3625  }
3626  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3627  result = 0;
3628  goto end;
3629  }
3630 
3631  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
3632  if (sm->type != DETECT_BYTETEST) {
3633  result = 0;
3634  goto end;
3635  }
3636  btd = (DetectBytetestData *)sm->ctx;
3637  if (btd->flags & DETECT_BYTETEST_LITTLE ||
3638  btd->flags & DETECT_BYTETEST_BIG ||
3639  btd->flags & DETECT_BYTETEST_STRING ||
3640  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
3641  !(btd->flags & DETECT_BYTETEST_DCE) ) {
3642  result = 0;
3643  printf("one failed\n");
3644  goto end;
3645  }
3646 
3647  result &= (sm->next == NULL);
3648 
3649  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3650  if (sm->type != DETECT_CONTENT) {
3651  result = 0;
3652  goto end;
3653  }
3654  data = (DetectContentData *)sm->ctx;
3655  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3656  data->flags & DETECT_CONTENT_NOCASE ||
3657  data->flags & DETECT_CONTENT_WITHIN ||
3658  data->flags & DETECT_CONTENT_DISTANCE ||
3659  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3660  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3661  data->flags & DETECT_CONTENT_NEGATED ) {
3662  printf("one failed\n");
3663  result = 0;
3664  goto end;
3665  }
3666  result &= (strncmp((char *)data->content, "one", 3) == 0);
3667  if (result == 0)
3668  goto end;
3669 
3670  sm = sm->next;
3671  if (sm->type != DETECT_CONTENT) {
3672  result = 0;
3673  goto end;
3674  }
3675  data = (DetectContentData *)sm->ctx;
3676  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3677  data->flags & DETECT_CONTENT_NOCASE ||
3678  data->flags & DETECT_CONTENT_WITHIN ||
3679  data->flags & DETECT_CONTENT_DISTANCE ||
3680  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3681  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3682  data->flags & DETECT_CONTENT_NEGATED ) {
3683  printf("two failed\n");
3684  result = 0;
3685  goto end;
3686  }
3687  result &= (strncmp((char *)data->content, "two", 3) == 0);
3688  if (result == 0)
3689  goto end;
3690 
3691  result &= (sm->next == NULL);
3692 
3693  end:
3694  SigGroupCleanup(de_ctx);
3695  SigCleanSignatures(de_ctx);
3696  DetectEngineCtxFree(de_ctx);
3697 
3698  return result;
3699 }
3700 
3701 #endif /* UNITTESTS */
3702 
3703 void DcePayloadRegisterTests(void)
3704 {
3705  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
3706 
3707 #ifdef UNITTESTS
3708  UtRegisterTest("DcePayloadTest15", DcePayloadTest15);
3709  UtRegisterTest("DcePayloadTest16", DcePayloadTest16);
3710  UtRegisterTest("DcePayloadTest17", DcePayloadTest17);
3711  UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
3712  UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
3713  UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
3714  UtRegisterTest("DcePayloadTest21", DcePayloadTest21);
3715  UtRegisterTest("DcePayloadTest22", DcePayloadTest22);
3716  UtRegisterTest("DcePayloadTest23", DcePayloadTest23);
3717 
3718  UtRegisterTest("DcePayloadParseTest25", DcePayloadParseTest25);
3719  UtRegisterTest("DcePayloadParseTest26", DcePayloadParseTest26);
3720  UtRegisterTest("DcePayloadParseTest27", DcePayloadParseTest27);
3721  UtRegisterTest("DcePayloadParseTest28", DcePayloadParseTest28);
3722  UtRegisterTest("DcePayloadParseTest29", DcePayloadParseTest29);
3723  UtRegisterTest("DcePayloadParseTest30", DcePayloadParseTest30);
3724  UtRegisterTest("DcePayloadParseTest31", DcePayloadParseTest31);
3725  UtRegisterTest("DcePayloadParseTest32", DcePayloadParseTest32);
3726  UtRegisterTest("DcePayloadParseTest33", DcePayloadParseTest33);
3727  UtRegisterTest("DcePayloadParseTest34", DcePayloadParseTest34);
3728  UtRegisterTest("DcePayloadParseTest35", DcePayloadParseTest35);
3729  UtRegisterTest("DcePayloadParseTest36", DcePayloadParseTest36);
3730  UtRegisterTest("DcePayloadParseTest37", DcePayloadParseTest37);
3731  UtRegisterTest("DcePayloadParseTest38", DcePayloadParseTest38);
3732  UtRegisterTest("DcePayloadParseTest39", DcePayloadParseTest39);
3733  UtRegisterTest("DcePayloadParseTest40", DcePayloadParseTest40);
3734  UtRegisterTest("DcePayloadParseTest41", DcePayloadParseTest41);
3735 
3736  UtRegisterTest("DcePayloadTest42", DcePayloadTest42);
3737  UtRegisterTest("DcePayloadTest43", DcePayloadTest43);
3738 
3739  UtRegisterTest("DcePayloadParseTest44", DcePayloadParseTest44);
3740  UtRegisterTest("DcePayloadParseTest45", DcePayloadParseTest45);
3741  UtRegisterTest("DcePayloadParseTest46", DcePayloadParseTest46);
3742 #endif /* UNITTESTS */
3743 
3744  return;
3745 }
DETECT_BYTEJUMP_BEGIN
#define DETECT_BYTEJUMP_BEGIN
Definition: detect-bytejump.h:34
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2302
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:591
TcpSession_
Definition: stream-tcp-private.h:259
detect-content.h
DETECT_BYTETEST_LITTLE
#define DETECT_BYTETEST_LITTLE
Definition: detect-bytetest.h:44
DETECT_PCRE_RELATIVE
#define DETECT_PCRE_RELATIVE
Definition: detect-pcre.h:27
Packet_::flow
struct Flow_ * flow
Definition: decode.h:446
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Flow_::proto
uint8_t proto
Definition: flow.h:344
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2009
DetectBytejumpData_
Definition: detect-bytejump.h:43
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:767
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectIsdataatData_
Definition: detect-isdataat.h:35
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
DETECT_BYTEJUMP_LITTLE
#define DETECT_BYTEJUMP_LITTLE
Definition: detect-bytejump.h:35
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
DetectBytetestData_
Definition: detect-bytetest.h:52
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2770
DETECT_BYTETEST_BIG
#define DETECT_BYTETEST_BIG
Definition: detect-bytetest.h:45
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
Signature_
Signature container.
Definition: detect.h:522
TRUE
#define TRUE
Definition: suricata-common.h:33
Flow_::protoctx
void * protoctx
Definition: flow.h:400
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:42
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:322
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2978
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DetectBytejumpData_::flags
uint8_t flags
Definition: detect-bytejump.h:46
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:860
DETECT_BYTETEST_STRING
#define DETECT_BYTETEST_STRING
Definition: detect-bytetest.h:46
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:364
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:440
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:518
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
Definition: app-layer-parser.c:253
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
Signature_::next
struct Signature_ * next
Definition: detect.h:594
SigMatch_::type
uint8_t type
Definition: detect.h:319
DETECT_PCRE_RAWBYTES
#define DETECT_PCRE_RAWBYTES
Definition: detect-pcre.h:28
Packet_
Definition: decode.h:408
DETECT_BYTEJUMP_BIG
#define DETECT_BYTEJUMP_BIG
Definition: detect-bytejump.h:36
DcePayloadRegisterTests
void DcePayloadRegisterTests(void)
Definition: detect-engine-dcepayload.c:3703
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:516
DetectContentData_
Definition: detect-content.h:86
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
DETECT_BYTEJUMP_RELATIVE
#define DETECT_BYTEJUMP_RELATIVE
Definition: detect-bytejump.h:38
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
DETECT_BYTETEST_RELATIVE
#define DETECT_BYTETEST_RELATIVE
Definition: detect-bytetest.h:47
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:56
detect-engine-content-inspection.h
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1184
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
DETECT_BYTETEST_DCE
#define DETECT_BYTETEST_DCE
Definition: detect-bytetest.h:48
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1094
DetectPcreData_
Definition: detect-pcre.h:37
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:1003
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:409
Packet_::flags
uint32_t flags
Definition: decode.h:444
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
DETECT_BYTEJUMP_ALIGN
#define DETECT_BYTEJUMP_ALIGN
Definition: detect-bytejump.h:39
DETECT_BYTEJUMP_DCE
#define DETECT_BYTEJUMP_DCE
Definition: detect-bytejump.h:40
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2074
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
Flow_
Flow data structure.
Definition: flow.h:325
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:94
Flow_::flags
uint32_t flags
Definition: flow.h:379
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1092
SigMatch_
a single match condition for a signature
Definition: detect.h:318
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DETECT_BYTEJUMP_STRING
#define DETECT_BYTEJUMP_STRING
Definition: detect-bytejump.h:37
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2029