suricata
detect-engine-dcepayload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-engine.h"
31 #include "detect-parse.h"
32 #include "detect-pcre.h"
33 #include "detect-isdataat.h"
34 #include "detect-bytetest.h"
35 #include "detect-bytejump.h"
36 #include "detect-byte-extract.h"
37 #include "detect-content.h"
38 #include "detect-engine-content-inspection.h"
39 #include "detect-engine-dcepayload.h"
40 #include "detect-engine-build.h"
41 #include "app-layer-parser.h"
42 
43 #include "stream-tcp.h"
44 
45 #include "app-layer.h"
46 #include "flow-util.h"
47 #include "util-debug.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
52 #include "detect-dce-iface.h"
53 
54 static int g_dce_stub_data_buffer_id = 0;
55 
56 
57 /**************************************Unittests*******************************/
58 
59 #ifdef UNITTESTS
60 #include "detect-engine-alert.h"
61 
62 /**
63  * \test Test the working of byte_test endianness.
64  */
65 static int DcePayloadTest15(void)
66 {
67  int result = 0;
68 
69  uint8_t request1[] = {
70  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
71  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
72  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
73  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
74  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
75  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
76  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
77  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
78  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
79  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
80  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
81  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
82  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
83  };
84  uint32_t request1_len = sizeof(request1);
85 
86  TcpSession ssn;
87  Packet *p = NULL;
88  ThreadVars tv;
89  DetectEngineCtx *de_ctx = NULL;
90  DetectEngineThreadCtx *det_ctx = NULL;
91  Flow f;
92  int r;
93 
94  const char *sig1 = "alert tcp any any -> any any "
95  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
96  "byte_test:2,=,14080,0,relative,dce; sid:1;)";
97  const char *sig2 = "alert tcp any any -> any any "
98  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
99  "byte_test:2,=,46,5,relative,dce; sid:2;)";
100 
101  Signature *s;
102  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
103 
104  memset(&tv, 0, sizeof(ThreadVars));
105  memset(&f, 0, sizeof(Flow));
106  memset(&ssn, 0, sizeof(TcpSession));
107 
108  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
109  p->flow = &f;
110  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
111  p->flowflags |= FLOW_PKT_TOSERVER;
112  p->flowflags |= FLOW_PKT_ESTABLISHED;
113 
114  FLOW_INITIALIZE(&f);
115  f.protoctx = (void *)&ssn;
116  f.proto = IPPROTO_TCP;
117  f.flags |= FLOW_IPV4;
118  f.alproto = ALPROTO_DCERPC;
119 
120  StreamTcpInitConfig(true);
121 
122  de_ctx = DetectEngineCtxInit();
123  if (de_ctx == NULL)
124  goto end;
125  de_ctx->flags |= DE_QUIET;
126 
127  de_ctx->sig_list = SigInit(de_ctx, sig1);
128  s = de_ctx->sig_list;
129  if (s == NULL)
130  goto end;
131  s->next = SigInit(de_ctx, sig2);
132  if (s->next == NULL)
133  goto end;
134 
135  SigGroupBuild(de_ctx);
136  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
137 
138  /* request 1 */
139  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
140  STREAM_TOSERVER, request1, request1_len);
141  if (r != 0) {
142  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
143  result = 0;
144  goto end;
145  }
146  /* detection phase */
147  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
148  if (!(PacketAlertCheck(p, 1))) {
149  printf("sid 1 didn't match but should have for packet: ");
150  goto end;
151  }
152  if (!(PacketAlertCheck(p, 2))) {
153  printf("sid 2 didn't match but should have for packet: ");
154  goto end;
155  }
156 
157  result = 1;
158 
159 end:
160  if (alp_tctx != NULL)
161  AppLayerParserThreadCtxFree(alp_tctx);
162  if (de_ctx != NULL) {
163  SigGroupCleanup(de_ctx);
164  SigCleanSignatures(de_ctx);
165 
166  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
167  DetectEngineCtxFree(de_ctx);
168  }
169 
170  StreamTcpFreeConfig(true);
171 
172  UTHFreePackets(&p, 1);
173  return result;
174 }
175 
176 /**
177  * \test Test the working of byte_test endianness.
178  */
179 static int DcePayloadTest16(void)
180 {
181  int result = 0;
182 
183  uint8_t request1[] = {
184  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
185  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
186  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
187  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
188  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
189  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
190  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
191  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
192  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
193  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
194  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
195  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
196  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
197  };
198  uint32_t request1_len = sizeof(request1);
199 
200  TcpSession ssn;
201  Packet *p = NULL;
202  ThreadVars tv;
203  DetectEngineCtx *de_ctx = NULL;
204  DetectEngineThreadCtx *det_ctx = NULL;
205  Flow f;
206  int r;
207 
208  const char *sig1 = "alert tcp any any -> any any "
209  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
210  "byte_test:2,=,55,0,relative; sid:1;)";
211  const char *sig2 = "alert tcp any any -> any any "
212  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
213  "byte_test:2,=,11776,5,relative; sid:2;)";
214 
215  Signature *s;
216  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
217 
218  memset(&tv, 0, sizeof(ThreadVars));
219  memset(&f, 0, sizeof(Flow));
220  memset(&ssn, 0, sizeof(TcpSession));
221 
222  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
223  p->flow = &f;
224  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
225  p->flowflags |= FLOW_PKT_TOSERVER;
226  p->flowflags |= FLOW_PKT_ESTABLISHED;
227 
228  FLOW_INITIALIZE(&f);
229  f.protoctx = (void *)&ssn;
230  f.proto = IPPROTO_TCP;
231  f.flags |= FLOW_IPV4;
232  f.alproto = ALPROTO_DCERPC;
233 
234  StreamTcpInitConfig(true);
235 
236  de_ctx = DetectEngineCtxInit();
237  if (de_ctx == NULL)
238  goto end;
239  de_ctx->flags |= DE_QUIET;
240 
241  de_ctx->sig_list = SigInit(de_ctx, sig1);
242  s = de_ctx->sig_list;
243  if (s == NULL)
244  goto end;
245  s->next = SigInit(de_ctx, sig2);
246  if (s->next == NULL)
247  goto end;
248 
249  SigGroupBuild(de_ctx);
250  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
251 
252  /* request 1 */
253  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
254  STREAM_TOSERVER, request1, request1_len);
255  if (r != 0) {
256  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
257  result = 0;
258  goto end;
259  }
260  /* detection phase */
261  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
262  if (!(PacketAlertCheck(p, 1))) {
263  printf("sid 1 didn't match but should have for packet: ");
264  goto end;
265  }
266  if (!(PacketAlertCheck(p, 2))) {
267  printf("sid 2 didn't match but should have for packet: ");
268  goto end;
269  }
270 
271  result = 1;
272 
273 end:
274  if (alp_tctx != NULL)
275  AppLayerParserThreadCtxFree(alp_tctx);
276  if (de_ctx != NULL) {
277  SigGroupCleanup(de_ctx);
278  SigCleanSignatures(de_ctx);
279 
280  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
281  DetectEngineCtxFree(de_ctx);
282  }
283 
284  StreamTcpFreeConfig(true);
285 
286  UTHFreePackets(&p, 1);
287  return result;
288 }
289 
290 /**
291  * \test Test the working of byte_test endianness.
292  */
293 static int DcePayloadTest17(void)
294 {
295  int result = 0;
296 
297  uint8_t request1[] = {
298  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
299  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
300  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
301  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
302  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
303  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
304  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
305  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
306  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
307  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
308  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
309  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
310  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
311  };
312  uint32_t request1_len = sizeof(request1);
313 
314  TcpSession ssn;
315  Packet *p = NULL;
316  ThreadVars tv;
317  DetectEngineCtx *de_ctx = NULL;
318  DetectEngineThreadCtx *det_ctx = NULL;
319  Flow f;
320  int r;
321 
322  const char *sig1 = "alert tcp any any -> any any "
323  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
324  "byte_test:2,=,55,0,relative,big; sid:1;)";
325  const char *sig2 = "alert tcp any any -> any any "
326  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
327  "byte_test:2,=,46,5,relative,little; sid:2;)";
328 
329  Signature *s;
330  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
331 
332  memset(&tv, 0, sizeof(ThreadVars));
333  memset(&f, 0, sizeof(Flow));
334  memset(&ssn, 0, sizeof(TcpSession));
335 
336  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
337  p->flow = &f;
338  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
339  p->flowflags |= FLOW_PKT_TOSERVER;
340  p->flowflags |= FLOW_PKT_ESTABLISHED;
341 
342  FLOW_INITIALIZE(&f);
343  f.protoctx = (void *)&ssn;
344  f.proto = IPPROTO_TCP;
345  f.flags |= FLOW_IPV4;
346  f.alproto = ALPROTO_DCERPC;
347 
348  StreamTcpInitConfig(true);
349 
350  de_ctx = DetectEngineCtxInit();
351  if (de_ctx == NULL)
352  goto end;
353  de_ctx->flags |= DE_QUIET;
354 
355  de_ctx->sig_list = SigInit(de_ctx, sig1);
356  s = de_ctx->sig_list;
357  if (s == NULL)
358  goto end;
359  s->next = SigInit(de_ctx, sig2);
360  if (s->next == NULL)
361  goto end;
362 
363  SigGroupBuild(de_ctx);
364  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
365 
366  /* request 1 */
367  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
368  STREAM_TOSERVER, request1, request1_len);
369  if (r != 0) {
370  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
371  result = 0;
372  goto end;
373  }
374  /* detection phase */
375  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
376  if (!(PacketAlertCheck(p, 1))) {
377  printf("sid 1 didn't match but should have for packet: ");
378  goto end;
379  }
380  if (!(PacketAlertCheck(p, 2))) {
381  printf("sid 2 didn't match but should have for packet: ");
382  goto end;
383  }
384 
385  result = 1;
386 
387 end:
388  if (alp_tctx != NULL)
389  AppLayerParserThreadCtxFree(alp_tctx);
390  if (de_ctx != NULL) {
391  SigGroupCleanup(de_ctx);
392  SigCleanSignatures(de_ctx);
393 
394  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
395  DetectEngineCtxFree(de_ctx);
396  }
397 
398  StreamTcpFreeConfig(true);
399 
400  UTHFreePackets(&p, 1);
401  return result;
402 }
403 
404 /**
405  * \test Test the working of byte_jump endianness.
406  */
407 static int DcePayloadTest18(void)
408 {
409  int result = 0;
410 
411  uint8_t request1[] = {
412  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
413  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
414  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
415  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
416  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
417  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x03, 0x00, 0x03,
418  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
419  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
420  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
421  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
422  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
423  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
424  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
425  };
426  uint32_t request1_len = sizeof(request1);
427 
428  TcpSession ssn;
429  Packet *p = NULL;
430  ThreadVars tv;
431  DetectEngineCtx *de_ctx = NULL;
432  DetectEngineThreadCtx *det_ctx = NULL;
433  Flow f;
434  int r;
435 
436  const char *sig1 = "alert tcp any any -> any any "
437  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
438  "byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
439  const char *sig2 = "alert tcp any any -> any any "
440  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
441  "byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
442 
443  Signature *s;
444  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
445 
446  memset(&tv, 0, sizeof(ThreadVars));
447  memset(&f, 0, sizeof(Flow));
448  memset(&ssn, 0, sizeof(TcpSession));
449 
450  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
451  p->flow = &f;
452  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
453  p->flowflags |= FLOW_PKT_TOSERVER;
454  p->flowflags |= FLOW_PKT_ESTABLISHED;
455 
456  FLOW_INITIALIZE(&f);
457  f.protoctx = (void *)&ssn;
458  f.proto = IPPROTO_TCP;
459  f.flags |= FLOW_IPV4;
460  f.alproto = ALPROTO_DCERPC;
461 
462  StreamTcpInitConfig(true);
463 
464  de_ctx = DetectEngineCtxInit();
465  if (de_ctx == NULL)
466  goto end;
467  de_ctx->flags |= DE_QUIET;
468 
469  de_ctx->sig_list = SigInit(de_ctx, sig1);
470  s = de_ctx->sig_list;
471  if (s == NULL)
472  goto end;
473  s->next = SigInit(de_ctx, sig2);
474  if (s->next == NULL)
475  goto end;
476 
477  SigGroupBuild(de_ctx);
478  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
479 
480  /* request 1 */
481  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
482  STREAM_TOSERVER, request1, request1_len);
483  if (r != 0) {
484  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
485  result = 0;
486  goto end;
487  }
488  /* detection phase */
489  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
490  if (!(PacketAlertCheck(p, 1))) {
491  printf("sid 1 didn't match but should have for packet: ");
492  goto end;
493  }
494  if (!(PacketAlertCheck(p, 2))) {
495  printf("sid 2 didn't match but should have for packet: ");
496  goto end;
497  }
498 
499  result = 1;
500 
501 end:
502  if (alp_tctx != NULL)
503  AppLayerParserThreadCtxFree(alp_tctx);
504  if (de_ctx != NULL) {
505  SigGroupCleanup(de_ctx);
506  SigCleanSignatures(de_ctx);
507 
508  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
509  DetectEngineCtxFree(de_ctx);
510  }
511 
512  StreamTcpFreeConfig(true);
513 
514  UTHFreePackets(&p, 1);
515  return result;
516 }
517 
518 /**
519  * \test Test the working of byte_jump endianness.
520  */
521 static int DcePayloadTest19(void)
522 {
523  int result = 0;
524 
525  uint8_t request1[] = {
526  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
527  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
528  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
529  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
530  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
531  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x00,
532  0x03, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
533  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
534  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
535  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
536  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
537  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
538  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
539  };
540  uint32_t request1_len = sizeof(request1);
541 
542  TcpSession ssn;
543  Packet *p = NULL;
544  ThreadVars tv;
545  DetectEngineCtx *de_ctx = NULL;
546  DetectEngineThreadCtx *det_ctx = NULL;
547  Flow f;
548  int r;
549 
550  const char *sig1 = "alert tcp any any -> any any "
551  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
552  "byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
553  const char *sig2 = "alert tcp any any -> any any "
554  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
555  "byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
556 
557  Signature *s;
558  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
559 
560  memset(&tv, 0, sizeof(ThreadVars));
561  memset(&f, 0, sizeof(Flow));
562  memset(&ssn, 0, sizeof(TcpSession));
563 
564  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
565  p->flow = &f;
566  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
567  p->flowflags |= FLOW_PKT_TOSERVER;
568  p->flowflags |= FLOW_PKT_ESTABLISHED;
569 
570  FLOW_INITIALIZE(&f);
571  f.protoctx = (void *)&ssn;
572  f.proto = IPPROTO_TCP;
573  f.flags |= FLOW_IPV4;
574  f.alproto = ALPROTO_DCERPC;
575 
576  StreamTcpInitConfig(true);
577 
578  de_ctx = DetectEngineCtxInit();
579  if (de_ctx == NULL)
580  goto end;
581  de_ctx->flags |= DE_QUIET;
582 
583  de_ctx->sig_list = SigInit(de_ctx, sig1);
584  s = de_ctx->sig_list;
585  if (s == NULL)
586  goto end;
587  s->next = SigInit(de_ctx, sig2);
588  if (s->next == NULL)
589  goto end;
590 
591  SigGroupBuild(de_ctx);
592  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
593 
594  /* request 1 */
595  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
596  STREAM_TOSERVER, request1, request1_len);
597  if (r != 0) {
598  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
599  result = 0;
600  goto end;
601  }
602  /* detection phase */
603  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
604  if (!(PacketAlertCheck(p, 1))) {
605  printf("sid 1 didn't match but should have for packet: ");
606  goto end;
607  }
608  if (!(PacketAlertCheck(p, 2))) {
609  printf("sid 2 didn't match but should have for packet: ");
610  goto end;
611  }
612 
613  result = 1;
614 
615 end:
616  if (alp_tctx != NULL)
617  AppLayerParserThreadCtxFree(alp_tctx);
618  if (de_ctx != NULL) {
619  SigGroupCleanup(de_ctx);
620  SigCleanSignatures(de_ctx);
621 
622  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
623  DetectEngineCtxFree(de_ctx);
624  }
625 
626  StreamTcpFreeConfig(true);
627 
628  UTHFreePackets(&p, 1);
629  return result;
630 }
631 
632 /**
633  * \test Test the working of byte_jump endianness.
634  */
635 static int DcePayloadTest20(void)
636 {
637  int result = 0;
638 
639  uint8_t request1[] = {
640  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
641  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
642  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
643  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
644  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
645  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x03,
646  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
647  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
648  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
649  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
650  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
651  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
652  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
653  };
654  uint32_t request1_len = sizeof(request1);
655 
656  TcpSession ssn;
657  Packet *p = NULL;
658  ThreadVars tv;
659  DetectEngineCtx *de_ctx = NULL;
660  DetectEngineThreadCtx *det_ctx = NULL;
661  Flow f;
662  int r;
663 
664  const char *sig1 = "alert tcp any any -> any any "
665  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
666  "byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
667  const char *sig2 = "alert tcp any any -> any any "
668  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
669  "byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
670 
671  Signature *s;
672  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
673 
674  memset(&tv, 0, sizeof(ThreadVars));
675  memset(&f, 0, sizeof(Flow));
676  memset(&ssn, 0, sizeof(TcpSession));
677 
678  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
679  p->flow = &f;
680  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
681  p->flowflags |= FLOW_PKT_TOSERVER;
682  p->flowflags |= FLOW_PKT_ESTABLISHED;
683 
684  FLOW_INITIALIZE(&f);
685  f.protoctx = (void *)&ssn;
686  f.proto = IPPROTO_TCP;
687  f.flags |= FLOW_IPV4;
688  f.alproto = ALPROTO_DCERPC;
689 
690  StreamTcpInitConfig(true);
691 
692  de_ctx = DetectEngineCtxInit();
693  if (de_ctx == NULL)
694  goto end;
695  de_ctx->flags |= DE_QUIET;
696 
697  de_ctx->sig_list = SigInit(de_ctx, sig1);
698  s = de_ctx->sig_list;
699  if (s == NULL)
700  goto end;
701  s->next = SigInit(de_ctx, sig2);
702  if (s->next == NULL)
703  goto end;
704 
705  SigGroupBuild(de_ctx);
706  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
707 
708  /* request 1 */
709  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
710  STREAM_TOSERVER, request1, request1_len);
711  if (r != 0) {
712  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
713  result = 0;
714  goto end;
715  }
716  /* detection phase */
717  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
718  if (!(PacketAlertCheck(p, 1))) {
719  printf("sid 1 didn't match but should have for packet: ");
720  goto end;
721  }
722  if (!(PacketAlertCheck(p, 2))) {
723  printf("sid 2 didn't match but should have for packet: ");
724  goto end;
725  }
726 
727  result = 1;
728 
729 end:
730  if (alp_tctx != NULL)
731  AppLayerParserThreadCtxFree(alp_tctx);
732  if (de_ctx != NULL) {
733  SigGroupCleanup(de_ctx);
734  SigCleanSignatures(de_ctx);
735 
736  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
737  DetectEngineCtxFree(de_ctx);
738  }
739 
740  StreamTcpFreeConfig(true);
741 
742  UTHFreePackets(&p, 1);
743  return result;
744 }
745 
746 /**
747  * \test Test content for dce sig.
748  */
749 static int DcePayloadParseTest25(void)
750 {
751  DetectEngineCtx *de_ctx = NULL;
752  int result = 1;
753  Signature *s = NULL;
754  SigMatch *sm = NULL;
755  DetectContentData *data = NULL;
756 
757  de_ctx = DetectEngineCtxInit();
758  if (de_ctx == NULL)
759  goto end;
760 
761  de_ctx->flags |= DE_QUIET;
762  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
763  "(msg:\"Testing bytejump_body\"; "
764  "content:\"one\"; content:\"two\"; "
765  "content:\"three\"; within:10; "
766  "content:\"four\"; distance:4; "
767  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
768  "sid:1;)");
769  if (de_ctx->sig_list == NULL) {
770  result = 0;
771  goto end;
772  }
773 
774  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
775  result = 0;
776  goto end;
777  }
778  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
779  result = 0;
780  goto end;
781  }
782 
783  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
784  if (sm->type != DETECT_CONTENT) {
785  result = 0;
786  goto end;
787  }
788  data = (DetectContentData *)sm->ctx;
789  if (data->flags & DETECT_CONTENT_RAWBYTES ||
790  data->flags & DETECT_CONTENT_NOCASE ||
791  data->flags & DETECT_CONTENT_WITHIN ||
792  data->flags & DETECT_CONTENT_DISTANCE ||
793  data->flags & DETECT_CONTENT_FAST_PATTERN ||
794  data->flags & DETECT_CONTENT_NEGATED ) {
795  result = 0;
796  goto end;
797  }
798  result &= (strncmp((char *)data->content, "one", 3) == 0);
799  if (result == 0)
800  goto end;
801 
802  sm = sm->next;
803  if (sm->type != DETECT_CONTENT) {
804  result = 0;
805  goto end;
806  }
807  data = (DetectContentData *)sm->ctx;
808  if (data->flags & DETECT_CONTENT_RAWBYTES ||
809  data->flags & DETECT_CONTENT_NOCASE ||
810  data->flags & DETECT_CONTENT_WITHIN ||
811  data->flags & DETECT_CONTENT_DISTANCE ||
812  data->flags & DETECT_CONTENT_FAST_PATTERN ||
813  data->flags & DETECT_CONTENT_NEGATED ) {
814  result = 0;
815  goto end;
816  }
817  result &= (strncmp((char *)data->content, "two", 3) == 0);
818  if (result == 0)
819  goto end;
820 
821  sm = sm->next;
822  if (sm->type != DETECT_CONTENT) {
823  result = 0;
824  goto end;
825  }
826  data = (DetectContentData *)sm->ctx;
827  if (data->flags & DETECT_CONTENT_RAWBYTES ||
828  data->flags & DETECT_CONTENT_NOCASE ||
829  !(data->flags & DETECT_CONTENT_WITHIN) ||
830  data->flags & DETECT_CONTENT_DISTANCE ||
831  data->flags & DETECT_CONTENT_FAST_PATTERN ||
832  data->flags & DETECT_CONTENT_NEGATED ) {
833  result = 0;
834  goto end;
835  }
836  result &= (strncmp((char *)data->content, "three", 5) == 0);
837  if (result == 0)
838  goto end;
839 
840  sm = sm->next;
841  if (sm->type != DETECT_CONTENT) {
842  result = 0;
843  goto end;
844  }
845  data = (DetectContentData *)sm->ctx;
846  if (data->flags & DETECT_CONTENT_RAWBYTES ||
847  data->flags & DETECT_CONTENT_NOCASE ||
848  data->flags & DETECT_CONTENT_WITHIN ||
849  !(data->flags & DETECT_CONTENT_DISTANCE) ||
850  data->flags & DETECT_CONTENT_FAST_PATTERN ||
851  data->flags & DETECT_CONTENT_NEGATED ) {
852  result = 0;
853  goto end;
854  }
855  result &= (strncmp((char *)data->content, "four", 4) == 0);
856  if (result == 0)
857  goto end;
858 
859  end:
860  SigGroupCleanup(de_ctx);
861  SigCleanSignatures(de_ctx);
862  DetectEngineCtxFree(de_ctx);
863 
864  return result;
865 }
866 
867 /**
868  * \test Test content for dce sig.
869  */
870 static int DcePayloadParseTest26(void)
871 {
872  DetectEngineCtx *de_ctx = NULL;
873  int result = 1;
874  Signature *s = NULL;
875  SigMatch *sm = NULL;
876  DetectContentData *data = NULL;
877 
878  de_ctx = DetectEngineCtxInit();
879  if (de_ctx == NULL)
880  goto end;
881 
882  de_ctx->flags |= DE_QUIET;
883  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
884  "(msg:\"Testing bytejump_body\"; "
885  "dce_stub_data; "
886  "pkt_data; "
887  "content:\"one\"; "
888  "content:\"two\"; "
889  "content:\"three\"; within:5; "
890  "content:\"four\"; distance:10; "
891  "sid:1;)");
892  if (de_ctx->sig_list == NULL) {
893  result = 0;
894  goto end;
895  }
896 
897  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
898  result = 0;
899  goto end;
900  }
901  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
902  result = 0;
903  goto end;
904  }
905 
906  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
907  if (sm->type != DETECT_CONTENT) {
908  result = 0;
909  goto end;
910  }
911  data = (DetectContentData *)sm->ctx;
912  if (data->flags & DETECT_CONTENT_RAWBYTES ||
913  data->flags & DETECT_CONTENT_NOCASE ||
914  data->flags & DETECT_CONTENT_WITHIN ||
915  data->flags & DETECT_CONTENT_DISTANCE ||
916  data->flags & DETECT_CONTENT_FAST_PATTERN ||
917  data->flags & DETECT_CONTENT_NEGATED ) {
918  result = 0;
919  printf("one failed\n");
920  goto end;
921  }
922  result &= (strncmp((char *)data->content, "one", 3) == 0);
923  if (result == 0)
924  goto end;
925 
926  sm = sm->next;
927  if (sm->type != DETECT_CONTENT) {
928  result = 0;
929  goto end;
930  }
931  data = (DetectContentData *)sm->ctx;
932  if (data->flags & DETECT_CONTENT_RAWBYTES ||
933  data->flags & DETECT_CONTENT_NOCASE ||
934  data->flags & DETECT_CONTENT_WITHIN ||
935  data->flags & DETECT_CONTENT_DISTANCE ||
936  data->flags & DETECT_CONTENT_FAST_PATTERN ||
937  data->flags & DETECT_CONTENT_NEGATED ) {
938  result = 0;
939  printf("two failed\n");
940  goto end;
941  }
942  result &= (strncmp((char *)data->content, "two", 3) == 0);
943  if (result == 0)
944  goto end;
945 
946  sm = sm->next;
947  if (sm->type != DETECT_CONTENT) {
948  result = 0;
949  goto end;
950  }
951  data = (DetectContentData *)sm->ctx;
952  if (data->flags & DETECT_CONTENT_RAWBYTES ||
953  data->flags & DETECT_CONTENT_NOCASE ||
954  !(data->flags & DETECT_CONTENT_WITHIN) ||
955  data->flags & DETECT_CONTENT_DISTANCE ||
956  data->flags & DETECT_CONTENT_FAST_PATTERN ||
957  data->flags & DETECT_CONTENT_NEGATED ) {
958  printf("three failed\n");
959  result = 0;
960  goto end;
961  }
962  result &= (strncmp((char *)data->content, "three", 5) == 0);
963  if (result == 0)
964  goto end;
965 
966  sm = sm->next;
967  if (sm->type != DETECT_CONTENT) {
968  result = 0;
969  goto end;
970  }
971  data = (DetectContentData *)sm->ctx;
972  if (data->flags & DETECT_CONTENT_RAWBYTES ||
973  data->flags & DETECT_CONTENT_NOCASE ||
974  data->flags & DETECT_CONTENT_WITHIN ||
975  !(data->flags & DETECT_CONTENT_DISTANCE) ||
976  data->flags & DETECT_CONTENT_FAST_PATTERN ||
977  data->flags & DETECT_CONTENT_NEGATED ) {
978  printf("four failed\n");
979  result = 0;
980  goto end;
981  }
982  result &= (strncmp((char *)data->content, "four", 4) == 0);
983  if (result == 0)
984  goto end;
985 
986  end:
987  SigGroupCleanup(de_ctx);
988  SigCleanSignatures(de_ctx);
989  DetectEngineCtxFree(de_ctx);
990 
991  return result;
992 }
993 
994 /**
995  * \test Test content for dce sig.
996  */
997 static int DcePayloadParseTest27(void)
998 {
999  DetectEngineCtx *de_ctx = NULL;
1000  int result = 1;
1001  Signature *s = NULL;
1002  SigMatch *sm = NULL;
1003  DetectContentData *data = NULL;
1004 
1005  de_ctx = DetectEngineCtxInit();
1006  if (de_ctx == NULL)
1007  goto end;
1008 
1009  de_ctx->flags |= DE_QUIET;
1010  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1011  "(msg:\"Testing bytejump_body\"; "
1012  "dce_stub_data; "
1013  "content:\"one\"; distance:10; within:5; "
1014  "content:\"two\"; within:5;"
1015  "content:\"three\"; within:5; "
1016  "content:\"four\"; distance:10; "
1017  "sid:1;)");
1018  if (de_ctx->sig_list == NULL) {
1019  result = 0;
1020  goto end;
1021  }
1022 
1023  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1024  result = 0;
1025  goto end;
1026  }
1027  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] != NULL) {
1028  result = 0;
1029  goto end;
1030  }
1031 
1032  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1033  if (sm->type != DETECT_CONTENT) {
1034  result = 0;
1035  goto end;
1036  }
1037  data = (DetectContentData *)sm->ctx;
1038  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1039  data->flags & DETECT_CONTENT_NOCASE ||
1040  !(data->flags & DETECT_CONTENT_WITHIN) ||
1041  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1042  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1043  data->flags & DETECT_CONTENT_NEGATED ) {
1044  result = 0;
1045  printf("one failed\n");
1046  goto end;
1047  }
1048  result &= (strncmp((char *)data->content, "one", 3) == 0);
1049  if (result == 0)
1050  goto end;
1051 
1052  sm = sm->next;
1053  if (sm->type != DETECT_CONTENT) {
1054  result = 0;
1055  goto end;
1056  }
1057  data = (DetectContentData *)sm->ctx;
1058  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1059  data->flags & DETECT_CONTENT_NOCASE ||
1060  !(data->flags & DETECT_CONTENT_WITHIN) ||
1061  data->flags & DETECT_CONTENT_DISTANCE ||
1062  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1063  data->flags & DETECT_CONTENT_NEGATED ) {
1064  result = 0;
1065  printf("two failed\n");
1066  goto end;
1067  }
1068  result &= (strncmp((char *)data->content, "two", 3) == 0);
1069  if (result == 0)
1070  goto end;
1071 
1072  sm = sm->next;
1073  if (sm->type != DETECT_CONTENT) {
1074  result = 0;
1075  goto end;
1076  }
1077  data = (DetectContentData *)sm->ctx;
1078  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1079  data->flags & DETECT_CONTENT_NOCASE ||
1080  !(data->flags & DETECT_CONTENT_WITHIN) ||
1081  data->flags & DETECT_CONTENT_DISTANCE ||
1082  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1083  data->flags & DETECT_CONTENT_NEGATED ) {
1084  printf("three failed\n");
1085  result = 0;
1086  goto end;
1087  }
1088  result &= (strncmp((char *)data->content, "three", 5) == 0);
1089  if (result == 0)
1090  goto end;
1091 
1092  sm = sm->next;
1093  if (sm->type != DETECT_CONTENT) {
1094  result = 0;
1095  goto end;
1096  }
1097  data = (DetectContentData *)sm->ctx;
1098  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1099  data->flags & DETECT_CONTENT_NOCASE ||
1100  data->flags & DETECT_CONTENT_WITHIN ||
1101  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1102  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1103  data->flags & DETECT_CONTENT_NEGATED ) {
1104  printf("four failed\n");
1105  result = 0;
1106  goto end;
1107  }
1108  result &= (strncmp((char *)data->content, "four", 4) == 0);
1109  if (result == 0)
1110  goto end;
1111 
1112  end:
1113  SigGroupCleanup(de_ctx);
1114  SigCleanSignatures(de_ctx);
1115  DetectEngineCtxFree(de_ctx);
1116 
1117  return result;
1118 }
1119 
1120 /**
1121  * \test Test content for dce sig.
1122  */
1123 static int DcePayloadParseTest28(void)
1124 {
1125  DetectEngineCtx *de_ctx = NULL;
1126  int result = 1;
1127  Signature *s = NULL;
1128  SigMatch *sm = NULL;
1129  DetectContentData *data = NULL;
1130 
1131  de_ctx = DetectEngineCtxInit();
1132  if (de_ctx == NULL)
1133  goto end;
1134 
1135  de_ctx->flags |= DE_QUIET;
1136  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1137  "(msg:\"Testing bytejump_body\"; "
1138  "dce_stub_data; "
1139  "content:\"one\"; distance:10; within:5; "
1140  "content:\"two\"; within:5;"
1141  "pkt_data; "
1142  "content:\"three\";"
1143  "content:\"four\";"
1144  "sid:1;)");
1145  if (de_ctx->sig_list == NULL) {
1146  result = 0;
1147  goto end;
1148  }
1149 
1150  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1151  result = 0;
1152  goto end;
1153  }
1154  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1155  result = 0;
1156  goto end;
1157  }
1158 
1159  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1160  if (sm->type != DETECT_CONTENT) {
1161  result = 0;
1162  goto end;
1163  }
1164  data = (DetectContentData *)sm->ctx;
1165  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1166  data->flags & DETECT_CONTENT_NOCASE ||
1167  !(data->flags & DETECT_CONTENT_WITHIN) ||
1168  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1169  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1170  data->flags & DETECT_CONTENT_NEGATED ) {
1171  result = 0;
1172  printf("one failed\n");
1173  goto end;
1174  }
1175  result &= (strncmp((char *)data->content, "one", 3) == 0);
1176  if (result == 0)
1177  goto end;
1178 
1179  sm = sm->next;
1180  if (sm->type != DETECT_CONTENT) {
1181  result = 0;
1182  goto end;
1183  }
1184  data = (DetectContentData *)sm->ctx;
1185  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1186  data->flags & DETECT_CONTENT_NOCASE ||
1187  !(data->flags & DETECT_CONTENT_WITHIN) ||
1188  data->flags & DETECT_CONTENT_DISTANCE ||
1189  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1190  data->flags & DETECT_CONTENT_NEGATED ) {
1191  result = 0;
1192  printf("two failed\n");
1193  goto end;
1194  }
1195  result &= (strncmp((char *)data->content, "two", 3) == 0);
1196  if (result == 0)
1197  goto end;
1198 
1199  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1200  if (sm->type != DETECT_CONTENT) {
1201  result = 0;
1202  goto end;
1203  }
1204  data = (DetectContentData *)sm->ctx;
1205  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1206  data->flags & DETECT_CONTENT_NOCASE ||
1207  data->flags & DETECT_CONTENT_WITHIN ||
1208  data->flags & DETECT_CONTENT_DISTANCE ||
1209  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1210  data->flags & DETECT_CONTENT_NEGATED ) {
1211  printf("three failed\n");
1212  result = 0;
1213  goto end;
1214  }
1215  result &= (strncmp((char *)data->content, "three", 5) == 0);
1216  if (result == 0)
1217  goto end;
1218 
1219  sm = sm->next;
1220  if (sm->type != DETECT_CONTENT) {
1221  result = 0;
1222  goto end;
1223  }
1224  data = (DetectContentData *)sm->ctx;
1225  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1226  data->flags & DETECT_CONTENT_NOCASE ||
1227  data->flags & DETECT_CONTENT_WITHIN ||
1228  data->flags & DETECT_CONTENT_DISTANCE ||
1229  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1230  data->flags & DETECT_CONTENT_NEGATED ) {
1231  printf("four failed\n");
1232  result = 0;
1233  goto end;
1234  }
1235  result &= (strncmp((char *)data->content, "four", 4) == 0);
1236  if (result == 0)
1237  goto end;
1238 
1239  end:
1240  SigGroupCleanup(de_ctx);
1241  SigCleanSignatures(de_ctx);
1242  DetectEngineCtxFree(de_ctx);
1243 
1244  return result;
1245 }
1246 
1247 /**
1248  * \test Test content for dce sig.
1249  */
1250 static int DcePayloadParseTest29(void)
1251 {
1252  DetectEngineCtx *de_ctx = NULL;
1253  int result = 1;
1254  Signature *s = NULL;
1255  SigMatch *sm = NULL;
1256  DetectContentData *data = NULL;
1257  DetectPcreData *pd = NULL;
1258 
1259  de_ctx = DetectEngineCtxInit();
1260  if (de_ctx == NULL)
1261  goto end;
1262 
1263  de_ctx->flags |= DE_QUIET;
1264  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1265  "(msg:\"Testing bytejump_body\"; "
1266  "dce_stub_data; "
1267  "pkt_data; "
1268  "pcre:/boom/; "
1269  "content:\"one\"; distance:10; within:5; "
1270  "content:\"two\"; within:5;"
1271  "content:\"three\";"
1272  "content:\"four\";"
1273  "sid:1;)");
1274  if (de_ctx->sig_list == NULL) {
1275  result = 0;
1276  goto end;
1277  }
1278 
1279  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1280  result = 0;
1281  goto end;
1282  }
1283  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1284  result = 0;
1285  goto end;
1286  }
1287 
1288  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1289  if (sm->type != DETECT_PCRE) {
1290  result = 0;
1291  goto end;
1292  }
1293  pd = (DetectPcreData *)sm->ctx;
1294  if (pd->flags & DETECT_PCRE_RAWBYTES ||
1295  pd->flags & DETECT_PCRE_RELATIVE) {
1296  result = 0;
1297  printf("one failed\n");
1298  goto end;
1299  }
1300 
1301  sm = sm->next;
1302  if (sm->type != DETECT_CONTENT) {
1303  result = 0;
1304  goto end;
1305  }
1306  data = (DetectContentData *)sm->ctx;
1307  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1308  data->flags & DETECT_CONTENT_NOCASE ||
1309  !(data->flags & DETECT_CONTENT_WITHIN) ||
1310  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1311  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1312  data->flags & DETECT_CONTENT_NEGATED ) {
1313  result = 0;
1314  printf("one failed\n");
1315  goto end;
1316  }
1317  result &= (strncmp((char *)data->content, "one", 3) == 0);
1318  if (result == 0)
1319  goto end;
1320 
1321  sm = sm->next;
1322  if (sm->type != DETECT_CONTENT) {
1323  result = 0;
1324  goto end;
1325  }
1326  data = (DetectContentData *)sm->ctx;
1327  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1328  data->flags & DETECT_CONTENT_NOCASE ||
1329  !(data->flags & DETECT_CONTENT_WITHIN) ||
1330  data->flags & DETECT_CONTENT_DISTANCE ||
1331  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1332  data->flags & DETECT_CONTENT_NEGATED ) {
1333  result = 0;
1334  printf("two failed\n");
1335  goto end;
1336  }
1337  result &= (strncmp((char *)data->content, "two", 3) == 0);
1338  if (result == 0)
1339  goto end;
1340 
1341  sm = sm->next;
1342  if (sm->type != DETECT_CONTENT) {
1343  result = 0;
1344  goto end;
1345  }
1346  data = (DetectContentData *)sm->ctx;
1347  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1348  data->flags & DETECT_CONTENT_NOCASE ||
1349  data->flags & DETECT_CONTENT_WITHIN ||
1350  data->flags & DETECT_CONTENT_DISTANCE ||
1351  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1352  data->flags & DETECT_CONTENT_NEGATED ) {
1353  printf("three failed\n");
1354  result = 0;
1355  goto end;
1356  }
1357  result &= (strncmp((char *)data->content, "three", 5) == 0);
1358  if (result == 0)
1359  goto end;
1360 
1361  sm = sm->next;
1362  if (sm->type != DETECT_CONTENT) {
1363  result = 0;
1364  goto end;
1365  }
1366  data = (DetectContentData *)sm->ctx;
1367  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1368  data->flags & DETECT_CONTENT_NOCASE ||
1369  data->flags & DETECT_CONTENT_WITHIN ||
1370  data->flags & DETECT_CONTENT_DISTANCE ||
1371  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1372  data->flags & DETECT_CONTENT_NEGATED ) {
1373  printf("four failed\n");
1374  result = 0;
1375  goto end;
1376  }
1377  result &= (strncmp((char *)data->content, "four", 4) == 0);
1378  if (result == 0)
1379  goto end;
1380 
1381  end:
1382  SigGroupCleanup(de_ctx);
1383  SigCleanSignatures(de_ctx);
1384  DetectEngineCtxFree(de_ctx);
1385 
1386  return result;
1387 }
1388 
1389 /**
1390  * \test Test content for dce sig.
1391  */
1392 static int DcePayloadParseTest30(void)
1393 {
1394  DetectEngineCtx *de_ctx = NULL;
1395  int result = 1;
1396  Signature *s = NULL;
1397  SigMatch *sm = NULL;
1398  DetectContentData *data = NULL;
1399  DetectBytejumpData *bd = NULL;
1400 
1401  de_ctx = DetectEngineCtxInit();
1402  if (de_ctx == NULL)
1403  goto end;
1404 
1405  de_ctx->flags |= DE_QUIET;
1406  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1407  "(msg:\"Testing bytejump_body\"; "
1408  "dce_stub_data; "
1409  "pkt_data; "
1410  "byte_jump:2,5; "
1411  "content:\"one\"; distance:10; within:5; "
1412  "content:\"two\"; within:5;"
1413  "content:\"three\";"
1414  "content:\"four\";"
1415  "sid:1;)");
1416  if (de_ctx->sig_list == NULL) {
1417  result = 0;
1418  goto end;
1419  }
1420 
1421  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1422  result = 0;
1423  goto end;
1424  }
1425  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1426  result = 0;
1427  goto end;
1428  }
1429 
1430  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1431  if (sm->type != DETECT_BYTEJUMP) {
1432  result = 0;
1433  goto end;
1434  }
1435  bd = (DetectBytejumpData *)sm->ctx;
1436  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1437  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1438  bd->flags & DETECT_BYTEJUMP_BIG ||
1439  bd->flags & DETECT_BYTEJUMP_STRING ||
1440  bd->flags & DETECT_BYTEJUMP_RELATIVE ||
1441  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1442  bd->flags & DETECT_BYTEJUMP_DCE ) {
1443  result = 0;
1444  printf("one failed\n");
1445  goto end;
1446  }
1447 
1448  sm = sm->next;
1449  if (sm->type != DETECT_CONTENT) {
1450  result = 0;
1451  goto end;
1452  }
1453  data = (DetectContentData *)sm->ctx;
1454  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1455  data->flags & DETECT_CONTENT_NOCASE ||
1456  !(data->flags & DETECT_CONTENT_WITHIN) ||
1457  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1458  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1459  data->flags & DETECT_CONTENT_NEGATED ) {
1460  result = 0;
1461  printf("one failed\n");
1462  goto end;
1463  }
1464  result &= (strncmp((char *)data->content, "one", 3) == 0);
1465  if (result == 0)
1466  goto end;
1467 
1468  sm = sm->next;
1469  if (sm->type != DETECT_CONTENT) {
1470  result = 0;
1471  goto end;
1472  }
1473  data = (DetectContentData *)sm->ctx;
1474  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1475  data->flags & DETECT_CONTENT_NOCASE ||
1476  !(data->flags & DETECT_CONTENT_WITHIN) ||
1477  data->flags & DETECT_CONTENT_DISTANCE ||
1478  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1479  data->flags & DETECT_CONTENT_NEGATED ) {
1480  result = 0;
1481  printf("two failed\n");
1482  goto end;
1483  }
1484  result &= (strncmp((char *)data->content, "two", 3) == 0);
1485  if (result == 0)
1486  goto end;
1487 
1488  sm = sm->next;
1489  if (sm->type != DETECT_CONTENT) {
1490  result = 0;
1491  goto end;
1492  }
1493  data = (DetectContentData *)sm->ctx;
1494  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1495  data->flags & DETECT_CONTENT_NOCASE ||
1496  data->flags & DETECT_CONTENT_WITHIN ||
1497  data->flags & DETECT_CONTENT_DISTANCE ||
1498  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1499  data->flags & DETECT_CONTENT_NEGATED ) {
1500  printf("three failed\n");
1501  result = 0;
1502  goto end;
1503  }
1504  result &= (strncmp((char *)data->content, "three", 5) == 0);
1505  if (result == 0)
1506  goto end;
1507 
1508  sm = sm->next;
1509  if (sm->type != DETECT_CONTENT) {
1510  result = 0;
1511  goto end;
1512  }
1513  data = (DetectContentData *)sm->ctx;
1514  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1515  data->flags & DETECT_CONTENT_NOCASE ||
1516  data->flags & DETECT_CONTENT_WITHIN ||
1517  data->flags & DETECT_CONTENT_DISTANCE ||
1518  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1519  data->flags & DETECT_CONTENT_NEGATED ) {
1520  printf("four failed\n");
1521  result = 0;
1522  goto end;
1523  }
1524  result &= (strncmp((char *)data->content, "four", 4) == 0);
1525  if (result == 0)
1526  goto end;
1527 
1528  end:
1529  SigGroupCleanup(de_ctx);
1530  SigCleanSignatures(de_ctx);
1531  DetectEngineCtxFree(de_ctx);
1532 
1533  return result;
1534 }
1535 
1536 /**
1537  * \test Test content for dce sig.
1538  */
1539 static int DcePayloadParseTest31(void)
1540 {
1541  DetectEngineCtx *de_ctx = NULL;
1542  int result = 1;
1543  Signature *s = NULL;
1544  SigMatch *sm = NULL;
1545  DetectContentData *data = NULL;
1546  DetectBytejumpData *bd = NULL;
1547 
1548  de_ctx = DetectEngineCtxInit();
1549  if (de_ctx == NULL)
1550  goto end;
1551 
1552  de_ctx->flags |= DE_QUIET;
1553  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1554  "(msg:\"Testing bytejump_body\"; "
1555  "dce_stub_data; "
1556  "byte_jump:2,5,relative; "
1557  "content:\"one\"; distance:10; within:5; "
1558  "content:\"two\"; within:5;"
1559  "pkt_data; "
1560  "content:\"three\";"
1561  "content:\"four\";"
1562  "sid:1;)");
1563  if (de_ctx->sig_list == NULL) {
1564  result = 0;
1565  goto end;
1566  }
1567 
1568  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1569  result = 0;
1570  goto end;
1571  }
1572  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1573  result = 0;
1574  goto end;
1575  }
1576 
1577  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1578  if (sm->type != DETECT_BYTEJUMP) {
1579  result = 0;
1580  goto end;
1581  }
1582  bd = (DetectBytejumpData *)sm->ctx;
1583  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1584  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1585  bd->flags & DETECT_BYTEJUMP_BIG ||
1586  bd->flags & DETECT_BYTEJUMP_STRING ||
1587  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
1588  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1589  bd->flags & DETECT_BYTEJUMP_DCE ) {
1590  result = 0;
1591  printf("one failed\n");
1592  goto end;
1593  }
1594 
1595  sm = sm->next;
1596  if (sm->type != DETECT_CONTENT) {
1597  result = 0;
1598  goto end;
1599  }
1600  data = (DetectContentData *)sm->ctx;
1601  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1602  data->flags & DETECT_CONTENT_NOCASE ||
1603  !(data->flags & DETECT_CONTENT_WITHIN) ||
1604  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1605  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1606  data->flags & DETECT_CONTENT_NEGATED ) {
1607  result = 0;
1608  printf("one failed\n");
1609  goto end;
1610  }
1611  result &= (strncmp((char *)data->content, "one", 3) == 0);
1612  if (result == 0)
1613  goto end;
1614 
1615  sm = sm->next;
1616  if (sm->type != DETECT_CONTENT) {
1617  result = 0;
1618  goto end;
1619  }
1620  data = (DetectContentData *)sm->ctx;
1621  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1622  data->flags & DETECT_CONTENT_NOCASE ||
1623  !(data->flags & DETECT_CONTENT_WITHIN) ||
1624  data->flags & DETECT_CONTENT_DISTANCE ||
1625  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1626  data->flags & DETECT_CONTENT_NEGATED ) {
1627  result = 0;
1628  printf("two failed\n");
1629  goto end;
1630  }
1631  result &= (strncmp((char *)data->content, "two", 3) == 0);
1632  if (result == 0)
1633  goto end;
1634 
1635  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1636  if (sm->type != DETECT_CONTENT) {
1637  result = 0;
1638  goto end;
1639  }
1640  data = (DetectContentData *)sm->ctx;
1641  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1642  data->flags & DETECT_CONTENT_NOCASE ||
1643  data->flags & DETECT_CONTENT_WITHIN ||
1644  data->flags & DETECT_CONTENT_DISTANCE ||
1645  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1646  data->flags & DETECT_CONTENT_NEGATED ) {
1647  printf("three failed\n");
1648  result = 0;
1649  goto end;
1650  }
1651  result &= (strncmp((char *)data->content, "three", 5) == 0);
1652  if (result == 0)
1653  goto end;
1654 
1655  sm = sm->next;
1656  if (sm->type != DETECT_CONTENT) {
1657  result = 0;
1658  goto end;
1659  }
1660  data = (DetectContentData *)sm->ctx;
1661  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1662  data->flags & DETECT_CONTENT_NOCASE ||
1663  data->flags & DETECT_CONTENT_WITHIN ||
1664  data->flags & DETECT_CONTENT_DISTANCE ||
1665  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1666  data->flags & DETECT_CONTENT_NEGATED ) {
1667  printf("four failed\n");
1668  result = 0;
1669  goto end;
1670  }
1671  result &= (strncmp((char *)data->content, "four", 4) == 0);
1672  if (result == 0)
1673  goto end;
1674 
1675  end:
1676  SigGroupCleanup(de_ctx);
1677  SigCleanSignatures(de_ctx);
1678  DetectEngineCtxFree(de_ctx);
1679 
1680  return result;
1681 }
1682 
1683 /**
1684  * \test Test content for dce sig.
1685  */
1686 static int DcePayloadParseTest32(void)
1687 {
1688  DetectEngineCtx *de_ctx = NULL;
1689  int result = 1;
1690  Signature *s = NULL;
1691  SigMatch *sm = NULL;
1692  DetectContentData *data = NULL;
1693  DetectBytejumpData *bd = NULL;
1694 
1695  de_ctx = DetectEngineCtxInit();
1696  if (de_ctx == NULL)
1697  goto end;
1698 
1699  de_ctx->flags |= DE_QUIET;
1700  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1701  "(msg:\"Testing bytejump_body\"; "
1702  "dce_stub_data; "
1703  "byte_jump:2,5,relative; "
1704  "content:\"one\"; distance:10; within:5; "
1705  "content:\"two\"; within:5;"
1706  "pkt_data; "
1707  "content:\"three\";"
1708  "content:\"four\"; within:4; "
1709  "sid:1;)");
1710  if (de_ctx->sig_list == NULL) {
1711  result = 0;
1712  goto end;
1713  }
1714 
1715  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1716  result = 0;
1717  goto end;
1718  }
1719  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1720  result = 0;
1721  goto end;
1722  }
1723 
1724  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1725  if (sm->type != DETECT_BYTEJUMP) {
1726  result = 0;
1727  goto end;
1728  }
1729  bd = (DetectBytejumpData *)sm->ctx;
1730  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1731  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1732  bd->flags & DETECT_BYTEJUMP_BIG ||
1733  bd->flags & DETECT_BYTEJUMP_STRING ||
1734  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
1735  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1736  bd->flags & DETECT_BYTEJUMP_DCE ) {
1737  result = 0;
1738  printf("one failed\n");
1739  goto end;
1740  }
1741 
1742  sm = sm->next;
1743  if (sm->type != DETECT_CONTENT) {
1744  result = 0;
1745  goto end;
1746  }
1747  data = (DetectContentData *)sm->ctx;
1748  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1749  data->flags & DETECT_CONTENT_NOCASE ||
1750  !(data->flags & DETECT_CONTENT_WITHIN) ||
1751  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1752  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1753  data->flags & DETECT_CONTENT_NEGATED ) {
1754  result = 0;
1755  printf("one failed\n");
1756  goto end;
1757  }
1758  result &= (strncmp((char *)data->content, "one", 3) == 0);
1759  if (result == 0)
1760  goto end;
1761 
1762  sm = sm->next;
1763  if (sm->type != DETECT_CONTENT) {
1764  result = 0;
1765  goto end;
1766  }
1767  data = (DetectContentData *)sm->ctx;
1768  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1769  data->flags & DETECT_CONTENT_NOCASE ||
1770  !(data->flags & DETECT_CONTENT_WITHIN) ||
1771  data->flags & DETECT_CONTENT_DISTANCE ||
1772  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1773  data->flags & DETECT_CONTENT_NEGATED ) {
1774  result = 0;
1775  printf("two failed\n");
1776  goto end;
1777  }
1778  result &= (strncmp((char *)data->content, "two", 3) == 0);
1779  if (result == 0)
1780  goto end;
1781 
1782  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1783  if (sm->type != DETECT_CONTENT) {
1784  result = 0;
1785  goto end;
1786  }
1787  data = (DetectContentData *)sm->ctx;
1788  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1789  data->flags & DETECT_CONTENT_NOCASE ||
1790  data->flags & DETECT_CONTENT_WITHIN ||
1791  data->flags & DETECT_CONTENT_DISTANCE ||
1792  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1793  data->flags & DETECT_CONTENT_NEGATED ) {
1794  printf("three failed\n");
1795  result = 0;
1796  goto end;
1797  }
1798  result &= (strncmp((char *)data->content, "three", 5) == 0);
1799  if (result == 0)
1800  goto end;
1801 
1802  sm = sm->next;
1803  if (sm->type != DETECT_CONTENT) {
1804  result = 0;
1805  goto end;
1806  }
1807  data = (DetectContentData *)sm->ctx;
1808  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1809  data->flags & DETECT_CONTENT_NOCASE ||
1810  !(data->flags & DETECT_CONTENT_WITHIN) ||
1811  data->flags & DETECT_CONTENT_DISTANCE ||
1812  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1813  data->flags & DETECT_CONTENT_NEGATED ) {
1814  printf("four failed\n");
1815  result = 0;
1816  goto end;
1817  }
1818  result &= (strncmp((char *)data->content, "four", 4) == 0);
1819  if (result == 0)
1820  goto end;
1821 
1822  end:
1823  SigGroupCleanup(de_ctx);
1824  SigCleanSignatures(de_ctx);
1825  DetectEngineCtxFree(de_ctx);
1826 
1827  return result;
1828 }
1829 
1830 /**
1831  * \test Test content for dce sig.
1832  */
1833 static int DcePayloadParseTest33(void)
1834 {
1835  DetectEngineCtx *de_ctx = NULL;
1836  int result = 1;
1837  Signature *s = NULL;
1838  SigMatch *sm = NULL;
1839  DetectContentData *data = NULL;
1840  DetectPcreData *pd = NULL;
1841 
1842  de_ctx = DetectEngineCtxInit();
1843  if (de_ctx == NULL)
1844  goto end;
1845 
1846  de_ctx->flags |= DE_QUIET;
1847  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1848  "(msg:\"Testing bytejump_body\"; "
1849  "dce_stub_data; "
1850  "pcre:/boom/R; "
1851  "content:\"one\"; distance:10; within:5; "
1852  "content:\"two\"; within:5;"
1853  "pkt_data; "
1854  "content:\"three\";"
1855  "content:\"four\"; distance:5;"
1856  "sid:1;)");
1857  if (de_ctx->sig_list == NULL) {
1858  result = 0;
1859  goto end;
1860  }
1861 
1862  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1863  result = 0;
1864  goto end;
1865  }
1866  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1867  result = 0;
1868  goto end;
1869  }
1870 
1871  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1872  if (sm->type != DETECT_PCRE) {
1873  result = 0;
1874  goto end;
1875  }
1876  pd = (DetectPcreData *)sm->ctx;
1877  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
1878  !(pd->flags & DETECT_PCRE_RELATIVE)) {
1879  result = 0;
1880  printf("one failed\n");
1881  goto end;
1882  }
1883 
1884  sm = sm->next;
1885  if (sm->type != DETECT_CONTENT) {
1886  result = 0;
1887  goto end;
1888  }
1889  data = (DetectContentData *)sm->ctx;
1890  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1891  data->flags & DETECT_CONTENT_NOCASE ||
1892  !(data->flags & DETECT_CONTENT_WITHIN) ||
1893  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1894  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1895  data->flags & DETECT_CONTENT_NEGATED ) {
1896  result = 0;
1897  printf("one failed\n");
1898  goto end;
1899  }
1900  result &= (strncmp((char *)data->content, "one", 3) == 0);
1901  if (result == 0)
1902  goto end;
1903 
1904  sm = sm->next;
1905  if (sm->type != DETECT_CONTENT) {
1906  result = 0;
1907  goto end;
1908  }
1909  data = (DetectContentData *)sm->ctx;
1910  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1911  data->flags & DETECT_CONTENT_NOCASE ||
1912  !(data->flags & DETECT_CONTENT_WITHIN) ||
1913  data->flags & DETECT_CONTENT_DISTANCE ||
1914  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1915  data->flags & DETECT_CONTENT_NEGATED ) {
1916  result = 0;
1917  printf("two failed\n");
1918  goto end;
1919  }
1920  result &= (strncmp((char *)data->content, "two", 3) == 0);
1921  if (result == 0)
1922  goto end;
1923 
1924  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1925  if (sm->type != DETECT_CONTENT) {
1926  result = 0;
1927  goto end;
1928  }
1929  data = (DetectContentData *)sm->ctx;
1930  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1931  data->flags & DETECT_CONTENT_NOCASE ||
1932  data->flags & DETECT_CONTENT_WITHIN ||
1933  data->flags & DETECT_CONTENT_DISTANCE ||
1934  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1935  data->flags & DETECT_CONTENT_NEGATED ) {
1936  printf("three failed\n");
1937  result = 0;
1938  goto end;
1939  }
1940  result &= (strncmp((char *)data->content, "three", 5) == 0);
1941  if (result == 0)
1942  goto end;
1943 
1944  sm = sm->next;
1945  if (sm->type != DETECT_CONTENT) {
1946  result = 0;
1947  goto end;
1948  }
1949  data = (DetectContentData *)sm->ctx;
1950  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1951  data->flags & DETECT_CONTENT_NOCASE ||
1952  data->flags & DETECT_CONTENT_WITHIN ||
1953  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1954  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1955  data->flags & DETECT_CONTENT_NEGATED ) {
1956  printf("four failed\n");
1957  result = 0;
1958  goto end;
1959  }
1960  result &= (strncmp((char *)data->content, "four", 4) == 0);
1961  if (result == 0)
1962  goto end;
1963 
1964  end:
1965  SigGroupCleanup(de_ctx);
1966  SigCleanSignatures(de_ctx);
1967  DetectEngineCtxFree(de_ctx);
1968 
1969  return result;
1970 }
1971 
1972 /**
1973  * \test Test content for dce sig.
1974  */
1975 static int DcePayloadParseTest34(void)
1976 {
1977  DetectEngineCtx *de_ctx = NULL;
1978  int result = 1;
1979  Signature *s = NULL;
1980  SigMatch *sm = NULL;
1981  DetectContentData *data = NULL;
1982  DetectPcreData *pd = NULL;
1983  DetectBytejumpData *bd = NULL;
1984 
1985  de_ctx = DetectEngineCtxInit();
1986  if (de_ctx == NULL)
1987  goto end;
1988 
1989  de_ctx->flags |= DE_QUIET;
1990  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1991  "(msg:\"Testing bytejump_body\"; "
1992  "dce_iface:12345678-1234-1234-1234-123456789012; "
1993  "dce_opnum:10; dce_stub_data; "
1994  "pcre:/boom/R; "
1995  "byte_jump:1,2,relative,align,dce; "
1996  "content:\"one\"; within:4; distance:8; "
1997  "pkt_data; "
1998  "content:\"two\"; "
1999  "sid:1;)");
2000  if (de_ctx->sig_list == NULL) {
2001  result = 0;
2002  goto end;
2003  }
2004 
2005  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2006  result = 0;
2007  goto end;
2008  }
2009  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2010  result = 0;
2011  goto end;
2012  }
2013 
2014  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2015  if (sm->type != DETECT_PCRE) {
2016  result = 0;
2017  goto end;
2018  }
2019  pd = (DetectPcreData *)sm->ctx;
2020  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2021  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2022  result = 0;
2023  goto end;
2024  }
2025 
2026  sm = sm->next;
2027  if (sm->type != DETECT_BYTEJUMP) {
2028  result = 0;
2029  goto end;
2030  }
2031  bd = (DetectBytejumpData *)sm->ctx;
2032  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
2033  bd->flags & DETECT_BYTEJUMP_LITTLE ||
2034  bd->flags & DETECT_BYTEJUMP_BIG ||
2035  bd->flags & DETECT_BYTEJUMP_STRING ||
2036  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2037  !(bd->flags & DETECT_BYTEJUMP_ALIGN) ||
2038  !(bd->flags & DETECT_BYTEJUMP_DCE) ) {
2039  result = 0;
2040  printf("one failed\n");
2041  goto end;
2042  }
2043 
2044  sm = sm->next;
2045  if (sm->type != DETECT_CONTENT) {
2046  result = 0;
2047  goto end;
2048  }
2049  data = (DetectContentData *)sm->ctx;
2050  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2051  data->flags & DETECT_CONTENT_NOCASE ||
2052  !(data->flags & DETECT_CONTENT_WITHIN) ||
2053  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2054  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2055  data->flags & DETECT_CONTENT_NEGATED ) {
2056  result = 0;
2057  printf("two failed\n");
2058  goto end;
2059  }
2060  result &= (strncmp((char *)data->content, "one", 3) == 0);
2061  if (result == 0)
2062  goto end;
2063 
2064  result &= (sm->next == NULL);
2065 
2066  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2067  if (sm->type != DETECT_CONTENT) {
2068  result = 0;
2069  goto end;
2070  }
2071  data = (DetectContentData *)sm->ctx;
2072  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2073  data->flags & DETECT_CONTENT_NOCASE ||
2074  data->flags & DETECT_CONTENT_WITHIN ||
2075  data->flags & DETECT_CONTENT_DISTANCE ||
2076  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2077  data->flags & DETECT_CONTENT_NEGATED ) {
2078  printf("three failed\n");
2079  result = 0;
2080  goto end;
2081  }
2082  result &= (strncmp((char *)data->content, "two", 3) == 0);
2083  if (result == 0)
2084  goto end;
2085 
2086  result &= (sm->next == NULL);
2087 
2088  end:
2089  SigGroupCleanup(de_ctx);
2090  SigCleanSignatures(de_ctx);
2091  DetectEngineCtxFree(de_ctx);
2092 
2093  return result;
2094 }
2095 
2096 /**
2097  * \test Test content for dce sig.
2098  */
2099 static int DcePayloadParseTest35(void)
2100 {
2101  DetectEngineCtx *de_ctx = NULL;
2102  int result = 1;
2103  Signature *s = NULL;
2104  SigMatch *sm = NULL;
2105  DetectContentData *data = NULL;
2106  DetectBytetestData *bd = NULL;
2107 
2108  de_ctx = DetectEngineCtxInit();
2109  if (de_ctx == NULL)
2110  goto end;
2111 
2112  de_ctx->flags |= DE_QUIET;
2113  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2114  "(msg:\"Testing bytejump_body\"; "
2115  "dce_iface:12345678-1234-1234-1234-123456789012; "
2116  "dce_opnum:10; dce_stub_data; "
2117  "byte_test:1,=,0,0,relative,dce; "
2118  "pkt_data; "
2119  "content:\"one\"; "
2120  "sid:1;)");
2121  if (de_ctx->sig_list == NULL) {
2122  result = 0;
2123  goto end;
2124  }
2125 
2126  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2127  result = 0;
2128  goto end;
2129  }
2130  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2131  result = 0;
2132  goto end;
2133  }
2134 
2135  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2136  if (sm->type != DETECT_BYTETEST) {
2137  result = 0;
2138  goto end;
2139  }
2140  bd = (DetectBytetestData *)sm->ctx;
2141  if (bd->flags & DETECT_BYTETEST_LITTLE ||
2142  bd->flags & DETECT_BYTETEST_BIG ||
2143  bd->flags & DETECT_BYTETEST_STRING ||
2144  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2145  !(bd->flags & DETECT_BYTETEST_DCE) ) {
2146  result = 0;
2147  printf("one failed\n");
2148  goto end;
2149  }
2150 
2151  result &= (sm->next == NULL);
2152 
2153  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2154  if (sm->type != DETECT_CONTENT) {
2155  result = 0;
2156  goto end;
2157  }
2158  data = (DetectContentData *)sm->ctx;
2159  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2160  data->flags & DETECT_CONTENT_NOCASE ||
2161  data->flags & DETECT_CONTENT_WITHIN ||
2162  data->flags & DETECT_CONTENT_DISTANCE ||
2163  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2164  data->flags & DETECT_CONTENT_NEGATED ) {
2165  result = 0;
2166  printf("two failed\n");
2167  goto end;
2168  }
2169  result &= (strncmp((char *)data->content, "one", 3) == 0);
2170  if (result == 0)
2171  goto end;
2172 
2173  result &= (sm->next == NULL);
2174 
2175  end:
2176  SigGroupCleanup(de_ctx);
2177  SigCleanSignatures(de_ctx);
2178  DetectEngineCtxFree(de_ctx);
2179 
2180  return result;
2181 }
2182 
2183 /**
2184  * \test Test content for dce sig.
2185  */
2186 static int DcePayloadParseTest36(void)
2187 {
2188  DetectEngineCtx *de_ctx = NULL;
2189  int result = 1;
2190  Signature *s = NULL;
2191  SigMatch *sm = NULL;
2192  DetectContentData *data = NULL;
2193  DetectIsdataatData *isd = NULL;
2194 
2195  de_ctx = DetectEngineCtxInit();
2196  if (de_ctx == NULL)
2197  goto end;
2198 
2199  de_ctx->flags |= DE_QUIET;
2200  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2201  "(msg:\"Testing bytejump_body\"; "
2202  "dce_iface:12345678-1234-1234-1234-123456789012; "
2203  "dce_opnum:10; dce_stub_data; "
2204  "isdataat:10,relative; "
2205  "content:\"one\"; within:4; distance:8; "
2206  "pkt_data; "
2207  "content:\"two\"; "
2208  "sid:1;)");
2209  if (de_ctx->sig_list == NULL) {
2210  result = 0;
2211  goto end;
2212  }
2213 
2214  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2215  result = 0;
2216  goto end;
2217  }
2218  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2219  result = 0;
2220  goto end;
2221  }
2222 
2223  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2224  if (sm->type != DETECT_ISDATAAT) {
2225  result = 0;
2226  goto end;
2227  }
2228  isd = (DetectIsdataatData *)sm->ctx;
2229  if ( isd->flags & ISDATAAT_RAWBYTES ||
2230  !(isd->flags & ISDATAAT_RELATIVE)) {
2231  result = 0;
2232  goto end;
2233  }
2234 
2235  sm = sm->next;
2236  if (sm->type != DETECT_CONTENT) {
2237  result = 0;
2238  goto end;
2239  }
2240  data = (DetectContentData *)sm->ctx;
2241  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2242  data->flags & DETECT_CONTENT_NOCASE ||
2243  !(data->flags & DETECT_CONTENT_WITHIN) ||
2244  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2245  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2246  data->flags & DETECT_CONTENT_NEGATED ) {
2247  result = 0;
2248  printf("two failed\n");
2249  goto end;
2250  }
2251  result &= (strncmp((char *)data->content, "one", 3) == 0);
2252  if (result == 0)
2253  goto end;
2254 
2255  result &= (sm->next == NULL);
2256 
2257  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2258  if (sm->type != DETECT_CONTENT) {
2259  result = 0;
2260  goto end;
2261  }
2262  data = (DetectContentData *)sm->ctx;
2263  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2264  data->flags & DETECT_CONTENT_NOCASE ||
2265  data->flags & DETECT_CONTENT_WITHIN ||
2266  data->flags & DETECT_CONTENT_DISTANCE ||
2267  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2268  data->flags & DETECT_CONTENT_NEGATED ) {
2269  printf("three failed\n");
2270  result = 0;
2271  goto end;
2272  }
2273  result &= (strncmp((char *)data->content, "two", 3) == 0);
2274  if (result == 0)
2275  goto end;
2276 
2277  result &= (sm->next == NULL);
2278 
2279  end:
2280  SigGroupCleanup(de_ctx);
2281  SigCleanSignatures(de_ctx);
2282  DetectEngineCtxFree(de_ctx);
2283 
2284  return result;
2285 }
2286 
2287 /**
2288  * \test Test content for dce sig.
2289  */
2290 static int DcePayloadParseTest37(void)
2291 {
2292  DetectEngineCtx *de_ctx = NULL;
2293  int result = 1;
2294  Signature *s = NULL;
2295  SigMatch *sm = NULL;
2296  DetectContentData *data = NULL;
2297  DetectBytejumpData *bjd = NULL;
2298  DetectBytetestData *btd = NULL;
2299 
2300  de_ctx = DetectEngineCtxInit();
2301  if (de_ctx == NULL)
2302  goto end;
2303 
2304  de_ctx->flags |= DE_QUIET;
2305  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2306  "(msg:\"Testing bytejump_body\"; "
2307  "dce_iface:12345678-1234-1234-1234-123456789012; "
2308  "dce_opnum:10; dce_stub_data; "
2309  "byte_jump:1,2,relative,align,dce; "
2310  "byte_test:1,=,2,0,relative,dce; "
2311  "pkt_data; "
2312  "content:\"one\"; "
2313  "sid:1;)");
2314  if (de_ctx->sig_list == NULL) {
2315  result = 0;
2316  goto end;
2317  }
2318 
2319  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2320  result = 0;
2321  goto end;
2322  }
2323  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2324  result = 0;
2325  goto end;
2326  }
2327 
2328  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2329  if (sm->type != DETECT_BYTEJUMP) {
2330  result = 0;
2331  goto end;
2332  }
2333  bjd = (DetectBytejumpData *)sm->ctx;
2334  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2335  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2336  bjd->flags & DETECT_BYTEJUMP_BIG ||
2337  bjd->flags & DETECT_BYTEJUMP_STRING ||
2338  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2339  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
2340  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
2341  result = 0;
2342  printf("one failed\n");
2343  goto end;
2344  }
2345 
2346  sm = sm->next;
2347  if (sm->type != DETECT_BYTETEST) {
2348  result = 0;
2349  goto end;
2350  }
2351  btd = (DetectBytetestData *)sm->ctx;
2352  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2353  btd->flags & DETECT_BYTETEST_BIG ||
2354  btd->flags & DETECT_BYTETEST_STRING ||
2355  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2356  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2357  result = 0;
2358  printf("one failed\n");
2359  goto end;
2360  }
2361 
2362  result &= (sm->next == NULL);
2363 
2364  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2365  if (sm->type != DETECT_CONTENT) {
2366  result = 0;
2367  goto end;
2368  }
2369  data = (DetectContentData *)sm->ctx;
2370  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2371  data->flags & DETECT_CONTENT_NOCASE ||
2372  data->flags & DETECT_CONTENT_WITHIN ||
2373  data->flags & DETECT_CONTENT_DISTANCE ||
2374  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2375  data->flags & DETECT_CONTENT_NEGATED ) {
2376  printf("three failed\n");
2377  result = 0;
2378  goto end;
2379  }
2380  result &= (strncmp((char *)data->content, "one", 3) == 0);
2381  if (result == 0)
2382  goto end;
2383 
2384  result &= (sm->next == NULL);
2385 
2386  end:
2387  SigGroupCleanup(de_ctx);
2388  SigCleanSignatures(de_ctx);
2389  DetectEngineCtxFree(de_ctx);
2390 
2391  return result;
2392 }
2393 
2394 /**
2395  * \test Test content for dce sig.
2396  */
2397 static int DcePayloadParseTest38(void)
2398 {
2399  DetectEngineCtx *de_ctx = NULL;
2400  int result = 1;
2401  Signature *s = NULL;
2402  SigMatch *sm = NULL;
2403  DetectContentData *data = NULL;
2404  DetectPcreData *pd = NULL;
2405  DetectBytejumpData *bjd = NULL;
2406  DetectBytetestData *btd = NULL;
2407 
2408  de_ctx = DetectEngineCtxInit();
2409  if (de_ctx == NULL)
2410  goto end;
2411 
2412  de_ctx->flags |= DE_QUIET;
2413  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2414  "(msg:\"Testing bytejump_body\"; "
2415  "dce_iface:12345678-1234-1234-1234-123456789012; "
2416  "dce_opnum:10; dce_stub_data; "
2417  "pcre:/boom/R; "
2418  "byte_jump:1,2,relative,align,dce; "
2419  "byte_test:1,=,2,0,relative,dce; "
2420  "pkt_data; "
2421  "content:\"one\"; "
2422  "sid:1;)");
2423  if (de_ctx->sig_list == NULL) {
2424  result = 0;
2425  goto end;
2426  }
2427 
2428  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2429  result = 0;
2430  goto end;
2431  }
2432  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2433  result = 0;
2434  goto end;
2435  }
2436 
2437  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2438  if (sm->type != DETECT_PCRE) {
2439  result = 0;
2440  goto end;
2441  }
2442  pd = (DetectPcreData *)sm->ctx;
2443  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2444  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2445  result = 0;
2446  printf("one failed\n");
2447  goto end;
2448  }
2449 
2450  sm = sm->next;
2451  if (sm->type != DETECT_BYTEJUMP) {
2452  result = 0;
2453  goto end;
2454  }
2455  bjd = (DetectBytejumpData *)sm->ctx;
2456  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2457  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2458  bjd->flags & DETECT_BYTEJUMP_BIG ||
2459  bjd->flags & DETECT_BYTEJUMP_STRING ||
2460  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2461  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
2462  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
2463  result = 0;
2464  printf("one failed\n");
2465  goto end;
2466  }
2467 
2468  sm = sm->next;
2469  if (sm->type != DETECT_BYTETEST) {
2470  result = 0;
2471  goto end;
2472  }
2473  btd = (DetectBytetestData *)sm->ctx;
2474  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2475  btd->flags & DETECT_BYTETEST_BIG ||
2476  btd->flags & DETECT_BYTETEST_STRING ||
2477  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2478  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2479  result = 0;
2480  printf("one failed\n");
2481  goto end;
2482  }
2483 
2484  result &= (sm->next == NULL);
2485 
2486  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2487  if (sm->type != DETECT_CONTENT) {
2488  result = 0;
2489  goto end;
2490  }
2491  data = (DetectContentData *)sm->ctx;
2492  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2493  data->flags & DETECT_CONTENT_NOCASE ||
2494  data->flags & DETECT_CONTENT_WITHIN ||
2495  data->flags & DETECT_CONTENT_DISTANCE ||
2496  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2497  data->flags & DETECT_CONTENT_NEGATED ) {
2498  printf("three failed\n");
2499  result = 0;
2500  goto end;
2501  }
2502  result &= (strncmp((char *)data->content, "one", 3) == 0);
2503  if (result == 0)
2504  goto end;
2505 
2506  result &= (sm->next == NULL);
2507 
2508  end:
2509  SigGroupCleanup(de_ctx);
2510  SigCleanSignatures(de_ctx);
2511  DetectEngineCtxFree(de_ctx);
2512 
2513  return result;
2514 }
2515 
2516 /**
2517  * \test Test content for dce sig.
2518  */
2519 static int DcePayloadParseTest39(void)
2520 {
2521  DetectEngineCtx *de_ctx = NULL;
2522  int result = 1;
2523  Signature *s = NULL;
2524  SigMatch *sm = NULL;
2525  DetectContentData *data = NULL;
2526 
2527  de_ctx = DetectEngineCtxInit();
2528  if (de_ctx == NULL)
2529  goto end;
2530 
2531  de_ctx->flags |= DE_QUIET;
2532  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2533  "(msg:\"Testing bytejump_body\"; "
2534  "content:\"one\"; "
2535  "dce_iface:12345678-1234-1234-1234-123456789012; "
2536  "dce_opnum:10; dce_stub_data; "
2537  "content:\"two\"; within:4; distance:8; "
2538  "sid:1;)");
2539  if (de_ctx->sig_list == NULL) {
2540  result = 0;
2541  goto end;
2542  }
2543 
2544  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2545  result = 0;
2546  goto end;
2547  }
2548  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2549  result = 0;
2550  goto end;
2551  }
2552 
2553  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2554  if (sm->type != DETECT_CONTENT) {
2555  result = 0;
2556  goto end;
2557  }
2558  data = (DetectContentData *)sm->ctx;
2559  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2560  data->flags & DETECT_CONTENT_NOCASE ||
2561  data->flags & DETECT_CONTENT_WITHIN ||
2562  data->flags & DETECT_CONTENT_DISTANCE ||
2563  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2564  data->flags & DETECT_CONTENT_NEGATED ) {
2565  printf("three failed\n");
2566  result = 0;
2567  goto end;
2568  }
2569  result &= (strncmp((char *)data->content, "one", 3) == 0);
2570  if (result == 0)
2571  goto end;
2572 
2573  result &= (sm->next == NULL);
2574 
2575  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2576  data = (DetectContentData *)sm->ctx;
2577  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2578  data->flags & DETECT_CONTENT_NOCASE ||
2579  !(data->flags & DETECT_CONTENT_WITHIN) ||
2580  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2581  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2582  data->flags & DETECT_CONTENT_NEGATED ) {
2583  printf("three failed\n");
2584  result = 0;
2585  goto end;
2586  }
2587  result &= (strncmp((char *)data->content, "two", 3) == 0);
2588  if (result == 0)
2589  goto end;
2590 
2591  result &= (sm->next == NULL);
2592 
2593  end:
2594  SigGroupCleanup(de_ctx);
2595  SigCleanSignatures(de_ctx);
2596  DetectEngineCtxFree(de_ctx);
2597 
2598  return result;
2599 }
2600 
2601 /**
2602  * \test Test content for dce sig.
2603  */
2604 static int DcePayloadParseTest40(void)
2605 {
2606  DetectEngineCtx *de_ctx = NULL;
2607  int result = 1;
2608  Signature *s = NULL;
2609  SigMatch *sm = NULL;
2610  DetectContentData *data = NULL;
2611  DetectBytetestData *btd = NULL;
2612 
2613  de_ctx = DetectEngineCtxInit();
2614  if (de_ctx == NULL)
2615  goto end;
2616 
2617  de_ctx->flags |= DE_QUIET;
2618  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2619  "(msg:\"Testing bytejump_body\"; "
2620  "dce_iface:12345678-1234-1234-1234-123456789012; "
2621  "dce_opnum:10; dce_stub_data; "
2622  "content:\"one\"; within:10; "
2623  "content:\"two\"; distance:20; within:30; "
2624  "byte_test:1,=,2,0,relative,dce; "
2625  "pkt_data; "
2626  "content:\"three\"; "
2627  "sid:1;)");
2628  if (de_ctx->sig_list == NULL) {
2629  result = 0;
2630  goto end;
2631  }
2632 
2633  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2634  result = 0;
2635  goto end;
2636  }
2637  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2638  result = 0;
2639  goto end;
2640  }
2641 
2642  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2643  if (sm->type != DETECT_CONTENT) {
2644  result = 0;
2645  goto end;
2646  }
2647  data = (DetectContentData *)sm->ctx;
2648  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2649  data->flags & DETECT_CONTENT_NOCASE ||
2650  !(data->flags & DETECT_CONTENT_WITHIN) ||
2651  data->flags & DETECT_CONTENT_DISTANCE ||
2652  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2653  data->flags & DETECT_CONTENT_NEGATED ) {
2654  printf("three failed\n");
2655  result = 0;
2656  goto end;
2657  }
2658  result &= (strncmp((char *)data->content, "one", 3) == 0);
2659  if (result == 0)
2660  goto end;
2661 
2662 
2663  sm = sm->next;
2664  if (sm->type != DETECT_CONTENT) {
2665  result = 0;
2666  goto end;
2667  }
2668  data = (DetectContentData *)sm->ctx;
2669  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2670  data->flags & DETECT_CONTENT_NOCASE ||
2671  !(data->flags & DETECT_CONTENT_WITHIN) ||
2672  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2673  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2674  data->flags & DETECT_CONTENT_NEGATED ) {
2675  printf("three failed\n");
2676  result = 0;
2677  goto end;
2678  }
2679  result &= (strncmp((char *)data->content, "two", 3) == 0);
2680  if (result == 0)
2681  goto end;
2682 
2683  sm = sm->next;
2684  if (sm->type != DETECT_BYTETEST) {
2685  result = 0;
2686  goto end;
2687  }
2688  btd = (DetectBytetestData *)sm->ctx;
2689  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2690  btd->flags & DETECT_BYTETEST_BIG ||
2691  btd->flags & DETECT_BYTETEST_STRING ||
2692  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2693  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2694  result = 0;
2695  printf("one failed\n");
2696  goto end;
2697  }
2698 
2699  result &= (sm->next == NULL);
2700 
2701  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2702  if (sm->type != DETECT_CONTENT) {
2703  result = 0;
2704  goto end;
2705  }
2706  data = (DetectContentData *)sm->ctx;
2707  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2708  data->flags & DETECT_CONTENT_NOCASE ||
2709  data->flags & DETECT_CONTENT_WITHIN ||
2710  data->flags & DETECT_CONTENT_DISTANCE ||
2711  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2712  data->flags & DETECT_CONTENT_NEGATED ) {
2713  printf("three failed\n");
2714  result = 0;
2715  goto end;
2716  }
2717  result &= (strncmp((char *)data->content, "three", 5) == 0);
2718  if (result == 0)
2719  goto end;
2720 
2721  result &= (sm->next == NULL);
2722 
2723  end:
2724  SigGroupCleanup(de_ctx);
2725  SigCleanSignatures(de_ctx);
2726  DetectEngineCtxFree(de_ctx);
2727 
2728  return result;
2729 }
2730 
2731 /**
2732  * \test Test content for dce sig.
2733  */
2734 static int DcePayloadParseTest41(void)
2735 {
2736  DetectEngineCtx *de_ctx = NULL;
2737  int result = 1;
2738  Signature *s = NULL;
2739  SigMatch *sm = NULL;
2740  DetectContentData *data = NULL;
2741  DetectBytetestData *btd = NULL;
2742 
2743  de_ctx = DetectEngineCtxInit();
2744  if (de_ctx == NULL)
2745  goto end;
2746 
2747  de_ctx->flags |= DE_QUIET;
2748  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2749  "(msg:\"Testing bytejump_body\"; "
2750  "dce_iface:12345678-1234-1234-1234-123456789012; "
2751  "dce_opnum:10; dce_stub_data; "
2752  "content:\"one\"; within:10; "
2753  "pkt_data; "
2754  "content:\"two\"; "
2755  "byte_test:1,=,2,0,relative,dce; "
2756  "content:\"three\"; "
2757  "sid:1;)");
2758  if (de_ctx->sig_list == NULL) {
2759  result = 0;
2760  goto end;
2761  }
2762 
2763  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2764  result = 0;
2765  goto end;
2766  }
2767  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2768  result = 0;
2769  goto end;
2770  }
2771 
2772  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2773  if (sm->type != DETECT_CONTENT) {
2774  result = 0;
2775  goto end;
2776  }
2777  data = (DetectContentData *)sm->ctx;
2778  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2779  data->flags & DETECT_CONTENT_NOCASE ||
2780  !(data->flags & DETECT_CONTENT_WITHIN) ||
2781  data->flags & DETECT_CONTENT_DISTANCE ||
2782  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2783  data->flags & DETECT_CONTENT_NEGATED ) {
2784  printf("three failed\n");
2785  result = 0;
2786  goto end;
2787  }
2788  result &= (strncmp((char *)data->content, "one", 3) == 0);
2789  if (result == 0)
2790  goto end;
2791 
2792  result &= (sm->next == NULL);
2793 
2794  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2795  if (sm->type != DETECT_CONTENT) {
2796  result = 0;
2797  goto end;
2798  }
2799  data = (DetectContentData *)sm->ctx;
2800  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2801  data->flags & DETECT_CONTENT_NOCASE ||
2802  data->flags & DETECT_CONTENT_WITHIN ||
2803  data->flags & DETECT_CONTENT_DISTANCE ||
2804  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2805  data->flags & DETECT_CONTENT_NEGATED ) {
2806  printf("three failed\n");
2807  result = 0;
2808  goto end;
2809  }
2810  result &= (strncmp((char *)data->content, "two", 3) == 0);
2811  if (result == 0)
2812  goto end;
2813 
2814  sm = sm->next;
2815  if (sm->type != DETECT_BYTETEST) {
2816  result = 0;
2817  goto end;
2818  }
2819  btd = (DetectBytetestData *)sm->ctx;
2820  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2821  btd->flags & DETECT_BYTETEST_BIG ||
2822  btd->flags & DETECT_BYTETEST_STRING ||
2823  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2824  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2825  result = 0;
2826  printf("one failed\n");
2827  goto end;
2828  }
2829 
2830  sm = sm->next;
2831  if (sm->type != DETECT_CONTENT) {
2832  result = 0;
2833  goto end;
2834  }
2835  data = (DetectContentData *)sm->ctx;
2836  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2837  data->flags & DETECT_CONTENT_NOCASE ||
2838  data->flags & DETECT_CONTENT_WITHIN ||
2839  data->flags & DETECT_CONTENT_DISTANCE ||
2840  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2841  data->flags & DETECT_CONTENT_NEGATED ) {
2842  printf("three failed\n");
2843  result = 0;
2844  goto end;
2845  }
2846  result &= (strncmp((char *)data->content, "three", 5) == 0);
2847  if (result == 0)
2848  goto end;
2849 
2850  result &= (sm->next == NULL);
2851 
2852  end:
2853  SigGroupCleanup(de_ctx);
2854  SigCleanSignatures(de_ctx);
2855  DetectEngineCtxFree(de_ctx);
2856 
2857  return result;
2858 }
2859 
2860 /**
2861  * \test Test content for dce sig.
2862  */
2863 static int DcePayloadParseTest44(void)
2864 {
2865  DetectEngineCtx *de_ctx = NULL;
2866  Signature *s = NULL;
2867  SigMatch *sm = NULL;
2868  DetectContentData *data = NULL;
2869  DetectIsdataatData *isd = NULL;
2870 
2871  de_ctx = DetectEngineCtxInit();
2872  FAIL_IF_NULL(de_ctx);
2873  de_ctx->flags |= DE_QUIET;
2874 
2875  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
2876  "content:\"one\"; "
2877  "dce_iface:12345678-1234-1234-1234-123456789012; "
2878  "dce_opnum:10; dce_stub_data; "
2879  "isdataat:10,relative; "
2880  "content:\"one\"; within:4; distance:8; "
2881  "pkt_data; "
2882  "content:\"two\"; "
2883  "sid:1;)");
2884  FAIL_IF_NULL(s);
2885 
2886  FAIL_IF_NULL(s->init_data->smlists_tail[g_dce_stub_data_buffer_id]);
2887  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
2888 
2889  /* isdataat:10,relative; */
2890  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2891  FAIL_IF(sm->type != DETECT_ISDATAAT);
2892  isd = (DetectIsdataatData *)sm->ctx;
2893  FAIL_IF(isd->flags & ISDATAAT_RAWBYTES);
2894  FAIL_IF_NOT(isd->flags & ISDATAAT_RELATIVE);
2895  FAIL_IF_NULL(sm->next);
2896 
2897  sm = sm->next;
2898 
2899  /* content:\"one\"; within:4; distance:8; */
2900  FAIL_IF(sm->type != DETECT_CONTENT);
2901  data = (DetectContentData *)sm->ctx;
2902  FAIL_IF (data->flags & DETECT_CONTENT_RAWBYTES ||
2903  data->flags & DETECT_CONTENT_NOCASE ||
2904  !(data->flags & DETECT_CONTENT_WITHIN) ||
2905  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2906  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2907  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2908  data->flags & DETECT_CONTENT_NEGATED );
2909 
2910  FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
2911  FAIL_IF_NOT(sm->next == NULL);
2912 
2913  /* first content:\"one\"; */
2914  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2915  FAIL_IF(sm->type != DETECT_CONTENT);
2916  data = (DetectContentData *)sm->ctx;
2917  FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES);
2918  FAIL_IF(data->flags & DETECT_CONTENT_NOCASE);
2919  FAIL_IF(data->flags & DETECT_CONTENT_WITHIN);
2920  FAIL_IF(data->flags & DETECT_CONTENT_DISTANCE);
2921  FAIL_IF(data->flags & DETECT_CONTENT_FAST_PATTERN);
2922  FAIL_IF(data->flags & DETECT_CONTENT_RELATIVE_NEXT);
2923  FAIL_IF(data->flags & DETECT_CONTENT_NEGATED );
2924  FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
2925 
2926  FAIL_IF_NULL(sm->next);
2927  sm = sm->next;
2928 
2929  FAIL_IF(sm->type != DETECT_CONTENT);
2930 
2931  data = (DetectContentData *)sm->ctx;
2932  FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES ||
2933  data->flags & DETECT_CONTENT_NOCASE ||
2934  data->flags & DETECT_CONTENT_WITHIN ||
2935  data->flags & DETECT_CONTENT_DISTANCE ||
2936  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2937  data->flags & DETECT_CONTENT_NEGATED );
2938 
2939  FAIL_IF_NOT(strncmp((char *)data->content, "two", 3) == 0);
2940 
2941  FAIL_IF_NOT(sm->next == NULL);
2942 
2943  SigGroupCleanup(de_ctx);
2944  SigCleanSignatures(de_ctx);
2945  DetectEngineCtxFree(de_ctx);
2946 
2947  PASS;
2948 }
2949 
2950 /**
2951  * \test Test content for dce sig.
2952  */
2953 static int DcePayloadParseTest45(void)
2954 {
2955  DetectEngineCtx *de_ctx = NULL;
2956  int result = 1;
2957  Signature *s = NULL;
2958  SigMatch *sm = NULL;
2959  DetectContentData *data = NULL;
2960  DetectBytejumpData *bjd = NULL;
2961 
2962  de_ctx = DetectEngineCtxInit();
2963  if (de_ctx == NULL)
2964  goto end;
2965 
2966  de_ctx->flags |= DE_QUIET;
2967  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2968  "(msg:\"Testing bytejump_body\"; "
2969  "dce_iface:12345678-1234-1234-1234-123456789012; "
2970  "content:\"one\"; "
2971  "dce_opnum:10; dce_stub_data; "
2972  "byte_jump:1,2,relative,align,dce; "
2973  "pkt_data; "
2974  "content:\"two\"; "
2975  "sid:1;)");
2976  if (de_ctx->sig_list == NULL) {
2977  result = 0;
2978  goto end;
2979  }
2980 
2981  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2982  result = 0;
2983  goto end;
2984  }
2985  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2986  result = 0;
2987  goto end;
2988  }
2989 
2990  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2991  if (sm->type != DETECT_BYTEJUMP) {
2992  result = 0;
2993  goto end;
2994  }
2995  bjd = (DetectBytejumpData *)sm->ctx;
2996  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2997  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2998  bjd->flags & DETECT_BYTEJUMP_BIG ||
2999  bjd->flags & DETECT_BYTEJUMP_STRING ||
3000  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
3001  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
3002  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
3003  result = 0;
3004  printf("one failed\n");
3005  goto end;
3006  }
3007 
3008  result &= (sm->next == NULL);
3009 
3010  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3011  if (sm->type != DETECT_CONTENT) {
3012  result = 0;
3013  goto end;
3014  }
3015  data = (DetectContentData *)sm->ctx;
3016  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3017  data->flags & DETECT_CONTENT_NOCASE ||
3018  data->flags & DETECT_CONTENT_WITHIN ||
3019  data->flags & DETECT_CONTENT_DISTANCE ||
3020  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3021  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3022  data->flags & DETECT_CONTENT_NEGATED ) {
3023  printf("one failed\n");
3024  result = 0;
3025  goto end;
3026  }
3027  result &= (strncmp((char *)data->content, "one", 3) == 0);
3028  if (result == 0)
3029  goto end;
3030 
3031  sm = sm->next;
3032  if (sm->type != DETECT_CONTENT) {
3033  result = 0;
3034  goto end;
3035  }
3036  data = (DetectContentData *)sm->ctx;
3037  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3038  data->flags & DETECT_CONTENT_NOCASE ||
3039  data->flags & DETECT_CONTENT_WITHIN ||
3040  data->flags & DETECT_CONTENT_DISTANCE ||
3041  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3042  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3043  data->flags & DETECT_CONTENT_NEGATED ) {
3044  printf("two failed\n");
3045  result = 0;
3046  goto end;
3047  }
3048  result &= (strncmp((char *)data->content, "two", 3) == 0);
3049  if (result == 0)
3050  goto end;
3051 
3052  result &= (sm->next == NULL);
3053 
3054  end:
3055  SigGroupCleanup(de_ctx);
3056  SigCleanSignatures(de_ctx);
3057  DetectEngineCtxFree(de_ctx);
3058 
3059  return result;
3060 }
3061 
3062 /**
3063  * \test Test content for dce sig.
3064  */
3065 static int DcePayloadParseTest46(void)
3066 {
3067  DetectEngineCtx *de_ctx = NULL;
3068  int result = 1;
3069  Signature *s = NULL;
3070  SigMatch *sm = NULL;
3071  DetectContentData *data = NULL;
3072  DetectBytetestData *btd = NULL;
3073 
3074  de_ctx = DetectEngineCtxInit();
3075  if (de_ctx == NULL)
3076  goto end;
3077 
3078  de_ctx->flags |= DE_QUIET;
3079  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3080  "(msg:\"Testing bytejump_body\"; "
3081  "dce_iface:12345678-1234-1234-1234-123456789012; "
3082  "content:\"one\"; "
3083  "dce_opnum:10; dce_stub_data; "
3084  "byte_test:1,=,2,0,relative,dce; "
3085  "pkt_data; "
3086  "content:\"two\"; "
3087  "sid:1;)");
3088  if (de_ctx->sig_list == NULL) {
3089  result = 0;
3090  goto end;
3091  }
3092 
3093  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
3094  result = 0;
3095  goto end;
3096  }
3097  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3098  result = 0;
3099  goto end;
3100  }
3101 
3102  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
3103  if (sm->type != DETECT_BYTETEST) {
3104  result = 0;
3105  goto end;
3106  }
3107  btd = (DetectBytetestData *)sm->ctx;
3108  if (btd->flags & DETECT_BYTETEST_LITTLE ||
3109  btd->flags & DETECT_BYTETEST_BIG ||
3110  btd->flags & DETECT_BYTETEST_STRING ||
3111  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
3112  !(btd->flags & DETECT_BYTETEST_DCE) ) {
3113  result = 0;
3114  printf("one failed\n");
3115  goto end;
3116  }
3117 
3118  result &= (sm->next == NULL);
3119 
3120  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3121  if (sm->type != DETECT_CONTENT) {
3122  result = 0;
3123  goto end;
3124  }
3125  data = (DetectContentData *)sm->ctx;
3126  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3127  data->flags & DETECT_CONTENT_NOCASE ||
3128  data->flags & DETECT_CONTENT_WITHIN ||
3129  data->flags & DETECT_CONTENT_DISTANCE ||
3130  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3131  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3132  data->flags & DETECT_CONTENT_NEGATED ) {
3133  printf("one failed\n");
3134  result = 0;
3135  goto end;
3136  }
3137  result &= (strncmp((char *)data->content, "one", 3) == 0);
3138  if (result == 0)
3139  goto end;
3140 
3141  sm = sm->next;
3142  if (sm->type != DETECT_CONTENT) {
3143  result = 0;
3144  goto end;
3145  }
3146  data = (DetectContentData *)sm->ctx;
3147  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3148  data->flags & DETECT_CONTENT_NOCASE ||
3149  data->flags & DETECT_CONTENT_WITHIN ||
3150  data->flags & DETECT_CONTENT_DISTANCE ||
3151  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3152  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3153  data->flags & DETECT_CONTENT_NEGATED ) {
3154  printf("two failed\n");
3155  result = 0;
3156  goto end;
3157  }
3158  result &= (strncmp((char *)data->content, "two", 3) == 0);
3159  if (result == 0)
3160  goto end;
3161 
3162  result &= (sm->next == NULL);
3163 
3164  end:
3165  SigGroupCleanup(de_ctx);
3166  SigCleanSignatures(de_ctx);
3167  DetectEngineCtxFree(de_ctx);
3168 
3169  return result;
3170 }
3171 
3172 #endif /* UNITTESTS */
3173 
3174 void DcePayloadRegisterTests(void)
3175 {
3176  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
3177 
3178 #ifdef UNITTESTS
3179  UtRegisterTest("DcePayloadTest15", DcePayloadTest15);
3180  UtRegisterTest("DcePayloadTest16", DcePayloadTest16);
3181  UtRegisterTest("DcePayloadTest17", DcePayloadTest17);
3182  UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
3183  UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
3184  UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
3185 
3186  UtRegisterTest("DcePayloadParseTest25", DcePayloadParseTest25);
3187  UtRegisterTest("DcePayloadParseTest26", DcePayloadParseTest26);
3188  UtRegisterTest("DcePayloadParseTest27", DcePayloadParseTest27);
3189  UtRegisterTest("DcePayloadParseTest28", DcePayloadParseTest28);
3190  UtRegisterTest("DcePayloadParseTest29", DcePayloadParseTest29);
3191  UtRegisterTest("DcePayloadParseTest30", DcePayloadParseTest30);
3192  UtRegisterTest("DcePayloadParseTest31", DcePayloadParseTest31);
3193  UtRegisterTest("DcePayloadParseTest32", DcePayloadParseTest32);
3194  UtRegisterTest("DcePayloadParseTest33", DcePayloadParseTest33);
3195  UtRegisterTest("DcePayloadParseTest34", DcePayloadParseTest34);
3196  UtRegisterTest("DcePayloadParseTest35", DcePayloadParseTest35);
3197  UtRegisterTest("DcePayloadParseTest36", DcePayloadParseTest36);
3198  UtRegisterTest("DcePayloadParseTest37", DcePayloadParseTest37);
3199  UtRegisterTest("DcePayloadParseTest38", DcePayloadParseTest38);
3200  UtRegisterTest("DcePayloadParseTest39", DcePayloadParseTest39);
3201  UtRegisterTest("DcePayloadParseTest40", DcePayloadParseTest40);
3202  UtRegisterTest("DcePayloadParseTest41", DcePayloadParseTest41);
3203 
3204  UtRegisterTest("DcePayloadParseTest44", DcePayloadParseTest44);
3205  UtRegisterTest("DcePayloadParseTest45", DcePayloadParseTest45);
3206  UtRegisterTest("DcePayloadParseTest46", DcePayloadParseTest46);
3207 #endif /* UNITTESTS */
3208 
3209  return;
3210 }
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:79
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1003
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:76
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DETECT_BYTEJUMP_LITTLE
#define DETECT_BYTEJUMP_LITTLE
Definition: detect-bytejump.h:35
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
detect-isdataat.h
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
Flow_::proto
uint8_t proto
Definition: flow.h:379
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:463
DcePayloadRegisterTests
void DcePayloadRegisterTests(void)
Definition: detect-engine-dcepayload.c:3174
Flow_
Flow data structure.
Definition: flow.h:357
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DETECT_BYTETEST_DCE
#define DETECT_BYTETEST_DCE
Definition: detect-bytetest.h:47
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:227
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
DETECT_BYTEJUMP_DCE
#define DETECT_BYTEJUMP_DCE
Definition: detect-bytejump.h:40
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:47
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
DetectBytetestData_
Definition: detect-bytetest.h:52
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:459
DETECT_BYTEJUMP_BIG
#define DETECT_BYTEJUMP_BIG
Definition: detect-bytejump.h:36
Flow_::protoctx
void * protoctx
Definition: flow.h:447
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
DetectBytejumpData_
Definition: detect-bytejump.h:44
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1079
Signature_::next
struct Signature_ * next
Definition: detect.h:614
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:536
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:356
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:40
DETECT_BYTETEST_RELATIVE
#define DETECT_BYTETEST_RELATIVE
Definition: detect-bytetest.h:46
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_PCRE_RAWBYTES
#define DETECT_PCRE_RAWBYTES
Definition: detect-pcre.h:30
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
DETECT_BYTEJUMP_ALIGN
#define DETECT_BYTEJUMP_ALIGN
Definition: detect-bytejump.h:39
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2019
Packet_
Definition: decode.h:428
DETECT_BYTETEST_BIG
#define DETECT_BYTETEST_BIG
Definition: detect-bytetest.h:44
detect-engine-build.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
detect-engine-alert.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:534
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
detect-engine-content-inspection.h
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:75
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:668
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1323
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
detect-byte-extract.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Flow_::flags
uint32_t flags
Definition: flow.h:427
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:313
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DETECT_BYTETEST_STRING
#define DETECT_BYTETEST_STRING
Definition: detect-bytetest.h:45
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:229
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
suricata.h
DetectPcreData_
Definition: detect-pcre.h:42
DETECT_BYTEJUMP_STRING
#define DETECT_BYTEJUMP_STRING
Definition: detect-bytejump.h:37
DETECT_BYTEJUMP_BEGIN
#define DETECT_BYTEJUMP_BEGIN
Definition: detect-bytejump.h:34
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
DETECT_PCRE_RELATIVE
#define DETECT_PCRE_RELATIVE
Definition: detect-pcre.h:29
TcpSession_
Definition: stream-tcp-private.h:272
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
detect-engine-dcepayload.h
DETECT_BYTETEST_LITTLE
#define DETECT_BYTETEST_LITTLE
Definition: detect-bytetest.h:43
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
DETECT_BYTEJUMP_RELATIVE
#define DETECT_BYTEJUMP_RELATIVE
Definition: detect-bytejump.h:38
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1000
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:47
app-layer.h
detect-bytetest.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468