suricata
detect-engine-dcepayload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-engine.h"
31 #include "detect-parse.h"
32 #include "detect-pcre.h"
33 #include "detect-isdataat.h"
34 #include "detect-bytetest.h"
35 #include "detect-bytejump.h"
36 #include "detect-byte-extract.h"
37 #include "detect-content.h"
38 #include "detect-engine-content-inspection.h"
39 #include "detect-engine-dcepayload.h"
40 #include "detect-engine-build.h"
41 #include "app-layer-parser.h"
42 
43 #include "stream-tcp.h"
44 
45 #include "app-layer.h"
46 #include "flow-util.h"
47 #include "util-debug.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
52 #include "detect-dce-iface.h"
53 
54 static int g_dce_stub_data_buffer_id = 0;
55 
56 
57 /**************************************Unittests*******************************/
58 
59 #ifdef UNITTESTS
60 
61 /**
62  * \test Test the working of byte_test endianness.
63  */
64 static int DcePayloadTest15(void)
65 {
66  int result = 0;
67 
68  uint8_t request1[] = {
69  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
70  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
71  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
72  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
73  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
74  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
75  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
76  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
77  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
78  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
79  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
80  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
81  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
82  };
83  uint32_t request1_len = sizeof(request1);
84 
85  TcpSession ssn;
86  Packet *p = NULL;
87  ThreadVars tv;
88  DetectEngineCtx *de_ctx = NULL;
89  DetectEngineThreadCtx *det_ctx = NULL;
90  Flow f;
91  int r;
92 
93  const char *sig1 = "alert tcp any any -> any any "
94  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
95  "byte_test:2,=,14080,0,relative,dce; sid:1;)";
96  const char *sig2 = "alert tcp any any -> any any "
97  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
98  "byte_test:2,=,46,5,relative,dce; sid:2;)";
99 
100  Signature *s;
101  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
102 
103  memset(&tv, 0, sizeof(ThreadVars));
104  memset(&f, 0, sizeof(Flow));
105  memset(&ssn, 0, sizeof(TcpSession));
106 
107  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
108  p->flow = &f;
109  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
110  p->flowflags |= FLOW_PKT_TOSERVER;
111  p->flowflags |= FLOW_PKT_ESTABLISHED;
112 
113  FLOW_INITIALIZE(&f);
114  f.protoctx = (void *)&ssn;
115  f.proto = IPPROTO_TCP;
116  f.flags |= FLOW_IPV4;
117  f.alproto = ALPROTO_DCERPC;
118 
119  StreamTcpInitConfig(true);
120 
121  de_ctx = DetectEngineCtxInit();
122  if (de_ctx == NULL)
123  goto end;
124  de_ctx->flags |= DE_QUIET;
125 
126  de_ctx->sig_list = SigInit(de_ctx, sig1);
127  s = de_ctx->sig_list;
128  if (s == NULL)
129  goto end;
130  s->next = SigInit(de_ctx, sig2);
131  if (s->next == NULL)
132  goto end;
133 
134  SigGroupBuild(de_ctx);
135  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
136 
137  /* request 1 */
138  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
139  STREAM_TOSERVER, request1, request1_len);
140  if (r != 0) {
141  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
142  result = 0;
143  goto end;
144  }
145  /* detection phase */
146  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
147  if (!(PacketAlertCheck(p, 1))) {
148  printf("sid 1 didn't match but should have for packet: ");
149  goto end;
150  }
151  if (!(PacketAlertCheck(p, 2))) {
152  printf("sid 2 didn't match but should have for packet: ");
153  goto end;
154  }
155 
156  result = 1;
157 
158 end:
159  if (alp_tctx != NULL)
160  AppLayerParserThreadCtxFree(alp_tctx);
161  if (de_ctx != NULL) {
162  SigGroupCleanup(de_ctx);
163  SigCleanSignatures(de_ctx);
164 
165  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
166  DetectEngineCtxFree(de_ctx);
167  }
168 
169  StreamTcpFreeConfig(true);
170 
171  UTHFreePackets(&p, 1);
172  return result;
173 }
174 
175 /**
176  * \test Test the working of byte_test endianness.
177  */
178 static int DcePayloadTest16(void)
179 {
180  int result = 0;
181 
182  uint8_t request1[] = {
183  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
184  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
185  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
186  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
187  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
188  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
189  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
190  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
191  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
192  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
193  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
194  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
195  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
196  };
197  uint32_t request1_len = sizeof(request1);
198 
199  TcpSession ssn;
200  Packet *p = NULL;
201  ThreadVars tv;
202  DetectEngineCtx *de_ctx = NULL;
203  DetectEngineThreadCtx *det_ctx = NULL;
204  Flow f;
205  int r;
206 
207  const char *sig1 = "alert tcp any any -> any any "
208  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
209  "byte_test:2,=,55,0,relative; sid:1;)";
210  const char *sig2 = "alert tcp any any -> any any "
211  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
212  "byte_test:2,=,11776,5,relative; sid:2;)";
213 
214  Signature *s;
215  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
216 
217  memset(&tv, 0, sizeof(ThreadVars));
218  memset(&f, 0, sizeof(Flow));
219  memset(&ssn, 0, sizeof(TcpSession));
220 
221  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
222  p->flow = &f;
223  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
224  p->flowflags |= FLOW_PKT_TOSERVER;
225  p->flowflags |= FLOW_PKT_ESTABLISHED;
226 
227  FLOW_INITIALIZE(&f);
228  f.protoctx = (void *)&ssn;
229  f.proto = IPPROTO_TCP;
230  f.flags |= FLOW_IPV4;
231  f.alproto = ALPROTO_DCERPC;
232 
233  StreamTcpInitConfig(true);
234 
235  de_ctx = DetectEngineCtxInit();
236  if (de_ctx == NULL)
237  goto end;
238  de_ctx->flags |= DE_QUIET;
239 
240  de_ctx->sig_list = SigInit(de_ctx, sig1);
241  s = de_ctx->sig_list;
242  if (s == NULL)
243  goto end;
244  s->next = SigInit(de_ctx, sig2);
245  if (s->next == NULL)
246  goto end;
247 
248  SigGroupBuild(de_ctx);
249  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
250 
251  /* request 1 */
252  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
253  STREAM_TOSERVER, request1, request1_len);
254  if (r != 0) {
255  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
256  result = 0;
257  goto end;
258  }
259  /* detection phase */
260  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
261  if (!(PacketAlertCheck(p, 1))) {
262  printf("sid 1 didn't match but should have for packet: ");
263  goto end;
264  }
265  if (!(PacketAlertCheck(p, 2))) {
266  printf("sid 2 didn't match but should have for packet: ");
267  goto end;
268  }
269 
270  result = 1;
271 
272 end:
273  if (alp_tctx != NULL)
274  AppLayerParserThreadCtxFree(alp_tctx);
275  if (de_ctx != NULL) {
276  SigGroupCleanup(de_ctx);
277  SigCleanSignatures(de_ctx);
278 
279  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
280  DetectEngineCtxFree(de_ctx);
281  }
282 
283  StreamTcpFreeConfig(true);
284 
285  UTHFreePackets(&p, 1);
286  return result;
287 }
288 
289 /**
290  * \test Test the working of byte_test endianness.
291  */
292 static int DcePayloadTest17(void)
293 {
294  int result = 0;
295 
296  uint8_t request1[] = {
297  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
298  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
299  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
300  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
301  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
302  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
303  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
304  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
305  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
306  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
307  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
308  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
309  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
310  };
311  uint32_t request1_len = sizeof(request1);
312 
313  TcpSession ssn;
314  Packet *p = NULL;
315  ThreadVars tv;
316  DetectEngineCtx *de_ctx = NULL;
317  DetectEngineThreadCtx *det_ctx = NULL;
318  Flow f;
319  int r;
320 
321  const char *sig1 = "alert tcp any any -> any any "
322  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
323  "byte_test:2,=,55,0,relative,big; sid:1;)";
324  const char *sig2 = "alert tcp any any -> any any "
325  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
326  "byte_test:2,=,46,5,relative,little; sid:2;)";
327 
328  Signature *s;
329  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
330 
331  memset(&tv, 0, sizeof(ThreadVars));
332  memset(&f, 0, sizeof(Flow));
333  memset(&ssn, 0, sizeof(TcpSession));
334 
335  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
336  p->flow = &f;
337  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
338  p->flowflags |= FLOW_PKT_TOSERVER;
339  p->flowflags |= FLOW_PKT_ESTABLISHED;
340 
341  FLOW_INITIALIZE(&f);
342  f.protoctx = (void *)&ssn;
343  f.proto = IPPROTO_TCP;
344  f.flags |= FLOW_IPV4;
345  f.alproto = ALPROTO_DCERPC;
346 
347  StreamTcpInitConfig(true);
348 
349  de_ctx = DetectEngineCtxInit();
350  if (de_ctx == NULL)
351  goto end;
352  de_ctx->flags |= DE_QUIET;
353 
354  de_ctx->sig_list = SigInit(de_ctx, sig1);
355  s = de_ctx->sig_list;
356  if (s == NULL)
357  goto end;
358  s->next = SigInit(de_ctx, sig2);
359  if (s->next == NULL)
360  goto end;
361 
362  SigGroupBuild(de_ctx);
363  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
364 
365  /* request 1 */
366  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
367  STREAM_TOSERVER, request1, request1_len);
368  if (r != 0) {
369  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
370  result = 0;
371  goto end;
372  }
373  /* detection phase */
374  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
375  if (!(PacketAlertCheck(p, 1))) {
376  printf("sid 1 didn't match but should have for packet: ");
377  goto end;
378  }
379  if (!(PacketAlertCheck(p, 2))) {
380  printf("sid 2 didn't match but should have for packet: ");
381  goto end;
382  }
383 
384  result = 1;
385 
386 end:
387  if (alp_tctx != NULL)
388  AppLayerParserThreadCtxFree(alp_tctx);
389  if (de_ctx != NULL) {
390  SigGroupCleanup(de_ctx);
391  SigCleanSignatures(de_ctx);
392 
393  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
394  DetectEngineCtxFree(de_ctx);
395  }
396 
397  StreamTcpFreeConfig(true);
398 
399  UTHFreePackets(&p, 1);
400  return result;
401 }
402 
403 /**
404  * \test Test the working of byte_jump endianness.
405  */
406 static int DcePayloadTest18(void)
407 {
408  int result = 0;
409 
410  uint8_t request1[] = {
411  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
412  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
413  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
414  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
415  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
416  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x03, 0x00, 0x03,
417  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
418  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
419  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
420  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
421  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
422  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
423  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
424  };
425  uint32_t request1_len = sizeof(request1);
426 
427  TcpSession ssn;
428  Packet *p = NULL;
429  ThreadVars tv;
430  DetectEngineCtx *de_ctx = NULL;
431  DetectEngineThreadCtx *det_ctx = NULL;
432  Flow f;
433  int r;
434 
435  const char *sig1 = "alert tcp any any -> any any "
436  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
437  "byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
438  const char *sig2 = "alert tcp any any -> any any "
439  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
440  "byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
441 
442  Signature *s;
443  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
444 
445  memset(&tv, 0, sizeof(ThreadVars));
446  memset(&f, 0, sizeof(Flow));
447  memset(&ssn, 0, sizeof(TcpSession));
448 
449  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
450  p->flow = &f;
451  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
452  p->flowflags |= FLOW_PKT_TOSERVER;
453  p->flowflags |= FLOW_PKT_ESTABLISHED;
454 
455  FLOW_INITIALIZE(&f);
456  f.protoctx = (void *)&ssn;
457  f.proto = IPPROTO_TCP;
458  f.flags |= FLOW_IPV4;
459  f.alproto = ALPROTO_DCERPC;
460 
461  StreamTcpInitConfig(true);
462 
463  de_ctx = DetectEngineCtxInit();
464  if (de_ctx == NULL)
465  goto end;
466  de_ctx->flags |= DE_QUIET;
467 
468  de_ctx->sig_list = SigInit(de_ctx, sig1);
469  s = de_ctx->sig_list;
470  if (s == NULL)
471  goto end;
472  s->next = SigInit(de_ctx, sig2);
473  if (s->next == NULL)
474  goto end;
475 
476  SigGroupBuild(de_ctx);
477  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
478 
479  /* request 1 */
480  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
481  STREAM_TOSERVER, request1, request1_len);
482  if (r != 0) {
483  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
484  result = 0;
485  goto end;
486  }
487  /* detection phase */
488  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
489  if (!(PacketAlertCheck(p, 1))) {
490  printf("sid 1 didn't match but should have for packet: ");
491  goto end;
492  }
493  if (!(PacketAlertCheck(p, 2))) {
494  printf("sid 2 didn't match but should have for packet: ");
495  goto end;
496  }
497 
498  result = 1;
499 
500 end:
501  if (alp_tctx != NULL)
502  AppLayerParserThreadCtxFree(alp_tctx);
503  if (de_ctx != NULL) {
504  SigGroupCleanup(de_ctx);
505  SigCleanSignatures(de_ctx);
506 
507  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
508  DetectEngineCtxFree(de_ctx);
509  }
510 
511  StreamTcpFreeConfig(true);
512 
513  UTHFreePackets(&p, 1);
514  return result;
515 }
516 
517 /**
518  * \test Test the working of byte_jump endianness.
519  */
520 static int DcePayloadTest19(void)
521 {
522  int result = 0;
523 
524  uint8_t request1[] = {
525  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
526  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
527  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
528  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
529  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
530  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x00,
531  0x03, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
532  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
533  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
534  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
535  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
536  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
537  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
538  };
539  uint32_t request1_len = sizeof(request1);
540 
541  TcpSession ssn;
542  Packet *p = NULL;
543  ThreadVars tv;
544  DetectEngineCtx *de_ctx = NULL;
545  DetectEngineThreadCtx *det_ctx = NULL;
546  Flow f;
547  int r;
548 
549  const char *sig1 = "alert tcp any any -> any any "
550  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
551  "byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
552  const char *sig2 = "alert tcp any any -> any any "
553  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
554  "byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
555 
556  Signature *s;
557  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
558 
559  memset(&tv, 0, sizeof(ThreadVars));
560  memset(&f, 0, sizeof(Flow));
561  memset(&ssn, 0, sizeof(TcpSession));
562 
563  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
564  p->flow = &f;
565  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
566  p->flowflags |= FLOW_PKT_TOSERVER;
567  p->flowflags |= FLOW_PKT_ESTABLISHED;
568 
569  FLOW_INITIALIZE(&f);
570  f.protoctx = (void *)&ssn;
571  f.proto = IPPROTO_TCP;
572  f.flags |= FLOW_IPV4;
573  f.alproto = ALPROTO_DCERPC;
574 
575  StreamTcpInitConfig(true);
576 
577  de_ctx = DetectEngineCtxInit();
578  if (de_ctx == NULL)
579  goto end;
580  de_ctx->flags |= DE_QUIET;
581 
582  de_ctx->sig_list = SigInit(de_ctx, sig1);
583  s = de_ctx->sig_list;
584  if (s == NULL)
585  goto end;
586  s->next = SigInit(de_ctx, sig2);
587  if (s->next == NULL)
588  goto end;
589 
590  SigGroupBuild(de_ctx);
591  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
592 
593  /* request 1 */
594  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
595  STREAM_TOSERVER, request1, request1_len);
596  if (r != 0) {
597  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
598  result = 0;
599  goto end;
600  }
601  /* detection phase */
602  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
603  if (!(PacketAlertCheck(p, 1))) {
604  printf("sid 1 didn't match but should have for packet: ");
605  goto end;
606  }
607  if (!(PacketAlertCheck(p, 2))) {
608  printf("sid 2 didn't match but should have for packet: ");
609  goto end;
610  }
611 
612  result = 1;
613 
614 end:
615  if (alp_tctx != NULL)
616  AppLayerParserThreadCtxFree(alp_tctx);
617  if (de_ctx != NULL) {
618  SigGroupCleanup(de_ctx);
619  SigCleanSignatures(de_ctx);
620 
621  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
622  DetectEngineCtxFree(de_ctx);
623  }
624 
625  StreamTcpFreeConfig(true);
626 
627  UTHFreePackets(&p, 1);
628  return result;
629 }
630 
631 /**
632  * \test Test the working of byte_jump endianness.
633  */
634 static int DcePayloadTest20(void)
635 {
636  int result = 0;
637 
638  uint8_t request1[] = {
639  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
640  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
641  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
642  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
643  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
644  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x03,
645  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
646  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
647  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
648  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
649  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
650  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
651  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
652  };
653  uint32_t request1_len = sizeof(request1);
654 
655  TcpSession ssn;
656  Packet *p = NULL;
657  ThreadVars tv;
658  DetectEngineCtx *de_ctx = NULL;
659  DetectEngineThreadCtx *det_ctx = NULL;
660  Flow f;
661  int r;
662 
663  const char *sig1 = "alert tcp any any -> any any "
664  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
665  "byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
666  const char *sig2 = "alert tcp any any -> any any "
667  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
668  "byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
669 
670  Signature *s;
671  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
672 
673  memset(&tv, 0, sizeof(ThreadVars));
674  memset(&f, 0, sizeof(Flow));
675  memset(&ssn, 0, sizeof(TcpSession));
676 
677  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
678  p->flow = &f;
679  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
680  p->flowflags |= FLOW_PKT_TOSERVER;
681  p->flowflags |= FLOW_PKT_ESTABLISHED;
682 
683  FLOW_INITIALIZE(&f);
684  f.protoctx = (void *)&ssn;
685  f.proto = IPPROTO_TCP;
686  f.flags |= FLOW_IPV4;
687  f.alproto = ALPROTO_DCERPC;
688 
689  StreamTcpInitConfig(true);
690 
691  de_ctx = DetectEngineCtxInit();
692  if (de_ctx == NULL)
693  goto end;
694  de_ctx->flags |= DE_QUIET;
695 
696  de_ctx->sig_list = SigInit(de_ctx, sig1);
697  s = de_ctx->sig_list;
698  if (s == NULL)
699  goto end;
700  s->next = SigInit(de_ctx, sig2);
701  if (s->next == NULL)
702  goto end;
703 
704  SigGroupBuild(de_ctx);
705  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
706 
707  /* request 1 */
708  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
709  STREAM_TOSERVER, request1, request1_len);
710  if (r != 0) {
711  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
712  result = 0;
713  goto end;
714  }
715  /* detection phase */
716  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
717  if (!(PacketAlertCheck(p, 1))) {
718  printf("sid 1 didn't match but should have for packet: ");
719  goto end;
720  }
721  if (!(PacketAlertCheck(p, 2))) {
722  printf("sid 2 didn't match but should have for packet: ");
723  goto end;
724  }
725 
726  result = 1;
727 
728 end:
729  if (alp_tctx != NULL)
730  AppLayerParserThreadCtxFree(alp_tctx);
731  if (de_ctx != NULL) {
732  SigGroupCleanup(de_ctx);
733  SigCleanSignatures(de_ctx);
734 
735  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
736  DetectEngineCtxFree(de_ctx);
737  }
738 
739  StreamTcpFreeConfig(true);
740 
741  UTHFreePackets(&p, 1);
742  return result;
743 }
744 
745 /**
746  * \test Test content for dce sig.
747  */
748 static int DcePayloadParseTest25(void)
749 {
750  DetectEngineCtx *de_ctx = NULL;
751  int result = 1;
752  Signature *s = NULL;
753  SigMatch *sm = NULL;
754  DetectContentData *data = NULL;
755 
756  de_ctx = DetectEngineCtxInit();
757  if (de_ctx == NULL)
758  goto end;
759 
760  de_ctx->flags |= DE_QUIET;
761  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
762  "(msg:\"Testing bytejump_body\"; "
763  "content:\"one\"; content:\"two\"; "
764  "content:\"three\"; within:10; "
765  "content:\"four\"; distance:4; "
766  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
767  "sid:1;)");
768  if (de_ctx->sig_list == NULL) {
769  result = 0;
770  goto end;
771  }
772 
773  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
774  result = 0;
775  goto end;
776  }
777  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
778  result = 0;
779  goto end;
780  }
781 
782  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
783  if (sm->type != DETECT_CONTENT) {
784  result = 0;
785  goto end;
786  }
787  data = (DetectContentData *)sm->ctx;
788  if (data->flags & DETECT_CONTENT_RAWBYTES ||
789  data->flags & DETECT_CONTENT_NOCASE ||
790  data->flags & DETECT_CONTENT_WITHIN ||
791  data->flags & DETECT_CONTENT_DISTANCE ||
792  data->flags & DETECT_CONTENT_FAST_PATTERN ||
793  data->flags & DETECT_CONTENT_NEGATED ) {
794  result = 0;
795  goto end;
796  }
797  result &= (strncmp((char *)data->content, "one", 3) == 0);
798  if (result == 0)
799  goto end;
800 
801  sm = sm->next;
802  if (sm->type != DETECT_CONTENT) {
803  result = 0;
804  goto end;
805  }
806  data = (DetectContentData *)sm->ctx;
807  if (data->flags & DETECT_CONTENT_RAWBYTES ||
808  data->flags & DETECT_CONTENT_NOCASE ||
809  data->flags & DETECT_CONTENT_WITHIN ||
810  data->flags & DETECT_CONTENT_DISTANCE ||
811  data->flags & DETECT_CONTENT_FAST_PATTERN ||
812  data->flags & DETECT_CONTENT_NEGATED ) {
813  result = 0;
814  goto end;
815  }
816  result &= (strncmp((char *)data->content, "two", 3) == 0);
817  if (result == 0)
818  goto end;
819 
820  sm = sm->next;
821  if (sm->type != DETECT_CONTENT) {
822  result = 0;
823  goto end;
824  }
825  data = (DetectContentData *)sm->ctx;
826  if (data->flags & DETECT_CONTENT_RAWBYTES ||
827  data->flags & DETECT_CONTENT_NOCASE ||
828  !(data->flags & DETECT_CONTENT_WITHIN) ||
829  data->flags & DETECT_CONTENT_DISTANCE ||
830  data->flags & DETECT_CONTENT_FAST_PATTERN ||
831  data->flags & DETECT_CONTENT_NEGATED ) {
832  result = 0;
833  goto end;
834  }
835  result &= (strncmp((char *)data->content, "three", 5) == 0);
836  if (result == 0)
837  goto end;
838 
839  sm = sm->next;
840  if (sm->type != DETECT_CONTENT) {
841  result = 0;
842  goto end;
843  }
844  data = (DetectContentData *)sm->ctx;
845  if (data->flags & DETECT_CONTENT_RAWBYTES ||
846  data->flags & DETECT_CONTENT_NOCASE ||
847  data->flags & DETECT_CONTENT_WITHIN ||
848  !(data->flags & DETECT_CONTENT_DISTANCE) ||
849  data->flags & DETECT_CONTENT_FAST_PATTERN ||
850  data->flags & DETECT_CONTENT_NEGATED ) {
851  result = 0;
852  goto end;
853  }
854  result &= (strncmp((char *)data->content, "four", 4) == 0);
855  if (result == 0)
856  goto end;
857 
858  end:
859  SigGroupCleanup(de_ctx);
860  SigCleanSignatures(de_ctx);
861  DetectEngineCtxFree(de_ctx);
862 
863  return result;
864 }
865 
866 /**
867  * \test Test content for dce sig.
868  */
869 static int DcePayloadParseTest26(void)
870 {
871  DetectEngineCtx *de_ctx = NULL;
872  int result = 1;
873  Signature *s = NULL;
874  SigMatch *sm = NULL;
875  DetectContentData *data = NULL;
876 
877  de_ctx = DetectEngineCtxInit();
878  if (de_ctx == NULL)
879  goto end;
880 
881  de_ctx->flags |= DE_QUIET;
882  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
883  "(msg:\"Testing bytejump_body\"; "
884  "dce_stub_data; "
885  "pkt_data; "
886  "content:\"one\"; "
887  "content:\"two\"; "
888  "content:\"three\"; within:5; "
889  "content:\"four\"; distance:10; "
890  "sid:1;)");
891  if (de_ctx->sig_list == NULL) {
892  result = 0;
893  goto end;
894  }
895 
896  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
897  result = 0;
898  goto end;
899  }
900  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
901  result = 0;
902  goto end;
903  }
904 
905  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
906  if (sm->type != DETECT_CONTENT) {
907  result = 0;
908  goto end;
909  }
910  data = (DetectContentData *)sm->ctx;
911  if (data->flags & DETECT_CONTENT_RAWBYTES ||
912  data->flags & DETECT_CONTENT_NOCASE ||
913  data->flags & DETECT_CONTENT_WITHIN ||
914  data->flags & DETECT_CONTENT_DISTANCE ||
915  data->flags & DETECT_CONTENT_FAST_PATTERN ||
916  data->flags & DETECT_CONTENT_NEGATED ) {
917  result = 0;
918  printf("one failed\n");
919  goto end;
920  }
921  result &= (strncmp((char *)data->content, "one", 3) == 0);
922  if (result == 0)
923  goto end;
924 
925  sm = sm->next;
926  if (sm->type != DETECT_CONTENT) {
927  result = 0;
928  goto end;
929  }
930  data = (DetectContentData *)sm->ctx;
931  if (data->flags & DETECT_CONTENT_RAWBYTES ||
932  data->flags & DETECT_CONTENT_NOCASE ||
933  data->flags & DETECT_CONTENT_WITHIN ||
934  data->flags & DETECT_CONTENT_DISTANCE ||
935  data->flags & DETECT_CONTENT_FAST_PATTERN ||
936  data->flags & DETECT_CONTENT_NEGATED ) {
937  result = 0;
938  printf("two failed\n");
939  goto end;
940  }
941  result &= (strncmp((char *)data->content, "two", 3) == 0);
942  if (result == 0)
943  goto end;
944 
945  sm = sm->next;
946  if (sm->type != DETECT_CONTENT) {
947  result = 0;
948  goto end;
949  }
950  data = (DetectContentData *)sm->ctx;
951  if (data->flags & DETECT_CONTENT_RAWBYTES ||
952  data->flags & DETECT_CONTENT_NOCASE ||
953  !(data->flags & DETECT_CONTENT_WITHIN) ||
954  data->flags & DETECT_CONTENT_DISTANCE ||
955  data->flags & DETECT_CONTENT_FAST_PATTERN ||
956  data->flags & DETECT_CONTENT_NEGATED ) {
957  printf("three failed\n");
958  result = 0;
959  goto end;
960  }
961  result &= (strncmp((char *)data->content, "three", 5) == 0);
962  if (result == 0)
963  goto end;
964 
965  sm = sm->next;
966  if (sm->type != DETECT_CONTENT) {
967  result = 0;
968  goto end;
969  }
970  data = (DetectContentData *)sm->ctx;
971  if (data->flags & DETECT_CONTENT_RAWBYTES ||
972  data->flags & DETECT_CONTENT_NOCASE ||
973  data->flags & DETECT_CONTENT_WITHIN ||
974  !(data->flags & DETECT_CONTENT_DISTANCE) ||
975  data->flags & DETECT_CONTENT_FAST_PATTERN ||
976  data->flags & DETECT_CONTENT_NEGATED ) {
977  printf("four failed\n");
978  result = 0;
979  goto end;
980  }
981  result &= (strncmp((char *)data->content, "four", 4) == 0);
982  if (result == 0)
983  goto end;
984 
985  end:
986  SigGroupCleanup(de_ctx);
987  SigCleanSignatures(de_ctx);
988  DetectEngineCtxFree(de_ctx);
989 
990  return result;
991 }
992 
993 /**
994  * \test Test content for dce sig.
995  */
996 static int DcePayloadParseTest27(void)
997 {
998  DetectEngineCtx *de_ctx = NULL;
999  int result = 1;
1000  Signature *s = NULL;
1001  SigMatch *sm = NULL;
1002  DetectContentData *data = NULL;
1003 
1004  de_ctx = DetectEngineCtxInit();
1005  if (de_ctx == NULL)
1006  goto end;
1007 
1008  de_ctx->flags |= DE_QUIET;
1009  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1010  "(msg:\"Testing bytejump_body\"; "
1011  "dce_stub_data; "
1012  "content:\"one\"; distance:10; within:5; "
1013  "content:\"two\"; within:5;"
1014  "content:\"three\"; within:5; "
1015  "content:\"four\"; distance:10; "
1016  "sid:1;)");
1017  if (de_ctx->sig_list == NULL) {
1018  result = 0;
1019  goto end;
1020  }
1021 
1022  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1023  result = 0;
1024  goto end;
1025  }
1026  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] != NULL) {
1027  result = 0;
1028  goto end;
1029  }
1030 
1031  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1032  if (sm->type != DETECT_CONTENT) {
1033  result = 0;
1034  goto end;
1035  }
1036  data = (DetectContentData *)sm->ctx;
1037  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1038  data->flags & DETECT_CONTENT_NOCASE ||
1039  !(data->flags & DETECT_CONTENT_WITHIN) ||
1040  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1041  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1042  data->flags & DETECT_CONTENT_NEGATED ) {
1043  result = 0;
1044  printf("one failed\n");
1045  goto end;
1046  }
1047  result &= (strncmp((char *)data->content, "one", 3) == 0);
1048  if (result == 0)
1049  goto end;
1050 
1051  sm = sm->next;
1052  if (sm->type != DETECT_CONTENT) {
1053  result = 0;
1054  goto end;
1055  }
1056  data = (DetectContentData *)sm->ctx;
1057  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1058  data->flags & DETECT_CONTENT_NOCASE ||
1059  !(data->flags & DETECT_CONTENT_WITHIN) ||
1060  data->flags & DETECT_CONTENT_DISTANCE ||
1061  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1062  data->flags & DETECT_CONTENT_NEGATED ) {
1063  result = 0;
1064  printf("two failed\n");
1065  goto end;
1066  }
1067  result &= (strncmp((char *)data->content, "two", 3) == 0);
1068  if (result == 0)
1069  goto end;
1070 
1071  sm = sm->next;
1072  if (sm->type != DETECT_CONTENT) {
1073  result = 0;
1074  goto end;
1075  }
1076  data = (DetectContentData *)sm->ctx;
1077  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1078  data->flags & DETECT_CONTENT_NOCASE ||
1079  !(data->flags & DETECT_CONTENT_WITHIN) ||
1080  data->flags & DETECT_CONTENT_DISTANCE ||
1081  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1082  data->flags & DETECT_CONTENT_NEGATED ) {
1083  printf("three failed\n");
1084  result = 0;
1085  goto end;
1086  }
1087  result &= (strncmp((char *)data->content, "three", 5) == 0);
1088  if (result == 0)
1089  goto end;
1090 
1091  sm = sm->next;
1092  if (sm->type != DETECT_CONTENT) {
1093  result = 0;
1094  goto end;
1095  }
1096  data = (DetectContentData *)sm->ctx;
1097  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1098  data->flags & DETECT_CONTENT_NOCASE ||
1099  data->flags & DETECT_CONTENT_WITHIN ||
1100  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1101  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1102  data->flags & DETECT_CONTENT_NEGATED ) {
1103  printf("four failed\n");
1104  result = 0;
1105  goto end;
1106  }
1107  result &= (strncmp((char *)data->content, "four", 4) == 0);
1108  if (result == 0)
1109  goto end;
1110 
1111  end:
1112  SigGroupCleanup(de_ctx);
1113  SigCleanSignatures(de_ctx);
1114  DetectEngineCtxFree(de_ctx);
1115 
1116  return result;
1117 }
1118 
1119 /**
1120  * \test Test content for dce sig.
1121  */
1122 static int DcePayloadParseTest28(void)
1123 {
1124  DetectEngineCtx *de_ctx = NULL;
1125  int result = 1;
1126  Signature *s = NULL;
1127  SigMatch *sm = NULL;
1128  DetectContentData *data = NULL;
1129 
1130  de_ctx = DetectEngineCtxInit();
1131  if (de_ctx == NULL)
1132  goto end;
1133 
1134  de_ctx->flags |= DE_QUIET;
1135  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1136  "(msg:\"Testing bytejump_body\"; "
1137  "dce_stub_data; "
1138  "content:\"one\"; distance:10; within:5; "
1139  "content:\"two\"; within:5;"
1140  "pkt_data; "
1141  "content:\"three\";"
1142  "content:\"four\";"
1143  "sid:1;)");
1144  if (de_ctx->sig_list == NULL) {
1145  result = 0;
1146  goto end;
1147  }
1148 
1149  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1150  result = 0;
1151  goto end;
1152  }
1153  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1154  result = 0;
1155  goto end;
1156  }
1157 
1158  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1159  if (sm->type != DETECT_CONTENT) {
1160  result = 0;
1161  goto end;
1162  }
1163  data = (DetectContentData *)sm->ctx;
1164  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1165  data->flags & DETECT_CONTENT_NOCASE ||
1166  !(data->flags & DETECT_CONTENT_WITHIN) ||
1167  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1168  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1169  data->flags & DETECT_CONTENT_NEGATED ) {
1170  result = 0;
1171  printf("one failed\n");
1172  goto end;
1173  }
1174  result &= (strncmp((char *)data->content, "one", 3) == 0);
1175  if (result == 0)
1176  goto end;
1177 
1178  sm = sm->next;
1179  if (sm->type != DETECT_CONTENT) {
1180  result = 0;
1181  goto end;
1182  }
1183  data = (DetectContentData *)sm->ctx;
1184  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1185  data->flags & DETECT_CONTENT_NOCASE ||
1186  !(data->flags & DETECT_CONTENT_WITHIN) ||
1187  data->flags & DETECT_CONTENT_DISTANCE ||
1188  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1189  data->flags & DETECT_CONTENT_NEGATED ) {
1190  result = 0;
1191  printf("two failed\n");
1192  goto end;
1193  }
1194  result &= (strncmp((char *)data->content, "two", 3) == 0);
1195  if (result == 0)
1196  goto end;
1197 
1198  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1199  if (sm->type != DETECT_CONTENT) {
1200  result = 0;
1201  goto end;
1202  }
1203  data = (DetectContentData *)sm->ctx;
1204  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1205  data->flags & DETECT_CONTENT_NOCASE ||
1206  data->flags & DETECT_CONTENT_WITHIN ||
1207  data->flags & DETECT_CONTENT_DISTANCE ||
1208  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1209  data->flags & DETECT_CONTENT_NEGATED ) {
1210  printf("three failed\n");
1211  result = 0;
1212  goto end;
1213  }
1214  result &= (strncmp((char *)data->content, "three", 5) == 0);
1215  if (result == 0)
1216  goto end;
1217 
1218  sm = sm->next;
1219  if (sm->type != DETECT_CONTENT) {
1220  result = 0;
1221  goto end;
1222  }
1223  data = (DetectContentData *)sm->ctx;
1224  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1225  data->flags & DETECT_CONTENT_NOCASE ||
1226  data->flags & DETECT_CONTENT_WITHIN ||
1227  data->flags & DETECT_CONTENT_DISTANCE ||
1228  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1229  data->flags & DETECT_CONTENT_NEGATED ) {
1230  printf("four failed\n");
1231  result = 0;
1232  goto end;
1233  }
1234  result &= (strncmp((char *)data->content, "four", 4) == 0);
1235  if (result == 0)
1236  goto end;
1237 
1238  end:
1239  SigGroupCleanup(de_ctx);
1240  SigCleanSignatures(de_ctx);
1241  DetectEngineCtxFree(de_ctx);
1242 
1243  return result;
1244 }
1245 
1246 /**
1247  * \test Test content for dce sig.
1248  */
1249 static int DcePayloadParseTest29(void)
1250 {
1251  DetectEngineCtx *de_ctx = NULL;
1252  int result = 1;
1253  Signature *s = NULL;
1254  SigMatch *sm = NULL;
1255  DetectContentData *data = NULL;
1256  DetectPcreData *pd = NULL;
1257 
1258  de_ctx = DetectEngineCtxInit();
1259  if (de_ctx == NULL)
1260  goto end;
1261 
1262  de_ctx->flags |= DE_QUIET;
1263  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1264  "(msg:\"Testing bytejump_body\"; "
1265  "dce_stub_data; "
1266  "pkt_data; "
1267  "pcre:/boom/; "
1268  "content:\"one\"; distance:10; within:5; "
1269  "content:\"two\"; within:5;"
1270  "content:\"three\";"
1271  "content:\"four\";"
1272  "sid:1;)");
1273  if (de_ctx->sig_list == NULL) {
1274  result = 0;
1275  goto end;
1276  }
1277 
1278  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1279  result = 0;
1280  goto end;
1281  }
1282  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1283  result = 0;
1284  goto end;
1285  }
1286 
1287  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1288  if (sm->type != DETECT_PCRE) {
1289  result = 0;
1290  goto end;
1291  }
1292  pd = (DetectPcreData *)sm->ctx;
1293  if (pd->flags & DETECT_PCRE_RAWBYTES ||
1294  pd->flags & DETECT_PCRE_RELATIVE) {
1295  result = 0;
1296  printf("one failed\n");
1297  goto end;
1298  }
1299 
1300  sm = sm->next;
1301  if (sm->type != DETECT_CONTENT) {
1302  result = 0;
1303  goto end;
1304  }
1305  data = (DetectContentData *)sm->ctx;
1306  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1307  data->flags & DETECT_CONTENT_NOCASE ||
1308  !(data->flags & DETECT_CONTENT_WITHIN) ||
1309  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1310  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1311  data->flags & DETECT_CONTENT_NEGATED ) {
1312  result = 0;
1313  printf("one failed\n");
1314  goto end;
1315  }
1316  result &= (strncmp((char *)data->content, "one", 3) == 0);
1317  if (result == 0)
1318  goto end;
1319 
1320  sm = sm->next;
1321  if (sm->type != DETECT_CONTENT) {
1322  result = 0;
1323  goto end;
1324  }
1325  data = (DetectContentData *)sm->ctx;
1326  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1327  data->flags & DETECT_CONTENT_NOCASE ||
1328  !(data->flags & DETECT_CONTENT_WITHIN) ||
1329  data->flags & DETECT_CONTENT_DISTANCE ||
1330  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1331  data->flags & DETECT_CONTENT_NEGATED ) {
1332  result = 0;
1333  printf("two failed\n");
1334  goto end;
1335  }
1336  result &= (strncmp((char *)data->content, "two", 3) == 0);
1337  if (result == 0)
1338  goto end;
1339 
1340  sm = sm->next;
1341  if (sm->type != DETECT_CONTENT) {
1342  result = 0;
1343  goto end;
1344  }
1345  data = (DetectContentData *)sm->ctx;
1346  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1347  data->flags & DETECT_CONTENT_NOCASE ||
1348  data->flags & DETECT_CONTENT_WITHIN ||
1349  data->flags & DETECT_CONTENT_DISTANCE ||
1350  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1351  data->flags & DETECT_CONTENT_NEGATED ) {
1352  printf("three failed\n");
1353  result = 0;
1354  goto end;
1355  }
1356  result &= (strncmp((char *)data->content, "three", 5) == 0);
1357  if (result == 0)
1358  goto end;
1359 
1360  sm = sm->next;
1361  if (sm->type != DETECT_CONTENT) {
1362  result = 0;
1363  goto end;
1364  }
1365  data = (DetectContentData *)sm->ctx;
1366  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1367  data->flags & DETECT_CONTENT_NOCASE ||
1368  data->flags & DETECT_CONTENT_WITHIN ||
1369  data->flags & DETECT_CONTENT_DISTANCE ||
1370  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1371  data->flags & DETECT_CONTENT_NEGATED ) {
1372  printf("four failed\n");
1373  result = 0;
1374  goto end;
1375  }
1376  result &= (strncmp((char *)data->content, "four", 4) == 0);
1377  if (result == 0)
1378  goto end;
1379 
1380  end:
1381  SigGroupCleanup(de_ctx);
1382  SigCleanSignatures(de_ctx);
1383  DetectEngineCtxFree(de_ctx);
1384 
1385  return result;
1386 }
1387 
1388 /**
1389  * \test Test content for dce sig.
1390  */
1391 static int DcePayloadParseTest30(void)
1392 {
1393  DetectEngineCtx *de_ctx = NULL;
1394  int result = 1;
1395  Signature *s = NULL;
1396  SigMatch *sm = NULL;
1397  DetectContentData *data = NULL;
1398  DetectBytejumpData *bd = NULL;
1399 
1400  de_ctx = DetectEngineCtxInit();
1401  if (de_ctx == NULL)
1402  goto end;
1403 
1404  de_ctx->flags |= DE_QUIET;
1405  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1406  "(msg:\"Testing bytejump_body\"; "
1407  "dce_stub_data; "
1408  "pkt_data; "
1409  "byte_jump:2,5; "
1410  "content:\"one\"; distance:10; within:5; "
1411  "content:\"two\"; within:5;"
1412  "content:\"three\";"
1413  "content:\"four\";"
1414  "sid:1;)");
1415  if (de_ctx->sig_list == NULL) {
1416  result = 0;
1417  goto end;
1418  }
1419 
1420  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1421  result = 0;
1422  goto end;
1423  }
1424  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1425  result = 0;
1426  goto end;
1427  }
1428 
1429  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1430  if (sm->type != DETECT_BYTEJUMP) {
1431  result = 0;
1432  goto end;
1433  }
1434  bd = (DetectBytejumpData *)sm->ctx;
1435  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1436  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1437  bd->flags & DETECT_BYTEJUMP_BIG ||
1438  bd->flags & DETECT_BYTEJUMP_STRING ||
1439  bd->flags & DETECT_BYTEJUMP_RELATIVE ||
1440  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1441  bd->flags & DETECT_BYTEJUMP_DCE ) {
1442  result = 0;
1443  printf("one failed\n");
1444  goto end;
1445  }
1446 
1447  sm = sm->next;
1448  if (sm->type != DETECT_CONTENT) {
1449  result = 0;
1450  goto end;
1451  }
1452  data = (DetectContentData *)sm->ctx;
1453  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1454  data->flags & DETECT_CONTENT_NOCASE ||
1455  !(data->flags & DETECT_CONTENT_WITHIN) ||
1456  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1457  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1458  data->flags & DETECT_CONTENT_NEGATED ) {
1459  result = 0;
1460  printf("one failed\n");
1461  goto end;
1462  }
1463  result &= (strncmp((char *)data->content, "one", 3) == 0);
1464  if (result == 0)
1465  goto end;
1466 
1467  sm = sm->next;
1468  if (sm->type != DETECT_CONTENT) {
1469  result = 0;
1470  goto end;
1471  }
1472  data = (DetectContentData *)sm->ctx;
1473  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1474  data->flags & DETECT_CONTENT_NOCASE ||
1475  !(data->flags & DETECT_CONTENT_WITHIN) ||
1476  data->flags & DETECT_CONTENT_DISTANCE ||
1477  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1478  data->flags & DETECT_CONTENT_NEGATED ) {
1479  result = 0;
1480  printf("two failed\n");
1481  goto end;
1482  }
1483  result &= (strncmp((char *)data->content, "two", 3) == 0);
1484  if (result == 0)
1485  goto end;
1486 
1487  sm = sm->next;
1488  if (sm->type != DETECT_CONTENT) {
1489  result = 0;
1490  goto end;
1491  }
1492  data = (DetectContentData *)sm->ctx;
1493  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1494  data->flags & DETECT_CONTENT_NOCASE ||
1495  data->flags & DETECT_CONTENT_WITHIN ||
1496  data->flags & DETECT_CONTENT_DISTANCE ||
1497  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1498  data->flags & DETECT_CONTENT_NEGATED ) {
1499  printf("three failed\n");
1500  result = 0;
1501  goto end;
1502  }
1503  result &= (strncmp((char *)data->content, "three", 5) == 0);
1504  if (result == 0)
1505  goto end;
1506 
1507  sm = sm->next;
1508  if (sm->type != DETECT_CONTENT) {
1509  result = 0;
1510  goto end;
1511  }
1512  data = (DetectContentData *)sm->ctx;
1513  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1514  data->flags & DETECT_CONTENT_NOCASE ||
1515  data->flags & DETECT_CONTENT_WITHIN ||
1516  data->flags & DETECT_CONTENT_DISTANCE ||
1517  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1518  data->flags & DETECT_CONTENT_NEGATED ) {
1519  printf("four failed\n");
1520  result = 0;
1521  goto end;
1522  }
1523  result &= (strncmp((char *)data->content, "four", 4) == 0);
1524  if (result == 0)
1525  goto end;
1526 
1527  end:
1528  SigGroupCleanup(de_ctx);
1529  SigCleanSignatures(de_ctx);
1530  DetectEngineCtxFree(de_ctx);
1531 
1532  return result;
1533 }
1534 
1535 /**
1536  * \test Test content for dce sig.
1537  */
1538 static int DcePayloadParseTest31(void)
1539 {
1540  DetectEngineCtx *de_ctx = NULL;
1541  int result = 1;
1542  Signature *s = NULL;
1543  SigMatch *sm = NULL;
1544  DetectContentData *data = NULL;
1545  DetectBytejumpData *bd = NULL;
1546 
1547  de_ctx = DetectEngineCtxInit();
1548  if (de_ctx == NULL)
1549  goto end;
1550 
1551  de_ctx->flags |= DE_QUIET;
1552  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1553  "(msg:\"Testing bytejump_body\"; "
1554  "dce_stub_data; "
1555  "byte_jump:2,5,relative; "
1556  "content:\"one\"; distance:10; within:5; "
1557  "content:\"two\"; within:5;"
1558  "pkt_data; "
1559  "content:\"three\";"
1560  "content:\"four\";"
1561  "sid:1;)");
1562  if (de_ctx->sig_list == NULL) {
1563  result = 0;
1564  goto end;
1565  }
1566 
1567  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1568  result = 0;
1569  goto end;
1570  }
1571  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1572  result = 0;
1573  goto end;
1574  }
1575 
1576  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1577  if (sm->type != DETECT_BYTEJUMP) {
1578  result = 0;
1579  goto end;
1580  }
1581  bd = (DetectBytejumpData *)sm->ctx;
1582  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1583  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1584  bd->flags & DETECT_BYTEJUMP_BIG ||
1585  bd->flags & DETECT_BYTEJUMP_STRING ||
1586  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
1587  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1588  bd->flags & DETECT_BYTEJUMP_DCE ) {
1589  result = 0;
1590  printf("one failed\n");
1591  goto end;
1592  }
1593 
1594  sm = sm->next;
1595  if (sm->type != DETECT_CONTENT) {
1596  result = 0;
1597  goto end;
1598  }
1599  data = (DetectContentData *)sm->ctx;
1600  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1601  data->flags & DETECT_CONTENT_NOCASE ||
1602  !(data->flags & DETECT_CONTENT_WITHIN) ||
1603  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1604  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1605  data->flags & DETECT_CONTENT_NEGATED ) {
1606  result = 0;
1607  printf("one failed\n");
1608  goto end;
1609  }
1610  result &= (strncmp((char *)data->content, "one", 3) == 0);
1611  if (result == 0)
1612  goto end;
1613 
1614  sm = sm->next;
1615  if (sm->type != DETECT_CONTENT) {
1616  result = 0;
1617  goto end;
1618  }
1619  data = (DetectContentData *)sm->ctx;
1620  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1621  data->flags & DETECT_CONTENT_NOCASE ||
1622  !(data->flags & DETECT_CONTENT_WITHIN) ||
1623  data->flags & DETECT_CONTENT_DISTANCE ||
1624  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1625  data->flags & DETECT_CONTENT_NEGATED ) {
1626  result = 0;
1627  printf("two failed\n");
1628  goto end;
1629  }
1630  result &= (strncmp((char *)data->content, "two", 3) == 0);
1631  if (result == 0)
1632  goto end;
1633 
1634  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1635  if (sm->type != DETECT_CONTENT) {
1636  result = 0;
1637  goto end;
1638  }
1639  data = (DetectContentData *)sm->ctx;
1640  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1641  data->flags & DETECT_CONTENT_NOCASE ||
1642  data->flags & DETECT_CONTENT_WITHIN ||
1643  data->flags & DETECT_CONTENT_DISTANCE ||
1644  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1645  data->flags & DETECT_CONTENT_NEGATED ) {
1646  printf("three failed\n");
1647  result = 0;
1648  goto end;
1649  }
1650  result &= (strncmp((char *)data->content, "three", 5) == 0);
1651  if (result == 0)
1652  goto end;
1653 
1654  sm = sm->next;
1655  if (sm->type != DETECT_CONTENT) {
1656  result = 0;
1657  goto end;
1658  }
1659  data = (DetectContentData *)sm->ctx;
1660  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1661  data->flags & DETECT_CONTENT_NOCASE ||
1662  data->flags & DETECT_CONTENT_WITHIN ||
1663  data->flags & DETECT_CONTENT_DISTANCE ||
1664  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1665  data->flags & DETECT_CONTENT_NEGATED ) {
1666  printf("four failed\n");
1667  result = 0;
1668  goto end;
1669  }
1670  result &= (strncmp((char *)data->content, "four", 4) == 0);
1671  if (result == 0)
1672  goto end;
1673 
1674  end:
1675  SigGroupCleanup(de_ctx);
1676  SigCleanSignatures(de_ctx);
1677  DetectEngineCtxFree(de_ctx);
1678 
1679  return result;
1680 }
1681 
1682 /**
1683  * \test Test content for dce sig.
1684  */
1685 static int DcePayloadParseTest32(void)
1686 {
1687  DetectEngineCtx *de_ctx = NULL;
1688  int result = 1;
1689  Signature *s = NULL;
1690  SigMatch *sm = NULL;
1691  DetectContentData *data = NULL;
1692  DetectBytejumpData *bd = NULL;
1693 
1694  de_ctx = DetectEngineCtxInit();
1695  if (de_ctx == NULL)
1696  goto end;
1697 
1698  de_ctx->flags |= DE_QUIET;
1699  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1700  "(msg:\"Testing bytejump_body\"; "
1701  "dce_stub_data; "
1702  "byte_jump:2,5,relative; "
1703  "content:\"one\"; distance:10; within:5; "
1704  "content:\"two\"; within:5;"
1705  "pkt_data; "
1706  "content:\"three\";"
1707  "content:\"four\"; within:4; "
1708  "sid:1;)");
1709  if (de_ctx->sig_list == NULL) {
1710  result = 0;
1711  goto end;
1712  }
1713 
1714  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1715  result = 0;
1716  goto end;
1717  }
1718  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1719  result = 0;
1720  goto end;
1721  }
1722 
1723  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1724  if (sm->type != DETECT_BYTEJUMP) {
1725  result = 0;
1726  goto end;
1727  }
1728  bd = (DetectBytejumpData *)sm->ctx;
1729  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1730  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1731  bd->flags & DETECT_BYTEJUMP_BIG ||
1732  bd->flags & DETECT_BYTEJUMP_STRING ||
1733  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
1734  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1735  bd->flags & DETECT_BYTEJUMP_DCE ) {
1736  result = 0;
1737  printf("one failed\n");
1738  goto end;
1739  }
1740 
1741  sm = sm->next;
1742  if (sm->type != DETECT_CONTENT) {
1743  result = 0;
1744  goto end;
1745  }
1746  data = (DetectContentData *)sm->ctx;
1747  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1748  data->flags & DETECT_CONTENT_NOCASE ||
1749  !(data->flags & DETECT_CONTENT_WITHIN) ||
1750  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1751  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1752  data->flags & DETECT_CONTENT_NEGATED ) {
1753  result = 0;
1754  printf("one failed\n");
1755  goto end;
1756  }
1757  result &= (strncmp((char *)data->content, "one", 3) == 0);
1758  if (result == 0)
1759  goto end;
1760 
1761  sm = sm->next;
1762  if (sm->type != DETECT_CONTENT) {
1763  result = 0;
1764  goto end;
1765  }
1766  data = (DetectContentData *)sm->ctx;
1767  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1768  data->flags & DETECT_CONTENT_NOCASE ||
1769  !(data->flags & DETECT_CONTENT_WITHIN) ||
1770  data->flags & DETECT_CONTENT_DISTANCE ||
1771  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1772  data->flags & DETECT_CONTENT_NEGATED ) {
1773  result = 0;
1774  printf("two failed\n");
1775  goto end;
1776  }
1777  result &= (strncmp((char *)data->content, "two", 3) == 0);
1778  if (result == 0)
1779  goto end;
1780 
1781  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1782  if (sm->type != DETECT_CONTENT) {
1783  result = 0;
1784  goto end;
1785  }
1786  data = (DetectContentData *)sm->ctx;
1787  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1788  data->flags & DETECT_CONTENT_NOCASE ||
1789  data->flags & DETECT_CONTENT_WITHIN ||
1790  data->flags & DETECT_CONTENT_DISTANCE ||
1791  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1792  data->flags & DETECT_CONTENT_NEGATED ) {
1793  printf("three failed\n");
1794  result = 0;
1795  goto end;
1796  }
1797  result &= (strncmp((char *)data->content, "three", 5) == 0);
1798  if (result == 0)
1799  goto end;
1800 
1801  sm = sm->next;
1802  if (sm->type != DETECT_CONTENT) {
1803  result = 0;
1804  goto end;
1805  }
1806  data = (DetectContentData *)sm->ctx;
1807  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1808  data->flags & DETECT_CONTENT_NOCASE ||
1809  !(data->flags & DETECT_CONTENT_WITHIN) ||
1810  data->flags & DETECT_CONTENT_DISTANCE ||
1811  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1812  data->flags & DETECT_CONTENT_NEGATED ) {
1813  printf("four failed\n");
1814  result = 0;
1815  goto end;
1816  }
1817  result &= (strncmp((char *)data->content, "four", 4) == 0);
1818  if (result == 0)
1819  goto end;
1820 
1821  end:
1822  SigGroupCleanup(de_ctx);
1823  SigCleanSignatures(de_ctx);
1824  DetectEngineCtxFree(de_ctx);
1825 
1826  return result;
1827 }
1828 
1829 /**
1830  * \test Test content for dce sig.
1831  */
1832 static int DcePayloadParseTest33(void)
1833 {
1834  DetectEngineCtx *de_ctx = NULL;
1835  int result = 1;
1836  Signature *s = NULL;
1837  SigMatch *sm = NULL;
1838  DetectContentData *data = NULL;
1839  DetectPcreData *pd = NULL;
1840 
1841  de_ctx = DetectEngineCtxInit();
1842  if (de_ctx == NULL)
1843  goto end;
1844 
1845  de_ctx->flags |= DE_QUIET;
1846  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1847  "(msg:\"Testing bytejump_body\"; "
1848  "dce_stub_data; "
1849  "pcre:/boom/R; "
1850  "content:\"one\"; distance:10; within:5; "
1851  "content:\"two\"; within:5;"
1852  "pkt_data; "
1853  "content:\"three\";"
1854  "content:\"four\"; distance:5;"
1855  "sid:1;)");
1856  if (de_ctx->sig_list == NULL) {
1857  result = 0;
1858  goto end;
1859  }
1860 
1861  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1862  result = 0;
1863  goto end;
1864  }
1865  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1866  result = 0;
1867  goto end;
1868  }
1869 
1870  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1871  if (sm->type != DETECT_PCRE) {
1872  result = 0;
1873  goto end;
1874  }
1875  pd = (DetectPcreData *)sm->ctx;
1876  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
1877  !(pd->flags & DETECT_PCRE_RELATIVE)) {
1878  result = 0;
1879  printf("one failed\n");
1880  goto end;
1881  }
1882 
1883  sm = sm->next;
1884  if (sm->type != DETECT_CONTENT) {
1885  result = 0;
1886  goto end;
1887  }
1888  data = (DetectContentData *)sm->ctx;
1889  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1890  data->flags & DETECT_CONTENT_NOCASE ||
1891  !(data->flags & DETECT_CONTENT_WITHIN) ||
1892  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1893  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1894  data->flags & DETECT_CONTENT_NEGATED ) {
1895  result = 0;
1896  printf("one failed\n");
1897  goto end;
1898  }
1899  result &= (strncmp((char *)data->content, "one", 3) == 0);
1900  if (result == 0)
1901  goto end;
1902 
1903  sm = sm->next;
1904  if (sm->type != DETECT_CONTENT) {
1905  result = 0;
1906  goto end;
1907  }
1908  data = (DetectContentData *)sm->ctx;
1909  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1910  data->flags & DETECT_CONTENT_NOCASE ||
1911  !(data->flags & DETECT_CONTENT_WITHIN) ||
1912  data->flags & DETECT_CONTENT_DISTANCE ||
1913  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1914  data->flags & DETECT_CONTENT_NEGATED ) {
1915  result = 0;
1916  printf("two failed\n");
1917  goto end;
1918  }
1919  result &= (strncmp((char *)data->content, "two", 3) == 0);
1920  if (result == 0)
1921  goto end;
1922 
1923  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1924  if (sm->type != DETECT_CONTENT) {
1925  result = 0;
1926  goto end;
1927  }
1928  data = (DetectContentData *)sm->ctx;
1929  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1930  data->flags & DETECT_CONTENT_NOCASE ||
1931  data->flags & DETECT_CONTENT_WITHIN ||
1932  data->flags & DETECT_CONTENT_DISTANCE ||
1933  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1934  data->flags & DETECT_CONTENT_NEGATED ) {
1935  printf("three failed\n");
1936  result = 0;
1937  goto end;
1938  }
1939  result &= (strncmp((char *)data->content, "three", 5) == 0);
1940  if (result == 0)
1941  goto end;
1942 
1943  sm = sm->next;
1944  if (sm->type != DETECT_CONTENT) {
1945  result = 0;
1946  goto end;
1947  }
1948  data = (DetectContentData *)sm->ctx;
1949  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1950  data->flags & DETECT_CONTENT_NOCASE ||
1951  data->flags & DETECT_CONTENT_WITHIN ||
1952  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1953  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1954  data->flags & DETECT_CONTENT_NEGATED ) {
1955  printf("four failed\n");
1956  result = 0;
1957  goto end;
1958  }
1959  result &= (strncmp((char *)data->content, "four", 4) == 0);
1960  if (result == 0)
1961  goto end;
1962 
1963  end:
1964  SigGroupCleanup(de_ctx);
1965  SigCleanSignatures(de_ctx);
1966  DetectEngineCtxFree(de_ctx);
1967 
1968  return result;
1969 }
1970 
1971 /**
1972  * \test Test content for dce sig.
1973  */
1974 static int DcePayloadParseTest34(void)
1975 {
1976  DetectEngineCtx *de_ctx = NULL;
1977  int result = 1;
1978  Signature *s = NULL;
1979  SigMatch *sm = NULL;
1980  DetectContentData *data = NULL;
1981  DetectPcreData *pd = NULL;
1982  DetectBytejumpData *bd = NULL;
1983 
1984  de_ctx = DetectEngineCtxInit();
1985  if (de_ctx == NULL)
1986  goto end;
1987 
1988  de_ctx->flags |= DE_QUIET;
1989  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1990  "(msg:\"Testing bytejump_body\"; "
1991  "dce_iface:12345678-1234-1234-1234-123456789012; "
1992  "dce_opnum:10; dce_stub_data; "
1993  "pcre:/boom/R; "
1994  "byte_jump:1,2,relative,align,dce; "
1995  "content:\"one\"; within:4; distance:8; "
1996  "pkt_data; "
1997  "content:\"two\"; "
1998  "sid:1;)");
1999  if (de_ctx->sig_list == NULL) {
2000  result = 0;
2001  goto end;
2002  }
2003 
2004  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2005  result = 0;
2006  goto end;
2007  }
2008  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2009  result = 0;
2010  goto end;
2011  }
2012 
2013  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2014  if (sm->type != DETECT_PCRE) {
2015  result = 0;
2016  goto end;
2017  }
2018  pd = (DetectPcreData *)sm->ctx;
2019  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2020  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2021  result = 0;
2022  goto end;
2023  }
2024 
2025  sm = sm->next;
2026  if (sm->type != DETECT_BYTEJUMP) {
2027  result = 0;
2028  goto end;
2029  }
2030  bd = (DetectBytejumpData *)sm->ctx;
2031  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
2032  bd->flags & DETECT_BYTEJUMP_LITTLE ||
2033  bd->flags & DETECT_BYTEJUMP_BIG ||
2034  bd->flags & DETECT_BYTEJUMP_STRING ||
2035  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2036  !(bd->flags & DETECT_BYTEJUMP_ALIGN) ||
2037  !(bd->flags & DETECT_BYTEJUMP_DCE) ) {
2038  result = 0;
2039  printf("one failed\n");
2040  goto end;
2041  }
2042 
2043  sm = sm->next;
2044  if (sm->type != DETECT_CONTENT) {
2045  result = 0;
2046  goto end;
2047  }
2048  data = (DetectContentData *)sm->ctx;
2049  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2050  data->flags & DETECT_CONTENT_NOCASE ||
2051  !(data->flags & DETECT_CONTENT_WITHIN) ||
2052  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2053  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2054  data->flags & DETECT_CONTENT_NEGATED ) {
2055  result = 0;
2056  printf("two failed\n");
2057  goto end;
2058  }
2059  result &= (strncmp((char *)data->content, "one", 3) == 0);
2060  if (result == 0)
2061  goto end;
2062 
2063  result &= (sm->next == NULL);
2064 
2065  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2066  if (sm->type != DETECT_CONTENT) {
2067  result = 0;
2068  goto end;
2069  }
2070  data = (DetectContentData *)sm->ctx;
2071  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2072  data->flags & DETECT_CONTENT_NOCASE ||
2073  data->flags & DETECT_CONTENT_WITHIN ||
2074  data->flags & DETECT_CONTENT_DISTANCE ||
2075  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2076  data->flags & DETECT_CONTENT_NEGATED ) {
2077  printf("three failed\n");
2078  result = 0;
2079  goto end;
2080  }
2081  result &= (strncmp((char *)data->content, "two", 3) == 0);
2082  if (result == 0)
2083  goto end;
2084 
2085  result &= (sm->next == NULL);
2086 
2087  end:
2088  SigGroupCleanup(de_ctx);
2089  SigCleanSignatures(de_ctx);
2090  DetectEngineCtxFree(de_ctx);
2091 
2092  return result;
2093 }
2094 
2095 /**
2096  * \test Test content for dce sig.
2097  */
2098 static int DcePayloadParseTest35(void)
2099 {
2100  DetectEngineCtx *de_ctx = NULL;
2101  int result = 1;
2102  Signature *s = NULL;
2103  SigMatch *sm = NULL;
2104  DetectContentData *data = NULL;
2105  DetectBytetestData *bd = NULL;
2106 
2107  de_ctx = DetectEngineCtxInit();
2108  if (de_ctx == NULL)
2109  goto end;
2110 
2111  de_ctx->flags |= DE_QUIET;
2112  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2113  "(msg:\"Testing bytejump_body\"; "
2114  "dce_iface:12345678-1234-1234-1234-123456789012; "
2115  "dce_opnum:10; dce_stub_data; "
2116  "byte_test:1,=,0,0,relative,dce; "
2117  "pkt_data; "
2118  "content:\"one\"; "
2119  "sid:1;)");
2120  if (de_ctx->sig_list == NULL) {
2121  result = 0;
2122  goto end;
2123  }
2124 
2125  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2126  result = 0;
2127  goto end;
2128  }
2129  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2130  result = 0;
2131  goto end;
2132  }
2133 
2134  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2135  if (sm->type != DETECT_BYTETEST) {
2136  result = 0;
2137  goto end;
2138  }
2139  bd = (DetectBytetestData *)sm->ctx;
2140  if (bd->flags & DETECT_BYTETEST_LITTLE ||
2141  bd->flags & DETECT_BYTETEST_BIG ||
2142  bd->flags & DETECT_BYTETEST_STRING ||
2143  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2144  !(bd->flags & DETECT_BYTETEST_DCE) ) {
2145  result = 0;
2146  printf("one failed\n");
2147  goto end;
2148  }
2149 
2150  result &= (sm->next == NULL);
2151 
2152  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2153  if (sm->type != DETECT_CONTENT) {
2154  result = 0;
2155  goto end;
2156  }
2157  data = (DetectContentData *)sm->ctx;
2158  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2159  data->flags & DETECT_CONTENT_NOCASE ||
2160  data->flags & DETECT_CONTENT_WITHIN ||
2161  data->flags & DETECT_CONTENT_DISTANCE ||
2162  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2163  data->flags & DETECT_CONTENT_NEGATED ) {
2164  result = 0;
2165  printf("two failed\n");
2166  goto end;
2167  }
2168  result &= (strncmp((char *)data->content, "one", 3) == 0);
2169  if (result == 0)
2170  goto end;
2171 
2172  result &= (sm->next == NULL);
2173 
2174  end:
2175  SigGroupCleanup(de_ctx);
2176  SigCleanSignatures(de_ctx);
2177  DetectEngineCtxFree(de_ctx);
2178 
2179  return result;
2180 }
2181 
2182 /**
2183  * \test Test content for dce sig.
2184  */
2185 static int DcePayloadParseTest36(void)
2186 {
2187  DetectEngineCtx *de_ctx = NULL;
2188  int result = 1;
2189  Signature *s = NULL;
2190  SigMatch *sm = NULL;
2191  DetectContentData *data = NULL;
2192  DetectIsdataatData *isd = NULL;
2193 
2194  de_ctx = DetectEngineCtxInit();
2195  if (de_ctx == NULL)
2196  goto end;
2197 
2198  de_ctx->flags |= DE_QUIET;
2199  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2200  "(msg:\"Testing bytejump_body\"; "
2201  "dce_iface:12345678-1234-1234-1234-123456789012; "
2202  "dce_opnum:10; dce_stub_data; "
2203  "isdataat:10,relative; "
2204  "content:\"one\"; within:4; distance:8; "
2205  "pkt_data; "
2206  "content:\"two\"; "
2207  "sid:1;)");
2208  if (de_ctx->sig_list == NULL) {
2209  result = 0;
2210  goto end;
2211  }
2212 
2213  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2214  result = 0;
2215  goto end;
2216  }
2217  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2218  result = 0;
2219  goto end;
2220  }
2221 
2222  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2223  if (sm->type != DETECT_ISDATAAT) {
2224  result = 0;
2225  goto end;
2226  }
2227  isd = (DetectIsdataatData *)sm->ctx;
2228  if ( isd->flags & ISDATAAT_RAWBYTES ||
2229  !(isd->flags & ISDATAAT_RELATIVE)) {
2230  result = 0;
2231  goto end;
2232  }
2233 
2234  sm = sm->next;
2235  if (sm->type != DETECT_CONTENT) {
2236  result = 0;
2237  goto end;
2238  }
2239  data = (DetectContentData *)sm->ctx;
2240  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2241  data->flags & DETECT_CONTENT_NOCASE ||
2242  !(data->flags & DETECT_CONTENT_WITHIN) ||
2243  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2244  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2245  data->flags & DETECT_CONTENT_NEGATED ) {
2246  result = 0;
2247  printf("two failed\n");
2248  goto end;
2249  }
2250  result &= (strncmp((char *)data->content, "one", 3) == 0);
2251  if (result == 0)
2252  goto end;
2253 
2254  result &= (sm->next == NULL);
2255 
2256  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2257  if (sm->type != DETECT_CONTENT) {
2258  result = 0;
2259  goto end;
2260  }
2261  data = (DetectContentData *)sm->ctx;
2262  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2263  data->flags & DETECT_CONTENT_NOCASE ||
2264  data->flags & DETECT_CONTENT_WITHIN ||
2265  data->flags & DETECT_CONTENT_DISTANCE ||
2266  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2267  data->flags & DETECT_CONTENT_NEGATED ) {
2268  printf("three failed\n");
2269  result = 0;
2270  goto end;
2271  }
2272  result &= (strncmp((char *)data->content, "two", 3) == 0);
2273  if (result == 0)
2274  goto end;
2275 
2276  result &= (sm->next == NULL);
2277 
2278  end:
2279  SigGroupCleanup(de_ctx);
2280  SigCleanSignatures(de_ctx);
2281  DetectEngineCtxFree(de_ctx);
2282 
2283  return result;
2284 }
2285 
2286 /**
2287  * \test Test content for dce sig.
2288  */
2289 static int DcePayloadParseTest37(void)
2290 {
2291  DetectEngineCtx *de_ctx = NULL;
2292  int result = 1;
2293  Signature *s = NULL;
2294  SigMatch *sm = NULL;
2295  DetectContentData *data = NULL;
2296  DetectBytejumpData *bjd = NULL;
2297  DetectBytetestData *btd = NULL;
2298 
2299  de_ctx = DetectEngineCtxInit();
2300  if (de_ctx == NULL)
2301  goto end;
2302 
2303  de_ctx->flags |= DE_QUIET;
2304  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2305  "(msg:\"Testing bytejump_body\"; "
2306  "dce_iface:12345678-1234-1234-1234-123456789012; "
2307  "dce_opnum:10; dce_stub_data; "
2308  "byte_jump:1,2,relative,align,dce; "
2309  "byte_test:1,=,2,0,relative,dce; "
2310  "pkt_data; "
2311  "content:\"one\"; "
2312  "sid:1;)");
2313  if (de_ctx->sig_list == NULL) {
2314  result = 0;
2315  goto end;
2316  }
2317 
2318  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2319  result = 0;
2320  goto end;
2321  }
2322  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2323  result = 0;
2324  goto end;
2325  }
2326 
2327  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2328  if (sm->type != DETECT_BYTEJUMP) {
2329  result = 0;
2330  goto end;
2331  }
2332  bjd = (DetectBytejumpData *)sm->ctx;
2333  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2334  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2335  bjd->flags & DETECT_BYTEJUMP_BIG ||
2336  bjd->flags & DETECT_BYTEJUMP_STRING ||
2337  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2338  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
2339  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
2340  result = 0;
2341  printf("one failed\n");
2342  goto end;
2343  }
2344 
2345  sm = sm->next;
2346  if (sm->type != DETECT_BYTETEST) {
2347  result = 0;
2348  goto end;
2349  }
2350  btd = (DetectBytetestData *)sm->ctx;
2351  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2352  btd->flags & DETECT_BYTETEST_BIG ||
2353  btd->flags & DETECT_BYTETEST_STRING ||
2354  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2355  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2356  result = 0;
2357  printf("one failed\n");
2358  goto end;
2359  }
2360 
2361  result &= (sm->next == NULL);
2362 
2363  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2364  if (sm->type != DETECT_CONTENT) {
2365  result = 0;
2366  goto end;
2367  }
2368  data = (DetectContentData *)sm->ctx;
2369  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2370  data->flags & DETECT_CONTENT_NOCASE ||
2371  data->flags & DETECT_CONTENT_WITHIN ||
2372  data->flags & DETECT_CONTENT_DISTANCE ||
2373  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2374  data->flags & DETECT_CONTENT_NEGATED ) {
2375  printf("three failed\n");
2376  result = 0;
2377  goto end;
2378  }
2379  result &= (strncmp((char *)data->content, "one", 3) == 0);
2380  if (result == 0)
2381  goto end;
2382 
2383  result &= (sm->next == NULL);
2384 
2385  end:
2386  SigGroupCleanup(de_ctx);
2387  SigCleanSignatures(de_ctx);
2388  DetectEngineCtxFree(de_ctx);
2389 
2390  return result;
2391 }
2392 
2393 /**
2394  * \test Test content for dce sig.
2395  */
2396 static int DcePayloadParseTest38(void)
2397 {
2398  DetectEngineCtx *de_ctx = NULL;
2399  int result = 1;
2400  Signature *s = NULL;
2401  SigMatch *sm = NULL;
2402  DetectContentData *data = NULL;
2403  DetectPcreData *pd = NULL;
2404  DetectBytejumpData *bjd = NULL;
2405  DetectBytetestData *btd = NULL;
2406 
2407  de_ctx = DetectEngineCtxInit();
2408  if (de_ctx == NULL)
2409  goto end;
2410 
2411  de_ctx->flags |= DE_QUIET;
2412  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2413  "(msg:\"Testing bytejump_body\"; "
2414  "dce_iface:12345678-1234-1234-1234-123456789012; "
2415  "dce_opnum:10; dce_stub_data; "
2416  "pcre:/boom/R; "
2417  "byte_jump:1,2,relative,align,dce; "
2418  "byte_test:1,=,2,0,relative,dce; "
2419  "pkt_data; "
2420  "content:\"one\"; "
2421  "sid:1;)");
2422  if (de_ctx->sig_list == NULL) {
2423  result = 0;
2424  goto end;
2425  }
2426 
2427  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2428  result = 0;
2429  goto end;
2430  }
2431  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2432  result = 0;
2433  goto end;
2434  }
2435 
2436  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2437  if (sm->type != DETECT_PCRE) {
2438  result = 0;
2439  goto end;
2440  }
2441  pd = (DetectPcreData *)sm->ctx;
2442  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2443  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2444  result = 0;
2445  printf("one failed\n");
2446  goto end;
2447  }
2448 
2449  sm = sm->next;
2450  if (sm->type != DETECT_BYTEJUMP) {
2451  result = 0;
2452  goto end;
2453  }
2454  bjd = (DetectBytejumpData *)sm->ctx;
2455  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2456  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2457  bjd->flags & DETECT_BYTEJUMP_BIG ||
2458  bjd->flags & DETECT_BYTEJUMP_STRING ||
2459  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2460  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
2461  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
2462  result = 0;
2463  printf("one failed\n");
2464  goto end;
2465  }
2466 
2467  sm = sm->next;
2468  if (sm->type != DETECT_BYTETEST) {
2469  result = 0;
2470  goto end;
2471  }
2472  btd = (DetectBytetestData *)sm->ctx;
2473  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2474  btd->flags & DETECT_BYTETEST_BIG ||
2475  btd->flags & DETECT_BYTETEST_STRING ||
2476  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2477  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2478  result = 0;
2479  printf("one failed\n");
2480  goto end;
2481  }
2482 
2483  result &= (sm->next == NULL);
2484 
2485  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2486  if (sm->type != DETECT_CONTENT) {
2487  result = 0;
2488  goto end;
2489  }
2490  data = (DetectContentData *)sm->ctx;
2491  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2492  data->flags & DETECT_CONTENT_NOCASE ||
2493  data->flags & DETECT_CONTENT_WITHIN ||
2494  data->flags & DETECT_CONTENT_DISTANCE ||
2495  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2496  data->flags & DETECT_CONTENT_NEGATED ) {
2497  printf("three failed\n");
2498  result = 0;
2499  goto end;
2500  }
2501  result &= (strncmp((char *)data->content, "one", 3) == 0);
2502  if (result == 0)
2503  goto end;
2504 
2505  result &= (sm->next == NULL);
2506 
2507  end:
2508  SigGroupCleanup(de_ctx);
2509  SigCleanSignatures(de_ctx);
2510  DetectEngineCtxFree(de_ctx);
2511 
2512  return result;
2513 }
2514 
2515 /**
2516  * \test Test content for dce sig.
2517  */
2518 static int DcePayloadParseTest39(void)
2519 {
2520  DetectEngineCtx *de_ctx = NULL;
2521  int result = 1;
2522  Signature *s = NULL;
2523  SigMatch *sm = NULL;
2524  DetectContentData *data = NULL;
2525 
2526  de_ctx = DetectEngineCtxInit();
2527  if (de_ctx == NULL)
2528  goto end;
2529 
2530  de_ctx->flags |= DE_QUIET;
2531  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2532  "(msg:\"Testing bytejump_body\"; "
2533  "content:\"one\"; "
2534  "dce_iface:12345678-1234-1234-1234-123456789012; "
2535  "dce_opnum:10; dce_stub_data; "
2536  "content:\"two\"; within:4; distance:8; "
2537  "sid:1;)");
2538  if (de_ctx->sig_list == NULL) {
2539  result = 0;
2540  goto end;
2541  }
2542 
2543  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2544  result = 0;
2545  goto end;
2546  }
2547  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2548  result = 0;
2549  goto end;
2550  }
2551 
2552  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2553  if (sm->type != DETECT_CONTENT) {
2554  result = 0;
2555  goto end;
2556  }
2557  data = (DetectContentData *)sm->ctx;
2558  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2559  data->flags & DETECT_CONTENT_NOCASE ||
2560  data->flags & DETECT_CONTENT_WITHIN ||
2561  data->flags & DETECT_CONTENT_DISTANCE ||
2562  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2563  data->flags & DETECT_CONTENT_NEGATED ) {
2564  printf("three failed\n");
2565  result = 0;
2566  goto end;
2567  }
2568  result &= (strncmp((char *)data->content, "one", 3) == 0);
2569  if (result == 0)
2570  goto end;
2571 
2572  result &= (sm->next == NULL);
2573 
2574  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2575  data = (DetectContentData *)sm->ctx;
2576  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2577  data->flags & DETECT_CONTENT_NOCASE ||
2578  !(data->flags & DETECT_CONTENT_WITHIN) ||
2579  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2580  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2581  data->flags & DETECT_CONTENT_NEGATED ) {
2582  printf("three failed\n");
2583  result = 0;
2584  goto end;
2585  }
2586  result &= (strncmp((char *)data->content, "two", 3) == 0);
2587  if (result == 0)
2588  goto end;
2589 
2590  result &= (sm->next == NULL);
2591 
2592  end:
2593  SigGroupCleanup(de_ctx);
2594  SigCleanSignatures(de_ctx);
2595  DetectEngineCtxFree(de_ctx);
2596 
2597  return result;
2598 }
2599 
2600 /**
2601  * \test Test content for dce sig.
2602  */
2603 static int DcePayloadParseTest40(void)
2604 {
2605  DetectEngineCtx *de_ctx = NULL;
2606  int result = 1;
2607  Signature *s = NULL;
2608  SigMatch *sm = NULL;
2609  DetectContentData *data = NULL;
2610  DetectBytetestData *btd = NULL;
2611 
2612  de_ctx = DetectEngineCtxInit();
2613  if (de_ctx == NULL)
2614  goto end;
2615 
2616  de_ctx->flags |= DE_QUIET;
2617  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2618  "(msg:\"Testing bytejump_body\"; "
2619  "dce_iface:12345678-1234-1234-1234-123456789012; "
2620  "dce_opnum:10; dce_stub_data; "
2621  "content:\"one\"; within:10; "
2622  "content:\"two\"; distance:20; within:30; "
2623  "byte_test:1,=,2,0,relative,dce; "
2624  "pkt_data; "
2625  "content:\"three\"; "
2626  "sid:1;)");
2627  if (de_ctx->sig_list == NULL) {
2628  result = 0;
2629  goto end;
2630  }
2631 
2632  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2633  result = 0;
2634  goto end;
2635  }
2636  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2637  result = 0;
2638  goto end;
2639  }
2640 
2641  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2642  if (sm->type != DETECT_CONTENT) {
2643  result = 0;
2644  goto end;
2645  }
2646  data = (DetectContentData *)sm->ctx;
2647  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2648  data->flags & DETECT_CONTENT_NOCASE ||
2649  !(data->flags & DETECT_CONTENT_WITHIN) ||
2650  data->flags & DETECT_CONTENT_DISTANCE ||
2651  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2652  data->flags & DETECT_CONTENT_NEGATED ) {
2653  printf("three failed\n");
2654  result = 0;
2655  goto end;
2656  }
2657  result &= (strncmp((char *)data->content, "one", 3) == 0);
2658  if (result == 0)
2659  goto end;
2660 
2661 
2662  sm = sm->next;
2663  if (sm->type != DETECT_CONTENT) {
2664  result = 0;
2665  goto end;
2666  }
2667  data = (DetectContentData *)sm->ctx;
2668  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2669  data->flags & DETECT_CONTENT_NOCASE ||
2670  !(data->flags & DETECT_CONTENT_WITHIN) ||
2671  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2672  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2673  data->flags & DETECT_CONTENT_NEGATED ) {
2674  printf("three failed\n");
2675  result = 0;
2676  goto end;
2677  }
2678  result &= (strncmp((char *)data->content, "two", 3) == 0);
2679  if (result == 0)
2680  goto end;
2681 
2682  sm = sm->next;
2683  if (sm->type != DETECT_BYTETEST) {
2684  result = 0;
2685  goto end;
2686  }
2687  btd = (DetectBytetestData *)sm->ctx;
2688  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2689  btd->flags & DETECT_BYTETEST_BIG ||
2690  btd->flags & DETECT_BYTETEST_STRING ||
2691  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2692  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2693  result = 0;
2694  printf("one failed\n");
2695  goto end;
2696  }
2697 
2698  result &= (sm->next == NULL);
2699 
2700  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2701  if (sm->type != DETECT_CONTENT) {
2702  result = 0;
2703  goto end;
2704  }
2705  data = (DetectContentData *)sm->ctx;
2706  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2707  data->flags & DETECT_CONTENT_NOCASE ||
2708  data->flags & DETECT_CONTENT_WITHIN ||
2709  data->flags & DETECT_CONTENT_DISTANCE ||
2710  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2711  data->flags & DETECT_CONTENT_NEGATED ) {
2712  printf("three failed\n");
2713  result = 0;
2714  goto end;
2715  }
2716  result &= (strncmp((char *)data->content, "three", 5) == 0);
2717  if (result == 0)
2718  goto end;
2719 
2720  result &= (sm->next == NULL);
2721 
2722  end:
2723  SigGroupCleanup(de_ctx);
2724  SigCleanSignatures(de_ctx);
2725  DetectEngineCtxFree(de_ctx);
2726 
2727  return result;
2728 }
2729 
2730 /**
2731  * \test Test content for dce sig.
2732  */
2733 static int DcePayloadParseTest41(void)
2734 {
2735  DetectEngineCtx *de_ctx = NULL;
2736  int result = 1;
2737  Signature *s = NULL;
2738  SigMatch *sm = NULL;
2739  DetectContentData *data = NULL;
2740  DetectBytetestData *btd = NULL;
2741 
2742  de_ctx = DetectEngineCtxInit();
2743  if (de_ctx == NULL)
2744  goto end;
2745 
2746  de_ctx->flags |= DE_QUIET;
2747  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2748  "(msg:\"Testing bytejump_body\"; "
2749  "dce_iface:12345678-1234-1234-1234-123456789012; "
2750  "dce_opnum:10; dce_stub_data; "
2751  "content:\"one\"; within:10; "
2752  "pkt_data; "
2753  "content:\"two\"; "
2754  "byte_test:1,=,2,0,relative,dce; "
2755  "content:\"three\"; "
2756  "sid:1;)");
2757  if (de_ctx->sig_list == NULL) {
2758  result = 0;
2759  goto end;
2760  }
2761 
2762  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2763  result = 0;
2764  goto end;
2765  }
2766  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2767  result = 0;
2768  goto end;
2769  }
2770 
2771  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2772  if (sm->type != DETECT_CONTENT) {
2773  result = 0;
2774  goto end;
2775  }
2776  data = (DetectContentData *)sm->ctx;
2777  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2778  data->flags & DETECT_CONTENT_NOCASE ||
2779  !(data->flags & DETECT_CONTENT_WITHIN) ||
2780  data->flags & DETECT_CONTENT_DISTANCE ||
2781  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2782  data->flags & DETECT_CONTENT_NEGATED ) {
2783  printf("three failed\n");
2784  result = 0;
2785  goto end;
2786  }
2787  result &= (strncmp((char *)data->content, "one", 3) == 0);
2788  if (result == 0)
2789  goto end;
2790 
2791  result &= (sm->next == NULL);
2792 
2793  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2794  if (sm->type != DETECT_CONTENT) {
2795  result = 0;
2796  goto end;
2797  }
2798  data = (DetectContentData *)sm->ctx;
2799  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2800  data->flags & DETECT_CONTENT_NOCASE ||
2801  data->flags & DETECT_CONTENT_WITHIN ||
2802  data->flags & DETECT_CONTENT_DISTANCE ||
2803  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2804  data->flags & DETECT_CONTENT_NEGATED ) {
2805  printf("three failed\n");
2806  result = 0;
2807  goto end;
2808  }
2809  result &= (strncmp((char *)data->content, "two", 3) == 0);
2810  if (result == 0)
2811  goto end;
2812 
2813  sm = sm->next;
2814  if (sm->type != DETECT_BYTETEST) {
2815  result = 0;
2816  goto end;
2817  }
2818  btd = (DetectBytetestData *)sm->ctx;
2819  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2820  btd->flags & DETECT_BYTETEST_BIG ||
2821  btd->flags & DETECT_BYTETEST_STRING ||
2822  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2823  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2824  result = 0;
2825  printf("one failed\n");
2826  goto end;
2827  }
2828 
2829  sm = sm->next;
2830  if (sm->type != DETECT_CONTENT) {
2831  result = 0;
2832  goto end;
2833  }
2834  data = (DetectContentData *)sm->ctx;
2835  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2836  data->flags & DETECT_CONTENT_NOCASE ||
2837  data->flags & DETECT_CONTENT_WITHIN ||
2838  data->flags & DETECT_CONTENT_DISTANCE ||
2839  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2840  data->flags & DETECT_CONTENT_NEGATED ) {
2841  printf("three failed\n");
2842  result = 0;
2843  goto end;
2844  }
2845  result &= (strncmp((char *)data->content, "three", 5) == 0);
2846  if (result == 0)
2847  goto end;
2848 
2849  result &= (sm->next == NULL);
2850 
2851  end:
2852  SigGroupCleanup(de_ctx);
2853  SigCleanSignatures(de_ctx);
2854  DetectEngineCtxFree(de_ctx);
2855 
2856  return result;
2857 }
2858 
2859 /**
2860  * \test Test content for dce sig.
2861  */
2862 static int DcePayloadParseTest44(void)
2863 {
2864  DetectEngineCtx *de_ctx = NULL;
2865  Signature *s = NULL;
2866  SigMatch *sm = NULL;
2867  DetectContentData *data = NULL;
2868  DetectIsdataatData *isd = NULL;
2869 
2870  de_ctx = DetectEngineCtxInit();
2871  FAIL_IF_NULL(de_ctx);
2872  de_ctx->flags |= DE_QUIET;
2873 
2874  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
2875  "content:\"one\"; "
2876  "dce_iface:12345678-1234-1234-1234-123456789012; "
2877  "dce_opnum:10; dce_stub_data; "
2878  "isdataat:10,relative; "
2879  "content:\"one\"; within:4; distance:8; "
2880  "pkt_data; "
2881  "content:\"two\"; "
2882  "sid:1;)");
2883  FAIL_IF_NULL(s);
2884 
2885  FAIL_IF_NULL(s->init_data->smlists_tail[g_dce_stub_data_buffer_id]);
2886  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
2887 
2888  /* isdataat:10,relative; */
2889  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2890  FAIL_IF(sm->type != DETECT_ISDATAAT);
2891  isd = (DetectIsdataatData *)sm->ctx;
2892  FAIL_IF(isd->flags & ISDATAAT_RAWBYTES);
2893  FAIL_IF_NOT(isd->flags & ISDATAAT_RELATIVE);
2894  FAIL_IF_NULL(sm->next);
2895 
2896  sm = sm->next;
2897 
2898  /* content:\"one\"; within:4; distance:8; */
2899  FAIL_IF(sm->type != DETECT_CONTENT);
2900  data = (DetectContentData *)sm->ctx;
2901  FAIL_IF (data->flags & DETECT_CONTENT_RAWBYTES ||
2902  data->flags & DETECT_CONTENT_NOCASE ||
2903  !(data->flags & DETECT_CONTENT_WITHIN) ||
2904  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2905  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2906  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2907  data->flags & DETECT_CONTENT_NEGATED );
2908 
2909  FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
2910  FAIL_IF_NOT(sm->next == NULL);
2911 
2912  /* first content:\"one\"; */
2913  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2914  FAIL_IF(sm->type != DETECT_CONTENT);
2915  data = (DetectContentData *)sm->ctx;
2916  FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES);
2917  FAIL_IF(data->flags & DETECT_CONTENT_NOCASE);
2918  FAIL_IF(data->flags & DETECT_CONTENT_WITHIN);
2919  FAIL_IF(data->flags & DETECT_CONTENT_DISTANCE);
2920  FAIL_IF(data->flags & DETECT_CONTENT_FAST_PATTERN);
2921  FAIL_IF(data->flags & DETECT_CONTENT_RELATIVE_NEXT);
2922  FAIL_IF(data->flags & DETECT_CONTENT_NEGATED );
2923  FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
2924 
2925  FAIL_IF_NULL(sm->next);
2926  sm = sm->next;
2927 
2928  FAIL_IF(sm->type != DETECT_CONTENT);
2929 
2930  data = (DetectContentData *)sm->ctx;
2931  FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES ||
2932  data->flags & DETECT_CONTENT_NOCASE ||
2933  data->flags & DETECT_CONTENT_WITHIN ||
2934  data->flags & DETECT_CONTENT_DISTANCE ||
2935  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2936  data->flags & DETECT_CONTENT_NEGATED );
2937 
2938  FAIL_IF_NOT(strncmp((char *)data->content, "two", 3) == 0);
2939 
2940  FAIL_IF_NOT(sm->next == NULL);
2941 
2942  SigGroupCleanup(de_ctx);
2943  SigCleanSignatures(de_ctx);
2944  DetectEngineCtxFree(de_ctx);
2945 
2946  PASS;
2947 }
2948 
2949 /**
2950  * \test Test content for dce sig.
2951  */
2952 static int DcePayloadParseTest45(void)
2953 {
2954  DetectEngineCtx *de_ctx = NULL;
2955  int result = 1;
2956  Signature *s = NULL;
2957  SigMatch *sm = NULL;
2958  DetectContentData *data = NULL;
2959  DetectBytejumpData *bjd = NULL;
2960 
2961  de_ctx = DetectEngineCtxInit();
2962  if (de_ctx == NULL)
2963  goto end;
2964 
2965  de_ctx->flags |= DE_QUIET;
2966  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2967  "(msg:\"Testing bytejump_body\"; "
2968  "dce_iface:12345678-1234-1234-1234-123456789012; "
2969  "content:\"one\"; "
2970  "dce_opnum:10; dce_stub_data; "
2971  "byte_jump:1,2,relative,align,dce; "
2972  "pkt_data; "
2973  "content:\"two\"; "
2974  "sid:1;)");
2975  if (de_ctx->sig_list == NULL) {
2976  result = 0;
2977  goto end;
2978  }
2979 
2980  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2981  result = 0;
2982  goto end;
2983  }
2984  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2985  result = 0;
2986  goto end;
2987  }
2988 
2989  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2990  if (sm->type != DETECT_BYTEJUMP) {
2991  result = 0;
2992  goto end;
2993  }
2994  bjd = (DetectBytejumpData *)sm->ctx;
2995  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2996  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2997  bjd->flags & DETECT_BYTEJUMP_BIG ||
2998  bjd->flags & DETECT_BYTEJUMP_STRING ||
2999  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
3000  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
3001  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
3002  result = 0;
3003  printf("one failed\n");
3004  goto end;
3005  }
3006 
3007  result &= (sm->next == NULL);
3008 
3009  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3010  if (sm->type != DETECT_CONTENT) {
3011  result = 0;
3012  goto end;
3013  }
3014  data = (DetectContentData *)sm->ctx;
3015  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3016  data->flags & DETECT_CONTENT_NOCASE ||
3017  data->flags & DETECT_CONTENT_WITHIN ||
3018  data->flags & DETECT_CONTENT_DISTANCE ||
3019  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3020  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3021  data->flags & DETECT_CONTENT_NEGATED ) {
3022  printf("one failed\n");
3023  result = 0;
3024  goto end;
3025  }
3026  result &= (strncmp((char *)data->content, "one", 3) == 0);
3027  if (result == 0)
3028  goto end;
3029 
3030  sm = sm->next;
3031  if (sm->type != DETECT_CONTENT) {
3032  result = 0;
3033  goto end;
3034  }
3035  data = (DetectContentData *)sm->ctx;
3036  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3037  data->flags & DETECT_CONTENT_NOCASE ||
3038  data->flags & DETECT_CONTENT_WITHIN ||
3039  data->flags & DETECT_CONTENT_DISTANCE ||
3040  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3041  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3042  data->flags & DETECT_CONTENT_NEGATED ) {
3043  printf("two failed\n");
3044  result = 0;
3045  goto end;
3046  }
3047  result &= (strncmp((char *)data->content, "two", 3) == 0);
3048  if (result == 0)
3049  goto end;
3050 
3051  result &= (sm->next == NULL);
3052 
3053  end:
3054  SigGroupCleanup(de_ctx);
3055  SigCleanSignatures(de_ctx);
3056  DetectEngineCtxFree(de_ctx);
3057 
3058  return result;
3059 }
3060 
3061 /**
3062  * \test Test content for dce sig.
3063  */
3064 static int DcePayloadParseTest46(void)
3065 {
3066  DetectEngineCtx *de_ctx = NULL;
3067  int result = 1;
3068  Signature *s = NULL;
3069  SigMatch *sm = NULL;
3070  DetectContentData *data = NULL;
3071  DetectBytetestData *btd = NULL;
3072 
3073  de_ctx = DetectEngineCtxInit();
3074  if (de_ctx == NULL)
3075  goto end;
3076 
3077  de_ctx->flags |= DE_QUIET;
3078  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3079  "(msg:\"Testing bytejump_body\"; "
3080  "dce_iface:12345678-1234-1234-1234-123456789012; "
3081  "content:\"one\"; "
3082  "dce_opnum:10; dce_stub_data; "
3083  "byte_test:1,=,2,0,relative,dce; "
3084  "pkt_data; "
3085  "content:\"two\"; "
3086  "sid:1;)");
3087  if (de_ctx->sig_list == NULL) {
3088  result = 0;
3089  goto end;
3090  }
3091 
3092  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
3093  result = 0;
3094  goto end;
3095  }
3096  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3097  result = 0;
3098  goto end;
3099  }
3100 
3101  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
3102  if (sm->type != DETECT_BYTETEST) {
3103  result = 0;
3104  goto end;
3105  }
3106  btd = (DetectBytetestData *)sm->ctx;
3107  if (btd->flags & DETECT_BYTETEST_LITTLE ||
3108  btd->flags & DETECT_BYTETEST_BIG ||
3109  btd->flags & DETECT_BYTETEST_STRING ||
3110  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
3111  !(btd->flags & DETECT_BYTETEST_DCE) ) {
3112  result = 0;
3113  printf("one failed\n");
3114  goto end;
3115  }
3116 
3117  result &= (sm->next == NULL);
3118 
3119  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3120  if (sm->type != DETECT_CONTENT) {
3121  result = 0;
3122  goto end;
3123  }
3124  data = (DetectContentData *)sm->ctx;
3125  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3126  data->flags & DETECT_CONTENT_NOCASE ||
3127  data->flags & DETECT_CONTENT_WITHIN ||
3128  data->flags & DETECT_CONTENT_DISTANCE ||
3129  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3130  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3131  data->flags & DETECT_CONTENT_NEGATED ) {
3132  printf("one failed\n");
3133  result = 0;
3134  goto end;
3135  }
3136  result &= (strncmp((char *)data->content, "one", 3) == 0);
3137  if (result == 0)
3138  goto end;
3139 
3140  sm = sm->next;
3141  if (sm->type != DETECT_CONTENT) {
3142  result = 0;
3143  goto end;
3144  }
3145  data = (DetectContentData *)sm->ctx;
3146  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3147  data->flags & DETECT_CONTENT_NOCASE ||
3148  data->flags & DETECT_CONTENT_WITHIN ||
3149  data->flags & DETECT_CONTENT_DISTANCE ||
3150  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3151  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3152  data->flags & DETECT_CONTENT_NEGATED ) {
3153  printf("two failed\n");
3154  result = 0;
3155  goto end;
3156  }
3157  result &= (strncmp((char *)data->content, "two", 3) == 0);
3158  if (result == 0)
3159  goto end;
3160 
3161  result &= (sm->next == NULL);
3162 
3163  end:
3164  SigGroupCleanup(de_ctx);
3165  SigCleanSignatures(de_ctx);
3166  DetectEngineCtxFree(de_ctx);
3167 
3168  return result;
3169 }
3170 
3171 #endif /* UNITTESTS */
3172 
3173 void DcePayloadRegisterTests(void)
3174 {
3175  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
3176 
3177 #ifdef UNITTESTS
3178  UtRegisterTest("DcePayloadTest15", DcePayloadTest15);
3179  UtRegisterTest("DcePayloadTest16", DcePayloadTest16);
3180  UtRegisterTest("DcePayloadTest17", DcePayloadTest17);
3181  UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
3182  UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
3183  UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
3184 
3185  UtRegisterTest("DcePayloadParseTest25", DcePayloadParseTest25);
3186  UtRegisterTest("DcePayloadParseTest26", DcePayloadParseTest26);
3187  UtRegisterTest("DcePayloadParseTest27", DcePayloadParseTest27);
3188  UtRegisterTest("DcePayloadParseTest28", DcePayloadParseTest28);
3189  UtRegisterTest("DcePayloadParseTest29", DcePayloadParseTest29);
3190  UtRegisterTest("DcePayloadParseTest30", DcePayloadParseTest30);
3191  UtRegisterTest("DcePayloadParseTest31", DcePayloadParseTest31);
3192  UtRegisterTest("DcePayloadParseTest32", DcePayloadParseTest32);
3193  UtRegisterTest("DcePayloadParseTest33", DcePayloadParseTest33);
3194  UtRegisterTest("DcePayloadParseTest34", DcePayloadParseTest34);
3195  UtRegisterTest("DcePayloadParseTest35", DcePayloadParseTest35);
3196  UtRegisterTest("DcePayloadParseTest36", DcePayloadParseTest36);
3197  UtRegisterTest("DcePayloadParseTest37", DcePayloadParseTest37);
3198  UtRegisterTest("DcePayloadParseTest38", DcePayloadParseTest38);
3199  UtRegisterTest("DcePayloadParseTest39", DcePayloadParseTest39);
3200  UtRegisterTest("DcePayloadParseTest40", DcePayloadParseTest40);
3201  UtRegisterTest("DcePayloadParseTest41", DcePayloadParseTest41);
3202 
3203  UtRegisterTest("DcePayloadParseTest44", DcePayloadParseTest44);
3204  UtRegisterTest("DcePayloadParseTest45", DcePayloadParseTest45);
3205  UtRegisterTest("DcePayloadParseTest46", DcePayloadParseTest46);
3206 #endif /* UNITTESTS */
3207 
3208  return;
3209 }
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:81
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1176
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:74
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DETECT_BYTEJUMP_LITTLE
#define DETECT_BYTEJUMP_LITTLE
Definition: detect-bytejump.h:35
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:60
detect-isdataat.h
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
Flow_::proto
uint8_t proto
Definition: flow.h:375
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:468
DcePayloadRegisterTests
void DcePayloadRegisterTests(void)
Definition: detect-engine-dcepayload.c:3173
Flow_
Flow data structure.
Definition: flow.h:353
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2117
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DETECT_BYTETEST_DCE
#define DETECT_BYTETEST_DCE
Definition: detect-bytetest.h:47
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2446
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:328
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:288
DETECT_BYTEJUMP_DCE
#define DETECT_BYTEJUMP_DCE
Definition: detect-bytejump.h:40
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:338
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1786
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:47
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:45
DetectBytetestData_
Definition: detect-bytetest.h:52
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:464
DETECT_BYTEJUMP_BIG
#define DETECT_BYTEJUMP_BIG
Definition: detect-bytejump.h:36
Flow_::protoctx
void * protoctx
Definition: flow.h:451
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:96
DetectBytejumpData_
Definition: detect-bytejump.h:44
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1087
Signature_::next
struct Signature_ * next
Definition: detect.h:614
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:536
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:360
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
DETECT_BYTETEST_RELATIVE
#define DETECT_BYTETEST_RELATIVE
Definition: detect-bytetest.h:46
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_PCRE_RAWBYTES
#define DETECT_PCRE_RAWBYTES
Definition: detect-pcre.h:30
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1034
DETECT_BYTEJUMP_ALIGN
#define DETECT_BYTEJUMP_ALIGN
Definition: detect-bytejump.h:39
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:21
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:56
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:318
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:317
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2025
Packet_
Definition: decode.h:433
DETECT_BYTETEST_BIG
#define DETECT_BYTETEST_BIG
Definition: detect-bytetest.h:44
detect-engine-build.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:611
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:534
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:62
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1957
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:307
detect-engine-content-inspection.h
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:73
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2422
Packet_::flow
struct Flow_ * flow
Definition: decode.h:470
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3155
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:667
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1245
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3369
SigMatch_::type
uint16_t type
Definition: detect.h:315
detect-byte-extract.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:31
Flow_::flags
uint32_t flags
Definition: flow.h:431
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
SigMatch_
a single match condition for a signature
Definition: detect.h:314
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:80
DETECT_BYTETEST_STRING
#define DETECT_BYTETEST_STRING
Definition: detect-bytetest.h:45
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2407
suricata.h
DetectPcreData_
Definition: detect-pcre.h:42
DETECT_BYTEJUMP_STRING
#define DETECT_BYTEJUMP_STRING
Definition: detect-bytejump.h:37
DETECT_BYTEJUMP_BEGIN
#define DETECT_BYTEJUMP_BEGIN
Definition: detect-bytejump.h:34
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:87
DETECT_PCRE_RELATIVE
#define DETECT_PCRE_RELATIVE
Definition: detect-pcre.h:29
TcpSession_
Definition: stream-tcp-private.h:271
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
detect-engine-dcepayload.h
DETECT_BYTETEST_LITTLE
#define DETECT_BYTETEST_LITTLE
Definition: detect-bytetest.h:43
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
DETECT_BYTEJUMP_RELATIVE
#define DETECT_BYTEJUMP_RELATIVE
Definition: detect-bytejump.h:38
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1173
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:47
app-layer.h
detect-bytetest.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:469