suricata
detect-engine-dcepayload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-engine.h"
31 #include "detect-parse.h"
32 #include "detect-pcre.h"
33 #include "detect-isdataat.h"
34 #include "detect-bytetest.h"
35 #include "detect-bytejump.h"
36 #include "detect-byte-extract.h"
37 #include "detect-content.h"
38 #include "detect-engine-content-inspection.h"
39 #include "detect-engine-dcepayload.h"
40 
41 #include "stream-tcp.h"
42 
43 #include "app-layer.h"
44 #include "flow-util.h"
45 #include "util-debug.h"
46 
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 
50 #include "detect-dce-iface.h"
51 
52 static int g_dce_stub_data_buffer_id = 0;
53 
54 
55 /**************************************Unittests*******************************/
56 
57 #ifdef UNITTESTS
58 
59 /**
60  * \test Test the working of byte_test endianness.
61  */
62 static int DcePayloadTest15(void)
63 {
64  int result = 0;
65 
66  uint8_t request1[] = {
67  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
68  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
69  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
70  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
71  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
72  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
73  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
74  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
75  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
76  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
77  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
78  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
79  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
80  };
81  uint32_t request1_len = sizeof(request1);
82 
83  TcpSession ssn;
84  Packet *p = NULL;
85  ThreadVars tv;
86  DetectEngineCtx *de_ctx = NULL;
87  DetectEngineThreadCtx *det_ctx = NULL;
88  Flow f;
89  int r;
90 
91  const char *sig1 = "alert tcp any any -> any any "
92  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
93  "byte_test:2,=,14080,0,relative,dce; sid:1;)";
94  const char *sig2 = "alert tcp any any -> any any "
95  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
96  "byte_test:2,=,46,5,relative,dce; sid:2;)";
97 
98  Signature *s;
99  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
100 
101  memset(&tv, 0, sizeof(ThreadVars));
102  memset(&f, 0, sizeof(Flow));
103  memset(&ssn, 0, sizeof(TcpSession));
104 
105  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
106  p->flow = &f;
107  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
108  p->flowflags |= FLOW_PKT_TOSERVER;
109  p->flowflags |= FLOW_PKT_ESTABLISHED;
110 
111  FLOW_INITIALIZE(&f);
112  f.protoctx = (void *)&ssn;
113  f.proto = IPPROTO_TCP;
114  f.flags |= FLOW_IPV4;
115  f.alproto = ALPROTO_DCERPC;
116 
117  StreamTcpInitConfig(true);
118 
119  de_ctx = DetectEngineCtxInit();
120  if (de_ctx == NULL)
121  goto end;
122  de_ctx->flags |= DE_QUIET;
123 
124  de_ctx->sig_list = SigInit(de_ctx, sig1);
125  s = de_ctx->sig_list;
126  if (s == NULL)
127  goto end;
128  s->next = SigInit(de_ctx, sig2);
129  if (s->next == NULL)
130  goto end;
131 
132  SigGroupBuild(de_ctx);
133  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
134 
135  /* request 1 */
136  FLOWLOCK_WRLOCK(&f);
137  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
138  STREAM_TOSERVER, request1, request1_len);
139  if (r != 0) {
140  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
141  result = 0;
142  FLOWLOCK_UNLOCK(&f);
143  goto end;
144  }
145  FLOWLOCK_UNLOCK(&f);
146  /* detection phase */
147  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
148  if (!(PacketAlertCheck(p, 1))) {
149  printf("sid 1 didn't match but should have for packet: ");
150  goto end;
151  }
152  if (!(PacketAlertCheck(p, 2))) {
153  printf("sid 2 didn't match but should have for packet: ");
154  goto end;
155  }
156 
157  result = 1;
158 
159 end:
160  if (alp_tctx != NULL)
161  AppLayerParserThreadCtxFree(alp_tctx);
162  if (de_ctx != NULL) {
163  SigGroupCleanup(de_ctx);
164  SigCleanSignatures(de_ctx);
165 
166  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
167  DetectEngineCtxFree(de_ctx);
168  }
169 
170  StreamTcpFreeConfig(true);
171 
172  UTHFreePackets(&p, 1);
173  return result;
174 }
175 
176 /**
177  * \test Test the working of byte_test endianness.
178  */
179 static int DcePayloadTest16(void)
180 {
181  int result = 0;
182 
183  uint8_t request1[] = {
184  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
185  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
186  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
187  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
188  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
189  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
190  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
191  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
192  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
193  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
194  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
195  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
196  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
197  };
198  uint32_t request1_len = sizeof(request1);
199 
200  TcpSession ssn;
201  Packet *p = NULL;
202  ThreadVars tv;
203  DetectEngineCtx *de_ctx = NULL;
204  DetectEngineThreadCtx *det_ctx = NULL;
205  Flow f;
206  int r;
207 
208  const char *sig1 = "alert tcp any any -> any any "
209  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
210  "byte_test:2,=,55,0,relative; sid:1;)";
211  const char *sig2 = "alert tcp any any -> any any "
212  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
213  "byte_test:2,=,11776,5,relative; sid:2;)";
214 
215  Signature *s;
216  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
217 
218  memset(&tv, 0, sizeof(ThreadVars));
219  memset(&f, 0, sizeof(Flow));
220  memset(&ssn, 0, sizeof(TcpSession));
221 
222  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
223  p->flow = &f;
224  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
225  p->flowflags |= FLOW_PKT_TOSERVER;
226  p->flowflags |= FLOW_PKT_ESTABLISHED;
227 
228  FLOW_INITIALIZE(&f);
229  f.protoctx = (void *)&ssn;
230  f.proto = IPPROTO_TCP;
231  f.flags |= FLOW_IPV4;
232  f.alproto = ALPROTO_DCERPC;
233 
234  StreamTcpInitConfig(true);
235 
236  de_ctx = DetectEngineCtxInit();
237  if (de_ctx == NULL)
238  goto end;
239  de_ctx->flags |= DE_QUIET;
240 
241  de_ctx->sig_list = SigInit(de_ctx, sig1);
242  s = de_ctx->sig_list;
243  if (s == NULL)
244  goto end;
245  s->next = SigInit(de_ctx, sig2);
246  if (s->next == NULL)
247  goto end;
248 
249  SigGroupBuild(de_ctx);
250  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
251 
252  /* request 1 */
253  FLOWLOCK_WRLOCK(&f);
254  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
255  STREAM_TOSERVER, request1, request1_len);
256  if (r != 0) {
257  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
258  result = 0;
259  FLOWLOCK_UNLOCK(&f);
260  goto end;
261  }
262  FLOWLOCK_UNLOCK(&f);
263  /* detection phase */
264  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
265  if (!(PacketAlertCheck(p, 1))) {
266  printf("sid 1 didn't match but should have for packet: ");
267  goto end;
268  }
269  if (!(PacketAlertCheck(p, 2))) {
270  printf("sid 2 didn't match but should have for packet: ");
271  goto end;
272  }
273 
274  result = 1;
275 
276 end:
277  if (alp_tctx != NULL)
278  AppLayerParserThreadCtxFree(alp_tctx);
279  if (de_ctx != NULL) {
280  SigGroupCleanup(de_ctx);
281  SigCleanSignatures(de_ctx);
282 
283  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
284  DetectEngineCtxFree(de_ctx);
285  }
286 
287  StreamTcpFreeConfig(true);
288 
289  UTHFreePackets(&p, 1);
290  return result;
291 }
292 
293 /**
294  * \test Test the working of byte_test endianness.
295  */
296 static int DcePayloadTest17(void)
297 {
298  int result = 0;
299 
300  uint8_t request1[] = {
301  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
302  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
303  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
304  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
305  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
306  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
307  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
308  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
309  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
310  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
311  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
312  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
313  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
314  };
315  uint32_t request1_len = sizeof(request1);
316 
317  TcpSession ssn;
318  Packet *p = NULL;
319  ThreadVars tv;
320  DetectEngineCtx *de_ctx = NULL;
321  DetectEngineThreadCtx *det_ctx = NULL;
322  Flow f;
323  int r;
324 
325  const char *sig1 = "alert tcp any any -> any any "
326  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
327  "byte_test:2,=,55,0,relative,big; sid:1;)";
328  const char *sig2 = "alert tcp any any -> any any "
329  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
330  "byte_test:2,=,46,5,relative,little; sid:2;)";
331 
332  Signature *s;
333  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
334 
335  memset(&tv, 0, sizeof(ThreadVars));
336  memset(&f, 0, sizeof(Flow));
337  memset(&ssn, 0, sizeof(TcpSession));
338 
339  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
340  p->flow = &f;
341  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
342  p->flowflags |= FLOW_PKT_TOSERVER;
343  p->flowflags |= FLOW_PKT_ESTABLISHED;
344 
345  FLOW_INITIALIZE(&f);
346  f.protoctx = (void *)&ssn;
347  f.proto = IPPROTO_TCP;
348  f.flags |= FLOW_IPV4;
349  f.alproto = ALPROTO_DCERPC;
350 
351  StreamTcpInitConfig(true);
352 
353  de_ctx = DetectEngineCtxInit();
354  if (de_ctx == NULL)
355  goto end;
356  de_ctx->flags |= DE_QUIET;
357 
358  de_ctx->sig_list = SigInit(de_ctx, sig1);
359  s = de_ctx->sig_list;
360  if (s == NULL)
361  goto end;
362  s->next = SigInit(de_ctx, sig2);
363  if (s->next == NULL)
364  goto end;
365 
366  SigGroupBuild(de_ctx);
367  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
368 
369  /* request 1 */
370  FLOWLOCK_WRLOCK(&f);
371  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
372  STREAM_TOSERVER, request1, request1_len);
373  if (r != 0) {
374  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
375  result = 0;
376  FLOWLOCK_UNLOCK(&f);
377  goto end;
378  }
379  FLOWLOCK_UNLOCK(&f);
380  /* detection phase */
381  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
382  if (!(PacketAlertCheck(p, 1))) {
383  printf("sid 1 didn't match but should have for packet: ");
384  goto end;
385  }
386  if (!(PacketAlertCheck(p, 2))) {
387  printf("sid 2 didn't match but should have for packet: ");
388  goto end;
389  }
390 
391  result = 1;
392 
393 end:
394  if (alp_tctx != NULL)
395  AppLayerParserThreadCtxFree(alp_tctx);
396  if (de_ctx != NULL) {
397  SigGroupCleanup(de_ctx);
398  SigCleanSignatures(de_ctx);
399 
400  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
401  DetectEngineCtxFree(de_ctx);
402  }
403 
404  StreamTcpFreeConfig(true);
405 
406  UTHFreePackets(&p, 1);
407  return result;
408 }
409 
410 /**
411  * \test Test the working of byte_jump endianness.
412  */
413 static int DcePayloadTest18(void)
414 {
415  int result = 0;
416 
417  uint8_t request1[] = {
418  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
419  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
420  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
421  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
422  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
423  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x03, 0x00, 0x03,
424  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
425  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
426  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
427  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
428  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
429  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
430  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
431  };
432  uint32_t request1_len = sizeof(request1);
433 
434  TcpSession ssn;
435  Packet *p = NULL;
436  ThreadVars tv;
437  DetectEngineCtx *de_ctx = NULL;
438  DetectEngineThreadCtx *det_ctx = NULL;
439  Flow f;
440  int r;
441 
442  const char *sig1 = "alert tcp any any -> any any "
443  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
444  "byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
445  const char *sig2 = "alert tcp any any -> any any "
446  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
447  "byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
448 
449  Signature *s;
450  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
451 
452  memset(&tv, 0, sizeof(ThreadVars));
453  memset(&f, 0, sizeof(Flow));
454  memset(&ssn, 0, sizeof(TcpSession));
455 
456  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
457  p->flow = &f;
458  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
459  p->flowflags |= FLOW_PKT_TOSERVER;
460  p->flowflags |= FLOW_PKT_ESTABLISHED;
461 
462  FLOW_INITIALIZE(&f);
463  f.protoctx = (void *)&ssn;
464  f.proto = IPPROTO_TCP;
465  f.flags |= FLOW_IPV4;
466  f.alproto = ALPROTO_DCERPC;
467 
468  StreamTcpInitConfig(true);
469 
470  de_ctx = DetectEngineCtxInit();
471  if (de_ctx == NULL)
472  goto end;
473  de_ctx->flags |= DE_QUIET;
474 
475  de_ctx->sig_list = SigInit(de_ctx, sig1);
476  s = de_ctx->sig_list;
477  if (s == NULL)
478  goto end;
479  s->next = SigInit(de_ctx, sig2);
480  if (s->next == NULL)
481  goto end;
482 
483  SigGroupBuild(de_ctx);
484  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
485 
486  /* request 1 */
487  FLOWLOCK_WRLOCK(&f);
488  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
489  STREAM_TOSERVER, request1, request1_len);
490  if (r != 0) {
491  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
492  result = 0;
493  FLOWLOCK_UNLOCK(&f);
494  goto end;
495  }
496  FLOWLOCK_UNLOCK(&f);
497  /* detection phase */
498  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
499  if (!(PacketAlertCheck(p, 1))) {
500  printf("sid 1 didn't match but should have for packet: ");
501  goto end;
502  }
503  if (!(PacketAlertCheck(p, 2))) {
504  printf("sid 2 didn't match but should have for packet: ");
505  goto end;
506  }
507 
508  result = 1;
509 
510 end:
511  if (alp_tctx != NULL)
512  AppLayerParserThreadCtxFree(alp_tctx);
513  if (de_ctx != NULL) {
514  SigGroupCleanup(de_ctx);
515  SigCleanSignatures(de_ctx);
516 
517  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
518  DetectEngineCtxFree(de_ctx);
519  }
520 
521  StreamTcpFreeConfig(true);
522 
523  UTHFreePackets(&p, 1);
524  return result;
525 }
526 
527 /**
528  * \test Test the working of byte_jump endianness.
529  */
530 static int DcePayloadTest19(void)
531 {
532  int result = 0;
533 
534  uint8_t request1[] = {
535  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
536  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
537  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
538  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
539  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
540  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x00,
541  0x03, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
542  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
543  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
544  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
545  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
546  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
547  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
548  };
549  uint32_t request1_len = sizeof(request1);
550 
551  TcpSession ssn;
552  Packet *p = NULL;
553  ThreadVars tv;
554  DetectEngineCtx *de_ctx = NULL;
555  DetectEngineThreadCtx *det_ctx = NULL;
556  Flow f;
557  int r;
558 
559  const char *sig1 = "alert tcp any any -> any any "
560  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
561  "byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
562  const char *sig2 = "alert tcp any any -> any any "
563  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
564  "byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
565 
566  Signature *s;
567  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
568 
569  memset(&tv, 0, sizeof(ThreadVars));
570  memset(&f, 0, sizeof(Flow));
571  memset(&ssn, 0, sizeof(TcpSession));
572 
573  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
574  p->flow = &f;
575  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
576  p->flowflags |= FLOW_PKT_TOSERVER;
577  p->flowflags |= FLOW_PKT_ESTABLISHED;
578 
579  FLOW_INITIALIZE(&f);
580  f.protoctx = (void *)&ssn;
581  f.proto = IPPROTO_TCP;
582  f.flags |= FLOW_IPV4;
583  f.alproto = ALPROTO_DCERPC;
584 
585  StreamTcpInitConfig(true);
586 
587  de_ctx = DetectEngineCtxInit();
588  if (de_ctx == NULL)
589  goto end;
590  de_ctx->flags |= DE_QUIET;
591 
592  de_ctx->sig_list = SigInit(de_ctx, sig1);
593  s = de_ctx->sig_list;
594  if (s == NULL)
595  goto end;
596  s->next = SigInit(de_ctx, sig2);
597  if (s->next == NULL)
598  goto end;
599 
600  SigGroupBuild(de_ctx);
601  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
602 
603  /* request 1 */
604  FLOWLOCK_WRLOCK(&f);
605  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
606  STREAM_TOSERVER, request1, request1_len);
607  if (r != 0) {
608  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
609  result = 0;
610  FLOWLOCK_UNLOCK(&f);
611  goto end;
612  }
613  FLOWLOCK_UNLOCK(&f);
614  /* detection phase */
615  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
616  if (!(PacketAlertCheck(p, 1))) {
617  printf("sid 1 didn't match but should have for packet: ");
618  goto end;
619  }
620  if (!(PacketAlertCheck(p, 2))) {
621  printf("sid 2 didn't match but should have for packet: ");
622  goto end;
623  }
624 
625  result = 1;
626 
627 end:
628  if (alp_tctx != NULL)
629  AppLayerParserThreadCtxFree(alp_tctx);
630  if (de_ctx != NULL) {
631  SigGroupCleanup(de_ctx);
632  SigCleanSignatures(de_ctx);
633 
634  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
635  DetectEngineCtxFree(de_ctx);
636  }
637 
638  StreamTcpFreeConfig(true);
639 
640  UTHFreePackets(&p, 1);
641  return result;
642 }
643 
644 /**
645  * \test Test the working of byte_jump endianness.
646  */
647 static int DcePayloadTest20(void)
648 {
649  int result = 0;
650 
651  uint8_t request1[] = {
652  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
653  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
654  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
655  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
656  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
657  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x03,
658  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
659  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
660  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
661  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
662  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
663  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
664  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
665  };
666  uint32_t request1_len = sizeof(request1);
667 
668  TcpSession ssn;
669  Packet *p = NULL;
670  ThreadVars tv;
671  DetectEngineCtx *de_ctx = NULL;
672  DetectEngineThreadCtx *det_ctx = NULL;
673  Flow f;
674  int r;
675 
676  const char *sig1 = "alert tcp any any -> any any "
677  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
678  "byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
679  const char *sig2 = "alert tcp any any -> any any "
680  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
681  "byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
682 
683  Signature *s;
684  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
685 
686  memset(&tv, 0, sizeof(ThreadVars));
687  memset(&f, 0, sizeof(Flow));
688  memset(&ssn, 0, sizeof(TcpSession));
689 
690  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
691  p->flow = &f;
692  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
693  p->flowflags |= FLOW_PKT_TOSERVER;
694  p->flowflags |= FLOW_PKT_ESTABLISHED;
695 
696  FLOW_INITIALIZE(&f);
697  f.protoctx = (void *)&ssn;
698  f.proto = IPPROTO_TCP;
699  f.flags |= FLOW_IPV4;
700  f.alproto = ALPROTO_DCERPC;
701 
702  StreamTcpInitConfig(true);
703 
704  de_ctx = DetectEngineCtxInit();
705  if (de_ctx == NULL)
706  goto end;
707  de_ctx->flags |= DE_QUIET;
708 
709  de_ctx->sig_list = SigInit(de_ctx, sig1);
710  s = de_ctx->sig_list;
711  if (s == NULL)
712  goto end;
713  s->next = SigInit(de_ctx, sig2);
714  if (s->next == NULL)
715  goto end;
716 
717  SigGroupBuild(de_ctx);
718  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
719 
720  /* request 1 */
721  FLOWLOCK_WRLOCK(&f);
722  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
723  STREAM_TOSERVER, request1, request1_len);
724  if (r != 0) {
725  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
726  result = 0;
727  FLOWLOCK_UNLOCK(&f);
728  goto end;
729  }
730  FLOWLOCK_UNLOCK(&f);
731  /* detection phase */
732  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
733  if (!(PacketAlertCheck(p, 1))) {
734  printf("sid 1 didn't match but should have for packet: ");
735  goto end;
736  }
737  if (!(PacketAlertCheck(p, 2))) {
738  printf("sid 2 didn't match but should have for packet: ");
739  goto end;
740  }
741 
742  result = 1;
743 
744 end:
745  if (alp_tctx != NULL)
746  AppLayerParserThreadCtxFree(alp_tctx);
747  if (de_ctx != NULL) {
748  SigGroupCleanup(de_ctx);
749  SigCleanSignatures(de_ctx);
750 
751  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
752  DetectEngineCtxFree(de_ctx);
753  }
754 
755  StreamTcpFreeConfig(true);
756 
757  UTHFreePackets(&p, 1);
758  return result;
759 }
760 
761 /**
762  * \test Test content for dce sig.
763  */
764 static int DcePayloadParseTest25(void)
765 {
766  DetectEngineCtx *de_ctx = NULL;
767  int result = 1;
768  Signature *s = NULL;
769  SigMatch *sm = NULL;
770  DetectContentData *data = NULL;
771 
772  de_ctx = DetectEngineCtxInit();
773  if (de_ctx == NULL)
774  goto end;
775 
776  de_ctx->flags |= DE_QUIET;
777  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
778  "(msg:\"Testing bytejump_body\"; "
779  "content:\"one\"; content:\"two\"; "
780  "content:\"three\"; within:10; "
781  "content:\"four\"; distance:4; "
782  "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
783  "sid:1;)");
784  if (de_ctx->sig_list == NULL) {
785  result = 0;
786  goto end;
787  }
788 
789  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
790  result = 0;
791  goto end;
792  }
793  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
794  result = 0;
795  goto end;
796  }
797 
798  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
799  if (sm->type != DETECT_CONTENT) {
800  result = 0;
801  goto end;
802  }
803  data = (DetectContentData *)sm->ctx;
804  if (data->flags & DETECT_CONTENT_RAWBYTES ||
805  data->flags & DETECT_CONTENT_NOCASE ||
806  data->flags & DETECT_CONTENT_WITHIN ||
807  data->flags & DETECT_CONTENT_DISTANCE ||
808  data->flags & DETECT_CONTENT_FAST_PATTERN ||
809  data->flags & DETECT_CONTENT_NEGATED ) {
810  result = 0;
811  goto end;
812  }
813  result &= (strncmp((char *)data->content, "one", 3) == 0);
814  if (result == 0)
815  goto end;
816 
817  sm = sm->next;
818  if (sm->type != DETECT_CONTENT) {
819  result = 0;
820  goto end;
821  }
822  data = (DetectContentData *)sm->ctx;
823  if (data->flags & DETECT_CONTENT_RAWBYTES ||
824  data->flags & DETECT_CONTENT_NOCASE ||
825  data->flags & DETECT_CONTENT_WITHIN ||
826  data->flags & DETECT_CONTENT_DISTANCE ||
827  data->flags & DETECT_CONTENT_FAST_PATTERN ||
828  data->flags & DETECT_CONTENT_NEGATED ) {
829  result = 0;
830  goto end;
831  }
832  result &= (strncmp((char *)data->content, "two", 3) == 0);
833  if (result == 0)
834  goto end;
835 
836  sm = sm->next;
837  if (sm->type != DETECT_CONTENT) {
838  result = 0;
839  goto end;
840  }
841  data = (DetectContentData *)sm->ctx;
842  if (data->flags & DETECT_CONTENT_RAWBYTES ||
843  data->flags & DETECT_CONTENT_NOCASE ||
844  !(data->flags & DETECT_CONTENT_WITHIN) ||
845  data->flags & DETECT_CONTENT_DISTANCE ||
846  data->flags & DETECT_CONTENT_FAST_PATTERN ||
847  data->flags & DETECT_CONTENT_NEGATED ) {
848  result = 0;
849  goto end;
850  }
851  result &= (strncmp((char *)data->content, "three", 5) == 0);
852  if (result == 0)
853  goto end;
854 
855  sm = sm->next;
856  if (sm->type != DETECT_CONTENT) {
857  result = 0;
858  goto end;
859  }
860  data = (DetectContentData *)sm->ctx;
861  if (data->flags & DETECT_CONTENT_RAWBYTES ||
862  data->flags & DETECT_CONTENT_NOCASE ||
863  data->flags & DETECT_CONTENT_WITHIN ||
864  !(data->flags & DETECT_CONTENT_DISTANCE) ||
865  data->flags & DETECT_CONTENT_FAST_PATTERN ||
866  data->flags & DETECT_CONTENT_NEGATED ) {
867  result = 0;
868  goto end;
869  }
870  result &= (strncmp((char *)data->content, "four", 4) == 0);
871  if (result == 0)
872  goto end;
873 
874  end:
875  SigGroupCleanup(de_ctx);
876  SigCleanSignatures(de_ctx);
877  DetectEngineCtxFree(de_ctx);
878 
879  return result;
880 }
881 
882 /**
883  * \test Test content for dce sig.
884  */
885 static int DcePayloadParseTest26(void)
886 {
887  DetectEngineCtx *de_ctx = NULL;
888  int result = 1;
889  Signature *s = NULL;
890  SigMatch *sm = NULL;
891  DetectContentData *data = NULL;
892 
893  de_ctx = DetectEngineCtxInit();
894  if (de_ctx == NULL)
895  goto end;
896 
897  de_ctx->flags |= DE_QUIET;
898  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
899  "(msg:\"Testing bytejump_body\"; "
900  "dce_stub_data; "
901  "pkt_data; "
902  "content:\"one\"; "
903  "content:\"two\"; "
904  "content:\"three\"; within:5; "
905  "content:\"four\"; distance:10; "
906  "sid:1;)");
907  if (de_ctx->sig_list == NULL) {
908  result = 0;
909  goto end;
910  }
911 
912  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
913  result = 0;
914  goto end;
915  }
916  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
917  result = 0;
918  goto end;
919  }
920 
921  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
922  if (sm->type != DETECT_CONTENT) {
923  result = 0;
924  goto end;
925  }
926  data = (DetectContentData *)sm->ctx;
927  if (data->flags & DETECT_CONTENT_RAWBYTES ||
928  data->flags & DETECT_CONTENT_NOCASE ||
929  data->flags & DETECT_CONTENT_WITHIN ||
930  data->flags & DETECT_CONTENT_DISTANCE ||
931  data->flags & DETECT_CONTENT_FAST_PATTERN ||
932  data->flags & DETECT_CONTENT_NEGATED ) {
933  result = 0;
934  printf("one failed\n");
935  goto end;
936  }
937  result &= (strncmp((char *)data->content, "one", 3) == 0);
938  if (result == 0)
939  goto end;
940 
941  sm = sm->next;
942  if (sm->type != DETECT_CONTENT) {
943  result = 0;
944  goto end;
945  }
946  data = (DetectContentData *)sm->ctx;
947  if (data->flags & DETECT_CONTENT_RAWBYTES ||
948  data->flags & DETECT_CONTENT_NOCASE ||
949  data->flags & DETECT_CONTENT_WITHIN ||
950  data->flags & DETECT_CONTENT_DISTANCE ||
951  data->flags & DETECT_CONTENT_FAST_PATTERN ||
952  data->flags & DETECT_CONTENT_NEGATED ) {
953  result = 0;
954  printf("two failed\n");
955  goto end;
956  }
957  result &= (strncmp((char *)data->content, "two", 3) == 0);
958  if (result == 0)
959  goto end;
960 
961  sm = sm->next;
962  if (sm->type != DETECT_CONTENT) {
963  result = 0;
964  goto end;
965  }
966  data = (DetectContentData *)sm->ctx;
967  if (data->flags & DETECT_CONTENT_RAWBYTES ||
968  data->flags & DETECT_CONTENT_NOCASE ||
969  !(data->flags & DETECT_CONTENT_WITHIN) ||
970  data->flags & DETECT_CONTENT_DISTANCE ||
971  data->flags & DETECT_CONTENT_FAST_PATTERN ||
972  data->flags & DETECT_CONTENT_NEGATED ) {
973  printf("three failed\n");
974  result = 0;
975  goto end;
976  }
977  result &= (strncmp((char *)data->content, "three", 5) == 0);
978  if (result == 0)
979  goto end;
980 
981  sm = sm->next;
982  if (sm->type != DETECT_CONTENT) {
983  result = 0;
984  goto end;
985  }
986  data = (DetectContentData *)sm->ctx;
987  if (data->flags & DETECT_CONTENT_RAWBYTES ||
988  data->flags & DETECT_CONTENT_NOCASE ||
989  data->flags & DETECT_CONTENT_WITHIN ||
990  !(data->flags & DETECT_CONTENT_DISTANCE) ||
991  data->flags & DETECT_CONTENT_FAST_PATTERN ||
992  data->flags & DETECT_CONTENT_NEGATED ) {
993  printf("four failed\n");
994  result = 0;
995  goto end;
996  }
997  result &= (strncmp((char *)data->content, "four", 4) == 0);
998  if (result == 0)
999  goto end;
1000 
1001  end:
1002  SigGroupCleanup(de_ctx);
1003  SigCleanSignatures(de_ctx);
1004  DetectEngineCtxFree(de_ctx);
1005 
1006  return result;
1007 }
1008 
1009 /**
1010  * \test Test content for dce sig.
1011  */
1012 static int DcePayloadParseTest27(void)
1013 {
1014  DetectEngineCtx *de_ctx = NULL;
1015  int result = 1;
1016  Signature *s = NULL;
1017  SigMatch *sm = NULL;
1018  DetectContentData *data = NULL;
1019 
1020  de_ctx = DetectEngineCtxInit();
1021  if (de_ctx == NULL)
1022  goto end;
1023 
1024  de_ctx->flags |= DE_QUIET;
1025  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1026  "(msg:\"Testing bytejump_body\"; "
1027  "dce_stub_data; "
1028  "content:\"one\"; distance:10; within:5; "
1029  "content:\"two\"; within:5;"
1030  "content:\"three\"; within:5; "
1031  "content:\"four\"; distance:10; "
1032  "sid:1;)");
1033  if (de_ctx->sig_list == NULL) {
1034  result = 0;
1035  goto end;
1036  }
1037 
1038  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1039  result = 0;
1040  goto end;
1041  }
1042  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] != NULL) {
1043  result = 0;
1044  goto end;
1045  }
1046 
1047  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1048  if (sm->type != DETECT_CONTENT) {
1049  result = 0;
1050  goto end;
1051  }
1052  data = (DetectContentData *)sm->ctx;
1053  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1054  data->flags & DETECT_CONTENT_NOCASE ||
1055  !(data->flags & DETECT_CONTENT_WITHIN) ||
1056  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1057  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1058  data->flags & DETECT_CONTENT_NEGATED ) {
1059  result = 0;
1060  printf("one failed\n");
1061  goto end;
1062  }
1063  result &= (strncmp((char *)data->content, "one", 3) == 0);
1064  if (result == 0)
1065  goto end;
1066 
1067  sm = sm->next;
1068  if (sm->type != DETECT_CONTENT) {
1069  result = 0;
1070  goto end;
1071  }
1072  data = (DetectContentData *)sm->ctx;
1073  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1074  data->flags & DETECT_CONTENT_NOCASE ||
1075  !(data->flags & DETECT_CONTENT_WITHIN) ||
1076  data->flags & DETECT_CONTENT_DISTANCE ||
1077  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1078  data->flags & DETECT_CONTENT_NEGATED ) {
1079  result = 0;
1080  printf("two failed\n");
1081  goto end;
1082  }
1083  result &= (strncmp((char *)data->content, "two", 3) == 0);
1084  if (result == 0)
1085  goto end;
1086 
1087  sm = sm->next;
1088  if (sm->type != DETECT_CONTENT) {
1089  result = 0;
1090  goto end;
1091  }
1092  data = (DetectContentData *)sm->ctx;
1093  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1094  data->flags & DETECT_CONTENT_NOCASE ||
1095  !(data->flags & DETECT_CONTENT_WITHIN) ||
1096  data->flags & DETECT_CONTENT_DISTANCE ||
1097  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1098  data->flags & DETECT_CONTENT_NEGATED ) {
1099  printf("three failed\n");
1100  result = 0;
1101  goto end;
1102  }
1103  result &= (strncmp((char *)data->content, "three", 5) == 0);
1104  if (result == 0)
1105  goto end;
1106 
1107  sm = sm->next;
1108  if (sm->type != DETECT_CONTENT) {
1109  result = 0;
1110  goto end;
1111  }
1112  data = (DetectContentData *)sm->ctx;
1113  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1114  data->flags & DETECT_CONTENT_NOCASE ||
1115  data->flags & DETECT_CONTENT_WITHIN ||
1116  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1117  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1118  data->flags & DETECT_CONTENT_NEGATED ) {
1119  printf("four failed\n");
1120  result = 0;
1121  goto end;
1122  }
1123  result &= (strncmp((char *)data->content, "four", 4) == 0);
1124  if (result == 0)
1125  goto end;
1126 
1127  end:
1128  SigGroupCleanup(de_ctx);
1129  SigCleanSignatures(de_ctx);
1130  DetectEngineCtxFree(de_ctx);
1131 
1132  return result;
1133 }
1134 
1135 /**
1136  * \test Test content for dce sig.
1137  */
1138 static int DcePayloadParseTest28(void)
1139 {
1140  DetectEngineCtx *de_ctx = NULL;
1141  int result = 1;
1142  Signature *s = NULL;
1143  SigMatch *sm = NULL;
1144  DetectContentData *data = NULL;
1145 
1146  de_ctx = DetectEngineCtxInit();
1147  if (de_ctx == NULL)
1148  goto end;
1149 
1150  de_ctx->flags |= DE_QUIET;
1151  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1152  "(msg:\"Testing bytejump_body\"; "
1153  "dce_stub_data; "
1154  "content:\"one\"; distance:10; within:5; "
1155  "content:\"two\"; within:5;"
1156  "pkt_data; "
1157  "content:\"three\";"
1158  "content:\"four\";"
1159  "sid:1;)");
1160  if (de_ctx->sig_list == NULL) {
1161  result = 0;
1162  goto end;
1163  }
1164 
1165  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1166  result = 0;
1167  goto end;
1168  }
1169  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1170  result = 0;
1171  goto end;
1172  }
1173 
1174  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1175  if (sm->type != DETECT_CONTENT) {
1176  result = 0;
1177  goto end;
1178  }
1179  data = (DetectContentData *)sm->ctx;
1180  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1181  data->flags & DETECT_CONTENT_NOCASE ||
1182  !(data->flags & DETECT_CONTENT_WITHIN) ||
1183  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1184  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1185  data->flags & DETECT_CONTENT_NEGATED ) {
1186  result = 0;
1187  printf("one failed\n");
1188  goto end;
1189  }
1190  result &= (strncmp((char *)data->content, "one", 3) == 0);
1191  if (result == 0)
1192  goto end;
1193 
1194  sm = sm->next;
1195  if (sm->type != DETECT_CONTENT) {
1196  result = 0;
1197  goto end;
1198  }
1199  data = (DetectContentData *)sm->ctx;
1200  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1201  data->flags & DETECT_CONTENT_NOCASE ||
1202  !(data->flags & DETECT_CONTENT_WITHIN) ||
1203  data->flags & DETECT_CONTENT_DISTANCE ||
1204  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1205  data->flags & DETECT_CONTENT_NEGATED ) {
1206  result = 0;
1207  printf("two failed\n");
1208  goto end;
1209  }
1210  result &= (strncmp((char *)data->content, "two", 3) == 0);
1211  if (result == 0)
1212  goto end;
1213 
1214  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1215  if (sm->type != DETECT_CONTENT) {
1216  result = 0;
1217  goto end;
1218  }
1219  data = (DetectContentData *)sm->ctx;
1220  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1221  data->flags & DETECT_CONTENT_NOCASE ||
1222  data->flags & DETECT_CONTENT_WITHIN ||
1223  data->flags & DETECT_CONTENT_DISTANCE ||
1224  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1225  data->flags & DETECT_CONTENT_NEGATED ) {
1226  printf("three failed\n");
1227  result = 0;
1228  goto end;
1229  }
1230  result &= (strncmp((char *)data->content, "three", 5) == 0);
1231  if (result == 0)
1232  goto end;
1233 
1234  sm = sm->next;
1235  if (sm->type != DETECT_CONTENT) {
1236  result = 0;
1237  goto end;
1238  }
1239  data = (DetectContentData *)sm->ctx;
1240  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1241  data->flags & DETECT_CONTENT_NOCASE ||
1242  data->flags & DETECT_CONTENT_WITHIN ||
1243  data->flags & DETECT_CONTENT_DISTANCE ||
1244  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1245  data->flags & DETECT_CONTENT_NEGATED ) {
1246  printf("four failed\n");
1247  result = 0;
1248  goto end;
1249  }
1250  result &= (strncmp((char *)data->content, "four", 4) == 0);
1251  if (result == 0)
1252  goto end;
1253 
1254  end:
1255  SigGroupCleanup(de_ctx);
1256  SigCleanSignatures(de_ctx);
1257  DetectEngineCtxFree(de_ctx);
1258 
1259  return result;
1260 }
1261 
1262 /**
1263  * \test Test content for dce sig.
1264  */
1265 static int DcePayloadParseTest29(void)
1266 {
1267  DetectEngineCtx *de_ctx = NULL;
1268  int result = 1;
1269  Signature *s = NULL;
1270  SigMatch *sm = NULL;
1271  DetectContentData *data = NULL;
1272  DetectPcreData *pd = NULL;
1273 
1274  de_ctx = DetectEngineCtxInit();
1275  if (de_ctx == NULL)
1276  goto end;
1277 
1278  de_ctx->flags |= DE_QUIET;
1279  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1280  "(msg:\"Testing bytejump_body\"; "
1281  "dce_stub_data; "
1282  "pkt_data; "
1283  "pcre:/boom/; "
1284  "content:\"one\"; distance:10; within:5; "
1285  "content:\"two\"; within:5;"
1286  "content:\"three\";"
1287  "content:\"four\";"
1288  "sid:1;)");
1289  if (de_ctx->sig_list == NULL) {
1290  result = 0;
1291  goto end;
1292  }
1293 
1294  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1295  result = 0;
1296  goto end;
1297  }
1298  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1299  result = 0;
1300  goto end;
1301  }
1302 
1303  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1304  if (sm->type != DETECT_PCRE) {
1305  result = 0;
1306  goto end;
1307  }
1308  pd = (DetectPcreData *)sm->ctx;
1309  if (pd->flags & DETECT_PCRE_RAWBYTES ||
1310  pd->flags & DETECT_PCRE_RELATIVE) {
1311  result = 0;
1312  printf("one failed\n");
1313  goto end;
1314  }
1315 
1316  sm = sm->next;
1317  if (sm->type != DETECT_CONTENT) {
1318  result = 0;
1319  goto end;
1320  }
1321  data = (DetectContentData *)sm->ctx;
1322  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1323  data->flags & DETECT_CONTENT_NOCASE ||
1324  !(data->flags & DETECT_CONTENT_WITHIN) ||
1325  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1326  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1327  data->flags & DETECT_CONTENT_NEGATED ) {
1328  result = 0;
1329  printf("one failed\n");
1330  goto end;
1331  }
1332  result &= (strncmp((char *)data->content, "one", 3) == 0);
1333  if (result == 0)
1334  goto end;
1335 
1336  sm = sm->next;
1337  if (sm->type != DETECT_CONTENT) {
1338  result = 0;
1339  goto end;
1340  }
1341  data = (DetectContentData *)sm->ctx;
1342  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1343  data->flags & DETECT_CONTENT_NOCASE ||
1344  !(data->flags & DETECT_CONTENT_WITHIN) ||
1345  data->flags & DETECT_CONTENT_DISTANCE ||
1346  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1347  data->flags & DETECT_CONTENT_NEGATED ) {
1348  result = 0;
1349  printf("two failed\n");
1350  goto end;
1351  }
1352  result &= (strncmp((char *)data->content, "two", 3) == 0);
1353  if (result == 0)
1354  goto end;
1355 
1356  sm = sm->next;
1357  if (sm->type != DETECT_CONTENT) {
1358  result = 0;
1359  goto end;
1360  }
1361  data = (DetectContentData *)sm->ctx;
1362  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1363  data->flags & DETECT_CONTENT_NOCASE ||
1364  data->flags & DETECT_CONTENT_WITHIN ||
1365  data->flags & DETECT_CONTENT_DISTANCE ||
1366  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1367  data->flags & DETECT_CONTENT_NEGATED ) {
1368  printf("three failed\n");
1369  result = 0;
1370  goto end;
1371  }
1372  result &= (strncmp((char *)data->content, "three", 5) == 0);
1373  if (result == 0)
1374  goto end;
1375 
1376  sm = sm->next;
1377  if (sm->type != DETECT_CONTENT) {
1378  result = 0;
1379  goto end;
1380  }
1381  data = (DetectContentData *)sm->ctx;
1382  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1383  data->flags & DETECT_CONTENT_NOCASE ||
1384  data->flags & DETECT_CONTENT_WITHIN ||
1385  data->flags & DETECT_CONTENT_DISTANCE ||
1386  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1387  data->flags & DETECT_CONTENT_NEGATED ) {
1388  printf("four failed\n");
1389  result = 0;
1390  goto end;
1391  }
1392  result &= (strncmp((char *)data->content, "four", 4) == 0);
1393  if (result == 0)
1394  goto end;
1395 
1396  end:
1397  SigGroupCleanup(de_ctx);
1398  SigCleanSignatures(de_ctx);
1399  DetectEngineCtxFree(de_ctx);
1400 
1401  return result;
1402 }
1403 
1404 /**
1405  * \test Test content for dce sig.
1406  */
1407 static int DcePayloadParseTest30(void)
1408 {
1409  DetectEngineCtx *de_ctx = NULL;
1410  int result = 1;
1411  Signature *s = NULL;
1412  SigMatch *sm = NULL;
1413  DetectContentData *data = NULL;
1414  DetectBytejumpData *bd = NULL;
1415 
1416  de_ctx = DetectEngineCtxInit();
1417  if (de_ctx == NULL)
1418  goto end;
1419 
1420  de_ctx->flags |= DE_QUIET;
1421  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1422  "(msg:\"Testing bytejump_body\"; "
1423  "dce_stub_data; "
1424  "pkt_data; "
1425  "byte_jump:2,5; "
1426  "content:\"one\"; distance:10; within:5; "
1427  "content:\"two\"; within:5;"
1428  "content:\"three\";"
1429  "content:\"four\";"
1430  "sid:1;)");
1431  if (de_ctx->sig_list == NULL) {
1432  result = 0;
1433  goto end;
1434  }
1435 
1436  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
1437  result = 0;
1438  goto end;
1439  }
1440  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1441  result = 0;
1442  goto end;
1443  }
1444 
1445  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1446  if (sm->type != DETECT_BYTEJUMP) {
1447  result = 0;
1448  goto end;
1449  }
1450  bd = (DetectBytejumpData *)sm->ctx;
1451  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1452  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1453  bd->flags & DETECT_BYTEJUMP_BIG ||
1454  bd->flags & DETECT_BYTEJUMP_STRING ||
1455  bd->flags & DETECT_BYTEJUMP_RELATIVE ||
1456  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1457  bd->flags & DETECT_BYTEJUMP_DCE ) {
1458  result = 0;
1459  printf("one failed\n");
1460  goto end;
1461  }
1462 
1463  sm = sm->next;
1464  if (sm->type != DETECT_CONTENT) {
1465  result = 0;
1466  goto end;
1467  }
1468  data = (DetectContentData *)sm->ctx;
1469  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1470  data->flags & DETECT_CONTENT_NOCASE ||
1471  !(data->flags & DETECT_CONTENT_WITHIN) ||
1472  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1473  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1474  data->flags & DETECT_CONTENT_NEGATED ) {
1475  result = 0;
1476  printf("one failed\n");
1477  goto end;
1478  }
1479  result &= (strncmp((char *)data->content, "one", 3) == 0);
1480  if (result == 0)
1481  goto end;
1482 
1483  sm = sm->next;
1484  if (sm->type != DETECT_CONTENT) {
1485  result = 0;
1486  goto end;
1487  }
1488  data = (DetectContentData *)sm->ctx;
1489  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1490  data->flags & DETECT_CONTENT_NOCASE ||
1491  !(data->flags & DETECT_CONTENT_WITHIN) ||
1492  data->flags & DETECT_CONTENT_DISTANCE ||
1493  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1494  data->flags & DETECT_CONTENT_NEGATED ) {
1495  result = 0;
1496  printf("two failed\n");
1497  goto end;
1498  }
1499  result &= (strncmp((char *)data->content, "two", 3) == 0);
1500  if (result == 0)
1501  goto end;
1502 
1503  sm = sm->next;
1504  if (sm->type != DETECT_CONTENT) {
1505  result = 0;
1506  goto end;
1507  }
1508  data = (DetectContentData *)sm->ctx;
1509  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1510  data->flags & DETECT_CONTENT_NOCASE ||
1511  data->flags & DETECT_CONTENT_WITHIN ||
1512  data->flags & DETECT_CONTENT_DISTANCE ||
1513  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1514  data->flags & DETECT_CONTENT_NEGATED ) {
1515  printf("three failed\n");
1516  result = 0;
1517  goto end;
1518  }
1519  result &= (strncmp((char *)data->content, "three", 5) == 0);
1520  if (result == 0)
1521  goto end;
1522 
1523  sm = sm->next;
1524  if (sm->type != DETECT_CONTENT) {
1525  result = 0;
1526  goto end;
1527  }
1528  data = (DetectContentData *)sm->ctx;
1529  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1530  data->flags & DETECT_CONTENT_NOCASE ||
1531  data->flags & DETECT_CONTENT_WITHIN ||
1532  data->flags & DETECT_CONTENT_DISTANCE ||
1533  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1534  data->flags & DETECT_CONTENT_NEGATED ) {
1535  printf("four failed\n");
1536  result = 0;
1537  goto end;
1538  }
1539  result &= (strncmp((char *)data->content, "four", 4) == 0);
1540  if (result == 0)
1541  goto end;
1542 
1543  end:
1544  SigGroupCleanup(de_ctx);
1545  SigCleanSignatures(de_ctx);
1546  DetectEngineCtxFree(de_ctx);
1547 
1548  return result;
1549 }
1550 
1551 /**
1552  * \test Test content for dce sig.
1553  */
1554 static int DcePayloadParseTest31(void)
1555 {
1556  DetectEngineCtx *de_ctx = NULL;
1557  int result = 1;
1558  Signature *s = NULL;
1559  SigMatch *sm = NULL;
1560  DetectContentData *data = NULL;
1561  DetectBytejumpData *bd = NULL;
1562 
1563  de_ctx = DetectEngineCtxInit();
1564  if (de_ctx == NULL)
1565  goto end;
1566 
1567  de_ctx->flags |= DE_QUIET;
1568  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1569  "(msg:\"Testing bytejump_body\"; "
1570  "dce_stub_data; "
1571  "byte_jump:2,5,relative; "
1572  "content:\"one\"; distance:10; within:5; "
1573  "content:\"two\"; within:5;"
1574  "pkt_data; "
1575  "content:\"three\";"
1576  "content:\"four\";"
1577  "sid:1;)");
1578  if (de_ctx->sig_list == NULL) {
1579  result = 0;
1580  goto end;
1581  }
1582 
1583  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1584  result = 0;
1585  goto end;
1586  }
1587  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1588  result = 0;
1589  goto end;
1590  }
1591 
1592  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1593  if (sm->type != DETECT_BYTEJUMP) {
1594  result = 0;
1595  goto end;
1596  }
1597  bd = (DetectBytejumpData *)sm->ctx;
1598  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1599  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1600  bd->flags & DETECT_BYTEJUMP_BIG ||
1601  bd->flags & DETECT_BYTEJUMP_STRING ||
1602  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
1603  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1604  bd->flags & DETECT_BYTEJUMP_DCE ) {
1605  result = 0;
1606  printf("one failed\n");
1607  goto end;
1608  }
1609 
1610  sm = sm->next;
1611  if (sm->type != DETECT_CONTENT) {
1612  result = 0;
1613  goto end;
1614  }
1615  data = (DetectContentData *)sm->ctx;
1616  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1617  data->flags & DETECT_CONTENT_NOCASE ||
1618  !(data->flags & DETECT_CONTENT_WITHIN) ||
1619  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1620  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1621  data->flags & DETECT_CONTENT_NEGATED ) {
1622  result = 0;
1623  printf("one failed\n");
1624  goto end;
1625  }
1626  result &= (strncmp((char *)data->content, "one", 3) == 0);
1627  if (result == 0)
1628  goto end;
1629 
1630  sm = sm->next;
1631  if (sm->type != DETECT_CONTENT) {
1632  result = 0;
1633  goto end;
1634  }
1635  data = (DetectContentData *)sm->ctx;
1636  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1637  data->flags & DETECT_CONTENT_NOCASE ||
1638  !(data->flags & DETECT_CONTENT_WITHIN) ||
1639  data->flags & DETECT_CONTENT_DISTANCE ||
1640  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1641  data->flags & DETECT_CONTENT_NEGATED ) {
1642  result = 0;
1643  printf("two failed\n");
1644  goto end;
1645  }
1646  result &= (strncmp((char *)data->content, "two", 3) == 0);
1647  if (result == 0)
1648  goto end;
1649 
1650  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1651  if (sm->type != DETECT_CONTENT) {
1652  result = 0;
1653  goto end;
1654  }
1655  data = (DetectContentData *)sm->ctx;
1656  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1657  data->flags & DETECT_CONTENT_NOCASE ||
1658  data->flags & DETECT_CONTENT_WITHIN ||
1659  data->flags & DETECT_CONTENT_DISTANCE ||
1660  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1661  data->flags & DETECT_CONTENT_NEGATED ) {
1662  printf("three failed\n");
1663  result = 0;
1664  goto end;
1665  }
1666  result &= (strncmp((char *)data->content, "three", 5) == 0);
1667  if (result == 0)
1668  goto end;
1669 
1670  sm = sm->next;
1671  if (sm->type != DETECT_CONTENT) {
1672  result = 0;
1673  goto end;
1674  }
1675  data = (DetectContentData *)sm->ctx;
1676  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1677  data->flags & DETECT_CONTENT_NOCASE ||
1678  data->flags & DETECT_CONTENT_WITHIN ||
1679  data->flags & DETECT_CONTENT_DISTANCE ||
1680  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1681  data->flags & DETECT_CONTENT_NEGATED ) {
1682  printf("four failed\n");
1683  result = 0;
1684  goto end;
1685  }
1686  result &= (strncmp((char *)data->content, "four", 4) == 0);
1687  if (result == 0)
1688  goto end;
1689 
1690  end:
1691  SigGroupCleanup(de_ctx);
1692  SigCleanSignatures(de_ctx);
1693  DetectEngineCtxFree(de_ctx);
1694 
1695  return result;
1696 }
1697 
1698 /**
1699  * \test Test content for dce sig.
1700  */
1701 static int DcePayloadParseTest32(void)
1702 {
1703  DetectEngineCtx *de_ctx = NULL;
1704  int result = 1;
1705  Signature *s = NULL;
1706  SigMatch *sm = NULL;
1707  DetectContentData *data = NULL;
1708  DetectBytejumpData *bd = NULL;
1709 
1710  de_ctx = DetectEngineCtxInit();
1711  if (de_ctx == NULL)
1712  goto end;
1713 
1714  de_ctx->flags |= DE_QUIET;
1715  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1716  "(msg:\"Testing bytejump_body\"; "
1717  "dce_stub_data; "
1718  "byte_jump:2,5,relative; "
1719  "content:\"one\"; distance:10; within:5; "
1720  "content:\"two\"; within:5;"
1721  "pkt_data; "
1722  "content:\"three\";"
1723  "content:\"four\"; within:4; "
1724  "sid:1;)");
1725  if (de_ctx->sig_list == NULL) {
1726  result = 0;
1727  goto end;
1728  }
1729 
1730  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1731  result = 0;
1732  goto end;
1733  }
1734  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1735  result = 0;
1736  goto end;
1737  }
1738 
1739  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1740  if (sm->type != DETECT_BYTEJUMP) {
1741  result = 0;
1742  goto end;
1743  }
1744  bd = (DetectBytejumpData *)sm->ctx;
1745  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
1746  bd->flags & DETECT_BYTEJUMP_LITTLE ||
1747  bd->flags & DETECT_BYTEJUMP_BIG ||
1748  bd->flags & DETECT_BYTEJUMP_STRING ||
1749  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
1750  bd->flags & DETECT_BYTEJUMP_ALIGN ||
1751  bd->flags & DETECT_BYTEJUMP_DCE ) {
1752  result = 0;
1753  printf("one failed\n");
1754  goto end;
1755  }
1756 
1757  sm = sm->next;
1758  if (sm->type != DETECT_CONTENT) {
1759  result = 0;
1760  goto end;
1761  }
1762  data = (DetectContentData *)sm->ctx;
1763  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1764  data->flags & DETECT_CONTENT_NOCASE ||
1765  !(data->flags & DETECT_CONTENT_WITHIN) ||
1766  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1767  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1768  data->flags & DETECT_CONTENT_NEGATED ) {
1769  result = 0;
1770  printf("one failed\n");
1771  goto end;
1772  }
1773  result &= (strncmp((char *)data->content, "one", 3) == 0);
1774  if (result == 0)
1775  goto end;
1776 
1777  sm = sm->next;
1778  if (sm->type != DETECT_CONTENT) {
1779  result = 0;
1780  goto end;
1781  }
1782  data = (DetectContentData *)sm->ctx;
1783  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1784  data->flags & DETECT_CONTENT_NOCASE ||
1785  !(data->flags & DETECT_CONTENT_WITHIN) ||
1786  data->flags & DETECT_CONTENT_DISTANCE ||
1787  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1788  data->flags & DETECT_CONTENT_NEGATED ) {
1789  result = 0;
1790  printf("two failed\n");
1791  goto end;
1792  }
1793  result &= (strncmp((char *)data->content, "two", 3) == 0);
1794  if (result == 0)
1795  goto end;
1796 
1797  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1798  if (sm->type != DETECT_CONTENT) {
1799  result = 0;
1800  goto end;
1801  }
1802  data = (DetectContentData *)sm->ctx;
1803  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1804  data->flags & DETECT_CONTENT_NOCASE ||
1805  data->flags & DETECT_CONTENT_WITHIN ||
1806  data->flags & DETECT_CONTENT_DISTANCE ||
1807  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1808  data->flags & DETECT_CONTENT_NEGATED ) {
1809  printf("three failed\n");
1810  result = 0;
1811  goto end;
1812  }
1813  result &= (strncmp((char *)data->content, "three", 5) == 0);
1814  if (result == 0)
1815  goto end;
1816 
1817  sm = sm->next;
1818  if (sm->type != DETECT_CONTENT) {
1819  result = 0;
1820  goto end;
1821  }
1822  data = (DetectContentData *)sm->ctx;
1823  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1824  data->flags & DETECT_CONTENT_NOCASE ||
1825  !(data->flags & DETECT_CONTENT_WITHIN) ||
1826  data->flags & DETECT_CONTENT_DISTANCE ||
1827  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1828  data->flags & DETECT_CONTENT_NEGATED ) {
1829  printf("four failed\n");
1830  result = 0;
1831  goto end;
1832  }
1833  result &= (strncmp((char *)data->content, "four", 4) == 0);
1834  if (result == 0)
1835  goto end;
1836 
1837  end:
1838  SigGroupCleanup(de_ctx);
1839  SigCleanSignatures(de_ctx);
1840  DetectEngineCtxFree(de_ctx);
1841 
1842  return result;
1843 }
1844 
1845 /**
1846  * \test Test content for dce sig.
1847  */
1848 static int DcePayloadParseTest33(void)
1849 {
1850  DetectEngineCtx *de_ctx = NULL;
1851  int result = 1;
1852  Signature *s = NULL;
1853  SigMatch *sm = NULL;
1854  DetectContentData *data = NULL;
1855  DetectPcreData *pd = NULL;
1856 
1857  de_ctx = DetectEngineCtxInit();
1858  if (de_ctx == NULL)
1859  goto end;
1860 
1861  de_ctx->flags |= DE_QUIET;
1862  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1863  "(msg:\"Testing bytejump_body\"; "
1864  "dce_stub_data; "
1865  "pcre:/boom/R; "
1866  "content:\"one\"; distance:10; within:5; "
1867  "content:\"two\"; within:5;"
1868  "pkt_data; "
1869  "content:\"three\";"
1870  "content:\"four\"; distance:5;"
1871  "sid:1;)");
1872  if (de_ctx->sig_list == NULL) {
1873  result = 0;
1874  goto end;
1875  }
1876 
1877  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
1878  result = 0;
1879  goto end;
1880  }
1881  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1882  result = 0;
1883  goto end;
1884  }
1885 
1886  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
1887  if (sm->type != DETECT_PCRE) {
1888  result = 0;
1889  goto end;
1890  }
1891  pd = (DetectPcreData *)sm->ctx;
1892  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
1893  !(pd->flags & DETECT_PCRE_RELATIVE)) {
1894  result = 0;
1895  printf("one failed\n");
1896  goto end;
1897  }
1898 
1899  sm = sm->next;
1900  if (sm->type != DETECT_CONTENT) {
1901  result = 0;
1902  goto end;
1903  }
1904  data = (DetectContentData *)sm->ctx;
1905  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1906  data->flags & DETECT_CONTENT_NOCASE ||
1907  !(data->flags & DETECT_CONTENT_WITHIN) ||
1908  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1909  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1910  data->flags & DETECT_CONTENT_NEGATED ) {
1911  result = 0;
1912  printf("one failed\n");
1913  goto end;
1914  }
1915  result &= (strncmp((char *)data->content, "one", 3) == 0);
1916  if (result == 0)
1917  goto end;
1918 
1919  sm = sm->next;
1920  if (sm->type != DETECT_CONTENT) {
1921  result = 0;
1922  goto end;
1923  }
1924  data = (DetectContentData *)sm->ctx;
1925  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1926  data->flags & DETECT_CONTENT_NOCASE ||
1927  !(data->flags & DETECT_CONTENT_WITHIN) ||
1928  data->flags & DETECT_CONTENT_DISTANCE ||
1929  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1930  data->flags & DETECT_CONTENT_NEGATED ) {
1931  result = 0;
1932  printf("two failed\n");
1933  goto end;
1934  }
1935  result &= (strncmp((char *)data->content, "two", 3) == 0);
1936  if (result == 0)
1937  goto end;
1938 
1939  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1940  if (sm->type != DETECT_CONTENT) {
1941  result = 0;
1942  goto end;
1943  }
1944  data = (DetectContentData *)sm->ctx;
1945  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1946  data->flags & DETECT_CONTENT_NOCASE ||
1947  data->flags & DETECT_CONTENT_WITHIN ||
1948  data->flags & DETECT_CONTENT_DISTANCE ||
1949  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1950  data->flags & DETECT_CONTENT_NEGATED ) {
1951  printf("three failed\n");
1952  result = 0;
1953  goto end;
1954  }
1955  result &= (strncmp((char *)data->content, "three", 5) == 0);
1956  if (result == 0)
1957  goto end;
1958 
1959  sm = sm->next;
1960  if (sm->type != DETECT_CONTENT) {
1961  result = 0;
1962  goto end;
1963  }
1964  data = (DetectContentData *)sm->ctx;
1965  if (data->flags & DETECT_CONTENT_RAWBYTES ||
1966  data->flags & DETECT_CONTENT_NOCASE ||
1967  data->flags & DETECT_CONTENT_WITHIN ||
1968  !(data->flags & DETECT_CONTENT_DISTANCE) ||
1969  data->flags & DETECT_CONTENT_FAST_PATTERN ||
1970  data->flags & DETECT_CONTENT_NEGATED ) {
1971  printf("four failed\n");
1972  result = 0;
1973  goto end;
1974  }
1975  result &= (strncmp((char *)data->content, "four", 4) == 0);
1976  if (result == 0)
1977  goto end;
1978 
1979  end:
1980  SigGroupCleanup(de_ctx);
1981  SigCleanSignatures(de_ctx);
1982  DetectEngineCtxFree(de_ctx);
1983 
1984  return result;
1985 }
1986 
1987 /**
1988  * \test Test content for dce sig.
1989  */
1990 static int DcePayloadParseTest34(void)
1991 {
1992  DetectEngineCtx *de_ctx = NULL;
1993  int result = 1;
1994  Signature *s = NULL;
1995  SigMatch *sm = NULL;
1996  DetectContentData *data = NULL;
1997  DetectPcreData *pd = NULL;
1998  DetectBytejumpData *bd = NULL;
1999 
2000  de_ctx = DetectEngineCtxInit();
2001  if (de_ctx == NULL)
2002  goto end;
2003 
2004  de_ctx->flags |= DE_QUIET;
2005  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2006  "(msg:\"Testing bytejump_body\"; "
2007  "dce_iface:12345678-1234-1234-1234-123456789012; "
2008  "dce_opnum:10; dce_stub_data; "
2009  "pcre:/boom/R; "
2010  "byte_jump:1,2,relative,align,dce; "
2011  "content:\"one\"; within:4; distance:8; "
2012  "pkt_data; "
2013  "content:\"two\"; "
2014  "sid:1;)");
2015  if (de_ctx->sig_list == NULL) {
2016  result = 0;
2017  goto end;
2018  }
2019 
2020  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2021  result = 0;
2022  goto end;
2023  }
2024  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2025  result = 0;
2026  goto end;
2027  }
2028 
2029  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2030  if (sm->type != DETECT_PCRE) {
2031  result = 0;
2032  goto end;
2033  }
2034  pd = (DetectPcreData *)sm->ctx;
2035  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2036  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2037  result = 0;
2038  goto end;
2039  }
2040 
2041  sm = sm->next;
2042  if (sm->type != DETECT_BYTEJUMP) {
2043  result = 0;
2044  goto end;
2045  }
2046  bd = (DetectBytejumpData *)sm->ctx;
2047  if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
2048  bd->flags & DETECT_BYTEJUMP_LITTLE ||
2049  bd->flags & DETECT_BYTEJUMP_BIG ||
2050  bd->flags & DETECT_BYTEJUMP_STRING ||
2051  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2052  !(bd->flags & DETECT_BYTEJUMP_ALIGN) ||
2053  !(bd->flags & DETECT_BYTEJUMP_DCE) ) {
2054  result = 0;
2055  printf("one failed\n");
2056  goto end;
2057  }
2058 
2059  sm = sm->next;
2060  if (sm->type != DETECT_CONTENT) {
2061  result = 0;
2062  goto end;
2063  }
2064  data = (DetectContentData *)sm->ctx;
2065  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2066  data->flags & DETECT_CONTENT_NOCASE ||
2067  !(data->flags & DETECT_CONTENT_WITHIN) ||
2068  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2069  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2070  data->flags & DETECT_CONTENT_NEGATED ) {
2071  result = 0;
2072  printf("two failed\n");
2073  goto end;
2074  }
2075  result &= (strncmp((char *)data->content, "one", 3) == 0);
2076  if (result == 0)
2077  goto end;
2078 
2079  result &= (sm->next == NULL);
2080 
2081  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2082  if (sm->type != DETECT_CONTENT) {
2083  result = 0;
2084  goto end;
2085  }
2086  data = (DetectContentData *)sm->ctx;
2087  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2088  data->flags & DETECT_CONTENT_NOCASE ||
2089  data->flags & DETECT_CONTENT_WITHIN ||
2090  data->flags & DETECT_CONTENT_DISTANCE ||
2091  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2092  data->flags & DETECT_CONTENT_NEGATED ) {
2093  printf("three failed\n");
2094  result = 0;
2095  goto end;
2096  }
2097  result &= (strncmp((char *)data->content, "two", 3) == 0);
2098  if (result == 0)
2099  goto end;
2100 
2101  result &= (sm->next == NULL);
2102 
2103  end:
2104  SigGroupCleanup(de_ctx);
2105  SigCleanSignatures(de_ctx);
2106  DetectEngineCtxFree(de_ctx);
2107 
2108  return result;
2109 }
2110 
2111 /**
2112  * \test Test content for dce sig.
2113  */
2114 static int DcePayloadParseTest35(void)
2115 {
2116  DetectEngineCtx *de_ctx = NULL;
2117  int result = 1;
2118  Signature *s = NULL;
2119  SigMatch *sm = NULL;
2120  DetectContentData *data = NULL;
2121  DetectBytetestData *bd = NULL;
2122 
2123  de_ctx = DetectEngineCtxInit();
2124  if (de_ctx == NULL)
2125  goto end;
2126 
2127  de_ctx->flags |= DE_QUIET;
2128  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2129  "(msg:\"Testing bytejump_body\"; "
2130  "dce_iface:12345678-1234-1234-1234-123456789012; "
2131  "dce_opnum:10; dce_stub_data; "
2132  "byte_test:1,=,0,0,relative,dce; "
2133  "pkt_data; "
2134  "content:\"one\"; "
2135  "sid:1;)");
2136  if (de_ctx->sig_list == NULL) {
2137  result = 0;
2138  goto end;
2139  }
2140 
2141  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2142  result = 0;
2143  goto end;
2144  }
2145  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2146  result = 0;
2147  goto end;
2148  }
2149 
2150  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2151  if (sm->type != DETECT_BYTETEST) {
2152  result = 0;
2153  goto end;
2154  }
2155  bd = (DetectBytetestData *)sm->ctx;
2156  if (bd->flags & DETECT_BYTETEST_LITTLE ||
2157  bd->flags & DETECT_BYTETEST_BIG ||
2158  bd->flags & DETECT_BYTETEST_STRING ||
2159  !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2160  !(bd->flags & DETECT_BYTETEST_DCE) ) {
2161  result = 0;
2162  printf("one failed\n");
2163  goto end;
2164  }
2165 
2166  result &= (sm->next == NULL);
2167 
2168  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2169  if (sm->type != DETECT_CONTENT) {
2170  result = 0;
2171  goto end;
2172  }
2173  data = (DetectContentData *)sm->ctx;
2174  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2175  data->flags & DETECT_CONTENT_NOCASE ||
2176  data->flags & DETECT_CONTENT_WITHIN ||
2177  data->flags & DETECT_CONTENT_DISTANCE ||
2178  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2179  data->flags & DETECT_CONTENT_NEGATED ) {
2180  result = 0;
2181  printf("two failed\n");
2182  goto end;
2183  }
2184  result &= (strncmp((char *)data->content, "one", 3) == 0);
2185  if (result == 0)
2186  goto end;
2187 
2188  result &= (sm->next == NULL);
2189 
2190  end:
2191  SigGroupCleanup(de_ctx);
2192  SigCleanSignatures(de_ctx);
2193  DetectEngineCtxFree(de_ctx);
2194 
2195  return result;
2196 }
2197 
2198 /**
2199  * \test Test content for dce sig.
2200  */
2201 static int DcePayloadParseTest36(void)
2202 {
2203  DetectEngineCtx *de_ctx = NULL;
2204  int result = 1;
2205  Signature *s = NULL;
2206  SigMatch *sm = NULL;
2207  DetectContentData *data = NULL;
2208  DetectIsdataatData *isd = NULL;
2209 
2210  de_ctx = DetectEngineCtxInit();
2211  if (de_ctx == NULL)
2212  goto end;
2213 
2214  de_ctx->flags |= DE_QUIET;
2215  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2216  "(msg:\"Testing bytejump_body\"; "
2217  "dce_iface:12345678-1234-1234-1234-123456789012; "
2218  "dce_opnum:10; dce_stub_data; "
2219  "isdataat:10,relative; "
2220  "content:\"one\"; within:4; distance:8; "
2221  "pkt_data; "
2222  "content:\"two\"; "
2223  "sid:1;)");
2224  if (de_ctx->sig_list == NULL) {
2225  result = 0;
2226  goto end;
2227  }
2228 
2229  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2230  result = 0;
2231  goto end;
2232  }
2233  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2234  result = 0;
2235  goto end;
2236  }
2237 
2238  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2239  if (sm->type != DETECT_ISDATAAT) {
2240  result = 0;
2241  goto end;
2242  }
2243  isd = (DetectIsdataatData *)sm->ctx;
2244  if ( isd->flags & ISDATAAT_RAWBYTES ||
2245  !(isd->flags & ISDATAAT_RELATIVE)) {
2246  result = 0;
2247  goto end;
2248  }
2249 
2250  sm = sm->next;
2251  if (sm->type != DETECT_CONTENT) {
2252  result = 0;
2253  goto end;
2254  }
2255  data = (DetectContentData *)sm->ctx;
2256  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2257  data->flags & DETECT_CONTENT_NOCASE ||
2258  !(data->flags & DETECT_CONTENT_WITHIN) ||
2259  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2260  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2261  data->flags & DETECT_CONTENT_NEGATED ) {
2262  result = 0;
2263  printf("two failed\n");
2264  goto end;
2265  }
2266  result &= (strncmp((char *)data->content, "one", 3) == 0);
2267  if (result == 0)
2268  goto end;
2269 
2270  result &= (sm->next == NULL);
2271 
2272  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2273  if (sm->type != DETECT_CONTENT) {
2274  result = 0;
2275  goto end;
2276  }
2277  data = (DetectContentData *)sm->ctx;
2278  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2279  data->flags & DETECT_CONTENT_NOCASE ||
2280  data->flags & DETECT_CONTENT_WITHIN ||
2281  data->flags & DETECT_CONTENT_DISTANCE ||
2282  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2283  data->flags & DETECT_CONTENT_NEGATED ) {
2284  printf("three failed\n");
2285  result = 0;
2286  goto end;
2287  }
2288  result &= (strncmp((char *)data->content, "two", 3) == 0);
2289  if (result == 0)
2290  goto end;
2291 
2292  result &= (sm->next == NULL);
2293 
2294  end:
2295  SigGroupCleanup(de_ctx);
2296  SigCleanSignatures(de_ctx);
2297  DetectEngineCtxFree(de_ctx);
2298 
2299  return result;
2300 }
2301 
2302 /**
2303  * \test Test content for dce sig.
2304  */
2305 static int DcePayloadParseTest37(void)
2306 {
2307  DetectEngineCtx *de_ctx = NULL;
2308  int result = 1;
2309  Signature *s = NULL;
2310  SigMatch *sm = NULL;
2311  DetectContentData *data = NULL;
2312  DetectBytejumpData *bjd = NULL;
2313  DetectBytetestData *btd = NULL;
2314 
2315  de_ctx = DetectEngineCtxInit();
2316  if (de_ctx == NULL)
2317  goto end;
2318 
2319  de_ctx->flags |= DE_QUIET;
2320  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2321  "(msg:\"Testing bytejump_body\"; "
2322  "dce_iface:12345678-1234-1234-1234-123456789012; "
2323  "dce_opnum:10; dce_stub_data; "
2324  "byte_jump:1,2,relative,align,dce; "
2325  "byte_test:1,=,2,0,relative,dce; "
2326  "pkt_data; "
2327  "content:\"one\"; "
2328  "sid:1;)");
2329  if (de_ctx->sig_list == NULL) {
2330  result = 0;
2331  goto end;
2332  }
2333 
2334  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2335  result = 0;
2336  goto end;
2337  }
2338  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2339  result = 0;
2340  goto end;
2341  }
2342 
2343  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2344  if (sm->type != DETECT_BYTEJUMP) {
2345  result = 0;
2346  goto end;
2347  }
2348  bjd = (DetectBytejumpData *)sm->ctx;
2349  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2350  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2351  bjd->flags & DETECT_BYTEJUMP_BIG ||
2352  bjd->flags & DETECT_BYTEJUMP_STRING ||
2353  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2354  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
2355  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
2356  result = 0;
2357  printf("one failed\n");
2358  goto end;
2359  }
2360 
2361  sm = sm->next;
2362  if (sm->type != DETECT_BYTETEST) {
2363  result = 0;
2364  goto end;
2365  }
2366  btd = (DetectBytetestData *)sm->ctx;
2367  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2368  btd->flags & DETECT_BYTETEST_BIG ||
2369  btd->flags & DETECT_BYTETEST_STRING ||
2370  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2371  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2372  result = 0;
2373  printf("one failed\n");
2374  goto end;
2375  }
2376 
2377  result &= (sm->next == NULL);
2378 
2379  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2380  if (sm->type != DETECT_CONTENT) {
2381  result = 0;
2382  goto end;
2383  }
2384  data = (DetectContentData *)sm->ctx;
2385  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2386  data->flags & DETECT_CONTENT_NOCASE ||
2387  data->flags & DETECT_CONTENT_WITHIN ||
2388  data->flags & DETECT_CONTENT_DISTANCE ||
2389  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2390  data->flags & DETECT_CONTENT_NEGATED ) {
2391  printf("three failed\n");
2392  result = 0;
2393  goto end;
2394  }
2395  result &= (strncmp((char *)data->content, "one", 3) == 0);
2396  if (result == 0)
2397  goto end;
2398 
2399  result &= (sm->next == NULL);
2400 
2401  end:
2402  SigGroupCleanup(de_ctx);
2403  SigCleanSignatures(de_ctx);
2404  DetectEngineCtxFree(de_ctx);
2405 
2406  return result;
2407 }
2408 
2409 /**
2410  * \test Test content for dce sig.
2411  */
2412 static int DcePayloadParseTest38(void)
2413 {
2414  DetectEngineCtx *de_ctx = NULL;
2415  int result = 1;
2416  Signature *s = NULL;
2417  SigMatch *sm = NULL;
2418  DetectContentData *data = NULL;
2419  DetectPcreData *pd = NULL;
2420  DetectBytejumpData *bjd = NULL;
2421  DetectBytetestData *btd = NULL;
2422 
2423  de_ctx = DetectEngineCtxInit();
2424  if (de_ctx == NULL)
2425  goto end;
2426 
2427  de_ctx->flags |= DE_QUIET;
2428  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2429  "(msg:\"Testing bytejump_body\"; "
2430  "dce_iface:12345678-1234-1234-1234-123456789012; "
2431  "dce_opnum:10; dce_stub_data; "
2432  "pcre:/boom/R; "
2433  "byte_jump:1,2,relative,align,dce; "
2434  "byte_test:1,=,2,0,relative,dce; "
2435  "pkt_data; "
2436  "content:\"one\"; "
2437  "sid:1;)");
2438  if (de_ctx->sig_list == NULL) {
2439  result = 0;
2440  goto end;
2441  }
2442 
2443  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2444  result = 0;
2445  goto end;
2446  }
2447  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2448  result = 0;
2449  goto end;
2450  }
2451 
2452  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2453  if (sm->type != DETECT_PCRE) {
2454  result = 0;
2455  goto end;
2456  }
2457  pd = (DetectPcreData *)sm->ctx;
2458  if ( pd->flags & DETECT_PCRE_RAWBYTES ||
2459  !(pd->flags & DETECT_PCRE_RELATIVE)) {
2460  result = 0;
2461  printf("one failed\n");
2462  goto end;
2463  }
2464 
2465  sm = sm->next;
2466  if (sm->type != DETECT_BYTEJUMP) {
2467  result = 0;
2468  goto end;
2469  }
2470  bjd = (DetectBytejumpData *)sm->ctx;
2471  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
2472  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
2473  bjd->flags & DETECT_BYTEJUMP_BIG ||
2474  bjd->flags & DETECT_BYTEJUMP_STRING ||
2475  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
2476  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
2477  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
2478  result = 0;
2479  printf("one failed\n");
2480  goto end;
2481  }
2482 
2483  sm = sm->next;
2484  if (sm->type != DETECT_BYTETEST) {
2485  result = 0;
2486  goto end;
2487  }
2488  btd = (DetectBytetestData *)sm->ctx;
2489  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2490  btd->flags & DETECT_BYTETEST_BIG ||
2491  btd->flags & DETECT_BYTETEST_STRING ||
2492  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2493  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2494  result = 0;
2495  printf("one failed\n");
2496  goto end;
2497  }
2498 
2499  result &= (sm->next == NULL);
2500 
2501  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2502  if (sm->type != DETECT_CONTENT) {
2503  result = 0;
2504  goto end;
2505  }
2506  data = (DetectContentData *)sm->ctx;
2507  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2508  data->flags & DETECT_CONTENT_NOCASE ||
2509  data->flags & DETECT_CONTENT_WITHIN ||
2510  data->flags & DETECT_CONTENT_DISTANCE ||
2511  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2512  data->flags & DETECT_CONTENT_NEGATED ) {
2513  printf("three failed\n");
2514  result = 0;
2515  goto end;
2516  }
2517  result &= (strncmp((char *)data->content, "one", 3) == 0);
2518  if (result == 0)
2519  goto end;
2520 
2521  result &= (sm->next == NULL);
2522 
2523  end:
2524  SigGroupCleanup(de_ctx);
2525  SigCleanSignatures(de_ctx);
2526  DetectEngineCtxFree(de_ctx);
2527 
2528  return result;
2529 }
2530 
2531 /**
2532  * \test Test content for dce sig.
2533  */
2534 static int DcePayloadParseTest39(void)
2535 {
2536  DetectEngineCtx *de_ctx = NULL;
2537  int result = 1;
2538  Signature *s = NULL;
2539  SigMatch *sm = NULL;
2540  DetectContentData *data = NULL;
2541 
2542  de_ctx = DetectEngineCtxInit();
2543  if (de_ctx == NULL)
2544  goto end;
2545 
2546  de_ctx->flags |= DE_QUIET;
2547  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2548  "(msg:\"Testing bytejump_body\"; "
2549  "content:\"one\"; "
2550  "dce_iface:12345678-1234-1234-1234-123456789012; "
2551  "dce_opnum:10; dce_stub_data; "
2552  "content:\"two\"; within:4; distance:8; "
2553  "sid:1;)");
2554  if (de_ctx->sig_list == NULL) {
2555  result = 0;
2556  goto end;
2557  }
2558 
2559  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2560  result = 0;
2561  goto end;
2562  }
2563  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2564  result = 0;
2565  goto end;
2566  }
2567 
2568  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2569  if (sm->type != DETECT_CONTENT) {
2570  result = 0;
2571  goto end;
2572  }
2573  data = (DetectContentData *)sm->ctx;
2574  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2575  data->flags & DETECT_CONTENT_NOCASE ||
2576  data->flags & DETECT_CONTENT_WITHIN ||
2577  data->flags & DETECT_CONTENT_DISTANCE ||
2578  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2579  data->flags & DETECT_CONTENT_NEGATED ) {
2580  printf("three failed\n");
2581  result = 0;
2582  goto end;
2583  }
2584  result &= (strncmp((char *)data->content, "one", 3) == 0);
2585  if (result == 0)
2586  goto end;
2587 
2588  result &= (sm->next == NULL);
2589 
2590  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2591  data = (DetectContentData *)sm->ctx;
2592  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2593  data->flags & DETECT_CONTENT_NOCASE ||
2594  !(data->flags & DETECT_CONTENT_WITHIN) ||
2595  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2596  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2597  data->flags & DETECT_CONTENT_NEGATED ) {
2598  printf("three failed\n");
2599  result = 0;
2600  goto end;
2601  }
2602  result &= (strncmp((char *)data->content, "two", 3) == 0);
2603  if (result == 0)
2604  goto end;
2605 
2606  result &= (sm->next == NULL);
2607 
2608  end:
2609  SigGroupCleanup(de_ctx);
2610  SigCleanSignatures(de_ctx);
2611  DetectEngineCtxFree(de_ctx);
2612 
2613  return result;
2614 }
2615 
2616 /**
2617  * \test Test content for dce sig.
2618  */
2619 static int DcePayloadParseTest40(void)
2620 {
2621  DetectEngineCtx *de_ctx = NULL;
2622  int result = 1;
2623  Signature *s = NULL;
2624  SigMatch *sm = NULL;
2625  DetectContentData *data = NULL;
2626  DetectBytetestData *btd = NULL;
2627 
2628  de_ctx = DetectEngineCtxInit();
2629  if (de_ctx == NULL)
2630  goto end;
2631 
2632  de_ctx->flags |= DE_QUIET;
2633  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2634  "(msg:\"Testing bytejump_body\"; "
2635  "dce_iface:12345678-1234-1234-1234-123456789012; "
2636  "dce_opnum:10; dce_stub_data; "
2637  "content:\"one\"; within:10; "
2638  "content:\"two\"; distance:20; within:30; "
2639  "byte_test:1,=,2,0,relative,dce; "
2640  "pkt_data; "
2641  "content:\"three\"; "
2642  "sid:1;)");
2643  if (de_ctx->sig_list == NULL) {
2644  result = 0;
2645  goto end;
2646  }
2647 
2648  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2649  result = 0;
2650  goto end;
2651  }
2652  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2653  result = 0;
2654  goto end;
2655  }
2656 
2657  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2658  if (sm->type != DETECT_CONTENT) {
2659  result = 0;
2660  goto end;
2661  }
2662  data = (DetectContentData *)sm->ctx;
2663  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2664  data->flags & DETECT_CONTENT_NOCASE ||
2665  !(data->flags & DETECT_CONTENT_WITHIN) ||
2666  data->flags & DETECT_CONTENT_DISTANCE ||
2667  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2668  data->flags & DETECT_CONTENT_NEGATED ) {
2669  printf("three failed\n");
2670  result = 0;
2671  goto end;
2672  }
2673  result &= (strncmp((char *)data->content, "one", 3) == 0);
2674  if (result == 0)
2675  goto end;
2676 
2677 
2678  sm = sm->next;
2679  if (sm->type != DETECT_CONTENT) {
2680  result = 0;
2681  goto end;
2682  }
2683  data = (DetectContentData *)sm->ctx;
2684  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2685  data->flags & DETECT_CONTENT_NOCASE ||
2686  !(data->flags & DETECT_CONTENT_WITHIN) ||
2687  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2688  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2689  data->flags & DETECT_CONTENT_NEGATED ) {
2690  printf("three failed\n");
2691  result = 0;
2692  goto end;
2693  }
2694  result &= (strncmp((char *)data->content, "two", 3) == 0);
2695  if (result == 0)
2696  goto end;
2697 
2698  sm = sm->next;
2699  if (sm->type != DETECT_BYTETEST) {
2700  result = 0;
2701  goto end;
2702  }
2703  btd = (DetectBytetestData *)sm->ctx;
2704  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2705  btd->flags & DETECT_BYTETEST_BIG ||
2706  btd->flags & DETECT_BYTETEST_STRING ||
2707  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2708  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2709  result = 0;
2710  printf("one failed\n");
2711  goto end;
2712  }
2713 
2714  result &= (sm->next == NULL);
2715 
2716  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2717  if (sm->type != DETECT_CONTENT) {
2718  result = 0;
2719  goto end;
2720  }
2721  data = (DetectContentData *)sm->ctx;
2722  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2723  data->flags & DETECT_CONTENT_NOCASE ||
2724  data->flags & DETECT_CONTENT_WITHIN ||
2725  data->flags & DETECT_CONTENT_DISTANCE ||
2726  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2727  data->flags & DETECT_CONTENT_NEGATED ) {
2728  printf("three failed\n");
2729  result = 0;
2730  goto end;
2731  }
2732  result &= (strncmp((char *)data->content, "three", 5) == 0);
2733  if (result == 0)
2734  goto end;
2735 
2736  result &= (sm->next == NULL);
2737 
2738  end:
2739  SigGroupCleanup(de_ctx);
2740  SigCleanSignatures(de_ctx);
2741  DetectEngineCtxFree(de_ctx);
2742 
2743  return result;
2744 }
2745 
2746 /**
2747  * \test Test content for dce sig.
2748  */
2749 static int DcePayloadParseTest41(void)
2750 {
2751  DetectEngineCtx *de_ctx = NULL;
2752  int result = 1;
2753  Signature *s = NULL;
2754  SigMatch *sm = NULL;
2755  DetectContentData *data = NULL;
2756  DetectBytetestData *btd = NULL;
2757 
2758  de_ctx = DetectEngineCtxInit();
2759  if (de_ctx == NULL)
2760  goto end;
2761 
2762  de_ctx->flags |= DE_QUIET;
2763  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2764  "(msg:\"Testing bytejump_body\"; "
2765  "dce_iface:12345678-1234-1234-1234-123456789012; "
2766  "dce_opnum:10; dce_stub_data; "
2767  "content:\"one\"; within:10; "
2768  "pkt_data; "
2769  "content:\"two\"; "
2770  "byte_test:1,=,2,0,relative,dce; "
2771  "content:\"three\"; "
2772  "sid:1;)");
2773  if (de_ctx->sig_list == NULL) {
2774  result = 0;
2775  goto end;
2776  }
2777 
2778  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2779  result = 0;
2780  goto end;
2781  }
2782  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2783  result = 0;
2784  goto end;
2785  }
2786 
2787  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2788  if (sm->type != DETECT_CONTENT) {
2789  result = 0;
2790  goto end;
2791  }
2792  data = (DetectContentData *)sm->ctx;
2793  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2794  data->flags & DETECT_CONTENT_NOCASE ||
2795  !(data->flags & DETECT_CONTENT_WITHIN) ||
2796  data->flags & DETECT_CONTENT_DISTANCE ||
2797  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2798  data->flags & DETECT_CONTENT_NEGATED ) {
2799  printf("three failed\n");
2800  result = 0;
2801  goto end;
2802  }
2803  result &= (strncmp((char *)data->content, "one", 3) == 0);
2804  if (result == 0)
2805  goto end;
2806 
2807  result &= (sm->next == NULL);
2808 
2809  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2810  if (sm->type != DETECT_CONTENT) {
2811  result = 0;
2812  goto end;
2813  }
2814  data = (DetectContentData *)sm->ctx;
2815  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2816  data->flags & DETECT_CONTENT_NOCASE ||
2817  data->flags & DETECT_CONTENT_WITHIN ||
2818  data->flags & DETECT_CONTENT_DISTANCE ||
2819  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2820  data->flags & DETECT_CONTENT_NEGATED ) {
2821  printf("three failed\n");
2822  result = 0;
2823  goto end;
2824  }
2825  result &= (strncmp((char *)data->content, "two", 3) == 0);
2826  if (result == 0)
2827  goto end;
2828 
2829  sm = sm->next;
2830  if (sm->type != DETECT_BYTETEST) {
2831  result = 0;
2832  goto end;
2833  }
2834  btd = (DetectBytetestData *)sm->ctx;
2835  if (btd->flags & DETECT_BYTETEST_LITTLE ||
2836  btd->flags & DETECT_BYTETEST_BIG ||
2837  btd->flags & DETECT_BYTETEST_STRING ||
2838  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
2839  !(btd->flags & DETECT_BYTETEST_DCE) ) {
2840  result = 0;
2841  printf("one failed\n");
2842  goto end;
2843  }
2844 
2845  sm = sm->next;
2846  if (sm->type != DETECT_CONTENT) {
2847  result = 0;
2848  goto end;
2849  }
2850  data = (DetectContentData *)sm->ctx;
2851  if (data->flags & DETECT_CONTENT_RAWBYTES ||
2852  data->flags & DETECT_CONTENT_NOCASE ||
2853  data->flags & DETECT_CONTENT_WITHIN ||
2854  data->flags & DETECT_CONTENT_DISTANCE ||
2855  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2856  data->flags & DETECT_CONTENT_NEGATED ) {
2857  printf("three failed\n");
2858  result = 0;
2859  goto end;
2860  }
2861  result &= (strncmp((char *)data->content, "three", 5) == 0);
2862  if (result == 0)
2863  goto end;
2864 
2865  result &= (sm->next == NULL);
2866 
2867  end:
2868  SigGroupCleanup(de_ctx);
2869  SigCleanSignatures(de_ctx);
2870  DetectEngineCtxFree(de_ctx);
2871 
2872  return result;
2873 }
2874 
2875 /**
2876  * \test Test content for dce sig.
2877  */
2878 static int DcePayloadParseTest44(void)
2879 {
2880  DetectEngineCtx *de_ctx = NULL;
2881  Signature *s = NULL;
2882  SigMatch *sm = NULL;
2883  DetectContentData *data = NULL;
2884  DetectIsdataatData *isd = NULL;
2885 
2886  de_ctx = DetectEngineCtxInit();
2887  FAIL_IF_NULL(de_ctx);
2888  de_ctx->flags |= DE_QUIET;
2889 
2890  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
2891  "content:\"one\"; "
2892  "dce_iface:12345678-1234-1234-1234-123456789012; "
2893  "dce_opnum:10; dce_stub_data; "
2894  "isdataat:10,relative; "
2895  "content:\"one\"; within:4; distance:8; "
2896  "pkt_data; "
2897  "content:\"two\"; "
2898  "sid:1;)");
2899  FAIL_IF_NULL(s);
2900 
2901  FAIL_IF_NULL(s->init_data->smlists_tail[g_dce_stub_data_buffer_id]);
2902  FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
2903 
2904  /* isdataat:10,relative; */
2905  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
2906  FAIL_IF(sm->type != DETECT_ISDATAAT);
2907  isd = (DetectIsdataatData *)sm->ctx;
2908  FAIL_IF(isd->flags & ISDATAAT_RAWBYTES);
2909  FAIL_IF_NOT(isd->flags & ISDATAAT_RELATIVE);
2910  FAIL_IF_NULL(sm->next);
2911 
2912  sm = sm->next;
2913 
2914  /* content:\"one\"; within:4; distance:8; */
2915  FAIL_IF(sm->type != DETECT_CONTENT);
2916  data = (DetectContentData *)sm->ctx;
2917  FAIL_IF (data->flags & DETECT_CONTENT_RAWBYTES ||
2918  data->flags & DETECT_CONTENT_NOCASE ||
2919  !(data->flags & DETECT_CONTENT_WITHIN) ||
2920  !(data->flags & DETECT_CONTENT_DISTANCE) ||
2921  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2922  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2923  data->flags & DETECT_CONTENT_NEGATED );
2924 
2925  FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
2926  FAIL_IF_NOT(sm->next == NULL);
2927 
2928  /* first content:\"one\"; */
2929  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2930  FAIL_IF(sm->type != DETECT_CONTENT);
2931  data = (DetectContentData *)sm->ctx;
2932  FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES);
2933  FAIL_IF(data->flags & DETECT_CONTENT_NOCASE);
2934  FAIL_IF(data->flags & DETECT_CONTENT_WITHIN);
2935  FAIL_IF(data->flags & DETECT_CONTENT_DISTANCE);
2936  FAIL_IF(data->flags & DETECT_CONTENT_FAST_PATTERN);
2937  FAIL_IF(data->flags & DETECT_CONTENT_RELATIVE_NEXT);
2938  FAIL_IF(data->flags & DETECT_CONTENT_NEGATED );
2939  FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
2940 
2941  FAIL_IF_NULL(sm->next);
2942  sm = sm->next;
2943 
2944  FAIL_IF(sm->type != DETECT_CONTENT);
2945 
2946  data = (DetectContentData *)sm->ctx;
2947  FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES ||
2948  data->flags & DETECT_CONTENT_NOCASE ||
2949  data->flags & DETECT_CONTENT_WITHIN ||
2950  data->flags & DETECT_CONTENT_DISTANCE ||
2951  data->flags & DETECT_CONTENT_FAST_PATTERN ||
2952  data->flags & DETECT_CONTENT_NEGATED );
2953 
2954  FAIL_IF_NOT(strncmp((char *)data->content, "two", 3) == 0);
2955 
2956  FAIL_IF_NOT(sm->next == NULL);
2957 
2958  SigGroupCleanup(de_ctx);
2959  SigCleanSignatures(de_ctx);
2960  DetectEngineCtxFree(de_ctx);
2961 
2962  PASS;
2963 }
2964 
2965 /**
2966  * \test Test content for dce sig.
2967  */
2968 static int DcePayloadParseTest45(void)
2969 {
2970  DetectEngineCtx *de_ctx = NULL;
2971  int result = 1;
2972  Signature *s = NULL;
2973  SigMatch *sm = NULL;
2974  DetectContentData *data = NULL;
2975  DetectBytejumpData *bjd = NULL;
2976 
2977  de_ctx = DetectEngineCtxInit();
2978  if (de_ctx == NULL)
2979  goto end;
2980 
2981  de_ctx->flags |= DE_QUIET;
2982  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2983  "(msg:\"Testing bytejump_body\"; "
2984  "dce_iface:12345678-1234-1234-1234-123456789012; "
2985  "content:\"one\"; "
2986  "dce_opnum:10; dce_stub_data; "
2987  "byte_jump:1,2,relative,align,dce; "
2988  "pkt_data; "
2989  "content:\"two\"; "
2990  "sid:1;)");
2991  if (de_ctx->sig_list == NULL) {
2992  result = 0;
2993  goto end;
2994  }
2995 
2996  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
2997  result = 0;
2998  goto end;
2999  }
3000  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3001  result = 0;
3002  goto end;
3003  }
3004 
3005  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
3006  if (sm->type != DETECT_BYTEJUMP) {
3007  result = 0;
3008  goto end;
3009  }
3010  bjd = (DetectBytejumpData *)sm->ctx;
3011  if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
3012  bjd->flags & DETECT_BYTEJUMP_LITTLE ||
3013  bjd->flags & DETECT_BYTEJUMP_BIG ||
3014  bjd->flags & DETECT_BYTEJUMP_STRING ||
3015  !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
3016  !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
3017  !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
3018  result = 0;
3019  printf("one failed\n");
3020  goto end;
3021  }
3022 
3023  result &= (sm->next == NULL);
3024 
3025  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3026  if (sm->type != DETECT_CONTENT) {
3027  result = 0;
3028  goto end;
3029  }
3030  data = (DetectContentData *)sm->ctx;
3031  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3032  data->flags & DETECT_CONTENT_NOCASE ||
3033  data->flags & DETECT_CONTENT_WITHIN ||
3034  data->flags & DETECT_CONTENT_DISTANCE ||
3035  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3036  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3037  data->flags & DETECT_CONTENT_NEGATED ) {
3038  printf("one failed\n");
3039  result = 0;
3040  goto end;
3041  }
3042  result &= (strncmp((char *)data->content, "one", 3) == 0);
3043  if (result == 0)
3044  goto end;
3045 
3046  sm = sm->next;
3047  if (sm->type != DETECT_CONTENT) {
3048  result = 0;
3049  goto end;
3050  }
3051  data = (DetectContentData *)sm->ctx;
3052  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3053  data->flags & DETECT_CONTENT_NOCASE ||
3054  data->flags & DETECT_CONTENT_WITHIN ||
3055  data->flags & DETECT_CONTENT_DISTANCE ||
3056  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3057  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3058  data->flags & DETECT_CONTENT_NEGATED ) {
3059  printf("two failed\n");
3060  result = 0;
3061  goto end;
3062  }
3063  result &= (strncmp((char *)data->content, "two", 3) == 0);
3064  if (result == 0)
3065  goto end;
3066 
3067  result &= (sm->next == NULL);
3068 
3069  end:
3070  SigGroupCleanup(de_ctx);
3071  SigCleanSignatures(de_ctx);
3072  DetectEngineCtxFree(de_ctx);
3073 
3074  return result;
3075 }
3076 
3077 /**
3078  * \test Test content for dce sig.
3079  */
3080 static int DcePayloadParseTest46(void)
3081 {
3082  DetectEngineCtx *de_ctx = NULL;
3083  int result = 1;
3084  Signature *s = NULL;
3085  SigMatch *sm = NULL;
3086  DetectContentData *data = NULL;
3087  DetectBytetestData *btd = NULL;
3088 
3089  de_ctx = DetectEngineCtxInit();
3090  if (de_ctx == NULL)
3091  goto end;
3092 
3093  de_ctx->flags |= DE_QUIET;
3094  s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3095  "(msg:\"Testing bytejump_body\"; "
3096  "dce_iface:12345678-1234-1234-1234-123456789012; "
3097  "content:\"one\"; "
3098  "dce_opnum:10; dce_stub_data; "
3099  "byte_test:1,=,2,0,relative,dce; "
3100  "pkt_data; "
3101  "content:\"two\"; "
3102  "sid:1;)");
3103  if (de_ctx->sig_list == NULL) {
3104  result = 0;
3105  goto end;
3106  }
3107 
3108  if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
3109  result = 0;
3110  goto end;
3111  }
3112  if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3113  result = 0;
3114  goto end;
3115  }
3116 
3117  sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
3118  if (sm->type != DETECT_BYTETEST) {
3119  result = 0;
3120  goto end;
3121  }
3122  btd = (DetectBytetestData *)sm->ctx;
3123  if (btd->flags & DETECT_BYTETEST_LITTLE ||
3124  btd->flags & DETECT_BYTETEST_BIG ||
3125  btd->flags & DETECT_BYTETEST_STRING ||
3126  !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
3127  !(btd->flags & DETECT_BYTETEST_DCE) ) {
3128  result = 0;
3129  printf("one failed\n");
3130  goto end;
3131  }
3132 
3133  result &= (sm->next == NULL);
3134 
3135  sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3136  if (sm->type != DETECT_CONTENT) {
3137  result = 0;
3138  goto end;
3139  }
3140  data = (DetectContentData *)sm->ctx;
3141  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3142  data->flags & DETECT_CONTENT_NOCASE ||
3143  data->flags & DETECT_CONTENT_WITHIN ||
3144  data->flags & DETECT_CONTENT_DISTANCE ||
3145  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3146  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3147  data->flags & DETECT_CONTENT_NEGATED ) {
3148  printf("one failed\n");
3149  result = 0;
3150  goto end;
3151  }
3152  result &= (strncmp((char *)data->content, "one", 3) == 0);
3153  if (result == 0)
3154  goto end;
3155 
3156  sm = sm->next;
3157  if (sm->type != DETECT_CONTENT) {
3158  result = 0;
3159  goto end;
3160  }
3161  data = (DetectContentData *)sm->ctx;
3162  if (data->flags & DETECT_CONTENT_RAWBYTES ||
3163  data->flags & DETECT_CONTENT_NOCASE ||
3164  data->flags & DETECT_CONTENT_WITHIN ||
3165  data->flags & DETECT_CONTENT_DISTANCE ||
3166  data->flags & DETECT_CONTENT_FAST_PATTERN ||
3167  data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3168  data->flags & DETECT_CONTENT_NEGATED ) {
3169  printf("two failed\n");
3170  result = 0;
3171  goto end;
3172  }
3173  result &= (strncmp((char *)data->content, "two", 3) == 0);
3174  if (result == 0)
3175  goto end;
3176 
3177  result &= (sm->next == NULL);
3178 
3179  end:
3180  SigGroupCleanup(de_ctx);
3181  SigCleanSignatures(de_ctx);
3182  DetectEngineCtxFree(de_ctx);
3183 
3184  return result;
3185 }
3186 
3187 #endif /* UNITTESTS */
3188 
3189 void DcePayloadRegisterTests(void)
3190 {
3191  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
3192 
3193 #ifdef UNITTESTS
3194  UtRegisterTest("DcePayloadTest15", DcePayloadTest15);
3195  UtRegisterTest("DcePayloadTest16", DcePayloadTest16);
3196  UtRegisterTest("DcePayloadTest17", DcePayloadTest17);
3197  UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
3198  UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
3199  UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
3200 
3201  UtRegisterTest("DcePayloadParseTest25", DcePayloadParseTest25);
3202  UtRegisterTest("DcePayloadParseTest26", DcePayloadParseTest26);
3203  UtRegisterTest("DcePayloadParseTest27", DcePayloadParseTest27);
3204  UtRegisterTest("DcePayloadParseTest28", DcePayloadParseTest28);
3205  UtRegisterTest("DcePayloadParseTest29", DcePayloadParseTest29);
3206  UtRegisterTest("DcePayloadParseTest30", DcePayloadParseTest30);
3207  UtRegisterTest("DcePayloadParseTest31", DcePayloadParseTest31);
3208  UtRegisterTest("DcePayloadParseTest32", DcePayloadParseTest32);
3209  UtRegisterTest("DcePayloadParseTest33", DcePayloadParseTest33);
3210  UtRegisterTest("DcePayloadParseTest34", DcePayloadParseTest34);
3211  UtRegisterTest("DcePayloadParseTest35", DcePayloadParseTest35);
3212  UtRegisterTest("DcePayloadParseTest36", DcePayloadParseTest36);
3213  UtRegisterTest("DcePayloadParseTest37", DcePayloadParseTest37);
3214  UtRegisterTest("DcePayloadParseTest38", DcePayloadParseTest38);
3215  UtRegisterTest("DcePayloadParseTest39", DcePayloadParseTest39);
3216  UtRegisterTest("DcePayloadParseTest40", DcePayloadParseTest40);
3217  UtRegisterTest("DcePayloadParseTest41", DcePayloadParseTest41);
3218 
3219  UtRegisterTest("DcePayloadParseTest44", DcePayloadParseTest44);
3220  UtRegisterTest("DcePayloadParseTest45", DcePayloadParseTest45);
3221  UtRegisterTest("DcePayloadParseTest46", DcePayloadParseTest46);
3222 #endif /* UNITTESTS */
3223 
3224  return;
3225 }
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition: detect-content.h:29
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:64
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1152
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:38
flow-util.h
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition: detect-engine-register.h:74
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DETECT_BYTEJUMP_LITTLE
#define DETECT_BYTEJUMP_LITTLE
Definition: detect-bytejump.h:35
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:60
detect-isdataat.h
DetectBytetestData_::flags
uint8_t flags
Definition: detect-bytetest.h:57
Flow_::proto
uint8_t proto
Definition: flow.h:375
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:449
DcePayloadRegisterTests
void DcePayloadRegisterTests(void)
Definition: detect-engine-dcepayload.c:3189
Flow_
Flow data structure.
Definition: flow.h:353
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2076
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:758
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition: detect-content.h:38
DETECT_BYTETEST_DCE
#define DETECT_BYTETEST_DCE
Definition: detect-bytetest.h:47
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2069
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:273
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
DETECT_BYTEJUMP_DCE
#define DETECT_BYTEJUMP_DCE
Definition: detect-bytejump.h:40
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1653
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:86
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:44
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:41
DetectBytetestData_
Definition: detect-bytetest.h:52
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
DETECT_BYTEJUMP_BIG
#define DETECT_BYTEJUMP_BIG
Definition: detect-bytejump.h:36
Flow_::protoctx
void * protoctx
Definition: flow.h:451
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:98
DetectBytejumpData_
Definition: detect-bytejump.h:44
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:270
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:829
Signature_::next
struct Signature_ * next
Definition: detect.h:590
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:513
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
DETECT_BYTETEST_RELATIVE
#define DETECT_BYTETEST_RELATIVE
Definition: detect-bytetest.h:46
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_PCRE_RAWBYTES
#define DETECT_PCRE_RAWBYTES
Definition: detect-pcre.h:30
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition: detect-content.h:30
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1003
DETECT_BYTEJUMP_ALIGN
#define DETECT_BYTEJUMP_ALIGN
Definition: detect-bytejump.h:39
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:267
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:324
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition: detect-content.h:40
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1999
Packet_
Definition: decode.h:414
DETECT_BYTETEST_BIG
#define DETECT_BYTETEST_BIG
Definition: detect-bytetest.h:44
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
detect-bytejump.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:587
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:511
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:62
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1932
SigMatch_::type
uint8_t type
Definition: detect.h:321
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:247
detect-engine-content-inspection.h
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition: detect-engine-register.h:73
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2381
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2773
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:670
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1168
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2981
detect-byte-extract.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:764
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
Flow_::flags
uint32_t flags
Definition: flow.h:431
detect-parse.h
Signature_
Signature container.
Definition: detect.h:517
SigMatch_
a single match condition for a signature
Definition: detect.h:320
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:80
DETECT_BYTETEST_STRING
#define DETECT_BYTETEST_STRING
Definition: detect-bytetest.h:45
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2024
suricata.h
DetectPcreData_
Definition: detect-pcre.h:39
DETECT_BYTEJUMP_STRING
#define DETECT_BYTEJUMP_STRING
Definition: detect-bytejump.h:37
DETECT_BYTEJUMP_BEGIN
#define DETECT_BYTEJUMP_BEGIN
Definition: detect-bytejump.h:34
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:759
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
DETECT_PCRE_RELATIVE
#define DETECT_PCRE_RELATIVE
Definition: detect-pcre.h:29
TcpSession_
Definition: stream-tcp-private.h:260
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
detect-engine-dcepayload.h
DETECT_BYTETEST_LITTLE
#define DETECT_BYTETEST_LITTLE
Definition: detect-bytetest.h:43
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition: detect-content.h:31
DETECT_BYTEJUMP_RELATIVE
#define DETECT_BYTEJUMP_RELATIVE
Definition: detect-bytejump.h:38
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1149
DetectBytejumpData_::flags
uint16_t flags
Definition: detect-bytejump.h:47
app-layer.h
detect-bytetest.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468