64 #include <netinet/in.h>
89 for (; i <
head->netmask / 32 || i < 1; i++) {
90 if (item->
ip[i] <
head->ip[i])
101 static int InsertRange(
107 uint32_t first = first_in;
108 uint32_t last = last_in;
116 while (dd->
netmask > 0 && (first & (1UL << (32 - dd->
netmask))) == 0 &&
117 first + (1UL << (32 - (dd->
netmask - 1))) - 1 <= last) {
120 dd->
ip[0] = htonl(first);
121 first += 1UL << (32 - dd->
netmask);
123 while (first <= last && first != 0) {
130 while (new->netmask > 0 && (first & (1UL << (32 - new->netmask))) == 0 &&
131 first + (1UL << (32 - (new->netmask - 1))) - 1 <= last) {
134 new->ip[0] = htonl(first);
135 first += 1UL << (32 -
new->netmask);
136 dd = IPOnlyCIDRItemInsert(dd,
new);
160 char *ip = NULL, *ip2 = NULL;
165 while (*
str !=
'\0' && *
str ==
' ')
173 if (strcasecmp(
str,
"any") == 0) {
175 SCLogDebug(
"adding 0.0.0.0/0 and ::/0 as we\'re handling \'any\'");
177 IPOnlyCIDRItemParseSingle(&dd,
"0.0.0.0/0");
180 dd->
next = IPOnlyCIDRItemNew();
181 if (dd->
next == NULL)
184 IPOnlyCIDRItemParseSingle(&dd->
next,
"::/0");
198 if ((strchr(
str,
':')) == NULL) {
204 if ((mask = strchr(ip,
'/')) != NULL) {
206 ip[mask - ip] =
'\0';
208 uint32_t netmask = 0;
211 if ((strchr (mask,
'.')) == NULL) {
214 for (u = 0; u < strlen(mask); u++) {
215 if(!isdigit((
unsigned char)mask[u]))
227 r = inet_pton(AF_INET, mask, &in);
238 r = inet_pton(AF_INET, ip, &in);
242 dd->
ip[0] = in.s_addr & netmask;
244 }
else if ((ip2 = strchr(ip,
'-')) != NULL) {
249 uint32_t first, last;
251 r = inet_pton(AF_INET, ip, &in);
256 r = inet_pton(AF_INET, ip2, &in);
265 SCLogDebug(
"Creating CIDR range for [%s - %s]", ip, ip2);
266 return InsertRange(pdd, dd, first, last);
269 r = inet_pton(AF_INET, ip, &in);
274 dd->
ip[0] = in.s_addr;
279 struct in6_addr in6, mask6;
280 uint32_t ip6addr[4], netmask[4];
284 if ((mask = strchr(ip,
'/')) != NULL) {
288 r = inet_pton(AF_INET6, ip, &in6);
294 (
const char *)mask, 0, 128) < 0) {
298 memcpy(&ip6addr, &in6.s6_addr,
sizeof(ip6addr));
300 memcpy(&netmask, &mask6.s6_addr,
sizeof(netmask));
302 dd->
ip[0] = ip6addr[0] & netmask[0];
303 dd->
ip[1] = ip6addr[1] & netmask[1];
304 dd->
ip[2] = ip6addr[2] & netmask[2];
305 dd->
ip[3] = ip6addr[3] & netmask[3];
307 r = inet_pton(AF_INET6, ip, &in6);
311 memcpy(dd->
ip, &in6.s6_addr,
sizeof(dd->
ip));
341 if (IPOnlyCIDRItemParseSingle(gh, s) == -1) {
342 SCLogError(
"address parsing error \"%s\"", s);
376 if (item->
netmask ==
head->netmask && !IPOnlyCIDRItemCompare(
head, item)) {
382 for (prev = it =
head;
414 SCLogDebug(
"Head is NULL to insert item (%p)",item);
426 while (prev != NULL) {
434 head = IPOnlyCIDRItemInsertReal(
head, prev);
455 if (tmphead == NULL) {
466 SCLogDebug(
"Item(%p) %"PRIu32
" removed", it, i);
486 while (tmphead != NULL) {
488 tmphead = tmphead->
next;
502 while (tmphead != NULL) {
504 SCLogDebug(
"Item %"PRIu32
" has netmask %"PRIu8
" negated:"
505 " %s; IP: %s; signum: %"PRIu32, i, tmphead->
netmask,
506 (tmphead->
negated) ?
"yes":
"no",
507 inet_ntoa(*(
struct in_addr*)&tmphead->
ip[0]),
509 tmphead = tmphead->
next;
529 static void SigNumArrayPrint(
void *tmp)
532 for (uint32_t u = 0; u < sna->
size; u++) {
533 uint8_t bitarray = sna->
array[u];
534 for (uint8_t i = 0; i < 8; i++) {
536 printf(
"%" PRIu32
" ", u * 8 + i);
537 bitarray = bitarray >> 1;
556 FatalError(
"Fatal error encountered in SigNumArrayNew. Exiting...");
561 if (new->array == NULL) {
565 memset(new->array, 0, io_ctx->
max_idx / 8 + 1);
566 new->size = io_ctx->
max_idx / 8 + 1;
586 FatalError(
"Fatal error encountered in SigNumArrayCopy. Exiting...");
590 new->size = orig->
size;
593 if (new->array == NULL) {
597 memcpy(new->array, orig->
array, orig->
size);
605 static void SigNumArrayFree(
void *tmp)
612 if (sna->
array != NULL)
633 int o_set = 0, n_set = 0, d_set = 0;
635 size_t size = strlen(s);
637 const char *rule_var_address = NULL;
638 char *temp_rule_var_address = NULL;
641 head = subhead = NULL;
643 SCLogDebug(
"s %s negate %s", s, negate ?
"true" :
"false");
645 for (u = 0, x = 0; u < size && x <
sizeof(
address); u++) {
649 if (!o_set && s[u] ==
'!') {
652 }
else if (s[u] ==
'[') {
658 }
else if (s[u] ==
']') {
664 (negate + n_set) % 2)) == NULL)
667 head = IPOnlyCIDRItemInsert(
head, subhead);
671 }
else if (depth == 0 && s[u] ==
',') {
674 }
else if (d_set == 1) {
679 if (rule_var_address == NULL)
682 if ((negate + n_set) % 2) {
683 temp_rule_var_address =
SCMalloc(strlen(rule_var_address) + 3);
684 if (
unlikely(temp_rule_var_address == NULL)) {
688 snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
689 "[%s]", rule_var_address);
691 temp_rule_var_address =
SCStrdup(rule_var_address);
692 if (
unlikely(temp_rule_var_address == NULL)) {
697 subhead = IPOnlyCIDRListParse2(
de_ctx, temp_rule_var_address,
698 (negate + n_set) % 2);
699 head = IPOnlyCIDRItemInsert(
head, subhead);
704 SCFree(temp_rule_var_address);
709 subhead = IPOnlyCIDRItemNew();
713 if (!((negate + n_set) % 2))
718 if (IPOnlyCIDRItemSetup(&subhead,
address) < 0) {
723 head = IPOnlyCIDRItemInsert(
head, subhead);
728 }
else if (depth == 0 && s[u] ==
'$') {
730 }
else if (depth == 0 && u == size - 1) {
741 if (rule_var_address == NULL)
744 if ((negate + n_set) % 2) {
745 temp_rule_var_address =
SCMalloc(strlen(rule_var_address) + 3);
746 if (
unlikely(temp_rule_var_address == NULL)) {
749 snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
750 "[%s]", rule_var_address);
752 temp_rule_var_address =
SCStrdup(rule_var_address);
753 if (
unlikely(temp_rule_var_address == NULL)) {
757 subhead = IPOnlyCIDRListParse2(
de_ctx, temp_rule_var_address,
758 (negate + n_set) % 2);
759 head = IPOnlyCIDRItemInsert(
head, subhead);
763 SCFree(temp_rule_var_address);
765 subhead = IPOnlyCIDRItemNew();
769 if (!((negate + n_set) % 2))
774 if (IPOnlyCIDRItemSetup(&subhead,
address) < 0) {
779 head = IPOnlyCIDRItemInsert(
head, subhead);
811 *gh = IPOnlyCIDRListParse2(
de_ctx,
str, 0);
813 SCLogDebug(
"IPOnlyCIDRListParse2 returned null");
836 Signature *s,
const char *addrstr,
char flag)
838 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
842 if (strcasecmp(addrstr,
"any") == 0) {
844 if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_src,
"[0.0.0.0/0,::/0]") < 0)
847 }
else if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_src, (
char *)addrstr) < 0) {
853 if (strcasecmp(addrstr,
"any") == 0) {
855 if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_dst,
"[0.0.0.0/0,::/0]") < 0)
858 }
else if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_dst, (
char *)addrstr) < 0) {
887 FatalError(
"Unable to allocate iponly signature tracking area");
982 void *user_data_src = NULL, *user_data_dst = NULL;
1002 src = user_data_src;
1003 dst = user_data_dst;
1005 if (
src == NULL ||
dst == NULL)
1009 for (u = 0; u <
src->size; u++) {
1012 uint8_t bitarray =
dst->array[u] &
src->array[u];
1021 for (; i < 8; i++, bitarray = bitarray >> 1) {
1022 if (bitarray & 0x01) {
1046 if (dport == NULL) {
1056 if (sport == NULL) {
1062 SCLogDebug(
"port-less protocol and sig needs ports");
1066 if (!IPOnlyMatchCompatSMs(
tv, det_ctx, s, p)) {
1070 SCLogDebug(
"Signum %"PRIu32
" match (sid: %"PRIu32
", msg: %s)",
1071 u * 8 + i, s->
id, s->
msg);
1077 SCLogDebug(
"running match functions, sm %p", smd);
1120 if (
src->family == AF_INET) {
1130 void *user_data = NULL;
1131 if (
src->netmask == 32)
1138 src->netmask, &user_data);
1139 if (user_data == NULL) {
1147 if (user_data == NULL) {
1154 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1156 if (
src->negated > 0)
1158 sna->
array[
src->signum / 8] &= ~tmp;
1161 sna->
array[
src->signum / 8] |= tmp;
1163 if (
src->netmask == 32)
1173 "src ipv4 radix tree");
1182 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1184 if (
src->negated > 0)
1186 sna->
array[
src->signum / 8] &= ~tmp;
1189 sna->
array[
src->signum / 8] |= tmp;
1191 if (
src->netmask == 32)
1203 " src ipv4 radix tree ip %s netmask %" PRIu8,
1204 tmpstr,
src->netmask);
1216 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1218 if (
src->negated > 0)
1220 sna->
array[
src->signum / 8] &= ~tmp;
1223 sna->
array[
src->signum / 8] |= tmp;
1225 }
else if (
src->family == AF_INET6) {
1228 void *user_data = NULL;
1229 if (
src->netmask == 128)
1236 src->netmask, &user_data);
1238 if (user_data == NULL) {
1244 if (user_data == NULL) {
1249 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1251 if (
src->negated > 0)
1253 sna->
array[
src->signum / 8] &= ~tmp;
1256 sna->
array[
src->signum / 8] |= tmp;
1258 if (
src->netmask == 128)
1274 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1275 if (
src->negated > 0)
1277 sna->
array[
src->signum / 8] &= ~tmp;
1280 sna->
array[
src->signum / 8] |= tmp;
1282 if (
src->netmask == 128)
1298 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1299 if (
src->negated > 0)
1301 sna->
array[
src->signum / 8] &= ~tmp;
1304 sna->
array[
src->signum / 8] |= tmp;
1316 if (
dst->family == AF_INET) {
1319 SCLogDebug(
"Item has netmask %"PRIu8
" negated: %s; IP: %s; signum:"
1320 " %"PRIu32
"",
dst->netmask, (
dst->negated)?
"yes":
"no",
1321 inet_ntoa(*(
struct in_addr*)&
dst->ip[0]),
dst->signum);
1323 void *user_data = NULL;
1324 if (
dst->netmask == 32)
1334 if (user_data == NULL) {
1344 if (user_data == NULL) {
1351 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1352 if (
dst->negated > 0)
1354 sna->
array[
dst->signum / 8] &= ~tmp;
1357 sna->
array[
dst->signum / 8] |= tmp;
1359 if (
dst->netmask == 32)
1378 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1379 if (
dst->negated > 0)
1381 sna->
array[
dst->signum / 8] &= ~tmp;
1384 sna->
array[
dst->signum / 8] |= tmp;
1386 if (
dst->netmask == 32)
1405 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1406 if (
dst->negated > 0)
1408 sna->
array[
dst->signum / 8] &= ~tmp;
1411 sna->
array[
dst->signum / 8] |= tmp;
1413 }
else if (
dst->family == AF_INET6) {
1416 void *user_data = NULL;
1417 if (
dst->netmask == 128)
1424 dst->netmask, &user_data);
1426 if (user_data == NULL) {
1434 if (user_data == NULL) {
1439 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1440 if (
dst->negated > 0)
1442 sna->
array[
dst->signum / 8] &= ~tmp;
1445 sna->
array[
dst->signum / 8] |= tmp;
1447 if (
dst->netmask == 128)
1464 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1465 if (
dst->negated > 0)
1467 sna->
array[
dst->signum / 8] &= ~tmp;
1470 sna->
array[
dst->signum / 8] |= tmp;
1472 if (
dst->netmask == 128)
1489 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1490 if (
dst->negated > 0)
1492 sna->
array[
dst->signum / 8] &= ~tmp;
1495 sna->
array[
dst->signum / 8] |= tmp;
1533 SCLogDebug(
"Adding IPs from rule: %" PRIu32
" (%s) as %" PRIu32
" mapped to %" PRIu32
"\n",
1534 s->
id, s->
msg, s->
num, mapped_signum);
1536 IPOnlyCIDRListSetSigNum(s->
cidr_src, mapped_signum);
1538 IPOnlyCIDRListSetSigNum(s->
cidr_dst, mapped_signum);
1547 if (mapped_signum > io_ctx->
max_idx)
1548 io_ctx->
max_idx = mapped_signum;
1561 static int IPOnlyTestSig01(
void)
1581 static int IPOnlyTestSig02 (
void)
1601 static int IPOnlyTestSig03 (
void)
1613 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre and content) \"; content:\"php\"; pcre:\"/require(_once)?/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1619 printf(
"got a IPOnly signature (content): ");
1625 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (content) \"; content:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1631 printf(
"got a IPOnly signature (content): ");
1637 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (uricontent) \"; uricontent:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1643 printf(
"got a IPOnly signature (uricontent): ");
1649 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre) \"; pcre:\"/e?idps rule[sz]/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1655 printf(
"got a IPOnly signature (pcre): ");
1661 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flow) \"; flow:to_server; classtype:misc-activity; sid:400001; rev:1;)");
1667 printf(
"got a IPOnly signature (flow): ");
1673 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (dsize) \"; dsize:100; classtype:misc-activity; sid:400001; rev:1;)");
1679 printf(
"got a IPOnly signature (dsize): ");
1685 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowbits) \"; flowbits:unset; classtype:misc-activity; sid:400001; rev:1;)");
1691 printf(
"got a IPOnly signature (flowbits): ");
1697 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowvar) \"; pcre:\"/(?<flow_var>.*)/i\"; flowvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1703 printf(
"got a IPOnly signature (flowvar): ");
1709 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pktvar) \"; pcre:\"/(?<pkt_var>.*)/i\"; pktvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1715 printf(
"got a IPOnly signature (pktvar): ");
1729 static int IPOnlyTestSig04 (
void)
1736 new = IPOnlyCIDRItemNew();
1739 head = IPOnlyCIDRItemInsert(
head,
new);
1741 new = IPOnlyCIDRItemNew();
1744 head = IPOnlyCIDRItemInsert(
head,
new);
1746 new = IPOnlyCIDRItemNew();
1749 head = IPOnlyCIDRItemInsert(
head,
new);
1751 new = IPOnlyCIDRItemNew();
1754 head = IPOnlyCIDRItemInsert(
head,
new);
1756 new = IPOnlyCIDRItemNew();
1759 head = IPOnlyCIDRItemInsert(
head,
new);
1761 IPOnlyCIDRListPrint(
head);
1763 if (new->netmask != 9) {
1768 if (new->netmask != 10) {
1773 if (new->netmask != 10) {
1778 if (new->netmask != 10) {
1783 if (new->netmask != 11) {
1797 static int IPOnlyTestSig05(
void)
1800 uint8_t *buf = (uint8_t *)
"Hi all!";
1801 uint16_t buflen = strlen((
char *)buf);
1803 uint8_t numpkts = 1;
1804 uint8_t numsigs = 7;
1810 const char *sigs[numsigs];
1811 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1812 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1813 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1814 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1815 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1816 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1817 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1820 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1821 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
1834 static int IPOnlyTestSig06(
void)
1837 uint8_t *buf = (uint8_t *)
"Hi all!";
1838 uint16_t buflen = strlen((
char *)buf);
1840 uint8_t numpkts = 1;
1841 uint8_t numsigs = 7;
1845 p[0] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"80.58.0.33",
"195.235.113.3");
1847 const char *sigs[numsigs];
1848 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1849 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1850 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1851 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1852 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1853 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1854 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1857 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1858 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
1875 static int IPOnlyTestSig07(
void)
1878 uint8_t *buf = (uint8_t *)
"Hi all!";
1879 uint16_t buflen = strlen((
char *)buf);
1881 uint8_t numpkts = 1;
1882 uint8_t numsigs = 7;
1888 char *sigs[numsigs];
1889 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1890 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1891 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1892 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1893 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1894 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1895 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1898 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1899 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
1913 static int IPOnlyTestSig08(
void)
1916 uint8_t *buf = (uint8_t *)
"Hi all!";
1917 uint16_t buflen = strlen((
char *)buf);
1919 uint8_t numpkts = 1;
1920 uint8_t numsigs = 7;
1926 const char *sigs[numsigs];
1927 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1928 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1929 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1930 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1931 sigs[4]=
"alert tcp any any -> !192.168.1.5 any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1932 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1933 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1936 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1937 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
1950 static int IPOnlyTestSig09(
void)
1953 uint8_t *buf = (uint8_t *)
"Hi all!";
1954 uint16_t buflen = strlen((
char *)buf);
1956 uint8_t numpkts = 1;
1957 uint8_t numsigs = 7;
1961 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
1963 const char *sigs[numsigs];
1964 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1965 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1966 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1967 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:0/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1968 sigs[4]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1969 sigs[5]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1970 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1973 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1974 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
1987 static int IPOnlyTestSig10(
void)
1990 uint8_t *buf = (uint8_t *)
"Hi all!";
1991 uint16_t buflen = strlen((
char *)buf);
1993 uint8_t numpkts = 1;
1994 uint8_t numsigs = 7;
1998 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565");
2000 const char *sigs[numsigs];
2001 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2002 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2003 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2004 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> !3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2005 sigs[4]=
"alert tcp !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2006 sigs[5]=
"alert tcp any any -> !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2007 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDB:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
2010 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2011 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
2028 static int IPOnlyTestSig11(
void)
2031 uint8_t *buf = (uint8_t *)
"Hi all!";
2032 uint16_t buflen = strlen((
char *)buf);
2034 uint8_t numpkts = 2;
2035 uint8_t numsigs = 7;
2039 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
2042 char *sigs[numsigs];
2043 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2044 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2045 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2046 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2047 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2048 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2049 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2052 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2053 uint32_t
results[2][7] = {{ 1, 1, 1, 1, 1, 1, 1}, { 1, 1, 1, 1, 1, 1, 1}};
2067 static int IPOnlyTestSig12(
void)
2070 uint8_t *buf = (uint8_t *)
"Hi all!";
2071 uint16_t buflen = strlen((
char *)buf);
2073 uint8_t numpkts = 2;
2074 uint8_t numsigs = 7;
2078 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565");
2081 const char *sigs[numsigs];
2082 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2083 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2084 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2085 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2086 sigs[4]=
"alert tcp any any -> [!3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565,!80.198.1.5] any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2087 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2088 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2091 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2092 uint32_t
results[2][7] = {{ 0, 0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0, 0, 0}};
2101 static int IPOnlyTestSig13(
void)
2108 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2109 "flowbits:set,myflow1; sid:1; rev:1;)");
2118 static int IPOnlyTestSig14(
void)
2125 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2126 "flowbits:set,myflow1; flowbits:isset,myflow2; sid:1; rev:1;)");
2135 static int IPOnlyTestSig15(
void)
2138 uint8_t *buf = (uint8_t *)
"Hi all!";
2139 uint16_t buflen = strlen((
char *)buf);
2141 uint8_t numpkts = 1;
2142 uint8_t numsigs = 7;
2147 memset(&f, 0,
sizeof(
Flow));
2158 const char *sigs[numsigs];
2159 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; "
2160 "flowbits:set,one; sid:1;)";
2161 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; "
2162 "flowbits:set,two; sid:2;)";
2163 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; "
2164 "flowbits:set,three; sid:3;)";
2165 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; "
2166 "flowbits:set,four; sid:4;)";
2167 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; "
2168 "flowbits:set,five; sid:5;)";
2169 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; "
2170 "flowbits:set,six; sid:6;)";
2171 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; "
2172 "flowbits:set,seven; content:\"Hi all\"; sid:7;)";
2175 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2176 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
2189 static int IPOnlyTestSig16(
void)
2192 uint8_t *buf = (uint8_t *)
"Hi all!";
2193 uint16_t buflen = strlen((
char *)buf);
2195 uint8_t numpkts = 1;
2196 uint8_t numsigs = 2;
2202 const char *sigs[numsigs];
2203 sigs[0]=
"alert tcp !100.100.0.1 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2204 sigs[1]=
"alert tcp any any -> !50.0.0.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2207 uint32_t sid[2] = { 1, 2};
2208 uint32_t
results[2] = { 1, 1};
2220 static int IPOnlyTestSig17(
void)
2223 uint8_t *buf = (uint8_t *)
"Hi all!";
2224 uint16_t buflen = strlen((
char *)buf);
2226 uint8_t numpkts = 1;
2227 uint8_t numsigs = 2;
2233 const char *sigs[numsigs];
2234 sigs[0]=
"alert ip 100.100.0.0 80 -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2235 sigs[1]=
"alert ip any any -> 50.0.0.0 123 (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2237 uint32_t sid[2] = { 1, 2};
2238 uint32_t
results[2] = { 0, 0};
2250 static int IPOnlyTestSig18(
void)
2253 uint8_t *buf = (uint8_t *)
"Hi all!";
2254 uint16_t buflen = strlen((
char *)buf);
2256 uint8_t numpkts = 4;
2257 uint8_t numsigs = 4;
2264 p[3] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"255.255.255.254",
"5.0.0.1");
2266 const char *sigs[numsigs];
2268 sigs[0]=
"alert ip 1.2.3.4-219.6.7.8 any -> any any (sid:1;)";
2269 sigs[1]=
"alert ip 51.2.3.4-253.1.2.3 any -> any any (sid:2;)";
2270 sigs[2]=
"alert ip 0.0.0.0-50.0.0.2 any -> any any (sid:3;)";
2271 sigs[3]=
"alert ip 50.0.0.0-255.255.255.255 any -> any any (sid:4;)";
2273 uint32_t sid[4] = { 1, 2, 3, 4, };
2275 { 1, 0, 1, 0, }, { 0, 1, 0, 1}, { 0, 0, 1, 0 }, { 0, 0, 0, 1}};
2287 static int IPOnlyTestBug5066v1(
void)
2294 de_ctx,
"alert ip [1.2.3.4/24,1.2.3.64/27] any -> any any (sid:1;)");
2305 static int IPOnlyTestBug5066v2(
void)
2310 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.4/24") != 0);
2313 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2323 static int IPOnlyTestBug5066v3(
void)
2328 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.64/26") != 0);
2331 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2341 static int IPOnlyTestBug5066v4(
void)
2346 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"2000::1:1/122") != 0);
2349 PrintInet(AF_INET6, (
const void *)&x->
ip, ip,
sizeof(ip));
2352 FAIL_IF_NOT(strcmp(ip,
"2000:0000:0000:0000:0000:0000:0001:0000") == 0);
2359 static int IPOnlyTestBug5066v5(
void)
2364 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"2000::1:40/122") != 0);
2367 PrintInet(AF_INET6, (
const void *)&x->
ip, ip,
sizeof(ip));
2370 FAIL_IF_NOT(strcmp(ip,
"2000:0000:0000:0000:0000:0000:0001:0040") == 0);
2377 static int IPOnlyTestBug5168v1(
void)
2382 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.64/0.0.0.0") != 0);
2385 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2395 static int IPOnlyTestBug5168v2(
void)
2399 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"0.0.0.5/0.0.0.5") != -1);