64 #include <netinet/in.h>
95 for (; i < lhs->
netmask / 32 || i < 1; i++) {
96 if (lhs->
ip[i] < rhs->
ip[i])
98 if (lhs->
ip[i] > rhs->
ip[i])
107 static int IPOnlyCIDRItemCompare(
const void *lhsv,
const void *rhsv)
112 return IPOnlyCIDRItemCompareReal(lhs, rhs);
133 SCLogError(
"Failed to allocate enough memory to sort IP-only CIDR items.");
138 for (
size_t i = 0; i <
len; i++) {
149 for (
size_t i = 0; i + 1 <
len; i++) {
150 tmp[i]->
next = tmp[i + 1];
162 static int InsertRange(
168 uint32_t first = first_in;
169 uint32_t last = last_in;
177 while (dd->
netmask > 0 && (first & (1UL << (32 - dd->
netmask))) == 0 &&
178 first + (1UL << (32 - (dd->
netmask - 1))) - 1 <= last) {
181 dd->
ip[0] = htonl(first);
182 first += 1UL << (32 - dd->
netmask);
184 while (first <= last && first != 0) {
191 while (new->netmask > 0 && (first & (1UL << (32 - new->netmask))) == 0 &&
192 first + (1UL << (32 - (new->netmask - 1))) - 1 <= last) {
195 new->ip[0] = htonl(first);
196 first += 1UL << (32 -
new->netmask);
197 dd = IPOnlyCIDRItemInsert(dd,
new);
221 char *ip = NULL, *ip2 = NULL;
226 while (*
str !=
'\0' && *
str ==
' ')
234 if (strcasecmp(
str,
"any") == 0) {
236 SCLogDebug(
"adding 0.0.0.0/0 and ::/0 as we\'re handling \'any\'");
238 IPOnlyCIDRItemParseSingle(&dd,
"0.0.0.0/0");
241 dd->
next = IPOnlyCIDRItemNew();
242 if (dd->
next == NULL)
245 IPOnlyCIDRItemParseSingle(&dd->
next,
"::/0");
259 if ((strchr(
str,
':')) == NULL) {
265 if ((mask = strchr(ip,
'/')) != NULL) {
267 ip[mask - ip] =
'\0';
269 uint32_t netmask = 0;
272 if ((strchr (mask,
'.')) == NULL) {
275 for (u = 0; u < strlen(mask); u++) {
276 if(!isdigit((
unsigned char)mask[u]))
288 r = inet_pton(AF_INET, mask, &in);
299 r = inet_pton(AF_INET, ip, &in);
303 dd->
ip[0] = in.s_addr & netmask;
305 }
else if ((ip2 = strchr(ip,
'-')) != NULL) {
310 uint32_t first, last;
312 r = inet_pton(AF_INET, ip, &in);
317 r = inet_pton(AF_INET, ip2, &in);
326 SCLogDebug(
"Creating CIDR range for [%s - %s]", ip, ip2);
327 return InsertRange(pdd, dd, first, last);
330 r = inet_pton(AF_INET, ip, &in);
335 dd->
ip[0] = in.s_addr;
340 struct in6_addr in6, mask6;
341 uint32_t ip6addr[4], netmask[4];
345 if ((mask = strchr(ip,
'/')) != NULL) {
349 r = inet_pton(AF_INET6, ip, &in6);
355 (
const char *)mask, 0, 128) < 0) {
359 memcpy(&ip6addr, &in6.s6_addr,
sizeof(ip6addr));
361 memcpy(&netmask, &mask6.s6_addr,
sizeof(netmask));
363 dd->
ip[0] = ip6addr[0] & netmask[0];
364 dd->
ip[1] = ip6addr[1] & netmask[1];
365 dd->
ip[2] = ip6addr[2] & netmask[2];
366 dd->
ip[3] = ip6addr[3] & netmask[3];
368 r = inet_pton(AF_INET6, ip, &in6);
372 memcpy(dd->
ip, &in6.s6_addr,
sizeof(dd->
ip));
402 if (IPOnlyCIDRItemParseSingle(gh, s) == -1) {
403 SCLogError(
"address parsing error \"%s\"", s);
448 SCLogDebug(
"Head is NULL to insert item (%p)",item);
460 while (prev != NULL) {
468 head = IPOnlyCIDRItemInsertReal(
head, prev);
489 if (tmphead == NULL) {
500 SCLogDebug(
"Item(%p) %"PRIu32
" removed", it, i);
520 while (tmphead != NULL) {
522 tmphead = tmphead->
next;
536 while (tmphead != NULL) {
538 SCLogDebug(
"Item %"PRIu32
" has netmask %"PRIu8
" negated:"
539 " %s; IP: %s; signum: %"PRIu32, i, tmphead->
netmask,
540 (tmphead->
negated) ?
"yes":
"no",
541 inet_ntoa(*(
struct in_addr*)&tmphead->
ip[0]),
543 tmphead = tmphead->
next;
563 static void SigNumArrayPrint(
void *tmp)
566 for (uint32_t u = 0; u < sna->
size; u++) {
567 uint8_t bitarray = sna->
array[u];
568 for (uint8_t i = 0; i < 8; i++) {
570 printf(
"%" PRIu32
" ", u * 8 + i);
571 bitarray = bitarray >> 1;
590 FatalError(
"Fatal error encountered in SigNumArrayNew. Exiting...");
594 if (new->array == NULL) {
598 new->size = io_ctx->
max_idx / 8 + 1;
618 FatalError(
"Fatal error encountered in SigNumArrayCopy. Exiting...");
621 new->size = orig->
size;
624 if (new->array == NULL) {
628 memcpy(new->array, orig->
array, orig->
size);
636 static void SigNumArrayFree(
void *tmp)
643 if (sna->
array != NULL)
664 int o_set = 0, n_set = 0, d_set = 0;
666 size_t size = strlen(s);
668 const char *rule_var_address = NULL;
669 char *temp_rule_var_address = NULL;
672 head = subhead = NULL;
674 SCLogDebug(
"s %s negate %s", s, negate ?
"true" :
"false");
676 for (u = 0, x = 0; u < size && x <
sizeof(
address); u++) {
680 if (!o_set && s[u] ==
'!') {
683 }
else if (s[u] ==
'[') {
689 }
else if (s[u] ==
']') {
695 (negate + n_set) % 2)) == NULL)
698 head = IPOnlyCIDRItemInsert(
head, subhead);
702 }
else if (depth == 0 && s[u] ==
',') {
705 }
else if (d_set == 1) {
710 if (rule_var_address == NULL)
713 if ((negate + n_set) % 2) {
714 temp_rule_var_address =
SCMalloc(strlen(rule_var_address) + 3);
715 if (
unlikely(temp_rule_var_address == NULL)) {
719 snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
720 "[%s]", rule_var_address);
722 temp_rule_var_address =
SCStrdup(rule_var_address);
723 if (
unlikely(temp_rule_var_address == NULL)) {
728 subhead = IPOnlyCIDRListParse2(
de_ctx, temp_rule_var_address,
729 (negate + n_set) % 2);
730 head = IPOnlyCIDRItemInsert(
head, subhead);
735 SCFree(temp_rule_var_address);
740 subhead = IPOnlyCIDRItemNew();
744 if (!((negate + n_set) % 2))
749 if (IPOnlyCIDRItemSetup(&subhead,
address) < 0) {
754 head = IPOnlyCIDRItemInsert(
head, subhead);
759 }
else if (depth == 0 && s[u] ==
'$') {
761 }
else if (depth == 0 && u == size - 1) {
772 if (rule_var_address == NULL)
775 if ((negate + n_set) % 2) {
776 temp_rule_var_address =
SCMalloc(strlen(rule_var_address) + 3);
777 if (
unlikely(temp_rule_var_address == NULL)) {
780 snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
781 "[%s]", rule_var_address);
783 temp_rule_var_address =
SCStrdup(rule_var_address);
784 if (
unlikely(temp_rule_var_address == NULL)) {
788 subhead = IPOnlyCIDRListParse2(
de_ctx, temp_rule_var_address,
789 (negate + n_set) % 2);
790 head = IPOnlyCIDRItemInsert(
head, subhead);
794 SCFree(temp_rule_var_address);
796 subhead = IPOnlyCIDRItemNew();
800 if (!((negate + n_set) % 2))
805 if (IPOnlyCIDRItemSetup(&subhead,
address) < 0) {
810 head = IPOnlyCIDRItemInsert(
head, subhead);
842 *gh = IPOnlyCIDRListParse2(
de_ctx,
str, 0);
844 SCLogDebug(
"IPOnlyCIDRListParse2 returned null");
867 Signature *s,
const char *addrstr,
char flag)
869 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
873 if (strcasecmp(addrstr,
"any") == 0) {
884 if (strcasecmp(addrstr,
"any") == 0) {
918 FatalError(
"Unable to allocate iponly signature tracking area");
975 static inline int IPOnlyMatchCompatSMs(
1009 void *user_data_src = NULL, *user_data_dst = NULL;
1029 src = user_data_src;
1030 dst = user_data_dst;
1032 if (
src == NULL ||
dst == NULL)
1035 for (uint32_t u = 0; u <
src->size; u++) {
1038 uint8_t bitarray =
dst->array[u] &
src->array[u];
1048 for (uint8_t i = 0; i < 8; i++, bitarray = bitarray >> 1) {
1049 if (bitarray & 0x01) {
1066 if (p->
proto == IPPROTO_TCP || p->
proto == IPPROTO_UDP ||
1073 if (dport == NULL) {
1083 if (sport == NULL) {
1090 SCLogDebug(
"port-less protocol and sig needs ports");
1094 if (!IPOnlyMatchCompatSMs(
tv, det_ctx, s, p)) {
1098 SCLogDebug(
"Signum %" PRIu32
" match (sid: %" PRIu32
", msg: %s)", u * 8 + i, s->
id,
1105 SCLogDebug(
"running match functions, sm %p", smd);
1150 if (
src->family == AF_INET) {
1160 void *user_data = NULL;
1161 if (
src->netmask == 32)
1168 src->netmask, &user_data);
1169 if (user_data == NULL) {
1177 if (user_data == NULL) {
1184 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1186 if (
src->negated > 0)
1188 sna->
array[
src->signum / 8] &= ~tmp;
1191 sna->
array[
src->signum / 8] |= tmp;
1193 if (
src->netmask == 32)
1203 "src ipv4 radix tree");
1212 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1214 if (
src->negated > 0)
1216 sna->
array[
src->signum / 8] &= ~tmp;
1219 sna->
array[
src->signum / 8] |= tmp;
1221 if (
src->netmask == 32)
1233 " src ipv4 radix tree ip %s netmask %" PRIu8,
1234 tmpstr,
src->netmask);
1246 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1248 if (
src->negated > 0)
1250 sna->
array[
src->signum / 8] &= ~tmp;
1253 sna->
array[
src->signum / 8] |= tmp;
1255 }
else if (
src->family == AF_INET6) {
1258 void *user_data = NULL;
1259 if (
src->netmask == 128)
1266 src->netmask, &user_data);
1268 if (user_data == NULL) {
1274 if (user_data == NULL) {
1279 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1281 if (
src->negated > 0)
1283 sna->
array[
src->signum / 8] &= ~tmp;
1286 sna->
array[
src->signum / 8] |= tmp;
1288 if (
src->netmask == 128)
1304 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1305 if (
src->negated > 0)
1307 sna->
array[
src->signum / 8] &= ~tmp;
1310 sna->
array[
src->signum / 8] |= tmp;
1312 if (
src->netmask == 128)
1328 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1329 if (
src->negated > 0)
1331 sna->
array[
src->signum / 8] &= ~tmp;
1334 sna->
array[
src->signum / 8] |= tmp;
1346 if (
dst->family == AF_INET) {
1349 SCLogDebug(
"Item has netmask %"PRIu8
" negated: %s; IP: %s; signum:"
1350 " %"PRIu32
"",
dst->netmask, (
dst->negated)?
"yes":
"no",
1351 inet_ntoa(*(
struct in_addr*)&
dst->ip[0]),
dst->signum);
1353 void *user_data = NULL;
1354 if (
dst->netmask == 32)
1364 if (user_data == NULL) {
1374 if (user_data == NULL) {
1381 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1382 if (
dst->negated > 0)
1384 sna->
array[
dst->signum / 8] &= ~tmp;
1387 sna->
array[
dst->signum / 8] |= tmp;
1389 if (
dst->netmask == 32)
1408 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1409 if (
dst->negated > 0)
1411 sna->
array[
dst->signum / 8] &= ~tmp;
1414 sna->
array[
dst->signum / 8] |= tmp;
1416 if (
dst->netmask == 32)
1435 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1436 if (
dst->negated > 0)
1438 sna->
array[
dst->signum / 8] &= ~tmp;
1441 sna->
array[
dst->signum / 8] |= tmp;
1443 }
else if (
dst->family == AF_INET6) {
1446 void *user_data = NULL;
1447 if (
dst->netmask == 128)
1454 dst->netmask, &user_data);
1456 if (user_data == NULL) {
1464 if (user_data == NULL) {
1469 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1470 if (
dst->negated > 0)
1472 sna->
array[
dst->signum / 8] &= ~tmp;
1475 sna->
array[
dst->signum / 8] |= tmp;
1477 if (
dst->netmask == 128)
1494 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1495 if (
dst->negated > 0)
1497 sna->
array[
dst->signum / 8] &= ~tmp;
1500 sna->
array[
dst->signum / 8] |= tmp;
1502 if (
dst->netmask == 128)
1519 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1520 if (
dst->negated > 0)
1522 sna->
array[
dst->signum / 8] &= ~tmp;
1525 sna->
array[
dst->signum / 8] |= tmp;
1563 SCLogDebug(
"Adding IPs from rule: %" PRIu32
" (%s) as %" PRIu32
" mapped to %" PRIu32
"\n",
1564 s->
id, s->
msg, s->
num, mapped_signum);
1577 if (mapped_signum > io_ctx->
max_idx)
1578 io_ctx->
max_idx = mapped_signum;
1591 static int IPOnlyTestSig01(
void)
1611 static int IPOnlyTestSig02 (
void)
1631 static int IPOnlyTestSig03 (
void)
1643 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre and content) \"; content:\"php\"; pcre:\"/require(_once)?/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1649 printf(
"got a IPOnly signature (content): ");
1655 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (content) \"; content:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1661 printf(
"got a IPOnly signature (content): ");
1667 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (uricontent) \"; uricontent:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1673 printf(
"got a IPOnly signature (uricontent): ");
1679 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre) \"; pcre:\"/e?idps rule[sz]/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1685 printf(
"got a IPOnly signature (pcre): ");
1691 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flow) \"; flow:to_server; classtype:misc-activity; sid:400001; rev:1;)");
1697 printf(
"got a IPOnly signature (flow): ");
1703 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (dsize) \"; dsize:100; classtype:misc-activity; sid:400001; rev:1;)");
1709 printf(
"got a IPOnly signature (dsize): ");
1715 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowbits) \"; flowbits:unset; classtype:misc-activity; sid:400001; rev:1;)");
1721 printf(
"got a IPOnly signature (flowbits): ");
1727 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowvar) \"; pcre:\"/(?<flow_var>.*)/i\"; flowvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1733 printf(
"got a IPOnly signature (flowvar): ");
1739 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pktvar) \"; pcre:\"/(?<pkt_var>.*)/i\"; pktvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1745 printf(
"got a IPOnly signature (pktvar): ");
1759 static int IPOnlyTestSig04 (
void)
1765 for (
int size = 0; size < 6; size++) {
1769 new = IPOnlyCIDRItemNew();
1773 head = IPOnlyCIDRItemInsert(
head,
new);
1777 new = IPOnlyCIDRItemNew();
1780 head = IPOnlyCIDRItemInsert(
head,
new);
1784 new = IPOnlyCIDRItemNew();
1787 head = IPOnlyCIDRItemInsert(
head,
new);
1791 new = IPOnlyCIDRItemNew();
1795 head = IPOnlyCIDRItemInsert(
head,
new);
1799 new = IPOnlyCIDRItemNew();
1803 head = IPOnlyCIDRItemInsert(
head,
new);
1806 IPOnlyCIDRListPrint(
head);
1808 IPOnlyCIDRListQSort(&
head);
1827 if (new->netmask != 9) {
1835 if (new->netmask != 10 || new->ip[0] != 1) {
1843 if (new->netmask != 10 || new->ip[0] != 2) {
1851 if (new->netmask != 10 || new->ip[0] != 3) {
1859 if (new->netmask != 11) {
1887 static int IPOnlyTestSig05(
void)
1890 uint8_t *buf = (uint8_t *)
"Hi all!";
1891 uint16_t buflen = strlen((
char *)buf);
1893 uint8_t numpkts = 1;
1894 uint8_t numsigs = 7;
1900 const char *sigs[numsigs];
1901 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1902 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1903 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1904 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1905 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1906 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1907 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1910 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1911 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
1924 static int IPOnlyTestSig06(
void)
1927 uint8_t *buf = (uint8_t *)
"Hi all!";
1928 uint16_t buflen = strlen((
char *)buf);
1930 uint8_t numpkts = 1;
1931 uint8_t numsigs = 7;
1935 p[0] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"80.58.0.33",
"195.235.113.3");
1937 const char *sigs[numsigs];
1938 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1939 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1940 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1941 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1942 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1943 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1944 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1947 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1948 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
1965 static int IPOnlyTestSig07(
void)
1968 uint8_t *buf = (uint8_t *)
"Hi all!";
1969 uint16_t buflen = strlen((
char *)buf);
1971 uint8_t numpkts = 1;
1972 uint8_t numsigs = 7;
1978 char *sigs[numsigs];
1979 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1980 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1981 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1982 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1983 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1984 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1985 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1988 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1989 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
2003 static int IPOnlyTestSig08(
void)
2006 uint8_t *buf = (uint8_t *)
"Hi all!";
2007 uint16_t buflen = strlen((
char *)buf);
2009 uint8_t numpkts = 1;
2010 uint8_t numsigs = 7;
2016 const char *sigs[numsigs];
2017 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2018 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2019 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2020 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2021 sigs[4]=
"alert tcp any any -> !192.168.1.5 any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2022 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2023 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2026 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2027 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
2040 static int IPOnlyTestSig09(
void)
2043 uint8_t *buf = (uint8_t *)
"Hi all!";
2044 uint16_t buflen = strlen((
char *)buf);
2046 uint8_t numpkts = 1;
2047 uint8_t numsigs = 7;
2051 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
2053 const char *sigs[numsigs];
2054 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2055 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2056 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2057 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:0/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2058 sigs[4]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2059 sigs[5]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2060 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
2063 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2064 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
2077 static int IPOnlyTestSig10(
void)
2080 uint8_t *buf = (uint8_t *)
"Hi all!";
2081 uint16_t buflen = strlen((
char *)buf);
2083 uint8_t numpkts = 1;
2084 uint8_t numsigs = 7;
2088 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565");
2090 const char *sigs[numsigs];
2091 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2092 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2093 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2094 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> !3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2095 sigs[4]=
"alert tcp !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2096 sigs[5]=
"alert tcp any any -> !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2097 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDB:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
2100 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2101 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
2118 static int IPOnlyTestSig11(
void)
2121 uint8_t *buf = (uint8_t *)
"Hi all!";
2122 uint16_t buflen = strlen((
char *)buf);
2124 uint8_t numpkts = 2;
2125 uint8_t numsigs = 7;
2129 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
2132 char *sigs[numsigs];
2133 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2134 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2135 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2136 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2137 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2138 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2139 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2142 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2143 uint32_t
results[2][7] = {{ 1, 1, 1, 1, 1, 1, 1}, { 1, 1, 1, 1, 1, 1, 1}};
2157 static int IPOnlyTestSig12(
void)
2160 uint8_t *buf = (uint8_t *)
"Hi all!";
2161 uint16_t buflen = strlen((
char *)buf);
2163 uint8_t numpkts = 2;
2164 uint8_t numsigs = 7;
2168 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565");
2171 const char *sigs[numsigs];
2172 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2173 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2174 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2175 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2176 sigs[4]=
"alert tcp any any -> [!3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565,!80.198.1.5] any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2177 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2178 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2181 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2182 uint32_t
results[2][7] = {{ 0, 0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0, 0, 0}};
2191 static int IPOnlyTestSig13(
void)
2198 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2199 "flowbits:set,myflow1; sid:1; rev:1;)");
2208 static int IPOnlyTestSig14(
void)
2215 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2216 "flowbits:set,myflow1; flowbits:isset,myflow2; sid:1; rev:1;)");
2225 static int IPOnlyTestSig15(
void)
2228 uint8_t *buf = (uint8_t *)
"Hi all!";
2229 uint16_t buflen = strlen((
char *)buf);
2231 uint8_t numpkts = 1;
2232 uint8_t numsigs = 7;
2237 memset(&f, 0,
sizeof(
Flow));
2248 const char *sigs[numsigs];
2249 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; "
2250 "flowbits:set,one; sid:1;)";
2251 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; "
2252 "flowbits:set,two; sid:2;)";
2253 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; "
2254 "flowbits:set,three; sid:3;)";
2255 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; "
2256 "flowbits:set,four; sid:4;)";
2257 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; "
2258 "flowbits:set,five; sid:5;)";
2259 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; "
2260 "flowbits:set,six; sid:6;)";
2261 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; "
2262 "flowbits:set,seven; content:\"Hi all\"; sid:7;)";
2265 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2266 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
2279 static int IPOnlyTestSig16(
void)
2282 uint8_t *buf = (uint8_t *)
"Hi all!";
2283 uint16_t buflen = strlen((
char *)buf);
2285 uint8_t numpkts = 1;
2286 uint8_t numsigs = 2;
2292 const char *sigs[numsigs];
2293 sigs[0]=
"alert tcp !100.100.0.1 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2294 sigs[1]=
"alert tcp any any -> !50.0.0.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2297 uint32_t sid[2] = { 1, 2};
2298 uint32_t
results[2] = { 1, 1};
2310 static int IPOnlyTestSig17(
void)
2313 uint8_t *buf = (uint8_t *)
"Hi all!";
2314 uint16_t buflen = strlen((
char *)buf);
2316 uint8_t numpkts = 1;
2317 uint8_t numsigs = 2;
2323 const char *sigs[numsigs];
2324 sigs[0]=
"alert ip 100.100.0.0 80 -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2325 sigs[1]=
"alert ip any any -> 50.0.0.0 123 (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2327 uint32_t sid[2] = { 1, 2};
2328 uint32_t
results[2] = { 0, 0};
2340 static int IPOnlyTestSig18(
void)
2343 uint8_t *buf = (uint8_t *)
"Hi all!";
2344 uint16_t buflen = strlen((
char *)buf);
2346 uint8_t numpkts = 4;
2347 uint8_t numsigs = 4;
2354 p[3] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"255.255.255.254",
"5.0.0.1");
2356 const char *sigs[numsigs];
2358 sigs[0]=
"alert ip 1.2.3.4-219.6.7.8 any -> any any (sid:1;)";
2359 sigs[1]=
"alert ip 51.2.3.4-253.1.2.3 any -> any any (sid:2;)";
2360 sigs[2]=
"alert ip 0.0.0.0-50.0.0.2 any -> any any (sid:3;)";
2361 sigs[3]=
"alert ip 50.0.0.0-255.255.255.255 any -> any any (sid:4;)";
2363 uint32_t sid[4] = { 1, 2, 3, 4, };
2365 { 1, 0, 1, 0, }, { 0, 1, 0, 1}, { 0, 0, 1, 0 }, { 0, 0, 0, 1}};
2377 static int IPOnlyTestBug5066v1(
void)
2384 de_ctx,
"alert ip [1.2.3.4/24,1.2.3.64/27] any -> any any (sid:1;)");
2395 static int IPOnlyTestBug5066v2(
void)
2400 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.4/24") != 0);
2403 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2413 static int IPOnlyTestBug5066v3(
void)
2418 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.64/26") != 0);
2421 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2431 static int IPOnlyTestBug5066v4(
void)
2436 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"2000::1:1/122") != 0);
2439 PrintInet(AF_INET6, (
const void *)&x->
ip, ip,
sizeof(ip));
2442 FAIL_IF_NOT(strcmp(ip,
"2000:0000:0000:0000:0000:0000:0001:0000") == 0);
2449 static int IPOnlyTestBug5066v5(
void)
2454 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"2000::1:40/122") != 0);
2457 PrintInet(AF_INET6, (
const void *)&x->
ip, ip,
sizeof(ip));
2460 FAIL_IF_NOT(strcmp(ip,
"2000:0000:0000:0000:0000:0000:0001:0040") == 0);
2467 static int IPOnlyTestBug5168v1(
void)
2472 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.64/0.0.0.0") != 0);
2475 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2485 static int IPOnlyTestBug5168v2(
void)
2489 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"0.0.0.5/0.0.0.5") != -1);