65 #include <netinet/in.h>
96 for (; i < lhs->
netmask / 32 || i < 1; i++) {
97 if (lhs->
ip[i] < rhs->
ip[i])
99 if (lhs->
ip[i] > rhs->
ip[i])
108 static int IPOnlyCIDRItemCompare(
const void *lhsv,
const void *rhsv)
113 return IPOnlyCIDRItemCompareReal(lhs, rhs);
134 SCLogError(
"Failed to allocate enough memory to sort IP-only CIDR items.");
139 for (
size_t i = 0; i <
len; i++) {
150 for (
size_t i = 0; i + 1 <
len; i++) {
151 tmp[i]->
next = tmp[i + 1];
163 static int InsertRange(
169 uint32_t first = first_in;
170 uint32_t last = last_in;
178 while (dd->
netmask > 0 && (first & (1UL << (32 - dd->
netmask))) == 0 &&
179 first + (1UL << (32 - (dd->
netmask - 1))) - 1 <= last) {
182 dd->
ip[0] = htonl(first);
183 first += 1UL << (32 - dd->
netmask);
185 while (first <= last && first != 0) {
192 while (new->netmask > 0 && (first & (1UL << (32 - new->netmask))) == 0 &&
193 first + (1UL << (32 - (new->netmask - 1))) - 1 <= last) {
196 new->ip[0] = htonl(first);
197 first += 1UL << (32 -
new->netmask);
198 dd = IPOnlyCIDRItemInsert(dd,
new);
222 char *ip = NULL, *ip2 = NULL;
227 while (*
str !=
'\0' && *
str ==
' ')
235 if (strcasecmp(
str,
"any") == 0) {
237 SCLogDebug(
"adding 0.0.0.0/0 and ::/0 as we\'re handling \'any\'");
239 IPOnlyCIDRItemParseSingle(&dd,
"0.0.0.0/0");
242 dd->
next = IPOnlyCIDRItemNew();
243 if (dd->
next == NULL)
246 IPOnlyCIDRItemParseSingle(&dd->
next,
"::/0");
260 if ((strchr(
str,
':')) == NULL) {
266 if ((mask = strchr(ip,
'/')) != NULL) {
268 ip[mask - ip] =
'\0';
270 uint32_t netmask = 0;
273 if ((strchr (mask,
'.')) == NULL) {
276 for (u = 0; u < strlen(mask); u++) {
277 if(!isdigit((
unsigned char)mask[u]))
289 r = inet_pton(AF_INET, mask, &in);
300 r = inet_pton(AF_INET, ip, &in);
304 dd->
ip[0] = in.s_addr & netmask;
306 }
else if ((ip2 = strchr(ip,
'-')) != NULL) {
311 uint32_t first, last;
313 r = inet_pton(AF_INET, ip, &in);
318 r = inet_pton(AF_INET, ip2, &in);
327 SCLogDebug(
"Creating CIDR range for [%s - %s]", ip, ip2);
328 return InsertRange(pdd, dd, first, last);
331 r = inet_pton(AF_INET, ip, &in);
336 dd->
ip[0] = in.s_addr;
341 struct in6_addr in6, mask6;
342 uint32_t ip6addr[4], netmask[4];
346 if ((mask = strchr(ip,
'/')) != NULL) {
350 r = inet_pton(AF_INET6, ip, &in6);
356 (
const char *)mask, 0, 128) < 0) {
360 memcpy(&ip6addr, &in6.s6_addr,
sizeof(ip6addr));
362 memcpy(&netmask, &mask6.s6_addr,
sizeof(netmask));
364 dd->
ip[0] = ip6addr[0] & netmask[0];
365 dd->
ip[1] = ip6addr[1] & netmask[1];
366 dd->
ip[2] = ip6addr[2] & netmask[2];
367 dd->
ip[3] = ip6addr[3] & netmask[3];
369 r = inet_pton(AF_INET6, ip, &in6);
373 memcpy(dd->
ip, &in6.s6_addr,
sizeof(dd->
ip));
403 if (IPOnlyCIDRItemParseSingle(gh, s) == -1) {
404 SCLogError(
"address parsing error \"%s\"", s);
449 SCLogDebug(
"Head is NULL to insert item (%p)",item);
461 while (prev != NULL) {
469 head = IPOnlyCIDRItemInsertReal(
head, prev);
490 if (tmphead == NULL) {
501 SCLogDebug(
"Item(%p) %"PRIu32
" removed", it, i);
521 while (tmphead != NULL) {
523 tmphead = tmphead->
next;
537 while (tmphead != NULL) {
539 SCLogDebug(
"Item %"PRIu32
" has netmask %"PRIu8
" negated:"
540 " %s; IP: %s; signum: %"PRIu32, i, tmphead->
netmask,
541 (tmphead->
negated) ?
"yes":
"no",
542 inet_ntoa(*(
struct in_addr*)&tmphead->
ip[0]),
544 tmphead = tmphead->
next;
564 static void SigNumArrayPrint(
void *tmp)
567 for (uint32_t u = 0; u < sna->
size; u++) {
568 uint8_t bitarray = sna->
array[u];
569 for (uint8_t i = 0; i < 8; i++) {
571 printf(
"%" PRIu32
" ", u * 8 + i);
572 bitarray = bitarray >> 1;
591 FatalError(
"Fatal error encountered in SigNumArrayNew. Exiting...");
595 if (new->array == NULL) {
599 new->size = io_ctx->
max_idx / 8 + 1;
619 FatalError(
"Fatal error encountered in SigNumArrayCopy. Exiting...");
622 new->size = orig->
size;
625 if (new->array == NULL) {
629 memcpy(new->array, orig->
array, orig->
size);
637 static void SigNumArrayFree(
void *tmp)
644 if (sna->
array != NULL)
665 int o_set = 0, n_set = 0, d_set = 0;
667 size_t size = strlen(s);
669 const char *rule_var_address = NULL;
670 char *temp_rule_var_address = NULL;
673 head = subhead = NULL;
675 SCLogDebug(
"s %s negate %s", s, negate ?
"true" :
"false");
677 for (u = 0, x = 0; u < size && x <
sizeof(
address); u++) {
681 if (!o_set && s[u] ==
'!') {
684 }
else if (s[u] ==
'[') {
690 }
else if (s[u] ==
']') {
696 (negate + n_set) % 2)) == NULL)
699 head = IPOnlyCIDRItemInsert(
head, subhead);
703 }
else if (depth == 0 && s[u] ==
',') {
706 }
else if (d_set == 1) {
711 if (rule_var_address == NULL)
714 if ((negate + n_set) % 2) {
716 const size_t str_size = strlen(rule_var_address) + 3 + 1;
717 temp_rule_var_address =
SCMalloc(str_size);
718 if (
unlikely(temp_rule_var_address == NULL)) {
722 snprintf(temp_rule_var_address, str_size,
"[%s]", rule_var_address);
724 temp_rule_var_address =
SCStrdup(rule_var_address);
725 if (
unlikely(temp_rule_var_address == NULL)) {
730 subhead = IPOnlyCIDRListParse2(
de_ctx, temp_rule_var_address,
731 (negate + n_set) % 2);
732 head = IPOnlyCIDRItemInsert(
head, subhead);
737 SCFree(temp_rule_var_address);
742 subhead = IPOnlyCIDRItemNew();
746 if (!((negate + n_set) % 2))
751 if (IPOnlyCIDRItemSetup(&subhead,
address) < 0) {
756 head = IPOnlyCIDRItemInsert(
head, subhead);
761 }
else if (depth == 0 && s[u] ==
'$') {
763 }
else if (depth == 0 && u == size - 1) {
774 if (rule_var_address == NULL)
777 if ((negate + n_set) % 2) {
779 const size_t str_size = strlen(rule_var_address) + 3 + 1;
780 temp_rule_var_address =
SCMalloc(str_size);
781 if (
unlikely(temp_rule_var_address == NULL)) {
784 snprintf(temp_rule_var_address, str_size,
"[%s]", rule_var_address);
786 temp_rule_var_address =
SCStrdup(rule_var_address);
787 if (
unlikely(temp_rule_var_address == NULL)) {
791 subhead = IPOnlyCIDRListParse2(
de_ctx, temp_rule_var_address,
792 (negate + n_set) % 2);
793 head = IPOnlyCIDRItemInsert(
head, subhead);
797 SCFree(temp_rule_var_address);
799 subhead = IPOnlyCIDRItemNew();
803 if (!((negate + n_set) % 2))
808 if (IPOnlyCIDRItemSetup(&subhead,
address) < 0) {
813 head = IPOnlyCIDRItemInsert(
head, subhead);
845 *gh = IPOnlyCIDRListParse2(
de_ctx,
str, 0);
847 SCLogDebug(
"IPOnlyCIDRListParse2 returned null");
870 Signature *s,
const char *addrstr,
char flag)
872 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
876 if (strcasecmp(addrstr,
"any") == 0) {
887 if (strcasecmp(addrstr,
"any") == 0) {
/* Callback tables handed to the IPv4 and IPv6 radix trees together with the
 * SigNumArray (sna) that is attached to each inserted address/netmask as node
 * user data. SigNumArrayFree and SigNumArrayPrint are the file-local helpers
 * defined above; both take the user data as void *, so the tree can release
 * (presumably SCFree of sna->array, see the NULL check in SigNumArrayFree) or
 * dump the per-node signature bitarray without knowing its type. These are
 * positional initializers: the order must match the SCRadix4Config /
 * SCRadix6Config struct definitions, which are not visible in this file. */
static const SCRadix4Config iponly_radix4_config = { SigNumArrayFree, SigNumArrayPrint };
static const SCRadix6Config iponly_radix6_config = { SigNumArrayFree, SigNumArrayPrint };
924 FatalError(
"Unable to allocate iponly signature tracking area");
971 static inline int IPOnlyMatchCompatSMs(
1005 void *user_data_src = NULL, *user_data_dst = NULL;
1025 src = user_data_src;
1026 dst = user_data_dst;
1028 if (
src == NULL ||
dst == NULL)
1031 for (uint32_t u = 0; u <
src->size; u++) {
1034 uint8_t bitarray =
dst->array[u] &
src->array[u];
1044 for (uint8_t i = 0; i < 8; i++, bitarray = bitarray >> 1) {
1045 if (bitarray & 0x01) {
1062 if (p->
proto == IPPROTO_TCP || p->
proto == IPPROTO_UDP ||
1069 if (dport == NULL) {
1079 if (sport == NULL) {
1086 SCLogDebug(
"port-less protocol and sig needs ports");
1090 if (!IPOnlyMatchCompatSMs(
tv, det_ctx, s, p)) {
1094 SCLogDebug(
"Signum %" PRIu32
" match (sid: %" PRIu32
", msg: %s)", u * 8 + i, s->
id,
1101 SCLogDebug(
"running match functions, sm %p", smd);
1123 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1124 if (
src->negated > 0)
1126 sna->
array[
src->signum / 8] &= ~tmp;
1129 sna->
array[
src->signum / 8] |= tmp;
1157 if (
src->family == AF_INET) {
1167 void *user_data = NULL;
1168 if (
src->netmask == 32)
1173 src->netmask, &user_data);
1174 if (user_data == NULL) {
1181 if (user_data == NULL) {
1186 IPOnlyPrepareUpdateBitarray(
src, sna);
1188 if (
src->netmask == 32)
1190 &iponly_radix4_config, (uint8_t *)&
src->ip[0], sna);
1193 &iponly_radix4_config, (uint8_t *)&
src->ip[0],
src->netmask, sna);
1196 "src ipv4 radix tree");
1202 IPOnlyPrepareUpdateBitarray(
src, sna);
1204 if (
src->netmask == 32)
1206 &iponly_radix4_config, (uint8_t *)&
src->ip[0], sna);
1209 &iponly_radix4_config, (uint8_t *)&
src->ip[0],
src->netmask, sna);
1210 if (node4 == NULL) {
1214 " src ipv4 radix tree ip %s netmask %" PRIu8,
1215 tmpstr,
src->netmask);
1224 IPOnlyPrepareUpdateBitarray(
src, sna);
1226 }
else if (
src->family == AF_INET6) {
1229 void *user_data = NULL;
1230 if (
src->netmask == 128)
1235 src->netmask, &user_data);
1236 if (user_data == NULL) {
1240 if (user_data == NULL) {
1243 IPOnlyPrepareUpdateBitarray(
src, sna);
1245 if (
src->netmask == 128)
1247 &iponly_radix6_config, (uint8_t *)&
src->ip[0], sna);
1250 &iponly_radix6_config, (uint8_t *)&
src->ip[0],
src->netmask, sna);
1257 IPOnlyPrepareUpdateBitarray(
src, sna);
1259 if (
src->netmask == 128)
1261 &iponly_radix6_config, (uint8_t *)&
src->ip[0], sna);
1264 &iponly_radix6_config, (uint8_t *)&
src->ip[0],
src->netmask, sna);
1272 IPOnlyPrepareUpdateBitarray(
src, sna);
1284 if (
dst->family == AF_INET) {
1286 SCLogDebug(
"Item has netmask %"PRIu8
" negated: %s; IP: %s; signum:"
1287 " %"PRIu32
"",
dst->netmask, (
dst->negated)?
"yes":
"no",
1288 inet_ntoa(*(
struct in_addr*)&
dst->ip[0]),
dst->signum);
1290 void *user_data = NULL;
1291 if (
dst->netmask == 32)
1296 dst->netmask, &user_data);
1297 if (user_data == NULL) {
1306 if (user_data == NULL) {
1311 IPOnlyPrepareUpdateBitarray(
dst, sna);
1313 if (
dst->netmask == 32)
1315 &iponly_radix4_config, (uint8_t *)&
dst->ip[0], sna);
1318 &iponly_radix4_config, (uint8_t *)&
dst->ip[0],
dst->netmask, sna);
1327 IPOnlyPrepareUpdateBitarray(
dst, sna);
1329 if (
dst->netmask == 32)
1331 &iponly_radix4_config, (uint8_t *)&
dst->ip[0], sna);
1334 &iponly_radix4_config, (uint8_t *)&
dst->ip[0],
dst->netmask, sna);
1345 IPOnlyPrepareUpdateBitarray(
dst, sna);
1347 }
else if (
dst->family == AF_INET6) {
1350 void *user_data = NULL;
1351 if (
dst->netmask == 128)
1356 dst->netmask, &user_data);
1357 if (user_data == NULL) {
1363 if (user_data == NULL) {
1366 IPOnlyPrepareUpdateBitarray(
dst, sna);
1368 if (
dst->netmask == 128)
1370 &iponly_radix6_config, (uint8_t *)&
dst->ip[0], sna);
1373 &iponly_radix6_config, (uint8_t *)&
dst->ip[0],
dst->netmask, sna);
1380 IPOnlyPrepareUpdateBitarray(
dst, sna);
1382 if (
dst->netmask == 128)
1384 &iponly_radix6_config, (uint8_t *)&
dst->ip[0], sna);
1387 &iponly_radix6_config, (uint8_t *)&
dst->ip[0],
dst->netmask, sna);
1395 IPOnlyPrepareUpdateBitarray(
dst, sna);
1419 SCLogDebug(
"Adding IPs from rule: %" PRIu32
" (%s) as %" PRIu32
" mapped to %" PRIu32
"\n",
1420 s->
id, s->
msg, s->
iid, mapped_signum);
1433 if (mapped_signum > io_ctx->
max_idx)
1434 io_ctx->
max_idx = mapped_signum;
1447 static int IPOnlyTestSig01(
void)
1467 static int IPOnlyTestSig02 (
void)
1487 static int IPOnlyTestSig03 (
void)
1499 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre and content) \"; content:\"php\"; pcre:\"/require(_once)?/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1505 printf(
"got a IPOnly signature (content): ");
1511 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (content) \"; content:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1517 printf(
"got a IPOnly signature (content): ");
1523 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (uricontent) \"; uricontent:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1529 printf(
"got a IPOnly signature (uricontent): ");
1535 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre) \"; pcre:\"/e?idps rule[sz]/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1541 printf(
"got a IPOnly signature (pcre): ");
1547 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flow) \"; flow:to_server; classtype:misc-activity; sid:400001; rev:1;)");
1553 printf(
"got a IPOnly signature (flow): ");
1559 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (dsize) \"; dsize:100; classtype:misc-activity; sid:400001; rev:1;)");
1565 printf(
"got a IPOnly signature (dsize): ");
1571 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowbits) \"; flowbits:unset; classtype:misc-activity; sid:400001; rev:1;)");
1577 printf(
"got a IPOnly signature (flowbits): ");
1583 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowvar) \"; pcre:\"/(?<flow_var>.*)/i\"; flowvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1589 printf(
"got a IPOnly signature (flowvar): ");
1595 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pktvar) \"; pcre:\"/(?<pkt_var>.*)/i\"; pktvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1601 printf(
"got a IPOnly signature (pktvar): ");
1615 static int IPOnlyTestSig04 (
void)
1621 for (
int size = 0; size < 6; size++) {
1625 new = IPOnlyCIDRItemNew();
1629 head = IPOnlyCIDRItemInsert(
head,
new);
1633 new = IPOnlyCIDRItemNew();
1636 head = IPOnlyCIDRItemInsert(
head,
new);
1640 new = IPOnlyCIDRItemNew();
1643 head = IPOnlyCIDRItemInsert(
head,
new);
1647 new = IPOnlyCIDRItemNew();
1651 head = IPOnlyCIDRItemInsert(
head,
new);
1655 new = IPOnlyCIDRItemNew();
1659 head = IPOnlyCIDRItemInsert(
head,
new);
1662 IPOnlyCIDRListPrint(
head);
1664 IPOnlyCIDRListQSort(&
head);
1683 if (new->netmask != 9) {
1691 if (new->netmask != 10 || new->ip[0] != 1) {
1699 if (new->netmask != 10 || new->ip[0] != 2) {
1707 if (new->netmask != 10 || new->ip[0] != 3) {
1715 if (new->netmask != 11) {
1743 static int IPOnlyTestSig05(
void)
1746 uint8_t *buf = (uint8_t *)
"Hi all!";
1747 uint16_t buflen = strlen((
char *)buf);
1749 uint8_t numpkts = 1;
1750 uint8_t numsigs = 7;
1756 const char *sigs[numsigs];
1757 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1758 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1759 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1760 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1761 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1762 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1763 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1766 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1767 uint32_t results[7] = { 1, 1, 1, 1, 1, 1, 1};
1769 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1780 static int IPOnlyTestSig06(
void)
1783 uint8_t *buf = (uint8_t *)
"Hi all!";
1784 uint16_t buflen = strlen((
char *)buf);
1786 uint8_t numpkts = 1;
1787 uint8_t numsigs = 7;
1791 p[0] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"80.58.0.33",
"195.235.113.3");
1793 const char *sigs[numsigs];
1794 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1795 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1796 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1797 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1798 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1799 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1800 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1803 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1804 uint32_t results[7] = { 0, 0, 0, 0, 0, 0, 0};
1806 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1821 static int IPOnlyTestSig07(
void)
1824 uint8_t *buf = (uint8_t *)
"Hi all!";
1825 uint16_t buflen = strlen((
char *)buf);
1827 uint8_t numpkts = 1;
1828 uint8_t numsigs = 7;
1834 char *sigs[numsigs];
1835 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1836 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1837 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1838 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1839 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1840 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1841 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1844 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1845 uint32_t results[7] = { 1, 1, 1, 1, 1, 1, 1};
1847 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1859 static int IPOnlyTestSig08(
void)
1862 uint8_t *buf = (uint8_t *)
"Hi all!";
1863 uint16_t buflen = strlen((
char *)buf);
1865 uint8_t numpkts = 1;
1866 uint8_t numsigs = 7;
1872 const char *sigs[numsigs];
1873 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1874 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1875 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1876 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1877 sigs[4]=
"alert tcp any any -> !192.168.1.5 any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1878 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1879 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1882 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1883 uint32_t results[7] = { 0, 0, 0, 0, 0, 0, 0};
1885 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1896 static int IPOnlyTestSig09(
void)
1899 uint8_t *buf = (uint8_t *)
"Hi all!";
1900 uint16_t buflen = strlen((
char *)buf);
1902 uint8_t numpkts = 1;
1903 uint8_t numsigs = 7;
1907 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
1909 const char *sigs[numsigs];
1910 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1911 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1912 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1913 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:0/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1914 sigs[4]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1915 sigs[5]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1916 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1919 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1920 uint32_t results[7] = { 1, 1, 1, 1, 1, 1, 1};
1922 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1933 static int IPOnlyTestSig10(
void)
1936 uint8_t *buf = (uint8_t *)
"Hi all!";
1937 uint16_t buflen = strlen((
char *)buf);
1939 uint8_t numpkts = 1;
1940 uint8_t numsigs = 7;
1944 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565");
1946 const char *sigs[numsigs];
1947 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1948 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1949 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1950 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> !3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1951 sigs[4]=
"alert tcp !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1952 sigs[5]=
"alert tcp any any -> !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1953 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDB:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1956 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1957 uint32_t results[7] = { 0, 0, 0, 0, 0, 0, 0};
1959 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
1974 static int IPOnlyTestSig11(
void)
1977 uint8_t *buf = (uint8_t *)
"Hi all!";
1978 uint16_t buflen = strlen((
char *)buf);
1980 uint8_t numpkts = 2;
1981 uint8_t numsigs = 7;
1985 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
1988 char *sigs[numsigs];
1989 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1990 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1991 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1992 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1993 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1994 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1995 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1998 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1999 uint32_t results[2][7] = {{ 1, 1, 1, 1, 1, 1, 1}, { 1, 1, 1, 1, 1, 1, 1}};
2001 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2013 static int IPOnlyTestSig12(
void)
2016 uint8_t *buf = (uint8_t *)
"Hi all!";
2017 uint16_t buflen = strlen((
char *)buf);
2019 uint8_t numpkts = 2;
2020 uint8_t numsigs = 7;
2024 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565");
2027 const char *sigs[numsigs];
2028 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2029 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2030 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2031 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2032 sigs[4]=
"alert tcp any any -> [!3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565,!80.198.1.5] any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2033 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2034 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2037 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2038 uint32_t results[2][7] = {{ 0, 0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0, 0, 0}};
2040 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2047 static int IPOnlyTestSig13(
void)
2054 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2055 "flowbits:set,myflow1; sid:1; rev:1;)");
2064 static int IPOnlyTestSig14(
void)
2071 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2072 "flowbits:set,myflow1; flowbits:isset,myflow2; sid:1; rev:1;)");
2081 static int IPOnlyTestSig15(
void)
2084 uint8_t *buf = (uint8_t *)
"Hi all!";
2085 uint16_t buflen = strlen((
char *)buf);
2087 uint8_t numpkts = 1;
2088 uint8_t numsigs = 7;
2093 memset(&f, 0,
sizeof(
Flow));
2104 const char *sigs[numsigs];
2105 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; "
2106 "flowbits:set,one; sid:1;)";
2107 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; "
2108 "flowbits:set,two; sid:2;)";
2109 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; "
2110 "flowbits:set,three; sid:3;)";
2111 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; "
2112 "flowbits:set,four; sid:4;)";
2113 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; "
2114 "flowbits:set,five; sid:5;)";
2115 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; "
2116 "flowbits:set,six; sid:6;)";
2117 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; "
2118 "flowbits:set,seven; content:\"Hi all\"; sid:7;)";
2121 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2122 uint32_t results[7] = { 1, 1, 1, 1, 1, 1, 1};
2124 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2135 static int IPOnlyTestSig16(
void)
2138 uint8_t *buf = (uint8_t *)
"Hi all!";
2139 uint16_t buflen = strlen((
char *)buf);
2141 uint8_t numpkts = 1;
2142 uint8_t numsigs = 2;
2148 const char *sigs[numsigs];
2149 sigs[0]=
"alert tcp !100.100.0.1 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2150 sigs[1]=
"alert tcp any any -> !50.0.0.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2153 uint32_t sid[2] = { 1, 2};
2154 uint32_t results[2] = { 1, 1};
2156 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2166 static int IPOnlyTestSig17(
void)
2169 uint8_t *buf = (uint8_t *)
"Hi all!";
2170 uint16_t buflen = strlen((
char *)buf);
2172 uint8_t numpkts = 1;
2173 uint8_t numsigs = 2;
2179 const char *sigs[numsigs];
2180 sigs[0]=
"alert ip 100.100.0.0 80 -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2181 sigs[1]=
"alert ip any any -> 50.0.0.0 123 (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2183 uint32_t sid[2] = { 1, 2};
2184 uint32_t results[2] = { 0, 0};
2186 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2196 static int IPOnlyTestSig18(
void)
2199 uint8_t *buf = (uint8_t *)
"Hi all!";
2200 uint16_t buflen = strlen((
char *)buf);
2202 uint8_t numpkts = 4;
2203 uint8_t numsigs = 4;
2210 p[3] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"255.255.255.254",
"5.0.0.1");
2212 const char *sigs[numsigs];
2214 sigs[0]=
"alert ip 1.2.3.4-219.6.7.8 any -> any any (sid:1;)";
2215 sigs[1]=
"alert ip 51.2.3.4-253.1.2.3 any -> any any (sid:2;)";
2216 sigs[2]=
"alert ip 0.0.0.0-50.0.0.2 any -> any any (sid:3;)";
2217 sigs[3]=
"alert ip 50.0.0.0-255.255.255.255 any -> any any (sid:4;)";
2219 uint32_t sid[4] = { 1, 2, 3, 4, };
2220 uint32_t results[4][4] = {
2221 { 1, 0, 1, 0, }, { 0, 1, 0, 1}, { 0, 0, 1, 0 }, { 0, 0, 0, 1}};
2223 result =
UTHGenericTest(p, numpkts, sigs, sid, (uint32_t *) results, numsigs);
2233 static int IPOnlyTestBug5066v1(
void)
2240 de_ctx,
"alert ip [1.2.3.4/24,1.2.3.64/27] any -> any any (sid:1;)");
2251 static int IPOnlyTestBug5066v2(
void)
2256 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.4/24") != 0);
2259 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2269 static int IPOnlyTestBug5066v3(
void)
2274 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.64/26") != 0);
2277 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2287 static int IPOnlyTestBug5066v4(
void)
2292 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"2000::1:1/122") != 0);
2295 PrintInet(AF_INET6, (
const void *)&x->
ip, ip,
sizeof(ip));
2298 FAIL_IF_NOT(strcmp(ip,
"2000:0000:0000:0000:0000:0000:0001:0000") == 0);
2305 static int IPOnlyTestBug5066v5(
void)
2310 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"2000::1:40/122") != 0);
2313 PrintInet(AF_INET6, (
const void *)&x->
ip, ip,
sizeof(ip));
2316 FAIL_IF_NOT(strcmp(ip,
"2000:0000:0000:0000:0000:0000:0001:0040") == 0);
2323 static int IPOnlyTestBug5168v1(
void)
2328 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.64/0.0.0.0") != 0);
2331 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2341 static int IPOnlyTestBug5168v2(
void)
2345 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"0.0.0.5/0.0.0.5") != -1);