64 #include <netinet/in.h>
89 for (; i <
head->netmask / 32 || i < 1; i++) {
90 if (item->
ip[i] <
head->ip[i])
101 static int InsertRange(
107 uint32_t first = first_in;
108 uint32_t last = last_in;
116 while (dd->
netmask > 0 && (first & (1UL << (32 - dd->
netmask))) == 0 &&
117 first + (1UL << (32 - (dd->
netmask - 1))) - 1 <= last) {
120 dd->
ip[0] = htonl(first);
121 first += 1UL << (32 - dd->
netmask);
123 while (first <= last && first != 0) {
130 while (new->netmask > 0 && (first & (1UL << (32 - new->netmask))) == 0 &&
131 first + (1UL << (32 - (new->netmask - 1))) - 1 <= last) {
134 new->ip[0] = htonl(first);
135 first += 1UL << (32 -
new->netmask);
136 dd = IPOnlyCIDRItemInsert(dd,
new);
160 char *ip = NULL, *ip2 = NULL;
165 while (*
str !=
'\0' && *
str ==
' ')
173 if (strcasecmp(
str,
"any") == 0) {
175 SCLogDebug(
"adding 0.0.0.0/0 and ::/0 as we\'re handling \'any\'");
177 IPOnlyCIDRItemParseSingle(&dd,
"0.0.0.0/0");
180 dd->
next = IPOnlyCIDRItemNew();
181 if (dd->
next == NULL)
184 IPOnlyCIDRItemParseSingle(&dd->
next,
"::/0");
198 if ((strchr(
str,
':')) == NULL) {
204 if ((mask = strchr(ip,
'/')) != NULL) {
206 ip[mask - ip] =
'\0';
208 uint32_t netmask = 0;
211 if ((strchr (mask,
'.')) == NULL) {
214 for (u = 0; u < strlen(mask); u++) {
215 if(!isdigit((
unsigned char)mask[u]))
227 r = inet_pton(AF_INET, mask, &in);
238 r = inet_pton(AF_INET, ip, &in);
242 dd->
ip[0] = in.s_addr & netmask;
244 }
else if ((ip2 = strchr(ip,
'-')) != NULL) {
249 uint32_t first, last;
251 r = inet_pton(AF_INET, ip, &in);
256 r = inet_pton(AF_INET, ip2, &in);
265 SCLogDebug(
"Creating CIDR range for [%s - %s]", ip, ip2);
266 return InsertRange(pdd, dd, first, last);
269 r = inet_pton(AF_INET, ip, &in);
274 dd->
ip[0] = in.s_addr;
279 struct in6_addr in6, mask6;
280 uint32_t ip6addr[4], netmask[4];
284 if ((mask = strchr(ip,
'/')) != NULL) {
288 r = inet_pton(AF_INET6, ip, &in6);
294 (
const char *)mask, 0, 128) < 0) {
298 memcpy(&ip6addr, &in6.s6_addr,
sizeof(ip6addr));
300 memcpy(&netmask, &mask6.s6_addr,
sizeof(netmask));
302 dd->
ip[0] = ip6addr[0] & netmask[0];
303 dd->
ip[1] = ip6addr[1] & netmask[1];
304 dd->
ip[2] = ip6addr[2] & netmask[2];
305 dd->
ip[3] = ip6addr[3] & netmask[3];
307 r = inet_pton(AF_INET6, ip, &in6);
311 memcpy(dd->
ip, &in6.s6_addr,
sizeof(dd->
ip));
341 if (IPOnlyCIDRItemParseSingle(gh, s) == -1) {
342 SCLogError(
"address parsing error \"%s\"", s);
376 if (item->
netmask ==
head->netmask && !IPOnlyCIDRItemCompare(
head, item)) {
382 for (prev = it =
head;
414 SCLogDebug(
"Head is NULL to insert item (%p)",item);
426 while (prev != NULL) {
434 head = IPOnlyCIDRItemInsertReal(
head, prev);
455 if (tmphead == NULL) {
466 SCLogDebug(
"Item(%p) %"PRIu32
" removed", it, i);
486 while (tmphead != NULL) {
488 tmphead = tmphead->
next;
501 while (tmphead != NULL) {
503 SCLogDebug(
"Item %"PRIu32
" has netmask %"PRIu8
" negated:"
504 " %s; IP: %s; signum: %"PRIu32, i, tmphead->
netmask,
505 (tmphead->
negated) ?
"yes":
"no",
506 inet_ntoa(*(
struct in_addr*)&tmphead->
ip[0]),
508 tmphead = tmphead->
next;
527 static void SigNumArrayPrint(
void *tmp)
530 for (uint32_t u = 0; u < sna->
size; u++) {
531 uint8_t bitarray = sna->
array[u];
532 for (uint8_t i = 0; i < 8; i++) {
534 printf(
"%" PRIu32
" ", u * 8 + i);
535 bitarray = bitarray >> 1;
554 FatalError(
"Fatal error encountered in SigNumArrayNew. Exiting...");
559 if (new->array == NULL) {
563 memset(new->array, 0, io_ctx->
max_idx / 8 + 1);
564 new->size = io_ctx->
max_idx / 8 + 1;
584 FatalError(
"Fatal error encountered in SigNumArrayCopy. Exiting...");
588 new->size = orig->
size;
591 if (new->array == NULL) {
595 memcpy(new->array, orig->
array, orig->
size);
603 static void SigNumArrayFree(
void *tmp)
610 if (sna->
array != NULL)
631 int o_set = 0, n_set = 0, d_set = 0;
633 size_t size = strlen(s);
635 const char *rule_var_address = NULL;
636 char *temp_rule_var_address = NULL;
639 head = subhead = NULL;
641 SCLogDebug(
"s %s negate %s", s, negate ?
"true" :
"false");
643 for (u = 0, x = 0; u < size && x <
sizeof(
address); u++) {
647 if (!o_set && s[u] ==
'!') {
650 }
else if (s[u] ==
'[') {
656 }
else if (s[u] ==
']') {
662 (negate + n_set) % 2)) == NULL)
665 head = IPOnlyCIDRItemInsert(
head, subhead);
669 }
else if (depth == 0 && s[u] ==
',') {
672 }
else if (d_set == 1) {
677 if (rule_var_address == NULL)
680 if ((negate + n_set) % 2) {
681 temp_rule_var_address =
SCMalloc(strlen(rule_var_address) + 3);
682 if (
unlikely(temp_rule_var_address == NULL)) {
686 snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
687 "[%s]", rule_var_address);
689 temp_rule_var_address =
SCStrdup(rule_var_address);
690 if (
unlikely(temp_rule_var_address == NULL)) {
695 subhead = IPOnlyCIDRListParse2(
de_ctx, temp_rule_var_address,
696 (negate + n_set) % 2);
697 head = IPOnlyCIDRItemInsert(
head, subhead);
702 SCFree(temp_rule_var_address);
707 subhead = IPOnlyCIDRItemNew();
711 if (!((negate + n_set) % 2))
716 if (IPOnlyCIDRItemSetup(&subhead,
address) < 0) {
721 head = IPOnlyCIDRItemInsert(
head, subhead);
726 }
else if (depth == 0 && s[u] ==
'$') {
728 }
else if (depth == 0 && u == size - 1) {
739 if (rule_var_address == NULL)
742 if ((negate + n_set) % 2) {
743 temp_rule_var_address =
SCMalloc(strlen(rule_var_address) + 3);
744 if (
unlikely(temp_rule_var_address == NULL)) {
747 snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
748 "[%s]", rule_var_address);
750 temp_rule_var_address =
SCStrdup(rule_var_address);
751 if (
unlikely(temp_rule_var_address == NULL)) {
755 subhead = IPOnlyCIDRListParse2(
de_ctx, temp_rule_var_address,
756 (negate + n_set) % 2);
757 head = IPOnlyCIDRItemInsert(
head, subhead);
761 SCFree(temp_rule_var_address);
763 subhead = IPOnlyCIDRItemNew();
767 if (!((negate + n_set) % 2))
772 if (IPOnlyCIDRItemSetup(&subhead,
address) < 0) {
777 head = IPOnlyCIDRItemInsert(
head, subhead);
809 *gh = IPOnlyCIDRListParse2(
de_ctx,
str, 0);
811 SCLogDebug(
"IPOnlyCIDRListParse2 returned null");
834 Signature *s,
const char *addrstr,
char flag)
836 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
840 if (strcasecmp(addrstr,
"any") == 0) {
842 if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_src,
"[0.0.0.0/0,::/0]") < 0)
845 }
else if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_src, (
char *)addrstr) < 0) {
851 if (strcasecmp(addrstr,
"any") == 0) {
853 if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_dst,
"[0.0.0.0/0,::/0]") < 0)
856 }
else if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_dst, (
char *)addrstr) < 0) {
999 void *user_data_src = NULL, *user_data_dst = NULL;
1019 src = user_data_src;
1020 dst = user_data_dst;
1022 if (
src == NULL ||
dst == NULL)
1026 for (u = 0; u <
src->size; u++) {
1040 for (; i < 8; i++, bitarray = bitarray >> 1) {
1041 if (bitarray & 0x01) {
1065 if (dport == NULL) {
1075 if (sport == NULL) {
1081 SCLogDebug(
"port-less protocol and sig needs ports");
1085 if (!IPOnlyMatchCompatSMs(
tv, det_ctx, s, p)) {
1089 SCLogDebug(
"Signum %"PRIu32
" match (sid: %"PRIu32
", msg: %s)",
1090 u * 8 + i, s->
id, s->
msg);
1096 SCLogDebug(
"running match functions, sm %p", smd);
1139 if (
src->family == AF_INET) {
1149 void *user_data = NULL;
1150 if (
src->netmask == 32)
1157 src->netmask, &user_data);
1158 if (user_data == NULL) {
1166 if (user_data == NULL) {
1173 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1175 if (
src->negated > 0)
1177 sna->
array[
src->signum / 8] &= ~tmp;
1180 sna->
array[
src->signum / 8] |= tmp;
1182 if (
src->netmask == 32)
1192 "src ipv4 radix tree");
1201 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1203 if (
src->negated > 0)
1205 sna->
array[
src->signum / 8] &= ~tmp;
1208 sna->
array[
src->signum / 8] |= tmp;
1210 if (
src->netmask == 32)
1222 " src ipv4 radix tree ip %s netmask %" PRIu8,
1223 tmpstr,
src->netmask);
1235 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1237 if (
src->negated > 0)
1239 sna->
array[
src->signum / 8] &= ~tmp;
1242 sna->
array[
src->signum / 8] |= tmp;
1244 }
else if (
src->family == AF_INET6) {
1247 void *user_data = NULL;
1248 if (
src->netmask == 128)
1255 src->netmask, &user_data);
1257 if (user_data == NULL) {
1263 if (user_data == NULL) {
1268 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1270 if (
src->negated > 0)
1272 sna->
array[
src->signum / 8] &= ~tmp;
1275 sna->
array[
src->signum / 8] |= tmp;
1277 if (
src->netmask == 128)
1293 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1294 if (
src->negated > 0)
1296 sna->
array[
src->signum / 8] &= ~tmp;
1299 sna->
array[
src->signum / 8] |= tmp;
1301 if (
src->netmask == 128)
1317 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1318 if (
src->negated > 0)
1320 sna->
array[
src->signum / 8] &= ~tmp;
1323 sna->
array[
src->signum / 8] |= tmp;
1335 if (
dst->family == AF_INET) {
1338 SCLogDebug(
"Item has netmask %"PRIu8
" negated: %s; IP: %s; signum:"
1339 " %"PRIu32
"",
dst->netmask, (
dst->negated)?
"yes":
"no",
1340 inet_ntoa(*(
struct in_addr*)&
dst->ip[0]),
dst->signum);
1342 void *user_data = NULL;
1343 if (
dst->netmask == 32)
1353 if (user_data == NULL) {
1363 if (user_data == NULL) {
1370 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1371 if (
dst->negated > 0)
1373 sna->
array[
dst->signum / 8] &= ~tmp;
1376 sna->
array[
dst->signum / 8] |= tmp;
1378 if (
dst->netmask == 32)
1397 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1398 if (
dst->negated > 0)
1400 sna->
array[
dst->signum / 8] &= ~tmp;
1403 sna->
array[
dst->signum / 8] |= tmp;
1405 if (
dst->netmask == 32)
1424 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1425 if (
dst->negated > 0)
1427 sna->
array[
dst->signum / 8] &= ~tmp;
1430 sna->
array[
dst->signum / 8] |= tmp;
1432 }
else if (
dst->family == AF_INET6) {
1435 void *user_data = NULL;
1436 if (
dst->netmask == 128)
1443 dst->netmask, &user_data);
1445 if (user_data == NULL) {
1453 if (user_data == NULL) {
1458 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1459 if (
dst->negated > 0)
1461 sna->
array[
dst->signum / 8] &= ~tmp;
1464 sna->
array[
dst->signum / 8] |= tmp;
1466 if (
dst->netmask == 128)
1483 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1484 if (
dst->negated > 0)
1486 sna->
array[
dst->signum / 8] &= ~tmp;
1489 sna->
array[
dst->signum / 8] |= tmp;
1491 if (
dst->netmask == 128)
1508 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1509 if (
dst->negated > 0)
1511 sna->
array[
dst->signum / 8] &= ~tmp;
1514 sna->
array[
dst->signum / 8] |= tmp;
1577 static int IPOnlyTestSig01(
void)
1597 static int IPOnlyTestSig02 (
void)
1617 static int IPOnlyTestSig03 (
void)
1629 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre and content) \"; content:\"php\"; pcre:\"/require(_once)?/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1635 printf(
"got a IPOnly signature (content): ");
1641 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (content) \"; content:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1647 printf(
"got a IPOnly signature (content): ");
1653 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (uricontent) \"; uricontent:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1659 printf(
"got a IPOnly signature (uricontent): ");
1665 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre) \"; pcre:\"/e?idps rule[sz]/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1671 printf(
"got a IPOnly signature (pcre): ");
1677 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flow) \"; flow:to_server; classtype:misc-activity; sid:400001; rev:1;)");
1683 printf(
"got a IPOnly signature (flow): ");
1689 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (dsize) \"; dsize:100; classtype:misc-activity; sid:400001; rev:1;)");
1695 printf(
"got a IPOnly signature (dsize): ");
1701 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowbits) \"; flowbits:unset; classtype:misc-activity; sid:400001; rev:1;)");
1707 printf(
"got a IPOnly signature (flowbits): ");
1713 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowvar) \"; pcre:\"/(?<flow_var>.*)/i\"; flowvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1719 printf(
"got a IPOnly signature (flowvar): ");
1725 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pktvar) \"; pcre:\"/(?<pkt_var>.*)/i\"; pktvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1731 printf(
"got a IPOnly signature (pktvar): ");
1745 static int IPOnlyTestSig04 (
void)
1752 new = IPOnlyCIDRItemNew();
1755 head = IPOnlyCIDRItemInsert(
head,
new);
1757 new = IPOnlyCIDRItemNew();
1760 head = IPOnlyCIDRItemInsert(
head,
new);
1762 new = IPOnlyCIDRItemNew();
1765 head = IPOnlyCIDRItemInsert(
head,
new);
1767 new = IPOnlyCIDRItemNew();
1770 head = IPOnlyCIDRItemInsert(
head,
new);
1772 new = IPOnlyCIDRItemNew();
1775 head = IPOnlyCIDRItemInsert(
head,
new);
1777 IPOnlyCIDRListPrint(
head);
1779 if (new->netmask != 9) {
1784 if (new->netmask != 10) {
1789 if (new->netmask != 10) {
1794 if (new->netmask != 10) {
1799 if (new->netmask != 11) {
1813 static int IPOnlyTestSig05(
void)
1816 uint8_t *buf = (uint8_t *)
"Hi all!";
1817 uint16_t buflen = strlen((
char *)buf);
1819 uint8_t numpkts = 1;
1820 uint8_t numsigs = 7;
1826 const char *sigs[numsigs];
1827 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1828 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1829 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1830 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1831 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1832 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1833 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1836 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1837 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
1850 static int IPOnlyTestSig06(
void)
1853 uint8_t *buf = (uint8_t *)
"Hi all!";
1854 uint16_t buflen = strlen((
char *)buf);
1856 uint8_t numpkts = 1;
1857 uint8_t numsigs = 7;
1861 p[0] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"80.58.0.33",
"195.235.113.3");
1863 const char *sigs[numsigs];
1864 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1865 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1866 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1867 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1868 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1869 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1870 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1873 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1874 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
1891 static int IPOnlyTestSig07(
void)
1894 uint8_t *buf = (uint8_t *)
"Hi all!";
1895 uint16_t buflen = strlen((
char *)buf);
1897 uint8_t numpkts = 1;
1898 uint8_t numsigs = 7;
1904 char *sigs[numsigs];
1905 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1906 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1907 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1908 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1909 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1910 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1911 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1914 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1915 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
1929 static int IPOnlyTestSig08(
void)
1932 uint8_t *buf = (uint8_t *)
"Hi all!";
1933 uint16_t buflen = strlen((
char *)buf);
1935 uint8_t numpkts = 1;
1936 uint8_t numsigs = 7;
1942 const char *sigs[numsigs];
1943 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1944 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1945 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1946 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1947 sigs[4]=
"alert tcp any any -> !192.168.1.5 any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1948 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1949 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1952 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1953 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
1966 static int IPOnlyTestSig09(
void)
1969 uint8_t *buf = (uint8_t *)
"Hi all!";
1970 uint16_t buflen = strlen((
char *)buf);
1972 uint8_t numpkts = 1;
1973 uint8_t numsigs = 7;
1977 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
1979 const char *sigs[numsigs];
1980 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1981 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1982 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1983 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:0/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1984 sigs[4]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1985 sigs[5]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1986 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1989 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1990 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
2003 static int IPOnlyTestSig10(
void)
2006 uint8_t *buf = (uint8_t *)
"Hi all!";
2007 uint16_t buflen = strlen((
char *)buf);
2009 uint8_t numpkts = 1;
2010 uint8_t numsigs = 7;
2014 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565");
2016 const char *sigs[numsigs];
2017 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2018 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2019 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2020 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> !3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2021 sigs[4]=
"alert tcp !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2022 sigs[5]=
"alert tcp any any -> !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2023 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDB:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
2026 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2027 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
2044 static int IPOnlyTestSig11(
void)
2047 uint8_t *buf = (uint8_t *)
"Hi all!";
2048 uint16_t buflen = strlen((
char *)buf);
2050 uint8_t numpkts = 2;
2051 uint8_t numsigs = 7;
2055 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
2058 char *sigs[numsigs];
2059 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2060 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2061 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2062 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2063 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2064 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2065 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2068 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2069 uint32_t
results[2][7] = {{ 1, 1, 1, 1, 1, 1, 1}, { 1, 1, 1, 1, 1, 1, 1}};
2083 static int IPOnlyTestSig12(
void)
2086 uint8_t *buf = (uint8_t *)
"Hi all!";
2087 uint16_t buflen = strlen((
char *)buf);
2089 uint8_t numpkts = 2;
2090 uint8_t numsigs = 7;
2094 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565");
2097 const char *sigs[numsigs];
2098 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2099 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2100 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2101 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2102 sigs[4]=
"alert tcp any any -> [!3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565,!80.198.1.5] any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2103 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2104 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2107 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2108 uint32_t
results[2][7] = {{ 0, 0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0, 0, 0}};
2117 static int IPOnlyTestSig13(
void)
2124 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2125 "flowbits:set,myflow1; sid:1; rev:1;)");
2134 static int IPOnlyTestSig14(
void)
2141 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2142 "flowbits:set,myflow1; flowbits:isset,myflow2; sid:1; rev:1;)");
2151 static int IPOnlyTestSig15(
void)
2154 uint8_t *buf = (uint8_t *)
"Hi all!";
2155 uint16_t buflen = strlen((
char *)buf);
2157 uint8_t numpkts = 1;
2158 uint8_t numsigs = 7;
2163 memset(&f, 0,
sizeof(
Flow));
2174 const char *sigs[numsigs];
2175 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; "
2176 "flowbits:set,one; sid:1;)";
2177 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; "
2178 "flowbits:set,two; sid:2;)";
2179 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; "
2180 "flowbits:set,three; sid:3;)";
2181 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; "
2182 "flowbits:set,four; sid:4;)";
2183 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; "
2184 "flowbits:set,five; sid:5;)";
2185 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; "
2186 "flowbits:set,six; sid:6;)";
2187 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; "
2188 "flowbits:set,seven; content:\"Hi all\"; sid:7;)";
2191 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2192 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
2205 static int IPOnlyTestSig16(
void)
2208 uint8_t *buf = (uint8_t *)
"Hi all!";
2209 uint16_t buflen = strlen((
char *)buf);
2211 uint8_t numpkts = 1;
2212 uint8_t numsigs = 2;
2218 const char *sigs[numsigs];
2219 sigs[0]=
"alert tcp !100.100.0.1 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2220 sigs[1]=
"alert tcp any any -> !50.0.0.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2223 uint32_t sid[2] = { 1, 2};
2224 uint32_t
results[2] = { 1, 1};
2236 static int IPOnlyTestSig17(
void)
2239 uint8_t *buf = (uint8_t *)
"Hi all!";
2240 uint16_t buflen = strlen((
char *)buf);
2242 uint8_t numpkts = 1;
2243 uint8_t numsigs = 2;
2249 const char *sigs[numsigs];
2250 sigs[0]=
"alert ip 100.100.0.0 80 -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2251 sigs[1]=
"alert ip any any -> 50.0.0.0 123 (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2253 uint32_t sid[2] = { 1, 2};
2254 uint32_t
results[2] = { 0, 0};
2266 static int IPOnlyTestSig18(
void)
2269 uint8_t *buf = (uint8_t *)
"Hi all!";
2270 uint16_t buflen = strlen((
char *)buf);
2272 uint8_t numpkts = 4;
2273 uint8_t numsigs = 4;
2280 p[3] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"255.255.255.254",
"5.0.0.1");
2282 const char *sigs[numsigs];
2284 sigs[0]=
"alert ip 1.2.3.4-219.6.7.8 any -> any any (sid:1;)";
2285 sigs[1]=
"alert ip 51.2.3.4-253.1.2.3 any -> any any (sid:2;)";
2286 sigs[2]=
"alert ip 0.0.0.0-50.0.0.2 any -> any any (sid:3;)";
2287 sigs[3]=
"alert ip 50.0.0.0-255.255.255.255 any -> any any (sid:4;)";
2289 uint32_t sid[4] = { 1, 2, 3, 4, };
2291 { 1, 0, 1, 0, }, { 0, 1, 0, 1}, { 0, 0, 1, 0 }, { 0, 0, 0, 1}};
2303 static int IPOnlyTestBug5066v1(
void)
2310 de_ctx,
"alert ip [1.2.3.4/24,1.2.3.64/27] any -> any any (sid:1;)");
2321 static int IPOnlyTestBug5066v2(
void)
2326 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.4/24") != 0);
2329 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2339 static int IPOnlyTestBug5066v3(
void)
2344 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.64/26") != 0);
2347 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2357 static int IPOnlyTestBug5066v4(
void)
2362 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"2000::1:1/122") != 0);
2365 PrintInet(AF_INET6, (
const void *)&x->
ip, ip,
sizeof(ip));
2368 FAIL_IF_NOT(strcmp(ip,
"2000:0000:0000:0000:0000:0000:0001:0000") == 0);
2375 static int IPOnlyTestBug5066v5(
void)
2380 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"2000::1:40/122") != 0);
2383 PrintInet(AF_INET6, (
const void *)&x->
ip, ip,
sizeof(ip));
2386 FAIL_IF_NOT(strcmp(ip,
"2000:0000:0000:0000:0000:0000:0001:0040") == 0);
2393 static int IPOnlyTestBug5168v1(
void)
2398 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.64/0.0.0.0") != 0);
2401 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2411 static int IPOnlyTestBug5168v2(
void)
2415 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"0.0.0.5/0.0.0.5") != -1);