64 #include <netinet/in.h>
89 for (; i <
head->netmask / 32 || i < 1; i++) {
90 if (item->
ip[i] <
head->ip[i])
101 static int InsertRange(
107 uint32_t first = first_in;
108 uint32_t last = last_in;
116 while (dd->
netmask > 0 && (first & (1UL << (32 - dd->
netmask))) == 0 &&
117 first + (1UL << (32 - (dd->
netmask - 1))) - 1 <= last) {
120 dd->
ip[0] = htonl(first);
121 first += 1UL << (32 - dd->
netmask);
123 while (first <= last && first != 0) {
130 while (new->netmask > 0 && (first & (1UL << (32 - new->netmask))) == 0 &&
131 first + (1UL << (32 - (new->netmask - 1))) - 1 <= last) {
134 new->ip[0] = htonl(first);
135 first += 1UL << (32 -
new->netmask);
136 dd = IPOnlyCIDRItemInsert(dd,
new);
160 char *ip = NULL, *ip2 = NULL;
165 while (*
str !=
'\0' && *
str ==
' ')
173 if (strcasecmp(
str,
"any") == 0) {
175 SCLogDebug(
"adding 0.0.0.0/0 and ::/0 as we\'re handling \'any\'");
177 IPOnlyCIDRItemParseSingle(&dd,
"0.0.0.0/0");
180 dd->
next = IPOnlyCIDRItemNew();
181 if (dd->
next == NULL)
184 IPOnlyCIDRItemParseSingle(&dd->
next,
"::/0");
198 if ((strchr(
str,
':')) == NULL) {
204 if ((mask = strchr(ip,
'/')) != NULL) {
206 ip[mask - ip] =
'\0';
208 uint32_t netmask = 0;
211 if ((strchr (mask,
'.')) == NULL) {
214 for (u = 0; u < strlen(mask); u++) {
215 if(!isdigit((
unsigned char)mask[u]))
227 r = inet_pton(AF_INET, mask, &in);
238 r = inet_pton(AF_INET, ip, &in);
242 dd->
ip[0] = in.s_addr & netmask;
244 }
else if ((ip2 = strchr(ip,
'-')) != NULL) {
249 uint32_t first, last;
251 r = inet_pton(AF_INET, ip, &in);
256 r = inet_pton(AF_INET, ip2, &in);
265 SCLogDebug(
"Creating CIDR range for [%s - %s]", ip, ip2);
266 return InsertRange(pdd, dd, first, last);
269 r = inet_pton(AF_INET, ip, &in);
274 dd->
ip[0] = in.s_addr;
279 struct in6_addr in6, mask6;
280 uint32_t ip6addr[4], netmask[4];
284 if ((mask = strchr(ip,
'/')) != NULL) {
288 r = inet_pton(AF_INET6, ip, &in6);
294 (
const char *)mask, 0, 128) < 0) {
298 memcpy(&ip6addr, &in6.s6_addr,
sizeof(ip6addr));
300 memcpy(&netmask, &mask6.s6_addr,
sizeof(netmask));
302 dd->
ip[0] = ip6addr[0] & netmask[0];
303 dd->
ip[1] = ip6addr[1] & netmask[1];
304 dd->
ip[2] = ip6addr[2] & netmask[2];
305 dd->
ip[3] = ip6addr[3] & netmask[3];
307 r = inet_pton(AF_INET6, ip, &in6);
311 memcpy(dd->
ip, &in6.s6_addr,
sizeof(dd->
ip));
341 if (IPOnlyCIDRItemParseSingle(gh, s) == -1) {
342 SCLogError(
"address parsing error \"%s\"", s);
376 if (item->
netmask ==
head->netmask && !IPOnlyCIDRItemCompare(
head, item)) {
382 for (prev = it =
head;
414 SCLogDebug(
"Head is NULL to insert item (%p)",item);
426 while (prev != NULL) {
434 head = IPOnlyCIDRItemInsertReal(
head, prev);
455 if (tmphead == NULL) {
466 SCLogDebug(
"Item(%p) %"PRIu32
" removed", it, i);
486 while (tmphead != NULL) {
488 tmphead = tmphead->
next;
501 while (tmphead != NULL) {
503 SCLogDebug(
"Item %"PRIu32
" has netmask %"PRIu8
" negated:"
504 " %s; IP: %s; signum: %"PRIu32, i, tmphead->
netmask,
505 (tmphead->
negated) ?
"yes":
"no",
506 inet_ntoa(*(
struct in_addr*)&tmphead->
ip[0]),
508 tmphead = tmphead->
next;
527 static void SigNumArrayPrint(
void *tmp)
530 for (uint32_t u = 0; u < sna->
size; u++) {
531 uint8_t bitarray = sna->
array[u];
532 for (uint8_t i = 0; i < 8; i++) {
534 printf(
"%" PRIu32
" ", u * 8 + i);
535 bitarray = bitarray >> 1;
554 FatalError(
"Fatal error encountered in SigNumArrayNew. Exiting...");
559 if (new->array == NULL) {
563 memset(new->array, 0, io_ctx->
max_idx / 8 + 1);
564 new->size = io_ctx->
max_idx / 8 + 1;
584 FatalError(
"Fatal error encountered in SigNumArrayCopy. Exiting...");
588 new->size = orig->
size;
591 if (new->array == NULL) {
595 memcpy(new->array, orig->
array, orig->
size);
603 static void SigNumArrayFree(
void *tmp)
610 if (sna->
array != NULL)
631 int o_set = 0, n_set = 0, d_set = 0;
633 size_t size = strlen(s);
635 const char *rule_var_address = NULL;
636 char *temp_rule_var_address = NULL;
639 head = subhead = NULL;
641 SCLogDebug(
"s %s negate %s", s, negate ?
"true" :
"false");
643 for (u = 0, x = 0; u < size && x <
sizeof(
address); u++) {
647 if (!o_set && s[u] ==
'!') {
650 }
else if (s[u] ==
'[') {
656 }
else if (s[u] ==
']') {
662 (negate + n_set) % 2)) == NULL)
665 head = IPOnlyCIDRItemInsert(
head, subhead);
669 }
else if (depth == 0 && s[u] ==
',') {
672 }
else if (d_set == 1) {
677 if (rule_var_address == NULL)
680 if ((negate + n_set) % 2) {
681 temp_rule_var_address =
SCMalloc(strlen(rule_var_address) + 3);
682 if (
unlikely(temp_rule_var_address == NULL)) {
686 snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
687 "[%s]", rule_var_address);
689 temp_rule_var_address =
SCStrdup(rule_var_address);
690 if (
unlikely(temp_rule_var_address == NULL)) {
695 subhead = IPOnlyCIDRListParse2(
de_ctx, temp_rule_var_address,
696 (negate + n_set) % 2);
697 head = IPOnlyCIDRItemInsert(
head, subhead);
702 SCFree(temp_rule_var_address);
707 subhead = IPOnlyCIDRItemNew();
711 if (!((negate + n_set) % 2))
716 if (IPOnlyCIDRItemSetup(&subhead,
address) < 0) {
721 head = IPOnlyCIDRItemInsert(
head, subhead);
726 }
else if (depth == 0 && s[u] ==
'$') {
728 }
else if (depth == 0 && u == size - 1) {
739 if (rule_var_address == NULL)
742 if ((negate + n_set) % 2) {
743 temp_rule_var_address =
SCMalloc(strlen(rule_var_address) + 3);
744 if (
unlikely(temp_rule_var_address == NULL)) {
747 snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
748 "[%s]", rule_var_address);
750 temp_rule_var_address =
SCStrdup(rule_var_address);
751 if (
unlikely(temp_rule_var_address == NULL)) {
755 subhead = IPOnlyCIDRListParse2(
de_ctx, temp_rule_var_address,
756 (negate + n_set) % 2);
757 head = IPOnlyCIDRItemInsert(
head, subhead);
761 SCFree(temp_rule_var_address);
763 subhead = IPOnlyCIDRItemNew();
767 if (!((negate + n_set) % 2))
772 if (IPOnlyCIDRItemSetup(&subhead,
address) < 0) {
777 head = IPOnlyCIDRItemInsert(
head, subhead);
809 *gh = IPOnlyCIDRListParse2(
de_ctx,
str, 0);
811 SCLogDebug(
"IPOnlyCIDRListParse2 returned null");
834 Signature *s,
const char *addrstr,
char flag)
836 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
840 if (strcasecmp(addrstr,
"any") == 0) {
842 if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_src,
"[0.0.0.0/0,::/0]") < 0)
845 }
else if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_src, (
char *)addrstr) < 0) {
851 if (strcasecmp(addrstr,
"any") == 0) {
853 if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_dst,
"[0.0.0.0/0,::/0]") < 0)
856 }
else if (IPOnlyCIDRListParse(
de_ctx, &s->
cidr_dst, (
char *)addrstr) < 0) {
885 FatalError(
"Unable to allocate iponly signature tracking area");
980 void *user_data_src = NULL, *user_data_dst = NULL;
1000 src = user_data_src;
1001 dst = user_data_dst;
1003 if (
src == NULL ||
dst == NULL)
1007 for (u = 0; u <
src->size; u++) {
1010 uint8_t bitarray =
dst->array[u] &
src->array[u];
1019 for (; i < 8; i++, bitarray = bitarray >> 1) {
1020 if (bitarray & 0x01) {
1044 if (dport == NULL) {
1054 if (sport == NULL) {
1060 SCLogDebug(
"port-less protocol and sig needs ports");
1064 if (!IPOnlyMatchCompatSMs(
tv, det_ctx, s, p)) {
1068 SCLogDebug(
"Signum %"PRIu32
" match (sid: %"PRIu32
", msg: %s)",
1069 u * 8 + i, s->
id, s->
msg);
1075 SCLogDebug(
"running match functions, sm %p", smd);
1118 if (
src->family == AF_INET) {
1128 void *user_data = NULL;
1129 if (
src->netmask == 32)
1136 src->netmask, &user_data);
1137 if (user_data == NULL) {
1145 if (user_data == NULL) {
1152 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1154 if (
src->negated > 0)
1156 sna->
array[
src->signum / 8] &= ~tmp;
1159 sna->
array[
src->signum / 8] |= tmp;
1161 if (
src->netmask == 32)
1171 "src ipv4 radix tree");
1180 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1182 if (
src->negated > 0)
1184 sna->
array[
src->signum / 8] &= ~tmp;
1187 sna->
array[
src->signum / 8] |= tmp;
1189 if (
src->netmask == 32)
1201 " src ipv4 radix tree ip %s netmask %" PRIu8,
1202 tmpstr,
src->netmask);
1214 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1216 if (
src->negated > 0)
1218 sna->
array[
src->signum / 8] &= ~tmp;
1221 sna->
array[
src->signum / 8] |= tmp;
1223 }
else if (
src->family == AF_INET6) {
1226 void *user_data = NULL;
1227 if (
src->netmask == 128)
1234 src->netmask, &user_data);
1236 if (user_data == NULL) {
1242 if (user_data == NULL) {
1247 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1249 if (
src->negated > 0)
1251 sna->
array[
src->signum / 8] &= ~tmp;
1254 sna->
array[
src->signum / 8] |= tmp;
1256 if (
src->netmask == 128)
1272 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1273 if (
src->negated > 0)
1275 sna->
array[
src->signum / 8] &= ~tmp;
1278 sna->
array[
src->signum / 8] |= tmp;
1280 if (
src->netmask == 128)
1296 uint8_t tmp = (uint8_t)(1 << (
src->signum % 8));
1297 if (
src->negated > 0)
1299 sna->
array[
src->signum / 8] &= ~tmp;
1302 sna->
array[
src->signum / 8] |= tmp;
1314 if (
dst->family == AF_INET) {
1317 SCLogDebug(
"Item has netmask %"PRIu8
" negated: %s; IP: %s; signum:"
1318 " %"PRIu32
"",
dst->netmask, (
dst->negated)?
"yes":
"no",
1319 inet_ntoa(*(
struct in_addr*)&
dst->ip[0]),
dst->signum);
1321 void *user_data = NULL;
1322 if (
dst->netmask == 32)
1332 if (user_data == NULL) {
1342 if (user_data == NULL) {
1349 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1350 if (
dst->negated > 0)
1352 sna->
array[
dst->signum / 8] &= ~tmp;
1355 sna->
array[
dst->signum / 8] |= tmp;
1357 if (
dst->netmask == 32)
1376 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1377 if (
dst->negated > 0)
1379 sna->
array[
dst->signum / 8] &= ~tmp;
1382 sna->
array[
dst->signum / 8] |= tmp;
1384 if (
dst->netmask == 32)
1403 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1404 if (
dst->negated > 0)
1406 sna->
array[
dst->signum / 8] &= ~tmp;
1409 sna->
array[
dst->signum / 8] |= tmp;
1411 }
else if (
dst->family == AF_INET6) {
1414 void *user_data = NULL;
1415 if (
dst->netmask == 128)
1422 dst->netmask, &user_data);
1424 if (user_data == NULL) {
1432 if (user_data == NULL) {
1437 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1438 if (
dst->negated > 0)
1440 sna->
array[
dst->signum / 8] &= ~tmp;
1443 sna->
array[
dst->signum / 8] |= tmp;
1445 if (
dst->netmask == 128)
1462 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1463 if (
dst->negated > 0)
1465 sna->
array[
dst->signum / 8] &= ~tmp;
1468 sna->
array[
dst->signum / 8] |= tmp;
1470 if (
dst->netmask == 128)
1487 uint8_t tmp = (uint8_t)(1 << (
dst->signum % 8));
1488 if (
dst->negated > 0)
1490 sna->
array[
dst->signum / 8] &= ~tmp;
1493 sna->
array[
dst->signum / 8] |= tmp;
1531 SCLogDebug(
"Adding IPs from rule: %" PRIu32
" (%s) as %" PRIu32
" mapped to %" PRIu32
"\n",
1532 s->
id, s->
msg, s->
num, mapped_signum);
1534 IPOnlyCIDRListSetSigNum(s->
cidr_src, mapped_signum);
1536 IPOnlyCIDRListSetSigNum(s->
cidr_dst, mapped_signum);
1545 if (mapped_signum > io_ctx->
max_idx)
1546 io_ctx->
max_idx = mapped_signum;
1559 static int IPOnlyTestSig01(
void)
1579 static int IPOnlyTestSig02 (
void)
1599 static int IPOnlyTestSig03 (
void)
1611 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre and content) \"; content:\"php\"; pcre:\"/require(_once)?/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1617 printf(
"got a IPOnly signature (content): ");
1623 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (content) \"; content:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1629 printf(
"got a IPOnly signature (content): ");
1635 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (uricontent) \"; uricontent:\"match something\"; classtype:misc-activity; sid:400001; rev:1;)");
1641 printf(
"got a IPOnly signature (uricontent): ");
1647 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pcre) \"; pcre:\"/e?idps rule[sz]/i\"; classtype:misc-activity; sid:400001; rev:1;)");
1653 printf(
"got a IPOnly signature (pcre): ");
1659 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flow) \"; flow:to_server; classtype:misc-activity; sid:400001; rev:1;)");
1665 printf(
"got a IPOnly signature (flow): ");
1671 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (dsize) \"; dsize:100; classtype:misc-activity; sid:400001; rev:1;)");
1677 printf(
"got a IPOnly signature (dsize): ");
1683 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowbits) \"; flowbits:unset; classtype:misc-activity; sid:400001; rev:1;)");
1689 printf(
"got a IPOnly signature (flowbits): ");
1695 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (flowvar) \"; pcre:\"/(?<flow_var>.*)/i\"; flowvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1701 printf(
"got a IPOnly signature (flowvar): ");
1707 s =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest40-03 sig is not IPOnly (pktvar) \"; pcre:\"/(?<pkt_var>.*)/i\"; pktvar:var,\"str\"; classtype:misc-activity; sid:400001; rev:1;)");
1713 printf(
"got a IPOnly signature (pktvar): ");
1727 static int IPOnlyTestSig04 (
void)
1734 new = IPOnlyCIDRItemNew();
1737 head = IPOnlyCIDRItemInsert(
head,
new);
1739 new = IPOnlyCIDRItemNew();
1742 head = IPOnlyCIDRItemInsert(
head,
new);
1744 new = IPOnlyCIDRItemNew();
1747 head = IPOnlyCIDRItemInsert(
head,
new);
1749 new = IPOnlyCIDRItemNew();
1752 head = IPOnlyCIDRItemInsert(
head,
new);
1754 new = IPOnlyCIDRItemNew();
1757 head = IPOnlyCIDRItemInsert(
head,
new);
1759 IPOnlyCIDRListPrint(
head);
1761 if (new->netmask != 9) {
1766 if (new->netmask != 10) {
1771 if (new->netmask != 10) {
1776 if (new->netmask != 10) {
1781 if (new->netmask != 11) {
1795 static int IPOnlyTestSig05(
void)
1798 uint8_t *buf = (uint8_t *)
"Hi all!";
1799 uint16_t buflen = strlen((
char *)buf);
1801 uint8_t numpkts = 1;
1802 uint8_t numsigs = 7;
1808 const char *sigs[numsigs];
1809 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1810 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1811 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1812 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1813 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1814 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1815 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1818 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1819 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
1832 static int IPOnlyTestSig06(
void)
1835 uint8_t *buf = (uint8_t *)
"Hi all!";
1836 uint16_t buflen = strlen((
char *)buf);
1838 uint8_t numpkts = 1;
1839 uint8_t numsigs = 7;
1843 p[0] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"80.58.0.33",
"195.235.113.3");
1845 const char *sigs[numsigs];
1846 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1847 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1848 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1849 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1850 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1851 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1852 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1855 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1856 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
1873 static int IPOnlyTestSig07(
void)
1876 uint8_t *buf = (uint8_t *)
"Hi all!";
1877 uint16_t buflen = strlen((
char *)buf);
1879 uint8_t numpkts = 1;
1880 uint8_t numsigs = 7;
1886 char *sigs[numsigs];
1887 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1888 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1889 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1890 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1891 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1892 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1893 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1896 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1897 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
1911 static int IPOnlyTestSig08(
void)
1914 uint8_t *buf = (uint8_t *)
"Hi all!";
1915 uint16_t buflen = strlen((
char *)buf);
1917 uint8_t numpkts = 1;
1918 uint8_t numsigs = 7;
1924 const char *sigs[numsigs];
1925 sigs[0]=
"alert tcp 192.168.1.5 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
1926 sigs[1]=
"alert tcp [192.168.1.2,192.168.1.5,192.168.1.4] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
1927 sigs[2]=
"alert tcp [192.168.1.0/24,!192.168.1.1] any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1928 sigs[3]=
"alert tcp [192.0.0.0/8,!192.168.0.0/16,192.168.1.0/24,!192.168.1.1] any -> [192.168.1.0/24,!192.168.1.5] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1929 sigs[4]=
"alert tcp any any -> !192.168.1.5 any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1930 sigs[5]=
"alert tcp any any -> [192.168.0.0/16,!192.168.1.0/24,192.168.1.1] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1931 sigs[6]=
"alert tcp [78.129.202.0/24,192.168.1.5,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> 192.168.1.1 any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
1934 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1935 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
1948 static int IPOnlyTestSig09(
void)
1951 uint8_t *buf = (uint8_t *)
"Hi all!";
1952 uint16_t buflen = strlen((
char *)buf);
1954 uint8_t numpkts = 1;
1955 uint8_t numsigs = 7;
1959 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
1961 const char *sigs[numsigs];
1962 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
1963 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
1964 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
1965 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:0/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
1966 sigs[4]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
1967 sigs[5]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
1968 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
1971 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
1972 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
1985 static int IPOnlyTestSig10(
void)
1988 uint8_t *buf = (uint8_t *)
"Hi all!";
1989 uint16_t buflen = strlen((
char *)buf);
1991 uint8_t numpkts = 1;
1992 uint8_t numsigs = 7;
1996 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565");
1998 const char *sigs[numsigs];
1999 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2000 sigs[1]=
"alert tcp any any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2001 sigs[2]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562 any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2002 sigs[3]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565 any -> !3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562/96 any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2003 sigs[4]=
"alert tcp !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2004 sigs[5]=
"alert tcp any any -> !3FFE:FFFF:7654:FEDA:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2005 sigs[6]=
"alert tcp 3FFE:FFFF:7654:FEDA:0:0:0:0/64 any -> 3FFE:FFFF:7654:FEDB:0:0:0:0/64 any (msg:\"Testing src/dst ip (sid 7)\"; content:\"Hi all\";sid:7;)";
2008 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2009 uint32_t
results[7] = { 0, 0, 0, 0, 0, 0, 0};
2026 static int IPOnlyTestSig11(
void)
2029 uint8_t *buf = (uint8_t *)
"Hi all!";
2030 uint16_t buflen = strlen((
char *)buf);
2032 uint8_t numpkts = 2;
2033 uint8_t numsigs = 7;
2037 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565",
"3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562");
2040 char *sigs[numsigs];
2041 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2042 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2043 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2044 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2045 sigs[4]=
"alert tcp any any -> any any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2046 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2047 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2050 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2051 uint32_t
results[2][7] = {{ 1, 1, 1, 1, 1, 1, 1}, { 1, 1, 1, 1, 1, 1, 1}};
2065 static int IPOnlyTestSig12(
void)
2068 uint8_t *buf = (uint8_t *)
"Hi all!";
2069 uint16_t buflen = strlen((
char *)buf);
2071 uint8_t numpkts = 2;
2072 uint8_t numsigs = 7;
2076 p[0] =
UTHBuildPacketIPV6SrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4562",
"3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565");
2079 const char *sigs[numsigs];
2080 sigs[0]=
"alert tcp 3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1 any -> 3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.5 any (msg:\"Testing src/dst ip (sid 1)\"; sid:1;)";
2081 sigs[1]=
"alert tcp [192.168.1.1,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.4,192.168.1.5,!192.168.1.0/24] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.0/24] any (msg:\"Testing src/dst ip (sid 2)\"; sid:2;)";
2082 sigs[2]=
"alert tcp [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 3)\"; sid:3;)";
2083 sigs[3]=
"alert tcp [3FFE:FFFF:0:0:0:0:0:0/32,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.1] any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,192.168.1.0/24,!3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565] any (msg:\"Testing src/dst ip (sid 4)\"; sid:4;)";
2084 sigs[4]=
"alert tcp any any -> [!3FBE:FFFF:7654:FEDA:1245:BA98:3210:4565,!80.198.1.5] any (msg:\"Testing src/dst ip (sid 5)\"; sid:5;)";
2085 sigs[5]=
"alert tcp any any -> [3FFE:FFFF:7654:FEDA:0:0:0:0/64,!3FFE:FFFF:7654:FEDA:0:0:0:0/64,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.168.1.5] any (msg:\"Testing src/dst ip (sid 6)\"; sid:6;)";
2086 sigs[6]=
"alert tcp [78.129.202.0/24,3FFE:FFFF:7654:FEDA:1245:BA98:3210:4565,192.168.1.1,78.129.205.64,78.129.214.103,78.129.223.19,78.129.233.17,78.137.168.33,78.140.132.11,78.140.133.15,78.140.138.105,78.140.139.105,78.140.141.107,78.140.141.114,78.140.143.103,78.140.143.13,78.140.145.144,78.140.170.164,78.140.23.18,78.143.16.7,78.143.46.124,78.157.129.71] any -> [3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562,192.0.0.0/8] any (msg:\"ET RBN Known Russian Business Network IP TCP - BLOCKING (246)\"; sid:7;)";
2089 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2090 uint32_t
results[2][7] = {{ 0, 0, 0, 0, 0, 0, 0}, {0, 0, 0, 0, 0, 0, 0}};
2099 static int IPOnlyTestSig13(
void)
2106 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2107 "flowbits:set,myflow1; sid:1; rev:1;)");
2116 static int IPOnlyTestSig14(
void)
2123 "alert tcp any any -> any any (msg:\"Test flowbits ip only\"; "
2124 "flowbits:set,myflow1; flowbits:isset,myflow2; sid:1; rev:1;)");
2133 static int IPOnlyTestSig15(
void)
2136 uint8_t *buf = (uint8_t *)
"Hi all!";
2137 uint16_t buflen = strlen((
char *)buf);
2139 uint8_t numpkts = 1;
2140 uint8_t numsigs = 7;
2145 memset(&f, 0,
sizeof(
Flow));
2156 const char *sigs[numsigs];
2157 sigs[0]=
"alert tcp 192.168.1.5 any -> any any (msg:\"Testing src ip (sid 1)\"; "
2158 "flowbits:set,one; sid:1;)";
2159 sigs[1]=
"alert tcp any any -> 192.168.1.1 any (msg:\"Testing dst ip (sid 2)\"; "
2160 "flowbits:set,two; sid:2;)";
2161 sigs[2]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 3)\"; "
2162 "flowbits:set,three; sid:3;)";
2163 sigs[3]=
"alert tcp 192.168.1.5 any -> 192.168.1.1 any (msg:\"Testing src/dst ip (sid 4)\"; "
2164 "flowbits:set,four; sid:4;)";
2165 sigs[4]=
"alert tcp 192.168.1.0/24 any -> any any (msg:\"Testing src/dst ip (sid 5)\"; "
2166 "flowbits:set,five; sid:5;)";
2167 sigs[5]=
"alert tcp any any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 6)\"; "
2168 "flowbits:set,six; sid:6;)";
2169 sigs[6]=
"alert tcp 192.168.1.0/24 any -> 192.168.0.0/16 any (msg:\"Testing src/dst ip (sid 7)\"; "
2170 "flowbits:set,seven; content:\"Hi all\"; sid:7;)";
2173 uint32_t sid[7] = { 1, 2, 3, 4, 5, 6, 7};
2174 uint32_t
results[7] = { 1, 1, 1, 1, 1, 1, 1};
2187 static int IPOnlyTestSig16(
void)
2190 uint8_t *buf = (uint8_t *)
"Hi all!";
2191 uint16_t buflen = strlen((
char *)buf);
2193 uint8_t numpkts = 1;
2194 uint8_t numsigs = 2;
2200 const char *sigs[numsigs];
2201 sigs[0]=
"alert tcp !100.100.0.1 any -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2202 sigs[1]=
"alert tcp any any -> !50.0.0.1 any (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2205 uint32_t sid[2] = { 1, 2};
2206 uint32_t
results[2] = { 1, 1};
2218 static int IPOnlyTestSig17(
void)
2221 uint8_t *buf = (uint8_t *)
"Hi all!";
2222 uint16_t buflen = strlen((
char *)buf);
2224 uint8_t numpkts = 1;
2225 uint8_t numsigs = 2;
2231 const char *sigs[numsigs];
2232 sigs[0]=
"alert ip 100.100.0.0 80 -> any any (msg:\"Testing src ip (sid 1)\"; sid:1;)";
2233 sigs[1]=
"alert ip any any -> 50.0.0.0 123 (msg:\"Testing dst ip (sid 2)\"; sid:2;)";
2235 uint32_t sid[2] = { 1, 2};
2236 uint32_t
results[2] = { 0, 0};
2248 static int IPOnlyTestSig18(
void)
2251 uint8_t *buf = (uint8_t *)
"Hi all!";
2252 uint16_t buflen = strlen((
char *)buf);
2254 uint8_t numpkts = 4;
2255 uint8_t numsigs = 4;
2262 p[3] =
UTHBuildPacketSrcDst((uint8_t *)buf, buflen, IPPROTO_TCP,
"255.255.255.254",
"5.0.0.1");
2264 const char *sigs[numsigs];
2266 sigs[0]=
"alert ip 1.2.3.4-219.6.7.8 any -> any any (sid:1;)";
2267 sigs[1]=
"alert ip 51.2.3.4-253.1.2.3 any -> any any (sid:2;)";
2268 sigs[2]=
"alert ip 0.0.0.0-50.0.0.2 any -> any any (sid:3;)";
2269 sigs[3]=
"alert ip 50.0.0.0-255.255.255.255 any -> any any (sid:4;)";
2271 uint32_t sid[4] = { 1, 2, 3, 4, };
2273 { 1, 0, 1, 0, }, { 0, 1, 0, 1}, { 0, 0, 1, 0 }, { 0, 0, 0, 1}};
2285 static int IPOnlyTestBug5066v1(
void)
2292 de_ctx,
"alert ip [1.2.3.4/24,1.2.3.64/27] any -> any any (sid:1;)");
2303 static int IPOnlyTestBug5066v2(
void)
2308 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.4/24") != 0);
2311 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2321 static int IPOnlyTestBug5066v3(
void)
2326 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.64/26") != 0);
2329 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2339 static int IPOnlyTestBug5066v4(
void)
2344 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"2000::1:1/122") != 0);
2347 PrintInet(AF_INET6, (
const void *)&x->
ip, ip,
sizeof(ip));
2350 FAIL_IF_NOT(strcmp(ip,
"2000:0000:0000:0000:0000:0000:0001:0000") == 0);
2357 static int IPOnlyTestBug5066v5(
void)
2362 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"2000::1:40/122") != 0);
2365 PrintInet(AF_INET6, (
const void *)&x->
ip, ip,
sizeof(ip));
2368 FAIL_IF_NOT(strcmp(ip,
"2000:0000:0000:0000:0000:0000:0001:0040") == 0);
2375 static int IPOnlyTestBug5168v1(
void)
2380 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"1.2.3.64/0.0.0.0") != 0);
2383 PrintInet(AF_INET, (
const void *)&x->
ip[0], ip,
sizeof(ip));
2393 static int IPOnlyTestBug5168v2(
void)
2397 FAIL_IF(IPOnlyCIDRItemParseSingle(&x,
"0.0.0.5/0.0.0.5") != -1);