57 static int StreamMpmFunc(
58 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
64 smd->
det_ctx->stream_mpm_size += data_len;
74 Packet *p,
const void *pectx)
82 SCLogDebug(
"PRE det_ctx->raw_stream_progress %"PRIu64,
86 StreamMpmFunc, &stream_mpm_data,
89 SCLogDebug(
"POST det_ctx->raw_stream_progress %"PRIu64,
111 PrefilterPktStream,
mpm_ctx, NULL,
"stream");
115 Packet *p,
const void *pectx)
132 PrefilterPktPayload,
mpm_ctx, NULL,
"payload");
224 static int StreamContentInspectFunc(
225 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
231 smd->
det_ctx->stream_persig_cnt++;
232 smd->
det_ctx->stream_persig_size += data_len;
240 NULL, smd->
f, (uint8_t *)data, data_len, 0, 0,
270 StreamContentInspectFunc, &inspect_data,
283 static int StreamContentInspectEngineFunc(
284 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
290 smd->det_ctx->stream_persig_cnt++;
291 smd->det_ctx->stream_persig_size += data_len;
293 smd->det_ctx->buffer_offset = 0;
294 smd->det_ctx->discontinue_matching = 0;
295 smd->det_ctx->inspection_recursion_counter = 0;
299 NULL,
smd->f, (uint8_t *)data, data_len, 0, 0,
318 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
324 if (p->
proto == IPPROTO_UDP) {
327 }
else if (p->
proto != IPPROTO_TCP)
334 SCLogDebug(
"pre-inspect det_ctx->raw_stream_progress %"PRIu64
" FLUSH? %s",
340 StreamContentInspectEngineFunc, &inspect_data,
343 bool is_last =
false;
344 if (
flags & STREAM_TOSERVER) {
354 SCLogDebug(
"%s ran stream for sid %u on packet %"PRIu64
" and we %s",
356 match ?
"matched" :
"didn't match");
374 static int PayloadTestSig01 (
void)
376 uint8_t *buf = (uint8_t *)
378 uint16_t buflen = strlen((
char *)buf);
383 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
393 static int PayloadTestSig02 (
void)
395 uint8_t *buf = (uint8_t *)
397 uint16_t buflen = strlen((
char *)buf);
402 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
412 static int PayloadTestSig03 (
void)
414 uint8_t *buf = (uint8_t *)
416 uint16_t buflen = strlen((
char *)buf);
421 char sig[] =
"alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
433 static int PayloadTestSig04(
void)
435 uint8_t *buf = (uint8_t *)
"now this is is big big string now";
436 uint16_t buflen = strlen((
char *)buf);
441 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
442 "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
443 "content:\"string\"; within:8; sid:1;)";
455 static int PayloadTestSig05(
void)
457 uint8_t *buf = (uint8_t *)
"now this is is is big big big string now";
458 uint16_t buflen = strlen((
char *)buf);
463 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
464 "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
465 "content:\"string\"; within:8; sid:1;)";
477 static int PayloadTestSig06(
void)
479 uint8_t *buf = (uint8_t *)
"this this now is is big string now";
480 uint16_t buflen = strlen((
char *)buf);
485 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
486 "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
487 "content:\"string\"; within:8; sid:1;)";
499 static int PayloadTestSig07(
void)
501 uint8_t *buf = (uint8_t *)
" thus thus is a big";
502 uint16_t buflen = strlen((
char *)buf);
507 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
508 "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
521 static int PayloadTestSig08(
void)
523 uint8_t *buf = (uint8_t *)
"we need to fix this and yes fix this now";
524 uint16_t buflen = strlen((
char *)buf);
529 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
530 "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
542 static int PayloadTestSig09(
void)
544 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
545 uint16_t buflen = strlen((
char *)buf);
550 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
551 "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
563 static int PayloadTestSig10(
void)
565 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
566 uint16_t buflen = strlen((
char *)buf);
571 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
572 "byte_test:4,>,2,0,relative; sid:11;)";
584 static int PayloadTestSig11(
void)
586 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
587 uint16_t buflen = strlen((
char *)buf);
592 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
593 "byte_jump:1,0,relative; sid:11;)";
605 static int PayloadTestSig12(
void)
607 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
608 uint16_t buflen = strlen((
char *)buf);
613 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
614 "isdataat:10,relative; sid:11;)";
626 static int PayloadTestSig13(
void)
628 uint8_t *buf = (uint8_t *)
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
629 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
630 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
631 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
632 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
633 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
634 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
635 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
636 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
637 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
638 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
639 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
640 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
641 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
642 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
643 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
644 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
645 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
646 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
647 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
649 uint16_t buflen = strlen((
char *)buf);
655 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
656 "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
657 "byte_test:1,>,200,0,relative; sid:1;)";
664 memset(&th_v, 0,
sizeof(th_v));
695 static int PayloadTestSig14(
void)
697 uint8_t *buf = (uint8_t *)
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
698 uint16_t buflen = strlen((
char *)buf);
703 char sig[] =
"alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
714 static int PayloadTestSig15(
void)
716 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
717 uint16_t buflen = strlen((
char *)buf);
722 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
723 "content:\"nova\"; isdataat:18,relative; sid:1;)";
732 static int PayloadTestSig16(
void)
734 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
735 uint16_t buflen = strlen((
char *)buf);
740 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
741 "content:\"nova\"; isdataat:!20,relative; sid:1;)";
750 static int PayloadTestSig17(
void)
752 uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
758 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
759 "content:\"%\"; depth:4; offset:0; "
760 "content:\"%\"; within:2; distance:1; sid:1;)";
769 static int PayloadTestSig18(
void)
772 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
773 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
776 uint16_t buflen =
sizeof(buf);
781 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
782 "content:\"|01 02 03 04|\"; "
783 "byte_extract:1,2,one,string,dec,relative; "
784 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
793 static int PayloadTestSig19(
void)
796 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
797 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
800 uint16_t buflen =
sizeof(buf);
805 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
806 "content:\"|01 02 03 04|\"; "
807 "byte_extract:1,2,one,string,hex,relative; "
808 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
817 static int PayloadTestSig20(
void)
820 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
821 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
824 uint16_t buflen =
sizeof(buf);
829 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
830 "content:\"|01 02 03 04|\"; "
831 "byte_extract:1,2,one,string,dec,relative; "
832 "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
841 static int PayloadTestSig21(
void)
844 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
845 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
848 uint16_t buflen =
sizeof(buf);
853 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
854 "content:\"|01 02 03 04|\"; "
855 "byte_extract:1,2,one,string,dec,relative; "
856 "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
865 static int PayloadTestSig22(
void)
868 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
869 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
872 uint16_t buflen =
sizeof(buf);
877 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
878 "content:\"|01 02 03 04|\"; "
879 "byte_extract:1,2,one,string,dec,relative; "
880 "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
889 static int PayloadTestSig23(
void)
892 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
893 0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
896 uint16_t buflen =
sizeof(buf);
901 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
902 "content:\"|01 02 03 04|\"; "
903 "byte_extract:1,2,one,string,dec,relative; "
904 "byte_extract:1,3,two,string,dec,relative; "
905 "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
914 static int PayloadTestSig24(
void)
917 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
918 0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
921 uint16_t buflen =
sizeof(buf);
926 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
927 "content:\"|01 02 03 04|\"; "
928 "byte_extract:1,2,one,string,dec,relative; "
929 "byte_jump:1,one,string,dec,relative; "
930 "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
942 static int PayloadTestSig25(
void)
945 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
946 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
949 uint16_t buflen =
sizeof(buf);
954 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
955 "content:\"|35 07 08 09|\"; "
956 "byte_extract:1,-4,one,string,dec,relative; "
957 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
969 static int PayloadTestSig26(
void)
972 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
973 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
976 uint16_t buflen =
sizeof(buf);
981 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
982 "content:\"|35 07 08 09|\"; "
983 "byte_extract:1,-3000,one,string,dec,relative; "
984 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
996 static int PayloadTestSig27(
void)
998 uint8_t buf[] =
"dummypayload";
999 uint16_t buflen =
sizeof(buf) - 1;
1004 char sig[] =
"alert tcp any any -> any any (content:\"dummy\"; "
1018 static int PayloadTestSig28(
void)
1020 uint8_t buf[] =
"dummypayload";
1021 uint16_t buflen =
sizeof(buf) - 1;
1026 char sig[] =
"alert tcp any any -> any any (content:\"payload\"; "
1027 "offset:4; depth:12; sid:1;)";
1040 static int PayloadTestSig29(
void)
1042 uint8_t *buf = (uint8_t *)
"this is a super dupernova in super nova now";
1043 uint16_t buflen = strlen((
char *)buf);
1048 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1049 "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1058 static int PayloadTestSig30(
void)
1060 uint8_t *buf = (uint8_t *)
1061 "xyonexxxxxxtwojunkonetwo";
1062 uint16_t buflen = strlen((
char *)buf);
1067 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1076 static int PayloadTestSig31(
void)
1078 uint8_t *buf = (uint8_t *)
1079 "xyonexxxxxxtwojunkonetwo";
1080 uint16_t buflen = strlen((
char *)buf);
1085 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1097 static int PayloadTestSig32(
void)
1099 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1100 uint16_t buflen = strlen((
char *)buf);
1105 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1106 "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1118 static int PayloadTestSig33(
void)
1120 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1121 uint16_t buflen = strlen((
char *)buf);
1126 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1127 "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1139 static int PayloadTestSig34(
void)
1141 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1142 uint16_t buflen = strlen((
char *)buf);
1147 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1148 "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1.8.18