suricata
detect-engine-payload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Performs payload matching functions
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "rust.h"
29 
30 #include "decode.h"
31 
32 #include "detect.h"
33 #include "detect-engine.h"
34 #include "detect-parse.h"
37 #include "detect-engine-state.h"
38 #include "detect-engine-payload.h"
39 
40 #include "stream.h"
41 #include "stream-tcp.h"
42 
43 #include "util-debug.h"
44 #include "util-print.h"
45 
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 #include "util-validate.h"
49 
50 #include "util-mpm-ac.h"
51 
52 struct StreamMpmData {
54  const MpmCtx *mpm_ctx;
55 };
56 
57 static int StreamMpmFunc(
58  void *cb_data, const uint8_t *data, const uint32_t data_len, const uint64_t _offset)
59 {
60  struct StreamMpmData *smd = cb_data;
61  if (data_len >= smd->mpm_ctx->minlen) {
62 #ifdef DEBUG
63  smd->det_ctx->stream_mpm_cnt++;
64  smd->det_ctx->stream_mpm_size += data_len;
65 #endif
66  (void)mpm_table[smd->mpm_ctx->mpm_type].Search(smd->mpm_ctx,
67  &smd->det_ctx->mtcs, &smd->det_ctx->pmq,
68  data, data_len);
69  }
70  return 0;
71 }
72 
73 static void PrefilterPktStream(DetectEngineThreadCtx *det_ctx,
74  Packet *p, const void *pectx)
75 {
76  SCEnter();
77 
78  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
79 
80  /* for established packets inspect any stream we may have queued up */
82  SCLogDebug("PRE det_ctx->raw_stream_progress %"PRIu64,
84  struct StreamMpmData stream_mpm_data = { det_ctx, mpm_ctx };
86  StreamMpmFunc, &stream_mpm_data,
88  false /* mpm doesn't use min inspect depth */);
89  SCLogDebug("POST det_ctx->raw_stream_progress %"PRIu64,
91 
92  /* packets that have not been added to the stream will be inspected as if they are stream
93  * chunks */
94  } else if ((p->flags & (PKT_NOPAYLOAD_INSPECTION | PKT_STREAM_ADD)) == 0) {
95  if (p->payload_len >= mpm_ctx->minlen) {
96 #ifdef DEBUG
97  det_ctx->payload_mpm_cnt++;
98  det_ctx->payload_mpm_size += p->payload_len;
99 #endif
101  &det_ctx->mtc, &det_ctx->pmq,
102  p->payload, p->payload_len);
103  }
104  }
105 }
106 
108  SigGroupHead *sgh, MpmCtx *mpm_ctx)
109 {
111  PrefilterPktStream, mpm_ctx, NULL, "stream");
112 }
113 
114 static void PrefilterPktPayload(DetectEngineThreadCtx *det_ctx,
115  Packet *p, const void *pectx)
116 {
117  SCEnter();
118 
119  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
120  if (p->payload_len < mpm_ctx->minlen)
121  SCReturn;
122 
124  &det_ctx->mtc, &det_ctx->pmq,
125  p->payload, p->payload_len);
126 }
127 
129  SigGroupHead *sgh, MpmCtx *mpm_ctx)
130 {
132  PrefilterPktPayload, mpm_ctx, NULL, "payload");
133 }
134 
135 
136 /**
137  * \brief Do the content inspection & validation for a signature
138  *
139  * \param de_ctx Detection engine context
140  * \param det_ctx Detection engine thread context
141  * \param s Signature to inspect
142  * \param f flow (for pcre flowvar storage)
143  * \param p Packet
144  *
145  * \retval 0 no match
146  * \retval 1 match
147  */
149  const Signature *s, Flow *f, Packet *p)
150 {
151  SCEnter();
152  int r = 0;
153 
154  if (s->sm_arrays[DETECT_SM_LIST_PMATCH] == NULL) {
155  SCReturnInt(0);
156  }
157 #ifdef DEBUG
158  det_ctx->payload_persig_cnt++;
159  det_ctx->payload_persig_size += p->payload_len;
160 #endif
161  det_ctx->buffer_offset = 0;
164  det_ctx->replist = NULL;
165 
168  p, f, p->payload, p->payload_len, 0,
170  if (r == 1) {
171  SCReturnInt(1);
172  }
173  SCReturnInt(0);
174 }
175 
176 /**
177  * \brief Do the content inspection & validation for a sigmatch list
178  *
179  * \param de_ctx Detection engine context
180  * \param det_ctx Detection engine thread context
181  * \param s Signature to inspect
182  * \param smd array of matches to eval
183  * \param f flow (for pcre flowvar storage)
184  * \param p Packet
185  *
186  * \retval 0 no match
187  * \retval 1 match
188  */
189 static uint8_t DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
190  DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f,
191  Packet *p)
192 {
193  SCEnter();
194  int r = 0;
195 
196  if (smd == NULL) {
197  SCReturnInt(0);
198  }
199 #ifdef DEBUG
200  det_ctx->payload_persig_cnt++;
201  det_ctx->payload_persig_size += p->payload_len;
202 #endif
203  det_ctx->buffer_offset = 0;
206  det_ctx->replist = NULL;
207 
209  p, f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE,
211  if (r == 1) {
212  SCReturnInt(1);
213  }
214  SCReturnInt(0);
215 }
216 
220  const Signature *s;
221  Flow *f;
222 };
223 
224 static int StreamContentInspectFunc(
225  void *cb_data, const uint8_t *data, const uint32_t data_len, const uint64_t _offset)
226 {
227  SCEnter();
228  int r = 0;
229  struct StreamContentInspectData *smd = cb_data;
230 #ifdef DEBUG
231  smd->det_ctx->stream_persig_cnt++;
232  smd->det_ctx->stream_persig_size += data_len;
233 #endif
234  smd->det_ctx->buffer_offset = 0;
235  smd->det_ctx->discontinue_matching = 0;
237 
239  smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH],
240  NULL, smd->f, (uint8_t *)data, data_len, 0, 0, //TODO
242  if (r == 1) {
243  SCReturnInt(1);
244  }
245 
246  SCReturnInt(0);
247 }
248 
249 /**
250  * \brief Do the content inspection & validation for a signature
251  * on the raw stream
252  *
253  * \param de_ctx Detection engine context
254  * \param det_ctx Detection engine thread context
255  * \param s Signature to inspect
256  * \param f flow (for pcre flowvar storage)
257  *
258  * \retval 0 no match
259  * \retval 1 match
260  */
263  Flow *f, Packet *p)
264 {
265  SCEnter();
266  SCLogDebug("FLUSH? %s", (s->flags & SIG_FLAG_FLUSH)?"true":"false");
267  uint64_t unused;
268  struct StreamContentInspectData inspect_data = { de_ctx, det_ctx, s, f };
269  int r = StreamReassembleRaw(f->protoctx, p,
270  StreamContentInspectFunc, &inspect_data,
271  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
272  return r;
273 }
274 
278  const Signature *s;
280  Flow *f;
281 };
282 
283 static int StreamContentInspectEngineFunc(
284  void *cb_data, const uint8_t *data, const uint32_t data_len, const uint64_t _offset)
285 {
286  SCEnter();
287  int r = 0;
288  struct StreamContentInspectEngineData *smd = cb_data;
289 #ifdef DEBUG
290  smd->det_ctx->stream_persig_cnt++;
291  smd->det_ctx->stream_persig_size += data_len;
292 #endif
293  smd->det_ctx->buffer_offset = 0;
294  smd->det_ctx->discontinue_matching = 0;
295  smd->det_ctx->inspection_recursion_counter = 0;
296 
297  r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx,
298  smd->s, smd->smd,
299  NULL, smd->f, (uint8_t *)data, data_len, 0, 0, // TODO
301  if (r == 1) {
302  SCReturnInt(1);
303  }
304 
305  SCReturnInt(0);
306 }
307 
308 /**
309  * \brief inspect engine for stateful rules
310  *
311  * Caches results as it may be called multiple times if we inspect
312  * multiple transactions in one packet.
313  *
314  * Returns "can't match" if depth is reached.
315  */
317  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
318  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
319 {
320  Packet *p = det_ctx->p; /* TODO: get rid of this HACK */
321 
322  /* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
323  * we can get called for UDP. Then we simply inspect the packet payload */
324  if (p->proto == IPPROTO_UDP) {
325  return DetectEngineInspectStreamUDPPayload(de_ctx, det_ctx, s, engine->smd, f, p);
326  /* for other non-TCP protocols we assume match */
327  } else if (p->proto != IPPROTO_TCP)
329 
330  TcpSession *ssn = f->protoctx;
331  if (ssn == NULL)
333 
334  SCLogDebug("pre-inspect det_ctx->raw_stream_progress %"PRIu64" FLUSH? %s",
336  (s->flags & SIG_FLAG_FLUSH)?"true":"false");
337  uint64_t unused;
338  struct StreamContentInspectEngineData inspect_data = { de_ctx, det_ctx, s, engine->smd, f };
339  int match = StreamReassembleRaw(f->protoctx, p,
340  StreamContentInspectEngineFunc, &inspect_data,
341  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
342 
343  bool is_last = false;
344  if (flags & STREAM_TOSERVER) {
345  TcpStream *stream = &ssn->client;
347  is_last = true;
348  } else {
349  TcpStream *stream = &ssn->server;
351  is_last = true;
352  }
353 
354  SCLogDebug("%s ran stream for sid %u on packet %"PRIu64" and we %s",
355  is_last? "LAST:" : "normal:", s->id, p->pcap_cnt,
356  match ? "matched" : "didn't match");
357 
358  if (match) {
360  } else {
361  if (is_last) {
362  //SCLogNotice("last, so DETECT_ENGINE_INSPECT_SIG_CANT_MATCH");
364  }
365  /* TODO maybe we can set 'CANT_MATCH' for EOF too? */
367  }
368 }
369 
370 #ifdef UNITTESTS
371 
372 /** \test Not the first but the second occurence of "abc" should be used
373  * for the 2nd match */
374 static int PayloadTestSig01 (void)
375 {
376  uint8_t *buf = (uint8_t *)
377  "abcabcd";
378  uint16_t buflen = strlen((char *)buf);
379  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
380 
381  FAIL_IF_NULL(p);
382 
383  char sig[] = "alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
384 
386 
387  UTHFreePacket(p);
388 
389  PASS;
390 }
391 
392 /** \test Nocase matching */
393 static int PayloadTestSig02 (void)
394 {
395  uint8_t *buf = (uint8_t *)
396  "abcaBcd";
397  uint16_t buflen = strlen((char *)buf);
398  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
399 
400  FAIL_IF_NULL(p);
401 
402  char sig[] = "alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
403 
405 
406  UTHFreePacket(p);
407 
408  PASS;
409 }
410 
411 /** \test Negative distance matching */
412 static int PayloadTestSig03 (void)
413 {
414  uint8_t *buf = (uint8_t *)
415  "abcaBcd";
416  uint16_t buflen = strlen((char *)buf);
417  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
418 
419  FAIL_IF_NULL(p);
420 
421  char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
422 
424 
425  UTHFreePacket(p);
426 
427  PASS;
428 }
429 
430 /**
431  * \test Test multiple relative matches.
432  */
433 static int PayloadTestSig04(void)
434 {
435  uint8_t *buf = (uint8_t *)"now this is is big big string now";
436  uint16_t buflen = strlen((char *)buf);
437  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
438 
439  FAIL_IF_NULL(p);
440 
441  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
442  "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
443  "content:\"string\"; within:8; sid:1;)";
444 
446 
447  UTHFreePacket(p);
448 
449  PASS;
450 }
451 
452 /**
453  * \test Test multiple relative matches.
454  */
455 static int PayloadTestSig05(void)
456 {
457  uint8_t *buf = (uint8_t *)"now this is is is big big big string now";
458  uint16_t buflen = strlen((char *)buf);
459  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
460 
461  FAIL_IF_NULL(p);
462 
463  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
464  "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
465  "content:\"string\"; within:8; sid:1;)";
466 
468 
469  UTHFreePacket(p);
470 
471  PASS;
472 }
473 
474 /**
475  * \test Test multiple relative matches.
476  */
477 static int PayloadTestSig06(void)
478 {
479  uint8_t *buf = (uint8_t *)"this this now is is big string now";
480  uint16_t buflen = strlen((char *)buf);
481  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
482 
483  FAIL_IF_NULL(p);
484 
485  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
486  "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
487  "content:\"string\"; within:8; sid:1;)";
488 
490 
491  UTHFreePacket(p);
492 
493  PASS;
494 }
495 
496 /**
497  * \test Test multiple relative matches.
498  */
499 static int PayloadTestSig07(void)
500 {
501  uint8_t *buf = (uint8_t *)" thus thus is a big";
502  uint16_t buflen = strlen((char *)buf);
503  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
504 
505  FAIL_IF_NULL(p);
506 
507  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
508  "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
509 
511 
512  UTHFreePacket(p);
513 
514  PASS;
515 }
516 
517 /**
518  * \test Test multiple relative matches with negative matches
519  * and show the need for det_ctx->discontinue_matching.
520  */
521 static int PayloadTestSig08(void)
522 {
523  uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
524  uint16_t buflen = strlen((char *)buf);
525  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
526 
527  FAIL_IF_NULL(p);
528 
529  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
530  "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
531 
533 
534  UTHFreePacket(p);
535 
536  PASS;
537 }
538 
539 /**
540  * \test Test pcre recursive matching.
541  */
542 static int PayloadTestSig09(void)
543 {
544  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
545  uint16_t buflen = strlen((char *)buf);
546  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
547 
548  FAIL_IF_NULL(p);
549 
550  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
551  "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
552 
554 
555  UTHFreePacket(p);
556 
557  PASS;
558 }
559 
560 /**
561  * \test Test invalid sig.
562  */
563 static int PayloadTestSig10(void)
564 {
565  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
566  uint16_t buflen = strlen((char *)buf);
567  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
568 
569  FAIL_IF_NULL(p);
570 
571  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
572  "byte_test:4,>,2,0,relative; sid:11;)";
573 
575 
576  UTHFreePacket(p);
577 
578  PASS;
579 }
580 
581 /**
582  * \test Test invalid sig.
583  */
584 static int PayloadTestSig11(void)
585 {
586  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
587  uint16_t buflen = strlen((char *)buf);
588  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
589 
590  FAIL_IF_NULL(p);
591 
592  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
593  "byte_jump:1,0,relative; sid:11;)";
594 
596 
597  UTHFreePacket(p);
598 
599  PASS;
600 }
601 
602 /**
603  * \test Test invalid sig.
604  */
605 static int PayloadTestSig12(void)
606 {
607  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
608  uint16_t buflen = strlen((char *)buf);
609  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
610 
611  FAIL_IF_NULL(p);
612 
613  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
614  "isdataat:10,relative; sid:11;)";
615 
617 
618  UTHFreePacket(p);
619 
620  PASS;
621 }
622 
623 /**
624  * \test Used to check the working of recursion_limit counter.
625  */
626 static int PayloadTestSig13(void)
627 {
628  uint8_t *buf = (uint8_t *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
629  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
630  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
631  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
632  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
633  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
634  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
635  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
636  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
637  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
638  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
639  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
640  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
641  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
642  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
643  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
644  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
645  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
646  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
647  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
648 
649  uint16_t buflen = strlen((char *)buf);
650  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
651  uint16_t mpm_type = mpm_default_matcher;
652 
653  FAIL_IF_NULL(p);
654 
655  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
656  "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
657  "byte_test:1,>,200,0,relative; sid:1;)";
658 
660  ThreadVars th_v;
662 
663  memset(&dtv, 0, sizeof(DecodeThreadVars));
664  memset(&th_v, 0, sizeof(th_v));
665 
668 
670 
671  de_ctx->flags |= DE_QUIET;
672  de_ctx->mpm_matcher = mpm_type;
673 
674  de_ctx->sig_list = SigInit(de_ctx, sig);
676 
678  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
679 
680  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
681 
683 
684  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
686 
687  UTHFreePacket(p);
688 
689  PASS;
690 }
691 
692 /**
693  * \test normal & negated matching, both absolute and relative
694  */
695 static int PayloadTestSig14(void)
696 {
697  uint8_t *buf = (uint8_t *)"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
698  uint16_t buflen = strlen((char *)buf);
699  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
700 
701  FAIL_IF_NULL(p);
702 
703  char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
704 
705  //char sig[] = "alert tcp any any -> any any (content:\"User-Agent: Mozilla/5.0 (Macintosh; \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
706 
708 
709  UTHFreePacket(p);
710 
711  PASS;
712 }
713 
714 static int PayloadTestSig15(void)
715 {
716  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
717  uint16_t buflen = strlen((char *)buf);
718  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
719 
720  FAIL_IF_NULL(p);
721 
722  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
723  "content:\"nova\"; isdataat:18,relative; sid:1;)";
724 
726 
727  UTHFreePacket(p);
728 
729  PASS;
730 }
731 
732 static int PayloadTestSig16(void)
733 {
734  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
735  uint16_t buflen = strlen((char *)buf);
736  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
737 
738  FAIL_IF_NULL(p);
739 
740  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
741  "content:\"nova\"; isdataat:!20,relative; sid:1;)";
742 
744 
745  UTHFreePacket(p);
746 
747  PASS;
748 }
749 
750 static int PayloadTestSig17(void)
751 {
752  uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
753  uint16_t buflen = 9;
754  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
755 
756  FAIL_IF_NULL(p);
757 
758  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
759  "content:\"%\"; depth:4; offset:0; "
760  "content:\"%\"; within:2; distance:1; sid:1;)";
761 
763 
764  UTHFreePacket(p);
765 
766  PASS;
767 }
768 
769 static int PayloadTestSig18(void)
770 {
771  uint8_t buf[] = {
772  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
773  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
774  0x0E, 0x0F,
775  };
776  uint16_t buflen = sizeof(buf);
777  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
778 
779  FAIL_IF_NULL(p);
780 
781  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
782  "content:\"|01 02 03 04|\"; "
783  "byte_extract:1,2,one,string,dec,relative; "
784  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
785 
787 
788  UTHFreePacket(p);
789 
790  PASS;
791 }
792 
793 static int PayloadTestSig19(void)
794 {
795  uint8_t buf[] = {
796  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
797  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
798  0x0E, 0x0F,
799  };
800  uint16_t buflen = sizeof(buf);
801  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
802 
803  FAIL_IF_NULL(p);
804 
805  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
806  "content:\"|01 02 03 04|\"; "
807  "byte_extract:1,2,one,string,hex,relative; "
808  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
809 
811 
812  UTHFreePacket(p);
813 
814  PASS;
815 }
816 
817 static int PayloadTestSig20(void)
818 {
819  uint8_t buf[] = {
820  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
821  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
822  0x0E, 0x0F,
823  };
824  uint16_t buflen = sizeof(buf);
825  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
826 
827  FAIL_IF_NULL(p);
828 
829  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
830  "content:\"|01 02 03 04|\"; "
831  "byte_extract:1,2,one,string,dec,relative; "
832  "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
833 
835 
836  UTHFreePacket(p);
837 
838  PASS;
839 }
840 
841 static int PayloadTestSig21(void)
842 {
843  uint8_t buf[] = {
844  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
845  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
846  0x0E, 0x0F,
847  };
848  uint16_t buflen = sizeof(buf);
849  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
850 
851  FAIL_IF_NULL(p);
852 
853  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
854  "content:\"|01 02 03 04|\"; "
855  "byte_extract:1,2,one,string,dec,relative; "
856  "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
857 
859 
860  UTHFreePacket(p);
861 
862  PASS;
863 }
864 
865 static int PayloadTestSig22(void)
866 {
867  uint8_t buf[] = {
868  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
869  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
870  0x0E, 0x0F,
871  };
872  uint16_t buflen = sizeof(buf);
873  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
874 
875  FAIL_IF_NULL(p);
876 
877  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
878  "content:\"|01 02 03 04|\"; "
879  "byte_extract:1,2,one,string,dec,relative; "
880  "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
881 
883 
884  UTHFreePacket(p);
885 
886  PASS;
887 }
888 
889 static int PayloadTestSig23(void)
890 {
891  uint8_t buf[] = {
892  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
893  0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
894  0x32, 0x0F,
895  };
896  uint16_t buflen = sizeof(buf);
897  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
898 
899  FAIL_IF_NULL(p);
900 
901  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
902  "content:\"|01 02 03 04|\"; "
903  "byte_extract:1,2,one,string,dec,relative; "
904  "byte_extract:1,3,two,string,dec,relative; "
905  "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
906 
908 
909  UTHFreePacket(p);
910 
911  PASS;
912 }
913 
914 static int PayloadTestSig24(void)
915 {
916  uint8_t buf[] = {
917  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
918  0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
919  0x0E, 0x0F,
920  };
921  uint16_t buflen = sizeof(buf);
922  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
923 
924  FAIL_IF_NULL(p);
925 
926  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
927  "content:\"|01 02 03 04|\"; "
928  "byte_extract:1,2,one,string,dec,relative; "
929  "byte_jump:1,one,string,dec,relative; "
930  "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
931 
933 
934  UTHFreePacket(p);
935 
936  PASS;
937 }
938 
939 /*
940  * \test Test negative byte extract.
941  */
942 static int PayloadTestSig25(void)
943 {
944  uint8_t buf[] = {
945  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
946  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
947  0x0E, 0x0F,
948  };
949  uint16_t buflen = sizeof(buf);
950  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
951 
952  FAIL_IF_NULL(p);
953 
954  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
955  "content:\"|35 07 08 09|\"; "
956  "byte_extract:1,-4,one,string,dec,relative; "
957  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
958 
960 
961  UTHFreePacket(p);
962 
963  PASS;
964 }
965 
966 /*
967  * \test Test negative byte extract.
968  */
969 static int PayloadTestSig26(void)
970 {
971  uint8_t buf[] = {
972  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
973  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
974  0x0E, 0x0F,
975  };
976  uint16_t buflen = sizeof(buf);
977  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
978 
979  FAIL_IF_NULL(p);
980 
981  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
982  "content:\"|35 07 08 09|\"; "
983  "byte_extract:1,-3000,one,string,dec,relative; "
984  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
985 
987 
988  UTHFreePacket(p);
989 
990  PASS;
991 }
992 
993 /*
994  * \test Test packet/stream sigs
995  */
996 static int PayloadTestSig27(void)
997 {
998  uint8_t buf[] = "dummypayload";
999  uint16_t buflen = sizeof(buf) - 1;
1000  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1001 
1002  FAIL_IF_NULL(p);
1003 
1004  char sig[] = "alert tcp any any -> any any (content:\"dummy\"; "
1005  "depth:5; sid:1;)";
1006 
1007  p->flags |= PKT_STREAM_ADD;
1009 
1010  UTHFreePacket(p);
1011 
1012  PASS;
1013 }
1014 
1015 /*
1016  * \test Test packet/stream sigs
1017  */
1018 static int PayloadTestSig28(void)
1019 {
1020  uint8_t buf[] = "dummypayload";
1021  uint16_t buflen = sizeof(buf) - 1;
1022  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1023 
1024  FAIL_IF_NULL(p);
1025 
1026  char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
1027  "offset:4; depth:12; sid:1;)";
1028 
1029  p->flags |= PKT_STREAM_ADD;
1031 
1032  UTHFreePacket(p);
1033 
1034  PASS;
1035 }
1036 
1037 /**
1038  * \test Test pcre recursive matching - bug #529
1039  */
1040 static int PayloadTestSig29(void)
1041 {
1042  uint8_t *buf = (uint8_t *)"this is a super dupernova in super nova now";
1043  uint16_t buflen = strlen((char *)buf);
1044  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1045 
1046  FAIL_IF_NULL(p);
1047 
1048  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1049  "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1050 
1052 
1053  UTHFreePacket(p);
1054 
1055  PASS;
1056 }
1057 
1058 static int PayloadTestSig30(void)
1059 {
1060  uint8_t *buf = (uint8_t *)
1061  "xyonexxxxxxtwojunkonetwo";
1062  uint16_t buflen = strlen((char *)buf);
1063  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1064 
1065  FAIL_IF_NULL(p);
1066 
1067  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1068 
1070 
1071  UTHFreePacket(p);
1072 
1073  PASS;
1074 }
1075 
1076 static int PayloadTestSig31(void)
1077 {
1078  uint8_t *buf = (uint8_t *)
1079  "xyonexxxxxxtwojunkonetwo";
1080  uint16_t buflen = strlen((char *)buf);
1081  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1082 
1083  FAIL_IF_NULL(p);
1084 
1085  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1086 
1088 
1089  UTHFreePacket(p);
1090 
1091  PASS;
1092 }
1093 
1094 /**
1095  * \test Test byte_jump.
1096  */
1097 static int PayloadTestSig32(void)
1098 {
1099  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1100  uint16_t buflen = strlen((char *)buf);
1101  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1102 
1103  FAIL_IF_NULL(p);
1104 
1105  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1106  "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1107 
1109 
1110  UTHFreePacket(p);
1111 
1112  PASS;
1113 }
1114 
1115 /**
1116  * \test Test byte_test.
1117  */
1118 static int PayloadTestSig33(void)
1119 {
1120  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1121  uint16_t buflen = strlen((char *)buf);
1122  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1123 
1124  FAIL_IF_NULL(p);
1125 
1126  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1127  "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1128 
1130 
1131  UTHFreePacket(p);
1132 
1133  PASS;
1134 }
1135 
1136 /**
1137  * \test Test byte_extract.
1138  */
1139 static int PayloadTestSig34(void)
1140 {
1141  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1142  uint16_t buflen = strlen((char *)buf);
1143  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1144 
1145  FAIL_IF_NULL(p);
1146 
1147  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1148  "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1149 
1151 
1152  UTHFreePacket(p);
1153 
1154  PASS;
1155 }
1156 
1157 #endif /* UNITTESTS */
1158 
1160 {
1161 #ifdef UNITTESTS
1162  UtRegisterTest("PayloadTestSig01", PayloadTestSig01);
1163  UtRegisterTest("PayloadTestSig02", PayloadTestSig02);
1164  UtRegisterTest("PayloadTestSig03", PayloadTestSig03);
1165  UtRegisterTest("PayloadTestSig04", PayloadTestSig04);
1166  UtRegisterTest("PayloadTestSig05", PayloadTestSig05);
1167  UtRegisterTest("PayloadTestSig06", PayloadTestSig06);
1168  UtRegisterTest("PayloadTestSig07", PayloadTestSig07);
1169  UtRegisterTest("PayloadTestSig08", PayloadTestSig08);
1170  UtRegisterTest("PayloadTestSig09", PayloadTestSig09);
1171  UtRegisterTest("PayloadTestSig10", PayloadTestSig10);
1172  UtRegisterTest("PayloadTestSig11", PayloadTestSig11);
1173  UtRegisterTest("PayloadTestSig12", PayloadTestSig12);
1174  UtRegisterTest("PayloadTestSig13", PayloadTestSig13);
1175  UtRegisterTest("PayloadTestSig14", PayloadTestSig14);
1176  UtRegisterTest("PayloadTestSig15", PayloadTestSig15);
1177  UtRegisterTest("PayloadTestSig16", PayloadTestSig16);
1178  UtRegisterTest("PayloadTestSig17", PayloadTestSig17);
1179 
1180  UtRegisterTest("PayloadTestSig18", PayloadTestSig18);
1181  UtRegisterTest("PayloadTestSig19", PayloadTestSig19);
1182  UtRegisterTest("PayloadTestSig20", PayloadTestSig20);
1183  UtRegisterTest("PayloadTestSig21", PayloadTestSig21);
1184  UtRegisterTest("PayloadTestSig22", PayloadTestSig22);
1185  UtRegisterTest("PayloadTestSig23", PayloadTestSig23);
1186  UtRegisterTest("PayloadTestSig24", PayloadTestSig24);
1187  UtRegisterTest("PayloadTestSig25", PayloadTestSig25);
1188  UtRegisterTest("PayloadTestSig26", PayloadTestSig26);
1189  UtRegisterTest("PayloadTestSig27", PayloadTestSig27);
1190  UtRegisterTest("PayloadTestSig28", PayloadTestSig28);
1191  UtRegisterTest("PayloadTestSig29", PayloadTestSig29);
1192 
1193  UtRegisterTest("PayloadTestSig30", PayloadTestSig30);
1194  UtRegisterTest("PayloadTestSig31", PayloadTestSig31);
1195  UtRegisterTest("PayloadTestSig32", PayloadTestSig32);
1196  UtRegisterTest("PayloadTestSig33", PayloadTestSig33);
1197  UtRegisterTest("PayloadTestSig34", PayloadTestSig34);
1198 #endif /* UNITTESTS */
1199 
1200  return;
1201 }
DetectEngineAppInspectionEngine_
Definition: detect.h:399
Packet_::proto
uint8_t proto
Definition: decode.h:464
TcpStream_
Definition: stream-tcp-private.h:109
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1071
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
StreamContentInspectEngineData::de_ctx
DetectEngineCtx * de_ctx
Definition: detect-engine-payload.c:276
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
StreamReassembleRaw
int StreamReassembleRaw(TcpSession *ssn, const Packet *p, StreamReassembleRawFunc Callback, void *cb_data, uint64_t *progress_out, bool respect_inspect_depth)
Definition: stream-tcp-reassemble.c:1824
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1408
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:603
Packet_::payload
uint8_t * payload
Definition: decode.h:582
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
Packet_::flags
uint32_t flags
Definition: decode.h:477
Flow_
Flow data structure.
Definition: flow.h:356
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2116
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1150
DetectEngineCtx_::inspection_recursion_limit
int inspection_recursion_limit
Definition: detect.h:867
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:794
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:787
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2439
DetectEngineThreadCtx_::p
Packet * p
Definition: detect.h:1118
DetectEngineInspectPacketPayload
uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
Definition: detect-engine-payload.c:148
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:297
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:110
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:49
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1782
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:604
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1174
detect-engine-payload.h
Flow_::protoctx
void * protoctx
Definition: flow.h:454
SigMatchData_
Data needed for Match()
Definition: detect.h:332
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:583
STREAMTCP_STREAM_FLAG_DEPTH_REACHED
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
Definition: stream-tcp-private.h:218
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectEngineThreadCtx_::mtcs
MpmThreadCtx mtcs
Definition: detect.h:1149
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM
Definition: detect-engine-content-inspection.h:34
StreamMpmData::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-payload.c:54
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1043
StreamContentInspectData::de_ctx
DetectEngineCtx * de_ctx
Definition: detect-engine-payload.c:218
PKT_STREAM_ADD
#define PKT_STREAM_ADD
Definition: decode.h:1180
StreamMpmData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-payload.c:53
SIG_FLAG_FLUSH
#define SIG_FLAG_FLUSH
Definition: detect.h:231
DetectEngineInspectStreamPayload
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
Definition: detect-engine-payload.c:261
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
StreamContentInspectEngineData::s
const Signature * s
Definition: detect-engine-payload.c:278
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
PKT_DETECT_HAS_STREAMDATA
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1224
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:844
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
DetectEngineThreadCtx_::raw_stream_progress
uint64_t raw_stream_progress
Definition: detect.h:1067
DetectEngineInspectStream
uint8_t DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
Definition: detect-engine-payload.c:316
SCReturn
#define SCReturn
Definition: util-debug.h:302
Signature_::flags
uint32_t flags
Definition: detect.h:550
stream.h
Packet_
Definition: decode.h:442
PrefilterPktPayloadRegister
int PrefilterPktPayloadRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
Definition: detect-engine-payload.c:128
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
util-mpm-ac.h
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1147
StreamContentInspectData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-payload.c:219
StreamContentInspectData::f
Flow * f
Definition: detect-engine-payload.c:221
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1954
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1110
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:416
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:104
Packet_::flow
struct Flow_ * flow
Definition: decode.h:479
StreamMpmData
Definition: detect-engine-payload.c:52
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3146
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3358
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1127
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:800
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:287
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
util-validate.h
StreamContentInspectEngineData
Definition: detect-engine-payload.c:275
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:286
StreamContentInspectData
Definition: detect-engine-payload.c:217
StreamContentInspectEngineData::f
Flow * f
Definition: detect-engine-payload.c:280
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:672
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
PrefilterAppendPayloadEngine
int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterFunc)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:236
Signature_::id
uint32_t id
Definition: detect.h:583
StreamContentInspectEngineData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-payload.c:277
detect-parse.h
Signature_
Signature container.
Definition: detect.h:549
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
Definition: detect-engine-content-inspection.h:32
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2400
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
suricata.h
StreamContentInspectData::s
const Signature * s
Definition: detect-engine-payload.c:220
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:795
DetectEngineThreadCtx_::replist
DetectReplaceList * replist
Definition: detect.h:1163
MpmCtx_
Definition: util-mpm.h:88
TcpSession_
Definition: stream-tcp-private.h:274
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PrefilterPktStreamRegister
int PrefilterPktStreamRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
Definition: detect-engine-payload.c:107
StreamContentInspectEngineData::smd
const SigMatchData * smd
Definition: detect-engine-payload.c:279
PayloadRegisterTests
void PayloadRegisterTests(void)
Definition: detect-engine-payload.c:1159