58 static int StreamMpmFunc(
59 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
65 smd->
det_ctx->stream_mpm_size += data_len;
75 Packet *p,
const void *pectx)
83 SCLogDebug(
"PRE det_ctx->raw_stream_progress %"PRIu64,
87 StreamMpmFunc, &stream_mpm_data,
90 SCLogDebug(
"POST det_ctx->raw_stream_progress %"PRIu64,
113 PrefilterPktStream,
mpm_ctx, NULL,
"stream");
117 Packet *p,
const void *pectx)
136 PrefilterPktPayload,
mpm_ctx, NULL,
"payload");
215 static int StreamContentInspectFunc(
216 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
221 smd->
det_ctx->stream_persig_cnt++;
222 smd->
det_ctx->stream_persig_size += data_len;
257 StreamContentInspectFunc, &inspect_data,
270 static int StreamContentInspectEngineFunc(
271 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
276 smd->det_ctx->stream_persig_cnt++;
277 smd->det_ctx->stream_persig_size += data_len;
281 NULL,
smd->f, data, data_len, 0, 0,
300 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
306 if (p->
proto == IPPROTO_UDP) {
309 }
else if (p->
proto != IPPROTO_TCP)
316 SCLogDebug(
"pre-inspect det_ctx->raw_stream_progress %"PRIu64
" FLUSH? %s",
322 StreamContentInspectEngineFunc, &inspect_data,
325 bool is_last =
false;
326 if (
flags & STREAM_TOSERVER) {
336 SCLogDebug(
"%s ran stream for sid %u on packet %"PRIu64
" and we %s",
338 match ?
"matched" :
"didn't match");
357 static int PayloadTestSig01 (
void)
359 uint8_t *buf = (uint8_t *)
361 uint16_t buflen = strlen((
char *)buf);
366 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
376 static int PayloadTestSig02 (
void)
378 uint8_t *buf = (uint8_t *)
380 uint16_t buflen = strlen((
char *)buf);
385 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
395 static int PayloadTestSig03 (
void)
397 uint8_t *buf = (uint8_t *)
399 uint16_t buflen = strlen((
char *)buf);
404 char sig[] =
"alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
416 static int PayloadTestSig04(
void)
418 uint8_t *buf = (uint8_t *)
"now this is is big big string now";
419 uint16_t buflen = strlen((
char *)buf);
424 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
425 "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
426 "content:\"string\"; within:8; sid:1;)";
438 static int PayloadTestSig05(
void)
440 uint8_t *buf = (uint8_t *)
"now this is is is big big big string now";
441 uint16_t buflen = strlen((
char *)buf);
446 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
447 "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
448 "content:\"string\"; within:8; sid:1;)";
460 static int PayloadTestSig06(
void)
462 uint8_t *buf = (uint8_t *)
"this this now is is big string now";
463 uint16_t buflen = strlen((
char *)buf);
468 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
469 "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
470 "content:\"string\"; within:8; sid:1;)";
482 static int PayloadTestSig07(
void)
484 uint8_t *buf = (uint8_t *)
" thus thus is a big";
485 uint16_t buflen = strlen((
char *)buf);
490 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
491 "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
504 static int PayloadTestSig08(
void)
506 uint8_t *buf = (uint8_t *)
"we need to fix this and yes fix this now";
507 uint16_t buflen = strlen((
char *)buf);
512 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
513 "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
525 static int PayloadTestSig09(
void)
527 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
528 uint16_t buflen = strlen((
char *)buf);
533 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
534 "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
546 static int PayloadTestSig10(
void)
548 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
549 uint16_t buflen = strlen((
char *)buf);
554 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
555 "byte_test:4,>,2,0,relative; sid:11;)";
567 static int PayloadTestSig11(
void)
569 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
570 uint16_t buflen = strlen((
char *)buf);
575 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
576 "byte_jump:1,0,relative; sid:11;)";
588 static int PayloadTestSig12(
void)
590 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
591 uint16_t buflen = strlen((
char *)buf);
596 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
597 "isdataat:10,relative; sid:11;)";
609 static int PayloadTestSig13(
void)
611 uint8_t *buf = (uint8_t *)
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
612 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
613 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
614 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
615 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
616 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
617 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
618 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
619 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
620 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
621 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
622 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
623 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
624 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
625 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
626 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
627 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
628 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
629 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
630 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
632 uint16_t buflen = strlen((
char *)buf);
638 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
639 "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
640 "byte_test:1,>,200,0,relative; sid:1;)";
647 memset(&th_v, 0,
sizeof(th_v));
678 static int PayloadTestSig14(
void)
680 uint8_t *buf = (uint8_t *)
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
681 uint16_t buflen = strlen((
char *)buf);
686 char sig[] =
"alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
697 static int PayloadTestSig15(
void)
699 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
700 uint16_t buflen = strlen((
char *)buf);
705 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
706 "content:\"nova\"; isdataat:18,relative; sid:1;)";
715 static int PayloadTestSig16(
void)
717 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
718 uint16_t buflen = strlen((
char *)buf);
723 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
724 "content:\"nova\"; isdataat:!20,relative; sid:1;)";
733 static int PayloadTestSig17(
void)
735 uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
741 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
742 "content:\"%\"; depth:4; offset:0; "
743 "content:\"%\"; within:2; distance:1; sid:1;)";
752 static int PayloadTestSig18(
void)
755 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
756 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
759 uint16_t buflen =
sizeof(buf);
764 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
765 "content:\"|01 02 03 04|\"; "
766 "byte_extract:1,2,one,string,dec,relative; "
767 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
776 static int PayloadTestSig19(
void)
779 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
780 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
783 uint16_t buflen =
sizeof(buf);
788 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
789 "content:\"|01 02 03 04|\"; "
790 "byte_extract:1,2,one,string,hex,relative; "
791 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
800 static int PayloadTestSig20(
void)
803 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
804 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
807 uint16_t buflen =
sizeof(buf);
812 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
813 "content:\"|01 02 03 04|\"; "
814 "byte_extract:1,2,one,string,dec,relative; "
815 "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
824 static int PayloadTestSig21(
void)
827 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
828 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
831 uint16_t buflen =
sizeof(buf);
836 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
837 "content:\"|01 02 03 04|\"; "
838 "byte_extract:1,2,one,string,dec,relative; "
839 "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
848 static int PayloadTestSig22(
void)
851 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
852 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
855 uint16_t buflen =
sizeof(buf);
860 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
861 "content:\"|01 02 03 04|\"; "
862 "byte_extract:1,2,one,string,dec,relative; "
863 "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
872 static int PayloadTestSig23(
void)
875 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
876 0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
879 uint16_t buflen =
sizeof(buf);
884 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
885 "content:\"|01 02 03 04|\"; "
886 "byte_extract:1,2,one,string,dec,relative; "
887 "byte_extract:1,3,two,string,dec,relative; "
888 "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
897 static int PayloadTestSig24(
void)
900 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
901 0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
904 uint16_t buflen =
sizeof(buf);
909 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
910 "content:\"|01 02 03 04|\"; "
911 "byte_extract:1,2,one,string,dec,relative; "
912 "byte_jump:1,one,string,dec,relative; "
913 "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
925 static int PayloadTestSig25(
void)
928 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
929 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
932 uint16_t buflen =
sizeof(buf);
937 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
938 "content:\"|35 07 08 09|\"; "
939 "byte_extract:1,-4,one,string,dec,relative; "
940 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
952 static int PayloadTestSig26(
void)
955 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
956 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
959 uint16_t buflen =
sizeof(buf);
964 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
965 "content:\"|35 07 08 09|\"; "
966 "byte_extract:1,-3000,one,string,dec,relative; "
967 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
979 static int PayloadTestSig27(
void)
981 uint8_t buf[] =
"dummypayload";
982 uint16_t buflen =
sizeof(buf) - 1;
987 char sig[] =
"alert tcp any any -> any any (content:\"dummy\"; "
1001 static int PayloadTestSig28(
void)
1003 uint8_t buf[] =
"dummypayload";
1004 uint16_t buflen =
sizeof(buf) - 1;
1009 char sig[] =
"alert tcp any any -> any any (content:\"payload\"; "
1010 "offset:4; depth:12; sid:1;)";
1023 static int PayloadTestSig29(
void)
1025 uint8_t *buf = (uint8_t *)
"this is a super dupernova in super nova now";
1026 uint16_t buflen = strlen((
char *)buf);
1031 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1032 "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1041 static int PayloadTestSig30(
void)
1043 uint8_t *buf = (uint8_t *)
1044 "xyonexxxxxxtwojunkonetwo";
1045 uint16_t buflen = strlen((
char *)buf);
1050 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1059 static int PayloadTestSig31(
void)
1061 uint8_t *buf = (uint8_t *)
1062 "xyonexxxxxxtwojunkonetwo";
1063 uint16_t buflen = strlen((
char *)buf);
1068 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1080 static int PayloadTestSig32(
void)
1082 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1083 uint16_t buflen = strlen((
char *)buf);
1088 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1089 "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1101 static int PayloadTestSig33(
void)
1103 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1104 uint16_t buflen = strlen((
char *)buf);
1109 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1110 "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1122 static int PayloadTestSig34(
void)
1124 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1125 uint16_t buflen = strlen((
char *)buf);
1130 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1131 "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1.8.18