suricata
detect-engine-payload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Performs payload matching functions
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "rust.h"
29 
30 #include "decode.h"
31 
32 #include "detect.h"
33 #include "detect-engine.h"
34 #include "detect-parse.h"
37 #include "detect-engine-state.h"
38 #include "detect-engine-payload.h"
39 #include "detect-engine-build.h"
40 
41 #include "stream.h"
42 #include "stream-tcp.h"
43 
44 #include "util-debug.h"
45 #include "util-print.h"
46 
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 #include "util-validate.h"
50 #include "util-profiling.h"
51 #include "util-mpm-ac.h"
52 
53 struct StreamMpmData {
55  const MpmCtx *mpm_ctx;
56 };
57 
58 static int StreamMpmFunc(
59  void *cb_data, const uint8_t *data, const uint32_t data_len, const uint64_t _offset)
60 {
61  struct StreamMpmData *smd = cb_data;
62  if (data_len >= smd->mpm_ctx->minlen) {
63 #ifdef DEBUG
64  smd->det_ctx->stream_mpm_cnt++;
65  smd->det_ctx->stream_mpm_size += data_len;
66 #endif
67  (void)mpm_table[smd->mpm_ctx->mpm_type].Search(smd->mpm_ctx,
68  &smd->det_ctx->mtcs, &smd->det_ctx->pmq,
69  data, data_len);
70  PREFILTER_PROFILING_ADD_BYTES(smd->det_ctx, data_len);
71  }
72  return 0;
73 }
74 
75 static void PrefilterPktStream(DetectEngineThreadCtx *det_ctx,
76  Packet *p, const void *pectx)
77 {
78  SCEnter();
79 
80  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
81 
82  /* for established packets inspect any stream we may have queued up */
84  SCLogDebug("PRE det_ctx->raw_stream_progress %"PRIu64,
86  struct StreamMpmData stream_mpm_data = { det_ctx, mpm_ctx };
88  StreamMpmFunc, &stream_mpm_data,
90  false /* mpm doesn't use min inspect depth */);
91  SCLogDebug("POST det_ctx->raw_stream_progress %"PRIu64,
93 
94  /* packets that have not been added to the stream will be inspected as if they are stream
95  * chunks */
96  } else if ((p->flags & (PKT_NOPAYLOAD_INSPECTION | PKT_STREAM_ADD)) == 0) {
97  if (p->payload_len >= mpm_ctx->minlen) {
98 #ifdef DEBUG
99  det_ctx->payload_mpm_cnt++;
100  det_ctx->payload_mpm_size += p->payload_len;
101 #endif
103  &det_ctx->mtc, &det_ctx->pmq,
104  p->payload, p->payload_len);
106  }
107  }
108 }
109 
111  SigGroupHead *sgh, MpmCtx *mpm_ctx)
112 {
114  PrefilterPktStream, mpm_ctx, NULL, "stream");
115 }
116 
117 static void PrefilterPktPayload(DetectEngineThreadCtx *det_ctx,
118  Packet *p, const void *pectx)
119 {
120  SCEnter();
121 
122  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
123  if (p->payload_len < mpm_ctx->minlen)
124  SCReturn;
125 
127  &det_ctx->mtc, &det_ctx->pmq,
128  p->payload, p->payload_len);
129 
131 }
132 
134  SigGroupHead *sgh, MpmCtx *mpm_ctx)
135 {
137  PrefilterPktPayload, mpm_ctx, NULL, "payload");
138 }
139 
140 
141 /**
142  * \brief Do the content inspection & validation for a signature
143  *
144  * \param de_ctx Detection engine context
145  * \param det_ctx Detection engine thread context
146  * \param s Signature to inspect
147  * \param f flow (for pcre flowvar storage)
148  * \param p Packet
149  *
150  * \retval 0 no match
151  * \retval 1 match
152  */
154  const Signature *s, Flow *f, Packet *p)
155 {
156  SCEnter();
157  int r = 0;
158 
159  if (s->sm_arrays[DETECT_SM_LIST_PMATCH] == NULL) {
160  SCReturnInt(0);
161  }
162 #ifdef DEBUG
163  det_ctx->payload_persig_cnt++;
164  det_ctx->payload_persig_size += p->payload_len;
165 #endif
166  det_ctx->buffer_offset = 0;
169  det_ctx->replist = NULL;
170 
173  p, f, p->payload, p->payload_len, 0,
175  if (r == 1) {
176  SCReturnInt(1);
177  }
178  SCReturnInt(0);
179 }
180 
181 /**
182  * \brief Do the content inspection & validation for a sigmatch list
183  *
184  * \param de_ctx Detection engine context
185  * \param det_ctx Detection engine thread context
186  * \param s Signature to inspect
187  * \param smd array of matches to eval
188  * \param f flow (for pcre flowvar storage)
189  * \param p Packet
190  *
191  * \retval 0 no match
192  * \retval 1 match
193  */
194 static uint8_t DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
195  DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f,
196  Packet *p)
197 {
198  SCEnter();
199  int r = 0;
200 
201  if (smd == NULL) {
202  SCReturnInt(0);
203  }
204 #ifdef DEBUG
205  det_ctx->payload_persig_cnt++;
206  det_ctx->payload_persig_size += p->payload_len;
207 #endif
208  det_ctx->buffer_offset = 0;
211  det_ctx->replist = NULL;
212 
214  p, f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE,
216  if (r == 1) {
217  SCReturnInt(1);
218  }
219  SCReturnInt(0);
220 }
221 
225  const Signature *s;
226  Flow *f;
227 };
228 
229 static int StreamContentInspectFunc(
230  void *cb_data, const uint8_t *data, const uint32_t data_len, const uint64_t _offset)
231 {
232  SCEnter();
233  int r = 0;
234  struct StreamContentInspectData *smd = cb_data;
235 #ifdef DEBUG
236  smd->det_ctx->stream_persig_cnt++;
237  smd->det_ctx->stream_persig_size += data_len;
238 #endif
239  smd->det_ctx->buffer_offset = 0;
240  smd->det_ctx->discontinue_matching = 0;
242 
244  smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH],
245  NULL, smd->f, (uint8_t *)data, data_len, 0, 0, //TODO
247  if (r == 1) {
248  SCReturnInt(1);
249  }
250 
251  SCReturnInt(0);
252 }
253 
254 /**
255  * \brief Do the content inspection & validation for a signature
256  * on the raw stream
257  *
258  * \param de_ctx Detection engine context
259  * \param det_ctx Detection engine thread context
260  * \param s Signature to inspect
261  * \param f flow (for pcre flowvar storage)
262  *
263  * \retval 0 no match
264  * \retval 1 match
265  */
268  Flow *f, Packet *p)
269 {
270  SCEnter();
271  SCLogDebug("FLUSH? %s", (s->flags & SIG_FLAG_FLUSH)?"true":"false");
272  uint64_t unused;
273  struct StreamContentInspectData inspect_data = { de_ctx, det_ctx, s, f };
274  int r = StreamReassembleRaw(f->protoctx, p,
275  StreamContentInspectFunc, &inspect_data,
276  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
277  return r;
278 }
279 
283  const Signature *s;
285  Flow *f;
286 };
287 
288 static int StreamContentInspectEngineFunc(
289  void *cb_data, const uint8_t *data, const uint32_t data_len, const uint64_t _offset)
290 {
291  SCEnter();
292  int r = 0;
293  struct StreamContentInspectEngineData *smd = cb_data;
294 #ifdef DEBUG
295  smd->det_ctx->stream_persig_cnt++;
296  smd->det_ctx->stream_persig_size += data_len;
297 #endif
298  smd->det_ctx->buffer_offset = 0;
299  smd->det_ctx->discontinue_matching = 0;
300  smd->det_ctx->inspection_recursion_counter = 0;
301 
302  r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx,
303  smd->s, smd->smd,
304  NULL, smd->f, (uint8_t *)data, data_len, 0, 0, // TODO
306  if (r == 1) {
307  SCReturnInt(1);
308  }
309 
310  SCReturnInt(0);
311 }
312 
313 /**
314  * \brief inspect engine for stateful rules
315  *
316  * Caches results as it may be called multiple times if we inspect
317  * multiple transactions in one packet.
318  *
319  * Returns "can't match" if depth is reached.
320  */
322  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
323  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
324 {
325  Packet *p = det_ctx->p; /* TODO: get rid of this HACK */
326 
327  /* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
328  * we can get called for UDP. Then we simply inspect the packet payload */
329  if (p->proto == IPPROTO_UDP) {
330  return DetectEngineInspectStreamUDPPayload(de_ctx, det_ctx, s, engine->smd, f, p);
331  /* for other non-TCP protocols we assume match */
332  } else if (p->proto != IPPROTO_TCP)
334 
335  TcpSession *ssn = f->protoctx;
336  if (ssn == NULL)
338 
339  SCLogDebug("pre-inspect det_ctx->raw_stream_progress %"PRIu64" FLUSH? %s",
341  (s->flags & SIG_FLAG_FLUSH)?"true":"false");
342  uint64_t unused;
343  struct StreamContentInspectEngineData inspect_data = { de_ctx, det_ctx, s, engine->smd, f };
344  int match = StreamReassembleRaw(f->protoctx, p,
345  StreamContentInspectEngineFunc, &inspect_data,
346  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
347 
348  bool is_last = false;
349  if (flags & STREAM_TOSERVER) {
350  TcpStream *stream = &ssn->client;
352  is_last = true;
353  } else {
354  TcpStream *stream = &ssn->server;
356  is_last = true;
357  }
358 
359  SCLogDebug("%s ran stream for sid %u on packet %"PRIu64" and we %s",
360  is_last? "LAST:" : "normal:", s->id, p->pcap_cnt,
361  match ? "matched" : "didn't match");
362 
363  if (match) {
365  } else {
366  if (is_last) {
367  //SCLogNotice("last, so DETECT_ENGINE_INSPECT_SIG_CANT_MATCH");
369  }
370  /* TODO maybe we can set 'CANT_MATCH' for EOF too? */
372  }
373 }
374 
375 #ifdef UNITTESTS
376 #include "detect-engine-alert.h"
377 
378 /** \test Not the first but the second occurence of "abc" should be used
379  * for the 2nd match */
380 static int PayloadTestSig01 (void)
381 {
382  uint8_t *buf = (uint8_t *)
383  "abcabcd";
384  uint16_t buflen = strlen((char *)buf);
385  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
386 
387  FAIL_IF_NULL(p);
388 
389  char sig[] = "alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
390 
392 
393  UTHFreePacket(p);
394 
395  PASS;
396 }
397 
398 /** \test Nocase matching */
399 static int PayloadTestSig02 (void)
400 {
401  uint8_t *buf = (uint8_t *)
402  "abcaBcd";
403  uint16_t buflen = strlen((char *)buf);
404  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
405 
406  FAIL_IF_NULL(p);
407 
408  char sig[] = "alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
409 
411 
412  UTHFreePacket(p);
413 
414  PASS;
415 }
416 
417 /** \test Negative distance matching */
418 static int PayloadTestSig03 (void)
419 {
420  uint8_t *buf = (uint8_t *)
421  "abcaBcd";
422  uint16_t buflen = strlen((char *)buf);
423  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
424 
425  FAIL_IF_NULL(p);
426 
427  char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
428 
430 
431  UTHFreePacket(p);
432 
433  PASS;
434 }
435 
436 /**
437  * \test Test multiple relative matches.
438  */
439 static int PayloadTestSig04(void)
440 {
441  uint8_t *buf = (uint8_t *)"now this is is big big string now";
442  uint16_t buflen = strlen((char *)buf);
443  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
444 
445  FAIL_IF_NULL(p);
446 
447  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
448  "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
449  "content:\"string\"; within:8; sid:1;)";
450 
452 
453  UTHFreePacket(p);
454 
455  PASS;
456 }
457 
458 /**
459  * \test Test multiple relative matches.
460  */
461 static int PayloadTestSig05(void)
462 {
463  uint8_t *buf = (uint8_t *)"now this is is is big big big string now";
464  uint16_t buflen = strlen((char *)buf);
465  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
466 
467  FAIL_IF_NULL(p);
468 
469  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
470  "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
471  "content:\"string\"; within:8; sid:1;)";
472 
474 
475  UTHFreePacket(p);
476 
477  PASS;
478 }
479 
480 /**
481  * \test Test multiple relative matches.
482  */
483 static int PayloadTestSig06(void)
484 {
485  uint8_t *buf = (uint8_t *)"this this now is is big string now";
486  uint16_t buflen = strlen((char *)buf);
487  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
488 
489  FAIL_IF_NULL(p);
490 
491  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
492  "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
493  "content:\"string\"; within:8; sid:1;)";
494 
496 
497  UTHFreePacket(p);
498 
499  PASS;
500 }
501 
502 /**
503  * \test Test multiple relative matches.
504  */
505 static int PayloadTestSig07(void)
506 {
507  uint8_t *buf = (uint8_t *)" thus thus is a big";
508  uint16_t buflen = strlen((char *)buf);
509  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
510 
511  FAIL_IF_NULL(p);
512 
513  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
514  "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
515 
517 
518  UTHFreePacket(p);
519 
520  PASS;
521 }
522 
523 /**
524  * \test Test multiple relative matches with negative matches
525  * and show the need for det_ctx->discontinue_matching.
526  */
527 static int PayloadTestSig08(void)
528 {
529  uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
530  uint16_t buflen = strlen((char *)buf);
531  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
532 
533  FAIL_IF_NULL(p);
534 
535  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
536  "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
537 
539 
540  UTHFreePacket(p);
541 
542  PASS;
543 }
544 
545 /**
546  * \test Test pcre recursive matching.
547  */
548 static int PayloadTestSig09(void)
549 {
550  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
551  uint16_t buflen = strlen((char *)buf);
552  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
553 
554  FAIL_IF_NULL(p);
555 
556  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
557  "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
558 
560 
561  UTHFreePacket(p);
562 
563  PASS;
564 }
565 
566 /**
567  * \test Test invalid sig.
568  */
569 static int PayloadTestSig10(void)
570 {
571  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
572  uint16_t buflen = strlen((char *)buf);
573  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
574 
575  FAIL_IF_NULL(p);
576 
577  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
578  "byte_test:4,>,2,0,relative; sid:11;)";
579 
581 
582  UTHFreePacket(p);
583 
584  PASS;
585 }
586 
587 /**
588  * \test Test invalid sig.
589  */
590 static int PayloadTestSig11(void)
591 {
592  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
593  uint16_t buflen = strlen((char *)buf);
594  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
595 
596  FAIL_IF_NULL(p);
597 
598  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
599  "byte_jump:1,0,relative; sid:11;)";
600 
602 
603  UTHFreePacket(p);
604 
605  PASS;
606 }
607 
608 /**
609  * \test Test invalid sig.
610  */
611 static int PayloadTestSig12(void)
612 {
613  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
614  uint16_t buflen = strlen((char *)buf);
615  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
616 
617  FAIL_IF_NULL(p);
618 
619  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
620  "isdataat:10,relative; sid:11;)";
621 
623 
624  UTHFreePacket(p);
625 
626  PASS;
627 }
628 
629 /**
630  * \test Used to check the working of recursion_limit counter.
631  */
632 static int PayloadTestSig13(void)
633 {
634  uint8_t *buf = (uint8_t *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
635  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
636  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
637  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
638  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
639  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
640  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
641  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
642  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
643  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
644  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
645  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
646  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
647  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
648  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
649  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
650  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
651  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
652  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
653  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
654 
655  uint16_t buflen = strlen((char *)buf);
656  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
657  uint16_t mpm_type = mpm_default_matcher;
658 
659  FAIL_IF_NULL(p);
660 
661  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
662  "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
663  "byte_test:1,>,200,0,relative; sid:1;)";
664 
666  ThreadVars th_v;
668 
669  memset(&dtv, 0, sizeof(DecodeThreadVars));
670  memset(&th_v, 0, sizeof(th_v));
671 
674 
676 
677  de_ctx->flags |= DE_QUIET;
678  de_ctx->mpm_matcher = mpm_type;
679 
680  de_ctx->sig_list = SigInit(de_ctx, sig);
682 
684  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
685 
686  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
687 
689 
690  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
692 
693  UTHFreePacket(p);
694 
695  PASS;
696 }
697 
698 /**
699  * \test normal & negated matching, both absolute and relative
700  */
701 static int PayloadTestSig14(void)
702 {
703  uint8_t *buf = (uint8_t *)"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
704  uint16_t buflen = strlen((char *)buf);
705  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
706 
707  FAIL_IF_NULL(p);
708 
709  char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
710 
711  //char sig[] = "alert tcp any any -> any any (content:\"User-Agent: Mozilla/5.0 (Macintosh; \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
712 
714 
715  UTHFreePacket(p);
716 
717  PASS;
718 }
719 
720 static int PayloadTestSig15(void)
721 {
722  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
723  uint16_t buflen = strlen((char *)buf);
724  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
725 
726  FAIL_IF_NULL(p);
727 
728  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
729  "content:\"nova\"; isdataat:18,relative; sid:1;)";
730 
732 
733  UTHFreePacket(p);
734 
735  PASS;
736 }
737 
738 static int PayloadTestSig16(void)
739 {
740  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
741  uint16_t buflen = strlen((char *)buf);
742  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
743 
744  FAIL_IF_NULL(p);
745 
746  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
747  "content:\"nova\"; isdataat:!20,relative; sid:1;)";
748 
750 
751  UTHFreePacket(p);
752 
753  PASS;
754 }
755 
756 static int PayloadTestSig17(void)
757 {
758  uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
759  uint16_t buflen = 9;
760  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
761 
762  FAIL_IF_NULL(p);
763 
764  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
765  "content:\"%\"; depth:4; offset:0; "
766  "content:\"%\"; within:2; distance:1; sid:1;)";
767 
769 
770  UTHFreePacket(p);
771 
772  PASS;
773 }
774 
775 static int PayloadTestSig18(void)
776 {
777  uint8_t buf[] = {
778  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
779  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
780  0x0E, 0x0F,
781  };
782  uint16_t buflen = sizeof(buf);
783  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
784 
785  FAIL_IF_NULL(p);
786 
787  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
788  "content:\"|01 02 03 04|\"; "
789  "byte_extract:1,2,one,string,dec,relative; "
790  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
791 
793 
794  UTHFreePacket(p);
795 
796  PASS;
797 }
798 
799 static int PayloadTestSig19(void)
800 {
801  uint8_t buf[] = {
802  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
803  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
804  0x0E, 0x0F,
805  };
806  uint16_t buflen = sizeof(buf);
807  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
808 
809  FAIL_IF_NULL(p);
810 
811  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
812  "content:\"|01 02 03 04|\"; "
813  "byte_extract:1,2,one,string,hex,relative; "
814  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
815 
817 
818  UTHFreePacket(p);
819 
820  PASS;
821 }
822 
823 static int PayloadTestSig20(void)
824 {
825  uint8_t buf[] = {
826  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
827  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
828  0x0E, 0x0F,
829  };
830  uint16_t buflen = sizeof(buf);
831  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
832 
833  FAIL_IF_NULL(p);
834 
835  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
836  "content:\"|01 02 03 04|\"; "
837  "byte_extract:1,2,one,string,dec,relative; "
838  "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
839 
841 
842  UTHFreePacket(p);
843 
844  PASS;
845 }
846 
847 static int PayloadTestSig21(void)
848 {
849  uint8_t buf[] = {
850  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
851  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
852  0x0E, 0x0F,
853  };
854  uint16_t buflen = sizeof(buf);
855  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
856 
857  FAIL_IF_NULL(p);
858 
859  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
860  "content:\"|01 02 03 04|\"; "
861  "byte_extract:1,2,one,string,dec,relative; "
862  "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
863 
865 
866  UTHFreePacket(p);
867 
868  PASS;
869 }
870 
871 static int PayloadTestSig22(void)
872 {
873  uint8_t buf[] = {
874  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
875  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
876  0x0E, 0x0F,
877  };
878  uint16_t buflen = sizeof(buf);
879  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
880 
881  FAIL_IF_NULL(p);
882 
883  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
884  "content:\"|01 02 03 04|\"; "
885  "byte_extract:1,2,one,string,dec,relative; "
886  "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
887 
889 
890  UTHFreePacket(p);
891 
892  PASS;
893 }
894 
895 static int PayloadTestSig23(void)
896 {
897  uint8_t buf[] = {
898  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
899  0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
900  0x32, 0x0F,
901  };
902  uint16_t buflen = sizeof(buf);
903  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
904 
905  FAIL_IF_NULL(p);
906 
907  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
908  "content:\"|01 02 03 04|\"; "
909  "byte_extract:1,2,one,string,dec,relative; "
910  "byte_extract:1,3,two,string,dec,relative; "
911  "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
912 
914 
915  UTHFreePacket(p);
916 
917  PASS;
918 }
919 
920 static int PayloadTestSig24(void)
921 {
922  uint8_t buf[] = {
923  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
924  0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
925  0x0E, 0x0F,
926  };
927  uint16_t buflen = sizeof(buf);
928  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
929 
930  FAIL_IF_NULL(p);
931 
932  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
933  "content:\"|01 02 03 04|\"; "
934  "byte_extract:1,2,one,string,dec,relative; "
935  "byte_jump:1,one,string,dec,relative; "
936  "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
937 
939 
940  UTHFreePacket(p);
941 
942  PASS;
943 }
944 
945 /*
946  * \test Test negative byte extract.
947  */
948 static int PayloadTestSig25(void)
949 {
950  uint8_t buf[] = {
951  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
952  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
953  0x0E, 0x0F,
954  };
955  uint16_t buflen = sizeof(buf);
956  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
957 
958  FAIL_IF_NULL(p);
959 
960  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
961  "content:\"|35 07 08 09|\"; "
962  "byte_extract:1,-4,one,string,dec,relative; "
963  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
964 
966 
967  UTHFreePacket(p);
968 
969  PASS;
970 }
971 
972 /*
973  * \test Test negative byte extract.
974  */
975 static int PayloadTestSig26(void)
976 {
977  uint8_t buf[] = {
978  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
979  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
980  0x0E, 0x0F,
981  };
982  uint16_t buflen = sizeof(buf);
983  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
984 
985  FAIL_IF_NULL(p);
986 
987  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
988  "content:\"|35 07 08 09|\"; "
989  "byte_extract:1,-3000,one,string,dec,relative; "
990  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
991 
993 
994  UTHFreePacket(p);
995 
996  PASS;
997 }
998 
999 /*
1000  * \test Test packet/stream sigs
1001  */
1002 static int PayloadTestSig27(void)
1003 {
1004  uint8_t buf[] = "dummypayload";
1005  uint16_t buflen = sizeof(buf) - 1;
1006  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1007 
1008  FAIL_IF_NULL(p);
1009 
1010  char sig[] = "alert tcp any any -> any any (content:\"dummy\"; "
1011  "depth:5; sid:1;)";
1012 
1013  p->flags |= PKT_STREAM_ADD;
1015 
1016  UTHFreePacket(p);
1017 
1018  PASS;
1019 }
1020 
1021 /*
1022  * \test Test packet/stream sigs
1023  */
1024 static int PayloadTestSig28(void)
1025 {
1026  uint8_t buf[] = "dummypayload";
1027  uint16_t buflen = sizeof(buf) - 1;
1028  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1029 
1030  FAIL_IF_NULL(p);
1031 
1032  char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
1033  "offset:4; depth:12; sid:1;)";
1034 
1035  p->flags |= PKT_STREAM_ADD;
1037 
1038  UTHFreePacket(p);
1039 
1040  PASS;
1041 }
1042 
1043 /**
1044  * \test Test pcre recursive matching - bug #529
1045  */
1046 static int PayloadTestSig29(void)
1047 {
1048  uint8_t *buf = (uint8_t *)"this is a super dupernova in super nova now";
1049  uint16_t buflen = strlen((char *)buf);
1050  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1051 
1052  FAIL_IF_NULL(p);
1053 
1054  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1055  "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1056 
1058 
1059  UTHFreePacket(p);
1060 
1061  PASS;
1062 }
1063 
1064 static int PayloadTestSig30(void)
1065 {
1066  uint8_t *buf = (uint8_t *)
1067  "xyonexxxxxxtwojunkonetwo";
1068  uint16_t buflen = strlen((char *)buf);
1069  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1070 
1071  FAIL_IF_NULL(p);
1072 
1073  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1074 
1076 
1077  UTHFreePacket(p);
1078 
1079  PASS;
1080 }
1081 
1082 static int PayloadTestSig31(void)
1083 {
1084  uint8_t *buf = (uint8_t *)
1085  "xyonexxxxxxtwojunkonetwo";
1086  uint16_t buflen = strlen((char *)buf);
1087  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1088 
1089  FAIL_IF_NULL(p);
1090 
1091  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1092 
1094 
1095  UTHFreePacket(p);
1096 
1097  PASS;
1098 }
1099 
1100 /**
1101  * \test Test byte_jump.
1102  */
1103 static int PayloadTestSig32(void)
1104 {
1105  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1106  uint16_t buflen = strlen((char *)buf);
1107  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1108 
1109  FAIL_IF_NULL(p);
1110 
1111  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1112  "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1113 
1115 
1116  UTHFreePacket(p);
1117 
1118  PASS;
1119 }
1120 
1121 /**
1122  * \test Test byte_test.
1123  */
1124 static int PayloadTestSig33(void)
1125 {
1126  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1127  uint16_t buflen = strlen((char *)buf);
1128  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1129 
1130  FAIL_IF_NULL(p);
1131 
1132  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1133  "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1134 
1136 
1137  UTHFreePacket(p);
1138 
1139  PASS;
1140 }
1141 
1142 /**
1143  * \test Test byte_extract.
1144  */
1145 static int PayloadTestSig34(void)
1146 {
1147  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1148  uint16_t buflen = strlen((char *)buf);
1149  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1150 
1151  FAIL_IF_NULL(p);
1152 
1153  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1154  "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1155 
1157 
1158  UTHFreePacket(p);
1159 
1160  PASS;
1161 }
1162 
1163 #endif /* UNITTESTS */
1164 
1166 {
1167 #ifdef UNITTESTS
1168  UtRegisterTest("PayloadTestSig01", PayloadTestSig01);
1169  UtRegisterTest("PayloadTestSig02", PayloadTestSig02);
1170  UtRegisterTest("PayloadTestSig03", PayloadTestSig03);
1171  UtRegisterTest("PayloadTestSig04", PayloadTestSig04);
1172  UtRegisterTest("PayloadTestSig05", PayloadTestSig05);
1173  UtRegisterTest("PayloadTestSig06", PayloadTestSig06);
1174  UtRegisterTest("PayloadTestSig07", PayloadTestSig07);
1175  UtRegisterTest("PayloadTestSig08", PayloadTestSig08);
1176  UtRegisterTest("PayloadTestSig09", PayloadTestSig09);
1177  UtRegisterTest("PayloadTestSig10", PayloadTestSig10);
1178  UtRegisterTest("PayloadTestSig11", PayloadTestSig11);
1179  UtRegisterTest("PayloadTestSig12", PayloadTestSig12);
1180  UtRegisterTest("PayloadTestSig13", PayloadTestSig13);
1181  UtRegisterTest("PayloadTestSig14", PayloadTestSig14);
1182  UtRegisterTest("PayloadTestSig15", PayloadTestSig15);
1183  UtRegisterTest("PayloadTestSig16", PayloadTestSig16);
1184  UtRegisterTest("PayloadTestSig17", PayloadTestSig17);
1185 
1186  UtRegisterTest("PayloadTestSig18", PayloadTestSig18);
1187  UtRegisterTest("PayloadTestSig19", PayloadTestSig19);
1188  UtRegisterTest("PayloadTestSig20", PayloadTestSig20);
1189  UtRegisterTest("PayloadTestSig21", PayloadTestSig21);
1190  UtRegisterTest("PayloadTestSig22", PayloadTestSig22);
1191  UtRegisterTest("PayloadTestSig23", PayloadTestSig23);
1192  UtRegisterTest("PayloadTestSig24", PayloadTestSig24);
1193  UtRegisterTest("PayloadTestSig25", PayloadTestSig25);
1194  UtRegisterTest("PayloadTestSig26", PayloadTestSig26);
1195  UtRegisterTest("PayloadTestSig27", PayloadTestSig27);
1196  UtRegisterTest("PayloadTestSig28", PayloadTestSig28);
1197  UtRegisterTest("PayloadTestSig29", PayloadTestSig29);
1198 
1199  UtRegisterTest("PayloadTestSig30", PayloadTestSig30);
1200  UtRegisterTest("PayloadTestSig31", PayloadTestSig31);
1201  UtRegisterTest("PayloadTestSig32", PayloadTestSig32);
1202  UtRegisterTest("PayloadTestSig33", PayloadTestSig33);
1203  UtRegisterTest("PayloadTestSig34", PayloadTestSig34);
1204 #endif /* UNITTESTS */
1205 
1206  return;
1207 }
DetectEngineAppInspectionEngine_
Definition: detect.h:390
Packet_::proto
uint8_t proto
Definition: decode.h:450
TcpStream_
Definition: stream-tcp-private.h:106
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1053
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:79
StreamContentInspectEngineData::de_ctx
DetectEngineCtx * de_ctx
Definition: detect-engine-payload.c:281
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
StreamReassembleRaw
int StreamReassembleRaw(TcpSession *ssn, const Packet *p, StreamReassembleRawFunc Callback, void *cb_data, uint64_t *progress_out, bool respect_inspect_depth)
Definition: stream-tcp-reassemble.c:1874
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1395
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:594
Packet_::payload
uint8_t * payload
Definition: decode.h:573
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:463
Flow_
Flow data structure.
Definition: flow.h:357
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1134
DetectEngineCtx_::inspection_recursion_limit
int inspection_recursion_limit
Definition: detect.h:858
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:790
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
DetectEngineThreadCtx_::p
Packet * p
Definition: detect.h:1102
DetectEngineInspectPacketPayload
uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
Definition: detect-engine-payload.c:153
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:107
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:49
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:595
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:992
detect-engine-payload.h
Flow_::protoctx
void * protoctx
Definition: flow.h:447
SigMatchData_
Data needed for Match()
Definition: detect.h:322
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:574
STREAMTCP_STREAM_FLAG_DEPTH_REACHED
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
Definition: stream-tcp-private.h:216
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectEngineThreadCtx_::mtcs
MpmThreadCtx mtcs
Definition: detect.h:1133
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM
Definition: detect-engine-content-inspection.h:34
StreamMpmData::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-payload.c:55
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
StreamContentInspectData::de_ctx
DetectEngineCtx * de_ctx
Definition: detect-engine-payload.c:223
PKT_STREAM_ADD
#define PKT_STREAM_ADD
Definition: decode.h:998
StreamMpmData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-payload.c:54
SIG_FLAG_FLUSH
#define SIG_FLAG_FLUSH
Definition: detect.h:220
DetectEngineInspectStreamPayload
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
Definition: detect-engine-payload.c:266
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
StreamContentInspectEngineData::s
const Signature * s
Definition: detect-engine-payload.c:283
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
PKT_DETECT_HAS_STREAMDATA
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1042
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:835
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
util-profiling.h
DetectEngineThreadCtx_::raw_stream_progress
uint64_t raw_stream_progress
Definition: detect.h:1049
DetectEngineInspectStream
uint8_t DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
Definition: detect-engine-payload.c:321
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:541
stream.h
Packet_
Definition: decode.h:428
detect-engine-build.h
detect-engine-alert.h
PrefilterPktPayloadRegister
int PrefilterPktPayloadRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
Definition: detect-engine-payload.c:133
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
util-mpm-ac.h
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1131
StreamContentInspectData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-payload.c:224
StreamContentInspectData::f
Flow * f
Definition: detect-engine-payload.c:226
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1092
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:407
DetectEngineContentInspection
uint8_t DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:106
PREFILTER_PROFILING_ADD_BYTES
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Definition: util-profiling.h:307
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
StreamMpmData
Definition: detect-engine-payload.c:53
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1111
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:285
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
util-validate.h
StreamContentInspectEngineData
Definition: detect-engine-payload.c:280
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:284
StreamContentInspectData
Definition: detect-engine-payload.c:222
StreamContentInspectEngineData::f
Flow * f
Definition: detect-engine-payload.c:285
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:664
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
PrefilterAppendPayloadEngine
int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterFunc)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:236
Signature_::id
uint32_t id
Definition: detect.h:574
StreamContentInspectEngineData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-payload.c:282
detect-parse.h
Signature_
Signature container.
Definition: detect.h:540
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
Definition: detect-engine-content-inspection.h:32
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
suricata.h
StreamContentInspectData::s
const Signature * s
Definition: detect-engine-payload.c:225
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
DetectEngineThreadCtx_::replist
DetectReplaceList * replist
Definition: detect.h:1147
MpmCtx_
Definition: util-mpm.h:88
TcpSession_
Definition: stream-tcp-private.h:272
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
PrefilterPktStreamRegister
int PrefilterPktStreamRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
Definition: detect-engine-payload.c:110
StreamContentInspectEngineData::smd
const SigMatchData * smd
Definition: detect-engine-payload.c:284
PayloadRegisterTests
void PayloadRegisterTests(void)
Definition: detect-engine-payload.c:1165