58 static int StreamMpmFunc(
59 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
65 smd->
det_ctx->stream_mpm_size += data_len;
76 Packet *p,
const void *pectx)
84 SCLogDebug(
"PRE det_ctx->raw_stream_progress %"PRIu64,
88 StreamMpmFunc, &stream_mpm_data,
91 SCLogDebug(
"POST det_ctx->raw_stream_progress %"PRIu64,
114 PrefilterPktStream,
mpm_ctx, NULL,
"stream");
118 Packet *p,
const void *pectx)
137 PrefilterPktPayload,
mpm_ctx, NULL,
"payload");
229 static int StreamContentInspectFunc(
230 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
236 smd->
det_ctx->stream_persig_cnt++;
237 smd->
det_ctx->stream_persig_size += data_len;
245 NULL, smd->
f, (uint8_t *)data, data_len, 0, 0,
275 StreamContentInspectFunc, &inspect_data,
288 static int StreamContentInspectEngineFunc(
289 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
295 smd->det_ctx->stream_persig_cnt++;
296 smd->det_ctx->stream_persig_size += data_len;
298 smd->det_ctx->buffer_offset = 0;
299 smd->det_ctx->discontinue_matching = 0;
300 smd->det_ctx->inspection_recursion_counter = 0;
304 NULL,
smd->f, (uint8_t *)data, data_len, 0, 0,
323 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
329 if (p->
proto == IPPROTO_UDP) {
332 }
else if (p->
proto != IPPROTO_TCP)
339 SCLogDebug(
"pre-inspect det_ctx->raw_stream_progress %"PRIu64
" FLUSH? %s",
345 StreamContentInspectEngineFunc, &inspect_data,
348 bool is_last =
false;
349 if (
flags & STREAM_TOSERVER) {
359 SCLogDebug(
"%s ran stream for sid %u on packet %"PRIu64
" and we %s",
361 match ?
"matched" :
"didn't match");
380 static int PayloadTestSig01 (
void)
382 uint8_t *buf = (uint8_t *)
384 uint16_t buflen = strlen((
char *)buf);
389 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
399 static int PayloadTestSig02 (
void)
401 uint8_t *buf = (uint8_t *)
403 uint16_t buflen = strlen((
char *)buf);
408 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
418 static int PayloadTestSig03 (
void)
420 uint8_t *buf = (uint8_t *)
422 uint16_t buflen = strlen((
char *)buf);
427 char sig[] =
"alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
439 static int PayloadTestSig04(
void)
441 uint8_t *buf = (uint8_t *)
"now this is is big big string now";
442 uint16_t buflen = strlen((
char *)buf);
447 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
448 "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
449 "content:\"string\"; within:8; sid:1;)";
461 static int PayloadTestSig05(
void)
463 uint8_t *buf = (uint8_t *)
"now this is is is big big big string now";
464 uint16_t buflen = strlen((
char *)buf);
469 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
470 "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
471 "content:\"string\"; within:8; sid:1;)";
483 static int PayloadTestSig06(
void)
485 uint8_t *buf = (uint8_t *)
"this this now is is big string now";
486 uint16_t buflen = strlen((
char *)buf);
491 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
492 "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
493 "content:\"string\"; within:8; sid:1;)";
505 static int PayloadTestSig07(
void)
507 uint8_t *buf = (uint8_t *)
" thus thus is a big";
508 uint16_t buflen = strlen((
char *)buf);
513 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
514 "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
527 static int PayloadTestSig08(
void)
529 uint8_t *buf = (uint8_t *)
"we need to fix this and yes fix this now";
530 uint16_t buflen = strlen((
char *)buf);
535 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
536 "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
548 static int PayloadTestSig09(
void)
550 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
551 uint16_t buflen = strlen((
char *)buf);
556 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
557 "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
569 static int PayloadTestSig10(
void)
571 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
572 uint16_t buflen = strlen((
char *)buf);
577 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
578 "byte_test:4,>,2,0,relative; sid:11;)";
590 static int PayloadTestSig11(
void)
592 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
593 uint16_t buflen = strlen((
char *)buf);
598 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
599 "byte_jump:1,0,relative; sid:11;)";
611 static int PayloadTestSig12(
void)
613 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
614 uint16_t buflen = strlen((
char *)buf);
619 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
620 "isdataat:10,relative; sid:11;)";
632 static int PayloadTestSig13(
void)
634 uint8_t *buf = (uint8_t *)
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
635 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
636 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
637 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
638 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
639 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
640 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
641 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
642 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
643 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
644 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
645 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
646 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
647 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
648 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
649 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
650 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
651 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
652 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
653 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
655 uint16_t buflen = strlen((
char *)buf);
661 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
662 "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
663 "byte_test:1,>,200,0,relative; sid:1;)";
670 memset(&th_v, 0,
sizeof(th_v));
701 static int PayloadTestSig14(
void)
703 uint8_t *buf = (uint8_t *)
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
704 uint16_t buflen = strlen((
char *)buf);
709 char sig[] =
"alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
720 static int PayloadTestSig15(
void)
722 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
723 uint16_t buflen = strlen((
char *)buf);
728 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
729 "content:\"nova\"; isdataat:18,relative; sid:1;)";
738 static int PayloadTestSig16(
void)
740 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
741 uint16_t buflen = strlen((
char *)buf);
746 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
747 "content:\"nova\"; isdataat:!20,relative; sid:1;)";
756 static int PayloadTestSig17(
void)
758 uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
764 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
765 "content:\"%\"; depth:4; offset:0; "
766 "content:\"%\"; within:2; distance:1; sid:1;)";
775 static int PayloadTestSig18(
void)
778 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
779 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
782 uint16_t buflen =
sizeof(buf);
787 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
788 "content:\"|01 02 03 04|\"; "
789 "byte_extract:1,2,one,string,dec,relative; "
790 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
799 static int PayloadTestSig19(
void)
802 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
803 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
806 uint16_t buflen =
sizeof(buf);
811 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
812 "content:\"|01 02 03 04|\"; "
813 "byte_extract:1,2,one,string,hex,relative; "
814 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
823 static int PayloadTestSig20(
void)
826 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
827 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
830 uint16_t buflen =
sizeof(buf);
835 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
836 "content:\"|01 02 03 04|\"; "
837 "byte_extract:1,2,one,string,dec,relative; "
838 "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
847 static int PayloadTestSig21(
void)
850 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
851 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
854 uint16_t buflen =
sizeof(buf);
859 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
860 "content:\"|01 02 03 04|\"; "
861 "byte_extract:1,2,one,string,dec,relative; "
862 "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
871 static int PayloadTestSig22(
void)
874 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
875 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
878 uint16_t buflen =
sizeof(buf);
883 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
884 "content:\"|01 02 03 04|\"; "
885 "byte_extract:1,2,one,string,dec,relative; "
886 "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
895 static int PayloadTestSig23(
void)
898 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
899 0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
902 uint16_t buflen =
sizeof(buf);
907 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
908 "content:\"|01 02 03 04|\"; "
909 "byte_extract:1,2,one,string,dec,relative; "
910 "byte_extract:1,3,two,string,dec,relative; "
911 "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
920 static int PayloadTestSig24(
void)
923 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
924 0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
927 uint16_t buflen =
sizeof(buf);
932 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
933 "content:\"|01 02 03 04|\"; "
934 "byte_extract:1,2,one,string,dec,relative; "
935 "byte_jump:1,one,string,dec,relative; "
936 "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
948 static int PayloadTestSig25(
void)
951 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
952 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
955 uint16_t buflen =
sizeof(buf);
960 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
961 "content:\"|35 07 08 09|\"; "
962 "byte_extract:1,-4,one,string,dec,relative; "
963 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
975 static int PayloadTestSig26(
void)
978 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
979 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
982 uint16_t buflen =
sizeof(buf);
987 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
988 "content:\"|35 07 08 09|\"; "
989 "byte_extract:1,-3000,one,string,dec,relative; "
990 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1002 static int PayloadTestSig27(
void)
1004 uint8_t buf[] =
"dummypayload";
1005 uint16_t buflen =
sizeof(buf) - 1;
1010 char sig[] =
"alert tcp any any -> any any (content:\"dummy\"; "
1024 static int PayloadTestSig28(
void)
1026 uint8_t buf[] =
"dummypayload";
1027 uint16_t buflen =
sizeof(buf) - 1;
1032 char sig[] =
"alert tcp any any -> any any (content:\"payload\"; "
1033 "offset:4; depth:12; sid:1;)";
1046 static int PayloadTestSig29(
void)
1048 uint8_t *buf = (uint8_t *)
"this is a super dupernova in super nova now";
1049 uint16_t buflen = strlen((
char *)buf);
1054 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1055 "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1064 static int PayloadTestSig30(
void)
1066 uint8_t *buf = (uint8_t *)
1067 "xyonexxxxxxtwojunkonetwo";
1068 uint16_t buflen = strlen((
char *)buf);
1073 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1082 static int PayloadTestSig31(
void)
1084 uint8_t *buf = (uint8_t *)
1085 "xyonexxxxxxtwojunkonetwo";
1086 uint16_t buflen = strlen((
char *)buf);
1091 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1103 static int PayloadTestSig32(
void)
1105 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1106 uint16_t buflen = strlen((
char *)buf);
1111 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1112 "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1124 static int PayloadTestSig33(
void)
1126 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1127 uint16_t buflen = strlen((
char *)buf);
1132 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1133 "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1145 static int PayloadTestSig34(
void)
1147 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1148 uint16_t buflen = strlen((
char *)buf);
1153 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1154 "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1.8.18