suricata
detect-engine-payload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Performs payload matching functions
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-engine.h"
33 #include "detect-parse.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-payload.h"
38 
39 #include "stream.h"
40 #include "stream-tcp.h"
41 
42 #include "util-debug.h"
43 #include "util-print.h"
44 
45 #include "util-unittest.h"
46 #include "util-unittest-helper.h"
47 #include "util-validate.h"
48 
49 #include "util-mpm-ac.h"
50 
51 struct StreamMpmData {
53  const MpmCtx *mpm_ctx;
54 };
55 
56 static int StreamMpmFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
57 {
58  struct StreamMpmData *smd = cb_data;
59  if (data_len >= smd->mpm_ctx->minlen) {
60 #ifdef DEBUG
61  smd->det_ctx->stream_mpm_cnt++;
62  smd->det_ctx->stream_mpm_size += data_len;
63 #endif
64  (void)mpm_table[smd->mpm_ctx->mpm_type].Search(smd->mpm_ctx,
65  &smd->det_ctx->mtcs, &smd->det_ctx->pmq,
66  data, data_len);
67  }
68  return 0;
69 }
70 
71 static void PrefilterPktStream(DetectEngineThreadCtx *det_ctx,
72  Packet *p, const void *pectx)
73 {
74  SCEnter();
75 
76  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
77 
78  /* for established packets inspect any stream we may have queued up */
80  SCLogDebug("PRE det_ctx->raw_stream_progress %"PRIu64,
81  det_ctx->raw_stream_progress);
82  struct StreamMpmData stream_mpm_data = { det_ctx, mpm_ctx };
84  StreamMpmFunc, &stream_mpm_data,
85  &det_ctx->raw_stream_progress,
86  false /* mpm doesn't use min inspect depth */);
87  SCLogDebug("POST det_ctx->raw_stream_progress %"PRIu64,
88  det_ctx->raw_stream_progress);
89  } else {
90  SCLogDebug("NOT p->flags & PKT_DETECT_HAS_STREAMDATA");
91  }
92 
93  /* packets that have not been added to the stream will be inspected
94  * as if they are stream chunks */
96  {
97  if (p->payload_len >= mpm_ctx->minlen) {
98 #ifdef DEBUG
99  det_ctx->payload_mpm_cnt++;
100  det_ctx->payload_mpm_size += p->payload_len;
101 #endif
102  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
103  &det_ctx->mtc, &det_ctx->pmq,
104  p->payload, p->payload_len);
105  }
106  }
107 }
108 
110  SigGroupHead *sgh, MpmCtx *mpm_ctx)
111 {
112  return PrefilterAppendPayloadEngine(de_ctx, sgh,
113  PrefilterPktStream, mpm_ctx, NULL, "stream");
114 }
115 
116 static void PrefilterPktPayload(DetectEngineThreadCtx *det_ctx,
117  Packet *p, const void *pectx)
118 {
119  SCEnter();
120 
121  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
122  if (p->payload_len < mpm_ctx->minlen)
123  SCReturn;
124 
125  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
126  &det_ctx->mtc, &det_ctx->pmq,
127  p->payload, p->payload_len);
128 }
129 
131  SigGroupHead *sgh, MpmCtx *mpm_ctx)
132 {
133  return PrefilterAppendPayloadEngine(de_ctx, sgh,
134  PrefilterPktPayload, mpm_ctx, NULL, "payload");
135 }
136 
137 
138 /**
139  * \brief Do the content inspection & validation for a signature
140  *
141  * \param de_ctx Detection engine context
142  * \param det_ctx Detection engine thread context
143  * \param s Signature to inspect
144  * \param f flow (for pcre flowvar storage)
145  * \param p Packet
146  *
147  * \retval 0 no match
148  * \retval 1 match
149  */
151  DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
152 {
153  SCEnter();
154  int r = 0;
155 
156  if (s->sm_arrays[DETECT_SM_LIST_PMATCH] == NULL) {
157  SCReturnInt(0);
158  }
159 #ifdef DEBUG
160  det_ctx->payload_persig_cnt++;
161  det_ctx->payload_persig_size += p->payload_len;
162 #endif
163  det_ctx->buffer_offset = 0;
164  det_ctx->discontinue_matching = 0;
165  det_ctx->inspection_recursion_counter = 0;
166  det_ctx->replist = NULL;
167 
168  r = DetectEngineContentInspection(de_ctx, det_ctx,
170  p, f, p->payload, p->payload_len, 0,
172  if (r == 1) {
173  SCReturnInt(1);
174  }
175  SCReturnInt(0);
176 }
177 
178 /**
179  * \brief Do the content inspection & validation for a sigmatch list
180  *
181  * \param de_ctx Detection engine context
182  * \param det_ctx Detection engine thread context
183  * \param s Signature to inspect
184  * \param smd array of matches to eval
185  * \param f flow (for pcre flowvar storage)
186  * \param p Packet
187  *
188  * \retval 0 no match
189  * \retval 1 match
190  */
191 static int DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
192  DetectEngineThreadCtx *det_ctx,
193  const Signature *s, const SigMatchData *smd,
194  Flow *f, Packet *p)
195 {
196  SCEnter();
197  int r = 0;
198 
199  if (smd == NULL) {
200  SCReturnInt(0);
201  }
202 #ifdef DEBUG
203  det_ctx->payload_persig_cnt++;
204  det_ctx->payload_persig_size += p->payload_len;
205 #endif
206  det_ctx->buffer_offset = 0;
207  det_ctx->discontinue_matching = 0;
208  det_ctx->inspection_recursion_counter = 0;
209  det_ctx->replist = NULL;
210 
211  r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
212  p, f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE,
214  if (r == 1) {
215  SCReturnInt(1);
216  }
217  SCReturnInt(0);
218 }
219 
223  const Signature *s;
224  Flow *f;
225 };
226 
227 static int StreamContentInspectFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
228 {
229  SCEnter();
230  int r = 0;
231  struct StreamContentInspectData *smd = cb_data;
232 #ifdef DEBUG
233  smd->det_ctx->stream_persig_cnt++;
234  smd->det_ctx->stream_persig_size += data_len;
235 #endif
236  smd->det_ctx->buffer_offset = 0;
237  smd->det_ctx->discontinue_matching = 0;
239 
241  smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH],
242  NULL, smd->f, (uint8_t *)data, data_len, 0, 0, //TODO
244  if (r == 1) {
245  SCReturnInt(1);
246  }
247 
248  SCReturnInt(0);
249 }
250 
251 /**
252  * \brief Do the content inspection & validation for a signature
253  * on the raw stream
254  *
255  * \param de_ctx Detection engine context
256  * \param det_ctx Detection engine thread context
257  * \param s Signature to inspect
258  * \param f flow (for pcre flowvar storage)
259  *
260  * \retval 0 no match
261  * \retval 1 match
262  */
264  DetectEngineThreadCtx *det_ctx, const Signature *s,
265  Flow *f, Packet *p)
266 {
267  SCEnter();
268  SCLogDebug("FLUSH? %s", (s->flags & SIG_FLAG_FLUSH)?"true":"false");
269  uint64_t unused;
270  struct StreamContentInspectData inspect_data = { de_ctx, det_ctx, s, f };
271  int r = StreamReassembleRaw(f->protoctx, p,
272  StreamContentInspectFunc, &inspect_data,
273  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
274  return r;
275 }
276 
280  const Signature *s;
282  Flow *f;
283 };
284 
285 static int StreamContentInspectEngineFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
286 {
287  SCEnter();
288  int r = 0;
289  struct StreamContentInspectEngineData *smd = cb_data;
290 #ifdef DEBUG
291  smd->det_ctx->stream_persig_cnt++;
292  smd->det_ctx->stream_persig_size += data_len;
293 #endif
294  smd->det_ctx->buffer_offset = 0;
295  smd->det_ctx->discontinue_matching = 0;
297 
299  smd->s, smd->smd,
300  NULL, smd->f, (uint8_t *)data, data_len, 0, 0, // TODO
302  if (r == 1) {
303  SCReturnInt(1);
304  }
305 
306  SCReturnInt(0);
307 }
308 
309 /**
310  * \brief inspect engine for stateful rules
311  *
312  * Caches results as it may be called multiple times if we inspect
313  * multiple transactions in one packet.
314  *
315  * Returns "can't match" if depth is reached.
316  */
318  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
319  const Signature *s, const SigMatchData *smd,
320  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
321 {
322  Packet *p = det_ctx->p; /* TODO: get rid of this HACK */
323 
324  /* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
325  * we can get called for UDP. Then we simply inspect the packet payload */
326  if (p->proto == IPPROTO_UDP) {
327  return DetectEngineInspectStreamUDPPayload(de_ctx,
328  det_ctx, s, smd, f, p);
329  /* for other non-TCP protocols we assume match */
330  } else if (p->proto != IPPROTO_TCP)
332 
333  TcpSession *ssn = f->protoctx;
334  if (ssn == NULL)
336 
337  SCLogDebug("pre-inspect det_ctx->raw_stream_progress %"PRIu64" FLUSH? %s",
338  det_ctx->raw_stream_progress,
339  (s->flags & SIG_FLAG_FLUSH)?"true":"false");
340  uint64_t unused;
341  struct StreamContentInspectEngineData inspect_data = { de_ctx, det_ctx, s, smd, f };
342  int match = StreamReassembleRaw(f->protoctx, p,
343  StreamContentInspectEngineFunc, &inspect_data,
344  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
345 
346  bool is_last = false;
347  if (flags & STREAM_TOSERVER) {
348  TcpStream *stream = &ssn->client;
350  is_last = true;
351  } else {
352  TcpStream *stream = &ssn->server;
354  is_last = true;
355  }
356 
357  SCLogDebug("%s ran stream for sid %u on packet %"PRIu64" and we %s",
358  is_last? "LAST:" : "normal:", s->id, p->pcap_cnt,
359  match ? "matched" : "didn't match");
360 
361  if (match) {
363  } else {
364  if (is_last) {
365  //SCLogNotice("last, so DETECT_ENGINE_INSPECT_SIG_CANT_MATCH");
367  }
368  /* TODO maybe we can set 'CANT_MATCH' for EOF too? */
370  }
371 }
372 
373 #ifdef UNITTESTS
374 
375 /** \test Not the first but the second occurence of "abc" should be used
376  * for the 2nd match */
377 static int PayloadTestSig01 (void)
378 {
379  uint8_t *buf = (uint8_t *)
380  "abcabcd";
381  uint16_t buflen = strlen((char *)buf);
382  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
383  int result = 0;
384 
385  char sig[] = "alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
386  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
387  result = 0;
388  goto end;
389  }
390 
391  result = 1;
392 end:
393  if (p != NULL)
394  UTHFreePacket(p);
395  return result;
396 }
397 
398 /** \test Nocase matching */
399 static int PayloadTestSig02 (void)
400 {
401  uint8_t *buf = (uint8_t *)
402  "abcaBcd";
403  uint16_t buflen = strlen((char *)buf);
404  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
405  int result = 0;
406 
407  char sig[] = "alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
408  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
409  result = 0;
410  goto end;
411  }
412 
413  result = 1;
414 end:
415  if (p != NULL)
416  UTHFreePacket(p);
417  return result;
418 }
419 
420 /** \test Negative distance matching */
421 static int PayloadTestSig03 (void)
422 {
423  uint8_t *buf = (uint8_t *)
424  "abcaBcd";
425  uint16_t buflen = strlen((char *)buf);
426  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
427  int result = 0;
428 
429  char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
430  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
431  result = 0;
432  goto end;
433  }
434 
435  result = 1;
436 end:
437  if (p != NULL)
438  UTHFreePacket(p);
439  return result;
440 }
441 
442 /**
443  * \test Test multiple relative matches.
444  */
445 static int PayloadTestSig04(void)
446 {
447  uint8_t *buf = (uint8_t *)"now this is is big big string now";
448  uint16_t buflen = strlen((char *)buf);
449  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
450  int result = 0;
451 
452  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
453  "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
454  "content:\"string\"; within:8; sid:1;)";
455  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
456  result = 0;
457  goto end;
458  }
459 
460  result = 1;
461 end:
462  if (p != NULL)
463  UTHFreePacket(p);
464  return result;
465 }
466 
467 /**
468  * \test Test multiple relative matches.
469  */
470 static int PayloadTestSig05(void)
471 {
472  uint8_t *buf = (uint8_t *)"now this is is is big big big string now";
473  uint16_t buflen = strlen((char *)buf);
474  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
475  int result = 0;
476 
477  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
478  "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
479  "content:\"string\"; within:8; sid:1;)";
480  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
481  result = 0;
482  goto end;
483  }
484 
485  result = 1;
486 end:
487  if (p != NULL)
488  UTHFreePacket(p);
489  return result;
490 }
491 
492 /**
493  * \test Test multiple relative matches.
494  */
495 static int PayloadTestSig06(void)
496 {
497  uint8_t *buf = (uint8_t *)"this this now is is big string now";
498  uint16_t buflen = strlen((char *)buf);
499  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
500  int result = 0;
501 
502  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
503  "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
504  "content:\"string\"; within:8; sid:1;)";
505  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
506  result = 0;
507  goto end;
508  }
509 
510  result = 1;
511 end:
512  if (p != NULL)
513  UTHFreePacket(p);
514  return result;
515 }
516 
517 /**
518  * \test Test multiple relative matches.
519  */
520 static int PayloadTestSig07(void)
521 {
522  uint8_t *buf = (uint8_t *)" thus thus is a big";
523  uint16_t buflen = strlen((char *)buf);
524  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
525  int result = 0;
526 
527  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
528  "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
529 
530  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
531  result = 0;
532  goto end;
533  }
534 
535  result = 1;
536 end:
537  if (p != NULL)
538  UTHFreePacket(p);
539  return result;
540 }
541 
542 /**
543  * \test Test multiple relative matches with negative matches
544  * and show the need for det_ctx->discontinue_matching.
545  */
546 static int PayloadTestSig08(void)
547 {
548  uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
549  uint16_t buflen = strlen((char *)buf);
550  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
551  int result = 0;
552 
553  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
554  "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
555 
556  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 1) {
557  goto end;
558  }
559 
560  result = 1;
561 end:
562  if (p != NULL)
563  UTHFreePacket(p);
564  return result;
565 }
566 
567 /**
568  * \test Test pcre recursive matching.
569  */
570 static int PayloadTestSig09(void)
571 {
572  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
573  uint16_t buflen = strlen((char *)buf);
574  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
575  int result = 0;
576 
577  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
578  "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
579 
580  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
581  result = 0;
582  goto end;
583  }
584 
585  result = 1;
586 end:
587  if (p != NULL)
588  UTHFreePacket(p);
589  return result;
590 }
591 
592 /**
593  * \test Test invalid sig.
594  */
595 static int PayloadTestSig10(void)
596 {
597  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
598  uint16_t buflen = strlen((char *)buf);
599  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
600  int result = 0;
601 
602  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
603  "byte_test:4,>,2,0,relative; sid:11;)";
604 
605  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
606  result = 0;
607  goto end;
608  }
609 
610  result = 1;
611 end:
612  if (p != NULL)
613  UTHFreePacket(p);
614  return result;
615 }
616 
617 /**
618  * \test Test invalid sig.
619  */
620 static int PayloadTestSig11(void)
621 {
622  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
623  uint16_t buflen = strlen((char *)buf);
624  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
625  int result = 0;
626 
627  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
628  "byte_jump:1,0,relative; sid:11;)";
629 
630  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
631  result = 0;
632  goto end;
633  }
634 
635  result = 1;
636 end:
637  if (p != NULL)
638  UTHFreePacket(p);
639  return result;
640 }
641 
642 /**
643  * \test Test invalid sig.
644  */
645 static int PayloadTestSig12(void)
646 {
647  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
648  uint16_t buflen = strlen((char *)buf);
649  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
650  int result = 0;
651 
652  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
653  "isdataat:10,relative; sid:11;)";
654 
655  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
656  result = 0;
657  goto end;
658  }
659 
660  result = 1;
661 end:
662  if (p != NULL)
663  UTHFreePacket(p);
664  return result;
665 }
666 
667 /**
668  * \test Used to check the working of recursion_limit counter.
669  */
670 static int PayloadTestSig13(void)
671 {
672  uint8_t *buf = (uint8_t *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
673  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
674  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
675  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
676  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
677  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
678  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
679  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
680  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
681  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
682  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
683  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
684  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
685  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
686  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
687  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
688  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
689  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
690  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
691  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
692  uint16_t buflen = strlen((char *)buf);
693  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
694  int result = 0;
695  uint16_t mpm_type = mpm_default_matcher;
696 
697  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
698  "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
699  "byte_test:1,>,200,0,relative; sid:1;)";
700 
701  struct timeval tv_start, tv_end, tv_diff;
702 
703  gettimeofday(&tv_start, NULL);
704 
705  do {
706  DecodeThreadVars dtv;
707  ThreadVars th_v;
708  DetectEngineThreadCtx *det_ctx = NULL;
709 
710  memset(&dtv, 0, sizeof(DecodeThreadVars));
711  memset(&th_v, 0, sizeof(th_v));
712 
714  if (de_ctx == NULL) {
715  printf("de_ctx == NULL: ");
716  goto end;
717  }
718  de_ctx->inspection_recursion_limit = 3000;
719 
720  de_ctx->flags |= DE_QUIET;
721  de_ctx->mpm_matcher = mpm_type;
722 
723  de_ctx->sig_list = SigInit(de_ctx, sig);
724  if (de_ctx->sig_list == NULL) {
725  printf("signature == NULL: ");
726  goto end;
727  }
728 
729  SigGroupBuild(de_ctx);
730  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
731 
732  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
733  if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
734  goto end;
735  }
736 
737  result = 1;
738  end:
739  SigGroupCleanup(de_ctx);
740  SigCleanSignatures(de_ctx);
741 
742  if (det_ctx != NULL)
743  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
744 
745  if (de_ctx != NULL)
746  DetectEngineCtxFree(de_ctx);
747  } while (0);
748 
749  gettimeofday(&tv_end, NULL);
750 
751  tv_diff.tv_sec = tv_end.tv_sec - tv_start.tv_sec;
752  tv_diff.tv_usec = tv_end.tv_usec - tv_start.tv_usec;
753 
754  printf("%ld.%06ld\n", (long int)tv_diff.tv_sec, (long int)tv_diff.tv_usec);
755 
756  result = 1;
757 
758  if (p != NULL)
759  UTHFreePacket(p);
760  return result;
761 }
762 
763 /**
764  * \test normal & negated matching, both absolute and relative
765  */
766 static int PayloadTestSig14(void)
767 {
768  uint8_t *buf = (uint8_t *)"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
769  uint16_t buflen = strlen((char *)buf);
770  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
771  int result = 0;
772 
773  char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
774 
775  //char sig[] = "alert tcp any any -> any any (content:\"User-Agent: Mozilla/5.0 (Macintosh; \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
776 
777  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
778  goto end;
779  }
780 
781  result = 1;
782 end:
783  if (p != NULL)
784  UTHFreePacket(p);
785  return result;
786 }
787 
788 static int PayloadTestSig15(void)
789 {
790  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
791  uint16_t buflen = strlen((char *)buf);
792  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
793  int result = 0;
794 
795  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
796  "content:\"nova\"; isdataat:18,relative; sid:1;)";
797 
798  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
799  result = 0;
800  goto end;
801  }
802 
803  result = 1;
804 
805 end:
806  if (p != NULL)
807  UTHFreePacket(p);
808  return result;
809 }
810 
811 static int PayloadTestSig16(void)
812 {
813  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
814  uint16_t buflen = strlen((char *)buf);
815  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
816  int result = 0;
817 
818  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
819  "content:\"nova\"; isdataat:!20,relative; sid:1;)";
820 
821  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
822  result = 0;
823  goto end;
824  }
825 
826  result = 1;
827 
828 end:
829  if (p != NULL)
830  UTHFreePacket(p);
831  return result;
832 }
833 
834 static int PayloadTestSig17(void)
835 {
836  uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
837  uint16_t buflen = 9;
838  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
839  int result = 0;
840 
841  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
842  "content:\"%\"; depth:4; offset:0; "
843  "content:\"%\"; within:2; distance:1; sid:1;)";
844 
845  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
846  result = 0;
847  goto end;
848  }
849 
850  result = 1;
851 
852 end:
853  if (p != NULL)
854  UTHFreePacket(p);
855  return result;
856 }
857 
858 static int PayloadTestSig18(void)
859 {
860  uint8_t buf[] = {
861  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
862  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
863  0x0E, 0x0F,
864  };
865  uint16_t buflen = sizeof(buf);
866  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
867  int result = 0;
868 
869  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
870  "content:\"|01 02 03 04|\"; "
871  "byte_extract:1,2,one,string,dec,relative; "
872  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
873 
874  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
875  result = 0;
876  goto end;
877  }
878 
879  result = 1;
880 
881 end:
882  if (p != NULL)
883  UTHFreePacket(p);
884  return result;
885 }
886 
887 static int PayloadTestSig19(void)
888 {
889  uint8_t buf[] = {
890  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
891  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
892  0x0E, 0x0F,
893  };
894  uint16_t buflen = sizeof(buf);
895  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
896  int result = 0;
897 
898  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
899  "content:\"|01 02 03 04|\"; "
900  "byte_extract:1,2,one,string,hex,relative; "
901  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
902 
903  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
904  result = 0;
905  goto end;
906  }
907 
908  result = 1;
909 
910 end:
911  if (p != NULL)
912  UTHFreePacket(p);
913  return result;
914 }
915 
916 static int PayloadTestSig20(void)
917 {
918  uint8_t buf[] = {
919  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
920  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
921  0x0E, 0x0F,
922  };
923  uint16_t buflen = sizeof(buf);
924  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
925  int result = 0;
926 
927  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
928  "content:\"|01 02 03 04|\"; "
929  "byte_extract:1,2,one,string,dec,relative; "
930  "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
931 
932  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
933  result = 0;
934  goto end;
935  }
936 
937  result = 1;
938 
939 end:
940  if (p != NULL)
941  UTHFreePacket(p);
942  return result;
943 }
944 
945 static int PayloadTestSig21(void)
946 {
947  uint8_t buf[] = {
948  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
949  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
950  0x0E, 0x0F,
951  };
952  uint16_t buflen = sizeof(buf);
953  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
954  int result = 0;
955 
956  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
957  "content:\"|01 02 03 04|\"; "
958  "byte_extract:1,2,one,string,dec,relative; "
959  "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
960 
961  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
962  result = 0;
963  goto end;
964  }
965 
966  result = 1;
967 
968 end:
969  if (p != NULL)
970  UTHFreePacket(p);
971  return result;
972 }
973 
974 static int PayloadTestSig22(void)
975 {
976  uint8_t buf[] = {
977  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
978  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
979  0x0E, 0x0F,
980  };
981  uint16_t buflen = sizeof(buf);
982  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
983  int result = 0;
984 
985  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
986  "content:\"|01 02 03 04|\"; "
987  "byte_extract:1,2,one,string,dec,relative; "
988  "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
989 
990  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
991  result = 0;
992  goto end;
993  }
994 
995  result = 1;
996 
997 end:
998  if (p != NULL)
999  UTHFreePacket(p);
1000  return result;
1001 }
1002 
1003 static int PayloadTestSig23(void)
1004 {
1005  uint8_t buf[] = {
1006  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
1007  0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
1008  0x32, 0x0F,
1009  };
1010  uint16_t buflen = sizeof(buf);
1011  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1012  int result = 0;
1013 
1014  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1015  "content:\"|01 02 03 04|\"; "
1016  "byte_extract:1,2,one,string,dec,relative; "
1017  "byte_extract:1,3,two,string,dec,relative; "
1018  "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
1019 
1020  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1021  result = 0;
1022  goto end;
1023  }
1024 
1025  result = 1;
1026 
1027 end:
1028  if (p != NULL)
1029  UTHFreePacket(p);
1030  return result;
1031 }
1032 
1033 static int PayloadTestSig24(void)
1034 {
1035  uint8_t buf[] = {
1036  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
1037  0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
1038  0x0E, 0x0F,
1039  };
1040  uint16_t buflen = sizeof(buf);
1041  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1042  int result = 0;
1043 
1044  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1045  "content:\"|01 02 03 04|\"; "
1046  "byte_extract:1,2,one,string,dec,relative; "
1047  "byte_jump:1,one,string,dec,relative; "
1048  "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
1049 
1050  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1051  result = 0;
1052  goto end;
1053  }
1054 
1055  result = 1;
1056 
1057 end:
1058  if (p != NULL)
1059  UTHFreePacket(p);
1060  return result;
1061 }
1062 
1063 /*
1064  * \test Test negative byte extract.
1065  */
1066 static int PayloadTestSig25(void)
1067 {
1068  uint8_t buf[] = {
1069  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
1070  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
1071  0x0E, 0x0F,
1072  };
1073  uint16_t buflen = sizeof(buf);
1074  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1075  int result = 0;
1076 
1077  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1078  "content:\"|35 07 08 09|\"; "
1079  "byte_extract:1,-4,one,string,dec,relative; "
1080  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1081 
1082  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1083  result = 0;
1084  goto end;
1085  }
1086 
1087  result = 1;
1088 
1089 end:
1090  if (p != NULL)
1091  UTHFreePacket(p);
1092  return result;
1093 }
1094 
1095 /*
1096  * \test Test negative byte extract.
1097  */
1098 static int PayloadTestSig26(void)
1099 {
1100  uint8_t buf[] = {
1101  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
1102  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
1103  0x0E, 0x0F,
1104  };
1105  uint16_t buflen = sizeof(buf);
1106  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1107  int result = 0;
1108 
1109  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1110  "content:\"|35 07 08 09|\"; "
1111  "byte_extract:1,-3000,one,string,dec,relative; "
1112  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1113 
1114  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 0) {
1115  result = 0;
1116  goto end;
1117  }
1118 
1119  result = 1;
1120 
1121 end:
1122  if (p != NULL)
1123  UTHFreePacket(p);
1124  return result;
1125 }
1126 
1127 /*
1128  * \test Test packet/stream sigs
1129  */
1130 static int PayloadTestSig27(void)
1131 {
1132  uint8_t buf[] = "dummypayload";
1133  uint16_t buflen = sizeof(buf) - 1;
1134  int result = 0;
1135 
1136  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1137 
1138  char sig[] = "alert tcp any any -> any any (content:\"dummy\"; "
1139  "depth:5; sid:1;)";
1140 
1141  p->flags |= PKT_STREAM_ADD;
1142  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 1)
1143  goto end;
1144 
1145  result = 1;
1146 
1147 end:
1148  if (p != NULL)
1149  UTHFreePacket(p);
1150  return result;
1151 }
1152 
1153 /*
1154  * \test Test packet/stream sigs
1155  */
1156 static int PayloadTestSig28(void)
1157 {
1158  uint8_t buf[] = "dummypayload";
1159  uint16_t buflen = sizeof(buf) - 1;
1160  int result = 0;
1161 
1162  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1163 
1164  char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
1165  "offset:4; depth:12; sid:1;)";
1166 
1167  p->flags |= PKT_STREAM_ADD;
1168  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 1)
1169  goto end;
1170 
1171  result = 1;
1172 
1173 end:
1174  if (p != NULL)
1175  UTHFreePacket(p);
1176  return result;
1177 }
1178 
1179 /**
1180  * \test Test pcre recursive matching - bug #529
1181  */
1182 static int PayloadTestSig29(void)
1183 {
1184  uint8_t *buf = (uint8_t *)"this is a super dupernova in super nova now";
1185  uint16_t buflen = strlen((char *)buf);
1186  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1187  int result = 0;
1188 
1189  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1190  "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1191 
1192  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
1193  result = 0;
1194  goto end;
1195  }
1196 
1197  result = 1;
1198 end:
1199  if (p != NULL)
1200  UTHFreePacket(p);
1201  return result;
1202 }
1203 
1204 static int PayloadTestSig30(void)
1205 {
1206  uint8_t *buf = (uint8_t *)
1207  "xyonexxxxxxtwojunkonetwo";
1208  uint16_t buflen = strlen((char *)buf);
1209  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1210  int result = 0;
1211 
1212  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1213  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1214  result = 0;
1215  goto end;
1216  }
1217 
1218  result = 1;
1219 end:
1220  if (p != NULL)
1221  UTHFreePacket(p);
1222  return result;
1223 }
1224 
1225 static int PayloadTestSig31(void)
1226 {
1227  uint8_t *buf = (uint8_t *)
1228  "xyonexxxxxxtwojunkonetwo";
1229  uint16_t buflen = strlen((char *)buf);
1230  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1231  int result = 0;
1232 
1233  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1234  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1235  result = 0;
1236  goto end;
1237  }
1238 
1239  result = 1;
1240 end:
1241  if (p != NULL)
1242  UTHFreePacket(p);
1243  return result;
1244 }
1245 
1246 /**
1247  * \test Test byte_jump.
1248  */
1249 static int PayloadTestSig32(void)
1250 {
1251  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1252  uint16_t buflen = strlen((char *)buf);
1253  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1254  int result = 0;
1255 
1256  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1257  "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1258 
1259  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
1260  goto end;
1261 
1262  result = 1;
1263 end:
1264  if (p != NULL)
1265  UTHFreePacket(p);
1266  return result;
1267 }
1268 
1269 /**
1270  * \test Test byte_test.
1271  */
1272 static int PayloadTestSig33(void)
1273 {
1274  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1275  uint16_t buflen = strlen((char *)buf);
1276  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1277  int result = 0;
1278 
1279  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1280  "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1281 
1282  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
1283  goto end;
1284 
1285  result = 1;
1286 end:
1287  if (p != NULL)
1288  UTHFreePacket(p);
1289  return result;
1290 }
1291 
1292 /**
1293  * \test Test byte_extract.
1294  */
1295 static int PayloadTestSig34(void)
1296 {
1297  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1298  uint16_t buflen = strlen((char *)buf);
1299  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1300  int result = 0;
1301 
1302  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1303  "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1304 
1305  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
1306  goto end;
1307 
1308  result = 1;
1309 end:
1310  if (p != NULL)
1311  UTHFreePacket(p);
1312  return result;
1313 }
1314 
1315 #endif /* UNITTESTS */
1316 
1318 {
1319 #ifdef UNITTESTS
1320  UtRegisterTest("PayloadTestSig01", PayloadTestSig01);
1321  UtRegisterTest("PayloadTestSig02", PayloadTestSig02);
1322  UtRegisterTest("PayloadTestSig03", PayloadTestSig03);
1323  UtRegisterTest("PayloadTestSig04", PayloadTestSig04);
1324  UtRegisterTest("PayloadTestSig05", PayloadTestSig05);
1325  UtRegisterTest("PayloadTestSig06", PayloadTestSig06);
1326  UtRegisterTest("PayloadTestSig07", PayloadTestSig07);
1327  UtRegisterTest("PayloadTestSig08", PayloadTestSig08);
1328  UtRegisterTest("PayloadTestSig09", PayloadTestSig09);
1329  UtRegisterTest("PayloadTestSig10", PayloadTestSig10);
1330  UtRegisterTest("PayloadTestSig11", PayloadTestSig11);
1331  UtRegisterTest("PayloadTestSig12", PayloadTestSig12);
1332  UtRegisterTest("PayloadTestSig13", PayloadTestSig13);
1333  UtRegisterTest("PayloadTestSig14", PayloadTestSig14);
1334  UtRegisterTest("PayloadTestSig15", PayloadTestSig15);
1335  UtRegisterTest("PayloadTestSig16", PayloadTestSig16);
1336  UtRegisterTest("PayloadTestSig17", PayloadTestSig17);
1337 
1338  UtRegisterTest("PayloadTestSig18", PayloadTestSig18);
1339  UtRegisterTest("PayloadTestSig19", PayloadTestSig19);
1340  UtRegisterTest("PayloadTestSig20", PayloadTestSig20);
1341  UtRegisterTest("PayloadTestSig21", PayloadTestSig21);
1342  UtRegisterTest("PayloadTestSig22", PayloadTestSig22);
1343  UtRegisterTest("PayloadTestSig23", PayloadTestSig23);
1344  UtRegisterTest("PayloadTestSig24", PayloadTestSig24);
1345  UtRegisterTest("PayloadTestSig25", PayloadTestSig25);
1346  UtRegisterTest("PayloadTestSig26", PayloadTestSig26);
1347  UtRegisterTest("PayloadTestSig27", PayloadTestSig27);
1348  UtRegisterTest("PayloadTestSig28", PayloadTestSig28);
1349  UtRegisterTest("PayloadTestSig29", PayloadTestSig29);
1350 
1351  UtRegisterTest("PayloadTestSig30", PayloadTestSig30);
1352  UtRegisterTest("PayloadTestSig31", PayloadTestSig31);
1353  UtRegisterTest("PayloadTestSig32", PayloadTestSig32);
1354  UtRegisterTest("PayloadTestSig33", PayloadTestSig33);
1355  UtRegisterTest("PayloadTestSig34", PayloadTestSig34);
1356 #endif /* UNITTESTS */
1357 
1358  return;
1359 }
MpmThreadCtx mtcs
Definition: detect.h:1101
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:445
uint16_t minlen
Definition: util-mpm.h:99
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint16_t discontinue_matching
Definition: detect.h:1067
uint32_t flags
Definition: detect.h:523
uint32_t id
Definition: detect.h:555
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
Signature * sig_list
Definition: detect.h:767
void PayloadRegisterTests(void)
DetectReplaceList * replist
Definition: detect.h:1115
Data needed for Match()
Definition: detect.h:327
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Container for matching data for a signature group.
Definition: detect.h:1336
MpmThreadCtx mtc
Definition: detect.h:1099
const MpmCtx * mpm_ctx
uint64_t pcap_cnt
Definition: decode.h:561
uint32_t buffer_offset
Definition: detect.h:1032
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Signature container.
Definition: detect.h:522
void * protoctx
Definition: flow.h:400
main detection engine ctx
Definition: detect.h:761
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
int StreamReassembleRaw(TcpSession *ssn, const Packet *p, StreamReassembleRawFunc Callback, void *cb_data, uint64_t *progress_out, bool respect_inspect_depth)
int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
int DetectEngineInspectStream(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
#define DE_QUIET
Definition: detect.h:292
uint8_t proto
Definition: decode.h:430
uint8_t flags
Definition: detect.h:762
#define DETECT_ENGINE_INSPECT_SIG_MATCH
int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterFunc)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Data structures and function prototypes for keeping state for the detection engine.
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1123
#define SIG_FLAG_FLUSH
Definition: detect.h:228
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint8_t mpm_type
Definition: util-mpm.h:90
uint16_t mpm_matcher
Definition: detect.h:810
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1669
int PrefilterPktStreamRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
#define SCEnter(...)
Definition: util-debug.h:337
PrefilterRuleStore pmq
Definition: detect.h:1102
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:575
int SigGroupCleanup(DetectEngineCtx *de_ctx)
#define SCReturnInt(x)
Definition: util-debug.h:341
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
int mpm_default_matcher
Definition: util-mpm.h:170
uint64_t raw_stream_progress
Definition: detect.h:1028
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.h:169
DetectEngineThreadCtx * det_ctx
uint16_t tx_id
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
#define PKT_STREAM_ADD
Definition: decode.h:1090
#define STREAM_TOSERVER
Definition: stream.h:31
int PrefilterPktPayloadRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
int inspection_recursion_counter
Definition: detect.h:1079
#define DETECT_CI_FLAGS_SINGLE
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:162
#define SCReturn
Definition: util-debug.h:339
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx * det_ctx
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1087
uint32_t flags
Definition: decode.h:443
uint16_t payload_len
Definition: decode.h:541
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Flow data structure.
Definition: flow.h:325
uint8_t * payload
Definition: decode.h:540
int inspection_recursion_limit
Definition: detect.h:833
DetectEngineCtx * DetectEngineCtxInit(void)