56 static int StreamMpmFunc(
void *cb_data,
const uint8_t *data,
const uint32_t data_len)
62 smd->
det_ctx->stream_mpm_size += data_len;
72 Packet *p,
const void *pectx)
80 SCLogDebug(
"PRE det_ctx->raw_stream_progress %"PRIu64,
84 StreamMpmFunc, &stream_mpm_data,
87 SCLogDebug(
"POST det_ctx->raw_stream_progress %"PRIu64,
90 SCLogDebug(
"NOT p->flags & PKT_DETECT_HAS_STREAMDATA");
113 PrefilterPktStream,
mpm_ctx, NULL,
"stream");
117 Packet *p,
const void *pectx)
134 PrefilterPktPayload,
mpm_ctx, NULL,
"payload");
227 static int StreamContentInspectFunc(
void *cb_data,
const uint8_t *data,
const uint32_t data_len)
233 smd->
det_ctx->stream_persig_cnt++;
234 smd->
det_ctx->stream_persig_size += data_len;
242 NULL, smd->
f, (uint8_t *)data, data_len, 0, 0,
272 StreamContentInspectFunc, &inspect_data,
285 static int StreamContentInspectEngineFunc(
void *cb_data,
const uint8_t *data,
const uint32_t data_len)
291 smd->det_ctx->stream_persig_cnt++;
292 smd->det_ctx->stream_persig_size += data_len;
294 smd->det_ctx->buffer_offset = 0;
295 smd->det_ctx->discontinue_matching = 0;
296 smd->det_ctx->inspection_recursion_counter = 0;
300 NULL,
smd->f, (uint8_t *)data, data_len, 0, 0,
320 Flow *
f, uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
326 if (p->
proto == IPPROTO_UDP) {
327 return DetectEngineInspectStreamUDPPayload(
de_ctx,
330 }
else if (p->
proto != IPPROTO_TCP)
337 SCLogDebug(
"pre-inspect det_ctx->raw_stream_progress %"PRIu64
" FLUSH? %s",
343 StreamContentInspectEngineFunc, &inspect_data,
346 bool is_last =
false;
357 SCLogDebug(
"%s ran stream for sid %u on packet %"PRIu64
" and we %s",
359 match ?
"matched" :
"didn't match");
377 static int PayloadTestSig01 (
void)
379 uint8_t *buf = (uint8_t *)
381 uint16_t buflen = strlen((
char *)buf);
385 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
399 static int PayloadTestSig02 (
void)
401 uint8_t *buf = (uint8_t *)
403 uint16_t buflen = strlen((
char *)buf);
407 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
421 static int PayloadTestSig03 (
void)
423 uint8_t *buf = (uint8_t *)
425 uint16_t buflen = strlen((
char *)buf);
429 char sig[] =
"alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
445 static int PayloadTestSig04(
void)
447 uint8_t *buf = (uint8_t *)
"now this is is big big string now";
448 uint16_t buflen = strlen((
char *)buf);
452 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
453 "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
454 "content:\"string\"; within:8; sid:1;)";
470 static int PayloadTestSig05(
void)
472 uint8_t *buf = (uint8_t *)
"now this is is is big big big string now";
473 uint16_t buflen = strlen((
char *)buf);
477 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
478 "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
479 "content:\"string\"; within:8; sid:1;)";
495 static int PayloadTestSig06(
void)
497 uint8_t *buf = (uint8_t *)
"this this now is is big string now";
498 uint16_t buflen = strlen((
char *)buf);
502 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
503 "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
504 "content:\"string\"; within:8; sid:1;)";
520 static int PayloadTestSig07(
void)
522 uint8_t *buf = (uint8_t *)
" thus thus is a big";
523 uint16_t buflen = strlen((
char *)buf);
527 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
528 "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
546 static int PayloadTestSig08(
void)
548 uint8_t *buf = (uint8_t *)
"we need to fix this and yes fix this now";
549 uint16_t buflen = strlen((
char *)buf);
553 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
554 "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
570 static int PayloadTestSig09(
void)
572 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
573 uint16_t buflen = strlen((
char *)buf);
577 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
578 "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
595 static int PayloadTestSig10(
void)
597 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
598 uint16_t buflen = strlen((
char *)buf);
602 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
603 "byte_test:4,>,2,0,relative; sid:11;)";
620 static int PayloadTestSig11(
void)
622 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
623 uint16_t buflen = strlen((
char *)buf);
627 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
628 "byte_jump:1,0,relative; sid:11;)";
645 static int PayloadTestSig12(
void)
647 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
648 uint16_t buflen = strlen((
char *)buf);
652 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
653 "isdataat:10,relative; sid:11;)";
670 static int PayloadTestSig13(
void)
672 uint8_t *buf = (uint8_t *)
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
673 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
674 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
675 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
676 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
677 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
678 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
679 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
680 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
681 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
682 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
683 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
684 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
685 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
686 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
687 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
688 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
689 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
690 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
691 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
692 uint16_t buflen = strlen((
char *)buf);
697 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
698 "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
699 "byte_test:1,>,200,0,relative; sid:1;)";
701 struct timeval tv_start, tv_end, tv_diff;
703 gettimeofday(&tv_start, NULL);
711 memset(&th_v, 0,
sizeof(th_v));
715 printf(
"de_ctx == NULL: ");
725 printf(
"signature == NULL: ");
749 gettimeofday(&tv_end, NULL);
751 tv_diff.tv_sec = tv_end.tv_sec - tv_start.tv_sec;
752 tv_diff.tv_usec = tv_end.tv_usec - tv_start.tv_usec;
754 printf(
"%ld.%06ld\n", (
long int)tv_diff.tv_sec, (
long int)tv_diff.tv_usec);
766 static int PayloadTestSig14(
void)
768 uint8_t *buf = (uint8_t *)
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
769 uint16_t buflen = strlen((
char *)buf);
773 char sig[] =
"alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
788 static int PayloadTestSig15(
void)
790 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
791 uint16_t buflen = strlen((
char *)buf);
795 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
796 "content:\"nova\"; isdataat:18,relative; sid:1;)";
811 static int PayloadTestSig16(
void)
813 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
814 uint16_t buflen = strlen((
char *)buf);
818 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
819 "content:\"nova\"; isdataat:!20,relative; sid:1;)";
834 static int PayloadTestSig17(
void)
836 uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
841 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
842 "content:\"%\"; depth:4; offset:0; "
843 "content:\"%\"; within:2; distance:1; sid:1;)";
858 static int PayloadTestSig18(
void)
861 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
862 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
865 uint16_t buflen =
sizeof(buf);
869 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
870 "content:\"|01 02 03 04|\"; "
871 "byte_extract:1,2,one,string,dec,relative; "
872 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
887 static int PayloadTestSig19(
void)
890 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
891 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
894 uint16_t buflen =
sizeof(buf);
898 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
899 "content:\"|01 02 03 04|\"; "
900 "byte_extract:1,2,one,string,hex,relative; "
901 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
916 static int PayloadTestSig20(
void)
919 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
920 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
923 uint16_t buflen =
sizeof(buf);
927 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
928 "content:\"|01 02 03 04|\"; "
929 "byte_extract:1,2,one,string,dec,relative; "
930 "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
945 static int PayloadTestSig21(
void)
948 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
949 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
952 uint16_t buflen =
sizeof(buf);
956 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
957 "content:\"|01 02 03 04|\"; "
958 "byte_extract:1,2,one,string,dec,relative; "
959 "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
974 static int PayloadTestSig22(
void)
977 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
978 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
981 uint16_t buflen =
sizeof(buf);
985 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
986 "content:\"|01 02 03 04|\"; "
987 "byte_extract:1,2,one,string,dec,relative; "
988 "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
1003 static int PayloadTestSig23(
void)
1006 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
1007 0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
1010 uint16_t buflen =
sizeof(buf);
1014 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1015 "content:\"|01 02 03 04|\"; "
1016 "byte_extract:1,2,one,string,dec,relative; "
1017 "byte_extract:1,3,two,string,dec,relative; "
1018 "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
1033 static int PayloadTestSig24(
void)
1036 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
1037 0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
1040 uint16_t buflen =
sizeof(buf);
1044 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1045 "content:\"|01 02 03 04|\"; "
1046 "byte_extract:1,2,one,string,dec,relative; "
1047 "byte_jump:1,one,string,dec,relative; "
1048 "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
1066 static int PayloadTestSig25(
void)
1069 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
1070 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
1073 uint16_t buflen =
sizeof(buf);
1077 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1078 "content:\"|35 07 08 09|\"; "
1079 "byte_extract:1,-4,one,string,dec,relative; "
1080 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1098 static int PayloadTestSig26(
void)
1101 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
1102 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
1105 uint16_t buflen =
sizeof(buf);
1109 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1110 "content:\"|35 07 08 09|\"; "
1111 "byte_extract:1,-3000,one,string,dec,relative; "
1112 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1130 static int PayloadTestSig27(
void)
1132 uint8_t buf[] =
"dummypayload";
1133 uint16_t buflen =
sizeof(buf) - 1;
1138 char sig[] =
"alert tcp any any -> any any (content:\"dummy\"; "
1156 static int PayloadTestSig28(
void)
1158 uint8_t buf[] =
"dummypayload";
1159 uint16_t buflen =
sizeof(buf) - 1;
1164 char sig[] =
"alert tcp any any -> any any (content:\"payload\"; "
1165 "offset:4; depth:12; sid:1;)";
1182 static int PayloadTestSig29(
void)
1184 uint8_t *buf = (uint8_t *)
"this is a super dupernova in super nova now";
1185 uint16_t buflen = strlen((
char *)buf);
1189 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1190 "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1204 static int PayloadTestSig30(
void)
1206 uint8_t *buf = (uint8_t *)
1207 "xyonexxxxxxtwojunkonetwo";
1208 uint16_t buflen = strlen((
char *)buf);
1212 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1225 static int PayloadTestSig31(
void)
1227 uint8_t *buf = (uint8_t *)
1228 "xyonexxxxxxtwojunkonetwo";
1229 uint16_t buflen = strlen((
char *)buf);
1233 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1249 static int PayloadTestSig32(
void)
1251 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1252 uint16_t buflen = strlen((
char *)buf);
1256 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1257 "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1272 static int PayloadTestSig33(
void)
1274 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1275 uint16_t buflen = strlen((
char *)buf);
1279 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1280 "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1295 static int PayloadTestSig34(
void)
1297 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1298 uint16_t buflen = strlen((
char *)buf);
1302 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1303 "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1.8.18