suricata
detect-engine-payload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Performs payload matching functions
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-engine.h"
33 #include "detect-parse.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-payload.h"
38 
39 #include "stream.h"
40 #include "stream-tcp.h"
41 
42 #include "util-debug.h"
43 #include "util-print.h"
44 
45 #include "util-unittest.h"
46 #include "util-unittest-helper.h"
47 #include "util-validate.h"
48 
49 #include "util-mpm-ac.h"
50 
51 struct StreamMpmData {
53  const MpmCtx *mpm_ctx;
54 };
55 
56 static int StreamMpmFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
57 {
58  struct StreamMpmData *smd = cb_data;
59  if (data_len >= smd->mpm_ctx->minlen) {
60 #ifdef DEBUG
61  smd->det_ctx->stream_mpm_cnt++;
62  smd->det_ctx->stream_mpm_size += data_len;
63 #endif
64  (void)mpm_table[smd->mpm_ctx->mpm_type].Search(smd->mpm_ctx,
65  &smd->det_ctx->mtcs, &smd->det_ctx->pmq,
66  data, data_len);
67  }
68  return 0;
69 }
70 
71 static void PrefilterPktStream(DetectEngineThreadCtx *det_ctx,
72  Packet *p, const void *pectx)
73 {
74  SCEnter();
75 
76  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
77 
78  /* for established packets inspect any stream we may have queued up */
80  SCLogDebug("PRE det_ctx->raw_stream_progress %"PRIu64,
81  det_ctx->raw_stream_progress);
82  struct StreamMpmData stream_mpm_data = { det_ctx, mpm_ctx };
84  StreamMpmFunc, &stream_mpm_data,
85  &det_ctx->raw_stream_progress,
86  false /* mpm doesn't use min inspect depth */);
87  SCLogDebug("POST det_ctx->raw_stream_progress %"PRIu64,
88  det_ctx->raw_stream_progress);
89  } else {
90  SCLogDebug("NOT p->flags & PKT_DETECT_HAS_STREAMDATA");
91  }
92 
93  /* packets that have not been added to the stream will be inspected
94  * as if they are stream chunks */
96  {
97  if (p->payload_len >= mpm_ctx->minlen) {
98 #ifdef DEBUG
99  det_ctx->payload_mpm_cnt++;
100  det_ctx->payload_mpm_size += p->payload_len;
101 #endif
102  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
103  &det_ctx->mtc, &det_ctx->pmq,
104  p->payload, p->payload_len);
105  }
106  }
107 }
108 
110  SigGroupHead *sgh, MpmCtx *mpm_ctx)
111 {
112  return PrefilterAppendPayloadEngine(de_ctx, sgh,
113  PrefilterPktStream, mpm_ctx, NULL, "stream");
114 }
115 
116 static void PrefilterPktPayload(DetectEngineThreadCtx *det_ctx,
117  Packet *p, const void *pectx)
118 {
119  SCEnter();
120 
121  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
122  if (p->payload_len < mpm_ctx->minlen)
123  SCReturn;
124 
125  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
126  &det_ctx->mtc, &det_ctx->pmq,
127  p->payload, p->payload_len);
128 }
129 
131  SigGroupHead *sgh, MpmCtx *mpm_ctx)
132 {
133  return PrefilterAppendPayloadEngine(de_ctx, sgh,
134  PrefilterPktPayload, mpm_ctx, NULL, "payload");
135 }
136 
137 
138 /**
139  * \brief Do the content inspection & validation for a signature
140  *
141  * \param de_ctx Detection engine context
142  * \param det_ctx Detection engine thread context
143  * \param s Signature to inspect
144  * \param f flow (for pcre flowvar storage)
145  * \param p Packet
146  *
147  * \retval 0 no match
148  * \retval 1 match
149  */
151  DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
152 {
153  SCEnter();
154  int r = 0;
155 
156  if (s->sm_arrays[DETECT_SM_LIST_PMATCH] == NULL) {
157  SCReturnInt(0);
158  }
159 #ifdef DEBUG
160  det_ctx->payload_persig_cnt++;
161  det_ctx->payload_persig_size += p->payload_len;
162 #endif
163  det_ctx->buffer_offset = 0;
164  det_ctx->discontinue_matching = 0;
165  det_ctx->inspection_recursion_counter = 0;
166  det_ctx->replist = NULL;
167 
171  if (r == 1) {
172  SCReturnInt(1);
173  }
174  SCReturnInt(0);
175 }
176 
177 /**
178  * \brief Do the content inspection & validation for a sigmatch list
179  *
180  * \param de_ctx Detection engine context
181  * \param det_ctx Detection engine thread context
182  * \param s Signature to inspect
183  * \param smd array of matches to eval
184  * \param f flow (for pcre flowvar storage)
185  * \param p Packet
186  *
187  * \retval 0 no match
188  * \retval 1 match
189  */
190 static int DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
191  DetectEngineThreadCtx *det_ctx,
192  const Signature *s, const SigMatchData *smd,
193  Flow *f, Packet *p)
194 {
195  SCEnter();
196  int r = 0;
197 
198  if (smd == NULL) {
199  SCReturnInt(0);
200  }
201 #ifdef DEBUG
202  det_ctx->payload_persig_cnt++;
203  det_ctx->payload_persig_size += p->payload_len;
204 #endif
205  det_ctx->buffer_offset = 0;
206  det_ctx->discontinue_matching = 0;
207  det_ctx->inspection_recursion_counter = 0;
208  det_ctx->replist = NULL;
209 
210  r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
213  if (r == 1) {
214  SCReturnInt(1);
215  }
216  SCReturnInt(0);
217 }
218 
222  const Signature *s;
223  Flow *f;
224 };
225 
226 static int StreamContentInspectFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
227 {
228  SCEnter();
229  int r = 0;
230  struct StreamContentInspectData *smd = cb_data;
231 #ifdef DEBUG
232  smd->det_ctx->stream_persig_cnt++;
233  smd->det_ctx->stream_persig_size += data_len;
234 #endif
235  smd->det_ctx->buffer_offset = 0;
236  smd->det_ctx->discontinue_matching = 0;
238 
240  smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH],
241  smd->f, (uint8_t *)data, data_len, 0, 0, //TODO
243  if (r == 1) {
244  SCReturnInt(1);
245  }
246 
247  SCReturnInt(0);
248 }
249 
250 /**
251  * \brief Do the content inspection & validation for a signature
252  * on the raw stream
253  *
254  * \param de_ctx Detection engine context
255  * \param det_ctx Detection engine thread context
256  * \param s Signature to inspect
257  * \param f flow (for pcre flowvar storage)
258  *
259  * \retval 0 no match
260  * \retval 1 match
261  */
263  DetectEngineThreadCtx *det_ctx, const Signature *s,
264  Flow *f, Packet *p)
265 {
266  SCEnter();
267 
268  uint64_t unused;
269  struct StreamContentInspectData inspect_data = { de_ctx, det_ctx, s, f };
270  int r = StreamReassembleRaw(f->protoctx, p,
271  StreamContentInspectFunc, &inspect_data,
272  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
273  return r;
274 }
275 
279  const Signature *s;
281  Flow *f;
282 };
283 
284 static int StreamContentInspectEngineFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
285 {
286  SCEnter();
287  int r = 0;
288  struct StreamContentInspectEngineData *smd = cb_data;
289 #ifdef DEBUG
290  smd->det_ctx->stream_persig_cnt++;
291  smd->det_ctx->stream_persig_size += data_len;
292 #endif
293  smd->det_ctx->buffer_offset = 0;
294  smd->det_ctx->discontinue_matching = 0;
296 
298  smd->s, smd->smd,
299  smd->f, (uint8_t *)data, data_len, 0, 0, // TODO
301  if (r == 1) {
302  SCReturnInt(1);
303  }
304 
305  SCReturnInt(0);
306 }
307 
308 /**
309  * \brief inspect engine for stateful rules
310  *
311  * Caches results as it may be called multiple times if we inspect
312  * multiple transactions in one packet.
313  *
314  * Returns "can't match" if depth is reached.
315  */
317  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
318  const Signature *s, const SigMatchData *smd,
319  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
320 {
321  Packet *p = det_ctx->p; /* TODO: get rid of this HACK */
322 
323  /* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
324  * we can get called for UDP. Then we simply inspect the packet payload */
325  if (p->proto == IPPROTO_UDP) {
326  return DetectEngineInspectStreamUDPPayload(de_ctx,
327  det_ctx, s, smd, f, p);
328  /* for other non-TCP protocols we assume match */
329  } else if (p->proto != IPPROTO_TCP)
331 
332  TcpSession *ssn = f->protoctx;
333  if (ssn == NULL)
335 
336  SCLogDebug("pre-inspect det_ctx->raw_stream_progress %"PRIu64,
337  det_ctx->raw_stream_progress);
338  uint64_t unused;
339  struct StreamContentInspectEngineData inspect_data = { de_ctx, det_ctx, s, smd, f };
340  int match = StreamReassembleRaw(f->protoctx, p,
341  StreamContentInspectEngineFunc, &inspect_data,
342  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
343 
344  bool is_last = false;
345  if (flags & STREAM_TOSERVER) {
346  TcpStream *stream = &ssn->client;
348  is_last = true;
349  } else {
350  TcpStream *stream = &ssn->server;
352  is_last = true;
353  }
354 
355  SCLogDebug("%s ran stream for sid %u on packet %"PRIu64" and we %s",
356  is_last? "LAST:" : "normal:", s->id, p->pcap_cnt,
357  match ? "matched" : "didn't match");
358 
359  if (match) {
361  } else {
362  if (is_last) {
363  //SCLogNotice("last, so DETECT_ENGINE_INSPECT_SIG_CANT_MATCH");
365  }
366  /* TODO maybe we can set 'CANT_MATCH' for EOF too? */
368  }
369 }
370 
371 #ifdef UNITTESTS
372 
373 /** \test Not the first but the second occurence of "abc" should be used
374  * for the 2nd match */
375 static int PayloadTestSig01 (void)
376 {
377  uint8_t *buf = (uint8_t *)
378  "abcabcd";
379  uint16_t buflen = strlen((char *)buf);
380  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
381  int result = 0;
382 
383  char sig[] = "alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
384  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
385  result = 0;
386  goto end;
387  }
388 
389  result = 1;
390 end:
391  if (p != NULL)
392  UTHFreePacket(p);
393  return result;
394 }
395 
396 /** \test Nocase matching */
397 static int PayloadTestSig02 (void)
398 {
399  uint8_t *buf = (uint8_t *)
400  "abcaBcd";
401  uint16_t buflen = strlen((char *)buf);
402  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
403  int result = 0;
404 
405  char sig[] = "alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
406  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
407  result = 0;
408  goto end;
409  }
410 
411  result = 1;
412 end:
413  if (p != NULL)
414  UTHFreePacket(p);
415  return result;
416 }
417 
418 /** \test Negative distance matching */
419 static int PayloadTestSig03 (void)
420 {
421  uint8_t *buf = (uint8_t *)
422  "abcaBcd";
423  uint16_t buflen = strlen((char *)buf);
424  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
425  int result = 0;
426 
427  char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
428  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
429  result = 0;
430  goto end;
431  }
432 
433  result = 1;
434 end:
435  if (p != NULL)
436  UTHFreePacket(p);
437  return result;
438 }
439 
440 /**
441  * \test Test multiple relative matches.
442  */
443 static int PayloadTestSig04(void)
444 {
445  uint8_t *buf = (uint8_t *)"now this is is big big string now";
446  uint16_t buflen = strlen((char *)buf);
447  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
448  int result = 0;
449 
450  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
451  "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
452  "content:\"string\"; within:8; sid:1;)";
453  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
454  result = 0;
455  goto end;
456  }
457 
458  result = 1;
459 end:
460  if (p != NULL)
461  UTHFreePacket(p);
462  return result;
463 }
464 
465 /**
466  * \test Test multiple relative matches.
467  */
468 static int PayloadTestSig05(void)
469 {
470  uint8_t *buf = (uint8_t *)"now this is is is big big big string now";
471  uint16_t buflen = strlen((char *)buf);
472  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
473  int result = 0;
474 
475  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
476  "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
477  "content:\"string\"; within:8; sid:1;)";
478  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
479  result = 0;
480  goto end;
481  }
482 
483  result = 1;
484 end:
485  if (p != NULL)
486  UTHFreePacket(p);
487  return result;
488 }
489 
490 /**
491  * \test Test multiple relative matches.
492  */
493 static int PayloadTestSig06(void)
494 {
495  uint8_t *buf = (uint8_t *)"this this now is is big string now";
496  uint16_t buflen = strlen((char *)buf);
497  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
498  int result = 0;
499 
500  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
501  "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
502  "content:\"string\"; within:8; sid:1;)";
503  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
504  result = 0;
505  goto end;
506  }
507 
508  result = 1;
509 end:
510  if (p != NULL)
511  UTHFreePacket(p);
512  return result;
513 }
514 
515 /**
516  * \test Test multiple relative matches.
517  */
518 static int PayloadTestSig07(void)
519 {
520  uint8_t *buf = (uint8_t *)" thus thus is a big";
521  uint16_t buflen = strlen((char *)buf);
522  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
523  int result = 0;
524 
525  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
526  "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
527 
528  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
529  result = 0;
530  goto end;
531  }
532 
533  result = 1;
534 end:
535  if (p != NULL)
536  UTHFreePacket(p);
537  return result;
538 }
539 
540 /**
541  * \test Test multiple relative matches with negative matches
542  * and show the need for det_ctx->discontinue_matching.
543  */
544 static int PayloadTestSig08(void)
545 {
546  uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
547  uint16_t buflen = strlen((char *)buf);
548  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
549  int result = 0;
550 
551  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
552  "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
553 
554  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 1) {
555  goto end;
556  }
557 
558  result = 1;
559 end:
560  if (p != NULL)
561  UTHFreePacket(p);
562  return result;
563 }
564 
565 /**
566  * \test Test pcre recursive matching.
567  */
568 static int PayloadTestSig09(void)
569 {
570  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
571  uint16_t buflen = strlen((char *)buf);
572  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
573  int result = 0;
574 
575  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
576  "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
577 
578  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
579  result = 0;
580  goto end;
581  }
582 
583  result = 1;
584 end:
585  if (p != NULL)
586  UTHFreePacket(p);
587  return result;
588 }
589 
590 /**
591  * \test Test invalid sig.
592  */
593 static int PayloadTestSig10(void)
594 {
595  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
596  uint16_t buflen = strlen((char *)buf);
597  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
598  int result = 0;
599 
600  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
601  "byte_test:4,>,2,0,relative; sid:11;)";
602 
603  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
604  result = 0;
605  goto end;
606  }
607 
608  result = 1;
609 end:
610  if (p != NULL)
611  UTHFreePacket(p);
612  return result;
613 }
614 
615 /**
616  * \test Test invalid sig.
617  */
618 static int PayloadTestSig11(void)
619 {
620  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
621  uint16_t buflen = strlen((char *)buf);
622  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
623  int result = 0;
624 
625  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
626  "byte_jump:1,0,relative; sid:11;)";
627 
628  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
629  result = 0;
630  goto end;
631  }
632 
633  result = 1;
634 end:
635  if (p != NULL)
636  UTHFreePacket(p);
637  return result;
638 }
639 
640 /**
641  * \test Test invalid sig.
642  */
643 static int PayloadTestSig12(void)
644 {
645  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
646  uint16_t buflen = strlen((char *)buf);
647  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
648  int result = 0;
649 
650  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
651  "isdataat:10,relative; sid:11;)";
652 
653  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
654  result = 0;
655  goto end;
656  }
657 
658  result = 1;
659 end:
660  if (p != NULL)
661  UTHFreePacket(p);
662  return result;
663 }
664 
665 /**
666  * \test Used to check the working of recursion_limit counter.
667  */
668 static int PayloadTestSig13(void)
669 {
670  uint8_t *buf = (uint8_t *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
671  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
672  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
673  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
674  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
675  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
676  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
677  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
678  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
679  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
680  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
681  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
682  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
683  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
684  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
685  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
686  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
687  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
688  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
689  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
690  uint16_t buflen = strlen((char *)buf);
691  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
692  int result = 0;
693  uint16_t mpm_type = mpm_default_matcher;
694 
695  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
696  "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
697  "byte_test:1,>,200,0,relative; sid:1;)";
698 
699  struct timeval tv_start, tv_end, tv_diff;
700 
701  gettimeofday(&tv_start, NULL);
702 
703  do {
704  DecodeThreadVars dtv;
705  ThreadVars th_v;
706  DetectEngineThreadCtx *det_ctx = NULL;
707 
708  memset(&dtv, 0, sizeof(DecodeThreadVars));
709  memset(&th_v, 0, sizeof(th_v));
710 
712  if (de_ctx == NULL) {
713  printf("de_ctx == NULL: ");
714  goto end;
715  }
716  de_ctx->inspection_recursion_limit = 3000;
717 
718  de_ctx->flags |= DE_QUIET;
719  de_ctx->mpm_matcher = mpm_type;
720 
721  de_ctx->sig_list = SigInit(de_ctx, sig);
722  if (de_ctx->sig_list == NULL) {
723  printf("signature == NULL: ");
724  goto end;
725  }
726 
727  SigGroupBuild(de_ctx);
728  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
729 
730  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
731  if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
732  goto end;
733  }
734 
735  result = 1;
736  end:
737  SigGroupCleanup(de_ctx);
738  SigCleanSignatures(de_ctx);
739 
740  if (det_ctx != NULL)
741  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
742 
743  if (de_ctx != NULL)
744  DetectEngineCtxFree(de_ctx);
745  } while (0);
746 
747  gettimeofday(&tv_end, NULL);
748 
749  tv_diff.tv_sec = tv_end.tv_sec - tv_start.tv_sec;
750  tv_diff.tv_usec = tv_end.tv_usec - tv_start.tv_usec;
751 
752  printf("%ld.%06ld\n", (long int)tv_diff.tv_sec, (long int)tv_diff.tv_usec);
753 
754  result = 1;
755 
756  if (p != NULL)
757  UTHFreePacket(p);
758  return result;
759 }
760 
761 /**
762  * \test normal & negated matching, both absolute and relative
763  */
764 static int PayloadTestSig14(void)
765 {
766  uint8_t *buf = (uint8_t *)"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
767  uint16_t buflen = strlen((char *)buf);
768  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
769  int result = 0;
770 
771  char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
772 
773  //char sig[] = "alert tcp any any -> any any (content:\"User-Agent: Mozilla/5.0 (Macintosh; \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
774 
775  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
776  goto end;
777  }
778 
779  result = 1;
780 end:
781  if (p != NULL)
782  UTHFreePacket(p);
783  return result;
784 }
785 
786 static int PayloadTestSig15(void)
787 {
788  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
789  uint16_t buflen = strlen((char *)buf);
790  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
791  int result = 0;
792 
793  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
794  "content:\"nova\"; isdataat:18,relative; sid:1;)";
795 
796  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
797  result = 0;
798  goto end;
799  }
800 
801  result = 1;
802 
803 end:
804  if (p != NULL)
805  UTHFreePacket(p);
806  return result;
807 }
808 
809 static int PayloadTestSig16(void)
810 {
811  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
812  uint16_t buflen = strlen((char *)buf);
813  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
814  int result = 0;
815 
816  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
817  "content:\"nova\"; isdataat:!20,relative; sid:1;)";
818 
819  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
820  result = 0;
821  goto end;
822  }
823 
824  result = 1;
825 
826 end:
827  if (p != NULL)
828  UTHFreePacket(p);
829  return result;
830 }
831 
832 static int PayloadTestSig17(void)
833 {
834  uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
835  uint16_t buflen = 9;
836  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
837  int result = 0;
838 
839  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
840  "content:\"%\"; depth:4; offset:0; "
841  "content:\"%\"; within:2; distance:1; sid:1;)";
842 
843  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
844  result = 0;
845  goto end;
846  }
847 
848  result = 1;
849 
850 end:
851  if (p != NULL)
852  UTHFreePacket(p);
853  return result;
854 }
855 
856 static int PayloadTestSig18(void)
857 {
858  uint8_t buf[] = {
859  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
860  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
861  0x0E, 0x0F,
862  };
863  uint16_t buflen = sizeof(buf);
864  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
865  int result = 0;
866 
867  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
868  "content:\"|01 02 03 04|\"; "
869  "byte_extract:1,2,one,string,dec,relative; "
870  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
871 
872  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
873  result = 0;
874  goto end;
875  }
876 
877  result = 1;
878 
879 end:
880  if (p != NULL)
881  UTHFreePacket(p);
882  return result;
883 }
884 
885 static int PayloadTestSig19(void)
886 {
887  uint8_t buf[] = {
888  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
889  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
890  0x0E, 0x0F,
891  };
892  uint16_t buflen = sizeof(buf);
893  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
894  int result = 0;
895 
896  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
897  "content:\"|01 02 03 04|\"; "
898  "byte_extract:1,2,one,string,hex,relative; "
899  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
900 
901  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
902  result = 0;
903  goto end;
904  }
905 
906  result = 1;
907 
908 end:
909  if (p != NULL)
910  UTHFreePacket(p);
911  return result;
912 }
913 
914 static int PayloadTestSig20(void)
915 {
916  uint8_t buf[] = {
917  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
918  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
919  0x0E, 0x0F,
920  };
921  uint16_t buflen = sizeof(buf);
922  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
923  int result = 0;
924 
925  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
926  "content:\"|01 02 03 04|\"; "
927  "byte_extract:1,2,one,string,dec,relative; "
928  "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
929 
930  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
931  result = 0;
932  goto end;
933  }
934 
935  result = 1;
936 
937 end:
938  if (p != NULL)
939  UTHFreePacket(p);
940  return result;
941 }
942 
943 static int PayloadTestSig21(void)
944 {
945  uint8_t buf[] = {
946  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
947  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
948  0x0E, 0x0F,
949  };
950  uint16_t buflen = sizeof(buf);
951  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
952  int result = 0;
953 
954  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
955  "content:\"|01 02 03 04|\"; "
956  "byte_extract:1,2,one,string,dec,relative; "
957  "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
958 
959  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
960  result = 0;
961  goto end;
962  }
963 
964  result = 1;
965 
966 end:
967  if (p != NULL)
968  UTHFreePacket(p);
969  return result;
970 }
971 
972 static int PayloadTestSig22(void)
973 {
974  uint8_t buf[] = {
975  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
976  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
977  0x0E, 0x0F,
978  };
979  uint16_t buflen = sizeof(buf);
980  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
981  int result = 0;
982 
983  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
984  "content:\"|01 02 03 04|\"; "
985  "byte_extract:1,2,one,string,dec,relative; "
986  "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
987 
988  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
989  result = 0;
990  goto end;
991  }
992 
993  result = 1;
994 
995 end:
996  if (p != NULL)
997  UTHFreePacket(p);
998  return result;
999 }
1000 
1001 static int PayloadTestSig23(void)
1002 {
1003  uint8_t buf[] = {
1004  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
1005  0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
1006  0x32, 0x0F,
1007  };
1008  uint16_t buflen = sizeof(buf);
1009  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1010  int result = 0;
1011 
1012  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1013  "content:\"|01 02 03 04|\"; "
1014  "byte_extract:1,2,one,string,dec,relative; "
1015  "byte_extract:1,3,two,string,dec,relative; "
1016  "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
1017 
1018  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1019  result = 0;
1020  goto end;
1021  }
1022 
1023  result = 1;
1024 
1025 end:
1026  if (p != NULL)
1027  UTHFreePacket(p);
1028  return result;
1029 }
1030 
1031 static int PayloadTestSig24(void)
1032 {
1033  uint8_t buf[] = {
1034  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
1035  0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
1036  0x0E, 0x0F,
1037  };
1038  uint16_t buflen = sizeof(buf);
1039  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1040  int result = 0;
1041 
1042  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1043  "content:\"|01 02 03 04|\"; "
1044  "byte_extract:1,2,one,string,dec,relative; "
1045  "byte_jump:1,one,string,dec,relative; "
1046  "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
1047 
1048  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1049  result = 0;
1050  goto end;
1051  }
1052 
1053  result = 1;
1054 
1055 end:
1056  if (p != NULL)
1057  UTHFreePacket(p);
1058  return result;
1059 }
1060 
1061 /*
1062  * \test Test negative byte extract.
1063  */
1064 static int PayloadTestSig25(void)
1065 {
1066  uint8_t buf[] = {
1067  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
1068  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
1069  0x0E, 0x0F,
1070  };
1071  uint16_t buflen = sizeof(buf);
1072  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1073  int result = 0;
1074 
1075  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1076  "content:\"|35 07 08 09|\"; "
1077  "byte_extract:1,-4,one,string,dec,relative; "
1078  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1079 
1080  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1081  result = 0;
1082  goto end;
1083  }
1084 
1085  result = 1;
1086 
1087 end:
1088  if (p != NULL)
1089  UTHFreePacket(p);
1090  return result;
1091 }
1092 
1093 /*
1094  * \test Test negative byte extract.
1095  */
1096 static int PayloadTestSig26(void)
1097 {
1098  uint8_t buf[] = {
1099  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
1100  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
1101  0x0E, 0x0F,
1102  };
1103  uint16_t buflen = sizeof(buf);
1104  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1105  int result = 0;
1106 
1107  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1108  "content:\"|35 07 08 09|\"; "
1109  "byte_extract:1,-3000,one,string,dec,relative; "
1110  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1111 
1112  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 0) {
1113  result = 0;
1114  goto end;
1115  }
1116 
1117  result = 1;
1118 
1119 end:
1120  if (p != NULL)
1121  UTHFreePacket(p);
1122  return result;
1123 }
1124 
1125 /*
1126  * \test Test packet/stream sigs
1127  */
1128 static int PayloadTestSig27(void)
1129 {
1130  uint8_t buf[] = "dummypayload";
1131  uint16_t buflen = sizeof(buf) - 1;
1132  int result = 0;
1133 
1134  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1135 
1136  char sig[] = "alert tcp any any -> any any (content:\"dummy\"; "
1137  "depth:5; sid:1;)";
1138 
1139  p->flags |= PKT_STREAM_ADD;
1140  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 1)
1141  goto end;
1142 
1143  result = 1;
1144 
1145 end:
1146  if (p != NULL)
1147  UTHFreePacket(p);
1148  return result;
1149 }
1150 
1151 /*
1152  * \test Test packet/stream sigs
1153  */
1154 static int PayloadTestSig28(void)
1155 {
1156  uint8_t buf[] = "dummypayload";
1157  uint16_t buflen = sizeof(buf) - 1;
1158  int result = 0;
1159 
1160  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1161 
1162  char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
1163  "offset:4; depth:12; sid:1;)";
1164 
1165  p->flags |= PKT_STREAM_ADD;
1166  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 1)
1167  goto end;
1168 
1169  result = 1;
1170 
1171 end:
1172  if (p != NULL)
1173  UTHFreePacket(p);
1174  return result;
1175 }
1176 
1177 /**
1178  * \test Test pcre recursive matching - bug #529
1179  */
1180 static int PayloadTestSig29(void)
1181 {
1182  uint8_t *buf = (uint8_t *)"this is a super dupernova in super nova now";
1183  uint16_t buflen = strlen((char *)buf);
1184  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1185  int result = 0;
1186 
1187  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1188  "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1189 
1190  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
1191  result = 0;
1192  goto end;
1193  }
1194 
1195  result = 1;
1196 end:
1197  if (p != NULL)
1198  UTHFreePacket(p);
1199  return result;
1200 }
1201 
1202 static int PayloadTestSig30(void)
1203 {
1204  uint8_t *buf = (uint8_t *)
1205  "xyonexxxxxxtwojunkonetwo";
1206  uint16_t buflen = strlen((char *)buf);
1207  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1208  int result = 0;
1209 
1210  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1211  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1212  result = 0;
1213  goto end;
1214  }
1215 
1216  result = 1;
1217 end:
1218  if (p != NULL)
1219  UTHFreePacket(p);
1220  return result;
1221 }
1222 
1223 static int PayloadTestSig31(void)
1224 {
1225  uint8_t *buf = (uint8_t *)
1226  "xyonexxxxxxtwojunkonetwo";
1227  uint16_t buflen = strlen((char *)buf);
1228  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1229  int result = 0;
1230 
1231  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1232  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1233  result = 0;
1234  goto end;
1235  }
1236 
1237  result = 1;
1238 end:
1239  if (p != NULL)
1240  UTHFreePacket(p);
1241  return result;
1242 }
1243 
1244 /**
1245  * \test Test byte_jump.
1246  */
1247 static int PayloadTestSig32(void)
1248 {
1249  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1250  uint16_t buflen = strlen((char *)buf);
1251  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1252  int result = 0;
1253 
1254  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1255  "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1256 
1257  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
1258  goto end;
1259 
1260  result = 1;
1261 end:
1262  if (p != NULL)
1263  UTHFreePacket(p);
1264  return result;
1265 }
1266 
1267 /**
1268  * \test Test byte_test.
1269  */
1270 static int PayloadTestSig33(void)
1271 {
1272  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1273  uint16_t buflen = strlen((char *)buf);
1274  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1275  int result = 0;
1276 
1277  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1278  "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1279 
1280  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
1281  goto end;
1282 
1283  result = 1;
1284 end:
1285  if (p != NULL)
1286  UTHFreePacket(p);
1287  return result;
1288 }
1289 
1290 /**
1291  * \test Test byte_extract.
1292  */
1293 static int PayloadTestSig34(void)
1294 {
1295  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1296  uint16_t buflen = strlen((char *)buf);
1297  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1298  int result = 0;
1299 
1300  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1301  "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1302 
1303  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
1304  goto end;
1305 
1306  result = 1;
1307 end:
1308  if (p != NULL)
1309  UTHFreePacket(p);
1310  return result;
1311 }
1312 
1313 #endif /* UNITTESTS */
1314 
1316 {
1317 #ifdef UNITTESTS
1318  UtRegisterTest("PayloadTestSig01", PayloadTestSig01);
1319  UtRegisterTest("PayloadTestSig02", PayloadTestSig02);
1320  UtRegisterTest("PayloadTestSig03", PayloadTestSig03);
1321  UtRegisterTest("PayloadTestSig04", PayloadTestSig04);
1322  UtRegisterTest("PayloadTestSig05", PayloadTestSig05);
1323  UtRegisterTest("PayloadTestSig06", PayloadTestSig06);
1324  UtRegisterTest("PayloadTestSig07", PayloadTestSig07);
1325  UtRegisterTest("PayloadTestSig08", PayloadTestSig08);
1326  UtRegisterTest("PayloadTestSig09", PayloadTestSig09);
1327  UtRegisterTest("PayloadTestSig10", PayloadTestSig10);
1328  UtRegisterTest("PayloadTestSig11", PayloadTestSig11);
1329  UtRegisterTest("PayloadTestSig12", PayloadTestSig12);
1330  UtRegisterTest("PayloadTestSig13", PayloadTestSig13);
1331  UtRegisterTest("PayloadTestSig14", PayloadTestSig14);
1332  UtRegisterTest("PayloadTestSig15", PayloadTestSig15);
1333  UtRegisterTest("PayloadTestSig16", PayloadTestSig16);
1334  UtRegisterTest("PayloadTestSig17", PayloadTestSig17);
1335 
1336  UtRegisterTest("PayloadTestSig18", PayloadTestSig18);
1337  UtRegisterTest("PayloadTestSig19", PayloadTestSig19);
1338  UtRegisterTest("PayloadTestSig20", PayloadTestSig20);
1339  UtRegisterTest("PayloadTestSig21", PayloadTestSig21);
1340  UtRegisterTest("PayloadTestSig22", PayloadTestSig22);
1341  UtRegisterTest("PayloadTestSig23", PayloadTestSig23);
1342  UtRegisterTest("PayloadTestSig24", PayloadTestSig24);
1343  UtRegisterTest("PayloadTestSig25", PayloadTestSig25);
1344  UtRegisterTest("PayloadTestSig26", PayloadTestSig26);
1345  UtRegisterTest("PayloadTestSig27", PayloadTestSig27);
1346  UtRegisterTest("PayloadTestSig28", PayloadTestSig28);
1347  UtRegisterTest("PayloadTestSig29", PayloadTestSig29);
1348 
1349  UtRegisterTest("PayloadTestSig30", PayloadTestSig30);
1350  UtRegisterTest("PayloadTestSig31", PayloadTestSig31);
1351  UtRegisterTest("PayloadTestSig32", PayloadTestSig32);
1352  UtRegisterTest("PayloadTestSig33", PayloadTestSig33);
1353  UtRegisterTest("PayloadTestSig34", PayloadTestSig34);
1354 #endif /* UNITTESTS */
1355 
1356  return;
1357 }
MpmThreadCtx mtcs
Definition: detect.h:1063
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:443
uint16_t minlen
Definition: util-mpm.h:99
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint16_t discontinue_matching
Definition: detect.h:1029
uint32_t flags
Definition: detect.h:496
uint32_t id
Definition: detect.h:528
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
Signature * sig_list
Definition: detect.h:729
void PayloadRegisterTests(void)
DetectReplaceList * replist
Definition: detect.h:1077
Data needed for Match()
Definition: detect.h:331
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Container for matching data for a signature group.
Definition: detect.h:1298
MpmThreadCtx mtc
Definition: detect.h:1061
const MpmCtx * mpm_ctx
uint64_t pcap_cnt
Definition: decode.h:561
uint32_t buffer_offset
Definition: detect.h:994
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Signature container.
Definition: detect.h:495
void * protoctx
Definition: flow.h:395
main detection engine ctx
Definition: detect.h:723
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
int StreamReassembleRaw(TcpSession *ssn, const Packet *p, StreamReassembleRawFunc Callback, void *cb_data, uint64_t *progress_out, bool respect_inspect_depth)
int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
int DetectEngineInspectStream(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
#define DE_QUIET
Definition: detect.h:296
uint8_t proto
Definition: decode.h:428
uint8_t flags
Definition: detect.h:724
#define DETECT_ENGINE_INSPECT_SIG_MATCH
int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterFunc)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Data structures and function prototypes for keeping state for the detection engine.
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1122
#define SIG_FLAG_FLUSH
Definition: detect.h:233
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint8_t mpm_type
Definition: util-mpm.h:90
uint16_t mpm_matcher
Definition: detect.h:772
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
int PrefilterPktStreamRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
#define SCEnter(...)
Definition: util-debug.h:337
PrefilterRuleStore pmq
Definition: detect.h:1064
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:547
int SigGroupCleanup(DetectEngineCtx *de_ctx)
#define SCReturnInt(x)
Definition: util-debug.h:341
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
int mpm_default_matcher
Definition: util-mpm.h:170
uint64_t raw_stream_progress
Definition: detect.h:990
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.h:169
DetectEngineThreadCtx * det_ctx
uint16_t tx_id
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode, void *data)
Run the actual payload match functions.
#define PKT_STREAM_ADD
Definition: decode.h:1089
#define STREAM_TOSERVER
Definition: stream.h:31
int PrefilterPktPayloadRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
int inspection_recursion_counter
Definition: detect.h:1041
#define DETECT_CI_FLAGS_SINGLE
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:162
#define SCReturn
Definition: util-debug.h:339
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx * det_ctx
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1086
uint32_t flags
Definition: decode.h:441
uint16_t payload_len
Definition: decode.h:541
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Flow data structure.
Definition: flow.h:324
uint8_t * payload
Definition: decode.h:540
int inspection_recursion_limit
Definition: detect.h:795
DetectEngineCtx * DetectEngineCtxInit(void)