58 static int StreamMpmFunc(
59 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
65 smd->
det_ctx->stream_mpm_size += data_len;
75 Packet *p,
const void *pectx)
83 SCLogDebug(
"PRE det_ctx->raw_stream_progress %"PRIu64,
87 StreamMpmFunc, &stream_mpm_data,
90 SCLogDebug(
"POST det_ctx->raw_stream_progress %"PRIu64,
113 PrefilterPktStream,
mpm_ctx, NULL,
"stream");
117 Packet *p,
const void *pectx)
136 PrefilterPktPayload,
mpm_ctx, NULL,
"payload");
215 static int StreamContentInspectFunc(
216 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
221 smd->
det_ctx->stream_persig_cnt++;
222 smd->
det_ctx->stream_persig_size += data_len;
257 StreamContentInspectFunc, &inspect_data,
270 static int StreamContentInspectEngineFunc(
271 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
276 smd->det_ctx->stream_persig_cnt++;
277 smd->det_ctx->stream_persig_size += data_len;
281 NULL,
smd->f, data, data_len, 0, 0,
300 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
306 if (p->
proto == IPPROTO_UDP) {
309 }
else if (p->
proto != IPPROTO_TCP)
316 SCLogDebug(
"pre-inspect det_ctx->raw_stream_progress %"PRIu64
" FLUSH? %s",
322 StreamContentInspectEngineFunc, &inspect_data,
325 bool is_last =
false;
326 if (
flags & STREAM_TOSERVER) {
336 SCLogDebug(
"%s ran stream for sid %u on packet %"PRIu64
" and we %s",
338 match ?
"matched" :
"didn't match");
357 static int PayloadTestSig01 (
void)
359 uint8_t *buf = (uint8_t *)
361 uint16_t buflen = strlen((
char *)buf);
366 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
376 static int PayloadTestSig02 (
void)
378 uint8_t *buf = (uint8_t *)
380 uint16_t buflen = strlen((
char *)buf);
385 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
395 static int PayloadTestSig03 (
void)
397 uint8_t *buf = (uint8_t *)
399 uint16_t buflen = strlen((
char *)buf);
404 char sig[] =
"alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
416 static int PayloadTestSig04(
void)
418 uint8_t *buf = (uint8_t *)
"now this is is big big string now";
419 uint16_t buflen = strlen((
char *)buf);
424 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
425 "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
426 "content:\"string\"; within:8; sid:1;)";
438 static int PayloadTestSig05(
void)
440 uint8_t *buf = (uint8_t *)
"now this is is is big big big string now";
441 uint16_t buflen = strlen((
char *)buf);
446 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
447 "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
448 "content:\"string\"; within:8; sid:1;)";
460 static int PayloadTestSig06(
void)
462 uint8_t *buf = (uint8_t *)
"this this now is is big string now";
463 uint16_t buflen = strlen((
char *)buf);
468 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
469 "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
470 "content:\"string\"; within:8; sid:1;)";
482 static int PayloadTestSig07(
void)
484 uint8_t *buf = (uint8_t *)
" thus thus is a big";
485 uint16_t buflen = strlen((
char *)buf);
490 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
491 "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
504 static int PayloadTestSig08(
void)
506 uint8_t *buf = (uint8_t *)
"we need to fix this and yes fix this now";
507 uint16_t buflen = strlen((
char *)buf);
512 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
513 "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
525 static int PayloadTestSig09(
void)
527 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
528 uint16_t buflen = strlen((
char *)buf);
533 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
534 "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
546 static int PayloadTestSig10(
void)
548 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
549 uint16_t buflen = strlen((
char *)buf);
554 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
555 "byte_test:4,>,2,0,relative; sid:11;)";
567 static int PayloadTestSig11(
void)
569 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
570 uint16_t buflen = strlen((
char *)buf);
575 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
576 "byte_jump:1,0,relative; sid:11;)";
588 static int PayloadTestSig12(
void)
590 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
591 uint16_t buflen = strlen((
char *)buf);
596 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
597 "isdataat:10,relative; sid:11;)";
609 static int PayloadTestSig13(
void)
611 uint8_t *buf = (uint8_t *)
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
612 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
613 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
614 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
615 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
616 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
617 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
618 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
619 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
620 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
621 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
622 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
623 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
624 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
625 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
626 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
627 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
628 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
629 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
630 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
632 uint16_t buflen = strlen((
char *)buf);
638 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
639 "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
640 "byte_test:1,>,200,0,relative; sid:1;)";
647 memset(&th_v, 0,
sizeof(th_v));
675 static int PayloadTestSig14(
void)
677 uint8_t *buf = (uint8_t *)
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
678 uint16_t buflen = strlen((
char *)buf);
683 char sig[] =
"alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
694 static int PayloadTestSig15(
void)
696 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
697 uint16_t buflen = strlen((
char *)buf);
702 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
703 "content:\"nova\"; isdataat:18,relative; sid:1;)";
712 static int PayloadTestSig16(
void)
714 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
715 uint16_t buflen = strlen((
char *)buf);
720 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
721 "content:\"nova\"; isdataat:!20,relative; sid:1;)";
730 static int PayloadTestSig17(
void)
732 uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
738 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
739 "content:\"%\"; depth:4; offset:0; "
740 "content:\"%\"; within:2; distance:1; sid:1;)";
749 static int PayloadTestSig18(
void)
752 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
753 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
756 uint16_t buflen =
sizeof(buf);
761 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
762 "content:\"|01 02 03 04|\"; "
763 "byte_extract:1,2,one,string,dec,relative; "
764 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
773 static int PayloadTestSig19(
void)
776 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
777 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
780 uint16_t buflen =
sizeof(buf);
785 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
786 "content:\"|01 02 03 04|\"; "
787 "byte_extract:1,2,one,string,hex,relative; "
788 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
797 static int PayloadTestSig20(
void)
800 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
801 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
804 uint16_t buflen =
sizeof(buf);
809 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
810 "content:\"|01 02 03 04|\"; "
811 "byte_extract:1,2,one,string,dec,relative; "
812 "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
821 static int PayloadTestSig21(
void)
824 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
825 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
828 uint16_t buflen =
sizeof(buf);
833 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
834 "content:\"|01 02 03 04|\"; "
835 "byte_extract:1,2,one,string,dec,relative; "
836 "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
845 static int PayloadTestSig22(
void)
848 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
849 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
852 uint16_t buflen =
sizeof(buf);
857 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
858 "content:\"|01 02 03 04|\"; "
859 "byte_extract:1,2,one,string,dec,relative; "
860 "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
869 static int PayloadTestSig23(
void)
872 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
873 0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
876 uint16_t buflen =
sizeof(buf);
881 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
882 "content:\"|01 02 03 04|\"; "
883 "byte_extract:1,2,one,string,dec,relative; "
884 "byte_extract:1,3,two,string,dec,relative; "
885 "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
894 static int PayloadTestSig24(
void)
897 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
898 0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
901 uint16_t buflen =
sizeof(buf);
906 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
907 "content:\"|01 02 03 04|\"; "
908 "byte_extract:1,2,one,string,dec,relative; "
909 "byte_jump:1,one,string,dec,relative; "
910 "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
922 static int PayloadTestSig25(
void)
925 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
926 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
929 uint16_t buflen =
sizeof(buf);
934 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
935 "content:\"|35 07 08 09|\"; "
936 "byte_extract:1,-4,one,string,dec,relative; "
937 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
949 static int PayloadTestSig26(
void)
952 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
953 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
956 uint16_t buflen =
sizeof(buf);
961 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
962 "content:\"|35 07 08 09|\"; "
963 "byte_extract:1,-3000,one,string,dec,relative; "
964 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
976 static int PayloadTestSig27(
void)
978 uint8_t buf[] =
"dummypayload";
979 uint16_t buflen =
sizeof(buf) - 1;
984 char sig[] =
"alert tcp any any -> any any (content:\"dummy\"; "
998 static int PayloadTestSig28(
void)
1000 uint8_t buf[] =
"dummypayload";
1001 uint16_t buflen =
sizeof(buf) - 1;
1006 char sig[] =
"alert tcp any any -> any any (content:\"payload\"; "
1007 "offset:4; depth:12; sid:1;)";
1020 static int PayloadTestSig29(
void)
1022 uint8_t *buf = (uint8_t *)
"this is a super dupernova in super nova now";
1023 uint16_t buflen = strlen((
char *)buf);
1028 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1029 "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1038 static int PayloadTestSig30(
void)
1040 uint8_t *buf = (uint8_t *)
1041 "xyonexxxxxxtwojunkonetwo";
1042 uint16_t buflen = strlen((
char *)buf);
1047 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1056 static int PayloadTestSig31(
void)
1058 uint8_t *buf = (uint8_t *)
1059 "xyonexxxxxxtwojunkonetwo";
1060 uint16_t buflen = strlen((
char *)buf);
1065 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1077 static int PayloadTestSig32(
void)
1079 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1080 uint16_t buflen = strlen((
char *)buf);
1085 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1086 "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1098 static int PayloadTestSig33(
void)
1100 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1101 uint16_t buflen = strlen((
char *)buf);
1106 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1107 "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1119 static int PayloadTestSig34(
void)
1121 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1122 uint16_t buflen = strlen((
char *)buf);
1127 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1128 "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1.8.18