57 static int StreamMpmFunc(
void *cb_data,
const uint8_t *data,
const uint32_t data_len)
63 smd->
det_ctx->stream_mpm_size += data_len;
73 Packet *p,
const void *pectx)
81 SCLogDebug(
"PRE det_ctx->raw_stream_progress %"PRIu64,
85 StreamMpmFunc, &stream_mpm_data,
88 SCLogDebug(
"POST det_ctx->raw_stream_progress %"PRIu64,
110 PrefilterPktStream,
mpm_ctx, NULL,
"stream");
114 Packet *p,
const void *pectx)
131 PrefilterPktPayload,
mpm_ctx, NULL,
"payload");
224 static int StreamContentInspectFunc(
void *cb_data,
const uint8_t *data,
const uint32_t data_len)
230 smd->
det_ctx->stream_persig_cnt++;
231 smd->
det_ctx->stream_persig_size += data_len;
239 NULL, smd->
f, (uint8_t *)data, data_len, 0, 0,
269 StreamContentInspectFunc, &inspect_data,
282 static int StreamContentInspectEngineFunc(
void *cb_data,
const uint8_t *data,
const uint32_t data_len)
288 smd->det_ctx->stream_persig_cnt++;
289 smd->det_ctx->stream_persig_size += data_len;
291 smd->det_ctx->buffer_offset = 0;
292 smd->det_ctx->discontinue_matching = 0;
293 smd->det_ctx->inspection_recursion_counter = 0;
297 NULL,
smd->f, (uint8_t *)data, data_len, 0, 0,
316 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
322 if (p->
proto == IPPROTO_UDP) {
325 }
else if (p->
proto != IPPROTO_TCP)
332 SCLogDebug(
"pre-inspect det_ctx->raw_stream_progress %"PRIu64
" FLUSH? %s",
338 StreamContentInspectEngineFunc, &inspect_data,
341 bool is_last =
false;
342 if (
flags & STREAM_TOSERVER) {
352 SCLogDebug(
"%s ran stream for sid %u on packet %"PRIu64
" and we %s",
354 match ?
"matched" :
"didn't match");
372 static int PayloadTestSig01 (
void)
374 uint8_t *buf = (uint8_t *)
376 uint16_t buflen = strlen((
char *)buf);
381 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
391 static int PayloadTestSig02 (
void)
393 uint8_t *buf = (uint8_t *)
395 uint16_t buflen = strlen((
char *)buf);
400 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
410 static int PayloadTestSig03 (
void)
412 uint8_t *buf = (uint8_t *)
414 uint16_t buflen = strlen((
char *)buf);
419 char sig[] =
"alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
431 static int PayloadTestSig04(
void)
433 uint8_t *buf = (uint8_t *)
"now this is is big big string now";
434 uint16_t buflen = strlen((
char *)buf);
439 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
440 "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
441 "content:\"string\"; within:8; sid:1;)";
453 static int PayloadTestSig05(
void)
455 uint8_t *buf = (uint8_t *)
"now this is is is big big big string now";
456 uint16_t buflen = strlen((
char *)buf);
461 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
462 "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
463 "content:\"string\"; within:8; sid:1;)";
475 static int PayloadTestSig06(
void)
477 uint8_t *buf = (uint8_t *)
"this this now is is big string now";
478 uint16_t buflen = strlen((
char *)buf);
483 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
484 "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
485 "content:\"string\"; within:8; sid:1;)";
497 static int PayloadTestSig07(
void)
499 uint8_t *buf = (uint8_t *)
" thus thus is a big";
500 uint16_t buflen = strlen((
char *)buf);
505 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
506 "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
519 static int PayloadTestSig08(
void)
521 uint8_t *buf = (uint8_t *)
"we need to fix this and yes fix this now";
522 uint16_t buflen = strlen((
char *)buf);
527 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
528 "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
540 static int PayloadTestSig09(
void)
542 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
543 uint16_t buflen = strlen((
char *)buf);
548 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
549 "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
561 static int PayloadTestSig10(
void)
563 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
564 uint16_t buflen = strlen((
char *)buf);
569 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
570 "byte_test:4,>,2,0,relative; sid:11;)";
582 static int PayloadTestSig11(
void)
584 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
585 uint16_t buflen = strlen((
char *)buf);
590 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
591 "byte_jump:1,0,relative; sid:11;)";
603 static int PayloadTestSig12(
void)
605 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
606 uint16_t buflen = strlen((
char *)buf);
611 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
612 "isdataat:10,relative; sid:11;)";
624 static int PayloadTestSig13(
void)
626 uint8_t *buf = (uint8_t *)
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
627 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
628 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
629 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
630 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
631 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
632 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
633 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
634 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
635 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
636 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
637 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
638 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
639 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
640 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
641 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
642 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
643 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
644 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
645 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
647 uint16_t buflen = strlen((
char *)buf);
653 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
654 "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
655 "byte_test:1,>,200,0,relative; sid:1;)";
662 memset(&th_v, 0,
sizeof(th_v));
693 static int PayloadTestSig14(
void)
695 uint8_t *buf = (uint8_t *)
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
696 uint16_t buflen = strlen((
char *)buf);
701 char sig[] =
"alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
712 static int PayloadTestSig15(
void)
714 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
715 uint16_t buflen = strlen((
char *)buf);
720 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
721 "content:\"nova\"; isdataat:18,relative; sid:1;)";
730 static int PayloadTestSig16(
void)
732 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
733 uint16_t buflen = strlen((
char *)buf);
738 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
739 "content:\"nova\"; isdataat:!20,relative; sid:1;)";
748 static int PayloadTestSig17(
void)
750 uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
756 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
757 "content:\"%\"; depth:4; offset:0; "
758 "content:\"%\"; within:2; distance:1; sid:1;)";
767 static int PayloadTestSig18(
void)
770 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
771 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
774 uint16_t buflen =
sizeof(buf);
779 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
780 "content:\"|01 02 03 04|\"; "
781 "byte_extract:1,2,one,string,dec,relative; "
782 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
791 static int PayloadTestSig19(
void)
794 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
795 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
798 uint16_t buflen =
sizeof(buf);
803 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
804 "content:\"|01 02 03 04|\"; "
805 "byte_extract:1,2,one,string,hex,relative; "
806 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
815 static int PayloadTestSig20(
void)
818 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
819 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
822 uint16_t buflen =
sizeof(buf);
827 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
828 "content:\"|01 02 03 04|\"; "
829 "byte_extract:1,2,one,string,dec,relative; "
830 "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
839 static int PayloadTestSig21(
void)
842 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
843 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
846 uint16_t buflen =
sizeof(buf);
851 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
852 "content:\"|01 02 03 04|\"; "
853 "byte_extract:1,2,one,string,dec,relative; "
854 "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
863 static int PayloadTestSig22(
void)
866 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
867 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
870 uint16_t buflen =
sizeof(buf);
875 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
876 "content:\"|01 02 03 04|\"; "
877 "byte_extract:1,2,one,string,dec,relative; "
878 "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
887 static int PayloadTestSig23(
void)
890 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
891 0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
894 uint16_t buflen =
sizeof(buf);
899 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
900 "content:\"|01 02 03 04|\"; "
901 "byte_extract:1,2,one,string,dec,relative; "
902 "byte_extract:1,3,two,string,dec,relative; "
903 "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
912 static int PayloadTestSig24(
void)
915 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
916 0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
919 uint16_t buflen =
sizeof(buf);
924 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
925 "content:\"|01 02 03 04|\"; "
926 "byte_extract:1,2,one,string,dec,relative; "
927 "byte_jump:1,one,string,dec,relative; "
928 "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
940 static int PayloadTestSig25(
void)
943 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
944 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
947 uint16_t buflen =
sizeof(buf);
952 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
953 "content:\"|35 07 08 09|\"; "
954 "byte_extract:1,-4,one,string,dec,relative; "
955 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
967 static int PayloadTestSig26(
void)
970 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
971 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
974 uint16_t buflen =
sizeof(buf);
979 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
980 "content:\"|35 07 08 09|\"; "
981 "byte_extract:1,-3000,one,string,dec,relative; "
982 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
994 static int PayloadTestSig27(
void)
996 uint8_t buf[] =
"dummypayload";
997 uint16_t buflen =
sizeof(buf) - 1;
1002 char sig[] =
"alert tcp any any -> any any (content:\"dummy\"; "
1016 static int PayloadTestSig28(
void)
1018 uint8_t buf[] =
"dummypayload";
1019 uint16_t buflen =
sizeof(buf) - 1;
1024 char sig[] =
"alert tcp any any -> any any (content:\"payload\"; "
1025 "offset:4; depth:12; sid:1;)";
1038 static int PayloadTestSig29(
void)
1040 uint8_t *buf = (uint8_t *)
"this is a super dupernova in super nova now";
1041 uint16_t buflen = strlen((
char *)buf);
1046 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1047 "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1056 static int PayloadTestSig30(
void)
1058 uint8_t *buf = (uint8_t *)
1059 "xyonexxxxxxtwojunkonetwo";
1060 uint16_t buflen = strlen((
char *)buf);
1065 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1074 static int PayloadTestSig31(
void)
1076 uint8_t *buf = (uint8_t *)
1077 "xyonexxxxxxtwojunkonetwo";
1078 uint16_t buflen = strlen((
char *)buf);
1083 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1095 static int PayloadTestSig32(
void)
1097 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1098 uint16_t buflen = strlen((
char *)buf);
1103 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1104 "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1116 static int PayloadTestSig33(
void)
1118 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1119 uint16_t buflen = strlen((
char *)buf);
1124 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1125 "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1137 static int PayloadTestSig34(
void)
1139 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1140 uint16_t buflen = strlen((
char *)buf);
1145 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1146 "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1.8.18