suricata
detect-engine-payload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Performs payload matching functions
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 
29 #include "decode.h"
30 
31 #include "detect.h"
32 #include "detect-engine.h"
33 #include "detect-parse.h"
36 #include "detect-engine-state.h"
37 #include "detect-engine-payload.h"
38 
39 #include "stream.h"
40 #include "stream-tcp.h"
41 
42 #include "util-debug.h"
43 #include "util-print.h"
44 
45 #include "util-unittest.h"
46 #include "util-unittest-helper.h"
47 #include "util-validate.h"
48 
49 #include "util-mpm-ac.h"
50 
51 struct StreamMpmData {
53  const MpmCtx *mpm_ctx;
54 };
55 
56 static int StreamMpmFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
57 {
58  struct StreamMpmData *smd = cb_data;
59  if (data_len >= smd->mpm_ctx->minlen) {
60 #ifdef DEBUG
61  smd->det_ctx->stream_mpm_cnt++;
62  smd->det_ctx->stream_mpm_size += data_len;
63 #endif
64  (void)mpm_table[smd->mpm_ctx->mpm_type].Search(smd->mpm_ctx,
65  &smd->det_ctx->mtcs, &smd->det_ctx->pmq,
66  data, data_len);
67  }
68  return 0;
69 }
70 
71 static void PrefilterPktStream(DetectEngineThreadCtx *det_ctx,
72  Packet *p, const void *pectx)
73 {
74  SCEnter();
75 
76  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
77 
78  /* for established packets inspect any stream we may have queued up */
80  SCLogDebug("PRE det_ctx->raw_stream_progress %"PRIu64,
81  det_ctx->raw_stream_progress);
82  struct StreamMpmData stream_mpm_data = { det_ctx, mpm_ctx };
84  StreamMpmFunc, &stream_mpm_data,
85  &det_ctx->raw_stream_progress,
86  false /* mpm doesn't use min inspect depth */);
87  SCLogDebug("POST det_ctx->raw_stream_progress %"PRIu64,
88  det_ctx->raw_stream_progress);
89  } else {
90  SCLogDebug("NOT p->flags & PKT_DETECT_HAS_STREAMDATA");
91  }
92 
93  /* packets that have not been added to the stream will be inspected
94  * as if they are stream chunks */
96  {
97  if (p->payload_len >= mpm_ctx->minlen) {
98 #ifdef DEBUG
99  det_ctx->payload_mpm_cnt++;
100  det_ctx->payload_mpm_size += p->payload_len;
101 #endif
102  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
103  &det_ctx->mtc, &det_ctx->pmq,
104  p->payload, p->payload_len);
105  }
106  }
107 }
108 
110  SigGroupHead *sgh, MpmCtx *mpm_ctx)
111 {
112  return PrefilterAppendPayloadEngine(de_ctx, sgh,
113  PrefilterPktStream, mpm_ctx, NULL, "stream");
114 }
115 
116 static void PrefilterPktPayload(DetectEngineThreadCtx *det_ctx,
117  Packet *p, const void *pectx)
118 {
119  SCEnter();
120 
121  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
122  if (p->payload_len < mpm_ctx->minlen)
123  SCReturn;
124 
125  (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx,
126  &det_ctx->mtc, &det_ctx->pmq,
127  p->payload, p->payload_len);
128 }
129 
131  SigGroupHead *sgh, MpmCtx *mpm_ctx)
132 {
133  return PrefilterAppendPayloadEngine(de_ctx, sgh,
134  PrefilterPktPayload, mpm_ctx, NULL, "payload");
135 }
136 
137 
138 /**
139  * \brief Do the content inspection & validation for a signature
140  *
141  * \param de_ctx Detection engine context
142  * \param det_ctx Detection engine thread context
143  * \param s Signature to inspect
144  * \param f flow (for pcre flowvar storage)
145  * \param p Packet
146  *
147  * \retval 0 no match
148  * \retval 1 match
149  */
151  DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
152 {
153  SCEnter();
154  int r = 0;
155 
156  if (s->sm_arrays[DETECT_SM_LIST_PMATCH] == NULL) {
157  SCReturnInt(0);
158  }
159 #ifdef DEBUG
160  det_ctx->payload_persig_cnt++;
161  det_ctx->payload_persig_size += p->payload_len;
162 #endif
163  det_ctx->buffer_offset = 0;
164  det_ctx->discontinue_matching = 0;
165  det_ctx->inspection_recursion_counter = 0;
166  det_ctx->replist = NULL;
167 
168  r = DetectEngineContentInspection(de_ctx, det_ctx,
170  p, f, p->payload, p->payload_len, 0,
172  if (r == 1) {
173  SCReturnInt(1);
174  }
175  SCReturnInt(0);
176 }
177 
178 /**
179  * \brief Do the content inspection & validation for a sigmatch list
180  *
181  * \param de_ctx Detection engine context
182  * \param det_ctx Detection engine thread context
183  * \param s Signature to inspect
184  * \param smd array of matches to eval
185  * \param f flow (for pcre flowvar storage)
186  * \param p Packet
187  *
188  * \retval 0 no match
189  * \retval 1 match
190  */
191 static int DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
192  DetectEngineThreadCtx *det_ctx,
193  const Signature *s, const SigMatchData *smd,
194  Flow *f, Packet *p)
195 {
196  SCEnter();
197  int r = 0;
198 
199  if (smd == NULL) {
200  SCReturnInt(0);
201  }
202 #ifdef DEBUG
203  det_ctx->payload_persig_cnt++;
204  det_ctx->payload_persig_size += p->payload_len;
205 #endif
206  det_ctx->buffer_offset = 0;
207  det_ctx->discontinue_matching = 0;
208  det_ctx->inspection_recursion_counter = 0;
209  det_ctx->replist = NULL;
210 
211  r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd,
212  p, f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE,
214  if (r == 1) {
215  SCReturnInt(1);
216  }
217  SCReturnInt(0);
218 }
219 
223  const Signature *s;
224  Flow *f;
225 };
226 
227 static int StreamContentInspectFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
228 {
229  SCEnter();
230  int r = 0;
231  struct StreamContentInspectData *smd = cb_data;
232 #ifdef DEBUG
233  smd->det_ctx->stream_persig_cnt++;
234  smd->det_ctx->stream_persig_size += data_len;
235 #endif
236  smd->det_ctx->buffer_offset = 0;
237  smd->det_ctx->discontinue_matching = 0;
239 
241  smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH],
242  NULL, smd->f, (uint8_t *)data, data_len, 0, 0, //TODO
244  if (r == 1) {
245  SCReturnInt(1);
246  }
247 
248  SCReturnInt(0);
249 }
250 
251 /**
252  * \brief Do the content inspection & validation for a signature
253  * on the raw stream
254  *
255  * \param de_ctx Detection engine context
256  * \param det_ctx Detection engine thread context
257  * \param s Signature to inspect
258  * \param f flow (for pcre flowvar storage)
259  *
260  * \retval 0 no match
261  * \retval 1 match
262  */
264  DetectEngineThreadCtx *det_ctx, const Signature *s,
265  Flow *f, Packet *p)
266 {
267  SCEnter();
268 
269  uint64_t unused;
270  struct StreamContentInspectData inspect_data = { de_ctx, det_ctx, s, f };
271  int r = StreamReassembleRaw(f->protoctx, p,
272  StreamContentInspectFunc, &inspect_data,
273  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
274  return r;
275 }
276 
280  const Signature *s;
282  Flow *f;
283 };
284 
285 static int StreamContentInspectEngineFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
286 {
287  SCEnter();
288  int r = 0;
289  struct StreamContentInspectEngineData *smd = cb_data;
290 #ifdef DEBUG
291  smd->det_ctx->stream_persig_cnt++;
292  smd->det_ctx->stream_persig_size += data_len;
293 #endif
294  smd->det_ctx->buffer_offset = 0;
295  smd->det_ctx->discontinue_matching = 0;
297 
299  smd->s, smd->smd,
300  NULL, smd->f, (uint8_t *)data, data_len, 0, 0, // TODO
302  if (r == 1) {
303  SCReturnInt(1);
304  }
305 
306  SCReturnInt(0);
307 }
308 
309 /**
310  * \brief inspect engine for stateful rules
311  *
312  * Caches results as it may be called multiple times if we inspect
313  * multiple transactions in one packet.
314  *
315  * Returns "can't match" if depth is reached.
316  */
318  DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
319  const Signature *s, const SigMatchData *smd,
320  Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
321 {
322  Packet *p = det_ctx->p; /* TODO: get rid of this HACK */
323 
324  /* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
325  * we can get called for UDP. Then we simply inspect the packet payload */
326  if (p->proto == IPPROTO_UDP) {
327  return DetectEngineInspectStreamUDPPayload(de_ctx,
328  det_ctx, s, smd, f, p);
329  /* for other non-TCP protocols we assume match */
330  } else if (p->proto != IPPROTO_TCP)
332 
333  TcpSession *ssn = f->protoctx;
334  if (ssn == NULL)
336 
337  SCLogDebug("pre-inspect det_ctx->raw_stream_progress %"PRIu64,
338  det_ctx->raw_stream_progress);
339  uint64_t unused;
340  struct StreamContentInspectEngineData inspect_data = { de_ctx, det_ctx, s, smd, f };
341  int match = StreamReassembleRaw(f->protoctx, p,
342  StreamContentInspectEngineFunc, &inspect_data,
343  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
344 
345  bool is_last = false;
346  if (flags & STREAM_TOSERVER) {
347  TcpStream *stream = &ssn->client;
349  is_last = true;
350  } else {
351  TcpStream *stream = &ssn->server;
353  is_last = true;
354  }
355 
356  SCLogDebug("%s ran stream for sid %u on packet %"PRIu64" and we %s",
357  is_last? "LAST:" : "normal:", s->id, p->pcap_cnt,
358  match ? "matched" : "didn't match");
359 
360  if (match) {
362  } else {
363  if (is_last) {
364  //SCLogNotice("last, so DETECT_ENGINE_INSPECT_SIG_CANT_MATCH");
366  }
367  /* TODO maybe we can set 'CANT_MATCH' for EOF too? */
369  }
370 }
371 
372 #ifdef UNITTESTS
373 
374 /** \test Not the first but the second occurence of "abc" should be used
375  * for the 2nd match */
376 static int PayloadTestSig01 (void)
377 {
378  uint8_t *buf = (uint8_t *)
379  "abcabcd";
380  uint16_t buflen = strlen((char *)buf);
381  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
382  int result = 0;
383 
384  char sig[] = "alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
385  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
386  result = 0;
387  goto end;
388  }
389 
390  result = 1;
391 end:
392  if (p != NULL)
393  UTHFreePacket(p);
394  return result;
395 }
396 
397 /** \test Nocase matching */
398 static int PayloadTestSig02 (void)
399 {
400  uint8_t *buf = (uint8_t *)
401  "abcaBcd";
402  uint16_t buflen = strlen((char *)buf);
403  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
404  int result = 0;
405 
406  char sig[] = "alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
407  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
408  result = 0;
409  goto end;
410  }
411 
412  result = 1;
413 end:
414  if (p != NULL)
415  UTHFreePacket(p);
416  return result;
417 }
418 
419 /** \test Negative distance matching */
420 static int PayloadTestSig03 (void)
421 {
422  uint8_t *buf = (uint8_t *)
423  "abcaBcd";
424  uint16_t buflen = strlen((char *)buf);
425  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
426  int result = 0;
427 
428  char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
429  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
430  result = 0;
431  goto end;
432  }
433 
434  result = 1;
435 end:
436  if (p != NULL)
437  UTHFreePacket(p);
438  return result;
439 }
440 
441 /**
442  * \test Test multiple relative matches.
443  */
444 static int PayloadTestSig04(void)
445 {
446  uint8_t *buf = (uint8_t *)"now this is is big big string now";
447  uint16_t buflen = strlen((char *)buf);
448  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
449  int result = 0;
450 
451  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
452  "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
453  "content:\"string\"; within:8; sid:1;)";
454  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
455  result = 0;
456  goto end;
457  }
458 
459  result = 1;
460 end:
461  if (p != NULL)
462  UTHFreePacket(p);
463  return result;
464 }
465 
466 /**
467  * \test Test multiple relative matches.
468  */
469 static int PayloadTestSig05(void)
470 {
471  uint8_t *buf = (uint8_t *)"now this is is is big big big string now";
472  uint16_t buflen = strlen((char *)buf);
473  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
474  int result = 0;
475 
476  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
477  "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
478  "content:\"string\"; within:8; sid:1;)";
479  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
480  result = 0;
481  goto end;
482  }
483 
484  result = 1;
485 end:
486  if (p != NULL)
487  UTHFreePacket(p);
488  return result;
489 }
490 
491 /**
492  * \test Test multiple relative matches.
493  */
494 static int PayloadTestSig06(void)
495 {
496  uint8_t *buf = (uint8_t *)"this this now is is big string now";
497  uint16_t buflen = strlen((char *)buf);
498  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
499  int result = 0;
500 
501  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
502  "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
503  "content:\"string\"; within:8; sid:1;)";
504  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
505  result = 0;
506  goto end;
507  }
508 
509  result = 1;
510 end:
511  if (p != NULL)
512  UTHFreePacket(p);
513  return result;
514 }
515 
516 /**
517  * \test Test multiple relative matches.
518  */
519 static int PayloadTestSig07(void)
520 {
521  uint8_t *buf = (uint8_t *)" thus thus is a big";
522  uint16_t buflen = strlen((char *)buf);
523  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
524  int result = 0;
525 
526  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
527  "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
528 
529  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
530  result = 0;
531  goto end;
532  }
533 
534  result = 1;
535 end:
536  if (p != NULL)
537  UTHFreePacket(p);
538  return result;
539 }
540 
541 /**
542  * \test Test multiple relative matches with negative matches
543  * and show the need for det_ctx->discontinue_matching.
544  */
545 static int PayloadTestSig08(void)
546 {
547  uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
548  uint16_t buflen = strlen((char *)buf);
549  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
550  int result = 0;
551 
552  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
553  "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
554 
555  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 1) {
556  goto end;
557  }
558 
559  result = 1;
560 end:
561  if (p != NULL)
562  UTHFreePacket(p);
563  return result;
564 }
565 
566 /**
567  * \test Test pcre recursive matching.
568  */
569 static int PayloadTestSig09(void)
570 {
571  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
572  uint16_t buflen = strlen((char *)buf);
573  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
574  int result = 0;
575 
576  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
577  "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
578 
579  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
580  result = 0;
581  goto end;
582  }
583 
584  result = 1;
585 end:
586  if (p != NULL)
587  UTHFreePacket(p);
588  return result;
589 }
590 
591 /**
592  * \test Test invalid sig.
593  */
594 static int PayloadTestSig10(void)
595 {
596  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
597  uint16_t buflen = strlen((char *)buf);
598  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
599  int result = 0;
600 
601  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
602  "byte_test:4,>,2,0,relative; sid:11;)";
603 
604  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
605  result = 0;
606  goto end;
607  }
608 
609  result = 1;
610 end:
611  if (p != NULL)
612  UTHFreePacket(p);
613  return result;
614 }
615 
616 /**
617  * \test Test invalid sig.
618  */
619 static int PayloadTestSig11(void)
620 {
621  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
622  uint16_t buflen = strlen((char *)buf);
623  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
624  int result = 0;
625 
626  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
627  "byte_jump:1,0,relative; sid:11;)";
628 
629  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
630  result = 0;
631  goto end;
632  }
633 
634  result = 1;
635 end:
636  if (p != NULL)
637  UTHFreePacket(p);
638  return result;
639 }
640 
641 /**
642  * \test Test invalid sig.
643  */
644 static int PayloadTestSig12(void)
645 {
646  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
647  uint16_t buflen = strlen((char *)buf);
648  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
649  int result = 0;
650 
651  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
652  "isdataat:10,relative; sid:11;)";
653 
654  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
655  result = 0;
656  goto end;
657  }
658 
659  result = 1;
660 end:
661  if (p != NULL)
662  UTHFreePacket(p);
663  return result;
664 }
665 
666 /**
667  * \test Used to check the working of recursion_limit counter.
668  */
669 static int PayloadTestSig13(void)
670 {
671  uint8_t *buf = (uint8_t *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
672  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
673  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
674  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
675  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
676  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
677  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
678  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
679  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
680  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
681  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
682  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
683  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
684  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
685  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
686  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
687  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
688  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
689  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
690  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
691  uint16_t buflen = strlen((char *)buf);
692  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
693  int result = 0;
694  uint16_t mpm_type = mpm_default_matcher;
695 
696  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
697  "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
698  "byte_test:1,>,200,0,relative; sid:1;)";
699 
700  struct timeval tv_start, tv_end, tv_diff;
701 
702  gettimeofday(&tv_start, NULL);
703 
704  do {
705  DecodeThreadVars dtv;
706  ThreadVars th_v;
707  DetectEngineThreadCtx *det_ctx = NULL;
708 
709  memset(&dtv, 0, sizeof(DecodeThreadVars));
710  memset(&th_v, 0, sizeof(th_v));
711 
713  if (de_ctx == NULL) {
714  printf("de_ctx == NULL: ");
715  goto end;
716  }
717  de_ctx->inspection_recursion_limit = 3000;
718 
719  de_ctx->flags |= DE_QUIET;
720  de_ctx->mpm_matcher = mpm_type;
721 
722  de_ctx->sig_list = SigInit(de_ctx, sig);
723  if (de_ctx->sig_list == NULL) {
724  printf("signature == NULL: ");
725  goto end;
726  }
727 
728  SigGroupBuild(de_ctx);
729  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
730 
731  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
732  if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
733  goto end;
734  }
735 
736  result = 1;
737  end:
738  SigGroupCleanup(de_ctx);
739  SigCleanSignatures(de_ctx);
740 
741  if (det_ctx != NULL)
742  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
743 
744  if (de_ctx != NULL)
745  DetectEngineCtxFree(de_ctx);
746  } while (0);
747 
748  gettimeofday(&tv_end, NULL);
749 
750  tv_diff.tv_sec = tv_end.tv_sec - tv_start.tv_sec;
751  tv_diff.tv_usec = tv_end.tv_usec - tv_start.tv_usec;
752 
753  printf("%ld.%06ld\n", (long int)tv_diff.tv_sec, (long int)tv_diff.tv_usec);
754 
755  result = 1;
756 
757  if (p != NULL)
758  UTHFreePacket(p);
759  return result;
760 }
761 
762 /**
763  * \test normal & negated matching, both absolute and relative
764  */
765 static int PayloadTestSig14(void)
766 {
767  uint8_t *buf = (uint8_t *)"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
768  uint16_t buflen = strlen((char *)buf);
769  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
770  int result = 0;
771 
772  char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
773 
774  //char sig[] = "alert tcp any any -> any any (content:\"User-Agent: Mozilla/5.0 (Macintosh; \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
775 
776  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
777  goto end;
778  }
779 
780  result = 1;
781 end:
782  if (p != NULL)
783  UTHFreePacket(p);
784  return result;
785 }
786 
787 static int PayloadTestSig15(void)
788 {
789  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
790  uint16_t buflen = strlen((char *)buf);
791  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
792  int result = 0;
793 
794  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
795  "content:\"nova\"; isdataat:18,relative; sid:1;)";
796 
797  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
798  result = 0;
799  goto end;
800  }
801 
802  result = 1;
803 
804 end:
805  if (p != NULL)
806  UTHFreePacket(p);
807  return result;
808 }
809 
810 static int PayloadTestSig16(void)
811 {
812  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
813  uint16_t buflen = strlen((char *)buf);
814  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
815  int result = 0;
816 
817  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
818  "content:\"nova\"; isdataat:!20,relative; sid:1;)";
819 
820  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
821  result = 0;
822  goto end;
823  }
824 
825  result = 1;
826 
827 end:
828  if (p != NULL)
829  UTHFreePacket(p);
830  return result;
831 }
832 
833 static int PayloadTestSig17(void)
834 {
835  uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
836  uint16_t buflen = 9;
837  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
838  int result = 0;
839 
840  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
841  "content:\"%\"; depth:4; offset:0; "
842  "content:\"%\"; within:2; distance:1; sid:1;)";
843 
844  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
845  result = 0;
846  goto end;
847  }
848 
849  result = 1;
850 
851 end:
852  if (p != NULL)
853  UTHFreePacket(p);
854  return result;
855 }
856 
857 static int PayloadTestSig18(void)
858 {
859  uint8_t buf[] = {
860  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
861  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
862  0x0E, 0x0F,
863  };
864  uint16_t buflen = sizeof(buf);
865  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
866  int result = 0;
867 
868  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
869  "content:\"|01 02 03 04|\"; "
870  "byte_extract:1,2,one,string,dec,relative; "
871  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
872 
873  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
874  result = 0;
875  goto end;
876  }
877 
878  result = 1;
879 
880 end:
881  if (p != NULL)
882  UTHFreePacket(p);
883  return result;
884 }
885 
886 static int PayloadTestSig19(void)
887 {
888  uint8_t buf[] = {
889  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
890  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
891  0x0E, 0x0F,
892  };
893  uint16_t buflen = sizeof(buf);
894  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
895  int result = 0;
896 
897  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
898  "content:\"|01 02 03 04|\"; "
899  "byte_extract:1,2,one,string,hex,relative; "
900  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
901 
902  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
903  result = 0;
904  goto end;
905  }
906 
907  result = 1;
908 
909 end:
910  if (p != NULL)
911  UTHFreePacket(p);
912  return result;
913 }
914 
915 static int PayloadTestSig20(void)
916 {
917  uint8_t buf[] = {
918  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
919  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
920  0x0E, 0x0F,
921  };
922  uint16_t buflen = sizeof(buf);
923  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
924  int result = 0;
925 
926  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
927  "content:\"|01 02 03 04|\"; "
928  "byte_extract:1,2,one,string,dec,relative; "
929  "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
930 
931  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
932  result = 0;
933  goto end;
934  }
935 
936  result = 1;
937 
938 end:
939  if (p != NULL)
940  UTHFreePacket(p);
941  return result;
942 }
943 
944 static int PayloadTestSig21(void)
945 {
946  uint8_t buf[] = {
947  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
948  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
949  0x0E, 0x0F,
950  };
951  uint16_t buflen = sizeof(buf);
952  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
953  int result = 0;
954 
955  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
956  "content:\"|01 02 03 04|\"; "
957  "byte_extract:1,2,one,string,dec,relative; "
958  "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
959 
960  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
961  result = 0;
962  goto end;
963  }
964 
965  result = 1;
966 
967 end:
968  if (p != NULL)
969  UTHFreePacket(p);
970  return result;
971 }
972 
973 static int PayloadTestSig22(void)
974 {
975  uint8_t buf[] = {
976  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
977  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
978  0x0E, 0x0F,
979  };
980  uint16_t buflen = sizeof(buf);
981  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
982  int result = 0;
983 
984  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
985  "content:\"|01 02 03 04|\"; "
986  "byte_extract:1,2,one,string,dec,relative; "
987  "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
988 
989  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
990  result = 0;
991  goto end;
992  }
993 
994  result = 1;
995 
996 end:
997  if (p != NULL)
998  UTHFreePacket(p);
999  return result;
1000 }
1001 
1002 static int PayloadTestSig23(void)
1003 {
1004  uint8_t buf[] = {
1005  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
1006  0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
1007  0x32, 0x0F,
1008  };
1009  uint16_t buflen = sizeof(buf);
1010  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1011  int result = 0;
1012 
1013  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1014  "content:\"|01 02 03 04|\"; "
1015  "byte_extract:1,2,one,string,dec,relative; "
1016  "byte_extract:1,3,two,string,dec,relative; "
1017  "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
1018 
1019  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1020  result = 0;
1021  goto end;
1022  }
1023 
1024  result = 1;
1025 
1026 end:
1027  if (p != NULL)
1028  UTHFreePacket(p);
1029  return result;
1030 }
1031 
1032 static int PayloadTestSig24(void)
1033 {
1034  uint8_t buf[] = {
1035  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
1036  0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
1037  0x0E, 0x0F,
1038  };
1039  uint16_t buflen = sizeof(buf);
1040  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1041  int result = 0;
1042 
1043  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1044  "content:\"|01 02 03 04|\"; "
1045  "byte_extract:1,2,one,string,dec,relative; "
1046  "byte_jump:1,one,string,dec,relative; "
1047  "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
1048 
1049  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1050  result = 0;
1051  goto end;
1052  }
1053 
1054  result = 1;
1055 
1056 end:
1057  if (p != NULL)
1058  UTHFreePacket(p);
1059  return result;
1060 }
1061 
1062 /*
1063  * \test Test negative byte extract.
1064  */
1065 static int PayloadTestSig25(void)
1066 {
1067  uint8_t buf[] = {
1068  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
1069  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
1070  0x0E, 0x0F,
1071  };
1072  uint16_t buflen = sizeof(buf);
1073  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1074  int result = 0;
1075 
1076  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1077  "content:\"|35 07 08 09|\"; "
1078  "byte_extract:1,-4,one,string,dec,relative; "
1079  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1080 
1081  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1082  result = 0;
1083  goto end;
1084  }
1085 
1086  result = 1;
1087 
1088 end:
1089  if (p != NULL)
1090  UTHFreePacket(p);
1091  return result;
1092 }
1093 
1094 /*
1095  * \test Test negative byte extract.
1096  */
1097 static int PayloadTestSig26(void)
1098 {
1099  uint8_t buf[] = {
1100  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
1101  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
1102  0x0E, 0x0F,
1103  };
1104  uint16_t buflen = sizeof(buf);
1105  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1106  int result = 0;
1107 
1108  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1109  "content:\"|35 07 08 09|\"; "
1110  "byte_extract:1,-3000,one,string,dec,relative; "
1111  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
1112 
1113  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 0) {
1114  result = 0;
1115  goto end;
1116  }
1117 
1118  result = 1;
1119 
1120 end:
1121  if (p != NULL)
1122  UTHFreePacket(p);
1123  return result;
1124 }
1125 
1126 /*
1127  * \test Test packet/stream sigs
1128  */
1129 static int PayloadTestSig27(void)
1130 {
1131  uint8_t buf[] = "dummypayload";
1132  uint16_t buflen = sizeof(buf) - 1;
1133  int result = 0;
1134 
1135  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1136 
1137  char sig[] = "alert tcp any any -> any any (content:\"dummy\"; "
1138  "depth:5; sid:1;)";
1139 
1140  p->flags |= PKT_STREAM_ADD;
1141  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 1)
1142  goto end;
1143 
1144  result = 1;
1145 
1146 end:
1147  if (p != NULL)
1148  UTHFreePacket(p);
1149  return result;
1150 }
1151 
1152 /*
1153  * \test Test packet/stream sigs
1154  */
1155 static int PayloadTestSig28(void)
1156 {
1157  uint8_t buf[] = "dummypayload";
1158  uint16_t buflen = sizeof(buf) - 1;
1159  int result = 0;
1160 
1161  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1162 
1163  char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
1164  "offset:4; depth:12; sid:1;)";
1165 
1166  p->flags |= PKT_STREAM_ADD;
1167  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) != 1)
1168  goto end;
1169 
1170  result = 1;
1171 
1172 end:
1173  if (p != NULL)
1174  UTHFreePacket(p);
1175  return result;
1176 }
1177 
1178 /**
1179  * \test Test pcre recursive matching - bug #529
1180  */
1181 static int PayloadTestSig29(void)
1182 {
1183  uint8_t *buf = (uint8_t *)"this is a super dupernova in super nova now";
1184  uint16_t buflen = strlen((char *)buf);
1185  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1186  int result = 0;
1187 
1188  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1189  "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1190 
1191  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 1) {
1192  result = 0;
1193  goto end;
1194  }
1195 
1196  result = 1;
1197 end:
1198  if (p != NULL)
1199  UTHFreePacket(p);
1200  return result;
1201 }
1202 
1203 static int PayloadTestSig30(void)
1204 {
1205  uint8_t *buf = (uint8_t *)
1206  "xyonexxxxxxtwojunkonetwo";
1207  uint16_t buflen = strlen((char *)buf);
1208  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1209  int result = 0;
1210 
1211  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1212  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1213  result = 0;
1214  goto end;
1215  }
1216 
1217  result = 1;
1218 end:
1219  if (p != NULL)
1220  UTHFreePacket(p);
1221  return result;
1222 }
1223 
1224 static int PayloadTestSig31(void)
1225 {
1226  uint8_t *buf = (uint8_t *)
1227  "xyonexxxxxxtwojunkonetwo";
1228  uint16_t buflen = strlen((char *)buf);
1229  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
1230  int result = 0;
1231 
1232  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1233  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0) {
1234  result = 0;
1235  goto end;
1236  }
1237 
1238  result = 1;
1239 end:
1240  if (p != NULL)
1241  UTHFreePacket(p);
1242  return result;
1243 }
1244 
1245 /**
1246  * \test Test byte_jump.
1247  */
1248 static int PayloadTestSig32(void)
1249 {
1250  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1251  uint16_t buflen = strlen((char *)buf);
1252  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1253  int result = 0;
1254 
1255  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1256  "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1257 
1258  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
1259  goto end;
1260 
1261  result = 1;
1262 end:
1263  if (p != NULL)
1264  UTHFreePacket(p);
1265  return result;
1266 }
1267 
1268 /**
1269  * \test Test byte_test.
1270  */
1271 static int PayloadTestSig33(void)
1272 {
1273  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1274  uint16_t buflen = strlen((char *)buf);
1275  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1276  int result = 0;
1277 
1278  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1279  "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1280 
1281  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
1282  goto end;
1283 
1284  result = 1;
1285 end:
1286  if (p != NULL)
1287  UTHFreePacket(p);
1288  return result;
1289 }
1290 
1291 /**
1292  * \test Test byte_extract.
1293  */
1294 static int PayloadTestSig34(void)
1295 {
1296  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1297  uint16_t buflen = strlen((char *)buf);
1298  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1299  int result = 0;
1300 
1301  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1302  "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1303 
1304  if (UTHPacketMatchSigMpm(p, sig, mpm_default_matcher) == 0)
1305  goto end;
1306 
1307  result = 1;
1308 end:
1309  if (p != NULL)
1310  UTHFreePacket(p);
1311  return result;
1312 }
1313 
1314 #endif /* UNITTESTS */
1315 
1317 {
1318 #ifdef UNITTESTS
1319  UtRegisterTest("PayloadTestSig01", PayloadTestSig01);
1320  UtRegisterTest("PayloadTestSig02", PayloadTestSig02);
1321  UtRegisterTest("PayloadTestSig03", PayloadTestSig03);
1322  UtRegisterTest("PayloadTestSig04", PayloadTestSig04);
1323  UtRegisterTest("PayloadTestSig05", PayloadTestSig05);
1324  UtRegisterTest("PayloadTestSig06", PayloadTestSig06);
1325  UtRegisterTest("PayloadTestSig07", PayloadTestSig07);
1326  UtRegisterTest("PayloadTestSig08", PayloadTestSig08);
1327  UtRegisterTest("PayloadTestSig09", PayloadTestSig09);
1328  UtRegisterTest("PayloadTestSig10", PayloadTestSig10);
1329  UtRegisterTest("PayloadTestSig11", PayloadTestSig11);
1330  UtRegisterTest("PayloadTestSig12", PayloadTestSig12);
1331  UtRegisterTest("PayloadTestSig13", PayloadTestSig13);
1332  UtRegisterTest("PayloadTestSig14", PayloadTestSig14);
1333  UtRegisterTest("PayloadTestSig15", PayloadTestSig15);
1334  UtRegisterTest("PayloadTestSig16", PayloadTestSig16);
1335  UtRegisterTest("PayloadTestSig17", PayloadTestSig17);
1336 
1337  UtRegisterTest("PayloadTestSig18", PayloadTestSig18);
1338  UtRegisterTest("PayloadTestSig19", PayloadTestSig19);
1339  UtRegisterTest("PayloadTestSig20", PayloadTestSig20);
1340  UtRegisterTest("PayloadTestSig21", PayloadTestSig21);
1341  UtRegisterTest("PayloadTestSig22", PayloadTestSig22);
1342  UtRegisterTest("PayloadTestSig23", PayloadTestSig23);
1343  UtRegisterTest("PayloadTestSig24", PayloadTestSig24);
1344  UtRegisterTest("PayloadTestSig25", PayloadTestSig25);
1345  UtRegisterTest("PayloadTestSig26", PayloadTestSig26);
1346  UtRegisterTest("PayloadTestSig27", PayloadTestSig27);
1347  UtRegisterTest("PayloadTestSig28", PayloadTestSig28);
1348  UtRegisterTest("PayloadTestSig29", PayloadTestSig29);
1349 
1350  UtRegisterTest("PayloadTestSig30", PayloadTestSig30);
1351  UtRegisterTest("PayloadTestSig31", PayloadTestSig31);
1352  UtRegisterTest("PayloadTestSig32", PayloadTestSig32);
1353  UtRegisterTest("PayloadTestSig33", PayloadTestSig33);
1354  UtRegisterTest("PayloadTestSig34", PayloadTestSig34);
1355 #endif /* UNITTESTS */
1356 
1357  return;
1358 }
MpmThreadCtx mtcs
Definition: detect.h:1094
uint16_t flags
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:445
uint16_t minlen
Definition: util-mpm.h:99
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint16_t discontinue_matching
Definition: detect.h:1060
uint32_t flags
Definition: detect.h:518
uint32_t id
Definition: detect.h:550
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
Signature * sig_list
Definition: detect.h:762
void PayloadRegisterTests(void)
DetectReplaceList * replist
Definition: detect.h:1108
Data needed for Match()
Definition: detect.h:322
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Container for matching data for a signature group.
Definition: detect.h:1329
MpmThreadCtx mtc
Definition: detect.h:1092
const MpmCtx * mpm_ctx
uint64_t pcap_cnt
Definition: decode.h:561
uint32_t buffer_offset
Definition: detect.h:1025
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Signature container.
Definition: detect.h:517
void * protoctx
Definition: flow.h:400
main detection engine ctx
Definition: detect.h:756
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
int StreamReassembleRaw(TcpSession *ssn, const Packet *p, StreamReassembleRawFunc Callback, void *cb_data, uint64_t *progress_out, bool respect_inspect_depth)
int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
int DetectEngineInspectStream(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
#define DE_QUIET
Definition: detect.h:287
uint8_t proto
Definition: decode.h:430
uint8_t flags
Definition: detect.h:757
#define DETECT_ENGINE_INSPECT_SIG_MATCH
int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterFunc)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Data structures and function prototypes for keeping state for the detection engine.
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1120
#define SIG_FLAG_FLUSH
Definition: detect.h:224
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
uint8_t mpm_type
Definition: util-mpm.h:90
uint16_t mpm_matcher
Definition: detect.h:805
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
int PrefilterPktStreamRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
#define SCEnter(...)
Definition: util-debug.h:337
PrefilterRuleStore pmq
Definition: detect.h:1095
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:570
int SigGroupCleanup(DetectEngineCtx *de_ctx)
#define SCReturnInt(x)
Definition: util-debug.h:341
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
int mpm_default_matcher
Definition: util-mpm.h:170
uint64_t raw_stream_progress
Definition: detect.h:1021
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.h:169
DetectEngineThreadCtx * det_ctx
uint16_t tx_id
#define PKT_STREAM_ADD
Definition: decode.h:1087
#define STREAM_TOSERVER
Definition: stream.h:31
int PrefilterPktPayloadRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
int inspection_recursion_counter
Definition: detect.h:1072
#define DETECT_CI_FLAGS_SINGLE
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:162
#define SCReturn
Definition: util-debug.h:339
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx * det_ctx
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1084
uint32_t flags
Definition: decode.h:443
uint16_t payload_len
Definition: decode.h:541
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Flow data structure.
Definition: flow.h:325
uint8_t * payload
Definition: decode.h:540
int inspection_recursion_limit
Definition: detect.h:828
DetectEngineCtx * DetectEngineCtxInit(void)