suricata
detect-engine-payload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Performs payload matching functions
24  */
25 
26 #include "suricata-common.h"
27 #include "suricata.h"
28 #include "rust.h"
29 
30 #include "decode.h"
31 
32 #include "detect.h"
33 #include "detect-engine.h"
34 #include "detect-parse.h"
37 #include "detect-engine-state.h"
38 #include "detect-engine-payload.h"
39 
40 #include "stream.h"
41 #include "stream-tcp.h"
42 
43 #include "util-debug.h"
44 #include "util-print.h"
45 
46 #include "util-unittest.h"
47 #include "util-unittest-helper.h"
48 #include "util-validate.h"
49 
50 #include "util-mpm-ac.h"
51 
52 struct StreamMpmData {
54  const MpmCtx *mpm_ctx;
55 };
56 
57 static int StreamMpmFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
58 {
59  struct StreamMpmData *smd = cb_data;
60  if (data_len >= smd->mpm_ctx->minlen) {
61 #ifdef DEBUG
62  smd->det_ctx->stream_mpm_cnt++;
63  smd->det_ctx->stream_mpm_size += data_len;
64 #endif
65  (void)mpm_table[smd->mpm_ctx->mpm_type].Search(smd->mpm_ctx,
66  &smd->det_ctx->mtcs, &smd->det_ctx->pmq,
67  data, data_len);
68  }
69  return 0;
70 }
71 
72 static void PrefilterPktStream(DetectEngineThreadCtx *det_ctx,
73  Packet *p, const void *pectx)
74 {
75  SCEnter();
76 
77  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
78 
79  /* for established packets inspect any stream we may have queued up */
81  SCLogDebug("PRE det_ctx->raw_stream_progress %"PRIu64,
83  struct StreamMpmData stream_mpm_data = { det_ctx, mpm_ctx };
85  StreamMpmFunc, &stream_mpm_data,
87  false /* mpm doesn't use min inspect depth */);
88  SCLogDebug("POST det_ctx->raw_stream_progress %"PRIu64,
90 
91  /* packets that have not been added to the stream will be inspected as if they are stream
92  * chunks */
93  } else if ((p->flags & (PKT_NOPAYLOAD_INSPECTION | PKT_STREAM_ADD)) == 0) {
94  if (p->payload_len >= mpm_ctx->minlen) {
95 #ifdef DEBUG
96  det_ctx->payload_mpm_cnt++;
97  det_ctx->payload_mpm_size += p->payload_len;
98 #endif
100  &det_ctx->mtc, &det_ctx->pmq,
101  p->payload, p->payload_len);
102  }
103  }
104 }
105 
107  SigGroupHead *sgh, MpmCtx *mpm_ctx)
108 {
110  PrefilterPktStream, mpm_ctx, NULL, "stream");
111 }
112 
113 static void PrefilterPktPayload(DetectEngineThreadCtx *det_ctx,
114  Packet *p, const void *pectx)
115 {
116  SCEnter();
117 
118  const MpmCtx *mpm_ctx = (MpmCtx *)pectx;
119  if (p->payload_len < mpm_ctx->minlen)
120  SCReturn;
121 
123  &det_ctx->mtc, &det_ctx->pmq,
124  p->payload, p->payload_len);
125 }
126 
128  SigGroupHead *sgh, MpmCtx *mpm_ctx)
129 {
131  PrefilterPktPayload, mpm_ctx, NULL, "payload");
132 }
133 
134 
135 /**
136  * \brief Do the content inspection & validation for a signature
137  *
138  * \param de_ctx Detection engine context
139  * \param det_ctx Detection engine thread context
140  * \param s Signature to inspect
141  * \param f flow (for pcre flowvar storage)
142  * \param p Packet
143  *
144  * \retval 0 no match
145  * \retval 1 match
146  */
149 {
150  SCEnter();
151  int r = 0;
152 
153  if (s->sm_arrays[DETECT_SM_LIST_PMATCH] == NULL) {
154  SCReturnInt(0);
155  }
156 #ifdef DEBUG
157  det_ctx->payload_persig_cnt++;
158  det_ctx->payload_persig_size += p->payload_len;
159 #endif
160  det_ctx->buffer_offset = 0;
163  det_ctx->replist = NULL;
164 
167  p, f, p->payload, p->payload_len, 0,
169  if (r == 1) {
170  SCReturnInt(1);
171  }
172  SCReturnInt(0);
173 }
174 
175 /**
176  * \brief Do the content inspection & validation for a sigmatch list
177  *
178  * \param de_ctx Detection engine context
179  * \param det_ctx Detection engine thread context
180  * \param s Signature to inspect
181  * \param smd array of matches to eval
182  * \param f flow (for pcre flowvar storage)
183  * \param p Packet
184  *
185  * \retval 0 no match
186  * \retval 1 match
187  */
188 static int DetectEngineInspectStreamUDPPayload(DetectEngineCtx *de_ctx,
190  const Signature *s, const SigMatchData *smd,
191  Flow *f, Packet *p)
192 {
193  SCEnter();
194  int r = 0;
195 
196  if (smd == NULL) {
197  SCReturnInt(0);
198  }
199 #ifdef DEBUG
200  det_ctx->payload_persig_cnt++;
201  det_ctx->payload_persig_size += p->payload_len;
202 #endif
203  det_ctx->buffer_offset = 0;
206  det_ctx->replist = NULL;
207 
209  p, f, p->payload, p->payload_len, 0, DETECT_CI_FLAGS_SINGLE,
211  if (r == 1) {
212  SCReturnInt(1);
213  }
214  SCReturnInt(0);
215 }
216 
220  const Signature *s;
221  Flow *f;
222 };
223 
224 static int StreamContentInspectFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
225 {
226  SCEnter();
227  int r = 0;
228  struct StreamContentInspectData *smd = cb_data;
229 #ifdef DEBUG
230  smd->det_ctx->stream_persig_cnt++;
231  smd->det_ctx->stream_persig_size += data_len;
232 #endif
233  smd->det_ctx->buffer_offset = 0;
234  smd->det_ctx->discontinue_matching = 0;
236 
238  smd->s, smd->s->sm_arrays[DETECT_SM_LIST_PMATCH],
239  NULL, smd->f, (uint8_t *)data, data_len, 0, 0, //TODO
241  if (r == 1) {
242  SCReturnInt(1);
243  }
244 
245  SCReturnInt(0);
246 }
247 
248 /**
249  * \brief Do the content inspection & validation for a signature
250  * on the raw stream
251  *
252  * \param de_ctx Detection engine context
253  * \param det_ctx Detection engine thread context
254  * \param s Signature to inspect
255  * \param f flow (for pcre flowvar storage)
256  *
257  * \retval 0 no match
258  * \retval 1 match
259  */
262  Flow *f, Packet *p)
263 {
264  SCEnter();
265  SCLogDebug("FLUSH? %s", (s->flags & SIG_FLAG_FLUSH)?"true":"false");
266  uint64_t unused;
267  struct StreamContentInspectData inspect_data = { de_ctx, det_ctx, s, f };
268  int r = StreamReassembleRaw(f->protoctx, p,
269  StreamContentInspectFunc, &inspect_data,
270  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
271  return r;
272 }
273 
277  const Signature *s;
279  Flow *f;
280 };
281 
282 static int StreamContentInspectEngineFunc(void *cb_data, const uint8_t *data, const uint32_t data_len)
283 {
284  SCEnter();
285  int r = 0;
286  struct StreamContentInspectEngineData *smd = cb_data;
287 #ifdef DEBUG
288  smd->det_ctx->stream_persig_cnt++;
289  smd->det_ctx->stream_persig_size += data_len;
290 #endif
291  smd->det_ctx->buffer_offset = 0;
292  smd->det_ctx->discontinue_matching = 0;
293  smd->det_ctx->inspection_recursion_counter = 0;
294 
295  r = DetectEngineContentInspection(smd->de_ctx, smd->det_ctx,
296  smd->s, smd->smd,
297  NULL, smd->f, (uint8_t *)data, data_len, 0, 0, // TODO
299  if (r == 1) {
300  SCReturnInt(1);
301  }
302 
303  SCReturnInt(0);
304 }
305 
306 /**
307  * \brief inspect engine for stateful rules
308  *
309  * Caches results as it may be called multiple times if we inspect
310  * multiple transactions in one packet.
311  *
312  * Returns "can't match" if depth is reached.
313  */
315  const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f,
316  uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
317 {
318  Packet *p = det_ctx->p; /* TODO: get rid of this HACK */
319 
320  /* in certain sigs, e.g. 'alert dns', which apply to both tcp and udp
321  * we can get called for UDP. Then we simply inspect the packet payload */
322  if (p->proto == IPPROTO_UDP) {
323  return DetectEngineInspectStreamUDPPayload(de_ctx, det_ctx, s, engine->smd, f, p);
324  /* for other non-TCP protocols we assume match */
325  } else if (p->proto != IPPROTO_TCP)
327 
328  TcpSession *ssn = f->protoctx;
329  if (ssn == NULL)
331 
332  SCLogDebug("pre-inspect det_ctx->raw_stream_progress %"PRIu64" FLUSH? %s",
334  (s->flags & SIG_FLAG_FLUSH)?"true":"false");
335  uint64_t unused;
336  struct StreamContentInspectEngineData inspect_data = { de_ctx, det_ctx, s, engine->smd, f };
337  int match = StreamReassembleRaw(f->protoctx, p,
338  StreamContentInspectEngineFunc, &inspect_data,
339  &unused, ((s->flags & SIG_FLAG_FLUSH) != 0));
340 
341  bool is_last = false;
342  if (flags & STREAM_TOSERVER) {
343  TcpStream *stream = &ssn->client;
345  is_last = true;
346  } else {
347  TcpStream *stream = &ssn->server;
349  is_last = true;
350  }
351 
352  SCLogDebug("%s ran stream for sid %u on packet %"PRIu64" and we %s",
353  is_last? "LAST:" : "normal:", s->id, p->pcap_cnt,
354  match ? "matched" : "didn't match");
355 
356  if (match) {
358  } else {
359  if (is_last) {
360  //SCLogNotice("last, so DETECT_ENGINE_INSPECT_SIG_CANT_MATCH");
362  }
363  /* TODO maybe we can set 'CANT_MATCH' for EOF too? */
365  }
366 }
367 
368 #ifdef UNITTESTS
369 
370 /** \test Not the first but the second occurence of "abc" should be used
371  * for the 2nd match */
372 static int PayloadTestSig01 (void)
373 {
374  uint8_t *buf = (uint8_t *)
375  "abcabcd";
376  uint16_t buflen = strlen((char *)buf);
377  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
378 
379  FAIL_IF_NULL(p);
380 
381  char sig[] = "alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
382 
384 
385  UTHFreePacket(p);
386 
387  PASS;
388 }
389 
390 /** \test Nocase matching */
391 static int PayloadTestSig02 (void)
392 {
393  uint8_t *buf = (uint8_t *)
394  "abcaBcd";
395  uint16_t buflen = strlen((char *)buf);
396  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
397 
398  FAIL_IF_NULL(p);
399 
400  char sig[] = "alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
401 
403 
404  UTHFreePacket(p);
405 
406  PASS;
407 }
408 
409 /** \test Negative distance matching */
410 static int PayloadTestSig03 (void)
411 {
412  uint8_t *buf = (uint8_t *)
413  "abcaBcd";
414  uint16_t buflen = strlen((char *)buf);
415  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
416 
417  FAIL_IF_NULL(p);
418 
419  char sig[] = "alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
420 
422 
423  UTHFreePacket(p);
424 
425  PASS;
426 }
427 
428 /**
429  * \test Test multiple relative matches.
430  */
431 static int PayloadTestSig04(void)
432 {
433  uint8_t *buf = (uint8_t *)"now this is is big big string now";
434  uint16_t buflen = strlen((char *)buf);
435  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
436 
437  FAIL_IF_NULL(p);
438 
439  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
440  "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
441  "content:\"string\"; within:8; sid:1;)";
442 
444 
445  UTHFreePacket(p);
446 
447  PASS;
448 }
449 
450 /**
451  * \test Test multiple relative matches.
452  */
453 static int PayloadTestSig05(void)
454 {
455  uint8_t *buf = (uint8_t *)"now this is is is big big big string now";
456  uint16_t buflen = strlen((char *)buf);
457  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
458 
459  FAIL_IF_NULL(p);
460 
461  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
462  "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
463  "content:\"string\"; within:8; sid:1;)";
464 
466 
467  UTHFreePacket(p);
468 
469  PASS;
470 }
471 
472 /**
473  * \test Test multiple relative matches.
474  */
475 static int PayloadTestSig06(void)
476 {
477  uint8_t *buf = (uint8_t *)"this this now is is big string now";
478  uint16_t buflen = strlen((char *)buf);
479  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
480 
481  FAIL_IF_NULL(p);
482 
483  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
484  "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
485  "content:\"string\"; within:8; sid:1;)";
486 
488 
489  UTHFreePacket(p);
490 
491  PASS;
492 }
493 
494 /**
495  * \test Test multiple relative matches.
496  */
497 static int PayloadTestSig07(void)
498 {
499  uint8_t *buf = (uint8_t *)" thus thus is a big";
500  uint16_t buflen = strlen((char *)buf);
501  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
502 
503  FAIL_IF_NULL(p);
504 
505  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
506  "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
507 
509 
510  UTHFreePacket(p);
511 
512  PASS;
513 }
514 
515 /**
516  * \test Test multiple relative matches with negative matches
517  * and show the need for det_ctx->discontinue_matching.
518  */
519 static int PayloadTestSig08(void)
520 {
521  uint8_t *buf = (uint8_t *)"we need to fix this and yes fix this now";
522  uint16_t buflen = strlen((char *)buf);
523  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
524 
525  FAIL_IF_NULL(p);
526 
527  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
528  "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
529 
531 
532  UTHFreePacket(p);
533 
534  PASS;
535 }
536 
537 /**
538  * \test Test pcre recursive matching.
539  */
540 static int PayloadTestSig09(void)
541 {
542  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
543  uint16_t buflen = strlen((char *)buf);
544  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
545 
546  FAIL_IF_NULL(p);
547 
548  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
549  "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
550 
552 
553  UTHFreePacket(p);
554 
555  PASS;
556 }
557 
558 /**
559  * \test Test invalid sig.
560  */
561 static int PayloadTestSig10(void)
562 {
563  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
564  uint16_t buflen = strlen((char *)buf);
565  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
566 
567  FAIL_IF_NULL(p);
568 
569  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
570  "byte_test:4,>,2,0,relative; sid:11;)";
571 
573 
574  UTHFreePacket(p);
575 
576  PASS;
577 }
578 
579 /**
580  * \test Test invalid sig.
581  */
582 static int PayloadTestSig11(void)
583 {
584  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
585  uint16_t buflen = strlen((char *)buf);
586  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
587 
588  FAIL_IF_NULL(p);
589 
590  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
591  "byte_jump:1,0,relative; sid:11;)";
592 
594 
595  UTHFreePacket(p);
596 
597  PASS;
598 }
599 
600 /**
601  * \test Test invalid sig.
602  */
603 static int PayloadTestSig12(void)
604 {
605  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
606  uint16_t buflen = strlen((char *)buf);
607  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
608 
609  FAIL_IF_NULL(p);
610 
611  char sig[] = "alert udp any any -> any any (msg:\"crash\"; "
612  "isdataat:10,relative; sid:11;)";
613 
615 
616  UTHFreePacket(p);
617 
618  PASS;
619 }
620 
621 /**
622  * \test Used to check the working of recursion_limit counter.
623  */
624 static int PayloadTestSig13(void)
625 {
626  uint8_t *buf = (uint8_t *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
627  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
628  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
629  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
630  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
631  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
632  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
633  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
634  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
635  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
636  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
637  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
638  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
639  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
640  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
641  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
642  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
643  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
644  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
645  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
646 
647  uint16_t buflen = strlen((char *)buf);
648  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
649  uint16_t mpm_type = mpm_default_matcher;
650 
651  FAIL_IF_NULL(p);
652 
653  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
654  "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
655  "byte_test:1,>,200,0,relative; sid:1;)";
656 
658  ThreadVars th_v;
660 
661  memset(&dtv, 0, sizeof(DecodeThreadVars));
662  memset(&th_v, 0, sizeof(th_v));
663 
666 
668 
669  de_ctx->flags |= DE_QUIET;
670  de_ctx->mpm_matcher = mpm_type;
671 
672  de_ctx->sig_list = SigInit(de_ctx, sig);
674 
676  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
677 
678  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
679 
681 
682  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
684 
685  UTHFreePacket(p);
686 
687  PASS;
688 }
689 
690 /**
691  * \test normal & negated matching, both absolute and relative
692  */
693 static int PayloadTestSig14(void)
694 {
695  uint8_t *buf = (uint8_t *)"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
696  uint16_t buflen = strlen((char *)buf);
697  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
698 
699  FAIL_IF_NULL(p);
700 
701  char sig[] = "alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
702 
703  //char sig[] = "alert tcp any any -> any any (content:\"User-Agent: Mozilla/5.0 (Macintosh; \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
704 
706 
707  UTHFreePacket(p);
708 
709  PASS;
710 }
711 
712 static int PayloadTestSig15(void)
713 {
714  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
715  uint16_t buflen = strlen((char *)buf);
716  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
717 
718  FAIL_IF_NULL(p);
719 
720  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
721  "content:\"nova\"; isdataat:18,relative; sid:1;)";
722 
724 
725  UTHFreePacket(p);
726 
727  PASS;
728 }
729 
730 static int PayloadTestSig16(void)
731 {
732  uint8_t *buf = (uint8_t *)"this is a super duper nova in super nova now";
733  uint16_t buflen = strlen((char *)buf);
734  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
735 
736  FAIL_IF_NULL(p);
737 
738  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
739  "content:\"nova\"; isdataat:!20,relative; sid:1;)";
740 
742 
743  UTHFreePacket(p);
744 
745  PASS;
746 }
747 
748 static int PayloadTestSig17(void)
749 {
750  uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
751  uint16_t buflen = 9;
752  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
753 
754  FAIL_IF_NULL(p);
755 
756  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
757  "content:\"%\"; depth:4; offset:0; "
758  "content:\"%\"; within:2; distance:1; sid:1;)";
759 
761 
762  UTHFreePacket(p);
763 
764  PASS;
765 }
766 
767 static int PayloadTestSig18(void)
768 {
769  uint8_t buf[] = {
770  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
771  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
772  0x0E, 0x0F,
773  };
774  uint16_t buflen = sizeof(buf);
775  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
776 
777  FAIL_IF_NULL(p);
778 
779  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
780  "content:\"|01 02 03 04|\"; "
781  "byte_extract:1,2,one,string,dec,relative; "
782  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
783 
785 
786  UTHFreePacket(p);
787 
788  PASS;
789 }
790 
791 static int PayloadTestSig19(void)
792 {
793  uint8_t buf[] = {
794  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
795  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
796  0x0E, 0x0F,
797  };
798  uint16_t buflen = sizeof(buf);
799  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
800 
801  FAIL_IF_NULL(p);
802 
803  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
804  "content:\"|01 02 03 04|\"; "
805  "byte_extract:1,2,one,string,hex,relative; "
806  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
807 
809 
810  UTHFreePacket(p);
811 
812  PASS;
813 }
814 
815 static int PayloadTestSig20(void)
816 {
817  uint8_t buf[] = {
818  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
819  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
820  0x0E, 0x0F,
821  };
822  uint16_t buflen = sizeof(buf);
823  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
824 
825  FAIL_IF_NULL(p);
826 
827  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
828  "content:\"|01 02 03 04|\"; "
829  "byte_extract:1,2,one,string,dec,relative; "
830  "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
831 
833 
834  UTHFreePacket(p);
835 
836  PASS;
837 }
838 
839 static int PayloadTestSig21(void)
840 {
841  uint8_t buf[] = {
842  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
843  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
844  0x0E, 0x0F,
845  };
846  uint16_t buflen = sizeof(buf);
847  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
848 
849  FAIL_IF_NULL(p);
850 
851  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
852  "content:\"|01 02 03 04|\"; "
853  "byte_extract:1,2,one,string,dec,relative; "
854  "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
855 
857 
858  UTHFreePacket(p);
859 
860  PASS;
861 }
862 
863 static int PayloadTestSig22(void)
864 {
865  uint8_t buf[] = {
866  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36, /* the last byte is 2 */
867  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
868  0x0E, 0x0F,
869  };
870  uint16_t buflen = sizeof(buf);
871  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
872 
873  FAIL_IF_NULL(p);
874 
875  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
876  "content:\"|01 02 03 04|\"; "
877  "byte_extract:1,2,one,string,dec,relative; "
878  "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
879 
881 
882  UTHFreePacket(p);
883 
884  PASS;
885 }
886 
887 static int PayloadTestSig23(void)
888 {
889  uint8_t buf[] = {
890  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
891  0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
892  0x32, 0x0F,
893  };
894  uint16_t buflen = sizeof(buf);
895  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
896 
897  FAIL_IF_NULL(p);
898 
899  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
900  "content:\"|01 02 03 04|\"; "
901  "byte_extract:1,2,one,string,dec,relative; "
902  "byte_extract:1,3,two,string,dec,relative; "
903  "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
904 
906 
907  UTHFreePacket(p);
908 
909  PASS;
910 }
911 
912 static int PayloadTestSig24(void)
913 {
914  uint8_t buf[] = {
915  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32, /* the last byte is 2 */
916  0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
917  0x0E, 0x0F,
918  };
919  uint16_t buflen = sizeof(buf);
920  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
921 
922  FAIL_IF_NULL(p);
923 
924  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
925  "content:\"|01 02 03 04|\"; "
926  "byte_extract:1,2,one,string,dec,relative; "
927  "byte_jump:1,one,string,dec,relative; "
928  "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
929 
931 
932  UTHFreePacket(p);
933 
934  PASS;
935 }
936 
937 /*
938  * \test Test negative byte extract.
939  */
940 static int PayloadTestSig25(void)
941 {
942  uint8_t buf[] = {
943  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
944  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
945  0x0E, 0x0F,
946  };
947  uint16_t buflen = sizeof(buf);
948  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
949 
950  FAIL_IF_NULL(p);
951 
952  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
953  "content:\"|35 07 08 09|\"; "
954  "byte_extract:1,-4,one,string,dec,relative; "
955  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
956 
958 
959  UTHFreePacket(p);
960 
961  PASS;
962 }
963 
964 /*
965  * \test Test negative byte extract.
966  */
967 static int PayloadTestSig26(void)
968 {
969  uint8_t buf[] = {
970  0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
971  0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
972  0x0E, 0x0F,
973  };
974  uint16_t buflen = sizeof(buf);
975  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
976 
977  FAIL_IF_NULL(p);
978 
979  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
980  "content:\"|35 07 08 09|\"; "
981  "byte_extract:1,-3000,one,string,dec,relative; "
982  "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
983 
985 
986  UTHFreePacket(p);
987 
988  PASS;
989 }
990 
991 /*
992  * \test Test packet/stream sigs
993  */
994 static int PayloadTestSig27(void)
995 {
996  uint8_t buf[] = "dummypayload";
997  uint16_t buflen = sizeof(buf) - 1;
998  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
999 
1000  FAIL_IF_NULL(p);
1001 
1002  char sig[] = "alert tcp any any -> any any (content:\"dummy\"; "
1003  "depth:5; sid:1;)";
1004 
1005  p->flags |= PKT_STREAM_ADD;
1007 
1008  UTHFreePacket(p);
1009 
1010  PASS;
1011 }
1012 
1013 /*
1014  * \test Test packet/stream sigs
1015  */
1016 static int PayloadTestSig28(void)
1017 {
1018  uint8_t buf[] = "dummypayload";
1019  uint16_t buflen = sizeof(buf) - 1;
1020  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1021 
1022  FAIL_IF_NULL(p);
1023 
1024  char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
1025  "offset:4; depth:12; sid:1;)";
1026 
1027  p->flags |= PKT_STREAM_ADD;
1029 
1030  UTHFreePacket(p);
1031 
1032  PASS;
1033 }
1034 
1035 /**
1036  * \test Test pcre recursive matching - bug #529
1037  */
1038 static int PayloadTestSig29(void)
1039 {
1040  uint8_t *buf = (uint8_t *)"this is a super dupernova in super nova now";
1041  uint16_t buflen = strlen((char *)buf);
1042  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1043 
1044  FAIL_IF_NULL(p);
1045 
1046  char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
1047  "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1048 
1050 
1051  UTHFreePacket(p);
1052 
1053  PASS;
1054 }
1055 
1056 static int PayloadTestSig30(void)
1057 {
1058  uint8_t *buf = (uint8_t *)
1059  "xyonexxxxxxtwojunkonetwo";
1060  uint16_t buflen = strlen((char *)buf);
1061  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1062 
1063  FAIL_IF_NULL(p);
1064 
1065  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1066 
1068 
1069  UTHFreePacket(p);
1070 
1071  PASS;
1072 }
1073 
1074 static int PayloadTestSig31(void)
1075 {
1076  uint8_t *buf = (uint8_t *)
1077  "xyonexxxxxxtwojunkonetwo";
1078  uint16_t buflen = strlen((char *)buf);
1079  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1080 
1081  FAIL_IF_NULL(p);
1082 
1083  char sig[] = "alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1084 
1086 
1087  UTHFreePacket(p);
1088 
1089  PASS;
1090 }
1091 
1092 /**
1093  * \test Test byte_jump.
1094  */
1095 static int PayloadTestSig32(void)
1096 {
1097  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1098  uint16_t buflen = strlen((char *)buf);
1099  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1100 
1101  FAIL_IF_NULL(p);
1102 
1103  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1104  "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1105 
1107 
1108  UTHFreePacket(p);
1109 
1110  PASS;
1111 }
1112 
1113 /**
1114  * \test Test byte_test.
1115  */
1116 static int PayloadTestSig33(void)
1117 {
1118  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1119  uint16_t buflen = strlen((char *)buf);
1120  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1121 
1122  FAIL_IF_NULL(p);
1123 
1124  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1125  "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1126 
1128 
1129  UTHFreePacket(p);
1130 
1131  PASS;
1132 }
1133 
1134 /**
1135  * \test Test byte_extract.
1136  */
1137 static int PayloadTestSig34(void)
1138 {
1139  uint8_t *buf = (uint8_t *)"dummy2xxcardmessage";
1140  uint16_t buflen = strlen((char *)buf);
1141  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1142 
1143  FAIL_IF_NULL(p);
1144 
1145  char sig[] = "alert tcp any any -> any any (msg:\"crash\"; "
1146  "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1147 
1149 
1150  UTHFreePacket(p);
1151 
1152  PASS;
1153 }
1154 
1155 #endif /* UNITTESTS */
1156 
1158 {
1159 #ifdef UNITTESTS
1160  UtRegisterTest("PayloadTestSig01", PayloadTestSig01);
1161  UtRegisterTest("PayloadTestSig02", PayloadTestSig02);
1162  UtRegisterTest("PayloadTestSig03", PayloadTestSig03);
1163  UtRegisterTest("PayloadTestSig04", PayloadTestSig04);
1164  UtRegisterTest("PayloadTestSig05", PayloadTestSig05);
1165  UtRegisterTest("PayloadTestSig06", PayloadTestSig06);
1166  UtRegisterTest("PayloadTestSig07", PayloadTestSig07);
1167  UtRegisterTest("PayloadTestSig08", PayloadTestSig08);
1168  UtRegisterTest("PayloadTestSig09", PayloadTestSig09);
1169  UtRegisterTest("PayloadTestSig10", PayloadTestSig10);
1170  UtRegisterTest("PayloadTestSig11", PayloadTestSig11);
1171  UtRegisterTest("PayloadTestSig12", PayloadTestSig12);
1172  UtRegisterTest("PayloadTestSig13", PayloadTestSig13);
1173  UtRegisterTest("PayloadTestSig14", PayloadTestSig14);
1174  UtRegisterTest("PayloadTestSig15", PayloadTestSig15);
1175  UtRegisterTest("PayloadTestSig16", PayloadTestSig16);
1176  UtRegisterTest("PayloadTestSig17", PayloadTestSig17);
1177 
1178  UtRegisterTest("PayloadTestSig18", PayloadTestSig18);
1179  UtRegisterTest("PayloadTestSig19", PayloadTestSig19);
1180  UtRegisterTest("PayloadTestSig20", PayloadTestSig20);
1181  UtRegisterTest("PayloadTestSig21", PayloadTestSig21);
1182  UtRegisterTest("PayloadTestSig22", PayloadTestSig22);
1183  UtRegisterTest("PayloadTestSig23", PayloadTestSig23);
1184  UtRegisterTest("PayloadTestSig24", PayloadTestSig24);
1185  UtRegisterTest("PayloadTestSig25", PayloadTestSig25);
1186  UtRegisterTest("PayloadTestSig26", PayloadTestSig26);
1187  UtRegisterTest("PayloadTestSig27", PayloadTestSig27);
1188  UtRegisterTest("PayloadTestSig28", PayloadTestSig28);
1189  UtRegisterTest("PayloadTestSig29", PayloadTestSig29);
1190 
1191  UtRegisterTest("PayloadTestSig30", PayloadTestSig30);
1192  UtRegisterTest("PayloadTestSig31", PayloadTestSig31);
1193  UtRegisterTest("PayloadTestSig32", PayloadTestSig32);
1194  UtRegisterTest("PayloadTestSig33", PayloadTestSig33);
1195  UtRegisterTest("PayloadTestSig34", PayloadTestSig34);
1196 #endif /* UNITTESTS */
1197 
1198  return;
1199 }
DetectEngineAppInspectionEngine_
Definition: detect.h:398
Packet_::proto
uint8_t proto
Definition: decode.h:442
TcpStream_
Definition: stream-tcp-private.h:94
MpmCtx_::mpm_type
uint8_t mpm_type
Definition: util-mpm.h:90
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1078
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
StreamContentInspectEngineData::de_ctx
DetectEngineCtx * de_ctx
Definition: detect-engine-payload.c:275
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
StreamReassembleRaw
int StreamReassembleRaw(TcpSession *ssn, const Packet *p, StreamReassembleRawFunc Callback, void *cb_data, uint64_t *progress_out, bool respect_inspect_depth)
Definition: stream-tcp-reassemble.c:1779
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1407
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:581
Packet_::payload
uint8_t * payload
Definition: decode.h:560
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:455
Flow_
Flow data structure.
Definition: flow.h:353
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2108
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1149
DetectEngineCtx_::inspection_recursion_limit
int inspection_recursion_limit
Definition: detect.h:874
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:801
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:821
DetectEngineInspectStream
int DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
Definition: detect-engine-payload.c:314
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
DetectEngineThreadCtx_::p
Packet * p
Definition: detect.h:1121
rust.h
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
TcpStream_::flags
uint16_t flags
Definition: stream-tcp-private.h:95
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1775
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:601
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1150
DetectEngineContentInspection
int DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, uint32_t buffer_len, uint32_t stream_start_offset, uint8_t flags, uint8_t inspection_mode)
Run the actual payload match functions.
Definition: detect-engine-content-inspection.c:102
detect-engine-payload.h
Flow_::protoctx
void * protoctx
Definition: flow.h:451
SigMatchData_
Data needed for Match()
Definition: detect.h:330
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:851
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:561
STREAMTCP_STREAM_FLAG_DEPTH_REACHED
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
Definition: stream-tcp-private.h:204
detect-engine-prefilter.h
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
mpm_default_matcher
uint16_t mpm_default_matcher
Definition: util-mpm.c:49
DetectEngineThreadCtx_::mtcs
MpmThreadCtx mtcs
Definition: detect.h:1148
DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM
Definition: detect-engine-content-inspection.h:34
StreamMpmData::mpm_ctx
const MpmCtx * mpm_ctx
Definition: detect-engine-payload.c:54
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineInspectPacketPayload
int DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
Definition: detect-engine-payload.c:147
DetectEngineThreadCtx_
Definition: detect.h:1050
StreamContentInspectData::de_ctx
DetectEngineCtx * de_ctx
Definition: detect-engine-payload.c:218
PKT_STREAM_ADD
#define PKT_STREAM_ADD
Definition: decode.h:1156
StreamMpmData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-payload.c:53
SIG_FLAG_FLUSH
#define SIG_FLAG_FLUSH
Definition: detect.h:228
DetectEngineInspectStreamPayload
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
Definition: detect-engine-payload.c:260
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
StreamContentInspectEngineData::s
const Signature * s
Definition: detect-engine-payload.c:277
DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_MATCH
Definition: detect-engine-state.h:39
PKT_DETECT_HAS_STREAMDATA
#define PKT_DETECT_HAS_STREAMDATA
Definition: decode.h:1200
MpmCtx_::minlen
uint16_t minlen
Definition: util-mpm.h:99
DetectEngineThreadCtx_::raw_stream_progress
uint64_t raw_stream_progress
Definition: detect.h:1074
SCReturn
#define SCReturn
Definition: util-debug.h:302
Signature_::flags
uint32_t flags
Definition: detect.h:547
stream.h
Packet_
Definition: decode.h:420
PrefilterPktPayloadRegister
int PrefilterPktPayloadRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
Definition: detect-engine-payload.c:127
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
util-mpm-ac.h
MpmTableElmt_::Search
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Definition: util-mpm.h:165
DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
Definition: detect-engine-state.h:40
DetectEngineThreadCtx_::mtc
MpmThreadCtx mtc
Definition: detect.h:1146
StreamContentInspectData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-payload.c:219
StreamContentInspectData::f
Flow * f
Definition: detect-engine-payload.c:221
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1932
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
detect-engine-content-inspection.h
DetectEngineThreadCtx_::discontinue_matching
uint16_t discontinue_matching
Definition: detect.h:1113
DetectEngineAppInspectionEngine_::smd
SigMatchData * smd
Definition: detect.h:415
Packet_::flow
struct Flow_ * flow
Definition: decode.h:457
StreamMpmData
Definition: detect-engine-payload.c:52
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3147
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DETECT_CI_FLAGS_SINGLE
#define DETECT_CI_FLAGS_SINGLE
Definition: detect-engine-content-inspection.h:47
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3355
DetectEngineThreadCtx_::inspection_recursion_counter
int inspection_recursion_counter
Definition: detect.h:1126
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:807
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:272
DETECT_ENGINE_INSPECT_SIG_NO_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
Definition: detect-engine-state.h:38
util-validate.h
StreamContentInspectEngineData
Definition: detect-engine-payload.c:274
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:271
StreamContentInspectData
Definition: detect-engine-payload.c:217
StreamContentInspectEngineData::f
Flow * f
Definition: detect-engine-payload.c:279
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:647
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
PrefilterAppendPayloadEngine
int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, void(*PrefilterFunc)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), void *pectx, void(*FreeFunc)(void *pectx), const char *name)
Definition: detect-engine-prefilter.c:236
Signature_::id
uint32_t id
Definition: detect.h:580
StreamContentInspectEngineData::det_ctx
DetectEngineThreadCtx * det_ctx
Definition: detect-engine-payload.c:276
detect-parse.h
Signature_
Signature container.
Definition: detect.h:546
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
Definition: detect-engine-content-inspection.h:32
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2397
mpm_table
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
Definition: util-mpm.c:48
suricata.h
StreamContentInspectData::s
const Signature * s
Definition: detect-engine-payload.c:220
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:802
DetectEngineThreadCtx_::replist
DetectReplaceList * replist
Definition: detect.h:1162
MpmCtx_
Definition: util-mpm.h:88
TcpSession_
Definition: stream-tcp-private.h:260
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
PrefilterPktStreamRegister
int PrefilterPktStreamRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
Definition: detect-engine-payload.c:106
StreamContentInspectEngineData::smd
const SigMatchData * smd
Definition: detect-engine-payload.c:278
PayloadRegisterTests
void PayloadRegisterTests(void)
Definition: detect-engine-payload.c:1157