58 static int StreamMpmFunc(
59 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
65 smd->
det_ctx->stream_mpm_size += data_len;
75 Packet *p,
const void *pectx)
83 SCLogDebug(
"PRE det_ctx->raw_stream_progress %"PRIu64,
87 StreamMpmFunc, &stream_mpm_data,
90 SCLogDebug(
"POST det_ctx->raw_stream_progress %"PRIu64,
113 PrefilterPktStream,
mpm_ctx, NULL,
"stream");
117 Packet *p,
const void *pectx)
136 PrefilterPktPayload,
mpm_ctx, NULL,
"payload");
215 static int StreamContentInspectFunc(
216 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
221 smd->
det_ctx->stream_persig_cnt++;
222 smd->
det_ctx->stream_persig_size += data_len;
257 StreamContentInspectFunc, &inspect_data,
270 static int StreamContentInspectEngineFunc(
271 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
276 smd->det_ctx->stream_persig_cnt++;
277 smd->det_ctx->stream_persig_size += data_len;
281 NULL,
smd->f, data, data_len, 0, 0,
300 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
306 if (p->
proto == IPPROTO_UDP) {
309 }
else if (p->
proto != IPPROTO_TCP)
316 SCLogDebug(
"pre-inspect det_ctx->raw_stream_progress %"PRIu64
" FLUSH? %s",
322 StreamContentInspectEngineFunc, &inspect_data,
325 bool is_last =
false;
326 if (
flags & STREAM_TOSERVER) {
336 SCLogDebug(
"%s ran stream for sid %u on packet %"PRIu64
" and we %s",
338 match ?
"matched" :
"didn't match");
357 static int PayloadTestSig01 (
void)
359 uint8_t *buf = (uint8_t *)
361 uint16_t buflen = strlen((
char *)buf);
366 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
376 static int PayloadTestSig02 (
void)
378 uint8_t *buf = (uint8_t *)
380 uint16_t buflen = strlen((
char *)buf);
385 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
395 static int PayloadTestSig03 (
void)
397 uint8_t *buf = (uint8_t *)
399 uint16_t buflen = strlen((
char *)buf);
404 char sig[] =
"alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
416 static int PayloadTestSig04(
void)
418 uint8_t *buf = (uint8_t *)
"now this is is big big string now";
419 uint16_t buflen = strlen((
char *)buf);
424 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
425 "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
426 "content:\"string\"; within:8; sid:1;)";
438 static int PayloadTestSig05(
void)
440 uint8_t *buf = (uint8_t *)
"now this is is is big big big string now";
441 uint16_t buflen = strlen((
char *)buf);
446 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
447 "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
448 "content:\"string\"; within:8; sid:1;)";
460 static int PayloadTestSig06(
void)
462 uint8_t *buf = (uint8_t *)
"this this now is is big string now";
463 uint16_t buflen = strlen((
char *)buf);
468 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
469 "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
470 "content:\"string\"; within:8; sid:1;)";
482 static int PayloadTestSig07(
void)
484 uint8_t *buf = (uint8_t *)
" thus thus is a big";
485 uint16_t buflen = strlen((
char *)buf);
490 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
491 "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
504 static int PayloadTestSig08(
void)
506 uint8_t *buf = (uint8_t *)
"we need to fix this and yes fix this now";
507 uint16_t buflen = strlen((
char *)buf);
512 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
513 "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
525 static int PayloadTestSig09(
void)
527 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
528 uint16_t buflen = strlen((
char *)buf);
533 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
534 "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
546 static int PayloadTestSig10(
void)
548 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
549 uint16_t buflen = strlen((
char *)buf);
554 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
555 "byte_test:4,>,2,0,relative; sid:11;)";
567 static int PayloadTestSig11(
void)
569 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
570 uint16_t buflen = strlen((
char *)buf);
575 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
576 "byte_jump:1,0,relative; sid:11;)";
588 static int PayloadTestSig12(
void)
590 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
591 uint16_t buflen = strlen((
char *)buf);
596 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
597 "isdataat:10,relative; sid:11;)";
609 static int PayloadTestSig13(
void)
611 uint8_t *buf = (uint8_t *)
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
612 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
613 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
614 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
615 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
616 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
617 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
618 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
619 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
620 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
621 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
622 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
623 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
624 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
625 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
626 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
627 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
628 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
629 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
630 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
632 uint16_t buflen = strlen((
char *)buf);
638 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
639 "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
640 "byte_test:1,>,200,0,relative; sid:1;)";
647 memset(&th_v, 0,
sizeof(th_v));
674 static int PayloadTestSig14(
void)
676 uint8_t *buf = (uint8_t *)
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
677 uint16_t buflen = strlen((
char *)buf);
682 char sig[] =
"alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
693 static int PayloadTestSig15(
void)
695 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
696 uint16_t buflen = strlen((
char *)buf);
701 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
702 "content:\"nova\"; isdataat:18,relative; sid:1;)";
711 static int PayloadTestSig16(
void)
713 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
714 uint16_t buflen = strlen((
char *)buf);
719 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
720 "content:\"nova\"; isdataat:!20,relative; sid:1;)";
729 static int PayloadTestSig17(
void)
731 uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
737 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
738 "content:\"%\"; depth:4; offset:0; "
739 "content:\"%\"; within:2; distance:1; sid:1;)";
748 static int PayloadTestSig18(
void)
751 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
752 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
755 uint16_t buflen =
sizeof(buf);
760 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
761 "content:\"|01 02 03 04|\"; "
762 "byte_extract:1,2,one,string,dec,relative; "
763 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
772 static int PayloadTestSig19(
void)
775 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
776 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
779 uint16_t buflen =
sizeof(buf);
784 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
785 "content:\"|01 02 03 04|\"; "
786 "byte_extract:1,2,one,string,hex,relative; "
787 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
796 static int PayloadTestSig20(
void)
799 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
800 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
803 uint16_t buflen =
sizeof(buf);
808 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
809 "content:\"|01 02 03 04|\"; "
810 "byte_extract:1,2,one,string,dec,relative; "
811 "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
820 static int PayloadTestSig21(
void)
823 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
824 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
827 uint16_t buflen =
sizeof(buf);
832 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
833 "content:\"|01 02 03 04|\"; "
834 "byte_extract:1,2,one,string,dec,relative; "
835 "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
844 static int PayloadTestSig22(
void)
847 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
848 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
851 uint16_t buflen =
sizeof(buf);
856 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
857 "content:\"|01 02 03 04|\"; "
858 "byte_extract:1,2,one,string,dec,relative; "
859 "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
868 static int PayloadTestSig23(
void)
871 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
872 0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
875 uint16_t buflen =
sizeof(buf);
880 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
881 "content:\"|01 02 03 04|\"; "
882 "byte_extract:1,2,one,string,dec,relative; "
883 "byte_extract:1,3,two,string,dec,relative; "
884 "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
893 static int PayloadTestSig24(
void)
896 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
897 0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
900 uint16_t buflen =
sizeof(buf);
905 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
906 "content:\"|01 02 03 04|\"; "
907 "byte_extract:1,2,one,string,dec,relative; "
908 "byte_jump:1,one,string,dec,relative; "
909 "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
921 static int PayloadTestSig25(
void)
924 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
925 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
928 uint16_t buflen =
sizeof(buf);
933 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
934 "content:\"|35 07 08 09|\"; "
935 "byte_extract:1,-4,one,string,dec,relative; "
936 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
948 static int PayloadTestSig26(
void)
951 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
952 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
955 uint16_t buflen =
sizeof(buf);
960 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
961 "content:\"|35 07 08 09|\"; "
962 "byte_extract:1,-3000,one,string,dec,relative; "
963 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
975 static int PayloadTestSig27(
void)
977 uint8_t buf[] =
"dummypayload";
978 uint16_t buflen =
sizeof(buf) - 1;
983 char sig[] =
"alert tcp any any -> any any (content:\"dummy\"; "
997 static int PayloadTestSig28(
void)
999 uint8_t buf[] =
"dummypayload";
1000 uint16_t buflen =
sizeof(buf) - 1;
1005 char sig[] =
"alert tcp any any -> any any (content:\"payload\"; "
1006 "offset:4; depth:12; sid:1;)";
1019 static int PayloadTestSig29(
void)
1021 uint8_t *buf = (uint8_t *)
"this is a super dupernova in super nova now";
1022 uint16_t buflen = strlen((
char *)buf);
1027 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1028 "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1037 static int PayloadTestSig30(
void)
1039 uint8_t *buf = (uint8_t *)
1040 "xyonexxxxxxtwojunkonetwo";
1041 uint16_t buflen = strlen((
char *)buf);
1046 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1055 static int PayloadTestSig31(
void)
1057 uint8_t *buf = (uint8_t *)
1058 "xyonexxxxxxtwojunkonetwo";
1059 uint16_t buflen = strlen((
char *)buf);
1064 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1076 static int PayloadTestSig32(
void)
1078 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1079 uint16_t buflen = strlen((
char *)buf);
1084 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1085 "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1097 static int PayloadTestSig33(
void)
1099 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1100 uint16_t buflen = strlen((
char *)buf);
1105 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1106 "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1118 static int PayloadTestSig34(
void)
1120 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1121 uint16_t buflen = strlen((
char *)buf);
1126 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1127 "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
1.8.18