suricata
detect-engine-sigorder.c
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Signature ordering part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "detect.h"
28 #include "detect-xbits.h"
29 #include "detect-flowbits.h"
30 #include "detect-flowint.h"
31 #include "detect-parse.h"
32 #include "detect-engine-sigorder.h"
33 #include "detect-pcre.h"
34 #include "detect-engine-build.h"
35 
36 #include "util-unittest.h"
37 #include "util-unittest-helper.h"
38 #include "util-debug.h"
39 #include "util-action.h"
40 #include "action-globals.h"
41 #include "flow-util.h"
42 #include "util-validate.h"
43 
44 #define DETECT_FLOWVAR_NOT_USED 1
45 #define DETECT_FLOWVAR_TYPE_READ 2
46 #define DETECT_FLOWVAR_TYPE_SET_READ 3
47 #define DETECT_FLOWVAR_TYPE_SET 4
48 
49 #define DETECT_PKTVAR_NOT_USED 1
50 #define DETECT_PKTVAR_TYPE_READ 2
51 #define DETECT_PKTVAR_TYPE_SET_READ 3
52 #define DETECT_PKTVAR_TYPE_SET 4
53 
54 #define DETECT_FLOWBITS_NOT_USED 1
55 #define DETECT_FLOWBITS_TYPE_READ 2
56 #define DETECT_FLOWBITS_TYPE_SET_READ 3
57 #define DETECT_FLOWBITS_TYPE_SET 4
58 
59 #define DETECT_FLOWINT_NOT_USED 1
60 #define DETECT_FLOWINT_TYPE_READ 2
61 #define DETECT_FLOWINT_TYPE_SET_READ 3
62 #define DETECT_FLOWINT_TYPE_SET 4
63 
64 #define DETECT_XBITS_NOT_USED 1
65 #define DETECT_XBITS_TYPE_READ 2
66 #define DETECT_XBITS_TYPE_SET_READ 3
67 #define DETECT_XBITS_TYPE_SET 4
68 
69 /**
70  * \brief Different kinds of helper data that can be used by the signature
71  * ordering module. Used by the "user" field in SCSigSignatureWrapper
72  */
73 typedef enum {
82 
83 /**
84  * \brief Signature wrapper used by signature ordering module while ordering
85  * signatures
86  */
87 typedef struct SCSigSignatureWrapper_ {
88  /* the wrapped signature */
90 
91  /* user data that is to be associated with this sigwrapper */
93 
96 
97 /**
98  * \brief Structure holding the signature ordering function used by the
99  * signature ordering module
100  */
101 typedef struct SCSigOrderFunc_ {
102  /* Pointer to the Signature Ordering function */
104 
107 
/**
 * \brief Registers a keyword-based, signature ordering function
 *
 * The function is appended to de_ctx->sc_sig_order_funcs, so the order of
 * registration is the order in which the comparisons are tried. A function
 * that is already on the list is not added a second time.
 *
 * NOTE(review): the second parameter line is missing from the listing this
 * block was taken from; its type is reconstructed from how SWCompare is
 * stored and invoked elsewhere in this file.
 *
 * \param de_ctx    Pointer to the detection engine context from which the
 *                  signatures have to be ordered.
 * \param SWCompare Pointer to the signature ordering function. It receives
 *                  two SCSigSignatureWrapper pointers and returns an int;
 *                  SCSigLessThan() treats a positive value as "first
 *                  argument sorts first", a negative value as the opposite
 *                  and zero as a tie.
 */
static void SCSigRegisterSignatureOrderingFunc(DetectEngineCtx *de_ctx,
        int (*SWCompare)(SCSigSignatureWrapper *sw1, SCSigSignatureWrapper *sw2))
{
    SCSigOrderFunc *tail = NULL;

    /* Look for a duplicate while remembering the last node of the list. */
    for (SCSigOrderFunc *it = de_ctx->sc_sig_order_funcs; it != NULL; it = it->next) {
        if (it->SWCompare == SWCompare) {
            /* Already specified this compare */
            return;
        }
        tail = it;
    }

    SCSigOrderFunc *node = SCCalloc(1, sizeof(SCSigOrderFunc));
    if (node == NULL) {
        FatalError("Fatal error encountered in SCSigRegisterSignatureOrderingFunc. Exiting...");
    }
    node->SWCompare = SWCompare;

    /* Append at the end; node->next is already NULL from SCCalloc. */
    if (tail != NULL) {
        tail->next = node;
    } else {
        de_ctx->sc_sig_order_funcs = node;
    }
}
151 
152 /**
153  * \brief Returns the flowbit type set for this signature. If more than one
154  * flowbit has been set for the same rule, we return the flowbit type of
155  * the maximum priority/value, where priority/value is maximum for the
156  * ones that set the value and the lowest for ones that read the value.
157  * If no flowbit has been set for the rule, we return 0, which indicates
158  * the least value amongst flowbit types.
159  *
160  * \param sig Pointer to the Signature from which the flowbit value has to be
161  * returned.
162  *
163  * \retval flowbits The flowbits type for this signature if it is set; if it is
164  * not set, return 0
165  */
166 static inline int SCSigGetFlowbitsType(Signature *sig)
167 {
 /* Classifies how this signature uses flowbits. Two walks over SigMatch
  * lists fill the `read` and `write` counters, which are then mapped to one
  * of the DETECT_FLOWBITS_* values defined near the top of the file.
  *
  * NOTE(review): this listing skips source lines 172, 178, 190 and 194, so
  * the initialisation of `sm` before each walk and part of each command
  * test are not visible here.
  * NOTE(review): the header comment says 0 is returned when no flowbit is
  * used; the code starts from DETECT_FLOWBITS_NOT_USED, which is defined
  * as 1. */
168  DetectFlowbitsData *fb = NULL;
169  int flowbits_user_type = DETECT_FLOWBITS_NOT_USED;
170  int read = 0;
171  int write = 0;
173 
 /* First walk: commands that test a bit count as reads. A command that
  * falls through to the else branch trips BUG_ON only when DEBUG is
  * defined; otherwise it is not counted at all. */
174  while (sm != NULL) {
175  if (sm->type == DETECT_FLOWBITS) {
176  fb = (DetectFlowbitsData *)sm->ctx;
177  if (fb->cmd == DETECT_FLOWBITS_CMD_ISNOTSET ||
179  read++;
180  } else {
181 #ifdef DEBUG
182  BUG_ON(1);
183 #endif
184  }
185  }
186 
187  sm = sm->next;
188  }
189 
 /* Second walk: increments `write`; the condition guarding it is on a line
  * this listing does not show. */
191  while (sm != NULL) {
192  if (sm->type == DETECT_FLOWBITS) {
193  fb = (DetectFlowbitsData *)sm->ctx;
195  write++;
196  } else {
197 #ifdef DEBUG
198  BUG_ON(1);
199 #endif
200  }
201  }
202 
203  sm = sm->next;
204  }
205 
 /* read only -> READ, write only -> SET, both -> SET_READ; with neither the
  * initial NOT_USED value is kept. */
206  if (read > 0 && write == 0) {
207  flowbits_user_type = DETECT_FLOWBITS_TYPE_READ;
208  } else if (read == 0 && write > 0) {
209  flowbits_user_type = DETECT_FLOWBITS_TYPE_SET;
210  } else if (read > 0 && write > 0) {
211  flowbits_user_type = DETECT_FLOWBITS_TYPE_SET_READ;
212  }
213 
214  SCLogDebug("Sig %s typeval %d", sig->msg, flowbits_user_type);
215 
216  return flowbits_user_type;
217 }
218 
219 static inline int SCSigGetFlowintType(Signature *sig)
220 {
 /* Classifies how this signature uses flowint. Two walks over SigMatch
  * lists fill the `read` and `write` counters, which are then mapped to one
  * of the DETECT_FLOWINT_* values defined near the top of the file.
  *
  * NOTE(review): this listing skips source lines 225, 230-234, 246 and
  * 251-252, so the initialisation of `sm` before each walk and most of the
  * modifier tests are not visible here. */
221  DetectFlowintData *fi = NULL;
222  int flowint_user_type = DETECT_FLOWINT_NOT_USED;
223  int read = 0;
224  int write = 0;
226 
 /* First walk: increments `read`. A modifier that falls through to the else
  * branch trips BUG_ON only when DEBUG is defined; otherwise it is not
  * counted at all. */
227  while (sm != NULL) {
228  if (sm->type == DETECT_FLOWINT) {
229  fi = (DetectFlowintData *)sm->ctx;
235  read++;
236  } else {
237 #ifdef DEBUG
238  BUG_ON(1);
239 #endif
240  }
241  }
242 
243  sm = sm->next;
244  }
245 
 /* Second walk: FLOWINT_MODIFIER_SET (and the alternatives on the lines not
  * shown) count as writes. */
247  while (sm != NULL) {
248  if (sm->type == DETECT_FLOWINT) {
249  fi = (DetectFlowintData *)sm->ctx;
250  if (fi->modifier == FLOWINT_MODIFIER_SET ||
253  write++;
254  } else {
255 #ifdef DEBUG
256  BUG_ON(1);
257 #endif
258  }
259  }
260 
261  sm = sm->next;
262  }
263 
 /* read only -> READ, write only -> SET, both -> SET_READ; with neither the
  * initial NOT_USED value is kept. */
264  if (read > 0 && write == 0) {
265  flowint_user_type = DETECT_FLOWINT_TYPE_READ;
266  } else if (read == 0 && write > 0) {
267  flowint_user_type = DETECT_FLOWINT_TYPE_SET;
268  } else if (read > 0 && write > 0) {
269  flowint_user_type = DETECT_FLOWINT_TYPE_SET_READ;
270  }
271 
272  SCLogDebug("Sig %s typeval %d", sig->msg, flowint_user_type);
273 
274  return flowint_user_type;
275 }
276 
277 /**
278  * \brief Returns whether the flowvar set for this rule, sets the flowvar or
279  * reads the flowvar. If the rule sets the flowvar the function returns
280  * DETECT_FLOWVAR_TYPE_SET(3), if it reads the flowvar the function
281  * returns DETECT_FLOWVAR_TYPE_READ(2), and if flowvar is not used in this
282  * rule the function returns DETECT_FLOWVAR_NOT_USED(1)
283  *
284  * \param sig Pointer to the Signature from which the flowvar type has to be
285  * returned.
286  *
287  * \retval type DETECT_FLOWVAR_TYPE_SET(3) if the rule sets the flowvar,
288  * DETECT_FLOWVAR_TYPE_READ(2) if it reads, and
289  * DETECT_FLOWVAR_NOT_USED(1) if flowvar is not used.
290  */
291 static inline int SCSigGetFlowvarType(Signature *sig)
292 {
 /* Classifies how this signature uses flowvars: a pcre match with a
  * flowvar capture counts as a write, a DETECT_FLOWVAR match counts as a
  * read.
  *
  * NOTE(review): this listing skips source lines 294, 297, 314, 325, 327
  * and 329, so the declaration of `type`, the initialisation of `sm` before
  * each walk and the three assignments in the final if-chain are not
  * visible here.
  * NOTE(review): the numeric values quoted in the header comment do not
  * match the #defines near the top of the file, where
  * DETECT_FLOWVAR_TYPE_SET is 4 and DETECT_FLOWVAR_TYPE_SET_READ is 3. */
293  DetectPcreData *pd = NULL;
295  int read = 0;
296  int write = 0;
298 
 /* First walk: the ctx pointer is cast for every entry but only
  * dereferenced for DETECT_PCRE entries. One flowvar capture is enough to
  * count the pcre as a write, hence the break. */
299  while (sm != NULL) {
300  pd = (DetectPcreData *)sm->ctx;
301  if (sm->type == DETECT_PCRE) {
302  uint8_t x;
303  for (x = 0; x < pd->idx; x++) {
304  if (pd->captypes[x] == VAR_TYPE_FLOW_VAR) {
305  write++;
306  break;
307  }
308  }
309  }
310 
311  sm = sm->next;
312  }
313 
 /* Second walk: every DETECT_FLOWVAR entry counts as a read. */
315  pd = NULL;
316  while (sm != NULL) {
317  if (sm->type == DETECT_FLOWVAR) {
318  read++;
319  }
320 
321  sm = sm->next;
322  }
323 
324  if (read > 0 && write == 0) {
326  } else if (read == 0 && write > 0) {
328  } else if (read > 0 && write > 0) {
330  }
331 
332  return type;
333 }
334 
335 /**
336  * \brief Returns whether the pktvar set for this rule, sets the pktvar or
337  * reads the pktvar. If the rule sets the pktvar the function returns
338  * DETECT_PKTVAR_TYPE_SET(3), if it reads the pktvar the function
339  * returns DETECT_PKTVAR_TYPE_READ(2), and if pktvar is not used in this
340  * rule the function returns DETECT_PKTVAR_NOT_USED(1)
341  *
342  * \param sig Pointer to the Signature from which the pktvar type has to be
343  * returned.
344  *
345  * \retval type DETECT_PKTVAR_TYPE_SET(3) if the rule sets the pktvar,
346  * DETECT_PKTVAR_TYPE_READ(2) if it reads, and
347  * DETECT_PKTVAR_NOT_USED(1) if pktvar is not used.
348  */
349 static inline int SCSigGetPktvarType(Signature *sig)
350 {
 /* Classifies how this signature uses pktvars: a pcre match with a pktvar
  * capture counts as a write, a DETECT_PKTVAR match counts as a read.
  *
  * NOTE(review): this listing skips source lines 352, 355, 372, 383, 385
  * and 387, so the declaration of `type`, the initialisation of `sm` before
  * each walk and the three assignments in the final if-chain are not
  * visible here.
  * NOTE(review): the numeric values quoted in the header comment do not
  * match the #defines near the top of the file, where
  * DETECT_PKTVAR_TYPE_SET is 4 and DETECT_PKTVAR_TYPE_SET_READ is 3. */
351  DetectPcreData *pd = NULL;
353  int read = 0;
354  int write = 0;
356 
 /* First walk: the ctx pointer is cast for every entry but only
  * dereferenced for DETECT_PCRE entries. One pktvar capture is enough to
  * count the pcre as a write, hence the break. */
357  while (sm != NULL) {
358  pd = (DetectPcreData *)sm->ctx;
359  if (sm->type == DETECT_PCRE) {
360  uint8_t x;
361  for (x = 0; x < pd->idx; x++) {
362  if (pd->captypes[x] == VAR_TYPE_PKT_VAR) {
363  write++;
364  break;
365  }
366  }
367  }
368 
369  sm = sm->next;
370  }
371 
 /* Second walk: every DETECT_PKTVAR entry counts as a read. */
373  pd = NULL;
374  while (sm != NULL) {
375  if (sm->type == DETECT_PKTVAR) {
376  read++;
377  }
378 
379  sm = sm->next;
380  }
381 
382  if (read > 0 && write == 0) {
384  } else if (read == 0 && write > 0) {
386  } else if (read > 0 && write > 0) {
388  }
389 
390  return type;
391 }
392 
393 /**
394  * \brief Returns the xbit type set for this signature. If more than one
395  * xbit has been set for the same rule, we return the xbit type of
396  * the maximum priority/value, where priority/value is maximum for the
397  * ones that set the value and the lowest for ones that read the value.
398  * If no xbit has been set for the rule, we return 0, which indicates
399  * the least value amongst xbit types.
400  *
401  * \param sig Pointer to the Signature from which the xbit value has to be
402  * returned.
403  *
404  * \retval xbits The xbits type for this signature if it is set; if it is
405  * not set, return 0
406  */
407 static inline int SCSigGetXbitsType(Signature *sig, enum VarTypes type)
408 {
 /* Classifies how this signature uses xbits of the given variable type
  * (the callers in this file pass VAR_TYPE_HOST_BIT and
  * VAR_TYPE_IPPAIR_BIT). Two walks over SigMatch lists fill the `read` and
  * `write` counters, which are then mapped to one of the DETECT_XBITS_*
  * values defined near the top of the file.
  *
  * NOTE(review): this listing skips source lines 413 and 433, so the
  * initialisation of `sm` before each walk is not visible here.
  * NOTE(review): the header comment says 0 is returned when no xbit is
  * used; the code starts from DETECT_XBITS_NOT_USED, which is defined as 1.
  * NOTE(review): the read walk only considers entries of type DETECT_XBITS
  * while the write walk only considers entries of type DETECT_HOSTBITS,
  * although both filter on the same fb->type. If set/unset/toggle commands
  * can also arrive as DETECT_XBITS (or isset/isnotset as DETECT_HOSTBITS),
  * they are not counted, and a rule that sets a bit would not be ordered
  * ahead of the rules that test it -- confirm against the keyword
  * registration. */
409  DetectXbitsData *fb = NULL;
410  int xbits_user_type = DETECT_XBITS_NOT_USED;
411  int read = 0;
412  int write = 0;
414 
 /* Read walk: isset/isnotset on a matching fb->type. Any other command
  * trips BUG_ON only when DEBUG is defined; otherwise it is not counted. */
415  while (sm != NULL) {
416  if (sm->type == DETECT_XBITS) {
417  fb = (DetectXbitsData *)sm->ctx;
418  if (fb->type == type) {
419  if (fb->cmd == DETECT_XBITS_CMD_ISNOTSET ||
420  fb->cmd == DETECT_XBITS_CMD_ISSET) {
421  read++;
422  } else {
423 #ifdef DEBUG
424  BUG_ON(1);
425 #endif
426  }
427  }
428  }
429 
430  sm = sm->next;
431  }
432 
 /* Write walk: set/unset/toggle on a matching fb->type. */
434  while (sm != NULL) {
435  if (sm->type == DETECT_HOSTBITS) {
436  fb = (DetectXbitsData *)sm->ctx;
437  if (fb->type == type) {
438  if (fb->cmd == DETECT_XBITS_CMD_SET ||
439  fb->cmd == DETECT_XBITS_CMD_UNSET ||
440  fb->cmd == DETECT_XBITS_CMD_TOGGLE) {
441  write++;
442  } else {
443 #ifdef DEBUG
444  BUG_ON(1);
445 #endif
446  }
447  }
448  }
449 
450  sm = sm->next;
451  }
452 
 /* read only -> READ, write only -> SET, both -> SET_READ; with neither the
  * initial NOT_USED value is kept. */
453  if (read > 0 && write == 0) {
454  xbits_user_type = DETECT_XBITS_TYPE_READ;
455  } else if (read == 0 && write > 0) {
456  xbits_user_type = DETECT_XBITS_TYPE_SET;
457  } else if (read > 0 && write > 0) {
458  xbits_user_type = DETECT_XBITS_TYPE_SET_READ;
459  }
460 
461  SCLogDebug("Sig %s typeval %d", sig->msg, xbits_user_type);
462 
463  return xbits_user_type;
464 }
465 
/**
 * \brief Computes the flowbits usage type of the wrapped signature once and
 *        stores it in the wrapper, so the compare functions do not have to
 *        walk the signature again.
 *
 * \param sw The sigwrapper/signature for which the flowbits data has to be
 *           cached
 */
static inline void SCSigProcessUserDataForFlowbits(SCSigSignatureWrapper *sw)
{
    const int flowbits_type = SCSigGetFlowbitsType(sw->sig);

    sw->user[DETECT_SIGORDER_FLOWBITS] = flowbits_type;
}
477 
/**
 * \brief Computes the flowvar usage type of the wrapped signature once and
 *        stores it in the wrapper, so the compare functions do not have to
 *        walk the signature again.
 *
 * \param sw The sigwrapper/signature for which the flowvar data has to be
 *           cached
 */
static inline void SCSigProcessUserDataForFlowvar(SCSigSignatureWrapper *sw)
{
    const int flowvar_type = SCSigGetFlowvarType(sw->sig);

    sw->user[DETECT_SIGORDER_FLOWVAR] = flowvar_type;
}
489 
/**
 * \brief Computes the flowint usage type of the wrapped signature once and
 *        stores it in the wrapper, so the compare functions do not have to
 *        walk the signature again.
 *
 * \param sw The sigwrapper/signature for which the flowint data has to be
 *           cached
 */
static inline void SCSigProcessUserDataForFlowint(SCSigSignatureWrapper *sw)
{
    const int flowint_type = SCSigGetFlowintType(sw->sig);

    sw->user[DETECT_SIGORDER_FLOWINT] = flowint_type;
}
494 
/**
 * \brief Computes the pktvar usage type of the wrapped signature once and
 *        stores it in the wrapper, so the compare functions do not have to
 *        walk the signature again.
 *
 * \param sw The sigwrapper/signature for which the pktvar data has to be
 *           cached
 */
static inline void SCSigProcessUserDataForPktvar(SCSigSignatureWrapper *sw)
{
    const int pktvar_type = SCSigGetPktvarType(sw->sig);

    sw->user[DETECT_SIGORDER_PKTVAR] = pktvar_type;
}
506 
/**
 * \brief Computes the hostbits usage type of the wrapped signature once and
 *        stores it in the wrapper, so the compare functions do not have to
 *        walk the signature again.
 *
 * \param sw The sigwrapper/signature for which the hostbits data has to be
 *           cached
 */
static inline void SCSigProcessUserDataForHostbits(SCSigSignatureWrapper *sw)
{
    const int hostbits_type = SCSigGetXbitsType(sw->sig, VAR_TYPE_HOST_BIT);

    sw->user[DETECT_SIGORDER_HOSTBITS] = hostbits_type;
}
518 
/**
 * \brief Computes the ippairbits usage type of the wrapped signature once
 *        and stores it in the wrapper, so the compare functions do not have
 *        to walk the signature again.
 *
 * \param sw The sigwrapper/signature for which the ippairbits data has to be
 *           cached
 */
static inline void SCSigProcessUserDataForIPPairbits(SCSigSignatureWrapper *sw)
{
    const int ippairbits_type = SCSigGetXbitsType(sw->sig, VAR_TYPE_IPPAIR_BIT);

    sw->user[DETECT_SIGORDER_IPPAIRBITS] = ippairbits_type;
}
530 
/* Return 1 if sw1 comes before sw2 in the final list, 0 otherwise.
 *
 * The compare functions are tried in list order and the first non-zero
 * result decides: positive puts sw1 first, negative puts sw2 first. When
 * every function reports a tie, the lower signature id goes first, which
 * keeps the resulting order deterministic.
 *
 * NOTE(review): the sw2 parameter line is missing from the listing this block
 * was taken from; it is restored from its use in the body and from the call
 * in SCSigOrder(). */
static int SCSigLessThan(SCSigSignatureWrapper *sw1,
        SCSigSignatureWrapper *sw2,
        SCSigOrderFunc *cmp_func_list)
{
    for (SCSigOrderFunc *cmp = cmp_func_list; cmp != NULL; cmp = cmp->next) {
        const int delta = cmp->SWCompare(sw1, sw2);
        if (delta != 0) {
            return delta > 0;
        }
    }

    // They are equal, so use sid as the final decider.
    return sw1->sig->id < sw2->sig->id;
}
550 
/* Merge sort of a wrapper list, driven by a list of compare functions.
 *
 * The input list is consumed: its nodes are relinked and the head of the
 * sorted list is returned. The split reverses node order, which is harmless
 * because SCSigLessThan() falls back to the signature id on ties.
 * The debug asserts are here to guide scan-build. */
static SCSigSignatureWrapper *SCSigOrder(SCSigSignatureWrapper *sw,
        SCSigOrderFunc *cmp_func_list)
{
    DEBUG_VALIDATE_BUG_ON(sw == NULL);

    SCSigSignatureWrapper *left = NULL;
    SCSigSignatureWrapper *right = NULL;

    /* Deal the nodes alternately onto two stacks, starting with `left`. */
    for (int to_left = 1; sw != NULL; to_left = !to_left) {
        SCSigSignatureWrapper *node = sw;
        sw = sw->next;
        if (to_left) {
            node->next = left;
            left = node;
        } else {
            node->next = right;
            right = node;
        }
    }
    if (right == NULL) {
        /* Only zero or one element on the list. */
        return left;
    }
    DEBUG_VALIDATE_BUG_ON(left == NULL);

    /* Sort both halves. */
    left = SCSigOrder(left, cmp_func_list);
    right = SCSigOrder(right, cmp_func_list);
    DEBUG_VALIDATE_BUG_ON(left == NULL);
    DEBUG_VALIDATE_BUG_ON(right == NULL);

    /* Merge: `link` always points at the slot where the next node goes. */
    SCSigSignatureWrapper *head = NULL;
    SCSigSignatureWrapper **link = &head;
    while (left != NULL && right != NULL) {
        SCSigSignatureWrapper *pick;
        if (SCSigLessThan(left, right, cmp_func_list)) {
            pick = left;
            left = left->next;
        } else {
            pick = right;
            right = right->next;
        }
        pick->next = NULL;
        *link = pick;
        link = &pick->next;
    }

    /* Exactly one half is exhausted here; attach what is left of the other. */
    *link = (left != NULL) ? left : right;

    return head;
}
621 
/**
 * \brief Compares two signatures by the order value of their action
 *
 * NOTE(review): the sw2 parameter line is missing from the listing this block
 * was taken from; it is restored from its use in the body.
 *
 * \param sw1 First signature wrapper
 * \param sw2 Second signature wrapper
 *
 * \retval ActionOrderVal() of sw2's action minus that of sw1's action; a
 *         positive value makes SCSigLessThan() place sw1 first, so the
 *         signature with the lower order value sorts first.
 */
static int SCSigOrderByActionCompare(SCSigSignatureWrapper *sw1,
        SCSigSignatureWrapper *sw2)
{
    const int order2 = ActionOrderVal(sw2->sig->action);
    const int order1 = ActionOrderVal(sw1->sig->action);

    return order2 - order1;
}
634 
635 /**
636  * \brief Orders an incoming Signature based on its flowbits type
637  *
638  * \param de_ctx Pointer to the detection engine context from which the
639  * signatures have to be ordered.
640  * \param sw The new signature that has to be ordered based on its flowbits
641  */
642 static int SCSigOrderByFlowbitsCompare(SCSigSignatureWrapper *sw1,
644 {
 /* NOTE(review): this listing skips source lines 643 and 645, presumably
  * the second parameter and the return statement, so the comparison itself
  * is not visible here. */
646 }
647 
648 /**
649  * \brief Orders an incoming Signature based on its flowvar type
650  *
651  * \param de_ctx Pointer to the detection engine context from which the
652  * signatures have to be ordered.
653  * \param sw The new signature that has to be ordered based on its flowvar
654  */
655 static int SCSigOrderByFlowvarCompare(SCSigSignatureWrapper *sw1,
657 {
 /* NOTE(review): this listing skips source lines 656 and 658, presumably
  * the second parameter and the return statement, so the comparison itself
  * is not visible here. */
659 }
660 
661 /**
662  * \brief Orders an incoming Signature based on its pktvar type
663  *
664  * \param de_ctx Pointer to the detection engine context from which the
665  * signatures have to be ordered.
666  * \param sw The new signature that has to be ordered based on its pktvar
667  */
668 static int SCSigOrderByPktvarCompare(SCSigSignatureWrapper *sw1,
670 {
 /* NOTE(review): this listing skips source lines 669 and 671, presumably
  * the second parameter and the return statement, so the comparison itself
  * is not visible here. */
672 }
673 
674 static int SCSigOrderByFlowintCompare(SCSigSignatureWrapper *sw1,
676 {
 /* NOTE(review): this listing skips source lines 675 and 677, presumably
  * the second parameter and the return statement, so the comparison itself
  * is not visible here. */
678 }
679 
680 /**
681  * \brief Orders an incoming Signature based on its hostbits type
682  *
683  * \param de_ctx Pointer to the detection engine context from which the
684  * signatures have to be ordered.
685  * \param sw The new signature that has to be ordered based on its hostbits
686  */
687 static int SCSigOrderByHostbitsCompare(SCSigSignatureWrapper *sw1,
689 {
 /* NOTE(review): this listing skips source lines 688 and 690, presumably
  * the second parameter and the return statement, so the comparison itself
  * is not visible here. */
691 }
692 
693 /**
694  * \brief Orders an incoming Signature based on its ippairbits (xbits) type
695  *
696  * \param de_ctx Pointer to the detection engine context from which the
697  * signatures have to be ordered.
698  * \param sw The new signature that has to be ordered based on its bits
699  */
700 static int SCSigOrderByIPPairbitsCompare(SCSigSignatureWrapper *sw1,
702 {
 /* NOTE(review): this listing skips source lines 701 and 703, presumably
  * the second parameter and the return statement, so the comparison itself
  * is not visible here. */
704 }
705 
/**
 * \brief Compares two signatures by their priority value
 *
 * NOTE(review): the sw2 parameter line is missing from the listing this block
 * was taken from; it is restored from its use in the body.
 *
 * \param sw1 First signature wrapper
 * \param sw2 Second signature wrapper
 *
 * \retval 1 if sw1 has the numerically lower prio (sw1 sorts first),
 *         -1 if it has the higher one, 0 if both are equal.
 */
static int SCSigOrderByPriorityCompare(SCSigSignatureWrapper *sw1,
        SCSigSignatureWrapper *sw2)
{
    if (sw1->sig->prio < sw2->sig->prio) {
        return 1;
    }
    if (sw1->sig->prio > sw2->sig->prio) {
        return -1;
    }
    return 0;
}
723 
/**
 * \brief Compares two signatures by their internal id (iid)
 *
 * \param sw1 First signature wrapper
 * \param sw2 Second signature wrapper
 *
 * \retval 1 if sw1 has the lower iid (sw1 sorts first), -1 if it has the
 *         higher one, 0 if both are equal.
 */
static int SCSigOrderByIId(SCSigSignatureWrapper *sw1, SCSigSignatureWrapper *sw2)
{
    if (sw1->sig->iid < sw2->sig->iid) {
        return 1;
    }
    if (sw1->sig->iid > sw2->sig->iid) {
        return -1;
    }
    return 0;
}
733 
/* sort by:
 * direction (to-server before the rest), alproto, progress, iid
 *
 * Each key is compared in ascending order; the first key that differs
 * decides. Returns 1 when sw1 sorts first, -1 when sw2 does, 0 on a full
 * tie.
 */
static int SCSigOrderByAppFirewall(SCSigSignatureWrapper *sw1, SCSigSignatureWrapper *sw2)
{
    /* 0 for signatures carrying SIG_FLAG_TOSERVER, 1 for all others. */
    const int dir1 = (sw1->sig->flags & SIG_FLAG_TOSERVER) != 0 ? 0 : 1;
    const int dir2 = (sw2->sig->flags & SIG_FLAG_TOSERVER) != 0 ? 0 : 1;

    if (dir1 != dir2) {
        return (dir1 < dir2) ? 1 : -1;
    }
    if (sw1->sig->alproto != sw2->sig->alproto) {
        return (sw1->sig->alproto < sw2->sig->alproto) ? 1 : -1;
    }
    if (sw1->sig->app_progress_hook != sw2->sig->app_progress_hook) {
        return (sw1->sig->app_progress_hook < sw2->sig->app_progress_hook) ? 1 : -1;
    }
    if (sw1->sig->iid != sw2->sig->iid) {
        return (sw1->sig->iid < sw2->sig->iid) ? 1 : -1;
    }
    return 0;
}
767 
/**
 * \brief Creates a Wrapper around the Signature
 *
 * The wrapper does not own the signature; it only points at it. The usage
 * types for flowbits, flowvar, flowint, pktvar, hostbits and ippairbits are
 * computed here once and cached in the wrapper for the compare functions.
 *
 * \param sig Pointer to the Signature to be wrapped
 *
 * \retval sw Pointer to the wrapper that holds the signature, or NULL if
 *            the allocation failed
 */
static inline SCSigSignatureWrapper *SCSigAllocSignatureWrapper(Signature *sig)
{
    SCSigSignatureWrapper *wrapper = SCCalloc(1, sizeof(SCSigSignatureWrapper));
    if (wrapper == NULL) {
        return NULL;
    }

    wrapper->sig = sig;

    /* Process data from the signature into a cache for further use by the
     * sig_ordering module */
    SCSigProcessUserDataForFlowbits(wrapper);
    SCSigProcessUserDataForFlowvar(wrapper);
    SCSigProcessUserDataForFlowint(wrapper);
    SCSigProcessUserDataForPktvar(wrapper);
    SCSigProcessUserDataForHostbits(wrapper);
    SCSigProcessUserDataForIPPairbits(wrapper);

    return wrapper;
}
795 
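/* Free every wrapper on a list; the wrapped signatures are left untouched. */
static void SCSigFreeWrapperList(SCSigSignatureWrapper *sigw)
{
    while (sigw != NULL) {
        SCSigSignatureWrapper *next = sigw->next;
        SCFree(sigw);
        sigw = next;
    }
}

/* Append the signatures of an ordered wrapper list to de_ctx->sig_list and
 * free the wrappers. `tail` is the current last signature of the list (it is
 * not read while the list is empty); the new tail is returned. `hook` labels
 * the debug output and may be NULL for no output. */
static Signature *SCSigRelinkWrapperList(DetectEngineCtx *de_ctx, SCSigSignatureWrapper *sigw,
        Signature *tail, const char *hook)
{
    (void)hook; /* only read by SCLogDebug */

    while (sigw != NULL) {
        SCSigSignatureWrapper *next = sigw->next;

        if (hook != NULL) {
            SCLogDebug("post-sort %s: sid %u", hook, sigw->sig->id);
        }
        sigw->sig->next = NULL;
        if (de_ctx->sig_list == NULL) {
            /* First entry on the list */
            de_ctx->sig_list = sigw->sig;
        } else {
            tail->next = sigw->sig;
        }
        tail = sigw->sig;

        SCFree(sigw);
        sigw = next;
    }
    return tail;
}

/**
 * \brief Orders the signatures
 *
 * Signatures are split into three groups that end up on de_ctx->sig_list in
 * this order: firewall rules of type SIG_TYPE_PKT (sorted by iid, i.e. in
 * the order they were added), the remaining firewall rules (sorted by
 * SCSigOrderByAppFirewall) and all other rules (sorted by the functions
 * registered in de_ctx->sc_sig_order_funcs).
 *
 * If a wrapper cannot be allocated, the wrappers created so far are freed
 * and de_ctx->sig_list is left exactly as it was. Relinking a partial set of
 * wrappers at that point would overwrite the next pointers of signatures
 * that were never wrapped, dropping them from the list.
 *
 * NOTE(review): the signature line is missing from the listing this block
 * was taken from; it is restored here with the int return the body requires.
 *
 * \param de_ctx Pointer to the Detection Engine Context that holds the
 *               signatures to be ordered
 *
 * \retval 0 on success, including when there is nothing to order
 * \retval -1 if a signature wrapper could not be allocated
 */
int SCSigOrderSignatures(DetectEngineCtx *de_ctx)
{
    if (de_ctx->sig_list == NULL) {
        SCLogDebug("no signatures to order");
        return 0;
    }

    SCLogDebug("ordering signatures in memory");
    SCSigSignatureWrapper *td_sigw_list = NULL; /* unified td list */

    SCSigSignatureWrapper *fw_pf_sigw_list = NULL; /* hook: packet_filter */
    SCSigSignatureWrapper *fw_af_sigw_list = NULL; /* hook: app_filter */

    for (Signature *sig = de_ctx->sig_list; sig != NULL; sig = sig->next) {
        SCSigSignatureWrapper *sigw = SCSigAllocSignatureWrapper(sig);
        if (sigw == NULL) {
            SCLogError("failed to alloc signature wrapper for rule ordering");
            /* No signature has been relinked yet, so dropping the wrappers
             * leaves the original list intact. */
            SCSigFreeWrapperList(fw_pf_sigw_list);
            SCSigFreeWrapperList(fw_af_sigw_list);
            SCSigFreeWrapperList(td_sigw_list);
            return -1;
        }

        /* Push signature wrapper onto a list, order doesn't matter here. */
        SCSigSignatureWrapper **bucket;
        if (!sig->init_data->firewall_rule) {
            bucket = &td_sigw_list;
        } else if (sig->type == SIG_TYPE_PKT) {
            bucket = &fw_pf_sigw_list;
        } else {
            // TODO review types.
            bucket = &fw_af_sigw_list;
        }
        sigw->next = *bucket;
        *bucket = sigw;
    }

    /* despite having Append in the name, the new Sig/Rule funcs actually prepend with some special
     * logic around bidir sigs. So to respect the firewall rule order, we sort this part of the list
     * by the add order. */
    if (fw_pf_sigw_list) {
        SCSigOrderFunc OrderFn = { .SWCompare = SCSigOrderByIId, .next = NULL };
        fw_pf_sigw_list = SCSigOrder(fw_pf_sigw_list, &OrderFn);
    }
    if (fw_af_sigw_list) {
        SCSigOrderFunc OrderFn = { .SWCompare = SCSigOrderByAppFirewall, .next = NULL };
        fw_af_sigw_list = SCSigOrder(fw_af_sigw_list, &OrderFn);
    }
    if (td_sigw_list) {
        /* Sort the list */
        td_sigw_list = SCSigOrder(td_sigw_list, de_ctx->sc_sig_order_funcs);
    }

    /* Recreate the sig list in order: packet_filter firewall rules, then
     * app_filter firewall rules, then the threat detect rules. */
    de_ctx->sig_list = NULL;
    Signature *tail = NULL;
    tail = SCSigRelinkWrapperList(de_ctx, fw_pf_sigw_list, tail, "packet_filter");
    tail = SCSigRelinkWrapperList(de_ctx, fw_af_sigw_list, tail, "app_filter");
    (void)SCSigRelinkWrapperList(de_ctx, td_sigw_list, tail, NULL);

    return 0;
}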
914 
915 /**
916  * \brief Lets you register the Signature ordering functions. The order in
917  * which the functions are registered shows the priority. The first
918  * function registered provides more priority than the function
919  * registered after it. To add a new registration function, register
920  * it by listing it in the correct position in the below sequence,
921  * based on the priority you would want to offer to that keyword.
922  *
923  * \param de_ctx Pointer to the detection engine context from which the
924  * signatures have to be ordered.
925  */
927 {
 /* NOTE(review): this listing skips source line 926, which holds the
  * function signature; only the body is visible here. */
928  SCLogDebug("registering signature ordering functions");
929 
 /* Registration order is comparison order: action is compared first and
  * priority last, so the priority keyword only separates rules that tie on
  * the action and on every variable-usage comparison in between. */
930  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
931  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
932  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowintCompare);
933  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
934  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
935  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByHostbitsCompare);
936  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByIPPairbitsCompare);
937  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
938 }
939 
940 /**
941  * \brief De-registers all the signature ordering functions registered
942  *
943  * \param de_ctx Pointer to the detection engine context from which the
944  * signatures were ordered.
945  */
947 {
 /* NOTE(review): this listing skips source line 946, which holds the
  * function signature; only the body is visible here. */
948  SCSigOrderFunc *funcs;
949  void *temp;
950 
951  /* clean the memory allotted to the signature ordering funcs */
952  funcs = de_ctx->sc_sig_order_funcs;
953  while (funcs != NULL) {
 /* Read the next pointer before the node is freed. */
954  temp = funcs;
955  funcs = funcs->next;
956  SCFree(temp);
957  }
 /* Reset the head so the context does not keep a pointer to freed nodes. */
958  de_ctx->sc_sig_order_funcs = NULL;
959 }
960 
961 /**********Unittests**********/
962 
967 
968 #ifdef UNITTESTS
969 
970 static int SCSigOrderingTest01(void)
971 {
 /* Checks that registering the same compare function more than once adds
  * it only once.
  * NOTE(review): this listing skips source lines 975-976 and 996, so the
  * creation and release of de_ctx are not visible here. */
972  SCSigOrderFunc *temp = NULL;
973  int i = 0;
974 
977 
 /* Eleven registrations, five distinct functions: Action, Priority,
  * Flowbits, Flowvar and Pktvar. */
978  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
979  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
980  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
981  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
982  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
983  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
984  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
985  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
986  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
987  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
988  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
989 
 /* Count the nodes that ended up on the list. */
990  temp = de_ctx->sc_sig_order_funcs;
991  while (temp != NULL) {
992  i++;
993  temp = temp->next;
994  }
995 
997 
998  FAIL_IF_NOT(i == 5);
999 
1000  PASS;
1001 }
1002 
1003 static int SCSigOrderingTest02(void)
1004 {
 /* Loads fourteen rules with mixed actions, priorities and variable usage,
  * orders them with five compare functions and checks the resulting sid
  * sequence.
  * NOTE(review): this listing skips the source line in front of every rule
  * string as well as lines 1007, 1071 and 1118, so the calls that create
  * de_ctx, append each rule, run the ordering and release de_ctx are not
  * visible here. */
1005  Signature *sig = NULL;
1006 
1008  FAIL_IF(de_ctx == NULL);
1009 
1011  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1012  FAIL_IF_NULL(sig);
1013 
1015  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:2;)");
1016  FAIL_IF_NULL(sig);
1017 
1019  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:3;)");
1020  FAIL_IF_NULL(sig);
1021 
1023  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; flowvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:4;)");
1024  FAIL_IF_NULL(sig);
1025 
1027  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:5;)");
1028  FAIL_IF_NULL(sig);
1029 
1031  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:6;)");
1032  FAIL_IF_NULL(sig);
1033 
1035  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:7;)");
1036  FAIL_IF_NULL(sig);
1037 
1039  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1040  FAIL_IF_NULL(sig);
1041 
1043  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowbits:set,TEST.one; flowbits:noalert; sid:9;)");
1044  FAIL_IF_NULL(sig);
1045 
1047  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1048  FAIL_IF_NULL(sig);
1049 
1051  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1052  FAIL_IF_NULL(sig);
1053 
1055  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1056  FAIL_IF_NULL(sig);
1057 
1059  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; priority:2; flowbits:isnotset,TEST.two; sid:13;)");
1060  FAIL_IF_NULL(sig);
1061 
1063  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowbits:set,TEST.two; sid:14;)");
1064  FAIL_IF_NULL(sig);
1065 
 /* Comparison order used by this test: action, flowbits, flowvar, pktvar,
  * priority. */
1066  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1067  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1068  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1069  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1070  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1072 
1073  sig = de_ctx->sig_list;
1074 
1075 #ifdef DEBUG
1076  while (sig != NULL) {
1077  printf("sid: %d\n", sig->id);
1078  sig = sig->next;
1079  }
1080 #endif
1081 
1082  sig = de_ctx->sig_list;
1083 
 /* Expected result: all pass rules, then all drop rules, then all alert
  * rules. Rules that tie on every registered comparison appear in
  * ascending sid order (e.g. 1, 11, 12 at the end). */
1084  /* pass */
1085  FAIL_IF_NOT(sig->id == 6);
1086  sig = sig->next;
1087  FAIL_IF_NOT(sig->id == 4);
1088  sig = sig->next;
1089  FAIL_IF_NOT(sig->id == 8);
1090  sig = sig->next;
1091  FAIL_IF_NOT(sig->id == 7);
1092  sig = sig->next;
1093  FAIL_IF_NOT(sig->id == 10);
1094  sig = sig->next;
1095 
1096  /* drops */
1097  FAIL_IF_NOT(sig->id == 9);
1098  sig = sig->next;
1099  FAIL_IF_NOT(sig->id == 13);
1100  sig = sig->next;
1101  FAIL_IF_NOT(sig->id == 2);
1102  sig = sig->next;
1103  FAIL_IF_NOT(sig->id == 3);
1104  sig = sig->next;
1105 
1106  /* alerts */
1107  FAIL_IF_NOT(sig->id == 14);
1108  sig = sig->next;
1109  FAIL_IF_NOT(sig->id == 5);
1110  sig = sig->next;
1111  FAIL_IF_NOT(sig->id == 1);
1112  sig = sig->next;
1113  FAIL_IF_NOT(sig->id == 11);
1114  sig = sig->next;
1115  FAIL_IF_NOT(sig->id == 12);
1116  sig = sig->next;
1117 
1119  PASS;
1120 }
1121 
/**
 * \test Order fourteen "alert" signatures that differ only in flowbits
 *       use, pcre capture names, pktvar and priority, then assert the
 *       resulting order of de_ctx->sig_list sid by sid.
 *
 * \retval the value of the PASS macro if every assertion holds.
 */
1122 static int SCSigOrderingTest03(void)
1123 {
1124  Signature *sig = NULL;
1125 
      /* NOTE(review): the gutter numbers skip here and before each rule
       * string below, so this listing has dropped source lines. The
       * missing ones presumably create de_ctx and open each call as
       * DetectEngineAppendSig(de_ctx, ...), as SCSigOrderingTest13 does.
       * Confirm against the upstream file before reusing this text. */
1128 
1130  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1131  "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:1;)");
1132  FAIL_IF_NULL(sig);
1133 
1135  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1136  "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:2;)");
1137  FAIL_IF_NULL(sig);
1138 
1140  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1141  "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; "
1142  "flowbits:unset,TEST.one; rev:4; priority:2; sid:3;)");
1143  FAIL_IF_NULL(sig);
1144 
1146  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1147  "offset:0; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1148  "flowbits:isset,TEST.one; rev:4; priority:1; sid:4;)");
1149  FAIL_IF_NULL(sig);
1150 
1152  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1153  "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; priority:2; sid:5;)");
1154  FAIL_IF_NULL(sig);
1155 
1157  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1158  "content:\"220\"; offset:10; flowbits:isnotset,TEST.one; pcre:\"/^User-Agent: "
1159  "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; sid:6;)");
1160  FAIL_IF_NULL(sig);
1161 
1163  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1164  "content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; "
1165  "flowbits:unset,TEST.one; rev:4; priority:3; sid:7;)");
1166  FAIL_IF_NULL(sig);
1167 
1169  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1170  "offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:unset,TEST.one; rev:4; priority:1; "
1171  "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1172  FAIL_IF_NULL(sig);
1173 
1175  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1176  "content:\"220\"; offset:10; depth:4; rev:4; flowbits:set,TEST.one; "
1177  "flowbits:noalert; pktvar:http_host,\"www.oisf.net\"; sid:9;)");
1178  FAIL_IF_NULL(sig);
1179 
1181  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1182  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1183  FAIL_IF_NULL(sig);
1184 
1186  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1187  "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1188  FAIL_IF_NULL(sig);
1189 
1191  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1192  "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1193  FAIL_IF_NULL(sig);
1194 
1196  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1197  "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:isnotset,TEST.one; sid:13;)");
1198  FAIL_IF_NULL(sig);
1199 
      /* Five comparers are registered: action, flowbits, flowvar, pktvar,
       * priority. Presumably they take precedence in this registration
       * order; confirm against SCSigRegisterSignatureOrderingFunc. Every
       * rule here is "alert", so the action comparer cannot separate
       * them. */
1205  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1206  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1207  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1208  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1209  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
      /* NOTE(review): gutter line 1210 is missing from the listing;
       * presumably it is the call that performs the sort. */
1211 
1212  sig = de_ctx->sig_list;
1213 
1214 #ifdef DEBUG
1215  while (sig != NULL) {
1216  printf("sid: %d\n", sig->id);
1217  sig = sig->next;
1218  }
1219 #endif
1220 
1221  sig = de_ctx->sig_list;
1222 
      /* Expected order, as asserted below:
       *   3, 8, 9, 7, 14     rules that write TEST.one (flowbits set/unset)
       *   6, 4, 13           rules that only test it (isset/isnotset)
       *   2, 5, 1, 10, 11, 12  rules with no flowbits keyword
       * NOTE(review): sig is advanced with sig->next and dereferenced
       * without a NULL check, so a list shorter than expected would
       * fault here instead of reporting a clean test failure. */
1223  FAIL_IF_NOT(sig->id == 3);
1224  sig = sig->next;
1225 
1226  FAIL_IF_NOT(sig->id == 8);
1227  sig = sig->next;
1228  FAIL_IF_NOT(sig->id == 9);
1229  sig = sig->next;
1230  FAIL_IF_NOT(sig->id == 7);
1231  sig = sig->next;
1232  FAIL_IF_NOT(sig->id == 14);
1233  sig = sig->next;
1234  FAIL_IF_NOT(sig->id == 6);
1235  sig = sig->next;
1236  FAIL_IF_NOT(sig->id == 4);
1237  sig = sig->next;
1238  FAIL_IF_NOT(sig->id == 13);
1239  sig = sig->next;
1240  FAIL_IF_NOT(sig->id == 2);
1241  sig = sig->next;
1242  FAIL_IF_NOT(sig->id == 5);
1243  sig = sig->next;
1244  FAIL_IF_NOT(sig->id == 1);
1245  sig = sig->next;
1246  FAIL_IF_NOT(sig->id == 10);
1247  sig = sig->next;
1248  FAIL_IF_NOT(sig->id == 11);
1249  sig = sig->next;
1250  FAIL_IF_NOT(sig->id == 12);
1251 
1252  sig = sig->next;
1253 
      /* NOTE(review): gutter line 1254 is missing; presumably it frees
       * de_ctx. */
1255 
1256  PASS;
1257 }
1258 
/**
 * \test Order nine "alert" signatures that differ in their use of flow
 *       variables (pcre captures named flow_..., flowvar keyword) and
 *       packet variables (pcre captures named pkt_..., pktvar keyword),
 *       then assert the resulting order of de_ctx->sig_list.
 *
 * \retval the value of the PASS macro if every assertion holds.
 */
1259 static int SCSigOrderingTest04(void)
1260 {
1261 
1262  Signature *sig = NULL;
1263 
      /* NOTE(review): the gutter numbers skip here and before each rule
       * string, so this listing has dropped source lines. The missing
       * ones presumably create de_ctx and open each call as
       * DetectEngineAppendSig(de_ctx, ...), as SCSigOrderingTest13 does.
       * Confirm against the upstream file. */
1265  FAIL_IF(de_ctx == NULL);
1266 
1268  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1269  "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1270  FAIL_IF_NULL(sig);
1271 
1273  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1274  "pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1275  "offset:10; rev:4; priority:3; sid:2;)");
1276  FAIL_IF_NULL(sig);
1277 
1279  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1280  "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1281  "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1282  FAIL_IF_NULL(sig);
1283 
1285  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1286  "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; "
1287  "priority:3; flowvar:http_host,\"www.oisf.net\"; sid:4;)");
1288  FAIL_IF_NULL(sig);
1289 
1291  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1292  "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1293  "pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1294  FAIL_IF_NULL(sig);
1295 
1297  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1298  "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1299  "pktvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:6;)");
1300  FAIL_IF_NULL(sig);
1301 
1303  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1304  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; flowvar:http_host,\"www.oisf.net\"; "
1305  "pktvar:http_host,\"www.oisf.net\"; priority:1; sid:7;)");
1306  FAIL_IF_NULL(sig);
1307 
1309  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1310  "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1311  "flowvar:http_host,\"www.oisf.net\"; sid:8;)");
1312  FAIL_IF_NULL(sig);
1313 
1315  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1316  "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1317  "flowvar:http_host,\"www.oisf.net\"; sid:9;)");
1318  FAIL_IF_NULL(sig);
1319 
      /* Same five comparers as the other ordering tests; every rule is
       * "alert" and none uses flowbits, so the asserted order reflects
       * the flowvar, pktvar and priority comparers. */
1320  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1321  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1322  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1323  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1324  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
      /* NOTE(review): gutter line 1325 is missing from the listing;
       * presumably it is the call that performs the sort. */
1326 
1327  sig = de_ctx->sig_list;
1328 
1329 #ifdef DEBUG
1330  while (sig != NULL) {
1331  printf("sid: %d\n", sig->id);
1332  sig = sig->next;
1333  }
1334 #endif
1335 
1336  sig = de_ctx->sig_list;
1337 
      /* NOTE(review): the head of the list is stepped over without an
       * assertion, so the position of the remaining sid (2) is never
       * verified. The walk also dereferences sig after sig->next with
       * no NULL check. */
1338  /* flowvar set */
1339  sig = sig->next;
1340  FAIL_IF_NOT(sig->id == 3);
1341  sig = sig->next;
1342  FAIL_IF_NOT(sig->id == 4);
1343  sig = sig->next;
1344  FAIL_IF_NOT(sig->id == 7);
1345  sig = sig->next;
1346  FAIL_IF_NOT(sig->id == 8);
1347  sig = sig->next;
1348  FAIL_IF_NOT(sig->id == 9);
1349  sig = sig->next;
1350 
1351  /* pktvar */
1352 
1353  FAIL_IF_NOT(sig->id == 5);
1354  sig = sig->next;
1355  FAIL_IF_NOT(sig->id == 6);
1356  sig = sig->next;
1357 
      /* sid 1 uses neither variable kind and is expected last. */
1358  FAIL_IF_NOT(sig->id == 1);
1359  sig = sig->next;
1360 
      /* NOTE(review): gutter line 1361 is missing; presumably it frees
       * de_ctx. */
1362 
1363  PASS;
1364 }
1365 
/**
 * \test Order eight "alert" signatures that differ in their use of packet
 *       variables (pcre captures named pkt_..., pktvar keyword) and
 *       priority, then assert the resulting order of de_ctx->sig_list.
 *
 * \retval the value of the PASS macro if every assertion holds.
 */
1366 static int SCSigOrderingTest05(void)
1367 {
1368  Signature *sig = NULL;
1369 
      /* NOTE(review): the gutter numbers skip here and before each rule
       * string, so this listing has dropped source lines. The missing
       * ones presumably create de_ctx and open each call as
       * DetectEngineAppendSig(de_ctx, ...), as SCSigOrderingTest13 does.
       * Confirm against the upstream file. */
1371  FAIL_IF(de_ctx == NULL);
1372 
1374  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1375  "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1376  FAIL_IF_NULL(sig);
1377 
1379  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1380  "pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1381  "offset:10; rev:4; priority:3; sid:2;)");
1382  FAIL_IF_NULL(sig);
1383 
1385  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1386  "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1387  "(?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1388  FAIL_IF_NULL(sig);
1389 
1391  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1392  "offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; "
1393  "priority:3; pktvar:http_host,\"www.oisf.net\"; sid:4;)");
1394  FAIL_IF_NULL(sig);
1395 
1397  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1398  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1399  FAIL_IF_NULL(sig);
1400 
1402  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1403  "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:6;)");
1404  FAIL_IF_NULL(sig);
1405 
1407  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1408  "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1409  "pktvar:http_host,\"www.oisf.net\"; sid:7;)");
1410  FAIL_IF_NULL(sig);
1411 
1413  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1414  "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; "
1415  "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1416  FAIL_IF_NULL(sig);
1417 
1418  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1419  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1420  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1421  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1422  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
      /* NOTE(review): gutter line 1423 is missing from the listing;
       * presumably it is the call that performs the sort. */
1424 
1425  sig = de_ctx->sig_list;
1426 
      /* NOTE(review): the DEBUG guard around this dump is commented out,
       * so unlike the sibling tests this one prints every sid to stdout
       * on each run. It looks like leftover debugging. */
1427  //#ifdef DEBUG
1428  while (sig != NULL) {
1429  printf("sid: %d\n", sig->id);
1430  sig = sig->next;
1431  }
1432  //#endif
1433 
1434  sig = de_ctx->sig_list;
1435 
      /* Expected order: 2, 3, 4 (pkt_ pcre capture), 7, 8 (pktvar keyword
       * only), then 1, 5, 6 (no packet variable).
       * NOTE(review): sig is dereferenced after sig->next with no NULL
       * check. */
1436  /* pktvar set */
1437  FAIL_IF_NOT(sig->id == 2);
1438  sig = sig->next;
1439  FAIL_IF_NOT(sig->id == 3);
1440  sig = sig->next;
1441  FAIL_IF_NOT(sig->id == 4);
1442  sig = sig->next;
1443  /* pktvar read */
1444  FAIL_IF_NOT(sig->id == 7);
1445  sig = sig->next;
1446  FAIL_IF_NOT(sig->id == 8);
1447  sig = sig->next;
1448  FAIL_IF_NOT(sig->id == 1);
1449  sig = sig->next;
1450  FAIL_IF_NOT(sig->id == 5);
1451  sig = sig->next;
1452  FAIL_IF_NOT(sig->id == 6);
1453  sig = sig->next;
1454 
      /* NOTE(review): gutter line 1455 is missing; presumably it frees
       * de_ctx. */
1456 
1457  PASS;
1458 }
1459 
/**
 * \test Order eight "alert" signatures that use no flowbits, flowvar or
 *       pktvar and differ only in their priority keyword, then assert
 *       the resulting order of de_ctx->sig_list.
 *
 * \retval the value of the PASS macro if every assertion holds.
 */
1460 static int SCSigOrderingTest06(void)
1461 {
1462 
1463  Signature *sig = NULL;
1464 
      /* NOTE(review): the gutter numbers skip here and before each rule
       * string, so this listing has dropped source lines. The missing
       * ones presumably create de_ctx and open each call as
       * DetectEngineAppendSig(de_ctx, ...), as SCSigOrderingTest13 does.
       * Confirm against the upstream file. */
1467 
1469  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1470  "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1471  FAIL_IF_NULL(sig);
1472 
1474  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1475  "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1476  FAIL_IF_NULL(sig);
1477 
1479  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1480  "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1481  FAIL_IF_NULL(sig);
1482 
1484  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1485  "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1486  FAIL_IF_NULL(sig);
1487 
1489  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1490  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1491  FAIL_IF_NULL(sig);
1492 
1494  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1495  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1496  FAIL_IF_NULL(sig);
1498  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1499  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1500  FAIL_IF_NULL(sig);
1501 
1503  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1504  "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1505  FAIL_IF_NULL(sig);
1506 
1507  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1508  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1509  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1510  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1511  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
      /* NOTE(review): gutter line 1512 is missing from the listing;
       * presumably it is the call that performs the sort. */
1513 
1514  sig = de_ctx->sig_list;
1515 
1516 #ifdef DEBUG
1517  while (sig != NULL) {
1518  printf("sid: %d\n", sig->id);
1519  sig = sig->next;
1520  }
1521 #endif
1522 
1523  sig = de_ctx->sig_list;
1524 
      /* Expected order: 6 (priority:1), 2, 4, 5, 7, 8 (priority:2), then
       * 1 and 3. Lower priority numbers sort first. sid 1 carries no
       * priority keyword; its place ahead of sid 3 (priority:3) depends
       * on the engine's default priority, which is not shown here.
       * NOTE(review): sig is dereferenced after sig->next with no NULL
       * check. */
1525  FAIL_IF_NOT(sig->id == 6);
1526  sig = sig->next;
1527  FAIL_IF_NOT(sig->id == 2);
1528  sig = sig->next;
1529  FAIL_IF_NOT(sig->id == 4);
1530  sig = sig->next;
1531  FAIL_IF_NOT(sig->id == 5);
1532  sig = sig->next;
1533  FAIL_IF_NOT(sig->id == 7);
1534  sig = sig->next;
1535  FAIL_IF_NOT(sig->id == 8);
1536  sig = sig->next;
1537  FAIL_IF_NOT(sig->id == 1);
1538  sig = sig->next;
1539  FAIL_IF_NOT(sig->id == 3);
1540  sig = sig->next;
1541 
      /* NOTE(review): gutter line 1542 is missing; presumably it frees
       * de_ctx. */
1543 
1544  PASS;
1545 }
/**
 * \test Order eight signatures with mixed actions (pass, drop, alert) and
 *       priorities under the default action order, then assert the
 *       resulting order of de_ctx->sig_list.
 *
 * \retval the value of the PASS macro if every assertion holds.
 */
1546 static int SCSigOrderingTest07(void)
1547 {
1548 
1549  Signature *sig = NULL;
1550 
      /* NOTE(review): the gutter numbers skip here and before each rule
       * string, so this listing has dropped source lines. The missing
       * ones presumably create de_ctx and open each call as
       * DetectEngineAppendSig(de_ctx, ...), as SCSigOrderingTest13 does.
       * Confirm against the upstream file. */
1552  FAIL_IF(de_ctx == NULL);
1553 
1555  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1556  "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1557  FAIL_IF_NULL(sig);
1558 
1560  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1561  "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1562  FAIL_IF_NULL(sig);
1563 
1565  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1566  "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1567  FAIL_IF_NULL(sig);
1568 
1570  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1571  "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1572  FAIL_IF_NULL(sig);
1573 
1575  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1576  "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1577  FAIL_IF_NULL(sig);
1578 
1580  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1581  "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1582  FAIL_IF_NULL(sig);
1583 
      /* NOTE(review): the msg text of sid 7 says "reject" but the rule
       * action is "pass". The assertions below treat it as a pass rule. */
1585  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1586  "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4; priority:2;)");
1587  FAIL_IF_NULL(sig);
1588 
1590  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1591  "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1592  FAIL_IF_NULL(sig);
1593 
1594  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1595  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1596  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1597  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1598  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
      /* NOTE(review): gutter line 1599 is missing from the listing;
       * presumably it is the call that performs the sort. */
1600 
1601  sig = de_ctx->sig_list;
1602 
1603 #ifdef DEBUG
1604  while (sig != NULL) {
1605  printf("sid: %d\n", sig->id);
1606  sig = sig->next;
1607  }
1608 #endif
1609 
1610  sig = de_ctx->sig_list;
1611 
      /* Expected order: 2, 4, 5, 7 (pass), 6 (drop), then 8, 1, 3 (alert).
       * Action outranks priority here: the priority:1 drop rule still
       * sorts after every priority:2 pass rule.
       * NOTE(review): sig is dereferenced after sig->next with no NULL
       * check. */
1612  FAIL_IF_NOT(sig->id == 2);
1613  sig = sig->next;
1614  FAIL_IF_NOT(sig->id == 4);
1615  sig = sig->next;
1616  FAIL_IF_NOT(sig->id == 5);
1617  sig = sig->next;
1618  FAIL_IF_NOT(sig->id == 7);
1619  sig = sig->next;
1620  FAIL_IF_NOT(sig->id == 6);
1621  sig = sig->next;
1622  FAIL_IF_NOT(sig->id == 8);
1623  sig = sig->next;
1624  FAIL_IF_NOT(sig->id == 1);
1625  sig = sig->next;
1626  FAIL_IF_NOT(sig->id == 3);
1627  sig = sig->next;
1628 
      /* NOTE(review): gutter line 1629 is missing; presumably it frees
       * de_ctx. */
1630 
1631  PASS;
1632 }
1633 
1634 /**
1635  * \test Order with a different Action priority
1636  * (as specified from config)
1637  */
1638 static int SCSigOrderingTest08(void)
1639 {
      /* Checks signature order after the global action_order_sigs table
       * has been changed from its default. The whole body is compiled
       * only when HAVE_LIBNET11 is defined; without it the function
       * reaches PASS having checked nothing. */
1640 #ifdef HAVE_LIBNET11
1641 
1642  Signature *sig = NULL;
1643  extern uint8_t action_order_sigs[4];
1644 
1645  /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
      /* NOTE(review): gutter lines 1646-1649 are missing from the listing;
       * presumably they assign the four action_order_sigs entries. The
       * assertions below imply reject first, then alert, then pass.
       * Confirm against the upstream file. The gutter also skips before
       * each rule string, where the call that appends the signature
       * (presumably DetectEngineAppendSig(de_ctx, ...)) has been
       * dropped. */
1650 
1652  FAIL_IF(de_ctx == NULL);
1653 
1655  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1656  "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1657  FAIL_IF_NULL(sig);
1658 
1660  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1661  "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1662  FAIL_IF_NULL(sig);
1663 
1665  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1666  "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1667  FAIL_IF_NULL(sig);
1668 
1670  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1671  "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1672  FAIL_IF_NULL(sig);
1673 
1675  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1676  "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1677  FAIL_IF_NULL(sig);
1678 
      /* NOTE(review): the msg text does not match the action in the next
       * two rules: sid 6 is a "reject" rule labelled "drop", and sid 7 is
       * a "pass" rule labelled "reject". The assertions follow the
       * action. */
1680  "reject tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1681  "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1682  FAIL_IF_NULL(sig);
1683 
1685  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; "
1686  "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4;)");
1687  FAIL_IF_NULL(sig);
1688 
1690  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1691  "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1692  FAIL_IF_NULL(sig);
1693 
1694  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1695  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1696  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1697  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1698  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
      /* NOTE(review): gutter line 1699 is missing from the listing;
       * presumably it is the call that performs the sort. */
1700 
1701  sig = de_ctx->sig_list;
1702 
1703 #ifdef DEBUG
1704  while (sig != NULL) {
1705  printf("sid: %d\n", sig->id);
1706  sig = sig->next;
1707  }
1708 #endif
1709 
1710  sig = de_ctx->sig_list;
1711 
      /* Expected order: 6 (reject), 8, 1, 3 (alert), then 2, 4, 5, 7
       * (pass).
       * NOTE(review): sig is dereferenced after sig->next with no NULL
       * check. */
1712  FAIL_IF_NOT(sig->id == 6);
1713  sig = sig->next;
1714  FAIL_IF_NOT(sig->id == 8);
1715  sig = sig->next;
1716  FAIL_IF_NOT(sig->id == 1);
1717  sig = sig->next;
1718  FAIL_IF_NOT(sig->id == 3);
1719  sig = sig->next;
1720  FAIL_IF_NOT(sig->id == 2);
1721  sig = sig->next;
1722  FAIL_IF_NOT(sig->id == 4);
1723  sig = sig->next;
1724  FAIL_IF_NOT(sig->id == 5);
1725  sig = sig->next;
1726  FAIL_IF_NOT(sig->id == 7);
1727  sig = sig->next;
1728 
1729  /* Restore the default pre-order definition */
      /* NOTE(review): gutter lines 1730-1733 (the restore itself) are
       * missing from the listing. If the FAIL_IF* macros return early,
       * a failing assertion above would leave the process-wide
       * action_order_sigs table modified for later tests. Confirm the
       * macro behaviour. */
1734 
1736 
1737 #endif
1738  PASS;
1739 }
1740 
1741 /**
1742  * \test Order with a different Action priority
1743  * (as specified from config)
1744  */
1745 static int SCSigOrderingTest09(void)
1746 {
      /* Checks signature order after the global action_order_sigs table
       * has been changed from its default. Eight rules (alert, pass,
       * drop) are appended, then the resulting list order is asserted. */
1747 
1748  Signature *sig = NULL;
1749  extern uint8_t action_order_sigs[4];
1750 
1751  /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
      /* NOTE(review): gutter lines 1752-1755 are missing from the listing;
       * presumably they assign the four action_order_sigs entries. The
       * assertions below imply drop first, then alert, then pass.
       * Confirm against the upstream file. The gutter also skips before
       * each rule string, where the call that appends the signature
       * (presumably DetectEngineAppendSig(de_ctx, ...)) has been
       * dropped. */
1756 
1758  FAIL_IF(de_ctx == NULL);
1759 
1761  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1762  "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1;)");
1763  FAIL_IF_NULL(sig);
1764 
1766  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1767  "content:\"220\"; offset:10; priority:2; sid:2;)");
1768  FAIL_IF_NULL(sig);
1769 
1771  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1772  "content:\"220\"; offset:10; depth:4; priority:3; sid:3;)");
1773  FAIL_IF_NULL(sig);
1774 
1776  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1777  "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1778  FAIL_IF_NULL(sig);
1779 
1781  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1782  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1783  FAIL_IF_NULL(sig);
1784 
1786  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1787  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1788  FAIL_IF_NULL(sig);
1789 
      /* NOTE(review): the msg text of sid 7 says "reject" but the rule
       * action is "drop". The assertions follow the action. */
1791  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1792  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1793  FAIL_IF_NULL(sig);
1794 
1796  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1797  "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1798  FAIL_IF_NULL(sig);
1799 
1800  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1801  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1802  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1803  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1804  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
      /* NOTE(review): gutter line 1805 is missing from the listing;
       * presumably it is the call that performs the sort. */
1806 
1807  sig = de_ctx->sig_list;
1808 
1809 #ifdef DEBUG
1810  while (sig != NULL) {
1811  printf("sid: %d\n", sig->id);
1812  sig = sig->next;
1813  }
1814 #endif
1815 
1816  sig = de_ctx->sig_list;
1817 
      /* Expected order: 6, 7 (drop), 8, 1, 3 (alert), then 2, 4, 5 (pass).
       * NOTE(review): sig is dereferenced after sig->next with no NULL
       * check. */
1818  FAIL_IF_NOT(sig->id == 6);
1819  sig = sig->next;
1820  FAIL_IF_NOT(sig->id == 7);
1821  sig = sig->next;
1822  FAIL_IF_NOT(sig->id == 8);
1823  sig = sig->next;
1824  FAIL_IF_NOT(sig->id == 1);
1825  sig = sig->next;
1826  FAIL_IF_NOT(sig->id == 3);
1827  sig = sig->next;
1828  FAIL_IF_NOT(sig->id == 2);
1829  sig = sig->next;
1830  FAIL_IF_NOT(sig->id == 4);
1831  sig = sig->next;
1832  FAIL_IF_NOT(sig->id == 5);
1833  sig = sig->next;
1834 
1835  /* Restore the default pre-order definition */
      /* NOTE(review): gutter lines 1836-1839 (the restore itself) are
       * missing from the listing. If the FAIL_IF* macros return early,
       * a failing assertion above would leave the process-wide
       * action_order_sigs table modified for later tests. Confirm the
       * macro behaviour. */
1840 
1842  PASS;
1843 }
1844 
1845 /**
1846  * \test Order with a different Action priority
1847  * (as specified from config)
1848  */
1849 static int SCSigOrderingTest10(void)
1850 {
      /* Checks signature order after the global action_order_sigs table
       * has been written by the test. Eight rules (alert, pass, drop) are
       * appended, then the resulting list order is asserted. */
1851 
1852  Signature *sig = NULL;
1853  extern uint8_t action_order_sigs[4];
1854 
1855  /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
      /* NOTE(review): gutter lines 1856-1859 are missing from the listing;
       * presumably they assign the four action_order_sigs entries. The
       * assertions below imply pass first, then alert, then drop.
       * Confirm against the upstream file. The gutter also skips before
       * each rule string, where the call that appends the signature
       * (presumably DetectEngineAppendSig(de_ctx, ...)) has been
       * dropped. */
1860 
1862  FAIL_IF(de_ctx == NULL);
1863 
1865  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1866  "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1867  FAIL_IF_NULL(sig);
1868 
1870  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1871  "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1872  FAIL_IF_NULL(sig);
1873 
1875  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1876  "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1877  FAIL_IF_NULL(sig);
1878 
1880  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1881  "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1882  FAIL_IF_NULL(sig);
1883 
1885  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1886  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1887  FAIL_IF_NULL(sig);
1888 
1890  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1891  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1892  FAIL_IF_NULL(sig);
1893 
      /* NOTE(review): the msg text of sid 7 says "reject" but the rule
       * action is "drop". The assertions follow the action. */
1895  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1896  "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1897  FAIL_IF_NULL(sig);
1898 
1900  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1901  "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1902  FAIL_IF_NULL(sig);
1903 
1904  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1905  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1906  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1907  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1908  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
      /* NOTE(review): gutter line 1909 is missing from the listing;
       * presumably it is the call that performs the sort. */
1910 
1911  sig = de_ctx->sig_list;
1912 
1913 #ifdef DEBUG
1914  while (sig != NULL) {
1915  printf("sid: %d\n", sig->id);
1916  sig = sig->next;
1917  }
1918 #endif
1919 
1920  sig = de_ctx->sig_list;
1921 
      /* Expected order: 2, 4, 5 (pass), 8, 1, 3 (alert), then 6, 7 (drop).
       * With this table the drop rules are evaluated last, after the
       * alerts.
       * NOTE(review): sig is dereferenced after sig->next with no NULL
       * check. */
1922  FAIL_IF_NOT(sig->id == 2);
1923  sig = sig->next;
1924  FAIL_IF_NOT(sig->id == 4);
1925  sig = sig->next;
1926  FAIL_IF_NOT(sig->id == 5);
1927  sig = sig->next;
1928  FAIL_IF_NOT(sig->id == 8);
1929  sig = sig->next;
1930  FAIL_IF_NOT(sig->id == 1);
1931  sig = sig->next;
1932  FAIL_IF_NOT(sig->id == 3);
1933  sig = sig->next;
1934  FAIL_IF_NOT(sig->id == 6);
1935  sig = sig->next;
1936  FAIL_IF_NOT(sig->id == 7);
1937  sig = sig->next;
1938 
1939  /* Restore the default pre-order definition */
      /* NOTE(review): gutter lines 1940-1943 (the restore itself) are
       * missing from the listing. If the FAIL_IF* macros return early,
       * a failing assertion above would leave the process-wide
       * action_order_sigs table modified for later tests. Confirm the
       * macro behaviour. */
1944 
1946  PASS;
1947 }
1948 
/**
 * \test Order three "alert" signatures that differ only in their flowbits
 *       commands on two bits (myflow1, myflow2), then assert the
 *       resulting order of de_ctx->sig_list.
 *
 * \retval the value of the PASS macro if every assertion holds.
 */
1949 static int SCSigOrderingTest11(void)
1950 {
1951 
1952  Signature *sig = NULL;
1953 
      /* NOTE(review): the gutter numbers skip here and before each rule
       * string, so this listing has dropped source lines. The missing
       * ones presumably create de_ctx and open each call as
       * DetectEngineAppendSig(de_ctx, ...), as SCSigOrderingTest13 does.
       * Confirm against the upstream file. */
1955  FAIL_IF(de_ctx == NULL);
1956 
      /* NOTE(review): the msg text of sid 1 says "set" but the rule only
       * tests myflow1 with isnotset. */
1958  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; "
1959  "flowbits:isnotset,myflow1; rev:4; sid:1;)");
1960  FAIL_IF_NULL(sig);
1961 
1963  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; "
1964  "flowbits:unset,myflow2; rev:4; sid:2;)");
1965  FAIL_IF_NULL(sig);
1966 
1968  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; "
1969  "flowbits:isset, myflow1; flowbits:unset,myflow2; rev:4; priority:3; sid:3;)");
1970  FAIL_IF_NULL(sig);
1971 
1972  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1973  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1974  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1975  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1976  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
      /* NOTE(review): gutter line 1977 is missing from the listing;
       * presumably it is the call that performs the sort. */
1978 
1979  sig = de_ctx->sig_list;
1980 
1981 #ifdef DEBUG
1982  while (sig != NULL) {
1983  printf("sid: %d\n", sig->id);
1984  sig = sig->next;
1985  }
1986 #endif
1987 
1988  sig = de_ctx->sig_list;
1989 
      /* Expected order: 2 (unset only), 3 (isset plus unset), then 1
       * (isnotset only). The rule that only writes a bit comes first and
       * the rule that only reads comes last.
       * NOTE(review): sig is dereferenced after sig->next with no NULL
       * check. */
1990  FAIL_IF_NOT(sig->id == 2);
1991  sig = sig->next;
1992  FAIL_IF_NOT(sig->id == 3);
1993  sig = sig->next;
1994  FAIL_IF_NOT(sig->id == 1);
1995  sig = sig->next;
1996 
      /* NOTE(review): gutter line 1997 is missing; presumably it frees
       * de_ctx. */
1998  PASS;
1999 }
2000 
/**
 * \test Match one TCP packet against two signatures where sid 1 requires
 *       flowbit "one" and sid 2 sets it, and expect both to match.
 *
 * The rules are appended with the reader (sid 1) first, so both can only
 * match on a single packet if the setter is evaluated before the reader.
 *
 * \retval the value of the PASS macro if every assertion holds.
 */
2001 static int SCSigOrderingTest12(void)
2002 {
2003  Signature *sig = NULL;
2004  Packet *p = NULL;
      /* sizeof(buf) is passed as the payload length further down, so the
       * payload includes the string's terminating NUL byte. */
2005  uint8_t buf[] = "test message";
2006  Flow f;
2007  memset(&f, 0, sizeof(f));
2008  FLOW_INITIALIZE(&f);
2009  f.flags |= FLOW_IPV4;
2011  f.proto = IPPROTO_TCP;
2012 
      /* NOTE(review): the gutter numbers skip in several places (2010,
       * 2013, 2028, 2033-2035, 2046), so this listing has dropped source
       * lines. The missing ones presumably create de_ctx, build the
       * detection engine and finish the packet/flow setup. Confirm
       * against the upstream file. */
2014  FAIL_IF(de_ctx == NULL);
2015  de_ctx->flags |= DE_QUIET;
2016 
2017  const char *sigs[2];
2018  sigs[0] = "alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:isset,one; flowbits:set,two; sid:1;)";
2019  sigs[1] = "alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:set,one; sid:2;)";
2020  UTHAppendSigs(de_ctx, sigs, 2);
2021 
      /* Exactly two signatures must have been loaded. */
2022  sig = de_ctx->sig_list;
2023  FAIL_IF_NULL(sig);
2024  FAIL_IF_NULL(sig->next);
2025  FAIL_IF_NOT_NULL(sig->next->next);
2026  FAIL_IF(de_ctx->signum != 2);
2027 
2029  p = UTHBuildPacket(buf, sizeof(buf), IPPROTO_TCP);
2030  FAIL_IF_NULL(p);
2031 
      /* f is a stack object; the packet only borrows it. */
2032  p->flow = &f;
2036 
2037  UTHMatchPackets(de_ctx, &p, 1);
2038 
      /* results[i] is the expected outcome for sids[i]. Presumably 1
       * means the sid matched once; confirm against
       * UTHCheckPacketMatchResults. */
2039  uint32_t sids[2] = {1, 2};
2040  uint32_t results[2] = {1, 1};
2041  FAIL_IF_NOT(UTHCheckPacketMatchResults(p, sids, results, 2));
2042 
      /* NOTE(review): if the FAIL_IF* macros return early, a failure
       * above skips this cleanup. That is harmless in a one-shot test
       * run, but it would show up under a leak checker. */
2043  UTHFreePackets(&p, 1);
2044  FLOW_DESTROY(&f);
2045 
2047  FlowShutdown();
2048  PASS;
2049 }
2050 
2051 /** \test Bug 1061 */
2052 static int SCSigOrderingTest13(void)
2053 {
      /* Regression check for flowbits ordering when rules both read and
       * write bits. Only the flowbits comparer is registered, so no other
       * criterion influences the asserted order. */
2054 
2055  Signature *sig = NULL;
2056 
      /* NOTE(review): gutter line 2057 is missing from the listing;
       * presumably it creates de_ctx. Confirm against the upstream
       * file. */
2058  FAIL_IF(de_ctx == NULL);
2059 
      /* sid 6 reads bit1 and sets bit2 and bit3. sid 7 only sets (bit1,
       * bit2). sid 5 only reads (bit1, bit2, bit3). */
2060  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)");
2061  FAIL_IF_NULL(sig);
2062  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:set,bit1; flowbits:set,bit2; sid:7;)");
2063  FAIL_IF_NULL(sig);
2064  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)");
2065  FAIL_IF_NULL(sig);
2066 
2067  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
      /* NOTE(review): gutter line 2068 is missing from the listing;
       * presumably it is the call that performs the sort. */
2069 
2070 #ifdef DEBUG
2071  sig = de_ctx->sig_list;
2072  while (sig != NULL) {
2073  printf("sid: %d\n", sig->id);
2074  sig = sig->next;
2075  }
2076 #endif
2077 
2078  sig = de_ctx->sig_list;
2079 
      /* Expected order: 7 (set only), 6 (set and read), 5 (read only).
       * A rule that reads a bit must not run before the rules that can
       * set it.
       * NOTE(review): sig is dereferenced after sig->next with no NULL
       * check. */
2080  FAIL_IF_NOT(sig->id == 7);
2081  sig = sig->next;
2082  FAIL_IF_NOT(sig->id == 6);
2083  sig = sig->next;
2084  FAIL_IF_NOT(sig->id == 5);
2085  sig = sig->next;
2086 
      /* NOTE(review): gutter line 2087 is missing; presumably it frees
       * de_ctx. */
2088  PASS;
2089 }
2090 
2091 #endif
2092 
/* NOTE(review): gutter line 2093, which carries this function's signature,
 * is missing from the listing. The body registers the thirteen
 * SCSigOrderingTestNN functions with the unit-test framework by name. It
 * is empty unless UNITTESTS is defined. */
2094 {
2095 
2096 #ifdef UNITTESTS
2097  UtRegisterTest("SCSigOrderingTest01", SCSigOrderingTest01);
2098  UtRegisterTest("SCSigOrderingTest02", SCSigOrderingTest02);
2099  UtRegisterTest("SCSigOrderingTest03", SCSigOrderingTest03);
2100  UtRegisterTest("SCSigOrderingTest04", SCSigOrderingTest04);
2101  UtRegisterTest("SCSigOrderingTest05", SCSigOrderingTest05);
2102  UtRegisterTest("SCSigOrderingTest06", SCSigOrderingTest06);
2103  UtRegisterTest("SCSigOrderingTest07", SCSigOrderingTest07);
      /* SCSigOrderingTest08 is registered unconditionally, but its body
       * is compiled only when HAVE_LIBNET11 is defined; otherwise it
       * passes without checking anything. */
2104  UtRegisterTest("SCSigOrderingTest08", SCSigOrderingTest08);
2105  UtRegisterTest("SCSigOrderingTest09", SCSigOrderingTest09);
2106  UtRegisterTest("SCSigOrderingTest10", SCSigOrderingTest10);
2107  UtRegisterTest("SCSigOrderingTest11", SCSigOrderingTest11);
2108  UtRegisterTest("SCSigOrderingTest12", SCSigOrderingTest12);
2109  UtRegisterTest("SCSigOrderingTest13", SCSigOrderingTest13);
2110 #endif
2111 }
#define DETECT_XBITS_TYPE_SET_READ
Definition: detect-engine-sigorder.c:66
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2759
SCSigSignatureWrapper_::next
struct SCSigSignatureWrapper_ * next
Definition: detect-engine-sigorder.c:94
detect-flowint.h
SCSigSignatureOrderingModuleCleanup
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
Definition: detect-engine-sigorder.c:946
UTHCheckPacketMatchResults
int UTHCheckPacketMatchResults(Packet *p, uint32_t sids[], uint32_t results[], int numsigs)
UTHCheckPacketMatches: function to check if a packet match some sids.
Definition: util-unittest-helper.c:620
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:231
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
DETECT_PKTVAR_TYPE_READ
#define DETECT_PKTVAR_TYPE_READ
Definition: detect-engine-sigorder.c:50
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:243
SCSigRegisterSignatureOrderingTests
void SCSigRegisterSignatureOrderingTests(void)
Definition: detect-engine-sigorder.c:2093
SCSigOrderSignatures
int SCSigOrderSignatures(DetectEngineCtx *de_ctx)
Orders the signatures.
Definition: detect-engine-sigorder.c:802
DETECT_FLOWBITS_CMD_ISSET
#define DETECT_FLOWBITS_CMD_ISSET
Definition: detect-flowbits.h:31
p
Packet * p
Definition: fuzz_iprep.c:21
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3600
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:546
action_order_sigs
uint8_t action_order_sigs[4]
Definition: util-action.c:40
SCSigSignatureWrapper_::sig
Signature * sig
Definition: detect-engine-sigorder.c:89
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
DetectXbitsData_
Definition: detect-xbits.h:41
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DETECT_HOSTBITS
@ DETECT_HOSTBITS
Definition: detect-engine-register.h:70
Signature_::next
struct Signature_ * next
Definition: detect.h:757
DetectFlowbitsData_
Definition: detect-flowbits.h:34
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:577
UTHMatchPackets
int UTHMatchPackets(DetectEngineCtx *de_ctx, Packet **p, int num_packets)
Definition: util-unittest-helper.c:729
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:127
DETECT_FLOWVAR_TYPE_SET
#define DETECT_FLOWVAR_TYPE_SET
Definition: detect-engine-sigorder.c:47
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
SIG_FLAG_TOSERVER
#define SIG_FLAG_TOSERVER
Definition: detect.h:270
detect-xbits.h
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
DETECT_XBITS_TYPE_READ
#define DETECT_XBITS_TYPE_READ
Definition: detect-engine-sigorder.c:65
SIG_TYPE_PKT
@ SIG_TYPE_PKT
Definition: detect.h:72
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:69
DETECT_FLOWVAR
@ DETECT_FLOWVAR
Definition: detect-engine-register.h:67
SCSigOrderFunc
struct SCSigOrderFunc_ SCSigOrderFunc
Structure holding the signature ordering function used by the signature ordering module.
detect.h
DETECT_FLOWBITS_TYPE_SET_READ
#define DETECT_FLOWBITS_TYPE_SET_READ
Definition: detect-engine-sigorder.c:56
DETECT_SIGORDER_FLOWINT
@ DETECT_SIGORDER_FLOWINT
Definition: detect-engine-sigorder.c:77
SCSigSignatureWrapper_
Signature wrapper used by signature ordering module while ordering signatures.
Definition: detect-engine-sigorder.c:87
SCSigRegisterSignatureOrderingFuncs
void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx)
Lets you register the Signature ordering functions. The order in which the functions are registered s...
Definition: detect-engine-sigorder.c:926
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
DETECT_XBITS_NOT_USED
#define DETECT_XBITS_NOT_USED
Definition: detect-engine-sigorder.c:64
DETECT_XBITS
@ DETECT_XBITS
Definition: detect-engine-register.h:71
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
Signature_::action
uint8_t action
Definition: detect.h:690
DETECT_FLOWVAR_TYPE_READ
#define DETECT_FLOWVAR_TYPE_READ
Definition: detect-engine-sigorder.c:45
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:47
DETECT_SIGORDER_PKTVAR
@ DETECT_SIGORDER_PKTVAR
Definition: detect-engine-sigorder.c:76
Signature_::flags
uint32_t flags
Definition: detect.h:676
DETECT_PKTVAR_NOT_USED
#define DETECT_PKTVAR_NOT_USED
Definition: detect-engine-sigorder.c:49
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:515
detect-engine-build.h
FLOWINT_MODIFIER_LE
@ FLOWINT_MODIFIER_LE
Definition: detect-flowint.h:36
DETECT_SIGORDER_HOSTBITS
@ DETECT_SIGORDER_HOSTBITS
Definition: detect-engine-sigorder.c:78
SCSigOrderFunc_
Structure holding the signature ordering function used by the signature ordering module.
Definition: detect-engine-sigorder.c:101
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:754
DetectFlowintData_::modifier
uint8_t modifier
Definition: detect-flowint.h:70
DETECT_FLOWBITS_NOT_USED
#define DETECT_FLOWBITS_NOT_USED
Definition: detect-engine-sigorder.c:54
util-action.h
DETECT_PKTVAR_TYPE_SET
#define DETECT_PKTVAR_TYPE_SET
Definition: detect-engine-sigorder.c:52
detect-flowbits.h
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:78
FLOWINT_MODIFIER_GT
@ FLOWINT_MODIFIER_GT
Definition: detect-flowint.h:40
DETECT_SIGORDER_FLOWVAR
@ DETECT_SIGORDER_FLOWVAR
Definition: detect-engine-sigorder.c:75
DetectPcreData_::captypes
uint8_t captypes[DETECT_PCRE_CAPTURE_MAX]
Definition: detect-pcre.h:54
FLOWINT_MODIFIER_LT
@ FLOWINT_MODIFIER_LT
Definition: detect-flowint.h:35
Packet_::flow
struct Flow_ * flow
Definition: decode.h:563
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
FLOWINT_MODIFIER_SET
@ FLOWINT_MODIFIER_SET
Definition: detect-flowint.h:30
FLOWINT_MODIFIER_ISSET
@ FLOWINT_MODIFIER_ISSET
Definition: detect-flowint.h:42
SigMatch_::type
uint16_t type
Definition: detect.h:357
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:721
DETECT_FLOWINT_NOT_USED
#define DETECT_FLOWINT_NOT_USED
Definition: detect-engine-sigorder.c:59
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DETECT_FLOWINT_TYPE_SET_READ
#define DETECT_FLOWINT_TYPE_SET_READ
Definition: detect-engine-sigorder.c:61
FatalError
#define FatalError(...)
Definition: util-debug.h:517
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:982
FLOWINT_MODIFIER_ISNOTSET
@ FLOWINT_MODIFIER_ISNOTSET
Definition: detect-flowint.h:43
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:66
Signature_::prio
int prio
Definition: detect.h:723
DETECT_XBITS_TYPE_SET
#define DETECT_XBITS_TYPE_SET
Definition: detect-engine-sigorder.c:67
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:41
util-validate.h
detect-engine-sigorder.h
SignatureInitData_::firewall_rule
bool firewall_rule
Definition: detect.h:671
SCSigOrderFunc_::SWCompare
int(* SWCompare)(SCSigSignatureWrapper *sw1, SCSigSignatureWrapper *sw2)
Definition: detect-engine-sigorder.c:103
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:274
Signature_::iid
SigIntId iid
Definition: detect.h:687
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DETECT_FLOWVAR_TYPE_SET_READ
#define DETECT_FLOWVAR_TYPE_SET_READ
Definition: detect-engine-sigorder.c:46
Signature_::id
uint32_t id
Definition: detect.h:720
DETECT_FLOWBITS_CMD_UNSET
#define DETECT_FLOWBITS_CMD_UNSET
Definition: detect-flowbits.h:29
detect-parse.h
Signature_
Signature container.
Definition: detect.h:675
SigMatch_
a single match condition for a signature
Definition: detect.h:356
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:39
DETECT_PKTVAR_TYPE_SET_READ
#define DETECT_PKTVAR_TYPE_SET_READ
Definition: detect-engine-sigorder.c:51
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:233
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2720
VarTypes
VarTypes
Definition: util-var.h:28
DetectPcreData_
Definition: detect-pcre.h:48
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:975
UTHAppendSigs
int UTHAppendSigs(DetectEngineCtx *de_ctx, const char *sigs[], int numsigs)
UTHAppendSigs: Add sigs to the detection_engine checking for errors.
Definition: util-unittest-helper.c:653
FLOWINT_MODIFIER_EQ
@ FLOWINT_MODIFIER_EQ
Definition: detect-flowint.h:37
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
Signature_::msg
char * msg
Definition: detect.h:743
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
VAR_TYPE_IPPAIR_BIT
@ VAR_TYPE_IPPAIR_BIT
Definition: util-var.h:45
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
Signature_::type
enum SignatureType type
Definition: detect.h:678
DETECT_FLOWBITS_TYPE_SET
#define DETECT_FLOWBITS_TYPE_SET
Definition: detect-engine-sigorder.c:57
DETECT_SIGORDER_MAX
@ DETECT_SIGORDER_MAX
Definition: detect-engine-sigorder.c:80
DetectEngineCtx_::signum
uint32_t signum
Definition: detect.h:994
DETECT_FLOWVAR_NOT_USED
#define DETECT_FLOWVAR_NOT_USED
Definition: detect-engine-sigorder.c:44
SCSigSignatureWrapper_::user
int user[DETECT_SIGORDER_MAX]
Definition: detect-engine-sigorder.c:92
FLOWINT_MODIFIER_SUB
@ FLOWINT_MODIFIER_SUB
Definition: detect-flowint.h:32
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1306
DetectEngineCtx_::sc_sig_order_funcs
struct SCSigOrderFunc_ * sc_sig_order_funcs
Definition: detect.h:997
DETECT_FLOWBITS_CMD_SET
#define DETECT_FLOWBITS_CMD_SET
Definition: detect-flowbits.h:28
FLOWINT_MODIFIER_GE
@ FLOWINT_MODIFIER_GE
Definition: detect-flowint.h:39
DETECT_PKTVAR
@ DETECT_PKTVAR
Definition: detect-engine-register.h:72
DETECT_FLOWBITS_TYPE_READ
#define DETECT_FLOWBITS_TYPE_READ
Definition: detect-engine-sigorder.c:55
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:455