suricata
detect-engine-sigorder.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Signature ordering part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "detect.h"
28 #include "detect-xbits.h"
29 #include "detect-flowbits.h"
30 #include "detect-flowint.h"
31 #include "detect-parse.h"
32 #include "detect-engine-sigorder.h"
33 #include "detect-pcre.h"
34 #include "detect-engine-build.h"
35 
36 #include "util-unittest.h"
37 #include "util-unittest-helper.h"
38 #include "util-debug.h"
39 #include "util-action.h"
40 #include "action-globals.h"
41 #include "flow-util.h"
42 
43 #define DETECT_FLOWVAR_NOT_USED 1
44 #define DETECT_FLOWVAR_TYPE_READ 2
45 #define DETECT_FLOWVAR_TYPE_SET_READ 3
46 #define DETECT_FLOWVAR_TYPE_SET 4
47 
48 #define DETECT_PKTVAR_NOT_USED 1
49 #define DETECT_PKTVAR_TYPE_READ 2
50 #define DETECT_PKTVAR_TYPE_SET_READ 3
51 #define DETECT_PKTVAR_TYPE_SET 4
52 
53 #define DETECT_FLOWBITS_NOT_USED 1
54 #define DETECT_FLOWBITS_TYPE_READ 2
55 #define DETECT_FLOWBITS_TYPE_SET_READ 3
56 #define DETECT_FLOWBITS_TYPE_SET 4
57 
58 #define DETECT_FLOWINT_NOT_USED 1
59 #define DETECT_FLOWINT_TYPE_READ 2
60 #define DETECT_FLOWINT_TYPE_SET_READ 3
61 #define DETECT_FLOWINT_TYPE_SET 4
62 
63 #define DETECT_XBITS_NOT_USED 1
64 #define DETECT_XBITS_TYPE_READ 2
65 #define DETECT_XBITS_TYPE_SET_READ 3
66 #define DETECT_XBITS_TYPE_SET 4
67 
68 
69 /**
70  * \brief Registers a keyword-based, signature ordering function
71  *
72  * \param de_ctx Pointer to the detection engine context from which the
73  * signatures have to be ordered.
74  * \param FuncPtr Pointer to the signature ordering function. The prototype of
75  * the signature ordering function should accept a pointer to a
76  * SCSigSignatureWrapper as its argument and shouldn't return
77  * anything
78  */
79 static void SCSigRegisterSignatureOrderingFunc(DetectEngineCtx *de_ctx,
80  int (*SWCompare)(SCSigSignatureWrapper *sw1, SCSigSignatureWrapper *sw2))
81 {
82  SCSigOrderFunc *curr = NULL;
83  SCSigOrderFunc *prev = NULL;
84  SCSigOrderFunc *temp = NULL;
85 
86  curr = de_ctx->sc_sig_order_funcs;
87 
88  /* Walk to the end of the list, and leave prev pointing at the
89  last element. */
90  prev = curr;
91  while (curr != NULL) {
92  if (curr->SWCompare == SWCompare) {
93  /* Already specified this compare */
94  return;
95  }
96  prev = curr;
97  curr = curr->next;
98  }
99 
100  if ( (temp = SCMalloc(sizeof(SCSigOrderFunc))) == NULL) {
102  "Fatal error encountered in SCSigRegisterSignatureOrderingFunc. Exiting...");
103  }
104  memset(temp, 0, sizeof(SCSigOrderFunc));
105 
106  temp->SWCompare = SWCompare;
107 
108  /* Append the new compare function at the end of the list. */
109  if (prev == NULL)
110  de_ctx->sc_sig_order_funcs = temp;
111  else
112  prev->next = temp;
113 
114  return;
115 }
116 
117 /**
118  * \brief Returns the flowbit type set for this signature. If more than one
119  * flowbit has been set for the same rule, we return the flowbit type of
120  * the maximum priority/value, where priority/value is maximum for the
121  * ones that set the value and the lowest for ones that read the value.
122  * If no flowbit has been set for the rule, we return 0, which indicates
123  * the least value amongst flowbit types.
124  *
125  * \param sig Pointer to the Signature from which the flowbit value has to be
126  * returned.
127  *
128  * \retval flowbits The flowbits type for this signature if it is set; if it is
129  * not set, return 0
130  */
131 static inline int SCSigGetFlowbitsType(Signature *sig)
132 {
133  DetectFlowbitsData *fb = NULL;
134  int flowbits_user_type = DETECT_FLOWBITS_NOT_USED;
135  int read = 0;
136  int write = 0;
138 
139  while (sm != NULL) {
140  if (sm->type == DETECT_FLOWBITS) {
141  fb = (DetectFlowbitsData *)sm->ctx;
142  if (fb->cmd == DETECT_FLOWBITS_CMD_ISNOTSET ||
144  read++;
145  } else {
146 #ifdef DEBUG
147  BUG_ON(1);
148 #endif
149  }
150  }
151 
152  sm = sm->next;
153  }
154 
156  while (sm != NULL) {
157  if (sm->type == DETECT_FLOWBITS) {
158  fb = (DetectFlowbitsData *)sm->ctx;
159  if (fb->cmd == DETECT_FLOWBITS_CMD_SET ||
162  write++;
163  } else {
164 #ifdef DEBUG
165  BUG_ON(1);
166 #endif
167  }
168  }
169 
170  sm = sm->next;
171  }
172 
173  if (read > 0 && write == 0) {
174  flowbits_user_type = DETECT_FLOWBITS_TYPE_READ;
175  } else if (read == 0 && write > 0) {
176  flowbits_user_type = DETECT_FLOWBITS_TYPE_SET;
177  } else if (read > 0 && write > 0) {
178  flowbits_user_type = DETECT_FLOWBITS_TYPE_SET_READ;
179  }
180 
181  SCLogDebug("Sig %s typeval %d", sig->msg, flowbits_user_type);
182 
183  return flowbits_user_type;
184 }
185 
186 static inline int SCSigGetFlowintType(Signature *sig)
187 {
188  DetectFlowintData *fi = NULL;
189  int flowint_user_type = DETECT_FLOWINT_NOT_USED;
190  int read = 0;
191  int write = 0;
193 
194  while (sm != NULL) {
195  if (sm->type == DETECT_FLOWINT) {
196  fi = (DetectFlowintData *)sm->ctx;
197  if (fi->modifier == FLOWINT_MODIFIER_LT ||
198  fi->modifier == FLOWINT_MODIFIER_LE ||
199  fi->modifier == FLOWINT_MODIFIER_EQ ||
200  fi->modifier == FLOWINT_MODIFIER_NE ||
201  fi->modifier == FLOWINT_MODIFIER_GE ||
202  fi->modifier == FLOWINT_MODIFIER_GT ||
205  read++;
206  } else {
207 #ifdef DEBUG
208  BUG_ON(1);
209 #endif
210  }
211  }
212 
213  sm = sm->next;
214  }
215 
217  while (sm != NULL) {
218  if (sm->type == DETECT_FLOWINT) {
219  fi = (DetectFlowintData *)sm->ctx;
220  if (fi->modifier == FLOWINT_MODIFIER_SET ||
223  write++;
224  } else {
225 #ifdef DEBUG
226  BUG_ON(1);
227 #endif
228  }
229  }
230 
231  sm = sm->next;
232  }
233 
234  if (read > 0 && write == 0) {
235  flowint_user_type = DETECT_FLOWINT_TYPE_READ;
236  } else if (read == 0 && write > 0) {
237  flowint_user_type = DETECT_FLOWINT_TYPE_SET;
238  } else if (read > 0 && write > 0) {
239  flowint_user_type = DETECT_FLOWINT_TYPE_SET_READ;
240  }
241 
242  SCLogDebug("Sig %s typeval %d", sig->msg, flowint_user_type);
243 
244  return flowint_user_type;
245 }
246 
247 /**
248  * \brief Returns whether the flowvar set for this rule, sets the flowvar or
249  * reads the flowvar. If the rule sets the flowvar the function returns
250  * DETECT_FLOWVAR_TYPE_SET(3), if it reads the flowvar the function
251  * returns DETECT_FLOWVAR_TYPE_READ(2), and if flowvar is not used in this
252  * rule the function returns DETECT_FLOWVAR_NOT_USED(1)
253  *
254  * \param sig Pointer to the Signature from which the flowvar type has to be
255  * returned.
256  *
257  * \retval type DETECT_FLOWVAR_TYPE_SET(3) if the rule sets the flowvar,
258  * DETECT_FLOWVAR_TYPE_READ(2) if it reads, and
259  * DETECT_FLOWVAR_NOT_USED(1) if flowvar is not used.
260  */
261 static inline int SCSigGetFlowvarType(Signature *sig)
262 {
263  DetectPcreData *pd = NULL;
265  int read = 0;
266  int write = 0;
268 
269  while (sm != NULL) {
270  pd = (DetectPcreData *)sm->ctx;
271  if (sm->type == DETECT_PCRE) {
272  uint8_t x;
273  for (x = 0; x < pd->idx; x++) {
274  if (pd->captypes[x] == VAR_TYPE_FLOW_VAR) {
275  write++;
276  break;
277  }
278  }
279  }
280 
281  sm = sm->next;
282  }
283 
285  pd = NULL;
286  while (sm != NULL) {
287  if (sm->type == DETECT_FLOWVAR) {
288  read++;
289  }
290 
291  sm = sm->next;
292  }
293 
294  if (read > 0 && write == 0) {
296  } else if (read == 0 && write > 0) {
298  } else if (read > 0 && write > 0) {
300  }
301 
302  return type;
303 }
304 
305 /**
306  * \brief Returns whether the pktvar set for this rule, sets the flowvar or
307  * reads the pktvar. If the rule sets the pktvar the function returns
308  * DETECT_PKTVAR_TYPE_SET(3), if it reads the pktvar the function
309  * returns DETECT_PKTVAR_TYPE_READ(2), and if pktvar is not used in this
310  * rule the function returns DETECT_PKTVAR_NOT_USED(1)
311  *
312  * \param sig Pointer to the Signature from which the pktvar type has to be
313  * returned.
314  *
315  * \retval type DETECT_PKTVAR_TYPE_SET(3) if the rule sets the flowvar,
316  * DETECT_PKTVAR_TYPE_READ(2) if it reads, and
317  * DETECT_PKTVAR_NOT_USED(1) if pktvar is not used.
318  */
319 static inline int SCSigGetPktvarType(Signature *sig)
320 {
321  DetectPcreData *pd = NULL;
323  int read = 0;
324  int write = 0;
326 
327  while (sm != NULL) {
328  pd = (DetectPcreData *)sm->ctx;
329  if (sm->type == DETECT_PCRE) {
330  uint8_t x;
331  for (x = 0; x < pd->idx; x++) {
332  if (pd->captypes[x] == VAR_TYPE_PKT_VAR) {
333  write++;
334  break;
335  }
336  }
337  }
338 
339  sm = sm->next;
340  }
341 
343  pd = NULL;
344  while (sm != NULL) {
345  if (sm->type == DETECT_PKTVAR) {
346  read++;
347  }
348 
349  sm = sm->next;
350  }
351 
352  if (read > 0 && write == 0) {
354  } else if (read == 0 && write > 0) {
356  } else if (read > 0 && write > 0) {
358  }
359 
360  return type;
361 }
362 
363 /**
364  * \brief Returns the xbit type set for this signature. If more than one
365  * xbit has been set for the same rule, we return the xbit type of
366  * the maximum priority/value, where priority/value is maximum for the
367  * ones that set the value and the lowest for ones that read the value.
368  * If no xbit has been set for the rule, we return 0, which indicates
369  * the least value amongst xbit types.
370  *
371  * \param sig Pointer to the Signature from which the xbit value has to be
372  * returned.
373  *
374  * \retval xbits The xbits type for this signature if it is set; if it is
375  * not set, return 0
376  */
377 static inline int SCSigGetXbitsType(Signature *sig, enum VarTypes type)
378 {
379  DetectXbitsData *fb = NULL;
380  int xbits_user_type = DETECT_XBITS_NOT_USED;
381  int read = 0;
382  int write = 0;
384 
385  while (sm != NULL) {
386  if (sm->type == DETECT_XBITS) {
387  fb = (DetectXbitsData *)sm->ctx;
388  if (fb->type == type) {
389  if (fb->cmd == DETECT_XBITS_CMD_ISNOTSET ||
390  fb->cmd == DETECT_XBITS_CMD_ISSET) {
391  read++;
392  } else {
393 #ifdef DEBUG
394  BUG_ON(1);
395 #endif
396  }
397  }
398  }
399 
400  sm = sm->next;
401  }
402 
404  while (sm != NULL) {
405  if (sm->type == DETECT_HOSTBITS) {
406  fb = (DetectXbitsData *)sm->ctx;
407  if (fb->type == type) {
408  if (fb->cmd == DETECT_XBITS_CMD_SET ||
409  fb->cmd == DETECT_XBITS_CMD_UNSET ||
410  fb->cmd == DETECT_XBITS_CMD_TOGGLE) {
411  write++;
412  } else {
413 #ifdef DEBUG
414  BUG_ON(1);
415 #endif
416  }
417  }
418  }
419 
420  sm = sm->next;
421  }
422 
423  if (read > 0 && write == 0) {
424  xbits_user_type = DETECT_XBITS_TYPE_READ;
425  } else if (read == 0 && write > 0) {
426  xbits_user_type = DETECT_XBITS_TYPE_SET;
427  } else if (read > 0 && write > 0) {
428  xbits_user_type = DETECT_XBITS_TYPE_SET_READ;
429  }
430 
431  SCLogDebug("Sig %s typeval %d", sig->msg, xbits_user_type);
432 
433  return xbits_user_type;
434 }
435 
436 /**
437  * \brief Processes the flowbits data for this signature and caches it for
438  * future use. This is needed to optimize the sig_ordering module.
439  *
440  * \param sw The sigwrapper/signature for which the flowbits data has to be
441  * cached
442  */
443 static inline void SCSigProcessUserDataForFlowbits(SCSigSignatureWrapper *sw)
444 {
445  sw->user[SC_RADIX_USER_DATA_FLOWBITS] = SCSigGetFlowbitsType(sw->sig);
446 }
447 
448 /**
449  * \brief Processes the flowvar data for this signature and caches it for
450  * future use. This is needed to optimize the sig_ordering module.
451  *
452  * \param sw The sigwrapper/signature for which the flowvar data has to be
453  * cached
454  */
455 static inline void SCSigProcessUserDataForFlowvar(SCSigSignatureWrapper *sw)
456 {
457  sw->user[SC_RADIX_USER_DATA_FLOWVAR] = SCSigGetFlowvarType(sw->sig);
458 }
459 
460 static inline void SCSigProcessUserDataForFlowint(SCSigSignatureWrapper *sw)
461 {
462  sw->user[SC_RADIX_USER_DATA_FLOWINT] = SCSigGetFlowintType(sw->sig);
463 }
464 
465 /**
466  * \brief Processes the pktvar data for this signature and caches it for
467  * future use. This is needed to optimize the sig_ordering module.
468  *
469  * \param sw The sigwrapper/signature for which the pktvar data has to be
470  * cached
471  */
472 static inline void SCSigProcessUserDataForPktvar(SCSigSignatureWrapper *sw)
473 {
474  sw->user[SC_RADIX_USER_DATA_PKTVAR] = SCSigGetPktvarType(sw->sig);
475 }
476 
477 /**
478  * \brief Processes the hostbits data for this signature and caches it for
479  * future use. This is needed to optimize the sig_ordering module.
480  *
481  * \param sw The sigwrapper/signature for which the hostbits data has to be
482  * cached
483  */
484 static inline void SCSigProcessUserDataForHostbits(SCSigSignatureWrapper *sw)
485 {
486  sw->user[SC_RADIX_USER_DATA_HOSTBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_HOST_BIT);
487 }
488 
489 /**
490  * \brief Processes the hostbits data for this signature and caches it for
491  * future use. This is needed to optimize the sig_ordering module.
492  *
493  * \param sw The sigwrapper/signature for which the hostbits data has to be
494  * cached
495  */
496 static inline void SCSigProcessUserDataForIPPairbits(SCSigSignatureWrapper *sw)
497 {
498  sw->user[SC_RADIX_USER_DATA_IPPAIRBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_IPPAIR_BIT);
499 }
500 
501 /* Return 1 if sw1 comes before sw2 in the final list. */
502 static int SCSigLessThan(SCSigSignatureWrapper *sw1,
504  SCSigOrderFunc *cmp_func_list)
505 {
506  SCSigOrderFunc *funcs = cmp_func_list;
507 
508  while (funcs != NULL) {
509  int delta = funcs->SWCompare(sw1, sw2);
510  if (delta > 0)
511  return 1;
512  else if (delta < 0)
513  return 0;
514 
515  funcs = funcs->next;
516  }
517  // They are equal, so use sid as the final decider.
518  return sw1->sig->id < sw2->sig->id;
519 }
520 
521 /* Merge sort based on a list of compare functions */
522 static SCSigSignatureWrapper *SCSigOrder(SCSigSignatureWrapper *sw,
523  SCSigOrderFunc *cmp_func_list)
524 {
525  SCSigSignatureWrapper *subA = NULL;
526  SCSigSignatureWrapper *subB = NULL;
527  SCSigSignatureWrapper *first;
528  SCSigSignatureWrapper *second;
529  SCSigSignatureWrapper *result = NULL;
530  SCSigSignatureWrapper *last = NULL;
531  SCSigSignatureWrapper *new = NULL;
532 
533  /* Divide input list into two sub-lists. */
534  while (sw != NULL) {
535  first = sw;
536  sw = sw->next;
537  /* Push the first element onto sub-list A */
538  first->next = subA;
539  subA = first;
540 
541  if (sw == NULL)
542  break;
543  second = sw;
544  sw = sw->next;
545  /* Push the second element onto sub-list B */
546  second->next = subB;
547  subB = second;
548  }
549  if (subB == NULL) {
550  /* Only zero or one element on the list. */
551  return subA;
552  }
553 
554  /* Now sort each list */
555  subA = SCSigOrder(subA, cmp_func_list);
556  subB = SCSigOrder(subB, cmp_func_list);
557 
558  /* Merge the two sorted lists. */
559  while (subA != NULL && subB != NULL) {
560  if (SCSigLessThan(subA, subB, cmp_func_list)) {
561  new = subA;
562  subA = subA->next;
563  } else {
564  new = subB;
565  subB = subB->next;
566  }
567  /* Push onto the end of the output list. */
568  new->next = NULL;
569  if (result == NULL) {
570  result = new;
571  last = new;
572  } else {
573  last->next = new;
574  last = new;
575  }
576  }
577  /* Attach the rest of any remaining list. Only one can be non-NULL here. */
578  if (subA == NULL)
579  last->next = subB;
580  else if (subB == NULL)
581  last->next = subA;
582 
583  return result;
584 }
585 
586 /**
587  * \brief Orders an incoming Signature based on its action
588  *
589  * \param de_ctx Pointer to the detection engine context from which the
590  * signatures have to be ordered.
591  * \param sw The new signature that has to be ordered based on its action
592  */
593 static int SCSigOrderByActionCompare(SCSigSignatureWrapper *sw1,
595 {
596  return ActionOrderVal(sw2->sig->action) - ActionOrderVal(sw1->sig->action);
597 }
598 
599 /**
600  * \brief Orders an incoming Signature based on its flowbits type
601  *
602  * \param de_ctx Pointer to the detection engine context from which the
603  * signatures have to be ordered.
604  * \param sw The new signature that has to be ordered based on its flowbits
605  */
606 static int SCSigOrderByFlowbitsCompare(SCSigSignatureWrapper *sw1,
608 {
609  return sw1->user[SC_RADIX_USER_DATA_FLOWBITS] -
611 }
612 
613 /**
614  * \brief Orders an incoming Signature based on its flowvar type
615  *
616  * \param de_ctx Pointer to the detection engine context from which the
617  * signatures have to be ordered.
618  * \param sw The new signature that has to be ordered based on its flowvar
619  */
620 static int SCSigOrderByFlowvarCompare(SCSigSignatureWrapper *sw1,
622 {
623  return sw1->user[SC_RADIX_USER_DATA_FLOWVAR] -
625 }
626 
627 /**
628  * \brief Orders an incoming Signature based on its pktvar type
629  *
630  * \param de_ctx Pointer to the detection engine context from which the
631  * signatures have to be ordered.
632  * \param sw The new signature that has to be ordered based on its pktvar
633  */
634 static int SCSigOrderByPktvarCompare(SCSigSignatureWrapper *sw1,
636 {
637  return sw1->user[SC_RADIX_USER_DATA_PKTVAR] -
639 }
640 
641 static int SCSigOrderByFlowintCompare(SCSigSignatureWrapper *sw1,
643 {
644  return sw1->user[SC_RADIX_USER_DATA_FLOWINT] -
646 }
647 
648 /**
649  * \brief Orders an incoming Signature based on its hostbits type
650  *
651  * \param de_ctx Pointer to the detection engine context from which the
652  * signatures have to be ordered.
653  * \param sw The new signature that has to be ordered based on its hostbits
654  */
655 static int SCSigOrderByHostbitsCompare(SCSigSignatureWrapper *sw1,
657 {
658  return sw1->user[SC_RADIX_USER_DATA_HOSTBITS] -
660 }
661 
662 /**
663  * \brief Orders an incoming Signature based on its ippairbits (xbits) type
664  *
665  * \param de_ctx Pointer to the detection engine context from which the
666  * signatures have to be ordered.
667  * \param sw The new signature that has to be ordered based on its bits
668  */
669 static int SCSigOrderByIPPairbitsCompare(SCSigSignatureWrapper *sw1,
671 {
672  return sw1->user[SC_RADIX_USER_DATA_IPPAIRBITS] -
674 }
675 
676 /**
677  * \brief Orders an incoming Signature based on its priority type
678  *
679  * \param de_ctx Pointer to the detection engine context from which the
680  * signatures have to be ordered.
681  * \param sw The new signature that has to be ordered based on its priority
682  */
683 static int SCSigOrderByPriorityCompare(SCSigSignatureWrapper *sw1,
685 {
686  if (sw1->sig->prio > sw2->sig->prio) {
687  return -1;
688  } else if (sw1->sig->prio < sw2->sig->prio) {
689  return 1;
690  }
691  return 0;
692 }
693 
694 /**
695  * \brief Creates a Wrapper around the Signature
696  *
697  * \param Pointer to the Signature to be wrapped
698  *
699  * \retval sw Pointer to the wrapper that holds the signature
700  */
701 static inline SCSigSignatureWrapper *SCSigAllocSignatureWrapper(Signature *sig)
702 {
703  SCSigSignatureWrapper *sw = NULL;
704 
705  if ( (sw = SCMalloc(sizeof(SCSigSignatureWrapper))) == NULL)
706  return NULL;
707  memset(sw, 0, sizeof(SCSigSignatureWrapper));
708 
709  sw->sig = sig;
710 
711  /* Process data from the signature into a cache for further use by the
712  * sig_ordering module */
713  SCSigProcessUserDataForFlowbits(sw);
714  SCSigProcessUserDataForFlowvar(sw);
715  SCSigProcessUserDataForFlowint(sw);
716  SCSigProcessUserDataForPktvar(sw);
717  SCSigProcessUserDataForHostbits(sw);
718  SCSigProcessUserDataForIPPairbits(sw);
719 
720  return sw;
721 }
722 
723 /**
724  * \brief Orders the signatures
725  *
726  * \param de_ctx Pointer to the Detection Engine Context that holds the
727  * signatures to be ordered
728  */
730 {
731  Signature *sig = NULL;
732  SCSigSignatureWrapper *sigw = NULL;
733  SCSigSignatureWrapper *sigw_list = NULL;
734 
735  int i = 0;
736  SCLogDebug("ordering signatures in memory");
737 
738  sig = de_ctx->sig_list;
739  while (sig != NULL) {
740  sigw = SCSigAllocSignatureWrapper(sig);
741  /* Push signature wrapper onto a list, order doesn't matter here. */
742  sigw->next = sigw_list;
743  sigw_list = sigw;
744 
745  sig = sig->next;
746  i++;
747  }
748 
749  /* Sort the list */
750  sigw_list = SCSigOrder(sigw_list, de_ctx->sc_sig_order_funcs);
751 
752  SCLogDebug("Total Signatures to be processed by the"
753  "sigordering module: %d", i);
754 
755  /* Recreate the sig list in order */
756  de_ctx->sig_list = NULL;
757  sigw = sigw_list;
758  i = 0;
759  while (sigw != NULL) {
760  i++;
761  sigw->sig->next = NULL;
762  if (de_ctx->sig_list == NULL) {
763  /* First entry on the list */
764  de_ctx->sig_list = sigw->sig;
765  sig = de_ctx->sig_list;
766  } else {
767  sig->next = sigw->sig;
768  sig = sig->next;
769  }
770  SCSigSignatureWrapper *sigw_to_free = sigw;
771  sigw = sigw->next;
772  SCFree(sigw_to_free);
773  }
774 
775  SCLogDebug("total signatures reordered by the sigordering module: %d", i);
776 }
777 
778 /**
779  * \brief Lets you register the Signature ordering functions. The order in
780  * which the functions are registered shows the priority. The first
781  * function registered provides more priority than the function
782  * registered after it. To add a new registration function, register
783  * it by listing it in the correct position in the below sequence,
784  * based on the priority you would want to offer to that keyword.
785  *
786  * \param de_ctx Pointer to the detection engine context from which the
787  * signatures have to be ordered.
788  */
790 {
791  SCLogDebug("registering signature ordering functions");
792 
793  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
794  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
795  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowintCompare);
796  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
797  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
798  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByHostbitsCompare);
799  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByIPPairbitsCompare);
800  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
801 }
802 
803 /**
804  * \brief De-registers all the signature ordering functions registered
805  *
806  * \param de_ctx Pointer to the detection engine context from which the
807  * signatures were ordered.
808  */
810 {
811  SCSigOrderFunc *funcs;
812  void *temp;
813 
814  /* clean the memory alloted to the signature ordering funcs */
815  funcs = de_ctx->sc_sig_order_funcs;
816  while (funcs != NULL) {
817  temp = funcs;
818  funcs = funcs->next;
819  SCFree(temp);
820  }
821  de_ctx->sc_sig_order_funcs = NULL;
822 }
823 
824 /**********Unittests**********/
825 
827 Signature *SigInit(DetectEngineCtx *, const char *);
830 
831 #ifdef UNITTESTS
832 
833 static int SCSigOrderingTest01(void)
834 {
835  SCSigOrderFunc *temp = NULL;
836  int i = 0;
837 
839  if (de_ctx == NULL)
840  goto end;
841 
842  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
843  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
844  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
845  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
846  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
847  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
848  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
849  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
850  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
851  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
852  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
853 
854  temp = de_ctx->sc_sig_order_funcs;
855  while (temp != NULL) {
856  i++;
857  temp = temp->next;
858  }
859 
861 
862  return (i == 5);
863  end:
864  return 0;
865 }
866 
867 static int SCSigOrderingTest02(void)
868 {
869  Signature *sig = NULL;
870 
872  FAIL_IF(de_ctx == NULL);
873 
875  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
876  FAIL_IF_NULL(sig);
877 
879  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:2;)");
880  FAIL_IF_NULL(sig);
881 
883  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:3;)");
884  FAIL_IF_NULL(sig);
885 
887  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; flowvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:4;)");
888  FAIL_IF_NULL(sig);
889 
891  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:5;)");
892  FAIL_IF_NULL(sig);
893 
895  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:6;)");
896  FAIL_IF_NULL(sig);
897 
899  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:7;)");
900  FAIL_IF_NULL(sig);
901 
903  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
904  FAIL_IF_NULL(sig);
905 
907  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowbits:set,TEST.one; flowbits:noalert; sid:9;)");
908  FAIL_IF_NULL(sig);
909 
911  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
912  FAIL_IF_NULL(sig);
913 
915  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
916  FAIL_IF_NULL(sig);
917 
919  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
920  FAIL_IF_NULL(sig);
921 
923  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; priority:2; flowbits:isnotset,TEST.two; sid:13;)");
924  FAIL_IF_NULL(sig);
925 
927  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowbits:set,TEST.two; sid:14;)");
928  FAIL_IF_NULL(sig);
929 
930  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
931  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
932  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
933  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
934  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
936 
937  sig = de_ctx->sig_list;
938 
939 #ifdef DEBUG
940  while (sig != NULL) {
941  printf("sid: %d\n", sig->id);
942  sig = sig->next;
943  }
944 #endif
945 
946  sig = de_ctx->sig_list;
947 
948  /* pass */
949  FAIL_IF_NOT(sig->id == 6);
950  sig = sig->next;
951  FAIL_IF_NOT(sig->id == 4);
952  sig = sig->next;
953  FAIL_IF_NOT(sig->id == 8);
954  sig = sig->next;
955  FAIL_IF_NOT(sig->id == 7);
956  sig = sig->next;
957  FAIL_IF_NOT(sig->id == 10);
958  sig = sig->next;
959 
960  /* drops */
961  FAIL_IF_NOT(sig->id == 9);
962  sig = sig->next;
963  FAIL_IF_NOT(sig->id == 13);
964  sig = sig->next;
965  FAIL_IF_NOT(sig->id == 2);
966  sig = sig->next;
967  FAIL_IF_NOT(sig->id == 3);
968  sig = sig->next;
969 
970  /* alerts */
971  FAIL_IF_NOT(sig->id == 14);
972  sig = sig->next;
973  FAIL_IF_NOT(sig->id == 5);
974  sig = sig->next;
975  FAIL_IF_NOT(sig->id == 1);
976  sig = sig->next;
977  FAIL_IF_NOT(sig->id == 11);
978  sig = sig->next;
979  FAIL_IF_NOT(sig->id == 12);
980  sig = sig->next;
981 
983  PASS;
984 }
985 
986 static int SCSigOrderingTest03(void)
987 {
988  int result = 0;
989  Signature *prevsig = NULL, *sig = NULL;
990 
992  if (de_ctx == NULL)
993  goto end;
994 
995  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:1;)");
996  if (sig == NULL) {
997  goto end;
998  }
999  prevsig = sig;
1000  de_ctx->sig_list = sig;
1001 
1002  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:2;)");
1003  if (sig == NULL) {
1004  goto end;
1005  }
1006  prevsig->next = sig;
1007  prevsig = sig;
1008 
1009  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; flowbits:unset,TEST.one; rev:4; priority:2; sid:3;)");
1010  if (sig == NULL) {
1011  goto end;
1012  }
1013  prevsig->next = sig;
1014  prevsig = sig;
1015 
1016  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; flowbits:isset,TEST.one; rev:4; priority:1; sid:4;)");
1017  if (sig == NULL) {
1018  goto end;
1019  }
1020  prevsig->next = sig;
1021  prevsig = sig;
1022 
1023  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; priority:2; sid:5;)");
1024  if (sig == NULL) {
1025  goto end;
1026  }
1027  prevsig->next = sig;
1028  prevsig = sig;
1029 
1030  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; flowbits:isnotset,TEST.one; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; sid:6;)");
1031  if (sig == NULL) {
1032  goto end;
1033  }
1034  prevsig->next = sig;
1035  prevsig = sig;
1036 
1037  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:unset,TEST.one; rev:4; priority:3; sid:7;)");
1038  if (sig == NULL) {
1039  goto end;
1040  }
1041  prevsig->next = sig;
1042  prevsig = sig;
1043 
1044  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:toggle,TEST.one; rev:4; priority:1; pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1045  if (sig == NULL) {
1046  goto end;
1047  }
1048  prevsig->next = sig;
1049  prevsig = sig;
1050 
1051 
1052  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; rev:4; flowbits:set,TEST.one; flowbits:noalert; pktvar:http_host,\"www.oisf.net\"; sid:9;)");
1053  if (sig == NULL) {
1054  goto end;
1055  }
1056  prevsig->next = sig;
1057  prevsig = sig;
1058 
1059  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1060  if (sig == NULL) {
1061  goto end;
1062  }
1063  prevsig->next = sig;
1064  prevsig = sig;
1065 
1066  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1067  if (sig == NULL) {
1068  goto end;
1069  }
1070  prevsig->next = sig;
1071  prevsig = sig;
1072 
1073  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1074  if (sig == NULL) {
1075  goto end;
1076  }
1077  prevsig->next = sig;
1078  prevsig = sig;
1079 
1080  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:isnotset,TEST.one; sid:13;)");
1081  if (sig == NULL) {
1082  goto end;
1083  }
1084  prevsig->next = sig;
1085  prevsig = sig;
1086 
1087  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:set,TEST.one; sid:14;)");
1088  if (sig == NULL) {
1089  goto end;
1090  }
1091  prevsig->next = sig;
1092  prevsig = sig;
1093 
1094  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1095  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1096  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1097  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1098  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1100 
1101  result = 1;
1102 
1103  sig = de_ctx->sig_list;
1104 
1105 #ifdef DEBUG
1106  while (sig != NULL) {
1107  printf("sid: %d\n", sig->id);
1108  sig = sig->next;
1109  }
1110 #endif
1111 
1112  sig = de_ctx->sig_list;
1113 
1114  result &= (sig->id == 3);
1115  sig = sig->next;
1116  result &= (sig->id == 8);
1117  sig = sig->next;
1118  result &= (sig->id == 9);
1119  sig = sig->next;
1120  result &= (sig->id == 7);
1121  sig = sig->next;
1122  result &= (sig->id == 14);
1123  sig = sig->next;
1124  result &= (sig->id == 6);
1125  sig = sig->next;
1126  result &= (sig->id == 4);
1127  sig = sig->next;
1128  result &= (sig->id == 13);
1129  sig = sig->next;
1130  result &= (sig->id == 2);
1131  sig = sig->next;
1132  result &= (sig->id == 5);
1133  sig = sig->next;
1134  result &= (sig->id == 1);
1135  sig = sig->next;
1136  result &= (sig->id == 10);
1137  sig = sig->next;
1138  result &= (sig->id == 11);
1139  sig = sig->next;
1140  result &= (sig->id == 12);
1141  sig = sig->next;
1142 
1143 end:
1144  if (de_ctx != NULL)
1146  return result;
1147 }
1148 
1149 static int SCSigOrderingTest04(void)
1150 {
1151  int result = 0;
1152  Signature *prevsig = NULL, *sig = NULL;
1153 
1155  if (de_ctx == NULL)
1156  goto end;
1157 
1158  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1159  if (sig == NULL) {
1160  goto end;
1161  }
1162  prevsig = sig;
1163  de_ctx->sig_list = sig;
1164 
1165  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; rev:4; priority:3; sid:2;)");
1166  if (sig == NULL) {
1167  goto end;
1168  }
1169  prevsig->next = sig;
1170  prevsig = sig;
1171 
1172  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1173  if (sig == NULL) {
1174  goto end;
1175  }
1176  prevsig->next = sig;
1177  prevsig = sig;
1178 
1179  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowvar:http_host,\"www.oisf.net\"; sid:4;)");
1180  if (sig == NULL) {
1181  goto end;
1182  }
1183  prevsig->next = sig;
1184  prevsig = sig;
1185 
1186  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1187  if (sig == NULL) {
1188  goto end;
1189  }
1190  prevsig->next = sig;
1191  prevsig = sig;
1192 
1193  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; pktvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:6;)");
1194  if (sig == NULL) {
1195  goto end;
1196  }
1197  prevsig->next = sig;
1198  prevsig = sig;
1199 
1200  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; flowvar:http_host,\"www.oisf.net\"; pktvar:http_host,\"www.oisf.net\"; priority:1; sid:7;)");
1201  if (sig == NULL) {
1202  goto end;
1203  }
1204  prevsig->next = sig;
1205  prevsig = sig;
1206 
1207  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowvar:http_host,\"www.oisf.net\"; sid:8;)");
1208  if (sig == NULL) {
1209  goto end;
1210  }
1211  prevsig->next = sig;
1212  prevsig = sig;
1213 
1214  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowvar:http_host,\"www.oisf.net\"; sid:9;)");
1215  if (sig == NULL) {
1216  goto end;
1217  }
1218  prevsig->next = sig;
1219  prevsig = sig;
1220 
1221  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1222  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1223  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1224  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1225  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1227 
1228  result = 1;
1229 
1230  sig = de_ctx->sig_list;
1231 
1232 #ifdef DEBUG
1233  while (sig != NULL) {
1234  printf("sid: %d\n", sig->id);
1235  sig = sig->next;
1236  }
1237 #endif
1238 
1239  sig = de_ctx->sig_list;
1240 
1241  /* flowvar set */
1242  result &= (sig->id == 2);
1243  sig = sig->next;
1244  result &= (sig->id == 3);
1245  sig = sig->next;
1246  result &= (sig->id == 4);
1247  sig = sig->next;
1248  result &= (sig->id == 7);
1249  sig = sig->next;
1250  result &= (sig->id == 8);
1251  sig = sig->next;
1252  result &= (sig->id == 9);
1253  sig = sig->next;
1254 
1255  /* pktvar */
1256  result &= (sig->id == 5);
1257  sig = sig->next;
1258  result &= (sig->id == 6);
1259  sig = sig->next;
1260 
1261  result &= (sig->id == 1);
1262  sig = sig->next;
1263 
1264 end:
1265  if (de_ctx)
1267  return result;
1268 }
1269 
1270 static int SCSigOrderingTest05(void)
1271 {
1272  int result = 0;
1273  Signature *prevsig = NULL, *sig = NULL;
1274 
1276  if (de_ctx == NULL)
1277  goto end;
1278 
1279  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1280  if (sig == NULL) {
1281  goto end;
1282  }
1283  prevsig = sig;
1284  de_ctx->sig_list = sig;
1285 
1286  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; rev:4; priority:3; sid:2;)");
1287  if (sig == NULL) {
1288  goto end;
1289  }
1290  prevsig->next = sig;
1291  prevsig = sig;
1292 
1293  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1294  if (sig == NULL) {
1295  goto end;
1296  }
1297  prevsig->next = sig;
1298  prevsig = sig;
1299 
1300  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; pktvar:http_host,\"www.oisf.net\"; sid:4;)");
1301  if (sig == NULL) {
1302  goto end;
1303  }
1304  prevsig->next = sig;
1305  prevsig = sig;
1306 
1307  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1308  if (sig == NULL) {
1309  goto end;
1310  }
1311  prevsig->next = sig;
1312  prevsig = sig;
1313 
1314  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:6;)");
1315  if (sig == NULL) {
1316  goto end;
1317  }
1318  prevsig->next = sig;
1319  prevsig = sig;
1320 
1321  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; pktvar:http_host,\"www.oisf.net\"; sid:7;)");
1322  if (sig == NULL) {
1323  goto end;
1324  }
1325  prevsig->next = sig;
1326  prevsig = sig;
1327  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1328  if (sig == NULL) {
1329  goto end;
1330  }
1331  prevsig->next = sig;
1332  prevsig = sig;
1333 
1334 
1335  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1336  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1337  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1338  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1339  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1341 
1342  result = 1;
1343 
1344  sig = de_ctx->sig_list;
1345 
1346  //#ifdef DEBUG
1347  while (sig != NULL) {
1348  printf("sid: %d\n", sig->id);
1349  sig = sig->next;
1350  }
1351  //#endif
1352 
1353  sig = de_ctx->sig_list;
1354 
1355  /* pktvar set */
1356  result &= (sig->id == 2);
1357  sig = sig->next;
1358  result &= (sig->id == 3);
1359  sig = sig->next;
1360  result &= (sig->id == 4);
1361  sig = sig->next;
1362  /* pktvar read */
1363  result &= (sig->id == 7);
1364  sig = sig->next;
1365  result &= (sig->id == 8);
1366  sig = sig->next;
1367 
1368  result &= (sig->id == 1);
1369  sig = sig->next;
1370  result &= (sig->id == 5);
1371  sig = sig->next;
1372  result &= (sig->id == 6);
1373  sig = sig->next;
1374 
1375 end:
1376  if (de_ctx != NULL)
1378  return result;
1379 }
1380 
1381 static int SCSigOrderingTest06(void)
1382 {
1383  int result = 0;
1384  Signature *prevsig = NULL, *sig = NULL;
1385 
1387  if (de_ctx == NULL)
1388  goto end;
1389 
1390  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1391  if (sig == NULL) {
1392  goto end;
1393  }
1394  prevsig = sig;
1395  de_ctx->sig_list = sig;
1396 
1397  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1398  if (sig == NULL) {
1399  goto end;
1400  }
1401  prevsig->next = sig;
1402  prevsig = sig;
1403 
1404  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1405  if (sig == NULL) {
1406  goto end;
1407  }
1408  prevsig->next = sig;
1409  prevsig = sig;
1410 
1411  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1412  if (sig == NULL) {
1413  goto end;
1414  }
1415  prevsig->next = sig;
1416  prevsig = sig;
1417 
1418  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1419  if (sig == NULL) {
1420  goto end;
1421  }
1422  prevsig->next = sig;
1423  prevsig = sig;
1424 
1425  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1426  if (sig == NULL) {
1427  goto end;
1428  }
1429  prevsig->next = sig;
1430  prevsig = sig;
1431 
1432  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1433  if (sig == NULL) {
1434  goto end;
1435  }
1436  prevsig->next = sig;
1437  prevsig = sig;
1438 
1439  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1440  if (sig == NULL) {
1441  goto end;
1442  }
1443  prevsig->next = sig;
1444  prevsig = sig;
1445 
1446  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1447  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1448  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1449  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1450  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1452 
1453 
1454  result = 1;
1455 
1456  sig = de_ctx->sig_list;
1457 
1458 #ifdef DEBUG
1459  while (sig != NULL) {
1460  printf("sid: %d\n", sig->id);
1461  sig = sig->next;
1462  }
1463 #endif
1464 
1465  sig = de_ctx->sig_list;
1466 
1467  result &= (sig->id == 6);
1468  sig = sig->next;
1469  result &= (sig->id == 2);
1470  sig = sig->next;
1471  result &= (sig->id == 4);
1472  sig = sig->next;
1473  result &= (sig->id == 5);
1474  sig = sig->next;
1475  result &= (sig->id == 7);
1476  sig = sig->next;
1477  result &= (sig->id == 8);
1478  sig = sig->next;
1479  result &= (sig->id == 1);
1480  sig = sig->next;
1481  result &= (sig->id == 3);
1482  sig = sig->next;
1483 
1484 
1485 end:
1486  if (de_ctx != NULL)
1488  return result;
1489 }
1490 
1491 static int SCSigOrderingTest07(void)
1492 {
1493  int result = 0;
1494  Signature *prevsig = NULL, *sig = NULL;
1495 
1497  if (de_ctx == NULL)
1498  goto end;
1499 
1500  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1501  if (sig == NULL) {
1502  goto end;
1503  }
1504  prevsig = sig;
1505  de_ctx->sig_list = sig;
1506 
1507  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1508  if (sig == NULL) {
1509  goto end;
1510  }
1511  prevsig->next = sig;
1512  prevsig = sig;
1513 
1514  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1515  if (sig == NULL) {
1516  goto end;
1517  }
1518  prevsig->next = sig;
1519  prevsig = sig;
1520 
1521  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1522  if (sig == NULL) {
1523  goto end;
1524  }
1525  prevsig->next = sig;
1526  prevsig = sig;
1527 
1528  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1529  if (sig == NULL) {
1530  goto end;
1531  }
1532  prevsig->next = sig;
1533  prevsig = sig;
1534 
1535  sig = SigInit(de_ctx, "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1536  if (sig == NULL) {
1537  goto end;
1538  }
1539  prevsig->next = sig;
1540  prevsig = sig;
1541 
1542  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4; priority:2;)");
1543  if (sig == NULL) {
1544  goto end;
1545  }
1546  prevsig->next = sig;
1547  prevsig = sig;
1548 
1549  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1550  if (sig == NULL) {
1551  goto end;
1552  }
1553  prevsig->next = sig;
1554  prevsig = sig;
1555 
1556  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1557  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1558  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1559  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1560  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1562 
1563  result = 1;
1564 
1565  sig = de_ctx->sig_list;
1566 
1567 #ifdef DEBUG
1568  while (sig != NULL) {
1569  printf("sid: %d\n", sig->id);
1570  sig = sig->next;
1571  }
1572 #endif
1573 
1574  sig = de_ctx->sig_list;
1575 
1576  result &= (sig->id == 2);
1577  sig = sig->next;
1578  result &= (sig->id == 4);
1579  sig = sig->next;
1580  result &= (sig->id == 5);
1581  sig = sig->next;
1582  result &= (sig->id == 7);
1583  sig = sig->next;
1584  result &= (sig->id == 6);
1585  sig = sig->next;
1586  result &= (sig->id == 8);
1587  sig = sig->next;
1588  result &= (sig->id == 1);
1589  sig = sig->next;
1590  result &= (sig->id == 3);
1591  sig = sig->next;
1592 
1593 end:
1594  if (de_ctx != NULL)
1596  return result;
1597 }
1598 
1599 /**
1600  * \test Order with a different Action priority
1601  * (as specified from config)
1602  */
1603 static int SCSigOrderingTest08(void)
1604 {
1605 #ifdef HAVE_LIBNET11
1606  int result = 0;
1607  Signature *prevsig = NULL, *sig = NULL;
1608  extern uint8_t action_order_sigs[4];
1609 
1610  /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
1615 
1617  if (de_ctx == NULL)
1618  goto end;
1619 
1620  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1621  if (sig == NULL) {
1622  goto end;
1623  }
1624  prevsig = sig;
1625  de_ctx->sig_list = sig;
1626 
1627  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1628  if (sig == NULL) {
1629  goto end;
1630  }
1631  prevsig->next = sig;
1632  prevsig = sig;
1633 
1634  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1635  if (sig == NULL) {
1636  goto end;
1637  }
1638  prevsig->next = sig;
1639  prevsig = sig;
1640 
1641  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1642  if (sig == NULL) {
1643  goto end;
1644  }
1645  prevsig->next = sig;
1646  prevsig = sig;
1647 
1648  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1649  if (sig == NULL) {
1650  goto end;
1651  }
1652  prevsig->next = sig;
1653  prevsig = sig;
1654 
1655  sig = SigInit(de_ctx, "reject tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1656  if (sig == NULL) {
1657  goto end;
1658  }
1659  prevsig->next = sig;
1660  prevsig = sig;
1661 
1662  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4;)");
1663  if (sig == NULL) {
1664  goto end;
1665  }
1666  prevsig->next = sig;
1667  prevsig = sig;
1668 
1669  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1670  if (sig == NULL) {
1671  goto end;
1672  }
1673  prevsig->next = sig;
1674  prevsig = sig;
1675 
1676  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1677  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1678  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1679  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1680  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1682 
1683  result = 1;
1684 
1685  sig = de_ctx->sig_list;
1686 
1687 #ifdef DEBUG
1688  while (sig != NULL) {
1689  printf("sid: %d\n", sig->id);
1690  sig = sig->next;
1691  }
1692 #endif
1693 
1694  sig = de_ctx->sig_list;
1695 
1696  result &= (sig->id == 6);
1697  sig = sig->next;
1698  result &= (sig->id == 8);
1699  sig = sig->next;
1700  result &= (sig->id == 1);
1701  sig = sig->next;
1702  result &= (sig->id == 3);
1703  sig = sig->next;
1704  result &= (sig->id == 2);
1705  sig = sig->next;
1706  result &= (sig->id == 4);
1707  sig = sig->next;
1708  result &= (sig->id == 5);
1709  sig = sig->next;
1710  result &= (sig->id == 7);
1711  sig = sig->next;
1712 
1713 end:
1714  /* Restore the default pre-order definition */
1719  if (de_ctx != NULL)
1721  return result;
1722 #else
1723  return 1;
1724 #endif
1725 }
1726 
1727 /**
1728  * \test Order with a different Action priority
1729  * (as specified from config)
1730  */
1731 static int SCSigOrderingTest09(void)
1732 {
1733  int result = 0;
1734  Signature *prevsig = NULL, *sig = NULL;
1735  extern uint8_t action_order_sigs[4];
1736 
1737  /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
1742 
1744  if (de_ctx == NULL)
1745  goto end;
1746 
1747  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1;)");
1748  if (sig == NULL) {
1749  goto end;
1750  }
1751  prevsig = sig;
1752  de_ctx->sig_list = sig;
1753 
1754  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; priority:2; sid:2;)");
1755  if (sig == NULL) {
1756  goto end;
1757  }
1758  prevsig->next = sig;
1759  prevsig = sig;
1760 
1761  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:10; depth:4; priority:3; sid:3;)");
1762  if (sig == NULL) {
1763  goto end;
1764  }
1765  prevsig->next = sig;
1766  prevsig = sig;
1767 
1768  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1769  if (sig == NULL) {
1770  goto end;
1771  }
1772  prevsig->next = sig;
1773  prevsig = sig;
1774 
1775  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1776  if (sig == NULL) {
1777  goto end;
1778  }
1779  prevsig->next = sig;
1780  prevsig = sig;
1781 
1782  sig = SigInit(de_ctx, "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1783  if (sig == NULL) {
1784  goto end;
1785  }
1786  prevsig->next = sig;
1787  prevsig = sig;
1788 
1789  sig = SigInit(de_ctx, "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1790  if (sig == NULL) {
1791  goto end;
1792  }
1793  prevsig->next = sig;
1794  prevsig = sig;
1795 
1796  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1797  if (sig == NULL) {
1798  goto end;
1799  }
1800  prevsig->next = sig;
1801  prevsig = sig;
1802 
1803  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1804  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1805  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1806  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1807  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1809 
1810  result = 1;
1811 
1812  sig = de_ctx->sig_list;
1813 
1814 #ifdef DEBUG
1815  while (sig != NULL) {
1816  printf("sid: %d\n", sig->id);
1817  sig = sig->next;
1818  }
1819 #endif
1820 
1821  sig = de_ctx->sig_list;
1822 
1823  result &= (sig->id == 6);
1824  sig = sig->next;
1825  result &= (sig->id == 7);
1826  sig = sig->next;
1827  result &= (sig->id == 8);
1828  sig = sig->next;
1829  result &= (sig->id == 1);
1830  sig = sig->next;
1831  result &= (sig->id == 3);
1832  sig = sig->next;
1833  result &= (sig->id == 2);
1834  sig = sig->next;
1835  result &= (sig->id == 4);
1836  sig = sig->next;
1837  result &= (sig->id == 5);
1838  sig = sig->next;
1839 
1840 end:
1841  /* Restore the default pre-order definition */
1846  if (de_ctx != NULL)
1848  return result;
1849 }
1850 
1851 /**
1852  * \test Order with a different Action priority
1853  * (as specified from config)
1854  */
1855 static int SCSigOrderingTest10(void)
1856 {
1857  int result = 0;
1858  Signature *prevsig = NULL, *sig = NULL;
1859  extern uint8_t action_order_sigs[4];
1860 
1861  /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
1866 
1868  if (de_ctx == NULL)
1869  goto end;
1870 
1871  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1872  if (sig == NULL) {
1873  goto end;
1874  }
1875  prevsig = sig;
1876  de_ctx->sig_list = sig;
1877 
1878  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1879  if (sig == NULL) {
1880  goto end;
1881  }
1882  prevsig->next = sig;
1883  prevsig = sig;
1884 
1885  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1886  if (sig == NULL) {
1887  goto end;
1888  }
1889  prevsig->next = sig;
1890  prevsig = sig;
1891 
1892  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1893  if (sig == NULL) {
1894  goto end;
1895  }
1896  prevsig->next = sig;
1897  prevsig = sig;
1898 
1899  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1900  if (sig == NULL) {
1901  goto end;
1902  }
1903  prevsig->next = sig;
1904  prevsig = sig;
1905 
1906  sig = SigInit(de_ctx, "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1907  if (sig == NULL) {
1908  goto end;
1909  }
1910  prevsig->next = sig;
1911  prevsig = sig;
1912 
1913  sig = SigInit(de_ctx, "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1914  if (sig == NULL) {
1915  goto end;
1916  }
1917  prevsig->next = sig;
1918  prevsig = sig;
1919 
1920  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1921  if (sig == NULL) {
1922  goto end;
1923  }
1924  prevsig->next = sig;
1925  prevsig = sig;
1926 
1927  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1928  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1929  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1930  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1931  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1933 
1934  result = 1;
1935 
1936  sig = de_ctx->sig_list;
1937 
1938 #ifdef DEBUG
1939  while (sig != NULL) {
1940  printf("sid: %d\n", sig->id);
1941  sig = sig->next;
1942  }
1943 #endif
1944 
1945  sig = de_ctx->sig_list;
1946 
1947  result &= (sig->id == 2);
1948  sig = sig->next;
1949  result &= (sig->id == 4);
1950  sig = sig->next;
1951  result &= (sig->id == 5);
1952  sig = sig->next;
1953  result &= (sig->id == 8);
1954  sig = sig->next;
1955  result &= (sig->id == 1);
1956  sig = sig->next;
1957  result &= (sig->id == 3);
1958  sig = sig->next;
1959  result &= (sig->id == 6);
1960  sig = sig->next;
1961  result &= (sig->id == 7);
1962  sig = sig->next;
1963 
1964 end:
1965  /* Restore the default pre-order definition */
1970  if (de_ctx != NULL)
1972  return result;
1973 }
1974 
1975 static int SCSigOrderingTest11(void)
1976 {
1977  int result = 0;
1978  Signature *prevsig = NULL, *sig = NULL;
1979 
1981  if (de_ctx == NULL)
1982  goto end;
1983 
1984  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; flowbits:isnotset,myflow1; rev:4; sid:1;)");
1985  if (sig == NULL) {
1986  goto end;
1987  }
1988  prevsig = sig;
1989  de_ctx->sig_list = sig;
1990 
1991  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering toggle\"; flowbits:toggle,myflow2; rev:4; sid:2;)");
1992  if (sig == NULL) {
1993  goto end;
1994  }
1995  prevsig->next = sig;
1996  prevsig = sig;
1997 
1998  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; flowbits:isset, myflow1; flowbits:unset,myflow2; rev:4; priority:3; sid:3;)");
1999  if (sig == NULL) {
2000  goto end;
2001  }
2002  prevsig->next = sig;
2003 
2004  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
2005  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
2006  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
2007  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
2008  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
2010 
2011  result = 1;
2012 
2013  sig = de_ctx->sig_list;
2014 
2015 #ifdef DEBUG
2016  while (sig != NULL) {
2017  printf("sid: %d\n", sig->id);
2018  sig = sig->next;
2019  }
2020 #endif
2021 
2022  sig = de_ctx->sig_list;
2023 
2024  result &= (sig->id == 2);
2025  sig = sig->next;
2026  result &= (sig->id == 3);
2027  sig = sig->next;
2028  result &= (sig->id == 1);
2029  sig = sig->next;
2030 
2031 end:
2032  if (de_ctx != NULL)
2034  return result;
2035 }
2036 
2037 static int SCSigOrderingTest12(void)
2038 {
2039  Signature *sig = NULL;
2040  Packet *p = NULL;
2041  uint8_t buf[] = "test message";
2042  int result = 0;
2043  Flow f;
2044 
2045  FLOW_INITIALIZE(&f);
2046  f.flags |= FLOW_IPV4;
2048  f.proto = IPPROTO_TCP;
2049 
2051  if (de_ctx == NULL)
2052  goto end;
2053  de_ctx->flags |= DE_QUIET;
2054 
2055  const char *sigs[2];
2056  sigs[0] = "alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:isset,one; flowbits:set,two; sid:1;)";
2057  sigs[1] = "alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:set,one; sid:2;)";
2058  UTHAppendSigs(de_ctx, sigs, 2);
2059 
2060  sig = de_ctx->sig_list;
2061  if (sig == NULL)
2062  goto end;
2063  if (sig->next == NULL)
2064  goto end;
2065  if (sig->next->next != NULL)
2066  goto end;
2067  if (de_ctx->signum != 2)
2068  goto end;
2069 
2071  p = UTHBuildPacket(buf, sizeof(buf), IPPROTO_TCP);
2072  if (p == NULL) {
2073  printf("Error building packet.");
2074  goto end;
2075  }
2076  p->flow = &f;
2080 
2081  UTHMatchPackets(de_ctx, &p, 1);
2082 
2083  uint32_t sids[2] = {1, 2};
2084  uint32_t results[2] = {1, 1};
2085  result = UTHCheckPacketMatchResults(p, sids, results, 2);
2086 
2087 end:
2088  if (p != NULL)
2089  SCFree(p);
2090  if (de_ctx != NULL) {
2094  }
2095  FlowShutdown();
2096 
2097  return result;
2098 }
2099 
2100 /** \test Bug 1061 */
2101 static int SCSigOrderingTest13(void)
2102 {
2103  int result = 0;
2104  Signature *sig = NULL;
2105 
2107  if (de_ctx == NULL)
2108  goto end;
2109 
2110  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)");
2111  if (sig == NULL) {
2112  goto end;
2113  }
2114  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:set,bit1; flowbits:set,bit2; sid:7;)");
2115  if (sig == NULL) {
2116  goto end;
2117  }
2118  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)");
2119  if (sig == NULL) {
2120  goto end;
2121  }
2122 
2123  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
2125 
2126  result = 1;
2127 
2128 #ifdef DEBUG
2129  sig = de_ctx->sig_list;
2130  while (sig != NULL) {
2131  printf("sid: %d\n", sig->id);
2132  sig = sig->next;
2133  }
2134 #endif
2135 
2136  sig = de_ctx->sig_list;
2137 
2138  result &= (sig->id == 7);
2139  sig = sig->next;
2140  result &= (sig->id == 6);
2141  sig = sig->next;
2142  result &= (sig->id == 5);
2143  sig = sig->next;
2144 
2145 end:
2146  if (de_ctx != NULL)
2148  return result;
2149 }
2150 
2151 #endif
2152 
2154 {
2155 
2156 #ifdef UNITTESTS
2157  UtRegisterTest("SCSigOrderingTest01", SCSigOrderingTest01);
2158  UtRegisterTest("SCSigOrderingTest02", SCSigOrderingTest02);
2159  UtRegisterTest("SCSigOrderingTest03", SCSigOrderingTest03);
2160  UtRegisterTest("SCSigOrderingTest04", SCSigOrderingTest04);
2161  UtRegisterTest("SCSigOrderingTest05", SCSigOrderingTest05);
2162  UtRegisterTest("SCSigOrderingTest06", SCSigOrderingTest06);
2163  UtRegisterTest("SCSigOrderingTest07", SCSigOrderingTest07);
2164  UtRegisterTest("SCSigOrderingTest08", SCSigOrderingTest08);
2165  UtRegisterTest("SCSigOrderingTest09", SCSigOrderingTest09);
2166  UtRegisterTest("SCSigOrderingTest10", SCSigOrderingTest10);
2167  UtRegisterTest("SCSigOrderingTest11", SCSigOrderingTest11);
2168  UtRegisterTest("SCSigOrderingTest12", SCSigOrderingTest12);
2169  UtRegisterTest("SCSigOrderingTest13", SCSigOrderingTest13);
2170 #endif
2171 }
DetectPcreData_::idx
uint8_t idx
Definition: detect-pcre.h:48
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:79
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DETECT_FLOWINT_TYPE_SET
#define DETECT_FLOWINT_TYPE_SET
Definition: detect-engine-sigorder.c:61
SC_RADIX_USER_DATA_PKTVAR
@ SC_RADIX_USER_DATA_PKTVAR
Definition: detect-engine-sigorder.h:34
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:996
FLOWINT_MODIFIER_ADD
@ FLOWINT_MODIFIER_ADD
Definition: detect-flowint.h:31
flow-util.h
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1392
SCSigOrderFunc_::next
struct SCSigOrderFunc_ * next
Definition: detect-engine-sigorder.h:73
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_FLOWINT_TYPE_READ
#define DETECT_FLOWINT_TYPE_READ
Definition: detect-engine-sigorder.c:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
Flow_::proto
uint8_t proto
Definition: flow.h:378
FLOWINT_MODIFIER_NE
@ FLOWINT_MODIFIER_NE
Definition: detect-flowint.h:38
DETECT_FLOWBITS_CMD_ISNOTSET
#define DETECT_FLOWBITS_CMD_ISNOTSET
Definition: detect-flowbits.h:31
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:460
Flow_
Flow data structure.
Definition: flow.h:356
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
results
struct DetectRfbSecresult_ results[]
ActionOrderVal
uint8_t ActionOrderVal(uint8_t action)
Return the priority associated to an action (to order sigs as specified at config) action_order_sigs ...
Definition: util-action.c:53
FLOWINT_MODIFIER_LE
@ FLOWINT_MODIFIER_LE
Definition: detect-flowint.h:36
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
DetectFlowintData_
Definition: detect-flowint.h:62
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:44
DetectFlowbitsData_::cmd
uint8_t cmd
Definition: detect-flowbits.h:38
DETECT_XBITS_TYPE_SET_READ
#define DETECT_XBITS_TYPE_SET_READ
Definition: detect-engine-sigorder.c:65
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2445
SCSigSignatureWrapper_::next
struct SCSigSignatureWrapper_ * next
Definition: detect-engine-sigorder.h:61
detect-flowint.h
SCSigSignatureOrderingModuleCleanup
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
Definition: detect-engine-sigorder.c:809
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:226
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
DETECT_PKTVAR_TYPE_READ
#define DETECT_PKTVAR_TYPE_READ
Definition: detect-engine-sigorder.c:49
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:339
SCSigRegisterSignatureOrderingTests
void SCSigRegisterSignatureOrderingTests(void)
Definition: detect-engine-sigorder.c:2153
FLOWINT_MODIFIER_NOTSET
@ FLOWINT_MODIFIER_NOTSET
Definition: detect-flowint.h:43
DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_TOGGLE
Definition: detect-flowbits.h:29
DETECT_FLOWBITS_CMD_ISSET
#define DETECT_FLOWBITS_CMD_ISSET
Definition: detect-flowbits.h:32
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:456
action_order_sigs
uint8_t action_order_sigs[4]
Definition: util-action.c:40
SCSigSignatureWrapper_::sig
Signature * sig
Definition: detect-engine-sigorder.h:47
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:96
DetectXbitsData_
Definition: detect-xbits.h:42
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DETECT_HOSTBITS
@ DETECT_HOSTBITS
Definition: detect-engine-register.h:91
Signature_::next
struct Signature_ * next
Definition: detect.h:613
DetectFlowbitsData_
Definition: detect-flowbits.h:36
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:543
UTHMatchPackets
int UTHMatchPackets(DetectEngineCtx *de_ctx, Packet **p, int num_packets)
Definition: util-unittest-helper.c:751
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:87
DETECT_FLOWVAR_TYPE_SET
#define DETECT_FLOWVAR_TYPE_SET
Definition: detect-engine-sigorder.c:46
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
detect-xbits.h
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
DETECT_XBITS_TYPE_READ
#define DETECT_XBITS_TYPE_READ
Definition: detect-engine-sigorder.c:64
util-debug.h
type
uint8_t type
Definition: decode-icmpv4.h:0
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:87
FLOWINT_MODIFIER_GT
@ FLOWINT_MODIFIER_GT
Definition: detect-flowint.h:40
DETECT_FLOWVAR
@ DETECT_FLOWVAR
Definition: detect-engine-register.h:85
SCSigOrderSignatures
void SCSigOrderSignatures(DetectEngineCtx *de_ctx)
Orders the signatures.
Definition: detect-engine-sigorder.c:729
detect.h
DETECT_FLOWBITS_TYPE_SET_READ
#define DETECT_FLOWBITS_TYPE_SET_READ
Definition: detect-engine-sigorder.c:55
UTHCheckPacketMatchResults
int UTHCheckPacketMatchResults(Packet *p, uint32_t sids[], uint32_t results[], int numsids)
UTHCheckPacketMatches: function to check if a packet match some sids.
Definition: util-unittest-helper.c:645
SCSigSignatureWrapper_
Signature wrapper used by signature ordering module while ordering signatures.
Definition: detect-engine-sigorder.h:45
SCSigRegisterSignatureOrderingFuncs
void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx)
Lets you register the Signature ordering functions. The order in which the functions are registered s...
Definition: detect-engine-sigorder.c:789
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:78
DETECT_XBITS_NOT_USED
#define DETECT_XBITS_NOT_USED
Definition: detect-engine-sigorder.c:63
DETECT_XBITS
@ DETECT_XBITS
Definition: detect-engine-register.h:249
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:289
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2022
Signature_::action
uint8_t action
Definition: detect.h:553
DETECT_FLOWVAR_TYPE_READ
#define DETECT_FLOWVAR_TYPE_READ
Definition: detect-engine-sigorder.c:44
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:48
DETECT_PKTVAR_NOT_USED
#define DETECT_PKTVAR_NOT_USED
Definition: detect-engine-sigorder.c:48
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:425
detect-engine-build.h
SCSigOrderFunc_
Structure holding the signature ordering function used by the signature ordering module.
Definition: detect-engine-sigorder.h:69
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:610
DetectFlowintData_::modifier
uint8_t modifier
Definition: detect-flowint.h:71
DETECT_FLOWBITS_NOT_USED
#define DETECT_FLOWBITS_NOT_USED
Definition: detect-engine-sigorder.c:53
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:533
util-action.h
FLOWINT_MODIFIER_EQ
@ FLOWINT_MODIFIER_EQ
Definition: detect-flowint.h:37
DETECT_PKTVAR_TYPE_SET
#define DETECT_PKTVAR_TYPE_SET
Definition: detect-engine-sigorder.c:51
FLOWINT_MODIFIER_SET
@ FLOWINT_MODIFIER_SET
Definition: detect-flowint.h:30
detect-flowbits.h
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:64
SC_RADIX_USER_DATA_IPPAIRBITS
@ SC_RADIX_USER_DATA_IPPAIRBITS
Definition: detect-engine-sigorder.h:37
FLOWINT_MODIFIER_SUB
@ FLOWINT_MODIFIER_SUB
Definition: detect-flowint.h:32
FLOWINT_MODIFIER_GE
@ FLOWINT_MODIFIER_GE
Definition: detect-flowint.h:39
SC_RADIX_USER_DATA_FLOWBITS
@ SC_RADIX_USER_DATA_FLOWBITS
Definition: detect-engine-sigorder.h:32
DetectPcreData_::captypes
uint8_t captypes[DETECT_PCRE_CAPTURE_MAX]
Definition: detect-pcre.h:49
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
Packet_::flow
struct Flow_ * flow
Definition: decode.h:462
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:314
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:690
DETECT_FLOWINT_NOT_USED
#define DETECT_FLOWINT_NOT_USED
Definition: detect-engine-sigorder.c:58
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DETECT_FLOWINT_TYPE_SET_READ
#define DETECT_FLOWINT_TYPE_SET_READ
Definition: detect-engine-sigorder.c:60
FatalError
#define FatalError(x,...)
Definition: util-debug.h:530
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:790
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:90
Signature_::prio
int prio
Definition: detect.h:576
DETECT_XBITS_TYPE_SET
#define DETECT_XBITS_TYPE_SET
Definition: detect-engine-sigorder.c:66
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:39
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCSigOrderFunc_::SWCompare
int(* SWCompare)(SCSigSignatureWrapper *sw1, SCSigSignatureWrapper *sw2)
Definition: detect-engine-sigorder.h:71
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DETECT_FLOWVAR_TYPE_SET_READ
#define DETECT_FLOWVAR_TYPE_SET_READ
Definition: detect-engine-sigorder.c:45
SC_ERR_FATAL
@ SC_ERR_FATAL
Definition: util-error.h:203
Signature_::id
uint32_t id
Definition: detect.h:573
DETECT_FLOWBITS_CMD_UNSET
#define DETECT_FLOWBITS_CMD_UNSET
Definition: detect-flowbits.h:30
Flow_::flags
uint32_t flags
Definition: flow.h:434
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:37
DETECT_PKTVAR_TYPE_SET_READ
#define DETECT_PKTVAR_TYPE_SET_READ
Definition: detect-engine-sigorder.c:50
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:228
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2406
SC_RADIX_USER_DATA_FLOWINT
@ SC_RADIX_USER_DATA_FLOWINT
Definition: detect-engine-sigorder.h:35
VarTypes
VarTypes
Definition: util-var.h:27
SCSigSignatureWrapper_::user
int user[SC_RADIX_USER_DATA_MAX]
Definition: detect-engine-sigorder.h:59
DetectPcreData_
Definition: detect-pcre.h:42
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:40
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:785
FLOWINT_MODIFIER_ISSET
@ FLOWINT_MODIFIER_ISSET
Definition: detect-flowint.h:42
UTHAppendSigs
int UTHAppendSigs(DetectEngineCtx *de_ctx, const char *sigs[], int numsigs)
UTHAppendSigs: Add sigs to the detection_engine checking for errors.
Definition: util-unittest-helper.c:679
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
Signature_::msg
char * msg
Definition: detect.h:599
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
VAR_TYPE_IPPAIR_BIT
@ VAR_TYPE_IPPAIR_BIT
Definition: util-var.h:43
SC_RADIX_USER_DATA_HOSTBITS
@ SC_RADIX_USER_DATA_HOSTBITS
Definition: detect-engine-sigorder.h:36
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:463
SC_RADIX_USER_DATA_FLOWVAR
@ SC_RADIX_USER_DATA_FLOWVAR
Definition: detect-engine-sigorder.h:33
DETECT_FLOWBITS_TYPE_SET
#define DETECT_FLOWBITS_TYPE_SET
Definition: detect-engine-sigorder.c:56
DetectEngineCtx_::signum
uint32_t signum
Definition: detect.h:803
DETECT_FLOWVAR_NOT_USED
#define DETECT_FLOWVAR_NOT_USED
Definition: detect-engine-sigorder.c:43
FLOWINT_MODIFIER_LT
@ FLOWINT_MODIFIER_LT
Definition: detect-flowint.h:35
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:32
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:993
DetectEngineCtx_::sc_sig_order_funcs
struct SCSigOrderFunc_ * sc_sig_order_funcs
Definition: detect.h:810
DETECT_FLOWBITS_CMD_SET
#define DETECT_FLOWBITS_CMD_SET
Definition: detect-flowbits.h:28
DETECT_PKTVAR
@ DETECT_PKTVAR
Definition: detect-engine-register.h:88
DETECT_FLOWBITS_TYPE_READ
#define DETECT_FLOWBITS_TYPE_READ
Definition: detect-engine-sigorder.c:54