/*
 * Per-signature usage classes for the five variable families handled in this
 * file: flowvar, pktvar, flowbits, flowint and xbits. Every family uses the
 * same numbering: NOT_USED (1) < TYPE_READ (2) < TYPE_SET_READ (3) < TYPE_SET (4).
 *
 * NOTE(review): the SCSigGet*Type helpers in this file branch on read/write
 * counts (read only, write only, both) before returning a *_user_type value;
 * the assignments themselves are not visible in this excerpt, so the mapping
 * of those branches onto these constants is presumed -- confirm.
 *
 * NOTE(review): presumably the SCSigOrderBy*Compare functions rank signatures
 * on these values so that a rule which sets a variable is evaluated before a
 * rule which only reads it. In an IDS rule set that order decides whether an
 * isset/isnotset style check can see state written by another rule on the
 * same packet, so a change to the numeric order here is a detection-logic
 * change -- verify against the compare functions before renumbering.
 */

/* flowvar usage classes */
44 #define DETECT_FLOWVAR_NOT_USED 1
45 #define DETECT_FLOWVAR_TYPE_READ 2
46 #define DETECT_FLOWVAR_TYPE_SET_READ 3
47 #define DETECT_FLOWVAR_TYPE_SET 4
/* pktvar usage classes (same numbering as flowvar) */
49 #define DETECT_PKTVAR_NOT_USED 1
50 #define DETECT_PKTVAR_TYPE_READ 2
51 #define DETECT_PKTVAR_TYPE_SET_READ 3
52 #define DETECT_PKTVAR_TYPE_SET 4
/* flowbits usage classes (same numbering as flowvar) */
54 #define DETECT_FLOWBITS_NOT_USED 1
55 #define DETECT_FLOWBITS_TYPE_READ 2
56 #define DETECT_FLOWBITS_TYPE_SET_READ 3
57 #define DETECT_FLOWBITS_TYPE_SET 4
/* flowint usage classes (same numbering as flowvar) */
59 #define DETECT_FLOWINT_NOT_USED 1
60 #define DETECT_FLOWINT_TYPE_READ 2
61 #define DETECT_FLOWINT_TYPE_SET_READ 3
62 #define DETECT_FLOWINT_TYPE_SET 4
/* xbits usage classes (same numbering as flowvar) */
64 #define DETECT_XBITS_NOT_USED 1
65 #define DETECT_XBITS_TYPE_READ 2
66 #define DETECT_XBITS_TYPE_SET_READ 3
67 #define DETECT_XBITS_TYPE_SET 4
130 while (curr != NULL) {
140 FatalError(
"Fatal error encountered in SCSigRegisterSignatureOrderingFunc. Exiting...");
166 static inline int SCSigGetFlowbitsType(
Signature *sig)
208 if (read > 0 && write == 0) {
210 }
else if (read == 0 && write > 0) {
212 }
else if (read > 0 && write > 0) {
216 SCLogDebug(
"Sig %s typeval %d", sig->
msg, flowbits_user_type);
218 return flowbits_user_type;
221 static inline int SCSigGetFlowintType(
Signature *sig)
266 if (read > 0 && write == 0) {
268 }
else if (read == 0 && write > 0) {
270 }
else if (read > 0 && write > 0) {
274 SCLogDebug(
"Sig %s typeval %d", sig->
msg, flowint_user_type);
276 return flowint_user_type;
293 static inline int SCSigGetFlowvarType(
Signature *sig)
305 for (x = 0; x < pd->
idx; x++) {
326 if (read > 0 && write == 0) {
328 }
else if (read == 0 && write > 0) {
330 }
else if (read > 0 && write > 0) {
351 static inline int SCSigGetPktvarType(
Signature *sig)
363 for (x = 0; x < pd->
idx; x++) {
384 if (read > 0 && write == 0) {
386 }
else if (read == 0 && write > 0) {
388 }
else if (read > 0 && write > 0) {
455 if (read > 0 && write == 0) {
457 }
else if (read == 0 && write > 0) {
459 }
else if (read > 0 && write > 0) {
465 return xbits_user_type;
540 while (funcs != NULL) {
591 subA = SCSigOrder(subA, cmp_func_list);
592 subB = SCSigOrder(subB, cmp_func_list);
597 while (subA != NULL && subB != NULL) {
598 if (SCSigLessThan(subA, subB, cmp_func_list)) {
607 if (result == NULL) {
618 else if (subB == NULL)
744 if (sw1dir > sw2dir) {
746 }
else if (sw1dir < sw2dir) {
788 SCSigProcessUserDataForFlowbits(sw);
789 SCSigProcessUserDataForFlowvar(sw);
790 SCSigProcessUserDataForFlowint(sw);
791 SCSigProcessUserDataForPktvar(sw);
792 SCSigProcessUserDataForHostbits(sw);
793 SCSigProcessUserDataForIPPairbits(sw);
819 while (sig != NULL) {
820 sigw = SCSigAllocSignatureWrapper(sig);
824 sigw->
next = fw_pf_sigw_list;
825 fw_pf_sigw_list = sigw;
828 sigw->
next = fw_af_sigw_list;
829 fw_af_sigw_list = sigw;
832 sigw->
next = td_sigw_list;
841 if (fw_pf_sigw_list) {
843 fw_pf_sigw_list = SCSigOrder(fw_pf_sigw_list, &OrderFn);
845 if (fw_af_sigw_list) {
847 fw_af_sigw_list = SCSigOrder(fw_af_sigw_list, &OrderFn);
857 for (sigw = fw_pf_sigw_list; sigw != NULL;) {
874 for (sigw = fw_af_sigw_list; sigw != NULL;) {
891 for (sigw = td_sigw_list; sigw != NULL;) {
921 SCLogDebug(
"registering signature ordering functions");
923 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
924 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
925 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowintCompare);
926 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
927 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
928 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByHostbitsCompare);
929 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByIPPairbitsCompare);
930 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
946 while (funcs != NULL) {
963 static int SCSigOrderingTest01(
void)
971 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
972 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
973 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
974 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
975 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
976 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
977 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
978 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
979 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
980 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
981 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
984 while (temp != NULL) {
996 static int SCSigOrderingTest02(
void)
1004 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1008 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:2;)");
1012 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:3;)");
1016 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; flowvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:4;)");
1020 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:5;)");
1024 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:6;)");
1028 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:7;)");
1032 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1036 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowbits:set,TEST.one; flowbits:noalert; sid:9;)");
1040 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1044 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1048 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1052 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; priority:2; flowbits:isnotset,TEST.two; sid:13;)");
1056 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowbits:set,TEST.two; sid:14;)");
1059 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1060 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1061 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1062 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1063 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1069 while (sig != NULL) {
1070 printf(
"sid: %d\n", sig->
id);
1115 static int SCSigOrderingTest03(
void)
1123 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1124 "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:1;)");
1128 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1129 "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:2;)");
1133 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1134 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; "
1135 "flowbits:unset,TEST.one; rev:4; priority:2; sid:3;)");
1139 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1140 "offset:0; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1141 "flowbits:isset,TEST.one; rev:4; priority:1; sid:4;)");
1145 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1146 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; priority:2; sid:5;)");
1150 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1151 "content:\"220\"; offset:10; flowbits:isnotset,TEST.one; pcre:\"/^User-Agent: "
1152 "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; sid:6;)");
1156 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1157 "content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; "
1158 "flowbits:unset,TEST.one; rev:4; priority:3; sid:7;)");
1162 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1163 "offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:toggle,TEST.one; rev:4; priority:1; "
1164 "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1168 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1169 "content:\"220\"; offset:10; depth:4; rev:4; flowbits:set,TEST.one; "
1170 "flowbits:noalert; pktvar:http_host,\"www.oisf.net\"; sid:9;)");
1174 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1175 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1179 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1180 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1184 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1185 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1189 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1190 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:isnotset,TEST.one; sid:13;)");
1194 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1195 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:set,TEST.one; sid:14;)");
1198 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1199 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1200 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1201 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1202 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1208 while (sig != NULL) {
1209 printf(
"sid: %d\n", sig->
id);
1252 static int SCSigOrderingTest04(
void)
1261 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1262 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1266 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1267 "pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1268 "offset:10; rev:4; priority:3; sid:2;)");
1272 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1273 "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1274 "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1278 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1279 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; "
1280 "priority:3; flowvar:http_host,\"www.oisf.net\"; sid:4;)");
1284 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1285 "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1286 "pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1290 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1291 "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1292 "pktvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:6;)");
1296 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1297 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; flowvar:http_host,\"www.oisf.net\"; "
1298 "pktvar:http_host,\"www.oisf.net\"; priority:1; sid:7;)");
1302 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1303 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1304 "flowvar:http_host,\"www.oisf.net\"; sid:8;)");
1308 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1309 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1310 "flowvar:http_host,\"www.oisf.net\"; sid:9;)");
1313 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1314 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1315 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1316 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1317 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1323 while (sig != NULL) {
1324 printf(
"sid: %d\n", sig->
id);
1359 static int SCSigOrderingTest05(
void)
1367 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1368 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1372 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1373 "pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1374 "offset:10; rev:4; priority:3; sid:2;)");
1378 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1379 "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1380 "(?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1384 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1385 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; "
1386 "priority:3; pktvar:http_host,\"www.oisf.net\"; sid:4;)");
1390 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1391 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1395 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1396 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:6;)");
1400 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1401 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1402 "pktvar:http_host,\"www.oisf.net\"; sid:7;)");
1406 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1407 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; "
1408 "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1411 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1412 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1413 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1414 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1415 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1421 while (sig != NULL) {
1422 printf(
"sid: %d\n", sig->
id);
1453 static int SCSigOrderingTest06(
void)
1462 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1463 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1467 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1468 "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1472 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1473 "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1477 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1478 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1482 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1483 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1487 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1488 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1491 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1492 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1496 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1497 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1500 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1501 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1502 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1503 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1504 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1510 while (sig != NULL) {
1511 printf(
"sid: %d\n", sig->
id);
1539 static int SCSigOrderingTest07(
void)
1548 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1549 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1553 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1554 "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1558 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1559 "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1563 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1564 "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1568 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1569 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1573 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1574 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1578 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1579 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4; priority:2;)");
1583 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1584 "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1587 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1588 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1589 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1590 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1591 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1597 while (sig != NULL) {
1598 printf(
"sid: %d\n", sig->
id);
1631 static int SCSigOrderingTest08(
void)
1633 #ifdef HAVE_LIBNET11
1648 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1649 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1653 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1654 "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1658 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1659 "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1663 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1664 "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1668 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1669 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1673 "reject tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1674 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1678 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; "
1679 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4;)");
1683 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1684 "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1687 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1688 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1689 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1690 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1691 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1697 while (sig != NULL) {
1698 printf(
"sid: %d\n", sig->
id);
1738 static int SCSigOrderingTest09(
void)
1754 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1755 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1;)");
1759 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1760 "content:\"220\"; offset:10; priority:2; sid:2;)");
1764 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1765 "content:\"220\"; offset:10; depth:4; priority:3; sid:3;)");
1769 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1770 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1774 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1775 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1779 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1780 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1784 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1785 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1789 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1790 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1793 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1794 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1795 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1796 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1797 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1803 while (sig != NULL) {
1804 printf(
"sid: %d\n", sig->
id);
1842 static int SCSigOrderingTest10(
void)
1858 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1859 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1863 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1864 "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1868 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1869 "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1873 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1874 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1878 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1879 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1883 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1884 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1888 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1889 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1893 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1894 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1897 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1898 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1899 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1900 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1901 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1907 while (sig != NULL) {
1908 printf(
"sid: %d\n", sig->
id);
1942 static int SCSigOrderingTest11(
void)
1951 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; "
1952 "flowbits:isnotset,myflow1; rev:4; sid:1;)");
1956 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering toggle\"; "
1957 "flowbits:toggle,myflow2; rev:4; sid:2;)");
1961 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; "
1962 "flowbits:isset, myflow1; flowbits:unset,myflow2; rev:4; priority:3; sid:3;)");
1965 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1966 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1967 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1968 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1969 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1975 while (sig != NULL) {
1976 printf(
"sid: %d\n", sig->
id);
1994 static int SCSigOrderingTest12(
void)
1998 uint8_t buf[] =
"test message";
2004 f.
proto = IPPROTO_TCP;
2010 const char *sigs[2];
2011 sigs[0] =
"alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:isset,one; flowbits:set,two; sid:1;)";
2012 sigs[1] =
"alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:set,one; sid:2;)";
2032 uint32_t sids[2] = {1, 2};
2033 uint32_t results[2] = {1, 1};
2046 static int SCSigOrderingTest13(
void)
2054 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)");
2058 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)");
2061 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
2066 while (sig != NULL) {
2067 printf(
"sid: %d\n", sig->
id);