/*
 * Usage classes for the variable-style keywords a signature can carry.
 * Each of the five keyword families below (flowvar, pktvar, flowbits,
 * flowint, xbits) defines the same four values, 1 through 4.
 *
 * Going by the names, and by the read/write counters tested in the
 * SCSigGet*Type helpers of this file:
 *   *_NOT_USED      (1)  the signature does not touch the variable
 *   *_TYPE_READ     (2)  it only reads/tests the variable
 *   *_TYPE_SET_READ (3)  it both reads and writes the variable
 *   *_TYPE_SET      (4)  it only writes the variable
 * The branch-to-constant assignments should be confirmed in those helpers.
 *
 * NOTE(review): the numeric order looks deliberate - presumably the
 * SCSigOrderBy*Compare functions rank on these values so that signatures
 * writing a variable are evaluated ahead of signatures reading it. If so,
 * renumbering any family changes rule evaluation order, and a reader rule
 * evaluated before its setter would not see the value, which is a silent
 * detection gap. Confirm against the compare functions before changing a
 * value.
 */
/* flowvar keyword */
44 #define DETECT_FLOWVAR_NOT_USED 1
45 #define DETECT_FLOWVAR_TYPE_READ 2
46 #define DETECT_FLOWVAR_TYPE_SET_READ 3
47 #define DETECT_FLOWVAR_TYPE_SET 4
/* pktvar keyword */
49 #define DETECT_PKTVAR_NOT_USED 1
50 #define DETECT_PKTVAR_TYPE_READ 2
51 #define DETECT_PKTVAR_TYPE_SET_READ 3
52 #define DETECT_PKTVAR_TYPE_SET 4
/* flowbits keyword */
54 #define DETECT_FLOWBITS_NOT_USED 1
55 #define DETECT_FLOWBITS_TYPE_READ 2
56 #define DETECT_FLOWBITS_TYPE_SET_READ 3
57 #define DETECT_FLOWBITS_TYPE_SET 4
/* flowint keyword */
59 #define DETECT_FLOWINT_NOT_USED 1
60 #define DETECT_FLOWINT_TYPE_READ 2
61 #define DETECT_FLOWINT_TYPE_SET_READ 3
62 #define DETECT_FLOWINT_TYPE_SET 4
/* xbits keyword; the host-bits and ip-pair-bits orderings registered in this
 * file presumably share these values - TODO confirm */
64 #define DETECT_XBITS_NOT_USED 1
65 #define DETECT_XBITS_TYPE_READ 2
66 #define DETECT_XBITS_TYPE_SET_READ 3
67 #define DETECT_XBITS_TYPE_SET 4
130 while (curr != NULL) {
140 FatalError(
"Fatal error encountered in SCSigRegisterSignatureOrderingFunc. Exiting...");
166 static inline int SCSigGetFlowbitsType(
Signature *sig)
206 if (read > 0 && write == 0) {
208 }
else if (read == 0 && write > 0) {
210 }
else if (read > 0 && write > 0) {
214 SCLogDebug(
"Sig %s typeval %d", sig->
msg, flowbits_user_type);
216 return flowbits_user_type;
219 static inline int SCSigGetFlowintType(
Signature *sig)
264 if (read > 0 && write == 0) {
266 }
else if (read == 0 && write > 0) {
268 }
else if (read > 0 && write > 0) {
272 SCLogDebug(
"Sig %s typeval %d", sig->
msg, flowint_user_type);
274 return flowint_user_type;
291 static inline int SCSigGetFlowvarType(
Signature *sig)
303 for (x = 0; x < pd->
idx; x++) {
324 if (read > 0 && write == 0) {
326 }
else if (read == 0 && write > 0) {
328 }
else if (read > 0 && write > 0) {
349 static inline int SCSigGetPktvarType(
Signature *sig)
361 for (x = 0; x < pd->
idx; x++) {
382 if (read > 0 && write == 0) {
384 }
else if (read == 0 && write > 0) {
386 }
else if (read > 0 && write > 0) {
453 if (read > 0 && write == 0) {
455 }
else if (read == 0 && write > 0) {
457 }
else if (read > 0 && write > 0) {
463 return xbits_user_type;
538 while (funcs != NULL) {
589 subA = SCSigOrder(subA, cmp_func_list);
590 subB = SCSigOrder(subB, cmp_func_list);
595 while (subA != NULL && subB != NULL) {
596 if (SCSigLessThan(subA, subB, cmp_func_list)) {
605 if (result == NULL) {
616 else if (subB == NULL)
742 if (sw1dir > sw2dir) {
744 }
else if (sw1dir < sw2dir) {
786 SCSigProcessUserDataForFlowbits(sw);
787 SCSigProcessUserDataForFlowvar(sw);
788 SCSigProcessUserDataForFlowint(sw);
789 SCSigProcessUserDataForPktvar(sw);
790 SCSigProcessUserDataForHostbits(sw);
791 SCSigProcessUserDataForIPPairbits(sw);
818 while (sig != NULL) {
819 sigw = SCSigAllocSignatureWrapper(sig);
821 SCLogError(
"failed to alloc signature wrapper for rule ordering");
829 sigw->
next = fw_pf_sigw_list;
830 fw_pf_sigw_list = sigw;
833 sigw->
next = fw_af_sigw_list;
834 fw_af_sigw_list = sigw;
837 sigw->
next = td_sigw_list;
846 if (fw_pf_sigw_list) {
848 fw_pf_sigw_list = SCSigOrder(fw_pf_sigw_list, &OrderFn);
850 if (fw_af_sigw_list) {
852 fw_af_sigw_list = SCSigOrder(fw_af_sigw_list, &OrderFn);
863 for (sigw = fw_pf_sigw_list; sigw != NULL;) {
880 for (sigw = fw_af_sigw_list; sigw != NULL;) {
897 for (sigw = td_sigw_list; sigw != NULL;) {
928 SCLogDebug(
"registering signature ordering functions");
930 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
931 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
932 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowintCompare);
933 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
934 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
935 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByHostbitsCompare);
936 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByIPPairbitsCompare);
937 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
953 while (funcs != NULL) {
970 static int SCSigOrderingTest01(
void)
978 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
979 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
980 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
981 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
982 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
983 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
984 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
985 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
986 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
987 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
988 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
991 while (temp != NULL) {
1003 static int SCSigOrderingTest02(
void)
1011 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1015 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:2;)");
1019 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:3;)");
1023 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; flowvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:4;)");
1027 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:5;)");
1031 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:6;)");
1035 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:7;)");
1039 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1043 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowbits:set,TEST.one; flowbits:noalert; sid:9;)");
1047 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1051 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1055 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1059 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; priority:2; flowbits:isnotset,TEST.two; sid:13;)");
1063 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowbits:set,TEST.two; sid:14;)");
1066 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1067 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1068 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1069 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1070 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1076 while (sig != NULL) {
1077 printf(
"sid: %d\n", sig->
id);
1122 static int SCSigOrderingTest03(
void)
1130 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1131 "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:1;)");
1135 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1136 "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:2;)");
1140 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1141 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; "
1142 "flowbits:unset,TEST.one; rev:4; priority:2; sid:3;)");
1146 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1147 "offset:0; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1148 "flowbits:isset,TEST.one; rev:4; priority:1; sid:4;)");
1152 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1153 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; priority:2; sid:5;)");
1157 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1158 "content:\"220\"; offset:10; flowbits:isnotset,TEST.one; pcre:\"/^User-Agent: "
1159 "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; sid:6;)");
1163 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1164 "content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; "
1165 "flowbits:unset,TEST.one; rev:4; priority:3; sid:7;)");
1169 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1170 "offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:unset,TEST.one; rev:4; priority:1; "
1171 "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1175 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1176 "content:\"220\"; offset:10; depth:4; rev:4; flowbits:set,TEST.one; "
1177 "flowbits:noalert; pktvar:http_host,\"www.oisf.net\"; sid:9;)");
1181 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1182 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1186 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1187 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1191 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1192 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1196 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1197 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:isnotset,TEST.one; sid:13;)");
1201 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1202 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:set,TEST.one; sid:14;)");
1205 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1206 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1207 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1208 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1209 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1215 while (sig != NULL) {
1216 printf(
"sid: %d\n", sig->
id);
1259 static int SCSigOrderingTest04(
void)
1268 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1269 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1273 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1274 "pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1275 "offset:10; rev:4; priority:3; sid:2;)");
1279 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1280 "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1281 "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1285 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1286 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; "
1287 "priority:3; flowvar:http_host,\"www.oisf.net\"; sid:4;)");
1291 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1292 "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1293 "pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1297 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1298 "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1299 "pktvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:6;)");
1303 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1304 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; flowvar:http_host,\"www.oisf.net\"; "
1305 "pktvar:http_host,\"www.oisf.net\"; priority:1; sid:7;)");
1309 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1310 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1311 "flowvar:http_host,\"www.oisf.net\"; sid:8;)");
1315 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1316 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1317 "flowvar:http_host,\"www.oisf.net\"; sid:9;)");
1320 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1321 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1322 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1323 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1324 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1330 while (sig != NULL) {
1331 printf(
"sid: %d\n", sig->
id);
1366 static int SCSigOrderingTest05(
void)
1374 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1375 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1379 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1380 "pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1381 "offset:10; rev:4; priority:3; sid:2;)");
1385 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1386 "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1387 "(?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1391 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1392 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; "
1393 "priority:3; pktvar:http_host,\"www.oisf.net\"; sid:4;)");
1397 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1398 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1402 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1403 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:6;)");
1407 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1408 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1409 "pktvar:http_host,\"www.oisf.net\"; sid:7;)");
1413 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1414 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; "
1415 "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1418 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1419 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1420 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1421 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1422 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1428 while (sig != NULL) {
1429 printf(
"sid: %d\n", sig->
id);
1460 static int SCSigOrderingTest06(
void)
1469 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1470 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1474 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1475 "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1479 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1480 "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1484 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1485 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1489 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1490 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1494 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1495 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1498 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1499 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1503 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1504 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1507 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1508 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1509 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1510 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1511 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1517 while (sig != NULL) {
1518 printf(
"sid: %d\n", sig->
id);
1546 static int SCSigOrderingTest07(
void)
1555 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1556 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1560 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1561 "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1565 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1566 "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1570 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1571 "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1575 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1576 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1580 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1581 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1585 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1586 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4; priority:2;)");
1590 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1591 "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1594 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1595 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1596 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1597 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1598 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1604 while (sig != NULL) {
1605 printf(
"sid: %d\n", sig->
id);
1638 static int SCSigOrderingTest08(
void)
1640 #ifdef HAVE_LIBNET11
1655 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1656 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1660 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1661 "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1665 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1666 "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1670 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1671 "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1675 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1676 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1680 "reject tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1681 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1685 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; "
1686 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4;)");
1690 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1691 "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1694 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1695 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1696 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1697 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1698 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1704 while (sig != NULL) {
1705 printf(
"sid: %d\n", sig->
id);
1745 static int SCSigOrderingTest09(
void)
1761 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1762 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1;)");
1766 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1767 "content:\"220\"; offset:10; priority:2; sid:2;)");
1771 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1772 "content:\"220\"; offset:10; depth:4; priority:3; sid:3;)");
1776 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1777 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1781 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1782 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1786 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1787 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1791 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1792 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1796 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1797 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1800 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1801 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1802 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1803 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1804 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1810 while (sig != NULL) {
1811 printf(
"sid: %d\n", sig->
id);
1849 static int SCSigOrderingTest10(
void)
1865 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1866 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1870 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1871 "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1875 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1876 "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1880 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1881 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1885 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1886 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1890 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1891 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1895 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1896 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1900 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1901 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1904 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1905 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1906 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1907 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1908 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1914 while (sig != NULL) {
1915 printf(
"sid: %d\n", sig->
id);
1949 static int SCSigOrderingTest11(
void)
1958 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; "
1959 "flowbits:isnotset,myflow1; rev:4; sid:1;)");
1963 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; "
1964 "flowbits:unset,myflow2; rev:4; sid:2;)");
1968 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; "
1969 "flowbits:isset, myflow1; flowbits:unset,myflow2; rev:4; priority:3; sid:3;)");
1972 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1973 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1974 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1975 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1976 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1982 while (sig != NULL) {
1983 printf(
"sid: %d\n", sig->
id);
2001 static int SCSigOrderingTest12(
void)
2005 uint8_t buf[] =
"test message";
2007 memset(&f, 0,
sizeof(f));
2011 f.
proto = IPPROTO_TCP;
2017 const char *sigs[2];
2018 sigs[0] =
"alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:isset,one; flowbits:set,two; sid:1;)";
2019 sigs[1] =
"alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:set,one; sid:2;)";
2039 uint32_t sids[2] = {1, 2};
2040 uint32_t results[2] = {1, 1};
2052 static int SCSigOrderingTest13(
void)
2060 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)");
2064 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)");
2067 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
2072 while (sig != NULL) {
2073 printf(
"sid: %d\n", sig->
id);