/*
 * Per-keyword "usage type" codes for signature ordering. There is one family
 * per variable keyword (flowvar, pktvar, flowbits, flowint, xbits), and every
 * family uses the same four values in the same order:
 *   NOT_USED (1) < TYPE_READ (2) < TYPE_SET_READ (3) < TYPE_SET (4).
 *
 * NOTE(review): the SCSigGet*Type helpers in this file branch on read/write
 * counts (read only, write only, both) and return an int type value;
 * presumably that value is one of these codes and the SCSigOrderBy*Compare
 * functions compare them numerically. If so, the numeric order decides
 * whether a signature that sets a variable is evaluated before one that only
 * reads it, which affects whether state set on a packet is visible to the
 * reading rule -- confirm against the helper and compare bodies before
 * changing any value.
 */

/* flowvar keyword usage by a signature */
44 #define DETECT_FLOWVAR_NOT_USED 1
45 #define DETECT_FLOWVAR_TYPE_READ 2
46 #define DETECT_FLOWVAR_TYPE_SET_READ 3
47 #define DETECT_FLOWVAR_TYPE_SET 4
/* pktvar keyword usage by a signature */
49 #define DETECT_PKTVAR_NOT_USED 1
50 #define DETECT_PKTVAR_TYPE_READ 2
51 #define DETECT_PKTVAR_TYPE_SET_READ 3
52 #define DETECT_PKTVAR_TYPE_SET 4
/* flowbits keyword usage by a signature */
54 #define DETECT_FLOWBITS_NOT_USED 1
55 #define DETECT_FLOWBITS_TYPE_READ 2
56 #define DETECT_FLOWBITS_TYPE_SET_READ 3
57 #define DETECT_FLOWBITS_TYPE_SET 4
/* flowint keyword usage by a signature */
59 #define DETECT_FLOWINT_NOT_USED 1
60 #define DETECT_FLOWINT_TYPE_READ 2
61 #define DETECT_FLOWINT_TYPE_SET_READ 3
62 #define DETECT_FLOWINT_TYPE_SET 4
/* xbits usage by a signature; presumably shared by the hostbits and
 * ippairbits orderings registered later in this file -- TODO confirm */
64 #define DETECT_XBITS_NOT_USED 1
65 #define DETECT_XBITS_TYPE_READ 2
66 #define DETECT_XBITS_TYPE_SET_READ 3
67 #define DETECT_XBITS_TYPE_SET 4
130 while (curr != NULL) {
140 FatalError(
"Fatal error encountered in SCSigRegisterSignatureOrderingFunc. Exiting...");
166 static inline int SCSigGetFlowbitsType(
Signature *sig)
208 if (read > 0 && write == 0) {
210 }
else if (read == 0 && write > 0) {
212 }
else if (read > 0 && write > 0) {
216 SCLogDebug(
"Sig %s typeval %d", sig->
msg, flowbits_user_type);
218 return flowbits_user_type;
221 static inline int SCSigGetFlowintType(
Signature *sig)
269 if (read > 0 && write == 0) {
271 }
else if (read == 0 && write > 0) {
273 }
else if (read > 0 && write > 0) {
277 SCLogDebug(
"Sig %s typeval %d", sig->
msg, flowint_user_type);
279 return flowint_user_type;
296 static inline int SCSigGetFlowvarType(
Signature *sig)
308 for (x = 0; x < pd->
idx; x++) {
329 if (read > 0 && write == 0) {
331 }
else if (read == 0 && write > 0) {
333 }
else if (read > 0 && write > 0) {
354 static inline int SCSigGetPktvarType(
Signature *sig)
366 for (x = 0; x < pd->
idx; x++) {
387 if (read > 0 && write == 0) {
389 }
else if (read == 0 && write > 0) {
391 }
else if (read > 0 && write > 0) {
458 if (read > 0 && write == 0) {
460 }
else if (read == 0 && write > 0) {
462 }
else if (read > 0 && write > 0) {
468 return xbits_user_type;
543 while (funcs != NULL) {
594 subA = SCSigOrder(subA, cmp_func_list);
595 subB = SCSigOrder(subB, cmp_func_list);
600 while (subA != NULL && subB != NULL) {
601 if (SCSigLessThan(subA, subB, cmp_func_list)) {
610 if (result == NULL) {
621 else if (subB == NULL)
747 SCSigProcessUserDataForFlowbits(sw);
748 SCSigProcessUserDataForFlowvar(sw);
749 SCSigProcessUserDataForFlowint(sw);
750 SCSigProcessUserDataForPktvar(sw);
751 SCSigProcessUserDataForHostbits(sw);
752 SCSigProcessUserDataForIPPairbits(sw);
779 while (sig != NULL) {
780 sigw = SCSigAllocSignatureWrapper(sig);
782 sigw->
next = sigw_list;
794 SCLogDebug(
"Total Signatures to be processed by the"
795 "sigordering module: %d", i);
803 while (sigw != NULL) {
821 SCLogDebug(
"total signatures reordered by the sigordering module: %d", i);
837 SCLogDebug(
"registering signature ordering functions");
839 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
840 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
841 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowintCompare);
842 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
843 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
844 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByHostbitsCompare);
845 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByIPPairbitsCompare);
846 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
862 while (funcs != NULL) {
879 static int SCSigOrderingTest01(
void)
887 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
888 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
889 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
890 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
891 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
892 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
893 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
894 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
895 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
896 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
897 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
900 while (temp != NULL) {
912 static int SCSigOrderingTest02(
void)
920 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
924 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:2;)");
928 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:3;)");
932 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; flowvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:4;)");
936 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:5;)");
940 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:6;)");
944 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:7;)");
948 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
952 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowbits:set,TEST.one; flowbits:noalert; sid:9;)");
956 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
960 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
964 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
968 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; priority:2; flowbits:isnotset,TEST.two; sid:13;)");
972 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowbits:set,TEST.two; sid:14;)");
975 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
976 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
977 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
978 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
979 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
985 while (sig != NULL) {
986 printf(
"sid: %d\n", sig->
id);
1031 static int SCSigOrderingTest03(
void)
1039 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1040 "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:1;)");
1044 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1045 "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:2;)");
1049 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1050 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; "
1051 "flowbits:unset,TEST.one; rev:4; priority:2; sid:3;)");
1055 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1056 "offset:0; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1057 "flowbits:isset,TEST.one; rev:4; priority:1; sid:4;)");
1061 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1062 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; priority:2; sid:5;)");
1066 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1067 "content:\"220\"; offset:10; flowbits:isnotset,TEST.one; pcre:\"/^User-Agent: "
1068 "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; sid:6;)");
1072 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1073 "content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; "
1074 "flowbits:unset,TEST.one; rev:4; priority:3; sid:7;)");
1078 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1079 "offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:toggle,TEST.one; rev:4; priority:1; "
1080 "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1084 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1085 "content:\"220\"; offset:10; depth:4; rev:4; flowbits:set,TEST.one; "
1086 "flowbits:noalert; pktvar:http_host,\"www.oisf.net\"; sid:9;)");
1090 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1091 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1095 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1096 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1100 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1101 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1105 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1106 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:isnotset,TEST.one; sid:13;)");
1110 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1111 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:set,TEST.one; sid:14;)");
1114 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1115 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1116 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1117 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1118 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1124 while (sig != NULL) {
1125 printf(
"sid: %d\n", sig->
id);
1168 static int SCSigOrderingTest04(
void)
1177 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1178 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1182 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1183 "pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1184 "offset:10; rev:4; priority:3; sid:2;)");
1188 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1189 "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1190 "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1194 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1195 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; "
1196 "priority:3; flowvar:http_host,\"www.oisf.net\"; sid:4;)");
1200 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1201 "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1202 "pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1206 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1207 "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1208 "pktvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:6;)");
1212 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1213 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; flowvar:http_host,\"www.oisf.net\"; "
1214 "pktvar:http_host,\"www.oisf.net\"; priority:1; sid:7;)");
1218 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1219 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1220 "flowvar:http_host,\"www.oisf.net\"; sid:8;)");
1224 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1225 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1226 "flowvar:http_host,\"www.oisf.net\"; sid:9;)");
1229 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1230 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1231 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1232 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1233 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1239 while (sig != NULL) {
1240 printf(
"sid: %d\n", sig->
id);
1275 static int SCSigOrderingTest05(
void)
1283 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1284 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1288 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1289 "pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1290 "offset:10; rev:4; priority:3; sid:2;)");
1294 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1295 "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1296 "(?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1300 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1301 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; "
1302 "priority:3; pktvar:http_host,\"www.oisf.net\"; sid:4;)");
1306 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1307 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1311 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1312 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:6;)");
1316 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1317 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1318 "pktvar:http_host,\"www.oisf.net\"; sid:7;)");
1322 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1323 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; "
1324 "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1327 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1328 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1329 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1330 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1331 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1337 while (sig != NULL) {
1338 printf(
"sid: %d\n", sig->
id);
1369 static int SCSigOrderingTest06(
void)
1378 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1379 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1383 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1384 "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1388 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1389 "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1393 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1394 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1398 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1399 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1403 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1404 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1407 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1408 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1412 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1413 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1416 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1417 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1418 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1419 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1420 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1426 while (sig != NULL) {
1427 printf(
"sid: %d\n", sig->
id);
1455 static int SCSigOrderingTest07(
void)
1464 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1465 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1469 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1470 "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1474 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1475 "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1479 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1480 "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1484 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1485 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1489 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1490 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1494 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1495 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4; priority:2;)");
1499 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1500 "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1503 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1504 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1505 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1506 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1507 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1513 while (sig != NULL) {
1514 printf(
"sid: %d\n", sig->
id);
1547 static int SCSigOrderingTest08(
void)
1549 #ifdef HAVE_LIBNET11
1564 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1565 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1569 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1570 "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1574 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1575 "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1579 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1580 "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1584 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1585 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1589 "reject tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1590 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1594 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; "
1595 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4;)");
1599 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1600 "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1603 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1604 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1605 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1606 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1607 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1613 while (sig != NULL) {
1614 printf(
"sid: %d\n", sig->
id);
1654 static int SCSigOrderingTest09(
void)
1670 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1671 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1;)");
1675 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1676 "content:\"220\"; offset:10; priority:2; sid:2;)");
1680 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1681 "content:\"220\"; offset:10; depth:4; priority:3; sid:3;)");
1685 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1686 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1690 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1691 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1695 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1696 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1700 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1701 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1705 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1706 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1709 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1710 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1711 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1712 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1713 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1719 while (sig != NULL) {
1720 printf(
"sid: %d\n", sig->
id);
1758 static int SCSigOrderingTest10(
void)
1774 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1775 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1779 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1780 "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1784 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1785 "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1789 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1790 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1794 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1795 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1799 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1800 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1804 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1805 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1809 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1810 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1813 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1814 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1815 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1816 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1817 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1823 while (sig != NULL) {
1824 printf(
"sid: %d\n", sig->
id);
1858 static int SCSigOrderingTest11(
void)
1867 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; "
1868 "flowbits:isnotset,myflow1; rev:4; sid:1;)");
1872 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering toggle\"; "
1873 "flowbits:toggle,myflow2; rev:4; sid:2;)");
1877 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; "
1878 "flowbits:isset, myflow1; flowbits:unset,myflow2; rev:4; priority:3; sid:3;)");
1881 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1882 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1883 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1884 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1885 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1891 while (sig != NULL) {
1892 printf(
"sid: %d\n", sig->
id);
1910 static int SCSigOrderingTest12(
void)
1914 uint8_t buf[] =
"test message";
1920 f.
proto = IPPROTO_TCP;
1926 const char *sigs[2];
1927 sigs[0] =
"alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:isset,one; flowbits:set,two; sid:1;)";
1928 sigs[1] =
"alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:set,one; sid:2;)";
1948 uint32_t sids[2] = {1, 2};
1949 uint32_t results[2] = {1, 1};
1962 static int SCSigOrderingTest13(
void)
1970 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)");
1974 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)");
1977 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1982 while (sig != NULL) {
1983 printf(
"sid: %d\n", sig->
id);