suricata
detect-engine-sigorder.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  *
23  * Signature ordering part of the detection engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "detect.h"
28 #include "detect-xbits.h"
29 #include "detect-flowbits.h"
30 #include "detect-flowint.h"
31 #include "detect-parse.h"
32 #include "detect-engine-sigorder.h"
33 #include "detect-pcre.h"
34 
35 #include "util-unittest.h"
36 #include "util-unittest-helper.h"
37 #include "util-debug.h"
38 #include "util-action.h"
39 #include "action-globals.h"
40 #include "flow-util.h"
41 
42 #define DETECT_FLOWVAR_NOT_USED 1
43 #define DETECT_FLOWVAR_TYPE_READ 2
44 #define DETECT_FLOWVAR_TYPE_SET_READ 3
45 #define DETECT_FLOWVAR_TYPE_SET 4
46 
47 #define DETECT_PKTVAR_NOT_USED 1
48 #define DETECT_PKTVAR_TYPE_READ 2
49 #define DETECT_PKTVAR_TYPE_SET_READ 3
50 #define DETECT_PKTVAR_TYPE_SET 4
51 
52 #define DETECT_FLOWBITS_NOT_USED 1
53 #define DETECT_FLOWBITS_TYPE_READ 2
54 #define DETECT_FLOWBITS_TYPE_SET_READ 3
55 #define DETECT_FLOWBITS_TYPE_SET 4
56 
57 #define DETECT_FLOWINT_NOT_USED 1
58 #define DETECT_FLOWINT_TYPE_READ 2
59 #define DETECT_FLOWINT_TYPE_SET_READ 3
60 #define DETECT_FLOWINT_TYPE_SET 4
61 
62 #define DETECT_XBITS_NOT_USED 1
63 #define DETECT_XBITS_TYPE_READ 2
64 #define DETECT_XBITS_TYPE_SET_READ 3
65 #define DETECT_XBITS_TYPE_SET 4
66 
67 
68 /**
69  * \brief Registers a keyword-based, signature ordering function
70  *
71  * \param de_ctx Pointer to the detection engine context from which the
72  * signatures have to be ordered.
73  * \param FuncPtr Pointer to the signature ordering function. The prototype of
74  * the signature ordering function should accept a pointer to a
75  * SCSigSignatureWrapper as its argument and shouldn't return
76  * anything
77  */
78 static void SCSigRegisterSignatureOrderingFunc(DetectEngineCtx *de_ctx,
79  int (*SWCompare)(SCSigSignatureWrapper *sw1, SCSigSignatureWrapper *sw2))
80 {
81  SCSigOrderFunc *curr = NULL;
82  SCSigOrderFunc *prev = NULL;
83  SCSigOrderFunc *temp = NULL;
84 
85  curr = de_ctx->sc_sig_order_funcs;
86 
87  /* Walk to the end of the list, and leave prev pointing at the
88  last element. */
89  prev = curr;
90  while (curr != NULL) {
91  if (curr->SWCompare == SWCompare) {
92  /* Already specified this compare */
93  return;
94  }
95  prev = curr;
96  curr = curr->next;
97  }
98 
99  if ( (temp = SCMalloc(sizeof(SCSigOrderFunc))) == NULL) {
101  "Fatal error encountered in SCSigRegisterSignatureOrderingFunc. Exiting...");
102  }
103  memset(temp, 0, sizeof(SCSigOrderFunc));
104 
105  temp->SWCompare = SWCompare;
106 
107  /* Append the new compare function at the end of the list. */
108  if (prev == NULL)
109  de_ctx->sc_sig_order_funcs = temp;
110  else
111  prev->next = temp;
112 
113  return;
114 }
115 
116 /**
117  * \brief Returns the flowbit type set for this signature. If more than one
118  * flowbit has been set for the same rule, we return the flowbit type of
119  * the maximum priority/value, where priority/value is maximum for the
120  * ones that set the value and the lowest for ones that read the value.
121  * If no flowbit has been set for the rule, we return 0, which indicates
122  * the least value amongst flowbit types.
123  *
124  * \param sig Pointer to the Signature from which the flowbit value has to be
125  * returned.
126  *
127  * \retval flowbits The flowbits type for this signature if it is set; if it is
128  * not set, return 0
129  */
130 static inline int SCSigGetFlowbitsType(Signature *sig)
131 {
132  DetectFlowbitsData *fb = NULL;
133  int flowbits_user_type = DETECT_FLOWBITS_NOT_USED;
134  int read = 0;
135  int write = 0;
137 
138  while (sm != NULL) {
139  if (sm->type == DETECT_FLOWBITS) {
140  fb = (DetectFlowbitsData *)sm->ctx;
141  if (fb->cmd == DETECT_FLOWBITS_CMD_ISNOTSET ||
143  read++;
144  } else {
145 #ifdef DEBUG
146  BUG_ON(1);
147 #endif
148  }
149  }
150 
151  sm = sm->next;
152  }
153 
155  while (sm != NULL) {
156  if (sm->type == DETECT_FLOWBITS) {
157  fb = (DetectFlowbitsData *)sm->ctx;
158  if (fb->cmd == DETECT_FLOWBITS_CMD_SET ||
161  write++;
162  } else {
163 #ifdef DEBUG
164  BUG_ON(1);
165 #endif
166  }
167  }
168 
169  sm = sm->next;
170  }
171 
172  if (read > 0 && write == 0) {
173  flowbits_user_type = DETECT_FLOWBITS_TYPE_READ;
174  } else if (read == 0 && write > 0) {
175  flowbits_user_type = DETECT_FLOWBITS_TYPE_SET;
176  } else if (read > 0 && write > 0) {
177  flowbits_user_type = DETECT_FLOWBITS_TYPE_SET_READ;
178  }
179 
180  SCLogDebug("Sig %s typeval %d", sig->msg, flowbits_user_type);
181 
182  return flowbits_user_type;
183 }
184 
185 static inline int SCSigGetFlowintType(Signature *sig)
186 {
187  DetectFlowintData *fi = NULL;
188  int flowint_user_type = DETECT_FLOWINT_NOT_USED;
189  int read = 0;
190  int write = 0;
192 
193  while (sm != NULL) {
194  if (sm->type == DETECT_FLOWINT) {
195  fi = (DetectFlowintData *)sm->ctx;
196  if (fi->modifier == FLOWINT_MODIFIER_LT ||
197  fi->modifier == FLOWINT_MODIFIER_LE ||
198  fi->modifier == FLOWINT_MODIFIER_EQ ||
199  fi->modifier == FLOWINT_MODIFIER_NE ||
200  fi->modifier == FLOWINT_MODIFIER_GE ||
201  fi->modifier == FLOWINT_MODIFIER_GT ||
204  read++;
205  } else {
206 #ifdef DEBUG
207  BUG_ON(1);
208 #endif
209  }
210  }
211 
212  sm = sm->next;
213  }
214 
216  while (sm != NULL) {
217  if (sm->type == DETECT_FLOWINT) {
218  fi = (DetectFlowintData *)sm->ctx;
219  if (fi->modifier == FLOWINT_MODIFIER_SET ||
222  write++;
223  } else {
224 #ifdef DEBUG
225  BUG_ON(1);
226 #endif
227  }
228  }
229 
230  sm = sm->next;
231  }
232 
233  if (read > 0 && write == 0) {
234  flowint_user_type = DETECT_FLOWINT_TYPE_READ;
235  } else if (read == 0 && write > 0) {
236  flowint_user_type = DETECT_FLOWINT_TYPE_SET;
237  } else if (read > 0 && write > 0) {
238  flowint_user_type = DETECT_FLOWINT_TYPE_SET_READ;
239  }
240 
241  SCLogDebug("Sig %s typeval %d", sig->msg, flowint_user_type);
242 
243  return flowint_user_type;
244 }
245 
246 /**
247  * \brief Returns whether the flowvar set for this rule, sets the flowvar or
248  * reads the flowvar. If the rule sets the flowvar the function returns
249  * DETECT_FLOWVAR_TYPE_SET(3), if it reads the flowvar the function
250  * returns DETECT_FLOWVAR_TYPE_READ(2), and if flowvar is not used in this
251  * rule the function returns DETECT_FLOWVAR_NOT_USED(1)
252  *
253  * \param sig Pointer to the Signature from which the flowvar type has to be
254  * returned.
255  *
256  * \retval type DETECT_FLOWVAR_TYPE_SET(3) if the rule sets the flowvar,
257  * DETECT_FLOWVAR_TYPE_READ(2) if it reads, and
258  * DETECT_FLOWVAR_NOT_USED(1) if flowvar is not used.
259  */
260 static inline int SCSigGetFlowvarType(Signature *sig)
261 {
262  DetectPcreData *pd = NULL;
264  int read = 0;
265  int write = 0;
267 
268  while (sm != NULL) {
269  pd = (DetectPcreData *)sm->ctx;
270  if (sm->type == DETECT_PCRE) {
271  uint8_t x;
272  for (x = 0; x < pd->idx; x++) {
273  if (pd->captypes[x] == VAR_TYPE_FLOW_VAR) {
274  write++;
275  break;
276  }
277  }
278  }
279 
280  sm = sm->next;
281  }
282 
284  pd = NULL;
285  while (sm != NULL) {
286  if (sm->type == DETECT_FLOWVAR) {
287  read++;
288  }
289 
290  sm = sm->next;
291  }
292 
293  if (read > 0 && write == 0) {
295  } else if (read == 0 && write > 0) {
297  } else if (read > 0 && write > 0) {
299  }
300 
301  return type;
302 }
303 
304 /**
305  * \brief Returns whether the pktvar set for this rule, sets the flowvar or
306  * reads the pktvar. If the rule sets the pktvar the function returns
307  * DETECT_PKTVAR_TYPE_SET(3), if it reads the pktvar the function
308  * returns DETECT_PKTVAR_TYPE_READ(2), and if pktvar is not used in this
309  * rule the function returns DETECT_PKTVAR_NOT_USED(1)
310  *
311  * \param sig Pointer to the Signature from which the pktvar type has to be
312  * returned.
313  *
314  * \retval type DETECT_PKTVAR_TYPE_SET(3) if the rule sets the flowvar,
315  * DETECT_PKTVAR_TYPE_READ(2) if it reads, and
316  * DETECT_PKTVAR_NOT_USED(1) if pktvar is not used.
317  */
318 static inline int SCSigGetPktvarType(Signature *sig)
319 {
320  DetectPcreData *pd = NULL;
322  int read = 0;
323  int write = 0;
325 
326  while (sm != NULL) {
327  pd = (DetectPcreData *)sm->ctx;
328  if (sm->type == DETECT_PCRE) {
329  uint8_t x;
330  for (x = 0; x < pd->idx; x++) {
331  if (pd->captypes[x] == VAR_TYPE_PKT_VAR) {
332  write++;
333  break;
334  }
335  }
336  }
337 
338  sm = sm->next;
339  }
340 
342  pd = NULL;
343  while (sm != NULL) {
344  if (sm->type == DETECT_PKTVAR) {
345  read++;
346  }
347 
348  sm = sm->next;
349  }
350 
351  if (read > 0 && write == 0) {
353  } else if (read == 0 && write > 0) {
355  } else if (read > 0 && write > 0) {
357  }
358 
359  return type;
360 }
361 
362 /**
363  * \brief Returns the xbit type set for this signature. If more than one
364  * xbit has been set for the same rule, we return the xbit type of
365  * the maximum priority/value, where priority/value is maximum for the
366  * ones that set the value and the lowest for ones that read the value.
367  * If no xbit has been set for the rule, we return 0, which indicates
368  * the least value amongst xbit types.
369  *
370  * \param sig Pointer to the Signature from which the xbit value has to be
371  * returned.
372  *
373  * \retval xbits The xbits type for this signature if it is set; if it is
374  * not set, return 0
375  */
376 static inline int SCSigGetXbitsType(Signature *sig, enum VarTypes type)
377 {
378  DetectXbitsData *fb = NULL;
379  int xbits_user_type = DETECT_XBITS_NOT_USED;
380  int read = 0;
381  int write = 0;
383 
384  while (sm != NULL) {
385  if (sm->type == DETECT_XBITS) {
386  fb = (DetectXbitsData *)sm->ctx;
387  if (fb->type == type) {
388  if (fb->cmd == DETECT_XBITS_CMD_ISNOTSET ||
389  fb->cmd == DETECT_XBITS_CMD_ISSET) {
390  read++;
391  } else {
392 #ifdef DEBUG
393  BUG_ON(1);
394 #endif
395  }
396  }
397  }
398 
399  sm = sm->next;
400  }
401 
403  while (sm != NULL) {
404  if (sm->type == DETECT_HOSTBITS) {
405  fb = (DetectXbitsData *)sm->ctx;
406  if (fb->type == type) {
407  if (fb->cmd == DETECT_XBITS_CMD_SET ||
408  fb->cmd == DETECT_XBITS_CMD_UNSET ||
409  fb->cmd == DETECT_XBITS_CMD_TOGGLE) {
410  write++;
411  } else {
412 #ifdef DEBUG
413  BUG_ON(1);
414 #endif
415  }
416  }
417  }
418 
419  sm = sm->next;
420  }
421 
422  if (read > 0 && write == 0) {
423  xbits_user_type = DETECT_XBITS_TYPE_READ;
424  } else if (read == 0 && write > 0) {
425  xbits_user_type = DETECT_XBITS_TYPE_SET;
426  } else if (read > 0 && write > 0) {
427  xbits_user_type = DETECT_XBITS_TYPE_SET_READ;
428  }
429 
430  SCLogDebug("Sig %s typeval %d", sig->msg, xbits_user_type);
431 
432  return xbits_user_type;
433 }
434 
435 /**
436  * \brief Processes the flowbits data for this signature and caches it for
437  * future use. This is needed to optimize the sig_ordering module.
438  *
439  * \param sw The sigwrapper/signature for which the flowbits data has to be
440  * cached
441  */
442 static inline void SCSigProcessUserDataForFlowbits(SCSigSignatureWrapper *sw)
443 {
444  sw->user[SC_RADIX_USER_DATA_FLOWBITS] = SCSigGetFlowbitsType(sw->sig);
445 }
446 
447 /**
448  * \brief Processes the flowvar data for this signature and caches it for
449  * future use. This is needed to optimize the sig_ordering module.
450  *
451  * \param sw The sigwrapper/signature for which the flowvar data has to be
452  * cached
453  */
454 static inline void SCSigProcessUserDataForFlowvar(SCSigSignatureWrapper *sw)
455 {
456  sw->user[SC_RADIX_USER_DATA_FLOWVAR] = SCSigGetFlowvarType(sw->sig);
457 }
458 
459 static inline void SCSigProcessUserDataForFlowint(SCSigSignatureWrapper *sw)
460 {
461  sw->user[SC_RADIX_USER_DATA_FLOWINT] = SCSigGetFlowintType(sw->sig);
462 }
463 
464 /**
465  * \brief Processes the pktvar data for this signature and caches it for
466  * future use. This is needed to optimize the sig_ordering module.
467  *
468  * \param sw The sigwrapper/signature for which the pktvar data has to be
469  * cached
470  */
471 static inline void SCSigProcessUserDataForPktvar(SCSigSignatureWrapper *sw)
472 {
473  sw->user[SC_RADIX_USER_DATA_PKTVAR] = SCSigGetPktvarType(sw->sig);
474 }
475 
476 /**
477  * \brief Processes the hostbits data for this signature and caches it for
478  * future use. This is needed to optimize the sig_ordering module.
479  *
480  * \param sw The sigwrapper/signature for which the hostbits data has to be
481  * cached
482  */
483 static inline void SCSigProcessUserDataForHostbits(SCSigSignatureWrapper *sw)
484 {
485  sw->user[SC_RADIX_USER_DATA_HOSTBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_HOST_BIT);
486 }
487 
488 /**
489  * \brief Processes the hostbits data for this signature and caches it for
490  * future use. This is needed to optimize the sig_ordering module.
491  *
492  * \param sw The sigwrapper/signature for which the hostbits data has to be
493  * cached
494  */
495 static inline void SCSigProcessUserDataForIPPairbits(SCSigSignatureWrapper *sw)
496 {
497  sw->user[SC_RADIX_USER_DATA_IPPAIRBITS] = SCSigGetXbitsType(sw->sig, VAR_TYPE_IPPAIR_BIT);
498 }
499 
500 /* Return 1 if sw1 comes before sw2 in the final list. */
501 static int SCSigLessThan(SCSigSignatureWrapper *sw1,
503  SCSigOrderFunc *cmp_func_list)
504 {
505  SCSigOrderFunc *funcs = cmp_func_list;
506 
507  while (funcs != NULL) {
508  int delta = funcs->SWCompare(sw1, sw2);
509  if (delta > 0)
510  return 1;
511  else if (delta < 0)
512  return 0;
513 
514  funcs = funcs->next;
515  }
516  // They are equal, so use sid as the final decider.
517  return sw1->sig->id < sw2->sig->id;
518 }
519 
520 /* Merge sort based on a list of compare functions */
521 static SCSigSignatureWrapper *SCSigOrder(SCSigSignatureWrapper *sw,
522  SCSigOrderFunc *cmp_func_list)
523 {
524  SCSigSignatureWrapper *subA = NULL;
525  SCSigSignatureWrapper *subB = NULL;
526  SCSigSignatureWrapper *first;
527  SCSigSignatureWrapper *second;
528  SCSigSignatureWrapper *result = NULL;
529  SCSigSignatureWrapper *last = NULL;
530  SCSigSignatureWrapper *new = NULL;
531 
532  /* Divide input list into two sub-lists. */
533  while (sw != NULL) {
534  first = sw;
535  sw = sw->next;
536  /* Push the first element onto sub-list A */
537  first->next = subA;
538  subA = first;
539 
540  if (sw == NULL)
541  break;
542  second = sw;
543  sw = sw->next;
544  /* Push the second element onto sub-list B */
545  second->next = subB;
546  subB = second;
547  }
548  if (subB == NULL) {
549  /* Only zero or one element on the list. */
550  return subA;
551  }
552 
553  /* Now sort each list */
554  subA = SCSigOrder(subA, cmp_func_list);
555  subB = SCSigOrder(subB, cmp_func_list);
556 
557  /* Merge the two sorted lists. */
558  while (subA != NULL && subB != NULL) {
559  if (SCSigLessThan(subA, subB, cmp_func_list)) {
560  new = subA;
561  subA = subA->next;
562  } else {
563  new = subB;
564  subB = subB->next;
565  }
566  /* Push onto the end of the output list. */
567  new->next = NULL;
568  if (result == NULL) {
569  result = new;
570  last = new;
571  } else {
572  last->next = new;
573  last = new;
574  }
575  }
576  /* Attach the rest of any remaining list. Only one can be non-NULL here. */
577  if (subA == NULL)
578  last->next = subB;
579  else if (subB == NULL)
580  last->next = subA;
581 
582  return result;
583 }
584 
585 /**
586  * \brief Orders an incoming Signature based on its action
587  *
588  * \param de_ctx Pointer to the detection engine context from which the
589  * signatures have to be ordered.
590  * \param sw The new signature that has to be ordered based on its action
591  */
592 static int SCSigOrderByActionCompare(SCSigSignatureWrapper *sw1,
594 {
595  return ActionOrderVal(sw2->sig->action) - ActionOrderVal(sw1->sig->action);
596 }
597 
598 /**
599  * \brief Orders an incoming Signature based on its flowbits type
600  *
601  * \param de_ctx Pointer to the detection engine context from which the
602  * signatures have to be ordered.
603  * \param sw The new signature that has to be ordered based on its flowbits
604  */
605 static int SCSigOrderByFlowbitsCompare(SCSigSignatureWrapper *sw1,
607 {
608  return sw1->user[SC_RADIX_USER_DATA_FLOWBITS] -
610 }
611 
612 /**
613  * \brief Orders an incoming Signature based on its flowvar type
614  *
615  * \param de_ctx Pointer to the detection engine context from which the
616  * signatures have to be ordered.
617  * \param sw The new signature that has to be ordered based on its flowvar
618  */
619 static int SCSigOrderByFlowvarCompare(SCSigSignatureWrapper *sw1,
621 {
622  return sw1->user[SC_RADIX_USER_DATA_FLOWVAR] -
624 }
625 
626 /**
627  * \brief Orders an incoming Signature based on its pktvar type
628  *
629  * \param de_ctx Pointer to the detection engine context from which the
630  * signatures have to be ordered.
631  * \param sw The new signature that has to be ordered based on its pktvar
632  */
633 static int SCSigOrderByPktvarCompare(SCSigSignatureWrapper *sw1,
635 {
636  return sw1->user[SC_RADIX_USER_DATA_PKTVAR] -
638 }
639 
640 static int SCSigOrderByFlowintCompare(SCSigSignatureWrapper *sw1,
642 {
643  return sw1->user[SC_RADIX_USER_DATA_FLOWINT] -
645 }
646 
647 /**
648  * \brief Orders an incoming Signature based on its hostbits type
649  *
650  * \param de_ctx Pointer to the detection engine context from which the
651  * signatures have to be ordered.
652  * \param sw The new signature that has to be ordered based on its hostbits
653  */
654 static int SCSigOrderByHostbitsCompare(SCSigSignatureWrapper *sw1,
656 {
657  return sw1->user[SC_RADIX_USER_DATA_HOSTBITS] -
659 }
660 
661 /**
662  * \brief Orders an incoming Signature based on its ippairbits (xbits) type
663  *
664  * \param de_ctx Pointer to the detection engine context from which the
665  * signatures have to be ordered.
666  * \param sw The new signature that has to be ordered based on its bits
667  */
668 static int SCSigOrderByIPPairbitsCompare(SCSigSignatureWrapper *sw1,
670 {
671  return sw1->user[SC_RADIX_USER_DATA_IPPAIRBITS] -
673 }
674 
675 /**
676  * \brief Orders an incoming Signature based on its priority type
677  *
678  * \param de_ctx Pointer to the detection engine context from which the
679  * signatures have to be ordered.
680  * \param sw The new signature that has to be ordered based on its priority
681  */
682 static int SCSigOrderByPriorityCompare(SCSigSignatureWrapper *sw1,
684 {
685  if (sw1->sig->prio > sw2->sig->prio) {
686  return -1;
687  } else if (sw1->sig->prio < sw2->sig->prio) {
688  return 1;
689  }
690  return 0;
691 }
692 
693 /**
694  * \brief Creates a Wrapper around the Signature
695  *
696  * \param Pointer to the Signature to be wrapped
697  *
698  * \retval sw Pointer to the wrapper that holds the signature
699  */
700 static inline SCSigSignatureWrapper *SCSigAllocSignatureWrapper(Signature *sig)
701 {
702  SCSigSignatureWrapper *sw = NULL;
703 
704  if ( (sw = SCMalloc(sizeof(SCSigSignatureWrapper))) == NULL)
705  return NULL;
706  memset(sw, 0, sizeof(SCSigSignatureWrapper));
707 
708  sw->sig = sig;
709 
710  /* Process data from the signature into a cache for further use by the
711  * sig_ordering module */
712  SCSigProcessUserDataForFlowbits(sw);
713  SCSigProcessUserDataForFlowvar(sw);
714  SCSigProcessUserDataForFlowint(sw);
715  SCSigProcessUserDataForPktvar(sw);
716  SCSigProcessUserDataForHostbits(sw);
717  SCSigProcessUserDataForIPPairbits(sw);
718 
719  return sw;
720 }
721 
722 /**
723  * \brief Orders the signatures
724  *
725  * \param de_ctx Pointer to the Detection Engine Context that holds the
726  * signatures to be ordered
727  */
729 {
730  Signature *sig = NULL;
731  SCSigSignatureWrapper *sigw = NULL;
732  SCSigSignatureWrapper *sigw_list = NULL;
733 
734  int i = 0;
735  SCLogDebug("ordering signatures in memory");
736 
737  sig = de_ctx->sig_list;
738  while (sig != NULL) {
739  sigw = SCSigAllocSignatureWrapper(sig);
740  /* Push signature wrapper onto a list, order doesn't matter here. */
741  sigw->next = sigw_list;
742  sigw_list = sigw;
743 
744  sig = sig->next;
745  i++;
746  }
747 
748  /* Sort the list */
749  sigw_list = SCSigOrder(sigw_list, de_ctx->sc_sig_order_funcs);
750 
751  SCLogDebug("Total Signatures to be processed by the"
752  "sigordering module: %d", i);
753 
754  /* Recreate the sig list in order */
755  de_ctx->sig_list = NULL;
756  sigw = sigw_list;
757  i = 0;
758  while (sigw != NULL) {
759  i++;
760  sigw->sig->next = NULL;
761  if (de_ctx->sig_list == NULL) {
762  /* First entry on the list */
763  de_ctx->sig_list = sigw->sig;
764  sig = de_ctx->sig_list;
765  } else {
766  sig->next = sigw->sig;
767  sig = sig->next;
768  }
769  SCSigSignatureWrapper *sigw_to_free = sigw;
770  sigw = sigw->next;
771  SCFree(sigw_to_free);
772  }
773 
774  SCLogDebug("total signatures reordered by the sigordering module: %d", i);
775 }
776 
777 /**
778  * \brief Lets you register the Signature ordering functions. The order in
779  * which the functions are registered, show the priority. The first
780  * function registered provides more priority than the function
781  * registered after it. To add a new registration function, register
782  * it by listing it in the correct position in the below sequence,
783  * based on the priority you would want to offer to that keyword.
784  *
785  * \param de_ctx Pointer to the detection engine context from which the
786  * signatures have to be ordered.
787  */
789 {
790  SCLogDebug("registering signature ordering functions");
791 
792  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
793  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
794  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowintCompare);
795  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
796  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
797  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByHostbitsCompare);
798  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByIPPairbitsCompare);
799  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
800 }
801 
802 /**
803  * \brief De-registers all the signature ordering functions registered
804  *
805  * \param de_ctx Pointer to the detection engine context from which the
806  * signatures were ordered.
807  */
809 {
810  SCSigOrderFunc *funcs;
811  void *temp;
812 
813  /* clean the memory alloted to the signature ordering funcs */
814  funcs = de_ctx->sc_sig_order_funcs;
815  while (funcs != NULL) {
816  temp = funcs;
817  funcs = funcs->next;
818  SCFree(temp);
819  }
820  de_ctx->sc_sig_order_funcs = NULL;
821 }
822 
823 /**********Unittests**********/
824 
826 Signature *SigInit(DetectEngineCtx *, const char *);
829 
830 #ifdef UNITTESTS
831 
832 static int SCSigOrderingTest01(void)
833 {
834  SCSigOrderFunc *temp = NULL;
835  int i = 0;
836 
838  if (de_ctx == NULL)
839  goto end;
840 
841  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
842  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
843  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
844  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
845  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
846  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
847  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
848  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
849  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
850  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
851  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
852 
853  temp = de_ctx->sc_sig_order_funcs;
854  while (temp != NULL) {
855  i++;
856  temp = temp->next;
857  }
858 
860 
861  return (i == 5);
862  end:
863  return 0;
864 }
865 
866 static int SCSigOrderingTest02(void)
867 {
868  Signature *sig = NULL;
869 
871  FAIL_IF(de_ctx == NULL);
872 
874  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
875  FAIL_IF_NULL(sig);
876 
878  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:2;)");
879  FAIL_IF_NULL(sig);
880 
882  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:3;)");
883  FAIL_IF_NULL(sig);
884 
886  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; flowvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:4;)");
887  FAIL_IF_NULL(sig);
888 
890  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:5;)");
891  FAIL_IF_NULL(sig);
892 
894  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:6;)");
895  FAIL_IF_NULL(sig);
896 
898  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:7;)");
899  FAIL_IF_NULL(sig);
900 
902  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
903  FAIL_IF_NULL(sig);
904 
906  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowbits:set,TEST.one; flowbits:noalert; sid:9;)");
907  FAIL_IF_NULL(sig);
908 
910  "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
911  FAIL_IF_NULL(sig);
912 
914  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
915  FAIL_IF_NULL(sig);
916 
918  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
919  FAIL_IF_NULL(sig);
920 
922  "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; priority:2; flowbits:isnotset,TEST.two; sid:13;)");
923  FAIL_IF_NULL(sig);
924 
926  "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowbits:set,TEST.two; sid:14;)");
927  FAIL_IF_NULL(sig);
928 
929  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
930  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
931  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
932  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
933  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
935 
936  sig = de_ctx->sig_list;
937 
938 #ifdef DEBUG
939  while (sig != NULL) {
940  printf("sid: %d\n", sig->id);
941  sig = sig->next;
942  }
943 #endif
944 
945  sig = de_ctx->sig_list;
946 
947  /* pass */
948  FAIL_IF_NOT(sig->id == 6);
949  sig = sig->next;
950  FAIL_IF_NOT(sig->id == 4);
951  sig = sig->next;
952  FAIL_IF_NOT(sig->id == 8);
953  sig = sig->next;
954  FAIL_IF_NOT(sig->id == 7);
955  sig = sig->next;
956  FAIL_IF_NOT(sig->id == 10);
957  sig = sig->next;
958 
959  /* drops */
960  FAIL_IF_NOT(sig->id == 9);
961  sig = sig->next;
962  FAIL_IF_NOT(sig->id == 13);
963  sig = sig->next;
964  FAIL_IF_NOT(sig->id == 2);
965  sig = sig->next;
966  FAIL_IF_NOT(sig->id == 3);
967  sig = sig->next;
968 
969  /* alerts */
970  FAIL_IF_NOT(sig->id == 14);
971  sig = sig->next;
972  FAIL_IF_NOT(sig->id == 5);
973  sig = sig->next;
974  FAIL_IF_NOT(sig->id == 1);
975  sig = sig->next;
976  FAIL_IF_NOT(sig->id == 11);
977  sig = sig->next;
978  FAIL_IF_NOT(sig->id == 12);
979  sig = sig->next;
980 
982  PASS;
983 }
984 
985 static int SCSigOrderingTest03(void)
986 {
987  int result = 0;
988  Signature *prevsig = NULL, *sig = NULL;
989 
991  if (de_ctx == NULL)
992  goto end;
993 
994  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:1;)");
995  if (sig == NULL) {
996  goto end;
997  }
998  prevsig = sig;
999  de_ctx->sig_list = sig;
1000 
1001  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:2;)");
1002  if (sig == NULL) {
1003  goto end;
1004  }
1005  prevsig->next = sig;
1006  prevsig = sig;
1007 
1008  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; flowbits:unset,TEST.one; rev:4; priority:2; sid:3;)");
1009  if (sig == NULL) {
1010  goto end;
1011  }
1012  prevsig->next = sig;
1013  prevsig = sig;
1014 
1015  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; flowbits:isset,TEST.one; rev:4; priority:1; sid:4;)");
1016  if (sig == NULL) {
1017  goto end;
1018  }
1019  prevsig->next = sig;
1020  prevsig = sig;
1021 
1022  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; priority:2; sid:5;)");
1023  if (sig == NULL) {
1024  goto end;
1025  }
1026  prevsig->next = sig;
1027  prevsig = sig;
1028 
1029  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; flowbits:isnotset,TEST.one; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; sid:6;)");
1030  if (sig == NULL) {
1031  goto end;
1032  }
1033  prevsig->next = sig;
1034  prevsig = sig;
1035 
1036  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:unset,TEST.one; rev:4; priority:3; sid:7;)");
1037  if (sig == NULL) {
1038  goto end;
1039  }
1040  prevsig->next = sig;
1041  prevsig = sig;
1042 
1043  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:toggle,TEST.one; rev:4; priority:1; pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1044  if (sig == NULL) {
1045  goto end;
1046  }
1047  prevsig->next = sig;
1048  prevsig = sig;
1049 
1050 
1051  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; rev:4; flowbits:set,TEST.one; flowbits:noalert; pktvar:http_host,\"www.oisf.net\"; sid:9;)");
1052  if (sig == NULL) {
1053  goto end;
1054  }
1055  prevsig->next = sig;
1056  prevsig = sig;
1057 
1058  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1059  if (sig == NULL) {
1060  goto end;
1061  }
1062  prevsig->next = sig;
1063  prevsig = sig;
1064 
1065  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1066  if (sig == NULL) {
1067  goto end;
1068  }
1069  prevsig->next = sig;
1070  prevsig = sig;
1071 
1072  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1073  if (sig == NULL) {
1074  goto end;
1075  }
1076  prevsig->next = sig;
1077  prevsig = sig;
1078 
1079  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:isnotset,TEST.one; sid:13;)");
1080  if (sig == NULL) {
1081  goto end;
1082  }
1083  prevsig->next = sig;
1084  prevsig = sig;
1085 
1086  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:set,TEST.one; sid:14;)");
1087  if (sig == NULL) {
1088  goto end;
1089  }
1090  prevsig->next = sig;
1091  prevsig = sig;
1092 
1093  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1094  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1095  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1096  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1097  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1099 
1100  result = 1;
1101 
1102  sig = de_ctx->sig_list;
1103 
1104 #ifdef DEBUG
1105  while (sig != NULL) {
1106  printf("sid: %d\n", sig->id);
1107  sig = sig->next;
1108  }
1109 #endif
1110 
1111  sig = de_ctx->sig_list;
1112 
1113  result &= (sig->id == 3);
1114  sig = sig->next;
1115  result &= (sig->id == 8);
1116  sig = sig->next;
1117  result &= (sig->id == 9);
1118  sig = sig->next;
1119  result &= (sig->id == 7);
1120  sig = sig->next;
1121  result &= (sig->id == 14);
1122  sig = sig->next;
1123  result &= (sig->id == 6);
1124  sig = sig->next;
1125  result &= (sig->id == 4);
1126  sig = sig->next;
1127  result &= (sig->id == 13);
1128  sig = sig->next;
1129  result &= (sig->id == 2);
1130  sig = sig->next;
1131  result &= (sig->id == 5);
1132  sig = sig->next;
1133  result &= (sig->id == 1);
1134  sig = sig->next;
1135  result &= (sig->id == 10);
1136  sig = sig->next;
1137  result &= (sig->id == 11);
1138  sig = sig->next;
1139  result &= (sig->id == 12);
1140  sig = sig->next;
1141 
1142 end:
1143  if (de_ctx != NULL)
1145  return result;
1146 }
1147 
1148 static int SCSigOrderingTest04(void)
1149 {
1150  int result = 0;
1151  Signature *prevsig = NULL, *sig = NULL;
1152 
1154  if (de_ctx == NULL)
1155  goto end;
1156 
1157  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1158  if (sig == NULL) {
1159  goto end;
1160  }
1161  prevsig = sig;
1162  de_ctx->sig_list = sig;
1163 
1164  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; rev:4; priority:3; sid:2;)");
1165  if (sig == NULL) {
1166  goto end;
1167  }
1168  prevsig->next = sig;
1169  prevsig = sig;
1170 
1171  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1172  if (sig == NULL) {
1173  goto end;
1174  }
1175  prevsig->next = sig;
1176  prevsig = sig;
1177 
1178  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowvar:http_host,\"www.oisf.net\"; sid:4;)");
1179  if (sig == NULL) {
1180  goto end;
1181  }
1182  prevsig->next = sig;
1183  prevsig = sig;
1184 
1185  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1186  if (sig == NULL) {
1187  goto end;
1188  }
1189  prevsig->next = sig;
1190  prevsig = sig;
1191 
1192  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; pktvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:6;)");
1193  if (sig == NULL) {
1194  goto end;
1195  }
1196  prevsig->next = sig;
1197  prevsig = sig;
1198 
1199  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; flowvar:http_host,\"www.oisf.net\"; pktvar:http_host,\"www.oisf.net\"; priority:1; sid:7;)");
1200  if (sig == NULL) {
1201  goto end;
1202  }
1203  prevsig->next = sig;
1204  prevsig = sig;
1205 
1206  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowvar:http_host,\"www.oisf.net\"; sid:8;)");
1207  if (sig == NULL) {
1208  goto end;
1209  }
1210  prevsig->next = sig;
1211  prevsig = sig;
1212 
1213  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowvar:http_host,\"www.oisf.net\"; sid:9;)");
1214  if (sig == NULL) {
1215  goto end;
1216  }
1217  prevsig->next = sig;
1218  prevsig = sig;
1219 
1220  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1221  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1222  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1223  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1224  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1226 
1227  result = 1;
1228 
1229  sig = de_ctx->sig_list;
1230 
1231 #ifdef DEBUG
1232  while (sig != NULL) {
1233  printf("sid: %d\n", sig->id);
1234  sig = sig->next;
1235  }
1236 #endif
1237 
1238  sig = de_ctx->sig_list;
1239 
1240  /* flowvar set */
1241  result &= (sig->id == 2);
1242  sig = sig->next;
1243  result &= (sig->id == 3);
1244  sig = sig->next;
1245  result &= (sig->id == 4);
1246  sig = sig->next;
1247  result &= (sig->id == 7);
1248  sig = sig->next;
1249  result &= (sig->id == 8);
1250  sig = sig->next;
1251  result &= (sig->id == 9);
1252  sig = sig->next;
1253 
1254  /* pktvar */
1255  result &= (sig->id == 5);
1256  sig = sig->next;
1257  result &= (sig->id == 6);
1258  sig = sig->next;
1259 
1260  result &= (sig->id == 1);
1261  sig = sig->next;
1262 
1263 end:
1264  if (de_ctx)
1266  return result;
1267 }
1268 
1269 static int SCSigOrderingTest05(void)
1270 {
1271  int result = 0;
1272  Signature *prevsig = NULL, *sig = NULL;
1273 
1275  if (de_ctx == NULL)
1276  goto end;
1277 
1278  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1279  if (sig == NULL) {
1280  goto end;
1281  }
1282  prevsig = sig;
1283  de_ctx->sig_list = sig;
1284 
1285  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; rev:4; priority:3; sid:2;)");
1286  if (sig == NULL) {
1287  goto end;
1288  }
1289  prevsig->next = sig;
1290  prevsig = sig;
1291 
1292  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1293  if (sig == NULL) {
1294  goto end;
1295  }
1296  prevsig->next = sig;
1297  prevsig = sig;
1298 
1299  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; pktvar:http_host,\"www.oisf.net\"; sid:4;)");
1300  if (sig == NULL) {
1301  goto end;
1302  }
1303  prevsig->next = sig;
1304  prevsig = sig;
1305 
1306  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1307  if (sig == NULL) {
1308  goto end;
1309  }
1310  prevsig->next = sig;
1311  prevsig = sig;
1312 
1313  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:6;)");
1314  if (sig == NULL) {
1315  goto end;
1316  }
1317  prevsig->next = sig;
1318  prevsig = sig;
1319 
1320  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; pktvar:http_host,\"www.oisf.net\"; sid:7;)");
1321  if (sig == NULL) {
1322  goto end;
1323  }
1324  prevsig->next = sig;
1325  prevsig = sig;
1326  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1327  if (sig == NULL) {
1328  goto end;
1329  }
1330  prevsig->next = sig;
1331  prevsig = sig;
1332 
1333 
1334  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1335  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1336  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1337  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1338  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1340 
1341  result = 1;
1342 
1343  sig = de_ctx->sig_list;
1344 
1345  //#ifdef DEBUG
1346  while (sig != NULL) {
1347  printf("sid: %d\n", sig->id);
1348  sig = sig->next;
1349  }
1350  //#endif
1351 
1352  sig = de_ctx->sig_list;
1353 
1354  /* pktvar set */
1355  result &= (sig->id == 2);
1356  sig = sig->next;
1357  result &= (sig->id == 3);
1358  sig = sig->next;
1359  result &= (sig->id == 4);
1360  sig = sig->next;
1361  /* pktvar read */
1362  result &= (sig->id == 7);
1363  sig = sig->next;
1364  result &= (sig->id == 8);
1365  sig = sig->next;
1366 
1367  result &= (sig->id == 1);
1368  sig = sig->next;
1369  result &= (sig->id == 5);
1370  sig = sig->next;
1371  result &= (sig->id == 6);
1372  sig = sig->next;
1373 
1374 end:
1375  if (de_ctx != NULL)
1377  return result;
1378 }
1379 
1380 static int SCSigOrderingTest06(void)
1381 {
1382  int result = 0;
1383  Signature *prevsig = NULL, *sig = NULL;
1384 
1386  if (de_ctx == NULL)
1387  goto end;
1388 
1389  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1390  if (sig == NULL) {
1391  goto end;
1392  }
1393  prevsig = sig;
1394  de_ctx->sig_list = sig;
1395 
1396  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1397  if (sig == NULL) {
1398  goto end;
1399  }
1400  prevsig->next = sig;
1401  prevsig = sig;
1402 
1403  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1404  if (sig == NULL) {
1405  goto end;
1406  }
1407  prevsig->next = sig;
1408  prevsig = sig;
1409 
1410  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1411  if (sig == NULL) {
1412  goto end;
1413  }
1414  prevsig->next = sig;
1415  prevsig = sig;
1416 
1417  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1418  if (sig == NULL) {
1419  goto end;
1420  }
1421  prevsig->next = sig;
1422  prevsig = sig;
1423 
1424  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1425  if (sig == NULL) {
1426  goto end;
1427  }
1428  prevsig->next = sig;
1429  prevsig = sig;
1430 
1431  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1432  if (sig == NULL) {
1433  goto end;
1434  }
1435  prevsig->next = sig;
1436  prevsig = sig;
1437 
1438  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1439  if (sig == NULL) {
1440  goto end;
1441  }
1442  prevsig->next = sig;
1443  prevsig = sig;
1444 
1445  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1446  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1447  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1448  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1449  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1451 
1452 
1453  result = 1;
1454 
1455  sig = de_ctx->sig_list;
1456 
1457 #ifdef DEBUG
1458  while (sig != NULL) {
1459  printf("sid: %d\n", sig->id);
1460  sig = sig->next;
1461  }
1462 #endif
1463 
1464  sig = de_ctx->sig_list;
1465 
1466  result &= (sig->id == 6);
1467  sig = sig->next;
1468  result &= (sig->id == 2);
1469  sig = sig->next;
1470  result &= (sig->id == 4);
1471  sig = sig->next;
1472  result &= (sig->id == 5);
1473  sig = sig->next;
1474  result &= (sig->id == 7);
1475  sig = sig->next;
1476  result &= (sig->id == 8);
1477  sig = sig->next;
1478  result &= (sig->id == 1);
1479  sig = sig->next;
1480  result &= (sig->id == 3);
1481  sig = sig->next;
1482 
1483 
1484 end:
1485  if (de_ctx != NULL)
1487  return result;
1488 }
1489 
1490 static int SCSigOrderingTest07(void)
1491 {
1492  int result = 0;
1493  Signature *prevsig = NULL, *sig = NULL;
1494 
1496  if (de_ctx == NULL)
1497  goto end;
1498 
1499  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1500  if (sig == NULL) {
1501  goto end;
1502  }
1503  prevsig = sig;
1504  de_ctx->sig_list = sig;
1505 
1506  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1507  if (sig == NULL) {
1508  goto end;
1509  }
1510  prevsig->next = sig;
1511  prevsig = sig;
1512 
1513  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1514  if (sig == NULL) {
1515  goto end;
1516  }
1517  prevsig->next = sig;
1518  prevsig = sig;
1519 
1520  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1521  if (sig == NULL) {
1522  goto end;
1523  }
1524  prevsig->next = sig;
1525  prevsig = sig;
1526 
1527  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1528  if (sig == NULL) {
1529  goto end;
1530  }
1531  prevsig->next = sig;
1532  prevsig = sig;
1533 
1534  sig = SigInit(de_ctx, "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1535  if (sig == NULL) {
1536  goto end;
1537  }
1538  prevsig->next = sig;
1539  prevsig = sig;
1540 
1541  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4; priority:2;)");
1542  if (sig == NULL) {
1543  goto end;
1544  }
1545  prevsig->next = sig;
1546  prevsig = sig;
1547 
1548  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1549  if (sig == NULL) {
1550  goto end;
1551  }
1552  prevsig->next = sig;
1553  prevsig = sig;
1554 
1555  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1556  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1557  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1558  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1559  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1561 
1562  result = 1;
1563 
1564  sig = de_ctx->sig_list;
1565 
1566 #ifdef DEBUG
1567  while (sig != NULL) {
1568  printf("sid: %d\n", sig->id);
1569  sig = sig->next;
1570  }
1571 #endif
1572 
1573  sig = de_ctx->sig_list;
1574 
1575  result &= (sig->id == 2);
1576  sig = sig->next;
1577  result &= (sig->id == 4);
1578  sig = sig->next;
1579  result &= (sig->id == 5);
1580  sig = sig->next;
1581  result &= (sig->id == 7);
1582  sig = sig->next;
1583  result &= (sig->id == 6);
1584  sig = sig->next;
1585  result &= (sig->id == 8);
1586  sig = sig->next;
1587  result &= (sig->id == 1);
1588  sig = sig->next;
1589  result &= (sig->id == 3);
1590  sig = sig->next;
1591 
1592 end:
1593  if (de_ctx != NULL)
1595  return result;
1596 }
1597 
1598 /**
1599  * \test Order with a different Action priority
1600  * (as specified from config)
1601  */
1602 static int SCSigOrderingTest08(void)
1603 {
1604 #ifdef HAVE_LIBNET11
1605  int result = 0;
1606  Signature *prevsig = NULL, *sig = NULL;
1607  extern uint8_t action_order_sigs[4];
1608 
1609  /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
1614 
1616  if (de_ctx == NULL)
1617  goto end;
1618 
1619  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1620  if (sig == NULL) {
1621  goto end;
1622  }
1623  prevsig = sig;
1624  de_ctx->sig_list = sig;
1625 
1626  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1627  if (sig == NULL) {
1628  goto end;
1629  }
1630  prevsig->next = sig;
1631  prevsig = sig;
1632 
1633  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1634  if (sig == NULL) {
1635  goto end;
1636  }
1637  prevsig->next = sig;
1638  prevsig = sig;
1639 
1640  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1641  if (sig == NULL) {
1642  goto end;
1643  }
1644  prevsig->next = sig;
1645  prevsig = sig;
1646 
1647  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1648  if (sig == NULL) {
1649  goto end;
1650  }
1651  prevsig->next = sig;
1652  prevsig = sig;
1653 
1654  sig = SigInit(de_ctx, "reject tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1655  if (sig == NULL) {
1656  goto end;
1657  }
1658  prevsig->next = sig;
1659  prevsig = sig;
1660 
1661  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4;)");
1662  if (sig == NULL) {
1663  goto end;
1664  }
1665  prevsig->next = sig;
1666  prevsig = sig;
1667 
1668  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1669  if (sig == NULL) {
1670  goto end;
1671  }
1672  prevsig->next = sig;
1673  prevsig = sig;
1674 
1675  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1676  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1677  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1678  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1679  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1681 
1682  result = 1;
1683 
1684  sig = de_ctx->sig_list;
1685 
1686 #ifdef DEBUG
1687  while (sig != NULL) {
1688  printf("sid: %d\n", sig->id);
1689  sig = sig->next;
1690  }
1691 #endif
1692 
1693  sig = de_ctx->sig_list;
1694 
1695  result &= (sig->id == 6);
1696  sig = sig->next;
1697  result &= (sig->id == 8);
1698  sig = sig->next;
1699  result &= (sig->id == 1);
1700  sig = sig->next;
1701  result &= (sig->id == 3);
1702  sig = sig->next;
1703  result &= (sig->id == 2);
1704  sig = sig->next;
1705  result &= (sig->id == 4);
1706  sig = sig->next;
1707  result &= (sig->id == 5);
1708  sig = sig->next;
1709  result &= (sig->id == 7);
1710  sig = sig->next;
1711 
1712 end:
1713  /* Restore the default pre-order definition */
1718  if (de_ctx != NULL)
1720  return result;
1721 #else
1722  return 1;
1723 #endif
1724 }
1725 
1726 /**
1727  * \test Order with a different Action priority
1728  * (as specified from config)
1729  */
1730 static int SCSigOrderingTest09(void)
1731 {
1732  int result = 0;
1733  Signature *prevsig = NULL, *sig = NULL;
1734  extern uint8_t action_order_sigs[4];
1735 
1736  /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
1741 
1743  if (de_ctx == NULL)
1744  goto end;
1745 
1746  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1;)");
1747  if (sig == NULL) {
1748  goto end;
1749  }
1750  prevsig = sig;
1751  de_ctx->sig_list = sig;
1752 
1753  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; priority:2; sid:2;)");
1754  if (sig == NULL) {
1755  goto end;
1756  }
1757  prevsig->next = sig;
1758  prevsig = sig;
1759 
1760  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:10; depth:4; priority:3; sid:3;)");
1761  if (sig == NULL) {
1762  goto end;
1763  }
1764  prevsig->next = sig;
1765  prevsig = sig;
1766 
1767  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1768  if (sig == NULL) {
1769  goto end;
1770  }
1771  prevsig->next = sig;
1772  prevsig = sig;
1773 
1774  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1775  if (sig == NULL) {
1776  goto end;
1777  }
1778  prevsig->next = sig;
1779  prevsig = sig;
1780 
1781  sig = SigInit(de_ctx, "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1782  if (sig == NULL) {
1783  goto end;
1784  }
1785  prevsig->next = sig;
1786  prevsig = sig;
1787 
1788  sig = SigInit(de_ctx, "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1789  if (sig == NULL) {
1790  goto end;
1791  }
1792  prevsig->next = sig;
1793  prevsig = sig;
1794 
1795  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1796  if (sig == NULL) {
1797  goto end;
1798  }
1799  prevsig->next = sig;
1800  prevsig = sig;
1801 
1802  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1803  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1804  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1805  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1806  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1808 
1809  result = 1;
1810 
1811  sig = de_ctx->sig_list;
1812 
1813 #ifdef DEBUG
1814  while (sig != NULL) {
1815  printf("sid: %d\n", sig->id);
1816  sig = sig->next;
1817  }
1818 #endif
1819 
1820  sig = de_ctx->sig_list;
1821 
1822  result &= (sig->id == 6);
1823  sig = sig->next;
1824  result &= (sig->id == 7);
1825  sig = sig->next;
1826  result &= (sig->id == 8);
1827  sig = sig->next;
1828  result &= (sig->id == 1);
1829  sig = sig->next;
1830  result &= (sig->id == 3);
1831  sig = sig->next;
1832  result &= (sig->id == 2);
1833  sig = sig->next;
1834  result &= (sig->id == 4);
1835  sig = sig->next;
1836  result &= (sig->id == 5);
1837  sig = sig->next;
1838 
1839 end:
1840  /* Restore the default pre-order definition */
1845  if (de_ctx != NULL)
1847  return result;
1848 }
1849 
1850 /**
1851  * \test Order with a different Action priority
1852  * (as specified from config)
1853  */
1854 static int SCSigOrderingTest10(void)
1855 {
1856  int result = 0;
1857  Signature *prevsig = NULL, *sig = NULL;
1858  extern uint8_t action_order_sigs[4];
1859 
1860  /* Let's change the order. Default is pass, drop, reject, alert (pass has highest prio) */
1865 
1867  if (de_ctx == NULL)
1868  goto end;
1869 
1870  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1871  if (sig == NULL) {
1872  goto end;
1873  }
1874  prevsig = sig;
1875  de_ctx->sig_list = sig;
1876 
1877  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1878  if (sig == NULL) {
1879  goto end;
1880  }
1881  prevsig->next = sig;
1882  prevsig = sig;
1883 
1884  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1885  if (sig == NULL) {
1886  goto end;
1887  }
1888  prevsig->next = sig;
1889  prevsig = sig;
1890 
1891  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1892  if (sig == NULL) {
1893  goto end;
1894  }
1895  prevsig->next = sig;
1896  prevsig = sig;
1897 
1898  sig = SigInit(de_ctx, "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1899  if (sig == NULL) {
1900  goto end;
1901  }
1902  prevsig->next = sig;
1903  prevsig = sig;
1904 
1905  sig = SigInit(de_ctx, "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1906  if (sig == NULL) {
1907  goto end;
1908  }
1909  prevsig->next = sig;
1910  prevsig = sig;
1911 
1912  sig = SigInit(de_ctx, "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1913  if (sig == NULL) {
1914  goto end;
1915  }
1916  prevsig->next = sig;
1917  prevsig = sig;
1918 
1919  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1920  if (sig == NULL) {
1921  goto end;
1922  }
1923  prevsig->next = sig;
1924  prevsig = sig;
1925 
1926  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
1927  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
1928  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
1929  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
1930  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
1932 
1933  result = 1;
1934 
1935  sig = de_ctx->sig_list;
1936 
1937 #ifdef DEBUG
1938  while (sig != NULL) {
1939  printf("sid: %d\n", sig->id);
1940  sig = sig->next;
1941  }
1942 #endif
1943 
1944  sig = de_ctx->sig_list;
1945 
1946  result &= (sig->id == 2);
1947  sig = sig->next;
1948  result &= (sig->id == 4);
1949  sig = sig->next;
1950  result &= (sig->id == 5);
1951  sig = sig->next;
1952  result &= (sig->id == 8);
1953  sig = sig->next;
1954  result &= (sig->id == 1);
1955  sig = sig->next;
1956  result &= (sig->id == 3);
1957  sig = sig->next;
1958  result &= (sig->id == 6);
1959  sig = sig->next;
1960  result &= (sig->id == 7);
1961  sig = sig->next;
1962 
1963 end:
1964  /* Restore the default pre-order definition */
1969  if (de_ctx != NULL)
1971  return result;
1972 }
1973 
1974 static int SCSigOrderingTest11(void)
1975 {
1976  int result = 0;
1977  Signature *prevsig = NULL, *sig = NULL;
1978 
1980  if (de_ctx == NULL)
1981  goto end;
1982 
1983  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; flowbits:isnotset,myflow1; rev:4; sid:1;)");
1984  if (sig == NULL) {
1985  goto end;
1986  }
1987  prevsig = sig;
1988  de_ctx->sig_list = sig;
1989 
1990  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering toggle\"; flowbits:toggle,myflow2; rev:4; sid:2;)");
1991  if (sig == NULL) {
1992  goto end;
1993  }
1994  prevsig->next = sig;
1995  prevsig = sig;
1996 
1997  sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; flowbits:isset, myflow1; flowbits:unset,myflow2; rev:4; priority:3; sid:3;)");
1998  if (sig == NULL) {
1999  goto end;
2000  }
2001  prevsig->next = sig;
2002 
2003  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByActionCompare);
2004  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
2005  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowvarCompare);
2006  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPktvarCompare);
2007  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByPriorityCompare);
2009 
2010  result = 1;
2011 
2012  sig = de_ctx->sig_list;
2013 
2014 #ifdef DEBUG
2015  while (sig != NULL) {
2016  printf("sid: %d\n", sig->id);
2017  sig = sig->next;
2018  }
2019 #endif
2020 
2021  sig = de_ctx->sig_list;
2022 
2023  result &= (sig->id == 2);
2024  sig = sig->next;
2025  result &= (sig->id == 3);
2026  sig = sig->next;
2027  result &= (sig->id == 1);
2028  sig = sig->next;
2029 
2030 end:
2031  if (de_ctx != NULL)
2033  return result;
2034 }
2035 
2036 static int SCSigOrderingTest12(void)
2037 {
2038  Signature *sig = NULL;
2039  Packet *p = NULL;
2040  uint8_t buf[] = "test message";
2041  int result = 0;
2042  Flow f;
2043 
2044  FLOW_INITIALIZE(&f);
2045  f.flags |= FLOW_IPV4;
2047  f.proto = IPPROTO_TCP;
2048 
2050  if (de_ctx == NULL)
2051  goto end;
2052  de_ctx->flags |= DE_QUIET;
2053 
2054  const char *sigs[2];
2055  sigs[0] = "alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:isset,one; flowbits:set,two; sid:1;)";
2056  sigs[1] = "alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:set,one; sid:2;)";
2057  UTHAppendSigs(de_ctx, sigs, 2);
2058 
2059  sig = de_ctx->sig_list;
2060  if (sig == NULL)
2061  goto end;
2062  if (sig->next == NULL)
2063  goto end;
2064  if (sig->next->next != NULL)
2065  goto end;
2066  if (de_ctx->signum != 2)
2067  goto end;
2068 
2070  p = UTHBuildPacket(buf, sizeof(buf), IPPROTO_TCP);
2071  if (p == NULL) {
2072  printf("Error building packet.");
2073  goto end;
2074  }
2075  p->flow = &f;
2079 
2080  UTHMatchPackets(de_ctx, &p, 1);
2081 
2082  uint32_t sids[2] = {1, 2};
2083  uint32_t results[2] = {1, 1};
2084  result = UTHCheckPacketMatchResults(p, sids, results, 2);
2085 
2086 end:
2087  if (p != NULL)
2088  SCFree(p);
2089  if (de_ctx != NULL) {
2093  }
2094  FlowShutdown();
2095 
2096  return result;
2097 }
2098 
2099 /** \test Bug 1061 */
2100 static int SCSigOrderingTest13(void)
2101 {
2102  int result = 0;
2103  Signature *sig = NULL;
2104 
2106  if (de_ctx == NULL)
2107  goto end;
2108 
2109  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)");
2110  if (sig == NULL) {
2111  goto end;
2112  }
2113  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:set,bit1; flowbits:set,bit2; sid:7;)");
2114  if (sig == NULL) {
2115  goto end;
2116  }
2117  sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)");
2118  if (sig == NULL) {
2119  goto end;
2120  }
2121 
2122  SCSigRegisterSignatureOrderingFunc(de_ctx, SCSigOrderByFlowbitsCompare);
2124 
2125  result = 1;
2126 
2127 #ifdef DEBUG
2128  sig = de_ctx->sig_list;
2129  while (sig != NULL) {
2130  printf("sid: %d\n", sig->id);
2131  sig = sig->next;
2132  }
2133 #endif
2134 
2135  sig = de_ctx->sig_list;
2136 
2137  result &= (sig->id == 7);
2138  sig = sig->next;
2139  result &= (sig->id == 6);
2140  sig = sig->next;
2141  result &= (sig->id == 5);
2142  sig = sig->next;
2143 
2144 end:
2145  if (de_ctx != NULL)
2147  return result;
2148 }
2149 
2150 #endif
2151 
2153 {
2154 
2155 #ifdef UNITTESTS
2156  UtRegisterTest("SCSigOrderingTest01", SCSigOrderingTest01);
2157  UtRegisterTest("SCSigOrderingTest02", SCSigOrderingTest02);
2158  UtRegisterTest("SCSigOrderingTest03", SCSigOrderingTest03);
2159  UtRegisterTest("SCSigOrderingTest04", SCSigOrderingTest04);
2160  UtRegisterTest("SCSigOrderingTest05", SCSigOrderingTest05);
2161  UtRegisterTest("SCSigOrderingTest06", SCSigOrderingTest06);
2162  UtRegisterTest("SCSigOrderingTest07", SCSigOrderingTest07);
2163  UtRegisterTest("SCSigOrderingTest08", SCSigOrderingTest08);
2164  UtRegisterTest("SCSigOrderingTest09", SCSigOrderingTest09);
2165  UtRegisterTest("SCSigOrderingTest10", SCSigOrderingTest10);
2166  UtRegisterTest("SCSigOrderingTest11", SCSigOrderingTest11);
2167  UtRegisterTest("SCSigOrderingTest12", SCSigOrderingTest12);
2168  UtRegisterTest("SCSigOrderingTest13", SCSigOrderingTest13);
2169 #endif
2170 }
DetectPcreData_::idx
uint8_t idx
Definition: detect-pcre.h:49
FLOWINT_MODIFIER_LE
@ FLOWINT_MODIFIER_LE
Definition: detect-flowint.h:36
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DETECT_FLOWINT_TYPE_SET
#define DETECT_FLOWINT_TYPE_SET
Definition: detect-engine-sigorder.c:60
SC_RADIX_USER_DATA_PKTVAR
@ SC_RADIX_USER_DATA_PKTVAR
Definition: detect-engine-sigorder.h:34
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1109
flow-util.h
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1381
SCSigOrderFunc_::next
struct SCSigOrderFunc_ * next
Definition: detect-engine-sigorder.h:73
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_FLOWINT_TYPE_READ
#define DETECT_FLOWINT_TYPE_READ
Definition: detect-engine-sigorder.c:58
FLOWINT_MODIFIER_GT
@ FLOWINT_MODIFIER_GT
Definition: detect-flowint.h:40
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Flow_::proto
uint8_t proto
Definition: flow.h:365
DETECT_FLOWBITS_CMD_ISNOTSET
#define DETECT_FLOWBITS_CMD_ISNOTSET
Definition: detect-flowbits.h:31
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:449
Flow_
Flow data structure.
Definition: flow.h:347
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2056
results
struct DetectRfbSecresult_ results[]
ActionOrderVal
uint8_t ActionOrderVal(uint8_t action)
Return the priority associated to an action (to order sigs as specified at config) action_order_sigs ...
Definition: util-action.c:53
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
FlowInitConfig
void FlowInitConfig(char quiet)
initialize the configuration
Definition: flow.c:516
DetectFlowintData_
Definition: detect-flowint.h:62
DetectXbitsData_::cmd
uint8_t cmd
Definition: detect-xbits.h:44
FLOWINT_MODIFIER_ISSET
@ FLOWINT_MODIFIER_ISSET
Definition: detect-flowint.h:42
FLOWINT_MODIFIER_SUB
@ FLOWINT_MODIFIER_SUB
Definition: detect-flowint.h:32
DetectFlowbitsData_::cmd
uint8_t cmd
Definition: detect-flowbits.h:38
DETECT_XBITS_TYPE_SET_READ
#define DETECT_XBITS_TYPE_SET_READ
Definition: detect-engine-sigorder.c:64
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
SCSigSignatureWrapper_::next
struct SCSigSignatureWrapper_ * next
Definition: detect-engine-sigorder.h:61
detect-flowint.h
SCSigSignatureOrderingModuleCleanup
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
Definition: detect-engine-sigorder.c:808
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:219
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
DETECT_PKTVAR_TYPE_READ
#define DETECT_PKTVAR_TYPE_READ
Definition: detect-engine-sigorder.c:48
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SCSigRegisterSignatureOrderingTests
void SCSigRegisterSignatureOrderingTests(void)
Definition: detect-engine-sigorder.c:2152
DETECT_FLOWBITS_CMD_TOGGLE
#define DETECT_FLOWBITS_CMD_TOGGLE
Definition: detect-flowbits.h:29
DETECT_FLOWBITS_CMD_ISSET
#define DETECT_FLOWBITS_CMD_ISSET
Definition: detect-flowbits.h:32
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
action_order_sigs
uint8_t action_order_sigs[4]
Definition: util-action.c:40
SCSigSignatureWrapper_::sig
Signature * sig
Definition: detect-engine-sigorder.h:47
detect-pcre.h
FLOWINT_MODIFIER_NOTSET
@ FLOWINT_MODIFIER_NOTSET
Definition: detect-flowint.h:43
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:95
DetectXbitsData_
Definition: detect-xbits.h:42
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DETECT_HOSTBITS
@ DETECT_HOSTBITS
Definition: detect-engine-register.h:88
Signature_::next
struct Signature_ * next
Definition: detect.h:600
DetectFlowbitsData_
Definition: detect-flowbits.h:36
UTHMatchPackets
int UTHMatchPackets(DetectEngineCtx *de_ctx, Packet **p, int num_packets)
Definition: util-unittest-helper.c:770
DETECT_SM_LIST_POSTMATCH
@ DETECT_SM_LIST_POSTMATCH
Definition: detect.h:98
DETECT_FLOWVAR_TYPE_SET
#define DETECT_FLOWVAR_TYPE_SET
Definition: detect-engine-sigorder.c:45
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
detect-xbits.h
DETECT_XBITS_CMD_ISNOTSET
#define DETECT_XBITS_CMD_ISNOTSET
Definition: detect-xbits.h:30
DETECT_XBITS_TYPE_READ
#define DETECT_XBITS_TYPE_READ
Definition: detect-engine-sigorder.c:63
util-debug.h
type
uint8_t type
Definition: decode-icmpv4.h:0
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DETECT_FLOWINT
@ DETECT_FLOWINT
Definition: detect-engine-register.h:84
DETECT_FLOWVAR
@ DETECT_FLOWVAR
Definition: detect-engine-register.h:82
SCSigOrderSignatures
void SCSigOrderSignatures(DetectEngineCtx *de_ctx)
Orders the signatures.
Definition: detect-engine-sigorder.c:728
detect.h
DETECT_FLOWBITS_TYPE_SET_READ
#define DETECT_FLOWBITS_TYPE_SET_READ
Definition: detect-engine-sigorder.c:54
UTHCheckPacketMatchResults
int UTHCheckPacketMatchResults(Packet *p, uint32_t sids[], uint32_t results[], int numsids)
UTHCheckPacketMatches: function to check if a packet match some sids.
Definition: util-unittest-helper.c:647
SCSigSignatureWrapper_
Signature wrapper used by signature ordering module while ordering signatures.
Definition: detect-engine-sigorder.h:45
SCSigRegisterSignatureOrderingFuncs
void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx)
Lets you register the Signature ordering functions. The order in which the functions are registered,...
Definition: detect-engine-sigorder.c:788
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:324
FLOWINT_MODIFIER_GE
@ FLOWINT_MODIFIER_GE
Definition: detect-flowint.h:39
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
DETECT_XBITS_NOT_USED
#define DETECT_XBITS_NOT_USED
Definition: detect-engine-sigorder.c:62
DETECT_XBITS
@ DETECT_XBITS
Definition: detect-engine-register.h:236
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:282
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1953
Signature_::action
uint8_t action
Definition: detect.h:541
FLOWINT_MODIFIER_LT
@ FLOWINT_MODIFIER_LT
Definition: detect-flowint.h:35
DETECT_FLOWVAR_TYPE_READ
#define DETECT_FLOWVAR_TYPE_READ
Definition: detect-engine-sigorder.c:43
DetectXbitsData_::type
enum VarTypes type
Definition: detect-xbits.h:48
FLOWINT_MODIFIER_EQ
@ FLOWINT_MODIFIER_EQ
Definition: detect-flowint.h:37
DETECT_PKTVAR_NOT_USED
#define DETECT_PKTVAR_NOT_USED
Definition: detect-engine-sigorder.c:47
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
Packet_
Definition: decode.h:414
SCSigOrderFunc_
Structure holding the signature ordering function used by the signature ordering module.
Definition: detect-engine-sigorder.h:69
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:597
DetectFlowintData_::modifier
uint8_t modifier
Definition: detect-flowint.h:71
DETECT_FLOWBITS_NOT_USED
#define DETECT_FLOWBITS_NOT_USED
Definition: detect-engine-sigorder.c:52
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:522
util-action.h
DETECT_PKTVAR_TYPE_SET
#define DETECT_PKTVAR_TYPE_SET
Definition: detect-engine-sigorder.c:50
detect-flowbits.h
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:61
SC_RADIX_USER_DATA_IPPAIRBITS
@ SC_RADIX_USER_DATA_IPPAIRBITS
Definition: detect-engine-sigorder.h:37
FLOWINT_MODIFIER_SET
@ FLOWINT_MODIFIER_SET
Definition: detect-flowint.h:30
SC_RADIX_USER_DATA_FLOWBITS
@ SC_RADIX_USER_DATA_FLOWBITS
Definition: detect-engine-sigorder.h:32
DetectPcreData_::captypes
uint8_t captypes[DETECT_PCRE_CAPTURE_MAX]
Definition: detect-pcre.h:50
SigMatch_::type
uint8_t type
Definition: detect.h:321
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2361
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
FLOWINT_MODIFIER_ADD
@ FLOWINT_MODIFIER_ADD
Definition: detect-flowint.h:31
suricata-common.h
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:644
DETECT_FLOWINT_NOT_USED
#define DETECT_FLOWINT_NOT_USED
Definition: detect-engine-sigorder.c:57
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DETECT_FLOWINT_TYPE_SET_READ
#define DETECT_FLOWINT_TYPE_SET_READ
Definition: detect-engine-sigorder.c:59
FLOWINT_MODIFIER_NE
@ FLOWINT_MODIFIER_NE
Definition: detect-flowint.h:38
FatalError
#define FatalError(x,...)
Definition: util-debug.h:532
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:773
DETECT_FLOWBITS
@ DETECT_FLOWBITS
Definition: detect-engine-register.h:87
Signature_::prio
int prio
Definition: detect.h:564
DETECT_XBITS_TYPE_SET
#define DETECT_XBITS_TYPE_SET
Definition: detect-engine-sigorder.c:65
VAR_TYPE_HOST_BIT
@ VAR_TYPE_HOST_BIT
Definition: util-var.h:39
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCSigOrderFunc_::SWCompare
int(* SWCompare)(SCSigSignatureWrapper *sw1, SCSigSignatureWrapper *sw2)
Definition: detect-engine-sigorder.h:71
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DETECT_FLOWVAR_TYPE_SET_READ
#define DETECT_FLOWVAR_TYPE_SET_READ
Definition: detect-engine-sigorder.c:44
SC_ERR_FATAL
@ SC_ERR_FATAL
Definition: util-error.h:203
Signature_::id
uint32_t id
Definition: detect.h:561
DETECT_FLOWBITS_CMD_UNSET
#define DETECT_FLOWBITS_CMD_UNSET
Definition: detect-flowbits.h:30
Flow_::flags
uint32_t flags
Definition: flow.h:421
detect-parse.h
Signature_
Signature container.
Definition: detect.h:528
SigMatch_
a single match condition for a signature
Definition: detect.h:320
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:37
DETECT_PKTVAR_TYPE_SET_READ
#define DETECT_PKTVAR_TYPE_SET_READ
Definition: detect-engine-sigorder.c:49
DETECT_XBITS_CMD_ISSET
#define DETECT_XBITS_CMD_ISSET
Definition: detect-xbits.h:31
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:221
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
SC_RADIX_USER_DATA_FLOWINT
@ SC_RADIX_USER_DATA_FLOWINT
Definition: detect-engine-sigorder.h:35
VarTypes
VarTypes
Definition: util-var.h:27
SCSigSignatureWrapper_::user
int user[SC_RADIX_USER_DATA_MAX]
Definition: detect-engine-sigorder.h:59
DetectPcreData_
Definition: detect-pcre.h:39
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:39
DETECT_XBITS_CMD_SET
#define DETECT_XBITS_CMD_SET
Definition: detect-xbits.h:27
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:768
UTHAppendSigs
int UTHAppendSigs(DetectEngineCtx *de_ctx, const char *sigs[], int numsigs)
UTHAppendSigs: Add sigs to the detection_engine checking for errors.
Definition: util-unittest-helper.c:681
DETECT_XBITS_CMD_TOGGLE
#define DETECT_XBITS_CMD_TOGGLE
Definition: detect-xbits.h:28
Signature_::msg
char * msg
Definition: detect.h:586
DETECT_XBITS_CMD_UNSET
#define DETECT_XBITS_CMD_UNSET
Definition: detect-xbits.h:29
VAR_TYPE_IPPAIR_BIT
@ VAR_TYPE_IPPAIR_BIT
Definition: util-var.h:43
SC_RADIX_USER_DATA_HOSTBITS
@ SC_RADIX_USER_DATA_HOSTBITS
Definition: detect-engine-sigorder.h:36
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SC_RADIX_USER_DATA_FLOWVAR
@ SC_RADIX_USER_DATA_FLOWVAR
Definition: detect-engine-sigorder.h:33
DETECT_FLOWBITS_TYPE_SET
#define DETECT_FLOWBITS_TYPE_SET
Definition: detect-engine-sigorder.c:55
DetectEngineCtx_::signum
uint32_t signum
Definition: detect.h:786
DETECT_FLOWVAR_NOT_USED
#define DETECT_FLOWVAR_NOT_USED
Definition: detect-engine-sigorder.c:42
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:32
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1107
DetectEngineCtx_::sc_sig_order_funcs
struct SCSigOrderFunc_ * sc_sig_order_funcs
Definition: detect.h:793
DETECT_FLOWBITS_CMD_SET
#define DETECT_FLOWBITS_CMD_SET
Definition: detect-flowbits.h:28
DETECT_PKTVAR
@ DETECT_PKTVAR
Definition: detect-engine-register.h:85
DETECT_FLOWBITS_TYPE_READ
#define DETECT_FLOWBITS_TYPE_READ
Definition: detect-engine-sigorder.c:53