/*
 * Usage classes for the stateful rule keywords. Each of the five families
 * below (flowvar, pktvar, flowbits, flowint, xbits) defines the same four
 * codes with the same numeric values, 1 (NOT_USED) through 4 (TYPE_SET).
 *
 * NOTE(review): the SCSigGet*Type() helpers in this file branch on read/write
 * counters before returning a *_user_type value, presumably one of these
 * codes (READ for read-only, SET for write-only, SET_READ for both). The
 * assignments themselves are not visible in this listing -- confirm there.
 *
 * NOTE(review): the numeric order (SET > SET_READ > READ > NOT_USED) looks
 * deliberate, presumably so the SCSigOrderBy*Compare functions can place
 * rules that set state ahead of rules that only test it. If so, renumbering
 * any family changes rule evaluation order and can stop dependent rules from
 * matching -- confirm against the compare functions before touching values.
 */

/* flowvar keyword usage classes */
43 #define DETECT_FLOWVAR_NOT_USED 1
44 #define DETECT_FLOWVAR_TYPE_READ 2
45 #define DETECT_FLOWVAR_TYPE_SET_READ 3
46 #define DETECT_FLOWVAR_TYPE_SET 4
/* pktvar keyword usage classes */
48 #define DETECT_PKTVAR_NOT_USED 1
49 #define DETECT_PKTVAR_TYPE_READ 2
50 #define DETECT_PKTVAR_TYPE_SET_READ 3
51 #define DETECT_PKTVAR_TYPE_SET 4
/* flowbits keyword usage classes */
53 #define DETECT_FLOWBITS_NOT_USED 1
54 #define DETECT_FLOWBITS_TYPE_READ 2
55 #define DETECT_FLOWBITS_TYPE_SET_READ 3
56 #define DETECT_FLOWBITS_TYPE_SET 4
/* flowint keyword usage classes */
58 #define DETECT_FLOWINT_NOT_USED 1
59 #define DETECT_FLOWINT_TYPE_READ 2
60 #define DETECT_FLOWINT_TYPE_SET_READ 3
61 #define DETECT_FLOWINT_TYPE_SET 4
/* xbits keyword usage classes */
63 #define DETECT_XBITS_NOT_USED 1
64 #define DETECT_XBITS_TYPE_READ 2
65 #define DETECT_XBITS_TYPE_SET_READ 3
66 #define DETECT_XBITS_TYPE_SET 4
91 while (curr != NULL) {
101 FatalError(
"Fatal error encountered in SCSigRegisterSignatureOrderingFunc. Exiting...");
130 static inline int SCSigGetFlowbitsType(
Signature *sig)
172 if (read > 0 && write == 0) {
174 }
else if (read == 0 && write > 0) {
176 }
else if (read > 0 && write > 0) {
180 SCLogDebug(
"Sig %s typeval %d", sig->
msg, flowbits_user_type);
182 return flowbits_user_type;
185 static inline int SCSigGetFlowintType(
Signature *sig)
233 if (read > 0 && write == 0) {
235 }
else if (read == 0 && write > 0) {
237 }
else if (read > 0 && write > 0) {
241 SCLogDebug(
"Sig %s typeval %d", sig->
msg, flowint_user_type);
243 return flowint_user_type;
260 static inline int SCSigGetFlowvarType(
Signature *sig)
272 for (x = 0; x < pd->
idx; x++) {
293 if (read > 0 && write == 0) {
295 }
else if (read == 0 && write > 0) {
297 }
else if (read > 0 && write > 0) {
318 static inline int SCSigGetPktvarType(
Signature *sig)
330 for (x = 0; x < pd->
idx; x++) {
351 if (read > 0 && write == 0) {
353 }
else if (read == 0 && write > 0) {
355 }
else if (read > 0 && write > 0) {
422 if (read > 0 && write == 0) {
424 }
else if (read == 0 && write > 0) {
426 }
else if (read > 0 && write > 0) {
432 return xbits_user_type;
507 while (funcs != NULL) {
554 subA = SCSigOrder(subA, cmp_func_list);
555 subB = SCSigOrder(subB, cmp_func_list);
558 while (subA != NULL && subB != NULL) {
559 if (SCSigLessThan(subA, subB, cmp_func_list)) {
568 if (result == NULL) {
579 else if (subB == NULL)
712 SCSigProcessUserDataForFlowbits(sw);
713 SCSigProcessUserDataForFlowvar(sw);
714 SCSigProcessUserDataForFlowint(sw);
715 SCSigProcessUserDataForPktvar(sw);
716 SCSigProcessUserDataForHostbits(sw);
717 SCSigProcessUserDataForIPPairbits(sw);
739 while (sig != NULL) {
740 sigw = SCSigAllocSignatureWrapper(sig);
742 sigw->
next = sigw_list;
754 SCLogDebug(
"Total Signatures to be processed by the"
755 "sigordering module: %d", i);
763 while (sigw != NULL) {
781 SCLogDebug(
"total signatures reordered by the sigordering module: %d", i);
797 SCLogDebug(
"registering signature ordering functions");
799 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
800 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
801 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowintCompare);
802 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
803 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
804 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByHostbitsCompare);
805 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByIPPairbitsCompare);
806 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
822 while (funcs != NULL) {
839 static int SCSigOrderingTest01(
void)
847 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
848 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
849 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
850 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
851 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
852 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
853 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
854 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
855 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
856 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
857 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
860 while (temp != NULL) {
872 static int SCSigOrderingTest02(
void)
880 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
884 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:2;)");
888 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:3;)");
892 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; flowvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:4;)");
896 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:5;)");
900 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:6;)");
904 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:7;)");
908 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
912 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowbits:set,TEST.one; flowbits:noalert; sid:9;)");
916 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
920 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
924 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
928 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; priority:2; flowbits:isnotset,TEST.two; sid:13;)");
932 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowbits:set,TEST.two; sid:14;)");
935 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
936 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
937 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
938 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
939 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
945 while (sig != NULL) {
946 printf(
"sid: %d\n", sig->
id);
991 static int SCSigOrderingTest03(
void)
999 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1000 "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:1;)");
1004 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1005 "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:2;)");
1009 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1010 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; "
1011 "flowbits:unset,TEST.one; rev:4; priority:2; sid:3;)");
1015 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1016 "offset:0; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1017 "flowbits:isset,TEST.one; rev:4; priority:1; sid:4;)");
1021 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1022 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; priority:2; sid:5;)");
1026 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1027 "content:\"220\"; offset:10; flowbits:isnotset,TEST.one; pcre:\"/^User-Agent: "
1028 "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; sid:6;)");
1032 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1033 "content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; "
1034 "flowbits:unset,TEST.one; rev:4; priority:3; sid:7;)");
1038 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1039 "offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:toggle,TEST.one; rev:4; priority:1; "
1040 "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1044 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1045 "content:\"220\"; offset:10; depth:4; rev:4; flowbits:set,TEST.one; "
1046 "flowbits:noalert; pktvar:http_host,\"www.oisf.net\"; sid:9;)");
1050 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1051 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1055 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1056 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1060 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1061 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1065 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1066 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:isnotset,TEST.one; sid:13;)");
1070 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1071 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:set,TEST.one; sid:14;)");
1074 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1075 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1076 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1077 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1078 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1084 while (sig != NULL) {
1085 printf(
"sid: %d\n", sig->
id);
1128 static int SCSigOrderingTest04(
void)
1137 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1138 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1142 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1143 "pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1144 "offset:10; rev:4; priority:3; sid:2;)");
1148 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1149 "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1150 "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1154 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1155 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; "
1156 "priority:3; flowvar:http_host,\"www.oisf.net\"; sid:4;)");
1160 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1161 "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1162 "pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1166 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1167 "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1168 "pktvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:6;)");
1172 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1173 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; flowvar:http_host,\"www.oisf.net\"; "
1174 "pktvar:http_host,\"www.oisf.net\"; priority:1; sid:7;)");
1178 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1179 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1180 "flowvar:http_host,\"www.oisf.net\"; sid:8;)");
1184 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1185 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1186 "flowvar:http_host,\"www.oisf.net\"; sid:9;)");
1189 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1190 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1191 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1192 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1193 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1199 while (sig != NULL) {
1200 printf(
"sid: %d\n", sig->
id);
1235 static int SCSigOrderingTest05(
void)
1243 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1244 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1248 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1249 "pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1250 "offset:10; rev:4; priority:3; sid:2;)");
1254 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1255 "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1256 "(?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1260 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1261 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; "
1262 "priority:3; pktvar:http_host,\"www.oisf.net\"; sid:4;)");
1266 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1267 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1271 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1272 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:6;)");
1276 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1277 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1278 "pktvar:http_host,\"www.oisf.net\"; sid:7;)");
1282 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1283 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; "
1284 "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1287 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1288 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1289 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1290 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1291 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1297 while (sig != NULL) {
1298 printf(
"sid: %d\n", sig->
id);
1329 static int SCSigOrderingTest06(
void)
1338 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1339 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1343 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1344 "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1348 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1349 "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1353 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1354 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1358 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1359 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1363 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1364 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1367 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1368 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1372 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1373 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1376 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1377 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1378 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1379 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1380 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1386 while (sig != NULL) {
1387 printf(
"sid: %d\n", sig->
id);
1415 static int SCSigOrderingTest07(
void)
1424 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1425 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1429 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1430 "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1434 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1435 "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1439 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1440 "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1444 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1445 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1449 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1450 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1454 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1455 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4; priority:2;)");
1459 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1460 "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1463 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1464 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1465 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1466 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1467 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1473 while (sig != NULL) {
1474 printf(
"sid: %d\n", sig->
id);
1507 static int SCSigOrderingTest08(
void)
1509 #ifdef HAVE_LIBNET11
1524 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1525 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1529 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1530 "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1534 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1535 "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1539 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1540 "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1544 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1545 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1549 "reject tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1550 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1554 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; "
1555 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4;)");
1559 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1560 "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1563 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1564 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1565 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1566 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1567 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1573 while (sig != NULL) {
1574 printf(
"sid: %d\n", sig->
id);
1614 static int SCSigOrderingTest09(
void)
1630 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1631 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1;)");
1635 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1636 "content:\"220\"; offset:10; priority:2; sid:2;)");
1640 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1641 "content:\"220\"; offset:10; depth:4; priority:3; sid:3;)");
1645 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1646 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1650 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1651 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1655 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1656 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1660 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1661 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1665 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1666 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1669 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1670 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1671 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1672 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1673 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1679 while (sig != NULL) {
1680 printf(
"sid: %d\n", sig->
id);
1718 static int SCSigOrderingTest10(
void)
1734 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1735 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1739 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1740 "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1744 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1745 "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1749 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1750 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1754 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1755 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1759 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1760 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1764 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1765 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1769 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1770 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1773 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1774 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1775 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1776 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1777 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1783 while (sig != NULL) {
1784 printf(
"sid: %d\n", sig->
id);
1818 static int SCSigOrderingTest11(
void)
1827 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; "
1828 "flowbits:isnotset,myflow1; rev:4; sid:1;)");
1832 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering toggle\"; "
1833 "flowbits:toggle,myflow2; rev:4; sid:2;)");
1837 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; "
1838 "flowbits:isset, myflow1; flowbits:unset,myflow2; rev:4; priority:3; sid:3;)");
1841 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1842 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1843 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1844 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1845 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1851 while (sig != NULL) {
1852 printf(
"sid: %d\n", sig->
id);
1870 static int SCSigOrderingTest12(
void)
1874 uint8_t buf[] =
"test message";
1880 f.
proto = IPPROTO_TCP;
1886 const char *sigs[2];
1887 sigs[0] =
"alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:isset,one; flowbits:set,two; sid:1;)";
1888 sigs[1] =
"alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:set,one; sid:2;)";
1908 uint32_t sids[2] = {1, 2};
1922 static int SCSigOrderingTest13(
void)
1930 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)");
1934 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)");
1937 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1942 while (sig != NULL) {
1943 printf(
"sid: %d\n", sig->
id);