/*
 * Usage classes for the stateful rule keywords (flowvar, pktvar, flowbits,
 * flowint, xbits). Every family uses the same four values:
 *   NOT_USED = 1, TYPE_READ = 2, TYPE_SET_READ = 3, TYPE_SET = 4.
 *
 * The SCSigGet*Type() helpers in this file branch on read/write counters
 * and return a per-family "user type" value.
 * NOTE(review): the assignments inside those branches are not visible in
 * this listing; presumably read-only -> TYPE_READ, write-only -> TYPE_SET,
 * both -> TYPE_SET_READ, neither -> NOT_USED. Confirm against the full file.
 * NOTE(review): if the ordering comparators compare these numerically, the
 * larger values (setters) would sort ahead of readers, so a rule that sets
 * state is evaluated before a rule that tests it. Confirm before renumbering:
 * a changed value could silently reorder rules and cause missed matches.
 */

/* flowvar usage classes */
44 #define DETECT_FLOWVAR_NOT_USED 1
45 #define DETECT_FLOWVAR_TYPE_READ 2
46 #define DETECT_FLOWVAR_TYPE_SET_READ 3
47 #define DETECT_FLOWVAR_TYPE_SET 4
/* pktvar usage classes */
49 #define DETECT_PKTVAR_NOT_USED 1
50 #define DETECT_PKTVAR_TYPE_READ 2
51 #define DETECT_PKTVAR_TYPE_SET_READ 3
52 #define DETECT_PKTVAR_TYPE_SET 4
/* flowbits usage classes */
54 #define DETECT_FLOWBITS_NOT_USED 1
55 #define DETECT_FLOWBITS_TYPE_READ 2
56 #define DETECT_FLOWBITS_TYPE_SET_READ 3
57 #define DETECT_FLOWBITS_TYPE_SET 4
/* flowint usage classes */
59 #define DETECT_FLOWINT_NOT_USED 1
60 #define DETECT_FLOWINT_TYPE_READ 2
61 #define DETECT_FLOWINT_TYPE_SET_READ 3
62 #define DETECT_FLOWINT_TYPE_SET 4
/* xbits usage classes; NOTE(review): presumably shared by the hostbits and
 * ippairbits orderings registered later in this file. Confirm. */
64 #define DETECT_XBITS_NOT_USED 1
65 #define DETECT_XBITS_TYPE_READ 2
66 #define DETECT_XBITS_TYPE_SET_READ 3
67 #define DETECT_XBITS_TYPE_SET 4
92 while (curr != NULL) {
102 FatalError(
"Fatal error encountered in SCSigRegisterSignatureOrderingFunc. Exiting...");
131 static inline int SCSigGetFlowbitsType(
Signature *sig)
173 if (read > 0 && write == 0) {
175 }
else if (read == 0 && write > 0) {
177 }
else if (read > 0 && write > 0) {
181 SCLogDebug(
"Sig %s typeval %d", sig->
msg, flowbits_user_type);
183 return flowbits_user_type;
186 static inline int SCSigGetFlowintType(
Signature *sig)
234 if (read > 0 && write == 0) {
236 }
else if (read == 0 && write > 0) {
238 }
else if (read > 0 && write > 0) {
242 SCLogDebug(
"Sig %s typeval %d", sig->
msg, flowint_user_type);
244 return flowint_user_type;
261 static inline int SCSigGetFlowvarType(
Signature *sig)
273 for (x = 0; x < pd->
idx; x++) {
294 if (read > 0 && write == 0) {
296 }
else if (read == 0 && write > 0) {
298 }
else if (read > 0 && write > 0) {
319 static inline int SCSigGetPktvarType(
Signature *sig)
331 for (x = 0; x < pd->
idx; x++) {
352 if (read > 0 && write == 0) {
354 }
else if (read == 0 && write > 0) {
356 }
else if (read > 0 && write > 0) {
423 if (read > 0 && write == 0) {
425 }
else if (read == 0 && write > 0) {
427 }
else if (read > 0 && write > 0) {
433 return xbits_user_type;
508 while (funcs != NULL) {
559 subA = SCSigOrder(subA, cmp_func_list);
560 subB = SCSigOrder(subB, cmp_func_list);
565 while (subA != NULL && subB != NULL) {
566 if (SCSigLessThan(subA, subB, cmp_func_list)) {
575 if (result == NULL) {
586 else if (subB == NULL)
719 SCSigProcessUserDataForFlowbits(sw);
720 SCSigProcessUserDataForFlowvar(sw);
721 SCSigProcessUserDataForFlowint(sw);
722 SCSigProcessUserDataForPktvar(sw);
723 SCSigProcessUserDataForHostbits(sw);
724 SCSigProcessUserDataForIPPairbits(sw);
751 while (sig != NULL) {
752 sigw = SCSigAllocSignatureWrapper(sig);
754 sigw->
next = sigw_list;
766 SCLogDebug(
"Total Signatures to be processed by the"
767 "sigordering module: %d", i);
775 while (sigw != NULL) {
793 SCLogDebug(
"total signatures reordered by the sigordering module: %d", i);
809 SCLogDebug(
"registering signature ordering functions");
/*
 * Comparators are registered in this sequence: action, flowbits, flowint,
 * flowvar, pktvar, hostbits, ippairbits, priority.
 * NOTE(review): presumably an earlier registration takes precedence when
 * signatures are sorted, which would make the rule action the primary key
 * and priority only the final tie-breaker. Confirm against
 * SCSigRegisterSignatureOrderingFunc() and SCSigLessThan(), whose bodies
 * are not shown in this listing.
 * The unit tests visible in this listing never register the flowint,
 * hostbits or ippairbits comparators, so none of them exercises this exact
 * eight-comparator chain.
 */
811 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
812 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
813 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowintCompare);
814 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
815 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
816 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByHostbitsCompare);
817 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByIPPairbitsCompare);
818 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
834 while (funcs != NULL) {
851 static int SCSigOrderingTest01(
void)
859 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
860 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
861 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
862 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
863 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
864 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
865 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
866 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
867 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
868 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
869 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
872 while (temp != NULL) {
884 static int SCSigOrderingTest02(
void)
892 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
896 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:2;)");
900 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:3;)");
904 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; flowvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:4;)");
908 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:5;)");
912 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:6;)");
916 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:7;)");
920 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
924 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; flowbits:set,TEST.one; flowbits:noalert; sid:9;)");
928 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
932 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
936 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
940 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; pktvar:http_host,\"www.oisf.net\"; priority:2; flowbits:isnotset,TEST.two; sid:13;)");
944 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; flowbits:set,TEST.two; sid:14;)");
947 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
948 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
949 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
950 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
951 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
957 while (sig != NULL) {
958 printf(
"sid: %d\n", sig->
id);
1003 static int SCSigOrderingTest03(
void)
1011 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1012 "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:1;)");
1016 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1017 "offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:2;)");
1021 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1022 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; "
1023 "flowbits:unset,TEST.one; rev:4; priority:2; sid:3;)");
1027 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1028 "offset:0; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1029 "flowbits:isset,TEST.one; rev:4; priority:1; sid:4;)");
1033 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1034 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; priority:2; sid:5;)");
1038 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1039 "content:\"220\"; offset:10; flowbits:isnotset,TEST.one; pcre:\"/^User-Agent: "
1040 "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; sid:6;)");
1044 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1045 "content:\"220\"; offset:10; depth:4; pcre:\"/220[- ]/\"; "
1046 "flowbits:unset,TEST.one; rev:4; priority:3; sid:7;)");
1050 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1051 "offset:10; depth:4; pcre:\"/220[- ]/\"; flowbits:toggle,TEST.one; rev:4; priority:1; "
1052 "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1056 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1057 "content:\"220\"; offset:10; depth:4; rev:4; flowbits:set,TEST.one; "
1058 "flowbits:noalert; pktvar:http_host,\"www.oisf.net\"; sid:9;)");
1062 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1063 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:10;)");
1067 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1068 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:11;)");
1072 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1073 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:12;)");
1077 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1078 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:isnotset,TEST.one; sid:13;)");
1082 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1083 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; flowbits:set,TEST.one; sid:14;)");
1086 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1087 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1088 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1089 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1090 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1096 while (sig != NULL) {
1097 printf(
"sid: %d\n", sig->
id);
1140 static int SCSigOrderingTest04(
void)
1149 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1150 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1154 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1155 "pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1156 "offset:10; rev:4; priority:3; sid:2;)");
1160 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1161 "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1162 "(?P<flow_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1166 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1167 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<flow_http_host>.*)\\r\\n/m\"; rev:4; "
1168 "priority:3; flowvar:http_host,\"www.oisf.net\"; sid:4;)");
1172 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1173 "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1174 "pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1178 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1179 "offset:11; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; "
1180 "pktvar:http_host,\"www.oisf.net\"; rev:4; priority:1; sid:6;)");
1184 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1185 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; flowvar:http_host,\"www.oisf.net\"; "
1186 "pktvar:http_host,\"www.oisf.net\"; priority:1; sid:7;)");
1190 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1191 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1192 "flowvar:http_host,\"www.oisf.net\"; sid:8;)");
1196 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1197 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1198 "flowvar:http_host,\"www.oisf.net\"; sid:9;)");
1201 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1202 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1203 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1204 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1205 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1211 while (sig != NULL) {
1212 printf(
"sid: %d\n", sig->
id);
1247 static int SCSigOrderingTest05(
void)
1255 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1256 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1260 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1261 "pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; content:\"220\"; "
1262 "offset:10; rev:4; priority:3; sid:2;)");
1266 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1267 "content:\"220\"; offset:10; depth:4; pcre:\"/^User-Agent: "
1268 "(?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; priority:3; sid:3;)");
1272 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1273 "offset:10; depth:4; pcre:\"/^User-Agent: (?P<pkt_http_host>.*)\\r\\n/m\"; rev:4; "
1274 "priority:3; pktvar:http_host,\"www.oisf.net\"; sid:4;)");
1278 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1279 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:3; sid:5;)");
1283 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1284 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:6;)");
1288 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1289 "content:\"220\"; offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; "
1290 "pktvar:http_host,\"www.oisf.net\"; sid:7;)");
1294 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1295 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; "
1296 "pktvar:http_host,\"www.oisf.net\"; sid:8;)");
1299 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1300 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1301 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1302 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1303 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1309 while (sig != NULL) {
1310 printf(
"sid: %d\n", sig->
id);
1341 static int SCSigOrderingTest06(
void)
1350 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1351 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1355 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1356 "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1360 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1361 "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1365 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; "
1366 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1370 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1371 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1375 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1376 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1379 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1380 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1384 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering\"; content:\"220\"; "
1385 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1388 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1389 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1390 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1391 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1392 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1398 while (sig != NULL) {
1399 printf(
"sid: %d\n", sig->
id);
1427 static int SCSigOrderingTest07(
void)
1436 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1437 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1441 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1442 "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1446 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1447 "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1451 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1452 "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1456 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1457 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1461 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1462 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1466 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1467 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4; priority:2;)");
1471 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1472 "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1475 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1476 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1477 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1478 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1479 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1485 while (sig != NULL) {
1486 printf(
"sid: %d\n", sig->
id);
1519 static int SCSigOrderingTest08(
void)
1521 #ifdef HAVE_LIBNET11
1536 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1537 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1; rev:4;)");
1541 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1542 "content:\"220\"; offset:10; sid:2; rev:4; priority:2;)");
1546 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1547 "content:\"220\"; offset:10; depth:4; sid:3; rev:4; priority:3;)");
1551 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1552 "content:\"220\"; offset:10; depth:4; sid:4; rev:4; priority:2;)");
1556 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1557 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:5; rev:4; priority:2;)");
1561 "reject tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1562 "offset:11; depth:4; pcre:\"/220[- ]/\"; sid:6; rev:4; priority:1;)");
1566 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; "
1567 "content:\"220\"; offset:11; depth:4; pcre:\"/220[- ]/\"; sid:7; rev:4;)");
1571 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1572 "offset:12; depth:4; pcre:\"/220[- ]/\"; sid:8; rev:4; priority:2;)");
1575 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1576 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1577 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1578 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1579 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1585 while (sig != NULL) {
1586 printf(
"sid: %d\n", sig->
id);
1626 static int SCSigOrderingTest09(
void)
1642 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1643 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:1;)");
1647 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1648 "content:\"220\"; offset:10; priority:2; sid:2;)");
1652 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1653 "content:\"220\"; offset:10; depth:4; priority:3; sid:3;)");
1657 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1658 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1662 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1663 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1667 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1668 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1672 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1673 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1677 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1678 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1681 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1682 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1683 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1684 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1685 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1691 while (sig != NULL) {
1692 printf(
"sid: %d\n", sig->
id);
1730 static int SCSigOrderingTest10(
void)
1746 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1747 "content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; rev:4; sid:1;)");
1751 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1752 "content:\"220\"; offset:10; rev:4; priority:2; sid:2;)");
1756 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; "
1757 "content:\"220\"; offset:10; depth:4; rev:4; priority:3; sid:3;)");
1761 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; "
1762 "content:\"220\"; offset:10; depth:4; rev:4; priority:2; sid:4;)");
1766 "pass tcp any !21:902 -> any any (msg:\"Testing sigordering pass\"; content:\"220\"; "
1767 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:5;)");
1771 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering drop\"; content:\"220\"; "
1772 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:1; sid:6;)");
1776 "drop tcp any !21:902 -> any any (msg:\"Testing sigordering reject\"; content:\"220\"; "
1777 "offset:11; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:7;)");
1781 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering alert\"; content:\"220\"; "
1782 "offset:12; depth:4; pcre:\"/220[- ]/\"; rev:4; priority:2; sid:8;)");
1785 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1786 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1787 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1788 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1789 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1795 while (sig != NULL) {
1796 printf(
"sid: %d\n", sig->
id);
1830 static int SCSigOrderingTest11(
void)
1839 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering set\"; "
1840 "flowbits:isnotset,myflow1; rev:4; sid:1;)");
1844 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering toggle\"; "
1845 "flowbits:toggle,myflow2; rev:4; sid:2;)");
1849 "alert tcp any !21:902 -> any any (msg:\"Testing sigordering unset\"; "
1850 "flowbits:isset, myflow1; flowbits:unset,myflow2; rev:4; priority:3; sid:3;)");
1853 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByActionCompare);
1854 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1855 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowvarCompare);
1856 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPktvarCompare);
1857 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByPriorityCompare);
1863 while (sig != NULL) {
1864 printf(
"sid: %d\n", sig->
id);
1882 static int SCSigOrderingTest12(
void)
1886 uint8_t buf[] =
"test message";
1892 f.
proto = IPPROTO_TCP;
1898 const char *sigs[2];
1899 sigs[0] =
"alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:isset,one; flowbits:set,two; sid:1;)";
1900 sigs[1] =
"alert tcp any any -> any any (content:\"test\"; dsize:>0; flowbits:set,one; sid:2;)";
1920 uint32_t sids[2] = {1, 2};
1934 static int SCSigOrderingTest13(
void)
1942 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flowbits:isset,bit1; flowbits:set,bit2; flowbits:set,bit3; sid:6;)");
1946 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (flowbits:isset,bit1; flowbits:isset,bit2; flowbits:isset,bit3; sid:5;)");
1949 SCSigRegisterSignatureOrderingFunc(
de_ctx, SCSigOrderByFlowbitsCompare);
1954 while (sig != NULL) {
1955 printf(
"sid: %d\n", sig->
id);