50 #define PARSE_REGEX "^\\s*([a-zA-Z][\\w\\d_./]+)\\s*,\\s*([+=-]{1}|==|!=|<|<=|>|>=|isset|notset)\\s*,?\\s*([a-zA-Z][\\w\\d]+|[\\d]{1,10})?\\s*$"
60 static void DetectFlowintRegisterTests(
void);
229 char *varname = NULL;
232 int ret = 0,
res = 0;
235 unsigned long long value_long = 0;
239 if (ret < 3 || ret > 4) {
246 if (
res < 0 || str_ptr == NULL) {
250 varname = (
char *)str_ptr;
253 if (
res < 0 || str_ptr == NULL) {
257 modstr = (
char *)str_ptr;
260 if (strcmp(
"=", modstr) == 0)
262 if (strcmp(
"+", modstr) == 0)
264 if (strcmp(
"-", modstr) == 0)
267 if (strcmp(
"<", modstr) == 0)
269 if (strcmp(
"<=", modstr) == 0)
271 if (strcmp(
"!=", modstr) == 0)
273 if (strcmp(
"==", modstr) == 0)
275 if (strcmp(
">=", modstr) == 0)
277 if (strcmp(
">", modstr) == 0)
279 if (strcmp(
"isset", modstr) == 0)
281 if (strcmp(
"notset", modstr) == 0)
299 varval = (
char *)str_ptr;
300 if (
res < 0 || varval == NULL || strcmp(varval,
"") == 0) {
305 if (varval[0] >=
'0' && varval[0] <=
'9') {
307 value_long = atoll(varval);
308 if (value_long > UINT32_MAX) {
309 SCLogDebug(
"DetectFlowintParse: Cannot load this value."
310 " Values should be between 0 and %"PRIu32, UINT32_MAX);
336 pcre_free_substring(varname);
337 pcre_free_substring(modstr);
339 pcre_free_substring(varval);
343 pcre_free_substring(varname);
345 pcre_free_substring(varval);
347 pcre_free_substring(modstr);
368 sfd = DetectFlowintParse(
de_ctx, rawstr);
419 if (sfd->
name != NULL)
435 SCLogDebug(
"DetectFlowintPrintData: Error, DetectFlowintData == NULL!");
439 SCLogDebug(
"Varname: %s, modifier: %"PRIu8
", idx: %"PRIu32
" Target: ",
450 SCLogDebug(
"DetectFlowintPrintData: Error, Targettype not known!");
458 static int DetectFlowintTestParseVal01(
void)
468 sfd = DetectFlowintParse(
de_ctx,
"myvar,=,35");
469 DetectFlowintPrintData(sfd);
470 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
485 static int DetectFlowintTestParseVar01(
void)
495 sfd = DetectFlowintParse(
de_ctx,
"myvar,=,targetvar");
496 DetectFlowintPrintData(sfd);
497 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
515 static int DetectFlowintTestParseVal02(
void)
525 sfd = DetectFlowintParse(
de_ctx,
"myvar,+,35");
526 DetectFlowintPrintData(sfd);
527 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
542 static int DetectFlowintTestParseVar02(
void)
552 sfd = DetectFlowintParse(
de_ctx,
"myvar,+,targetvar");
553 DetectFlowintPrintData(sfd);
554 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
572 static int DetectFlowintTestParseVal03(
void)
582 sfd = DetectFlowintParse(
de_ctx,
"myvar,-,35");
583 DetectFlowintPrintData(sfd);
584 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
599 static int DetectFlowintTestParseVar03(
void)
609 sfd = DetectFlowintParse(
de_ctx,
"myvar,-,targetvar");
610 DetectFlowintPrintData(sfd);
611 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
630 static int DetectFlowintTestParseVal04(
void)
640 sfd = DetectFlowintParse(
de_ctx,
"myvar,==,35");
641 DetectFlowintPrintData(sfd);
642 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
657 static int DetectFlowintTestParseVar04(
void)
667 sfd = DetectFlowintParse(
de_ctx,
"myvar,==,targetvar");
668 DetectFlowintPrintData(sfd);
669 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
687 static int DetectFlowintTestParseVal05(
void)
697 sfd = DetectFlowintParse(
de_ctx,
"myvar,!=,35");
698 DetectFlowintPrintData(sfd);
699 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
714 static int DetectFlowintTestParseVar05(
void)
724 sfd = DetectFlowintParse(
de_ctx,
"myvar,!=,targetvar");
725 DetectFlowintPrintData(sfd);
726 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
744 static int DetectFlowintTestParseVal06(
void)
754 sfd = DetectFlowintParse(
de_ctx,
"myvar, >,35");
755 DetectFlowintPrintData(sfd);
756 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
771 static int DetectFlowintTestParseVar06(
void)
781 sfd = DetectFlowintParse(
de_ctx,
"myvar, >,targetvar");
782 DetectFlowintPrintData(sfd);
783 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
801 static int DetectFlowintTestParseVal07(
void)
811 sfd = DetectFlowintParse(
de_ctx,
"myvar, >= ,35");
812 DetectFlowintPrintData(sfd);
813 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
828 static int DetectFlowintTestParseVar07(
void)
838 sfd = DetectFlowintParse(
de_ctx,
"myvar, >= ,targetvar");
839 DetectFlowintPrintData(sfd);
840 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
858 static int DetectFlowintTestParseVal08(
void)
868 sfd = DetectFlowintParse(
de_ctx,
"myvar, <= ,35");
869 DetectFlowintPrintData(sfd);
870 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
885 static int DetectFlowintTestParseVar08(
void)
895 sfd = DetectFlowintParse(
de_ctx,
"myvar, <= ,targetvar");
896 DetectFlowintPrintData(sfd);
897 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
915 static int DetectFlowintTestParseVal09(
void)
925 sfd = DetectFlowintParse(
de_ctx,
"myvar, < ,35");
926 DetectFlowintPrintData(sfd);
927 if (sfd != NULL && sfd->
target.
value == 35 && !strcmp(sfd->
name,
"myvar")
942 static int DetectFlowintTestParseVar09(
void)
952 sfd = DetectFlowintParse(
de_ctx,
"myvar, < ,targetvar");
953 DetectFlowintPrintData(sfd);
954 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
972 static int DetectFlowintTestParseIsset10(
void)
982 sfd = DetectFlowintParse(
de_ctx,
"myvar, isset");
983 DetectFlowintPrintData(sfd);
984 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
994 sfd = DetectFlowintParse(
de_ctx,
"myvar, notset");
995 DetectFlowintPrintData(sfd);
996 if (sfd != NULL && !strcmp(sfd->
name,
"myvar")
1015 static int DetectFlowintTestParseInvalidSyntaxis01(
void)
1025 sfd = DetectFlowintParse(
de_ctx,
"myvar,=,9999999999");
1027 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=,9532458716234857");
1032 sfd = DetectFlowintParse(
de_ctx,
"myvar,=,45targetvar");
1034 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=,45targetvar ");
1039 sfd = DetectFlowintParse(
de_ctx,
"657myvar,=,targetvar");
1041 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at 657myvar,=,targetvar ");
1046 sfd = DetectFlowintParse(
de_ctx,
"myvar,=<,targetvar");
1048 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,=<,targetvar ");
1053 sfd = DetectFlowintParse(
de_ctx,
"myvar,===,targetvar");
1055 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,===,targetvar ");
1060 sfd = DetectFlowintParse(
de_ctx,
"myvar,==");
1062 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,==");
1067 sfd = DetectFlowintParse(
de_ctx,
"myvar,");
1069 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar,");
1074 sfd = DetectFlowintParse(
de_ctx,
"myvar");
1076 SCLogDebug(
"DetectFlowintTestParseInvalidSyntaxis01: ERROR: invalid option at myvar");
1101 static int DetectFlowintTestPacket01Real(
void)
1106 memset(&th_v, 0,
sizeof(th_v));
1113 const char *sigs[5];
1114 sigs[0] =
"alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint:myvar,=,1; flowint:maxvar,=,6; sid:101;)";
1115 sigs[1] =
"alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint: myvar,+,2; sid:102;)";
1116 sigs[2] =
"alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar,==,3; flowint: cntpackets, =, 0; sid:103;)";
1117 sigs[3] =
"alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: myvar,==,3; flowint: cntpackets, +, 1; noalert;sid:104;)";
1118 sigs[4] =
"alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, ==, maxvar; sid:105;)";
1130 f->
proto = IPPROTO_TCP;
1174 static int DetectFlowintTestPacket02Real(
void)
1179 memset(&th_v, 0,
sizeof(th_v));
1186 const char *sigs[5];
1187 sigs[0] =
"alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint: myvar, notset; flowint:maxvar,notset; flowint: myvar,=,1; flowint: maxvar,=,6; sid:101;)";
1188 sigs[1] =
"alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: myvar,+,2; sid:102;)";
1189 sigs[2] =
"alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; sid:103;)";
1190 sigs[3] =
"alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: cntpackets,isset; flowint: cntpackets, +, 1; noalert;sid:104;)";
1191 sigs[4] =
"alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, isset; flowint: maxvar,isset; flowint: cntpackets, ==, maxvar; sid:105;)";
1203 f->
proto = IPPROTO_TCP;
1247 static int DetectFlowintTestPacket03Real(
void)
1252 memset(&th_v, 0,
sizeof(th_v));
1259 const char *sigs[3];
1260 sigs[0] =
"alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)";
1261 sigs[1] =
"alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)";
1262 sigs[2] =
"alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)";
1274 f->
proto = IPPROTO_TCP;
1309 void DetectFlowintRegisterTests(
void)
1311 UtRegisterTest(
"DetectFlowintTestParseVal01", DetectFlowintTestParseVal01);
1312 UtRegisterTest(
"DetectFlowintTestParseVar01", DetectFlowintTestParseVar01);
1313 UtRegisterTest(
"DetectFlowintTestParseVal02", DetectFlowintTestParseVal02);
1314 UtRegisterTest(
"DetectFlowintTestParseVar02", DetectFlowintTestParseVar02);
1315 UtRegisterTest(
"DetectFlowintTestParseVal03", DetectFlowintTestParseVal03);
1316 UtRegisterTest(
"DetectFlowintTestParseVar03", DetectFlowintTestParseVar03);
1317 UtRegisterTest(
"DetectFlowintTestParseVal04", DetectFlowintTestParseVal04);
1318 UtRegisterTest(
"DetectFlowintTestParseVar04", DetectFlowintTestParseVar04);
1319 UtRegisterTest(
"DetectFlowintTestParseVal05", DetectFlowintTestParseVal05);
1320 UtRegisterTest(
"DetectFlowintTestParseVar05", DetectFlowintTestParseVar05);
1321 UtRegisterTest(
"DetectFlowintTestParseVal06", DetectFlowintTestParseVal06);
1322 UtRegisterTest(
"DetectFlowintTestParseVar06", DetectFlowintTestParseVar06);
1323 UtRegisterTest(
"DetectFlowintTestParseVal07", DetectFlowintTestParseVal07);
1324 UtRegisterTest(
"DetectFlowintTestParseVar07", DetectFlowintTestParseVar07);
1325 UtRegisterTest(
"DetectFlowintTestParseVal08", DetectFlowintTestParseVal08);
1326 UtRegisterTest(
"DetectFlowintTestParseVar08", DetectFlowintTestParseVar08);
1327 UtRegisterTest(
"DetectFlowintTestParseVal09", DetectFlowintTestParseVal09);
1328 UtRegisterTest(
"DetectFlowintTestParseVar09", DetectFlowintTestParseVar09);
1330 DetectFlowintTestParseIsset10);
1332 DetectFlowintTestParseInvalidSyntaxis01);
1334 DetectFlowintTestPacket01Real);
1336 DetectFlowintTestPacket02Real);
1338 DetectFlowintTestPacket03Real);