1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  *
23  * Implements the ip_proto keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 
31 #include "detect-ipproto.h"
32 
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 
37 #include "detect-engine-siggroup.h"
38 #include "detect-engine-address.h"
39 
40 #include "util-byte.h"
41 #include "util-unittest.h"
42 #include "util-unittest-helper.h"
43 
44 #include "util-debug.h"
45 
46 /**
47  * \brief Regex for parsing our options
48  */
/* Option grammar: an optional single operator character ('!', '<' or '>'),
 * optional whitespace, then one run of non-whitespace characters (the protocol
 * name or number). Two capture groups: operator, protocol. */
49 #define PARSE_REGEX "^([!<>]?)\\s*([^\\s]+)$"
50 
/* Regex state for PARSE_REGEX; handed to DetectSetupParseRegexes() at
 * registration and used by DetectIPProtoParse(). */
51 static DetectParseRegex parse_regex;
52 
/* Forward declarations of the keyword callbacks stored in sigmatch_table. */
53 static int DetectIPProtoSetup(DetectEngineCtx *, Signature *, const char *);
54 static void DetectIPProtoRegisterTests(void);
55 static void DetectIPProtoFree(DetectEngineCtx *, void *);
56 
58 {
     /* Fills the DETECT_IPPROTO slot of sigmatch_table with the keyword name,
      * description, documentation URL and the Setup/Free/RegisterTests callbacks,
      * then passes PARSE_REGEX to DetectSetupParseRegexes() to prepare parse_regex.
      * NOTE(review): the function header and two statements are absent from this
      * listing (the gutter skips 57, 62 and 66); only the visible assignments are
      * described here. */
59  sigmatch_table[DETECT_IPPROTO].name = "ip_proto";
60  sigmatch_table[DETECT_IPPROTO].desc = "match on the IP protocol in the packet-header";
61  sigmatch_table[DETECT_IPPROTO].url = "/rules/header-keywords.html#ip-proto";
63  sigmatch_table[DETECT_IPPROTO].Setup = DetectIPProtoSetup;
64  sigmatch_table[DETECT_IPPROTO].Free = DetectIPProtoFree;
65  sigmatch_table[DETECT_IPPROTO].RegisterTests = DetectIPProtoRegisterTests;
67 
68  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
69 }
70 
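/**
 * \internal
 * \brief Parse an ip_proto options string.
 *
 * The string is matched against PARSE_REGEX, which yields an optional operator
 * character ('!', '<' or '>') and a protocol token. A token starting with a
 * digit is parsed as a decimal 8-bit number; anything else is looked up with
 * getprotobyname(), so the accepted names depend on the host's protocol
 * database.
 *
 * \param optstr Options string to parse
 *
 * \return Newly allocated ip_proto data structure (released by the caller with
 *         DetectIPProtoFree), or NULL on a parse, lookup or allocation error
 */
static DetectIPProtoData *DetectIPProtoParse(const char *optstr)
{
    DetectIPProtoData *data = NULL;
    char *args[2] = { NULL, NULL };
    int ret = 0, res = 0;
    int ov[MAX_SUBSTRINGS];
    int i;
    const char *str_ptr;

    /* Execute the regex and populate args with captures. A full match plus
     * the two capture groups gives exactly 3. */
    ret = DetectParsePcreExec(&parse_regex, optstr, 0, 0, ov, MAX_SUBSTRINGS);
    if (ret != 3) {
        /* The separating space keeps the return code from being glued to the
         * word "ret" in the log line. */
        SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret "
                   "%" PRId32 ", string %s", ret, optstr);
        goto error;
    }

    for (i = 0; i < (ret - 1); i++) {
        res = pcre_get_substring((char *)optstr, ov, MAX_SUBSTRINGS,
                                 i + 1, &str_ptr);
        if (res < 0) {
            SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
            goto error;
        }
        /* Ownership of the substring moves to args[]; it is freed below. */
        args[i] = (char *)str_ptr;
    }

    /* Initialize the data */
    data = SCMalloc(sizeof(DetectIPProtoData));
    if (unlikely(data == NULL))
        goto error;
    data->op = DETECT_IPPROTO_OP_EQ;
    data->proto = 0;

    /* Operator: the regex only lets '!', '<' or '>' through, so the captured
     * character is stored as the operator code as-is. */
    if (*(args[0]) != '\0') {
        data->op = *(args[0]);
    }

    /* Protocol name/number */
    if (!isdigit((unsigned char)*(args[1]))) {
        struct protoent *pent = getprotobyname(args[1]);
        if (pent == NULL) {
            SCLogError(SC_ERR_INVALID_VALUE, "Malformed protocol name: %s",
                       args[1]);
            goto error;
        }
        /* p_proto is an int taken from the host's protocol database. Refuse
         * values that do not fit the 8-bit protocol field rather than let the
         * cast below silently pick a different protocol for the rule. */
        if (pent->p_proto < 0 || pent->p_proto > UINT8_MAX) {
            SCLogError(SC_ERR_INVALID_VALUE, "Protocol number out of range "
                       "for protocol name: %s", args[1]);
            goto error;
        }
        data->proto = (uint8_t)pent->p_proto;
    } else {
        if (StringParseUint8(&data->proto, 10, 0, args[1]) <= 0) {
            SCLogError(SC_ERR_INVALID_VALUE, "Malformed protocol number: %s",
                       args[1]);
            goto error;
        }
    }

    for (i = 0; i < (ret - 1); i++) {
        if (args[i] != NULL)
            SCFree(args[i]);
    }

    return data;

error:
    /* ret can be an error code or a short count here, so the index is also
     * bounded by the size of args[]. */
    for (i = 0; i < (ret - 1) && i < 2; i++) {
        if (args[i] != NULL)
            SCFree(args[i]);
    }
    if (data != NULL)
        SCFree(data);

    return NULL;
}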
153 
/* Returns 1 if a DETECT_IPPROTO entry in the walked SigMatch list carries the
 * operator op, 0 otherwise.
 * NOTE(review): the declaration and initialisation of sm (gutter 156) are not
 * shown in this listing, so which list of s is walked cannot be confirmed here. */
154 static int DetectIPProtoTypePresentForOP(Signature *s, uint8_t op)
155 {
157  DetectIPProtoData *data;
158 
159  while (sm != NULL) {
160  if (sm->type == DETECT_IPPROTO) {
     /* ctx of a DETECT_IPPROTO entry is the DetectIPProtoData set in DetectIPProtoSetup. */
161  data = (DetectIPProtoData *)sm->ctx;
162  if (data->op == op)
163  return 1;
164  }
165  sm = sm->next;
166  }
167 
168  return 0;
169 }
170 
171 /**
172  * \internal
173  * \brief Setup ip_proto keyword.
174  *
175  * \param de_ctx Detection engine context
176  * \param s Signature
177  * \param optstr Options string
178  *
179  * \return Non-zero on error
180  */
181 static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
182 {
183  SigMatch *sm = NULL;
184  int i;
185 
     /* Parse the option first. Everything below edits s->proto.proto, a bitmap
      * indexed by IP protocol number: byte (proto / 8), bit (proto % 8).
      * NOTE(review): this bitmap is what limits the signature to certain
      * protocols, so a wrong mask would show up as missed or spurious matches
      * rather than as a rule-load error; hence the combination checks below. */
186  DetectIPProtoData *data = DetectIPProtoParse(optstr);
187  if (data == NULL) {
188  return -1;
189  }
190 
191  /* Reset our "any" (or "ip") state: for ipv4, ipv6 and ip cases, the bitfield
192  * s->proto.proto have all bit set to 1 to be able to match any protocols. ipproto
193  * will refined the protocol list and thus it needs to reset the bitfield to zero
194  * before setting the value specified by the ip_proto keyword.
195  */
     /* NOTE(review): the guarding `if` and the statements next to the memset are
      * not shown in this listing (the gutter skips 196, 197 and 199). */
198  memset(s->proto.proto, 0x00, sizeof(s->proto.proto));
200  } else {
201  /* The ipproto engine has a relationship with the protocol that is
202  * set after the action and also the app protocol(that can also be
203  * set through the app-layer-protocol.
204  * An ip_proto keyword can be used only with alert ip, which if
205  * not true we error out on the sig. And hence the init_flag to
206  * indicate this. */
     /* NOTE(review): the condition guarding this error (gutter 207) is not shown. */
208  SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature can use "
209  "ip_proto keyword only when we use alert ip, "
210  "in which case the _ANY flag is set on the sig "
211  "and the if condition should match.");
212  goto error;
213  }
214  }
215 
     /* Which operators are already present on this signature from earlier
      * ip_proto keywords; used to reject contradictory combinations. */
216  int eq_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_EQ);
217  int gt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_GT);
218  int lt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_LT);
219  int not_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_NOT);
220 
221  switch (data->op) {
     /* NOTE(review): the four case labels (gutter 222, 232, 307 and 382) are not
      * shown in this listing. Judging by the error messages the branches are,
      * in order, the plain (equal), '>', '<' and '!' operators - confirm.
      *
      * Plain value: rejected if any other ip_proto keyword is already present,
      * otherwise exactly this protocol's bit is set. */
223  if (eq_set || gt_set || lt_set || not_set) {
224  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq "
225  "ipproto without any operators attached to "
226  "them in the same sig");
227  goto error;
228  }
229  s->proto.proto[data->proto / 8] |= 1 << (data->proto % 8);
230  break;
231 
     /* Greater-than (presumably): cannot follow an equal or another greater-than. */
233  if (eq_set || gt_set) {
234  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq or gt "
235  "ipproto along with a greater than ipproto in the "
236  "same sig ");
237  goto error;
238  }
239  if (!lt_set && !not_set) {
     /* First operator on the signature: keep only the bits above proto in
      * its own byte and set every later byte. The unit tests expect 0x80
      * for ">14", i.e. the shifted value is truncated to the low 8 bits on
      * store (presumably uint8_t elements). */
240  s->proto.proto[data->proto / 8] = 0xfe << (data->proto % 8);
241  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
242  s->proto.proto[i] = 0xff;
243  }
244  } else if (lt_set && !not_set) {
     /* NOTE(review): the declaration of temp_sm (gutter 245) is not shown.
      * The loop stops at the first DETECT_IPPROTO entry, which in this branch
      * can only be the existing less-than keyword. */
246  while (temp_sm != NULL) {
247  if (temp_sm->type == DETECT_IPPROTO) {
248  break;
249  }
250  temp_sm = temp_sm->next;
251  }
252  if (temp_sm != NULL) {
253  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
     /* An upper bound at or below the new lower bound is rejected. */
254  if (data_temp->proto <= data->proto) {
255  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
256  "both gt and lt ipprotos, with the lt being "
257  "lower than gt value");
258  goto error;
259  } else {
     /* Intersect with the existing mask: clear everything at or below
      * proto. NOTE(review): the `&= 0xff` loops here and in the branches
      * below leave 8-bit elements unchanged; they only spell out that the
      * higher bytes are kept. */
260  for (i = 0; i < (data->proto / 8); i++) {
261  s->proto.proto[i] = 0;
262  }
263  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
264  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
265  s->proto.proto[i] &= 0xff;
266  }
267  }
268  }
269  } else if (!lt_set && not_set) {
     /* Only negations so far: clear everything at or below proto and keep
      * the negated holes above it. */
270  for (i = 0; i < (data->proto / 8); i++) {
271  s->proto.proto[i] = 0;
272  }
273  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
274  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
275  s->proto.proto[i] &= 0xff;
276  }
277  } else {
     /* Both a less-than and a negation exist: find the less-than entry
      * explicitly (temp_sm declaration, gutter 279, not shown). */
278  DetectIPProtoData *data_temp;
280  while (temp_sm != NULL) {
281  if (temp_sm->type == DETECT_IPPROTO &&
282  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_LT) {
283  break;
284  }
285  temp_sm = temp_sm->next;
286  }
287  if (temp_sm != NULL) {
288  data_temp = (DetectIPProtoData *)temp_sm->ctx;
289  if (data_temp->proto <= data->proto) {
290  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
291  "both gt and lt ipprotos, with the lt being "
292  "lower than gt value");
293  goto error;
294  } else {
295  for (i = 0; i < (data->proto / 8); i++) {
296  s->proto.proto[i] = 0;
297  }
298  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
299  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
300  s->proto.proto[i] &= 0xff;
301  }
302  }
303  }
304  }
305  break;
306 
     /* Less-than (presumably): mirror image of the branch above. */
308  if (eq_set || lt_set) {
309  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq or lt "
310  "ipproto along with a less than ipproto in the "
311  "same sig ");
312  goto error;
313  }
314  if (!gt_set && !not_set) {
     /* First operator on the signature: set every byte below proto's byte
      * and the bits below proto in its own byte. Higher bytes are not
      * written here (presumably still zero from the memset above). */
315  for (i = 0; i < (data->proto / 8); i++) {
316  s->proto.proto[i] = 0xff;
317  }
318  s->proto.proto[data->proto / 8] = ~(0xff << (data->proto % 8));
319  } else if (gt_set && !not_set) {
     /* temp_sm declaration (gutter 320) not shown; the first DETECT_IPPROTO
      * entry can only be the existing greater-than keyword here. */
321  while (temp_sm != NULL) {
322  if (temp_sm->type == DETECT_IPPROTO) {
323  break;
324  }
325  temp_sm = temp_sm->next;
326  }
327  if (temp_sm != NULL) {
328  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
     /* A lower bound at or above the new upper bound is rejected.
      * NOTE(review): the message below reads "can't use a have"; the
      * sibling branches log "can't have". */
329  if (data_temp->proto >= data->proto) {
330  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a have "
331  "both gt and lt ipprotos, with the lt being "
332  "lower than gt value");
333  goto error;
334  } else {
     /* Intersect with the existing mask: clear everything at or above proto. */
335  for (i = 0; i < (data->proto / 8); i++) {
336  s->proto.proto[i] &= 0xff;
337  }
338  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
339  for (i = (data->proto / 8) + 1; i < 256 / 8; i++) {
340  s->proto.proto[i] = 0;
341  }
342  }
343  }
344  } else if (!gt_set && not_set) {
     /* Only negations so far: keep the negated holes below proto and clear
      * everything at or above it. */
345  for (i = 0; i < (data->proto / 8); i++) {
346  s->proto.proto[i] &= 0xFF;
347  }
348  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
349  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
350  s->proto.proto[i] = 0;
351  }
352  } else {
     /* Both a greater-than and a negation exist: find the greater-than
      * entry explicitly (temp_sm declaration, gutter 354, not shown). */
353  DetectIPProtoData *data_temp;
355  while (temp_sm != NULL) {
356  if (temp_sm->type == DETECT_IPPROTO &&
357  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_GT) {
358  break;
359  }
360  temp_sm = temp_sm->next;
361  }
362  if (temp_sm != NULL) {
363  data_temp = (DetectIPProtoData *)temp_sm->ctx;
364  if (data_temp->proto >= data->proto) {
365  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
366  "both gt and lt ipprotos, with the lt being "
367  "lower than gt value");
368  goto error;
369  } else {
370  for (i = 0; i < (data->proto / 8); i++) {
371  s->proto.proto[i] &= 0xFF;
372  }
373  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
374  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
375  s->proto.proto[i] = 0;
376  }
377  }
378  }
379  }
380  break;
381 
     /* Negation (presumably): only an equal keyword conflicts with it. */
383  if (eq_set) {
384  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq "
385  "ipproto along with a not ipproto in the "
386  "same sig ");
387  goto error;
388  }
389  if (!gt_set && !lt_set && !not_set) {
     /* First operator on the signature: set every bit except proto's. */
390  for (i = 0; i < (data->proto / 8); i++) {
391  s->proto.proto[i] = 0xff;
392  }
393  s->proto.proto[data->proto / 8] = ~(1 << (data->proto % 8));
394  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
395  s->proto.proto[i] = 0xff;
396  }
397  } else {
     /* Other operators already shaped the mask: only clear proto's bit. */
398  for (i = 0; i < (data->proto / 8); i++) {
399  s->proto.proto[i] &= 0xff;
400  }
401  s->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8));
402  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
403  s->proto.proto[i] &= 0xff;
404  }
405  }
406  break;
407  }
408 
     /* Record the keyword as a SigMatch so later ip_proto keywords on the same
      * signature can see its operator and value. An allocation failure takes
      * the error path, which frees data. */
409  sm = SigMatchAlloc();
410  if (sm == NULL)
411  goto error;
412  sm->type = DETECT_IPPROTO;
413  sm->ctx = (void *)data;
     /* NOTE(review): two source lines are missing from the listing here (the
      * gutter skips 414 and 415); attaching sm to the signature is not visible. */
416 
417  return 0;
418 
419  error:
420 
     /* data is not owned by any SigMatch on the paths that reach this label. */
421  DetectIPProtoFree(de_ctx, data);
422  return -1;
423 }
424 
425 
427 {
     /* Walks a SigMatch list and frees every DETECT_IPPROTO entry with
      * SigMatchFree(), saving the successor before the node is released.
      * NOTE(review): the function header, the initialisation of sm and one
      * statement inside the loop are absent from this listing (the gutter
      * skips 426, 428 and 436). As shown, no unlink from the list is visible
      * before the free - confirm against the source file. */
429 
430  while (sm != NULL) {
431  if (sm->type != DETECT_IPPROTO) {
432  sm = sm->next;
433  continue;
434  }
     /* Read next before freeing: sm must not be dereferenced afterwards. */
435  SigMatch *tmp_sm = sm->next;
437  SigMatchFree(de_ctx, sm);
438  sm = tmp_sm;
439  }
440 
441  return;
442 }
443 
/**
 * \internal
 * \brief Free the data of an ip_proto keyword.
 *
 * \param de_ctx Detection engine context (not used by this function)
 * \param ptr    Pointer to the DetectIPProtoData to release; NULL is accepted
 */
static void DetectIPProtoFree(DetectEngineCtx *de_ctx, void *ptr)
{
    DetectIPProtoData *ipproto = (DetectIPProtoData *)ptr;

    /* Nothing to release for a NULL context. */
    if (ipproto == NULL) {
        return;
    }
    SCFree(ipproto);
}
451 
452 /* UNITTESTS */
453 #ifdef UNITTESTS
454 
/**
 * \test DetectIPProtoTestParse01 checks that a protocol number that does not
 *       fit in 8 bits ("999") is rejected by the parser.
 */
static int DetectIPProtoTestParse01(void)
{
    DetectIPProtoData *parsed = DetectIPProtoParse("999");

    /* The parser must refuse the value and hand back no data. */
    FAIL_IF(parsed != NULL);
    PASS;
}
464 
/**
 * \test DetectIPProtoTestParse02 checks that a protocol name that cannot be
 *       resolved ("foobarbooeek") is rejected by the parser.
 */
static int DetectIPProtoTestParse02(void)
{
    DetectIPProtoData *parsed = DetectIPProtoParse("foobarbooeek");

    /* The name lookup must fail and the parser must hand back no data. */
    FAIL_IF(parsed != NULL);
    PASS;
}
474 
475 /**
476  * \test DetectIPProtoTestSetup01 is a test for a protocol number
477  */
478 static int DetectIPProtoTestSetup01(void)
479 {
480  const char *value_str = "14";
481  int value = atoi(value_str);
482  int i;
483 
484  Signature *sig = SigAlloc();
485  FAIL_IF_NULL(sig);
486 
     /* NOTE(review): the listing omits one source line here (gutter skips 487). */
488  sig->proto.flags |= DETECT_PROTO_ANY;
     /* The return value is not checked; a failed setup would only surface
      * through the bitmap checks below. */
489  DetectIPProtoSetup(NULL, sig, value_str);
     /* Expect only protocol 14's bit: byte 14 / 8 = 1, bit 14 % 8 = 6 (0x40);
      * every other byte of the bitmap must be zero. */
490  for (i = 0; i < (value / 8); i++) {
491  FAIL_IF(sig->proto.proto[i] != 0);
492  }
493  FAIL_IF(sig->proto.proto[value / 8] != 0x40);
494  for (i = (value / 8) + 1; i < (256 / 8); i++) {
495  FAIL_IF(sig->proto.proto[i] != 0);
496  }
497  SigFree(NULL, sig);
498  PASS;
499 }
500 
501 /**
502  * \test DetectIPProtoTestSetup02 is a test for a protocol name
503  */
504 static int DetectIPProtoTestSetup02(void)
505 {
506  int result = 0;
507  Signature *sig = NULL;
508  const char *value_str = "tcp";
     /* The expected protocol number comes from the host's protocol database;
      * the test fails (returns 0) if "tcp" cannot be resolved there. */
509  struct protoent *pent = getprotobyname(value_str);
510  if (pent == NULL) {
511  goto end;
512  }
513  uint8_t value = (uint8_t)pent->p_proto;
514  int i;
515 
516  if ((sig = SigAlloc()) == NULL)
517  goto end;
518 
     /* NOTE(review): the listing omits one source line here (gutter skips 519). */
520  sig->proto.flags |= DETECT_PROTO_ANY;
521  DetectIPProtoSetup(NULL, sig, value_str);
     /* Only the resolved protocol's bit may be set. NOTE(review): the expected
      * byte is hard-coded as 0x40 (bit 6), which assumes the resolved number
      * has (value % 8) == 6, as the standard TCP number 6 does. */
522  for (i = 0; i < (value / 8); i++) {
523  if (sig->proto.proto[i] != 0)
524  goto end;
525  }
526  if (sig->proto.proto[value / 8] != 0x40) {
527  goto end;
528  }
529  for (i = (value / 8) + 1; i < (256 / 8); i++) {
530  if (sig->proto.proto[i] != 0)
531  goto end;
532  }
533 
534  result = 1;
535 
536  end:
537  if (sig != NULL)
538  SigFree(NULL, sig);
539  return result;
540 }
541 
542 /**
543  * \test DetectIPProtoTestSetup03 is a test for a < operator
544  */
545 static int DetectIPProtoTestSetup03(void)
546 {
547  int result = 0;
548  Signature *sig;
549  const char *value_str = "<14";
550  int value = 14;
551  int i;
552 
553  if ((sig = SigAlloc()) == NULL)
554  goto end;
555 
     /* NOTE(review): the listing omits one source line here (gutter skips 556). */
557  sig->proto.flags |= DETECT_PROTO_ANY;
558  DetectIPProtoSetup(NULL, sig, value_str);
     /* "<14" must select protocols 0..13: byte 0 is 0xFF, byte 1 is 0x3F
      * (bits 0..5) and every later byte is zero. */
559  for (i = 0; i < (value / 8); i++) {
560  if (sig->proto.proto[i] != 0xFF)
561  goto end;
562  }
563  if (sig->proto.proto[value / 8] != 0x3F) {
564  goto end;
565  }
566  for (i = (value / 8) + 1; i < (256 / 8); i++) {
567  if (sig->proto.proto[i] != 0)
568  goto end;
569  }
570 
571  result = 1;
572 
573  end:
     /* NOTE(review): sig is NULL here when SigAlloc() failed; DetectIPProtoTestSetup02
      * guards this call with a NULL check - confirm SigFree accepts NULL. */
574  SigFree(NULL, sig);
575  return result;
576 }
577 
578 /**
579  * \test DetectIPProtoTestSetup04 is a test for a > operator
580  */
581 static int DetectIPProtoTestSetup04(void)
582 {
583  int result = 0;
584  Signature *sig;
585  const char *value_str = ">14";
586  int value = 14;
587  int i;
588 
589  if ((sig = SigAlloc()) == NULL)
590  goto end;
591 
     /* NOTE(review): the listing omits one source line here (gutter skips 592). */
593  sig->proto.flags |= DETECT_PROTO_ANY;
594  DetectIPProtoSetup(NULL, sig, value_str);
     /* ">14" must select protocols 15..255: byte 0 is zero, byte 1 is 0x80
      * (bit 7 only) and every later byte is 0xFF. */
595  for (i = 0; i < (value / 8); i++) {
596  if (sig->proto.proto[i] != 0)
597  goto end;
598  }
599  if (sig->proto.proto[value / 8] != 0x80) {
600  goto end;
601  }
602  for (i = (value / 8) + 1; i < (256 / 8); i++) {
603  if (sig->proto.proto[i] != 0xFF)
604  goto end;
605  }
606 
607  result = 1;
608 
609  end:
610  SigFree(NULL, sig);
611  return result;
612 }
613 
614 /**
615  * \test DetectIPProtoTestSetup05 is a test for a ! operator
616  */
617 static int DetectIPProtoTestSetup05(void)
618 {
619  int result = 0;
620  Signature *sig;
621  const char *value_str = "!14";
622  int value = 14;
623  int i;
624 
625  if ((sig = SigAlloc()) == NULL)
626  goto end;
627 
     /* NOTE(review): the listing omits one source line here (gutter skips 628). */
629  sig->proto.flags |= DETECT_PROTO_ANY;
630  DetectIPProtoSetup(NULL, sig, value_str);
     /* "!14" must select every protocol except 14: all bytes are 0xFF apart
      * from byte 1, which is 0xBF (bit 6 cleared). */
631  for (i = 0; i < (value / 8); i++) {
632  if (sig->proto.proto[i] != 0xFF)
633  goto end;
634  }
635  if (sig->proto.proto[value / 8] != 0xBF) {
636  goto end;
637  }
638  for (i = (value / 8) + 1; i < (256 / 8); i++) {
639  if (sig->proto.proto[i] != 0xFF)
640  goto end;
641  }
642 
643  result = 1;
644 
645  end:
646  SigFree(NULL, sig);
647  return result;
648 }
649 
650 /**
651  * \test Negative test.
652  */
653 static int DetectIPProtoTestSetup06(void)
654 {
655  int result = 0;
656  Signature *sig;
657  const char *value1_str = "14";
658  const char *value2_str = "15";
659 
660  if ((sig = SigAlloc()) == NULL)
661  goto end;
662 
     /* NOTE(review): the listing omits one source line here (gutter skips 663). */
664  sig->proto.flags |= DETECT_PROTO_ANY;
     /* Two plain values on one signature: the first setup must succeed (0)
      * and the second must be rejected (-1). */
665  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
666  goto end;
667  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
668  goto end;
669 
670  result = 1;
671 
672  end:
673  SigFree(NULL, sig);
674  return result;
675 }
676 
677 /**
678  * \test Negative test.
679  */
680 static int DetectIPProtoTestSetup07(void)
681 {
682  int result = 0;
683  Signature *sig;
684  const char *value1_str = "14";
685  const char *value2_str = "<15";
686 
687  if ((sig = SigAlloc()) == NULL)
688  goto end;
689 
     /* NOTE(review): the listing omits one source line here (gutter skips 690). */
691  sig->proto.flags |= DETECT_PROTO_ANY;
     /* A plain value followed by a '<' value: the first setup must succeed (0)
      * and the second must be rejected (-1). */
692  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
693  goto end;
694  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
695  goto end;
696 
697  result = 1;
698 
699  end:
700  SigFree(NULL, sig);
701  return result;
702 }
703 
704 /**
705  * \test Negative test.
706  */
707 static int DetectIPProtoTestSetup08(void)
708 {
709  int result = 0;
710  Signature *sig;
711  const char *value1_str = "14";
712  const char *value2_str = ">15";
713 
714  if ((sig = SigAlloc()) == NULL)
715  goto end;
716 
     /* NOTE(review): the listing omits one source line here (gutter skips 717). */
718  sig->proto.flags |= DETECT_PROTO_ANY;
     /* A plain value followed by a '>' value: the first setup must succeed (0)
      * and the second must be rejected (-1). */
719  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
720  goto end;
721  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
722  goto end;
723 
724  result = 1;
725 
726  end:
727  SigFree(NULL, sig);
728  return result;
729 }
730 
731 /**
732  * \test Negative test.
733  */
734 static int DetectIPProtoTestSetup09(void)
735 {
736  int result = 0;
737  Signature *sig;
738  const char *value1_str = "14";
739  const char *value2_str = "!15";
740 
741  if ((sig = SigAlloc()) == NULL)
742  goto end;
743 
     /* NOTE(review): the listing omits one source line here (gutter skips 744). */
745  sig->proto.flags |= DETECT_PROTO_ANY;
     /* A plain value followed by a '!' value: the first setup must succeed (0)
      * and the second must be rejected (-1). */
746  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
747  goto end;
748  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
749  goto end;
750 
751  result = 1;
752 
753  end:
754  SigFree(NULL, sig);
755  return result;
756 }
757 
758 /**
759  * \test Negative test.
760  */
761 static int DetectIPProtoTestSetup10(void)
762 {
763  int result = 0;
764  Signature *sig;
765  const char *value1_str = ">14";
766  const char *value2_str = "15";
767 
768  if ((sig = SigAlloc()) == NULL)
769  goto end;
770 
     /* NOTE(review): the listing omits one source line here (gutter skips 771). */
772  sig->proto.flags |= DETECT_PROTO_ANY;
     /* A '>' value followed by a plain value: the first setup must succeed (0)
      * and the second must be rejected (-1). */
773  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
774  goto end;
775  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
776  goto end;
777 
778  result = 1;
779 
780  end:
781  SigFree(NULL, sig);
782  return result;
783 }
784 
785 /**
786  * \test Negative test.
787  */
788 static int DetectIPProtoTestSetup11(void)
789 {
790  int result = 0;
791  Signature *sig;
792  const char *value1_str = "<14";
793  const char *value2_str = "15";
794 
795  if ((sig = SigAlloc()) == NULL)
796  goto end;
797 
     /* NOTE(review): the listing omits one source line here (gutter skips 798). */
799  sig->proto.flags |= DETECT_PROTO_ANY;
     /* A '<' value followed by a plain value: the first setup must succeed (0)
      * and the second must be rejected (-1). */
800  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
801  goto end;
802  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
803  goto end;
804 
805  result = 1;
806 
807  end:
808  SigFree(NULL, sig);
809  return result;
810 }
811 
812 /**
813  * \test Negative test.
814  */
815 static int DetectIPProtoTestSetup12(void)
816 {
817  int result = 0;
818  Signature *sig;
819  const char *value1_str = "!14";
820  const char *value2_str = "15";
821 
822  if ((sig = SigAlloc()) == NULL)
823  goto end;
824 
     /* NOTE(review): the listing omits one source line here (gutter skips 825). */
826  sig->proto.flags |= DETECT_PROTO_ANY;
     /* A '!' value followed by a plain value: the first setup must succeed (0)
      * and the second must be rejected (-1). */
827  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
828  goto end;
829  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
830  goto end;
831 
832  result = 1;
833 
834  end:
835  SigFree(NULL, sig);
836  return result;
837 }
838 
839 /**
840  * \test Negative test.
841  */
842 static int DetectIPProtoTestSetup13(void)
843 {
844  int result = 0;
845  Signature *sig;
846  const char *value1_str = ">14";
847  const char *value2_str = ">15";
848 
849  if ((sig = SigAlloc()) == NULL)
850  goto end;
851 
     /* NOTE(review): the listing omits one source line here (gutter skips 852). */
853  sig->proto.flags |= DETECT_PROTO_ANY;
     /* Two '>' values on one signature: the first setup must succeed (0)
      * and the second must be rejected (-1). */
854  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
855  goto end;
856  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
857  goto end;
858 
859  result = 1;
860 
861  end:
862  SigFree(NULL, sig);
863  return result;
864 }
865 
/**
 * \test Negative test: two '<' values on one signature; the first setup must
 *       succeed (0) and the second must be rejected (-1).
 */
866 static int DetectIPProtoTestSetup14(void)
867 {
868  int result = 0;
869  Signature *sig;
870  const char *value1_str = "<14";
871  const char *value2_str = "<15";
872 
873  if ((sig = SigAlloc()) == NULL)
874  goto end;
875 
     /* NOTE(review): the listing omits one source line here (gutter skips 876). */
877  sig->proto.flags |= DETECT_PROTO_ANY;
878  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
879  goto end;
880  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
881  goto end;
882 
883  result = 1;
884 
885  end:
886  SigFree(NULL, sig);
887  return result;
888 }
889 
/**
 * \test "<14" is accepted and yields the expected bitmap; a following ">34"
 *       (a lower bound above the upper bound) must be rejected.
 */
890 static int DetectIPProtoTestSetup15(void)
891 {
892  int result = 0;
893  Signature *sig;
894  const char *value1_str = "<14";
895  int value1 = 14;
896  const char *value2_str = ">34";
897  int i;
898 
899  if ((sig = SigAlloc()) == NULL)
900  goto end;
901 
     /* NOTE(review): the listing omits one source line here (gutter skips 902). */
903  sig->proto.flags |= DETECT_PROTO_ANY;
904  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
905  goto end;
     /* Bitmap after "<14": byte 0 is 0xFF, byte 1 is 0x3F, the rest is zero. */
906  for (i = 0; i < (value1 / 8); i++) {
907  if (sig->proto.proto[i] != 0xFF)
908  goto end;
909  }
910  if (sig->proto.proto[value1 / 8] != 0x3F) {
911  goto end;
912  }
913  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
914  if (sig->proto.proto[i] != 0)
915  goto end;
916  }
     /* The contradictory second keyword must not return 0. */
917  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
918  goto end;
919 
920  result = 1;
921 
922  end:
923  SigFree(NULL, sig);
924  return result;
925 
926 }
927 
/**
 * \test ">34" is accepted and yields the expected bitmap; a following "<14"
 *       (an upper bound below the lower bound) must be rejected.
 */
928 static int DetectIPProtoTestSetup16(void)
929 {
930  int result = 0;
931  Signature *sig;
932  const char *value1_str = "<14";
933  const char *value2_str = ">34";
934  int value2 = 34;
935  int i;
936 
937  if ((sig = SigAlloc()) == NULL)
938  goto end;
939 
     /* NOTE(review): the listing omits one source line here (gutter skips 940). */
941  sig->proto.flags |= DETECT_PROTO_ANY;
942  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
943  goto end;
     /* Bitmap after ">34": bytes 0..3 are zero, byte 4 is 0xF8 (bits 3..7),
      * every later byte is 0xFF. */
944  for (i = 0; i < (value2 / 8); i++) {
945  if (sig->proto.proto[i] != 0)
946  goto end;
947  }
948  if (sig->proto.proto[value2 / 8] != 0xF8) {
949  goto end;
950  }
951  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
952  if (sig->proto.proto[i] != 0xFF)
953  goto end;
954  }
     /* The contradictory second keyword must not return 0. */
955  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
956  goto end;
957 
958  result = 1;
959 
960  end:
961  SigFree(NULL, sig);
962  return result;
963 
964 }
965 
/**
 * \test "<11" is accepted and yields the expected bitmap; a following ">13"
 *       (a lower bound above the upper bound) must be rejected.
 */
966 static int DetectIPProtoTestSetup17(void)
967 {
968  int result = 0;
969  Signature *sig;
970  const char *value1_str = "<11";
971  int value1 = 11;
972  const char *value2_str = ">13";
973  int i;
974 
975  if ((sig = SigAlloc()) == NULL)
976  goto end;
977 
     /* NOTE(review): the listing omits one source line here (gutter skips 978). */
979  sig->proto.flags |= DETECT_PROTO_ANY;
980  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
981  goto end;
     /* Bitmap after "<11": byte 0 is 0xFF, byte 1 is 0x07 (bits 0..2), the
      * rest is zero. */
982  for (i = 0; i < (value1 / 8); i++) {
983  if (sig->proto.proto[i] != 0xFF)
984  goto end;
985  }
986  if (sig->proto.proto[value1 / 8] != 0x07) {
987  goto end;
988  }
989  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
990  if (sig->proto.proto[i] != 0)
991  goto end;
992  }
     /* The contradictory second keyword must not return 0. */
993  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
994  goto end;
995 
996  result = 1;
997 
998  end:
999  SigFree(NULL, sig);
1000  return result;
1001 
1002 }
1003 
/**
 * \test ">13" is accepted and yields the expected bitmap; a following "<11"
 *       (an upper bound below the lower bound) must be rejected.
 */
1004 static int DetectIPProtoTestSetup18(void)
1005 {
1006  int result = 0;
1007  Signature *sig;
1008  const char *value1_str = "<11";
1009  const char *value2_str = ">13";
1010  int value2 = 13;
1011  int i;
1012 
1013  if ((sig = SigAlloc()) == NULL)
1014  goto end;
1015 
     /* NOTE(review): the listing omits one source line here (gutter skips 1016). */
1017  sig->proto.flags |= DETECT_PROTO_ANY;
1018  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1019  goto end;
     /* Bitmap after ">13": byte 0 is zero, byte 1 is 0xC0 (bits 6..7), every
      * later byte is 0xFF. */
1020  for (i = 0; i < (value2 / 8); i++) {
1021  if (sig->proto.proto[i] != 0)
1022  goto end;
1023  }
1024  if (sig->proto.proto[value2 / 8] != 0xC0) {
1025  goto end;
1026  }
1027  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1028  if (sig->proto.proto[i] != 0xFF)
1029  goto end;
1030  }
     /* The contradictory second keyword must not return 0. */
1031  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1032  goto end;
1033 
1034  result = 1;
1035 
1036  end:
1037  SigFree(NULL, sig);
1038  return result;
1039 
1040 }
1041 
/**
 * \test "<11" then "!13" are both accepted and leave the "<11" bitmap in place;
 *       a following ">36" must be rejected.
 */
1042 static int DetectIPProtoTestSetup19(void)
1043 {
1044  int result = 0;
1045  Signature *sig;
1046  const char *value1_str = "<11";
1047  int value1 = 11;
1048  const char *value2_str = "!13";
1049  const char *value3_str = ">36";
1050  int i;
1051 
1052  if ((sig = SigAlloc()) == NULL)
1053  goto end;
1054 
     /* NOTE(review): the listing omits one source line here (gutter skips 1055). */
1056  sig->proto.flags |= DETECT_PROTO_ANY;
1057  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1058  goto end;
1059  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1060  goto end;
     /* Protocol 13 is already outside "<11", so the negation changes nothing:
      * byte 0 is 0xFF, byte 1 is 0x07, the rest is zero. */
1061  for (i = 0; i < (value1 / 8); i++) {
1062  if (sig->proto.proto[i] != 0xFF)
1063  goto end;
1064  }
1065  if (sig->proto.proto[value1 / 8] != 0x07) {
1066  goto end;
1067  }
1068  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1069  if (sig->proto.proto[i] != 0)
1070  goto end;
1071  }
     /* The contradictory third keyword must not return 0. */
1072  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1073  goto end;
1074 
1075  result = 1;
1076 
1077  end:
1078  SigFree(NULL, sig);
1079  return result;
1080 }
1081 
/**
 * \test "<11" is accepted and yields the expected bitmap; a following ">36"
 *       (a lower bound above the upper bound) must be rejected.
 */
1082 static int DetectIPProtoTestSetup20(void)
1083 {
1084  int result = 0;
1085  Signature *sig;
1086  const char *value1_str = "<11";
1087  int value1 = 11;
1088  const char *value3_str = ">36";
1089  int i;
1090 
1091  if ((sig = SigAlloc()) == NULL)
1092  goto end;
1093 
     /* NOTE(review): the listing omits one source line here (gutter skips 1094). */
1095  sig->proto.flags |= DETECT_PROTO_ANY;
1096  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1097  goto end;
     /* Bitmap after "<11": byte 0 is 0xFF, byte 1 is 0x07, the rest is zero. */
1098  for (i = 0; i < (value1 / 8); i++) {
1099  if (sig->proto.proto[i] != 0xFF)
1100  goto end;
1101  }
1102  if (sig->proto.proto[value1 / 8] != 0x07) {
1103  goto end;
1104  }
1105  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1106  if (sig->proto.proto[i] != 0)
1107  goto end;
1108  }
     /* The contradictory second keyword must not return 0. */
1109  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1110  goto end;
1111 
1112  result = 1;
1113 
1114  end:
1115  SigFree(NULL, sig);
1116  return result;
1117 }
1118 
/**
 * \test "!13" then "<11" are both accepted and yield the "<11" bitmap; a
 *       following ">36" must be rejected.
 */
1119 static int DetectIPProtoTestSetup21(void)
1120 {
1121  int result = 0;
1122  Signature *sig;
1123  const char *value1_str = "<11";
1124  int value1 = 11;
1125  const char *value2_str = "!13";
1126  const char *value3_str = ">36";
1127  int i;
1128 
1129  if ((sig = SigAlloc()) == NULL)
1130  goto end;
1131 
     /* NOTE(review): the listing omits one source line here (gutter skips 1132). */
1133  sig->proto.flags |= DETECT_PROTO_ANY;
1134  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1135  goto end;
1136  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1137  goto end;
     /* The "<11" mask is intersected with the negation mask: byte 0 is 0xFF,
      * byte 1 is 0x07, the rest is zero. */
1138  for (i = 0; i < (value1 / 8); i++) {
1139  if (sig->proto.proto[i] != 0xFF)
1140  goto end;
1141  }
1142  if (sig->proto.proto[value1 / 8] != 0x07) {
1143  goto end;
1144  }
1145  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1146  if (sig->proto.proto[i] != 0)
1147  goto end;
1148  }
     /* The contradictory third keyword must not return 0. */
1149  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1150  goto end;
1151 
1152  result = 1;
1153 
1154  end:
1155  SigFree(NULL, sig);
1156  return result;
1157 }
1158 
/**
 * \test "!13" then ">36" are both accepted and yield the ">36" bitmap; a
 *       following "<11" must be rejected.
 */
1159 static int DetectIPProtoTestSetup22(void)
1160 {
1161  int result = 0;
1162  Signature *sig;
1163  const char *value1_str = "<11";
1164  const char *value2_str = "!13";
1165  const char *value3_str = ">36";
1166  int value3 = 36;
1167  int i;
1168 
1169  if ((sig = SigAlloc()) == NULL)
1170  goto end;
1171 
     /* NOTE(review): the listing omits one source line here (gutter skips 1172). */
1173  sig->proto.flags |= DETECT_PROTO_ANY;
1174  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1175  goto end;
1176  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1177  goto end;
     /* Bitmap after "!13" and ">36": bytes 0..3 are zero, byte 4 is 0xE0
      * (bits 5..7), every later byte is 0xFF. */
1178  for (i = 0; i < (value3 / 8); i++) {
1179  if (sig->proto.proto[i] != 0)
1180  goto end;
1181  }
1182  if (sig->proto.proto[value3 / 8] != 0xE0) {
1183  goto end;
1184  }
1185  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1186  if (sig->proto.proto[i] != 0xFF)
1187  goto end;
1188  }
     /* The contradictory third keyword must not return 0. */
1189  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1190  goto end;
1191 
1192  result = 1;
1193 
1194  end:
1195  SigFree(NULL, sig);
1196  return result;
1197 }
1198 
/**
 * \test ">36" is accepted and yields the expected bitmap; a following "<11"
 *       (an upper bound below the lower bound) must be rejected.
 */
1199 static int DetectIPProtoTestSetup23(void)
1200 {
1201  int result = 0;
1202  Signature *sig;
1203  const char *value1_str = "<11";
1204  const char *value3_str = ">36";
1205  int value3 = 36;
1206  int i;
1207 
1208  if ((sig = SigAlloc()) == NULL)
1209  goto end;
1210 
     /* NOTE(review): the listing omits one source line here (gutter skips 1211). */
1212  sig->proto.flags |= DETECT_PROTO_ANY;
1213  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1214  goto end;
     /* Bitmap after ">36": bytes 0..3 are zero, byte 4 is 0xE0, every later
      * byte is 0xFF. */
1215  for (i = 0; i < (value3 / 8); i++) {
1216  if (sig->proto.proto[i] != 0)
1217  goto end;
1218  }
1219  if (sig->proto.proto[value3 / 8] != 0xE0) {
1220  goto end;
1221  }
1222  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1223  if (sig->proto.proto[i] != 0xFF)
1224  goto end;
1225  }
     /* The contradictory second keyword must not return 0. */
1226  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1227  goto end;
1228 
1229  result = 1;
1230 
1231  end:
1232  SigFree(NULL, sig);
1233  return result;
1234 }
1235 
/**
 * \test ">36" then "!13" are both accepted and leave the ">36" bitmap in place;
 *       a following "<11" must be rejected.
 */
1236 static int DetectIPProtoTestSetup24(void)
1237 {
1238  int result = 0;
1239  Signature *sig;
1240  const char *value1_str = "<11";
1241  const char *value2_str = "!13";
1242  const char *value3_str = ">36";
1243  int value3 = 36;
1244  int i;
1245 
1246  if ((sig = SigAlloc()) == NULL)
1247  goto end;
1248 
     /* NOTE(review): the listing omits one source line here (gutter skips 1249). */
1250  sig->proto.flags |= DETECT_PROTO_ANY;
1251  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1252  goto end;
1253  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1254  goto end;
     /* Protocol 13 is already outside ">36", so the negation changes nothing:
      * bytes 0..3 are zero, byte 4 is 0xE0, every later byte is 0xFF. */
1255  for (i = 0; i < (value3 / 8); i++) {
1256  if (sig->proto.proto[i] != 0)
1257  goto end;
1258  }
1259  if (sig->proto.proto[value3 / 8] != 0xE0) {
1260  goto end;
1261  }
1262  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1263  if (sig->proto.proto[i] != 0xFF)
1264  goto end;
1265  }
     /* The contradictory third keyword must not return 0. */
1266  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1267  goto end;
1268 
1269  result = 1;
1270 
1271  end:
1272  SigFree(NULL, sig);
1273  return result;
1274 }
1275 
/**
 * \test "!34" then "<11" are both accepted and yield the "<11" bitmap; a
 *       following ">36" must be rejected.
 */
1276 static int DetectIPProtoTestSetup33(void)
1277 {
1278  int result = 0;
1279  Signature *sig;
1280  const char *value1_str = "<11";
1281  int value1 = 11;
1282  const char *value2_str = "!34";
1283  const char *value3_str = ">36";
1284  int i;
1285 
1286  if ((sig = SigAlloc()) == NULL)
1287  goto end;
1288 
     /* NOTE(review): the listing omits one source line here (gutter skips 1289). */
1290  sig->proto.flags |= DETECT_PROTO_ANY;
1291  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1292  goto end;
1293  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1294  goto end;
     /* The "<11" mask is intersected with the negation mask: byte 0 is 0xFF,
      * byte 1 is 0x07, the rest is zero. */
1295  for (i = 0; i < (value1 / 8); i++) {
1296  if (sig->proto.proto[i] != 0xFF)
1297  goto end;
1298  }
1299  if (sig->proto.proto[value1 / 8] != 0x07) {
1300  goto end;
1301  }
1302  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1303  if (sig->proto.proto[i] != 0)
1304  goto end;
1305  }
     /* The contradictory third keyword must not return 0. */
1306  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1307  goto end;
1308 
1309  result = 1;
1310 
1311  end:
1312  SigFree(NULL, sig);
1313  return result;
1314 }
1315 
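/**
 * \test Apply "!34" and then ">36" to one signature, check the whole
 *       protocol bitmap byte by byte, then confirm that a further "<11"
 *       is refused.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1316 static int DetectIPProtoTestSetup34(void)
1317 {
1318  int result = 0;
1319  Signature *sig;
1320  const char *value1_str = "<11";
1322  const char *value2_str = "!34";
1323  const char *value3_str = ">36";
1324  int value3 = 36;
1325  int i;
1326 
1327  if ((sig = SigAlloc()) == NULL)
1328  goto end;
1329 
      /* NOTE(review): the listing jumps from line 1329 to 1331; the source
       * line in between is not shown on this page. */
1331  sig->proto.flags |= DETECT_PROTO_ANY;
1332  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1333  goto end;
1334  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1335  goto end;
      /* Every byte below the one holding the ">36" boundary has to be clear.
       * The bound is value3 / 8, as in DetectIPProtoTestSetup36: bounding this
       * loop by the "<11" value (11 / 8 == 1) left bytes 1..3 unchecked, so
       * stray bits for protocols 8..31 would not have failed the test. */
1336  for (i = 0; i < (value3 / 8); i++) {
1337  if (sig->proto.proto[i] != 0)
1338  goto end;
1339  }
      /* Byte 4 must be 0xE0 (bits 5..7), bytes 5..31 must be 0xFF. */
1340  if (sig->proto.proto[value3 / 8] != 0xE0) {
1341  goto end;
1342  }
1343  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1344  if (sig->proto.proto[i] != 0xFF)
1345  goto end;
1346  }
      /* The remaining keyword must be refused: a 0 return fails the test. */
1347  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1348  goto end;
1349 
1350  result = 1;
1351 
1352  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1353  SigFree(NULL, sig);
1354  return result;
1355 }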
1356 
/**
 * \test Apply ">36" and then "!34" to one signature, check the resulting
 *       protocol bitmap byte by byte, then confirm that a further "<11"
 *       is refused.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1357 static int DetectIPProtoTestSetup36(void)
1358 {
1359  int result = 0;
1360  Signature *sig;
1361  const char *value1_str = "<11";
1362  const char *value2_str = "!34";
1363  const char *value3_str = ">36";
1364  int value3 = 36;
1365  int i;
1366 
1367  if ((sig = SigAlloc()) == NULL)
1368  goto end;
1369 
      /* NOTE(review): the listing jumps from line 1369 to 1371; the source
       * line in between is not shown on this page. */
1371  sig->proto.flags |= DETECT_PROTO_ANY;
1372  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1373  goto end;
1374  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1375  goto end;
      /* Expected bitmap: bytes 0..3 clear, byte 4 == 0xE0 (bits 5..7),
       * bytes 5..31 == 0xFF. */
1376  for (i = 0; i < (value3 / 8); i++) {
1377  if (sig->proto.proto[i] != 0)
1378  goto end;
1379  }
1380  if (sig->proto.proto[value3 / 8] != 0xE0) {
1381  goto end;
1382  }
1383  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1384  if (sig->proto.proto[i] != 0xFF)
1385  goto end;
1386  }
      /* The remaining keyword must be refused: a 0 return fails the test. */
1387  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1388  goto end;
1389 
1390  result = 1;
1391 
1392  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1393  SigFree(NULL, sig);
1394  return result;
1395 }
1396 
/**
 * \test Apply "!4" and then "<13" to one signature, check the resulting
 *       protocol bitmap, then confirm that a further ">34" is refused.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1397 static int DetectIPProtoTestSetup43(void)
1398 {
1399  int result = 0;
1400  Signature *sig;
1401  const char *value1_str = "!4";
1402  int value1 = 4;
1403  const char *value2_str = "<13";
1404  int value2 = 13;
1405  const char *value3_str = ">34";
1406  int i;
1407 
1408  if ((sig = SigAlloc()) == NULL)
1409  goto end;
1410 
      /* NOTE(review): the listing jumps from line 1410 to 1412; the source
       * line in between is not shown on this page. */
1412  sig->proto.flags |= DETECT_PROTO_ANY;
1413  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1414  goto end;
1415  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1416  goto end;
      /* Expected bitmap: byte 0 == 0xEF (all bits but bit 4), byte 1 == 0x1F
       * (bits 0..4), bytes 2..31 clear. */
1417  if (sig->proto.proto[value1 / 8] != 0xEF) {
1418  goto end;
1419  }
      /* With 4 and 13 the range (value1 / 8) + 1 .. (value2 / 8) - 1 is empty,
       * so this loop checks no byte for these values. */
1420  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1421  if (sig->proto.proto[i] != 0xFF)
1422  goto end;
1423  }
1424  if (sig->proto.proto[value2 / 8] != 0x1F) {
1425  goto end;
1426  }
1427  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1428  if (sig->proto.proto[i] != 0)
1429  goto end;
1430  }
      /* The remaining keyword must be refused: a 0 return fails the test. */
1431  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1432  goto end;
1433 
1434  result = 1;
1435 
1436  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1437  SigFree(NULL, sig);
1438  return result;
1439 }
1440 
/**
 * \test Apply "!4" and then ">34" to one signature, check the resulting
 *       protocol bitmap byte by byte, then confirm that a further "<13"
 *       is refused.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1441 static int DetectIPProtoTestSetup44(void)
1442 {
1443  int result = 0;
1444  Signature *sig;
1445  const char *value1_str = "!4";
1446  const char *value2_str = "<13";
1447  const char *value3_str = ">34";
1448  int value3 = 34;
1449  int i;
1450 
1451  if ((sig = SigAlloc()) == NULL)
1452  goto end;
1453 
      /* NOTE(review): the listing jumps from line 1453 to 1455; the source
       * line in between is not shown on this page. */
1455  sig->proto.flags |= DETECT_PROTO_ANY;
1456  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1457  goto end;
1458  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1459  goto end;
      /* Expected bitmap: bytes 0..3 clear, byte 4 == 0xF8 (bits 3..7),
       * bytes 5..31 == 0xFF. */
1460  for (i = 0; i < (value3 / 8); i++) {
1461  if (sig->proto.proto[i] != 0)
1462  goto end;
1463  }
1464  if (sig->proto.proto[value3 / 8] != 0xF8) {
1465  goto end;
1466  }
1467  for (i = (value3 / 8) + 1; i < 256 / 8; i++) {
1468  if (sig->proto.proto[i] != 0xFF)
1469  goto end;
1470  }
      /* The remaining keyword must be refused: a 0 return fails the test. */
1471  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1472  goto end;
1473 
1474  result = 1;
1475 
1476  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1477  SigFree(NULL, sig);
1478  return result;
1479 }
1480 
/**
 * \test Apply "<13" and then "!4" to one signature, check the resulting
 *       protocol bitmap, then confirm that a further ">34" is refused.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1481 static int DetectIPProtoTestSetup45(void)
1482 {
1483  int result = 0;
1484  Signature *sig;
1485  const char *value1_str = "!4";
1486  int value1 = 4;
1487  const char *value2_str = "<13";
1488  int value2 = 13;
1489  const char *value3_str = ">34";
1490  int i;
1491 
1492  if ((sig = SigAlloc()) == NULL)
1493  goto end;
1494 
      /* NOTE(review): the listing jumps from line 1494 to 1496; the source
       * line in between is not shown on this page. */
1496  sig->proto.flags |= DETECT_PROTO_ANY;
1497  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1498  goto end;
1499  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1500  goto end;
      /* Expected bitmap: byte 0 == 0xEF (all bits but bit 4), byte 1 == 0x1F
       * (bits 0..4), bytes 2..31 clear. */
1501  if (sig->proto.proto[value1 / 8] != 0xEF) {
1502  goto end;
1503  }
      /* With 4 and 13 the range (value1 / 8) + 1 .. (value2 / 8) - 1 is empty,
       * so this loop checks no byte for these values. */
1504  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1505  if (sig->proto.proto[i] != 0xFF)
1506  goto end;
1507  }
1508  if (sig->proto.proto[value2 / 8] != 0x1F) {
1509  goto end;
1510  }
1511  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1512  if (sig->proto.proto[i] != 0)
1513  goto end;
1514  }
      /* The remaining keyword must be refused: a 0 return fails the test. */
1515  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1516  goto end;
1517 
1518  result = 1;
1519 
1520  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1521  SigFree(NULL, sig);
1522  return result;
1523 }
1524 
/**
 * \test Apply "<13" and then "!37" to one signature, check the resulting
 *       protocol bitmap byte by byte, then confirm that a further ">34"
 *       is refused.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1525 static int DetectIPProtoTestSetup56(void)
1526 {
1527  int result = 0;
1528  Signature *sig;
1529  const char *value1_str = "<13";
1530  int value1 = 13;
1531  const char *value2_str = ">34";
1532  const char *value3_str = "!37";
1533  int i;
1534 
1535  if ((sig = SigAlloc()) == NULL)
1536  goto end;
1537 
      /* NOTE(review): the listing jumps from line 1537 to 1539; the source
       * line in between is not shown on this page. */
1539  sig->proto.flags |= DETECT_PROTO_ANY;
1540  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1541  goto end;
1542  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1543  goto end;
      /* Expected bitmap: byte 0 == 0xFF, byte 1 == 0x1F (bits 0..4),
       * bytes 2..31 clear. */
1544  for (i = 0; i < (value1 / 8); i++) {
1545  if (sig->proto.proto[i] != 0xFF)
1546  goto end;
1547  }
1548  if (sig->proto.proto[value1 / 8] != 0x1F) {
1549  goto end;
1550  }
1551  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1552  if (sig->proto.proto[i] != 0)
1553  goto end;
1554  }
      /* The remaining keyword must be refused: a 0 return fails the test. */
1555  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1556  goto end;
1557 
1558  result = 1;
1559 
1560  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1561  SigFree(NULL, sig);
1562  return result;
1563 }
1564 
/**
 * \test Apply "!8" and then ">10" to one signature and check the resulting
 *       protocol bitmap byte by byte.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1565 static int DetectIPProtoTestSetup75(void)
1566 {
1567  int result = 0;
1568  Signature *sig;
1569  const char *value1_str = "!8";
1570  const char *value2_str = ">10";
1571  int value2 = 10;
1572  int i;
1573 
1574  if ((sig = SigAlloc()) == NULL)
1575  goto end;
1576 
      /* NOTE(review): the listing jumps from line 1576 to 1578; the source
       * line in between is not shown on this page. */
1578  sig->proto.flags |= DETECT_PROTO_ANY;
1579  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1580  goto end;
1581  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1582  goto end;
      /* Expected bitmap: byte 0 clear, byte 1 == 0xF8 (bits 3..7),
       * bytes 2..31 == 0xFF. */
1583  for (i = 0; i < (value2 / 8); i++) {
1584  if (sig->proto.proto[i] != 0)
1585  goto end;
1586  }
1587  if (sig->proto.proto[value2 / 8] != 0xF8) {
1588  goto end;
1589  }
1590  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1591  if (sig->proto.proto[i] != 0xFF)
1592  goto end;
1593  }
1594 
1595  result = 1;
1596 
1597  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1598  SigFree(NULL, sig);
1599  return result;
1600 }
1601 
/**
 * \test Apply ">10" and then "!8" to one signature and check the resulting
 *       protocol bitmap byte by byte; the expected bytes are the same as in
 *       DetectIPProtoTestSetup75, which applies the keywords in the other
 *       order.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1602 static int DetectIPProtoTestSetup76(void)
1603 {
1604  int result = 0;
1605  Signature *sig;
1606  const char *value1_str = "!8";
1607  const char *value2_str = ">10";
1608  int value2 = 10;
1609  int i;
1610 
1611  if ((sig = SigAlloc()) == NULL)
1612  goto end;
1613 
      /* NOTE(review): the listing jumps from line 1613 to 1615; the source
       * line in between is not shown on this page. */
1615  sig->proto.flags |= DETECT_PROTO_ANY;
1616  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1617  goto end;
1618  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1619  goto end;
      /* Expected bitmap: byte 0 clear, byte 1 == 0xF8 (bits 3..7),
       * bytes 2..31 == 0xFF. */
1620  for (i = 0; i < (value2 / 8); i++) {
1621  if (sig->proto.proto[i] != 0)
1622  goto end;
1623  }
1624  if (sig->proto.proto[value2 / 8] != 0xF8) {
1625  goto end;
1626  }
1627  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1628  if (sig->proto.proto[i] != 0xFF)
1629  goto end;
1630  }
1631 
1632  result = 1;
1633 
1634  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1635  SigFree(NULL, sig);
1636  return result;
1637 }
1638 
/**
 * \test Apply "<10" to a signature, check the resulting protocol bitmap
 *       byte by byte, then confirm that a further ">10" is refused.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1639 static int DetectIPProtoTestSetup129(void)
1640 {
1641  int result = 0;
1642  Signature *sig;
1643  const char *value1_str = "<10";
1644  int value1 = 10;
1645  const char *value2_str = ">10";
1646  int i;
1647 
1648  if ((sig = SigAlloc()) == NULL)
1649  goto end;
1650 
      /* NOTE(review): the listing jumps from line 1650 to 1652; the source
       * line in between is not shown on this page. */
1652  sig->proto.flags |= DETECT_PROTO_ANY;
1653  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1654  goto end;
      /* Expected bitmap: byte 0 == 0xFF, byte 1 == 0x03 (bits 0..1),
       * bytes 2..31 clear. */
1655  for (i = 0; i < (value1 / 8); i++) {
1656  if (sig->proto.proto[i] != 0xFF)
1657  goto end;
1658  }
1659  if (sig->proto.proto[value1 / 8] != 0x03) {
1660  goto end;
1661  }
1662  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1663  if (sig->proto.proto[i] != 0)
1664  goto end;
1665  }
      /* The remaining keyword must be refused: a 0 return fails the test. */
1666  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1667  goto end;
1668 
1669  result = 1;
1670 
1671  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1672  SigFree(NULL, sig);
1673  return result;
1674 }
1675 
/**
 * \test Apply ">10" to a signature, confirm that a following "<10" is
 *       refused, and then check the protocol bitmap byte by byte. The
 *       bitmap is inspected after the refused call, so the test also fails
 *       if that call altered the bytes expected for ">10".
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1676 static int DetectIPProtoTestSetup130(void)
1677 {
1678  int result = 0;
1679  Signature *sig;
1680  const char *value1_str = "<10";
1681  const char *value2_str = ">10";
1682  int value2 = 10;
1683  int i;
1684 
1685  if ((sig = SigAlloc()) == NULL)
1686  goto end;
1687 
      /* NOTE(review): the listing jumps from line 1687 to 1689; the source
       * line in between is not shown on this page. */
1689  sig->proto.flags |= DETECT_PROTO_ANY;
1690  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1691  goto end;
      /* The second keyword must be refused: a 0 return fails the test. */
1692  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1693  goto end;
      /* Expected bitmap: byte 0 clear, byte 1 == 0xF8 (bits 3..7),
       * bytes 2..31 == 0xFF. */
1694  for (i = 0; i < (value2 / 8); i++) {
1695  if (sig->proto.proto[i] != 0)
1696  goto end;
1697  }
1698  if (sig->proto.proto[value2 / 8] != 0xF8) {
1699  goto end;
1700  }
1701  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1702  if (sig->proto.proto[i] != 0xFF)
1703  goto end;
1704  }
1705 
1706  result = 1;
1707 
1708  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1709  SigFree(NULL, sig);
1710  return result;
1711 }
1712 
/**
 * \test Apply "<10" and then "!10" to one signature and check the resulting
 *       protocol bitmap byte by byte.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1713 static int DetectIPProtoTestSetup131(void)
1714 {
1715  int result = 0;
1716  Signature *sig;
1717  const char *value1_str = "<10";
1718  int value1 = 10;
1719  const char *value2_str = "!10";
1720  int i;
1721 
1722  if ((sig = SigAlloc()) == NULL)
1723  goto end;
1724 
      /* NOTE(review): the listing jumps from line 1724 to 1726; the source
       * line in between is not shown on this page. */
1726  sig->proto.flags |= DETECT_PROTO_ANY;
1727  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1728  goto end;
1729  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1730  goto end;
      /* Expected bitmap: byte 0 == 0xFF, byte 1 == 0x03 (bits 0..1),
       * bytes 2..31 clear. */
1731  for (i = 0; i < (value1 / 8); i++) {
1732  if (sig->proto.proto[i] != 0xFF)
1733  goto end;
1734  }
1735  if (sig->proto.proto[value1 / 8] != 0x03) {
1736  goto end;
1737  }
1738  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1739  if (sig->proto.proto[i] != 0x0)
1740  goto end;
1741  }
1742 
1743  result = 1;
1744 
1745  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1746  SigFree(NULL, sig);
1747  return result;
1748 }
1749 
/**
 * \test Apply "!10" and then "<10" to one signature and check the resulting
 *       protocol bitmap byte by byte; the expected bytes are the same as in
 *       DetectIPProtoTestSetup131, which applies the keywords in the other
 *       order.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1750 static int DetectIPProtoTestSetup132(void)
1751 {
1752  int result = 0;
1753  Signature *sig;
1754  const char *value1_str = "<10";
1755  int value1 = 10;
1756  const char *value2_str = "!10";
1757  int i;
1758 
1759  if ((sig = SigAlloc()) == NULL)
1760  goto end;
1761 
      /* NOTE(review): the listing jumps from line 1761 to 1763; the source
       * line in between is not shown on this page. */
1763  sig->proto.flags |= DETECT_PROTO_ANY;
1764  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1765  goto end;
1766  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1767  goto end;
      /* Expected bitmap: byte 0 == 0xFF, byte 1 == 0x03 (bits 0..1),
       * bytes 2..31 clear. */
1768  for (i = 0; i < (value1 / 8); i++) {
1769  if (sig->proto.proto[i] != 0xFF)
1770  goto end;
1771  }
1772  if (sig->proto.proto[value1 / 8] != 0x03) {
1773  goto end;
1774  }
1775  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1776  if (sig->proto.proto[i] != 0x0)
1777  goto end;
1778  }
1779 
1780  result = 1;
1781 
1782  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1783  SigFree(NULL, sig);
1784  return result;
1785 }
1786 
/**
 * \test Apply ten ip_proto options (">8", "<36" and eight negations) to one
 *       signature, in an order different from their declaration order, and
 *       check the resulting protocol bitmap. Every call is expected to
 *       succeed.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1787 static int DetectIPProtoTestSetup145(void)
1788 {
1789  int result = 0;
1790  Signature *sig;
1791  const char *value1_str = "!4";
1792  const char *value2_str = ">8";
1793  const char *value3_str = "!10";
1794  const char *value4_str = "!14";
1795  const char *value5_str = "!27";
1796  const char *value6_str = "!29";
1797  const char *value7_str = "!30";
1798  const char *value8_str = "!34";
1799  const char *value9_str = "<36";
1800  const char *value10_str = "!38";
1801  int value10 = 38;
1802 
1803  int i;
1804 
1805  if ((sig = SigAlloc()) == NULL)
1806  goto end;
1807 
      /* NOTE(review): the listing jumps from line 1807 to 1809; the source
       * line in between is not shown on this page. */
1809  sig->proto.flags |= DETECT_PROTO_ANY;
      /* Options are applied in the order 5, 8, 2, 10, 1, 6, 9, 4, 3, 7. */
1810  if (DetectIPProtoSetup(NULL, sig, value5_str) != 0)
1811  goto end;
1812  if (DetectIPProtoSetup(NULL, sig, value8_str) != 0)
1813  goto end;
1814  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1815  goto end;
1816  if (DetectIPProtoSetup(NULL, sig, value10_str) != 0)
1817  goto end;
1818  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1819  goto end;
1820  if (DetectIPProtoSetup(NULL, sig, value6_str) != 0)
1821  goto end;
1822  if (DetectIPProtoSetup(NULL, sig, value9_str) != 0)
1823  goto end;
1824  if (DetectIPProtoSetup(NULL, sig, value4_str) != 0)
1825  goto end;
1826  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1827  goto end;
1828  if (DetectIPProtoSetup(NULL, sig, value7_str) != 0)
1829  goto end;
      /* Expected bytes 0..4: 0x00, 0xBA, 0xFF, 0x97, 0x0B. They are consistent
       * with bit (n % 8) of byte (n / 8) standing for protocol n and the set
       * 9..35 minus 10, 14, 27, 29, 30 and 34. */
1830  if (sig->proto.proto[0] != 0) {
1831  goto end;
1832  }
1833  if (sig->proto.proto[1] != 0xBA) {
1834  goto end;
1835  }
1836  if (sig->proto.proto[2] != 0xFF) {
1837  goto end;
1838  }
1839  if (sig->proto.proto[3] != 0x97) {
1840  goto end;
1841  }
1842  if (sig->proto.proto[4] != 0x0B) {
1843  goto end;
1844  }
      /* Bytes 5..31 must be clear. */
1845  for (i = (value10 / 8) + 1; i < 256 / 8; i++) {
1846  if (sig->proto.proto[i] != 0)
1847  goto end;
1848  }
1849 
1850  result = 1;
1851 
1852  end:
      /* Also reached with sig == NULL when SigAlloc() fails; assumes SigFree()
       * accepts NULL - TODO confirm. */
1853  SigFree(NULL, sig);
1854  return result;
1855 }
1856 
/**
 * \test Run four ip_proto rules (negated, less-than, greater-than and
 *       equal) against one packet built with IPPROTO_TCP and compare the
 *       per-sid match counts with the expected ones.
 *
 * \retval 0 when the packet cannot be built, otherwise the value returned
 *         by UTHGenericTest()
 */
static int DetectIPProtoTestSig1(void)
{
    uint8_t *payload = (uint8_t *)"GET /one/ HTTP/1.1\r\n"
                                  "Host: one.example.org\r\n"
                                  "\r\n";
    uint16_t payload_len = strlen((char *)payload);

    Packet *p = UTHBuildPacket((uint8_t *)payload, payload_len, IPPROTO_TCP);
    if (p == NULL) {
        return 0;
    }

    /* One rule per operator form of the keyword. */
    const char *sigs[4] = {
        "alert ip any any -> any any "
        "(msg:\"Not tcp\"; ip_proto:!tcp; content:\"GET \"; sid:1;)",
        "alert ip any any -> any any "
        "(msg:\"Less than 7\"; content:\"GET \"; ip_proto:<7; sid:2;)",
        "alert ip any any -> any any "
        "(msg:\"Greater than 5\"; content:\"GET \"; ip_proto:>5; sid:3;)",
        "alert ip any any -> any any "
        "(msg:\"Equals tcp\"; content:\"GET \"; ip_proto:tcp; sid:4;)",
    };

    /* sids to look for, and how often each one should match this packet:
     * only the negated rule (sid 1) is expected to stay silent */
    uint32_t sid[4] = { 1, 2, 3, 4 };
    uint32_t results[4] = { 0, 1, 1, 1 };

    /* UTHGenericTest takes an array of packet pointers and a two-dimensional
     * results table, results[packet][position] being the number of matches
     * of sid[position] on that packet. With a single packet the table
     * collapses to the one-dimensional array passed here. */
    int result = UTHGenericTest(&p, 1, sigs, sid, results, 4);

    UTHFreePacket(p);
    return result;
}
1896 
/**
 * \test Decode a raw Ethernet frame and check that a rule carrying
 *       ip_proto:!103 does not alert on it; the frame's IPv4 protocol
 *       field is 0x67 (103).
 *
 * NOTE(review): this listing skips several source lines inside the function
 * (the gutter numbers jump, e.g. 1912 -> 1914, 1925 -> 1927, 1967 -> 1970),
 * so the declarations of p, dtv and de_ctx and some of the calls are not
 * visible on this page.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1897 static int DetectIPProtoTestSig2(void)
1898 {
1899  int result = 0;
1900 
      /* Ethernet II frame: EtherType 0x0800 at offsets 12..13, IPv4 header
       * from offset 14 (0x45), protocol field at offset 23 == 0x67. */
1901  uint8_t raw_eth[] = {
1902  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1903  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1904  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1905  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1906  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1907  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1908  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
1909  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
1910  0x4a, 0xea, 0x7a, 0x8e,
1911  };
1912 
1914  if (unlikely(p == NULL))
1915  return 0;
1916  memset(p, 0, SIZE_OF_PACKET);
1917 
1919  ThreadVars th_v;
1920  DetectEngineThreadCtx *det_ctx = NULL;
1921 
1922  p->proto = 0;
1923  memset(&dtv, 0, sizeof(DecodeThreadVars));
1924  memset(&th_v, 0, sizeof(th_v));
1925 
      /* The return value of DecodeEthernet() is not checked here. */
1927  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
1928 
1930  if (de_ctx == NULL) {
1931  goto end;
1932  }
1933 
1935  de_ctx->flags |= DE_QUIET;
1936 
1938  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
1939  "ip_proto:!103; sid:1;)");
1940  if (de_ctx->sig_list == NULL) {
1941  result = 0;
1942  goto end;
1943  }
1944 
1946  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1947 
1948  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
      /* Pass when sid 1 did NOT alert. The passing case leaves through the
       * 'end' label, the failing case falls through to the cleanup below;
       * both paths release the same resources. */
1949  if (PacketAlertCheck(p, 1) == 0) {
1950  result = 1;
1951  goto end;
1952  } else {
1953  result = 0;
1954  }
1955 
1958 
1959  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1961  FlowShutdown();
1962 
1963  SCFree(p);
1964  return result;
1965 
1966 end:
1967  if (de_ctx) {
1970  }
1971 
      /* det_ctx is still NULL when the jump happened before
       * DetectEngineThreadCtxInit(), hence the guard. */
1972  if (det_ctx)
1973  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1974  if (de_ctx)
1976 
1977  FlowShutdown();
1978  SCFree(p);
1979 
1980  return result;
1981 }
1982 
/**
 * \test Decode a raw Ethernet frame and check that a rule carrying
 *       ip_proto:103 alerts on it; the frame's IPv4 protocol field is
 *       0x67 (103).
 *
 * NOTE(review): this listing skips several source lines inside the function
 * (the gutter numbers jump, e.g. 2002 -> 2004, 2010 -> 2012, 2052 -> 2055),
 * so the declarations of dtv and de_ctx and some of the calls are not
 * visible on this page.
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
1983 static int DetectIPProtoTestSig3(void)
1984 {
1985  int result = 0;
1986 
      /* Ethernet II frame: EtherType 0x0800 at offsets 12..13, IPv4 header
       * from offset 14 (0x45), protocol field at offset 23 == 0x67. */
1987  uint8_t raw_eth[] = {
1988  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1989  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1990  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1991  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1992  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1993  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1994  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
1995  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
1996  0x4a, 0xea, 0x7a, 0x8e,
1997  };
1998 
      /* The packet is built as TCP with a dummy payload; p->proto is reset
       * below and raw_eth is then decoded into the same packet. */
1999  Packet *p = UTHBuildPacket((uint8_t *)"boom", 4, IPPROTO_TCP);
2000  if (p == NULL)
2001  return 0;
2002 
2004  ThreadVars th_v;
2005  DetectEngineThreadCtx *det_ctx = NULL;
2006 
2007  p->proto = 0;
2008  memset(&dtv, 0, sizeof(DecodeThreadVars));
2009  memset(&th_v, 0, sizeof(th_v));
2010 
      /* The return value of DecodeEthernet() is not checked here. */
2012  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
2013 
2015  if (de_ctx == NULL) {
2016  goto end;
2017  }
2018 
2020  de_ctx->flags |= DE_QUIET;
2021 
2023  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
2024  "ip_proto:103; sid:1;)");
2025  if (de_ctx->sig_list == NULL) {
2026  result = 0;
2027  goto end;
2028  }
2029 
2031  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2032 
2033  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
      /* Pass when sid 1 alerted. The failing case leaves through the 'end'
       * label, the passing case falls through to the cleanup below. */
2034  if (!PacketAlertCheck(p, 1)) {
2035  result = 0;
2036  goto end;
2037  } else {
2038  result = 1;
2039  }
2040 
2043 
2044  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2046  FlowShutdown();
2047 
      /* NOTE(review): p comes from UTHBuildPacket() but is released with
       * SCFree() here and at 'end', whereas DetectIPProtoTestSig1 uses
       * UTHFreePacket() - confirm that SCFree() alone releases everything
       * the helper allocated. */
2048  SCFree(p);
2049  return result;
2050 
2051 end:
2052  if (de_ctx) {
2055  }
2056 
      /* det_ctx is still NULL when the jump happened before
       * DetectEngineThreadCtxInit(), hence the guard. */
2057  if (det_ctx)
2058  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2059  if (de_ctx)
2061 
2062  FlowShutdown();
2063  SCFree(p);
2064 
2065  return result;
2066 }
2067 
2068 #endif /* UNITTESTS */
2069 
2070 /**
2071  * \internal
2072  * \brief Register ip_proto tests.
2073  */
static void DetectIPProtoRegisterTests(void)
{
#ifdef UNITTESTS
    /* Name/function pairs, listed in the order they are registered. */
    static const struct {
        const char *name;
        int (*fn)(void);
    } ipproto_tests[] = {
        { "DetectIPProtoTestParse01", DetectIPProtoTestParse01 },
        { "DetectIPProtoTestParse02", DetectIPProtoTestParse02 },
        { "DetectIPProtoTestSetup01", DetectIPProtoTestSetup01 },
        { "DetectIPProtoTestSetup02", DetectIPProtoTestSetup02 },
        { "DetectIPProtoTestSetup03", DetectIPProtoTestSetup03 },
        { "DetectIPProtoTestSetup04", DetectIPProtoTestSetup04 },
        { "DetectIPProtoTestSetup05", DetectIPProtoTestSetup05 },
        { "DetectIPProtoTestSetup06", DetectIPProtoTestSetup06 },
        { "DetectIPProtoTestSetup07", DetectIPProtoTestSetup07 },
        { "DetectIPProtoTestSetup08", DetectIPProtoTestSetup08 },
        { "DetectIPProtoTestSetup09", DetectIPProtoTestSetup09 },
        { "DetectIPProtoTestSetup10", DetectIPProtoTestSetup10 },
        { "DetectIPProtoTestSetup11", DetectIPProtoTestSetup11 },
        { "DetectIPProtoTestSetup12", DetectIPProtoTestSetup12 },
        { "DetectIPProtoTestSetup13", DetectIPProtoTestSetup13 },
        { "DetectIPProtoTestSetup14", DetectIPProtoTestSetup14 },
        { "DetectIPProtoTestSetup15", DetectIPProtoTestSetup15 },
        { "DetectIPProtoTestSetup16", DetectIPProtoTestSetup16 },
        { "DetectIPProtoTestSetup17", DetectIPProtoTestSetup17 },
        { "DetectIPProtoTestSetup18", DetectIPProtoTestSetup18 },
        { "DetectIPProtoTestSetup19", DetectIPProtoTestSetup19 },
        { "DetectIPProtoTestSetup20", DetectIPProtoTestSetup20 },
        { "DetectIPProtoTestSetup21", DetectIPProtoTestSetup21 },
        { "DetectIPProtoTestSetup22", DetectIPProtoTestSetup22 },
        { "DetectIPProtoTestSetup23", DetectIPProtoTestSetup23 },
        { "DetectIPProtoTestSetup24", DetectIPProtoTestSetup24 },
        { "DetectIPProtoTestSetup33", DetectIPProtoTestSetup33 },
        { "DetectIPProtoTestSetup34", DetectIPProtoTestSetup34 },
        { "DetectIPProtoTestSetup36", DetectIPProtoTestSetup36 },
        { "DetectIPProtoTestSetup43", DetectIPProtoTestSetup43 },
        { "DetectIPProtoTestSetup44", DetectIPProtoTestSetup44 },
        { "DetectIPProtoTestSetup45", DetectIPProtoTestSetup45 },
        { "DetectIPProtoTestSetup56", DetectIPProtoTestSetup56 },
        { "DetectIPProtoTestSetup75", DetectIPProtoTestSetup75 },
        { "DetectIPProtoTestSetup76", DetectIPProtoTestSetup76 },
        { "DetectIPProtoTestSetup129", DetectIPProtoTestSetup129 },
        { "DetectIPProtoTestSetup130", DetectIPProtoTestSetup130 },
        { "DetectIPProtoTestSetup131", DetectIPProtoTestSetup131 },
        { "DetectIPProtoTestSetup132", DetectIPProtoTestSetup132 },
        { "DetectIPProtoTestSetup145", DetectIPProtoTestSetup145 },
        /* end-to-end signature tests */
        { "DetectIPProtoTestSig1", DetectIPProtoTestSig1 },
        { "DetectIPProtoTestSig2", DetectIPProtoTestSig2 },
        { "DetectIPProtoTestSig3", DetectIPProtoTestSig3 },
    };

    for (size_t t = 0; t < sizeof(ipproto_tests) / sizeof(ipproto_tests[0]); t++) {
        UtRegisterTest(ipproto_tests[t].name, ipproto_tests[t].fn);
    }
#endif /* UNITTESTS */
}
DetectIPProtoRemoveAllSMs
void DetectIPProtoRemoveAllSMs(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-ipproto.c:426
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1204
Packet_::proto
uint8_t proto
Definition: decode.h:433
detect-engine.h
SigMatchRemoveSMFromList
void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list)
Definition: detect-parse.c:387
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:250
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1192
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:34
detect-engine-siggroup.h
SigTableElmt_::name
const char * name
Definition: detect.h:1201
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1377
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1382
DetectIPProtoRegister
void DetectIPProtoRegister(void)
Registration function for ip_proto keyword.
Definition: detect-ipproto.c:57
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2023
results
struct DetectRfbSecresult_ results[]
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1195
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
DETECT_PROTO_ANY
#define DETECT_PROTO_ANY
Definition: detect-engine-proto.h:27
FlowInitConfig
void FlowInitConfig(char quiet)
initialize the configuration
Definition: flow.c:530
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2030
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:336
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:486
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:810
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1004
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2446
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:322
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:621
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:37
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1665
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
Signature_::flags
uint32_t flags
Definition: detect.h:523
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2378
Packet_
Definition: decode.h:411
detect-ipproto.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:591
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1171
DETECT_IPPROTO_OP_GT
#define DETECT_IPPROTO_OP_GT
Definition: detect-ipproto.h:31
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:516
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
Definition: detect.h:260
DETECT_IPPROTO_OP_EQ
#define DETECT_IPPROTO_OP_EQ
Definition: detect-ipproto.h:28
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:319
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:38
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:33
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2734
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
Signature_::proto
DetectProto proto
Definition: detect.h:539
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2942
DETECT_IPPROTO_OP_LT
#define DETECT_IPPROTO_OP_LT
Definition: detect-ipproto.h:30
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:685
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:767
DetectIPProtoData_::op
uint8_t op
Definition: detect-ipproto.h:35
UTHGenericTest
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perfom a generic check taking care of as maximum common unittest elemen...
Definition: util-unittest-helper.c:603
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:625
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:484
mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.c:49
detect-parse.h
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
StringParseUint8
int StringParseUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:344
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1985
DetectIPProtoData_
Definition: detect-ipproto.h:34
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:38
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our options.
Definition: detect-ipproto.c:49
DETECT_IPPROTO_OP_NOT
#define DETECT_IPPROTO_OP_NOT
Definition: detect-ipproto.h:29
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1254
DETECT_IPPROTO
@ DETECT_IPPROTO
Definition: detect-engine-register.h:76
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:41
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
detect-engine-address.h
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
DetectIPProtoData_::proto
uint8_t proto
Definition: detect-ipproto.h:36
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223