suricata
detect-ipproto.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  *
23  * Implements the ip_proto keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "detect-ipproto.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-build.h"
36 
37 #include "detect-engine-siggroup.h"
38 #include "detect-engine-address.h"
39 
40 #include "util-byte.h"
41 #include "util-proto-name.h"
42 #include "util-unittest.h"
43 #include "util-unittest-helper.h"
44 
45 #include "util-debug.h"
46 
47 /**
48  * \brief Regex for parsing our options
49  */
50 #define PARSE_REGEX "^([!<>]?)\\s*([^\\s]+)$"
51 
52 static DetectParseRegex parse_regex;
53 
54 static int DetectIPProtoSetup(DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectIPProtoRegisterTests(void);
57 #endif
58 static void DetectIPProtoFree(DetectEngineCtx *, void *);
59 
60 void DetectIPProtoRegister(void)
61 {
62  sigmatch_table[DETECT_IPPROTO].name = "ip_proto";
63  sigmatch_table[DETECT_IPPROTO].desc = "match on the IP protocol in the packet-header";
64  sigmatch_table[DETECT_IPPROTO].url = "/rules/header-keywords.html#ip-proto";
65  sigmatch_table[DETECT_IPPROTO].Match = NULL;
66  sigmatch_table[DETECT_IPPROTO].Setup = DetectIPProtoSetup;
67  sigmatch_table[DETECT_IPPROTO].Free = DetectIPProtoFree;
68 #ifdef UNITTESTS
69  sigmatch_table[DETECT_IPPROTO].RegisterTests = DetectIPProtoRegisterTests;
70 #endif
71  sigmatch_table[DETECT_IPPROTO].flags = SIGMATCH_QUOTES_OPTIONAL;
72 
73  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
74 }
75 
76 /**
77  * \internal
78  * \brief Parse ip_proto options string.
79  *
80  * \param optstr Options string to parse
81  *
82  * \return New ip_proto data structure
83  */
84 static DetectIPProtoData *DetectIPProtoParse(const char *optstr)
85 {
86  DetectIPProtoData *data = NULL;
87  char *args[2] = { NULL, NULL };
88  int res = 0;
89  size_t pcre2_len;
90  int i;
91  const char *str_ptr;
92 
93  /* Execute the regex and populate args with captures. */
94  pcre2_match_data *match = NULL;
95  int ret = DetectParsePcreExec(&parse_regex, &match, optstr, 0, 0);
96  if (ret != 3) {
97  SCLogError("pcre_exec parse error, ret"
98  "%" PRId32 ", string %s",
99  ret, optstr);
100  goto error;
101  }
102 
103  for (i = 0; i < (ret - 1); i++) {
104  res = pcre2_substring_get_bynumber(match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
105  if (res < 0) {
106  SCLogError("pcre2_substring_get_bynumber failed");
107  goto error;
108  }
109  args[i] = (char *)str_ptr;
110  }
111 
112  /* Initialize the data */
113  data = SCMalloc(sizeof(DetectIPProtoData));
114  if (unlikely(data == NULL))
115  goto error;
116  data->op = DETECT_IPPROTO_OP_EQ;
117  data->proto = 0;
118 
119  /* Operator */
120  if (*(args[0]) != '\0') {
121  data->op = *(args[0]);
122  }
123 
124  /* Protocol name/number */
125  if (!isdigit((unsigned char)*(args[1]))) {
126  uint8_t proto;
127  if (!SCGetProtoByName(args[1], &proto)) {
128  SCLogError("Unknown protocol name: \"%s\"", str_ptr);
129  goto error;
130  }
131  data->proto = proto;
132  }
133  else {
134  if (StringParseUint8(&data->proto, 10, 0, args[1]) <= 0) {
135  SCLogError("Malformed protocol number: %s", str_ptr);
136  goto error;
137  }
138  }
139 
140  for (i = 0; i < (ret - 1); i++){
141  if (args[i] != NULL)
142  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
143  }
144 
145  pcre2_match_data_free(match);
146  return data;
147 
148 error:
149  if (match) {
150  pcre2_match_data_free(match);
151  }
152  for (i = 0; i < (ret - 1) && i < 2; i++){
153  if (args[i] != NULL)
154  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
155  }
156  if (data != NULL)
157  SCFree(data);
158 
159  return NULL;
160 }
161 
162 static int DetectIPProtoTypePresentForOP(Signature *s, uint8_t op)
163 {
164  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
165  DetectIPProtoData *data;
166 
167  while (sm != NULL) {
168  if (sm->type == DETECT_IPPROTO) {
169  data = (DetectIPProtoData *)sm->ctx;
170  if (data->op == op)
171  return 1;
172  }
173  sm = sm->next;
174  }
175 
176  return 0;
177 }
178 
179 /**
180  * \internal
181  * \brief Setup ip_proto keyword.
182  *
183  * \param de_ctx Detection engine context
184  * \param s Signature
185  * \param optstr Options string
186  *
187  * \return Non-zero on error
188  */
189 static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
190 {
191  SigMatch *sm = NULL;
192  int i;
193 
194  DetectIPProtoData *data = DetectIPProtoParse(optstr);
195  if (data == NULL) {
196  return -1;
197  }
198 
199  /* Reset our "any" (or "ip") state: for ipv4, ipv6 and ip cases, the bitfield
200  * s->proto.proto have all bit set to 1 to be able to match any protocols. ipproto
201  * will refined the protocol list and thus it needs to reset the bitfield to zero
202  * before setting the value specified by the ip_proto keyword.
203  */
204  if (s->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) {
205  s->proto.flags &= ~DETECT_PROTO_ANY;
206  memset(s->proto.proto, 0x00, sizeof(s->proto.proto));
207  s->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
208  } else {
209  /* The ipproto engine has a relationship with the protocol that is
210  * set after the action and also the app protocol(that can also be
211  * set through the app-layer-protocol.
212  * An ip_proto keyword can be used only with alert ip, which if
213  * not true we error out on the sig. And hence the init_flag to
214  * indicate this. */
215  if (!(s->init_data->init_flags & SIG_FLAG_INIT_FIRST_IPPROTO_SEEN)) {
216  SCLogError("Signature can use "
217  "ip_proto keyword only when we use alert ip, "
218  "in which case the _ANY flag is set on the sig "
219  "and the if condition should match.");
220  goto error;
221  }
222  }
223 
224  int eq_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_EQ);
225  int gt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_GT);
226  int lt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_LT);
227  int not_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_NOT);
228 
229  switch (data->op) {
230  case DETECT_IPPROTO_OP_EQ:
231  if (eq_set || gt_set || lt_set || not_set) {
232  SCLogError("can't use a eq "
233  "ipproto without any operators attached to "
234  "them in the same sig");
235  goto error;
236  }
237  s->proto.proto[data->proto / 8] |= 1 << (data->proto % 8);
238  break;
239 
240  case DETECT_IPPROTO_OP_GT:
241  if (eq_set || gt_set) {
242  SCLogError("can't use a eq or gt "
243  "ipproto along with a greater than ipproto in the "
244  "same sig ");
245  goto error;
246  }
247  if (!lt_set && !not_set) {
248  s->proto.proto[data->proto / 8] = (uint8_t)(0xfe << (data->proto % 8));
249  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
250  s->proto.proto[i] = 0xff;
251  }
252  } else if (lt_set && !not_set) {
253  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
254  while (temp_sm != NULL) {
255  if (temp_sm->type == DETECT_IPPROTO) {
256  break;
257  }
258  temp_sm = temp_sm->next;
259  }
260  if (temp_sm != NULL) {
261  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
262  if (data_temp->proto <= data->proto) {
263  SCLogError("can't have "
264  "both gt and lt ipprotos, with the lt being "
265  "lower than gt value");
266  goto error;
267  } else {
268  for (i = 0; i < (data->proto / 8); i++) {
269  s->proto.proto[i] = 0;
270  }
271  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
272  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
273  s->proto.proto[i] &= 0xff;
274  }
275  }
276  }
277  } else if (!lt_set && not_set) {
278  for (i = 0; i < (data->proto / 8); i++) {
279  s->proto.proto[i] = 0;
280  }
281  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
282  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
283  s->proto.proto[i] &= 0xff;
284  }
285  } else {
286  DetectIPProtoData *data_temp;
287  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
288  while (temp_sm != NULL) {
289  if (temp_sm->type == DETECT_IPPROTO &&
290  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_LT) {
291  break;
292  }
293  temp_sm = temp_sm->next;
294  }
295  if (temp_sm != NULL) {
296  data_temp = (DetectIPProtoData *)temp_sm->ctx;
297  if (data_temp->proto <= data->proto) {
298  SCLogError("can't have "
299  "both gt and lt ipprotos, with the lt being "
300  "lower than gt value");
301  goto error;
302  } else {
303  for (i = 0; i < (data->proto / 8); i++) {
304  s->proto.proto[i] = 0;
305  }
306  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
307  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
308  s->proto.proto[i] &= 0xff;
309  }
310  }
311  }
312  }
313  break;
314 
315  case DETECT_IPPROTO_OP_LT:
316  if (eq_set || lt_set) {
317  SCLogError("can't use a eq or lt "
318  "ipproto along with a less than ipproto in the "
319  "same sig ");
320  goto error;
321  }
322  if (!gt_set && !not_set) {
323  for (i = 0; i < (data->proto / 8); i++) {
324  s->proto.proto[i] = 0xff;
325  }
326  s->proto.proto[data->proto / 8] = (uint8_t)(~(0xff << (data->proto % 8)));
327  } else if (gt_set && !not_set) {
328  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
329  while (temp_sm != NULL) {
330  if (temp_sm->type == DETECT_IPPROTO) {
331  break;
332  }
333  temp_sm = temp_sm->next;
334  }
335  if (temp_sm != NULL) {
336  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
337  if (data_temp->proto >= data->proto) {
338  SCLogError("can't use a have "
339  "both gt and lt ipprotos, with the lt being "
340  "lower than gt value");
341  goto error;
342  } else {
343  for (i = 0; i < (data->proto / 8); i++) {
344  s->proto.proto[i] &= 0xff;
345  }
346  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
347  for (i = (data->proto / 8) + 1; i < 256 / 8; i++) {
348  s->proto.proto[i] = 0;
349  }
350  }
351  }
352  } else if (!gt_set && not_set) {
353  for (i = 0; i < (data->proto / 8); i++) {
354  s->proto.proto[i] &= 0xFF;
355  }
356  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
357  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
358  s->proto.proto[i] = 0;
359  }
360  } else {
361  DetectIPProtoData *data_temp;
362  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
363  while (temp_sm != NULL) {
364  if (temp_sm->type == DETECT_IPPROTO &&
365  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_GT) {
366  break;
367  }
368  temp_sm = temp_sm->next;
369  }
370  if (temp_sm != NULL) {
371  data_temp = (DetectIPProtoData *)temp_sm->ctx;
372  if (data_temp->proto >= data->proto) {
373  SCLogError("can't have "
374  "both gt and lt ipprotos, with the lt being "
375  "lower than gt value");
376  goto error;
377  } else {
378  for (i = 0; i < (data->proto / 8); i++) {
379  s->proto.proto[i] &= 0xFF;
380  }
381  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
382  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
383  s->proto.proto[i] = 0;
384  }
385  }
386  }
387  }
388  break;
389 
390  case DETECT_IPPROTO_OP_NOT:
391  if (eq_set) {
392  SCLogError("can't use a eq "
393  "ipproto along with a not ipproto in the "
394  "same sig ");
395  goto error;
396  }
397  if (!gt_set && !lt_set && !not_set) {
398  for (i = 0; i < (data->proto / 8); i++) {
399  s->proto.proto[i] = 0xff;
400  }
401  s->proto.proto[data->proto / 8] = (uint8_t)(~(1 << (data->proto % 8)));
402  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
403  s->proto.proto[i] = 0xff;
404  }
405  } else {
406  for (i = 0; i < (data->proto / 8); i++) {
407  s->proto.proto[i] &= 0xff;
408  }
409  s->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8));
410  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
411  s->proto.proto[i] &= 0xff;
412  }
413  }
414  break;
415  }
416 
417  sm = SigMatchAlloc();
418  if (sm == NULL)
419  goto error;
420  sm->type = DETECT_IPPROTO;
421  sm->ctx = (void *)data;
422  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
423  s->flags |= SIG_FLAG_REQUIRE_PACKET;
424 
425  return 0;
426 
427  error:
428 
429  DetectIPProtoFree(de_ctx, data);
430  return -1;
431 }
432 
433 
434 void DetectIPProtoRemoveAllSMs(DetectEngineCtx *de_ctx, Signature *s)
435 {
436  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
437 
438  while (sm != NULL) {
439  if (sm->type != DETECT_IPPROTO) {
440  sm = sm->next;
441  continue;
442  }
443  SigMatch *tmp_sm = sm->next;
444  SigMatchRemoveSMFromList(s, sm, DETECT_SM_LIST_MATCH);
445  SigMatchFree(de_ctx, sm);
446  sm = tmp_sm;
447  }
448 
449  return;
450 }
451 
452 static void DetectIPProtoFree(DetectEngineCtx *de_ctx, void *ptr)
453 {
454  DetectIPProtoData *data = (DetectIPProtoData *)ptr;
455  if (data) {
456  SCFree(data);
457  }
458 }
459 
460 /* UNITTESTS */
461 #ifdef UNITTESTS
462 #include "detect-engine-alert.h"
463 
464 /**
465  * \test DetectIPProtoTestParse01 is a test for an invalid proto number
466  */
467 static int DetectIPProtoTestParse01(void)
468 {
469  DetectIPProtoData *data = DetectIPProtoParse("999");
470  FAIL_IF_NOT(data == NULL);
471  PASS;
472 }
473 
474 /**
475  * \test DetectIPProtoTestParse02 is a test for an invalid proto name
476  */
477 static int DetectIPProtoTestParse02(void)
478 {
479  DetectIPProtoData *data = DetectIPProtoParse("foobarbooeek");
480  FAIL_IF_NOT(data == NULL);
481  PASS;
482 }
483 
484 /**
485  * \test DetectIPProtoTestSetup01 is a test for a protocol number
486  */
487 static int DetectIPProtoTestSetup01(void)
488 {
489  const char *value_str = "14";
490  int value;
491  FAIL_IF(StringParseInt32(&value, 10, 0, (const char *)value_str) < 0);
492  int i;
493 
494  Signature *sig = SigAlloc();
495  FAIL_IF_NULL(sig);
496 
497  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
498  sig->proto.flags |= DETECT_PROTO_ANY;
499  DetectIPProtoSetup(NULL, sig, value_str);
500  for (i = 0; i < (value / 8); i++) {
501  FAIL_IF(sig->proto.proto[i] != 0);
502  }
503  FAIL_IF(sig->proto.proto[value / 8] != 0x40);
504  for (i = (value / 8) + 1; i < (256 / 8); i++) {
505  FAIL_IF(sig->proto.proto[i] != 0);
506  }
507  SigFree(NULL, sig);
508  PASS;
509 }
510 
511 /**
512  * \test DetectIPProtoTestSetup02 is a test for a protocol name
513  */
514 static int DetectIPProtoTestSetup02(void)
515 {
516  int result = 0;
517  Signature *sig = NULL;
518  const char *value_str = "tcp";
519  struct protoent *pent = getprotobyname(value_str);
520  if (pent == NULL) {
521  goto end;
522  }
523  uint8_t value = (uint8_t)pent->p_proto;
524  int i;
525 
526  if ((sig = SigAlloc()) == NULL)
527  goto end;
528 
529  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
530  sig->proto.flags |= DETECT_PROTO_ANY;
531  DetectIPProtoSetup(NULL, sig, value_str);
532  for (i = 0; i < (value / 8); i++) {
533  if (sig->proto.proto[i] != 0)
534  goto end;
535  }
536  if (sig->proto.proto[value / 8] != 0x40) {
537  goto end;
538  }
539  for (i = (value / 8) + 1; i < (256 / 8); i++) {
540  if (sig->proto.proto[i] != 0)
541  goto end;
542  }
543 
544  result = 1;
545 
546  end:
547  if (sig != NULL)
548  SigFree(NULL, sig);
549  return result;
550 }
551 
552 /**
553  * \test DetectIPProtoTestSetup03 is a test for a < operator
554  */
555 static int DetectIPProtoTestSetup03(void)
556 {
557  int result = 0;
558  Signature *sig;
559  const char *value_str = "<14";
560  int value = 14;
561  int i;
562 
563  if ((sig = SigAlloc()) == NULL)
564  goto end;
565 
566  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
567  sig->proto.flags |= DETECT_PROTO_ANY;
568  DetectIPProtoSetup(NULL, sig, value_str);
569  for (i = 0; i < (value / 8); i++) {
570  if (sig->proto.proto[i] != 0xFF)
571  goto end;
572  }
573  if (sig->proto.proto[value / 8] != 0x3F) {
574  goto end;
575  }
576  for (i = (value / 8) + 1; i < (256 / 8); i++) {
577  if (sig->proto.proto[i] != 0)
578  goto end;
579  }
580 
581  result = 1;
582 
583  end:
584  SigFree(NULL, sig);
585  return result;
586 }
587 
588 /**
589  * \test DetectIPProtoTestSetup04 is a test for a > operator
590  */
591 static int DetectIPProtoTestSetup04(void)
592 {
593  int result = 0;
594  Signature *sig;
595  const char *value_str = ">14";
596  int value = 14;
597  int i;
598 
599  if ((sig = SigAlloc()) == NULL)
600  goto end;
601 
602  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
603  sig->proto.flags |= DETECT_PROTO_ANY;
604  DetectIPProtoSetup(NULL, sig, value_str);
605  for (i = 0; i < (value / 8); i++) {
606  if (sig->proto.proto[i] != 0)
607  goto end;
608  }
609  if (sig->proto.proto[value / 8] != 0x80) {
610  goto end;
611  }
612  for (i = (value / 8) + 1; i < (256 / 8); i++) {
613  if (sig->proto.proto[i] != 0xFF)
614  goto end;
615  }
616 
617  result = 1;
618 
619  end:
620  SigFree(NULL, sig);
621  return result;
622 }
623 
624 /**
625  * \test DetectIPProtoTestSetup05 is a test for a ! operator
626  */
627 static int DetectIPProtoTestSetup05(void)
628 {
629  int result = 0;
630  Signature *sig;
631  const char *value_str = "!14";
632  int value = 14;
633  int i;
634 
635  if ((sig = SigAlloc()) == NULL)
636  goto end;
637 
638  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
639  sig->proto.flags |= DETECT_PROTO_ANY;
640  DetectIPProtoSetup(NULL, sig, value_str);
641  for (i = 0; i < (value / 8); i++) {
642  if (sig->proto.proto[i] != 0xFF)
643  goto end;
644  }
645  if (sig->proto.proto[value / 8] != 0xBF) {
646  goto end;
647  }
648  for (i = (value / 8) + 1; i < (256 / 8); i++) {
649  if (sig->proto.proto[i] != 0xFF)
650  goto end;
651  }
652 
653  result = 1;
654 
655  end:
656  SigFree(NULL, sig);
657  return result;
658 }
659 
660 /**
661  * \test Negative test.
662  */
663 static int DetectIPProtoTestSetup06(void)
664 {
665  int result = 0;
666  Signature *sig;
667  const char *value1_str = "14";
668  const char *value2_str = "15";
669 
670  if ((sig = SigAlloc()) == NULL)
671  goto end;
672 
673  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
674  sig->proto.flags |= DETECT_PROTO_ANY;
675  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
676  goto end;
677  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
678  goto end;
679 
680  result = 1;
681 
682  end:
683  SigFree(NULL, sig);
684  return result;
685 }
686 
687 /**
688  * \test Negative test.
689  */
690 static int DetectIPProtoTestSetup07(void)
691 {
692  int result = 0;
693  Signature *sig;
694  const char *value1_str = "14";
695  const char *value2_str = "<15";
696 
697  if ((sig = SigAlloc()) == NULL)
698  goto end;
699 
700  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
701  sig->proto.flags |= DETECT_PROTO_ANY;
702  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
703  goto end;
704  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
705  goto end;
706 
707  result = 1;
708 
709  end:
710  SigFree(NULL, sig);
711  return result;
712 }
713 
714 /**
715  * \test Negative test.
716  */
717 static int DetectIPProtoTestSetup08(void)
718 {
719  int result = 0;
720  Signature *sig;
721  const char *value1_str = "14";
722  const char *value2_str = ">15";
723 
724  if ((sig = SigAlloc()) == NULL)
725  goto end;
726 
727  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
728  sig->proto.flags |= DETECT_PROTO_ANY;
729  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
730  goto end;
731  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
732  goto end;
733 
734  result = 1;
735 
736  end:
737  SigFree(NULL, sig);
738  return result;
739 }
740 
741 /**
742  * \test Negative test.
743  */
744 static int DetectIPProtoTestSetup09(void)
745 {
746  int result = 0;
747  Signature *sig;
748  const char *value1_str = "14";
749  const char *value2_str = "!15";
750 
751  if ((sig = SigAlloc()) == NULL)
752  goto end;
753 
754  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
755  sig->proto.flags |= DETECT_PROTO_ANY;
756  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
757  goto end;
758  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
759  goto end;
760 
761  result = 1;
762 
763  end:
764  SigFree(NULL, sig);
765  return result;
766 }
767 
768 /**
769  * \test Negative test.
770  */
771 static int DetectIPProtoTestSetup10(void)
772 {
773  int result = 0;
774  Signature *sig;
775  const char *value1_str = ">14";
776  const char *value2_str = "15";
777 
778  if ((sig = SigAlloc()) == NULL)
779  goto end;
780 
781  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
782  sig->proto.flags |= DETECT_PROTO_ANY;
783  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
784  goto end;
785  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
786  goto end;
787 
788  result = 1;
789 
790  end:
791  SigFree(NULL, sig);
792  return result;
793 }
794 
795 /**
796  * \test Negative test.
797  */
798 static int DetectIPProtoTestSetup11(void)
799 {
800  int result = 0;
801  Signature *sig;
802  const char *value1_str = "<14";
803  const char *value2_str = "15";
804 
805  if ((sig = SigAlloc()) == NULL)
806  goto end;
807 
808  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
809  sig->proto.flags |= DETECT_PROTO_ANY;
810  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
811  goto end;
812  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
813  goto end;
814 
815  result = 1;
816 
817  end:
818  SigFree(NULL, sig);
819  return result;
820 }
821 
822 /**
823  * \test Negative test.
824  */
825 static int DetectIPProtoTestSetup12(void)
826 {
827  int result = 0;
828  Signature *sig;
829  const char *value1_str = "!14";
830  const char *value2_str = "15";
831 
832  if ((sig = SigAlloc()) == NULL)
833  goto end;
834 
835  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
836  sig->proto.flags |= DETECT_PROTO_ANY;
837  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
838  goto end;
839  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
840  goto end;
841 
842  result = 1;
843 
844  end:
845  SigFree(NULL, sig);
846  return result;
847 }
848 
849 /**
850  * \test Negative test.
851  */
852 static int DetectIPProtoTestSetup13(void)
853 {
854  int result = 0;
855  Signature *sig;
856  const char *value1_str = ">14";
857  const char *value2_str = ">15";
858 
859  if ((sig = SigAlloc()) == NULL)
860  goto end;
861 
862  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
863  sig->proto.flags |= DETECT_PROTO_ANY;
864  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
865  goto end;
866  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
867  goto end;
868 
869  result = 1;
870 
871  end:
872  SigFree(NULL, sig);
873  return result;
874 }
875 
876 static int DetectIPProtoTestSetup14(void)
877 {
878  int result = 0;
879  Signature *sig;
880  const char *value1_str = "<14";
881  const char *value2_str = "<15";
882 
883  if ((sig = SigAlloc()) == NULL)
884  goto end;
885 
886  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
887  sig->proto.flags |= DETECT_PROTO_ANY;
888  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
889  goto end;
890  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
891  goto end;
892 
893  result = 1;
894 
895  end:
896  SigFree(NULL, sig);
897  return result;
898 }
899 
900 static int DetectIPProtoTestSetup15(void)
901 {
902  int result = 0;
903  Signature *sig;
904  const char *value1_str = "<14";
905  int value1 = 14;
906  const char *value2_str = ">34";
907  int i;
908 
909  if ((sig = SigAlloc()) == NULL)
910  goto end;
911 
912  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
913  sig->proto.flags |= DETECT_PROTO_ANY;
914  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
915  goto end;
916  for (i = 0; i < (value1 / 8); i++) {
917  if (sig->proto.proto[i] != 0xFF)
918  goto end;
919  }
920  if (sig->proto.proto[value1 / 8] != 0x3F) {
921  goto end;
922  }
923  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
924  if (sig->proto.proto[i] != 0)
925  goto end;
926  }
927  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
928  goto end;
929 
930  result = 1;
931 
932  end:
933  SigFree(NULL, sig);
934  return result;
935 
936 }
937 
938 static int DetectIPProtoTestSetup16(void)
939 {
940  int result = 0;
941  Signature *sig;
942  const char *value1_str = "<14";
943  const char *value2_str = ">34";
944  int value2 = 34;
945  int i;
946 
947  if ((sig = SigAlloc()) == NULL)
948  goto end;
949 
950  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
951  sig->proto.flags |= DETECT_PROTO_ANY;
952  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
953  goto end;
954  for (i = 0; i < (value2 / 8); i++) {
955  if (sig->proto.proto[i] != 0)
956  goto end;
957  }
958  if (sig->proto.proto[value2 / 8] != 0xF8) {
959  goto end;
960  }
961  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
962  if (sig->proto.proto[i] != 0xFF)
963  goto end;
964  }
965  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
966  goto end;
967 
968  result = 1;
969 
970  end:
971  SigFree(NULL, sig);
972  return result;
973 
974 }
975 
976 static int DetectIPProtoTestSetup17(void)
977 {
978  int result = 0;
979  Signature *sig;
980  const char *value1_str = "<11";
981  int value1 = 11;
982  const char *value2_str = ">13";
983  int i;
984 
985  if ((sig = SigAlloc()) == NULL)
986  goto end;
987 
988  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
989  sig->proto.flags |= DETECT_PROTO_ANY;
990  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
991  goto end;
992  for (i = 0; i < (value1 / 8); i++) {
993  if (sig->proto.proto[i] != 0xFF)
994  goto end;
995  }
996  if (sig->proto.proto[value1 / 8] != 0x07) {
997  goto end;
998  }
999  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1000  if (sig->proto.proto[i] != 0)
1001  goto end;
1002  }
1003  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1004  goto end;
1005 
1006  result = 1;
1007 
1008  end:
1009  SigFree(NULL, sig);
1010  return result;
1011 
1012 }
1013 
1014 static int DetectIPProtoTestSetup18(void)
1015 {
1016  int result = 0;
1017  Signature *sig;
1018  const char *value1_str = "<11";
1019  const char *value2_str = ">13";
1020  int value2 = 13;
1021  int i;
1022 
1023  if ((sig = SigAlloc()) == NULL)
1024  goto end;
1025 
1026  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1027  sig->proto.flags |= DETECT_PROTO_ANY;
1028  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1029  goto end;
1030  for (i = 0; i < (value2 / 8); i++) {
1031  if (sig->proto.proto[i] != 0)
1032  goto end;
1033  }
1034  if (sig->proto.proto[value2 / 8] != 0xC0) {
1035  goto end;
1036  }
1037  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1038  if (sig->proto.proto[i] != 0xFF)
1039  goto end;
1040  }
1041  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1042  goto end;
1043 
1044  result = 1;
1045 
1046  end:
1047  SigFree(NULL, sig);
1048  return result;
1049 
1050 }
1051 
1052 static int DetectIPProtoTestSetup19(void)
1053 {
1054  int result = 0;
1055  Signature *sig;
1056  const char *value1_str = "<11";
1057  int value1 = 11;
1058  const char *value2_str = "!13";
1059  const char *value3_str = ">36";
1060  int i;
1061 
1062  if ((sig = SigAlloc()) == NULL)
1063  goto end;
1064 
1065  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1066  sig->proto.flags |= DETECT_PROTO_ANY;
1067  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1068  goto end;
1069  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1070  goto end;
1071  for (i = 0; i < (value1 / 8); i++) {
1072  if (sig->proto.proto[i] != 0xFF)
1073  goto end;
1074  }
1075  if (sig->proto.proto[value1 / 8] != 0x07) {
1076  goto end;
1077  }
1078  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1079  if (sig->proto.proto[i] != 0)
1080  goto end;
1081  }
1082  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1083  goto end;
1084 
1085  result = 1;
1086 
1087  end:
1088  SigFree(NULL, sig);
1089  return result;
1090 }
1091 
1092 static int DetectIPProtoTestSetup20(void)
1093 {
1094  int result = 0;
1095  Signature *sig;
1096  const char *value1_str = "<11";
1097  int value1 = 11;
1098  const char *value3_str = ">36";
1099  int i;
1100 
1101  if ((sig = SigAlloc()) == NULL)
1102  goto end;
1103 
1104  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1105  sig->proto.flags |= DETECT_PROTO_ANY;
1106  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1107  goto end;
1108  for (i = 0; i < (value1 / 8); i++) {
1109  if (sig->proto.proto[i] != 0xFF)
1110  goto end;
1111  }
1112  if (sig->proto.proto[value1 / 8] != 0x07) {
1113  goto end;
1114  }
1115  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1116  if (sig->proto.proto[i] != 0)
1117  goto end;
1118  }
1119  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1120  goto end;
1121 
1122  result = 1;
1123 
1124  end:
1125  SigFree(NULL, sig);
1126  return result;
1127 }
1128 
1129 static int DetectIPProtoTestSetup21(void)
1130 {
1131  int result = 0;
1132  Signature *sig;
1133  const char *value1_str = "<11";
1134  int value1 = 11;
1135  const char *value2_str = "!13";
1136  const char *value3_str = ">36";
1137  int i;
1138 
1139  if ((sig = SigAlloc()) == NULL)
1140  goto end;
1141 
1142  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1143  sig->proto.flags |= DETECT_PROTO_ANY;
1144  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1145  goto end;
1146  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1147  goto end;
1148  for (i = 0; i < (value1 / 8); i++) {
1149  if (sig->proto.proto[i] != 0xFF)
1150  goto end;
1151  }
1152  if (sig->proto.proto[value1 / 8] != 0x07) {
1153  goto end;
1154  }
1155  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1156  if (sig->proto.proto[i] != 0)
1157  goto end;
1158  }
1159  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1160  goto end;
1161 
1162  result = 1;
1163 
1164  end:
1165  SigFree(NULL, sig);
1166  return result;
1167 }
1168 
1169 static int DetectIPProtoTestSetup22(void)
1170 {
1171  int result = 0;
1172  Signature *sig;
1173  const char *value1_str = "<11";
1174  const char *value2_str = "!13";
1175  const char *value3_str = ">36";
1176  int value3 = 36;
1177  int i;
1178 
1179  if ((sig = SigAlloc()) == NULL)
1180  goto end;
1181 
1182  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1183  sig->proto.flags |= DETECT_PROTO_ANY;
1184  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1185  goto end;
1186  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1187  goto end;
1188  for (i = 0; i < (value3 / 8); i++) {
1189  if (sig->proto.proto[i] != 0)
1190  goto end;
1191  }
1192  if (sig->proto.proto[value3 / 8] != 0xE0) {
1193  goto end;
1194  }
1195  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1196  if (sig->proto.proto[i] != 0xFF)
1197  goto end;
1198  }
1199  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1200  goto end;
1201 
1202  result = 1;
1203 
1204  end:
1205  SigFree(NULL, sig);
1206  return result;
1207 }
1208 
1209 static int DetectIPProtoTestSetup23(void)
1210 {
1211  int result = 0;
1212  Signature *sig;
1213  const char *value1_str = "<11";
1214  const char *value3_str = ">36";
1215  int value3 = 36;
1216  int i;
1217 
1218  if ((sig = SigAlloc()) == NULL)
1219  goto end;
1220 
1221  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1222  sig->proto.flags |= DETECT_PROTO_ANY;
1223  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1224  goto end;
1225  for (i = 0; i < (value3 / 8); i++) {
1226  if (sig->proto.proto[i] != 0)
1227  goto end;
1228  }
1229  if (sig->proto.proto[value3 / 8] != 0xE0) {
1230  goto end;
1231  }
1232  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1233  if (sig->proto.proto[i] != 0xFF)
1234  goto end;
1235  }
1236  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1237  goto end;
1238 
1239  result = 1;
1240 
1241  end:
1242  SigFree(NULL, sig);
1243  return result;
1244 }
1245 
1246 static int DetectIPProtoTestSetup24(void)
1247 {
1248  int result = 0;
1249  Signature *sig;
1250  const char *value1_str = "<11";
1251  const char *value2_str = "!13";
1252  const char *value3_str = ">36";
1253  int value3 = 36;
1254  int i;
1255 
1256  if ((sig = SigAlloc()) == NULL)
1257  goto end;
1258 
1259  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1260  sig->proto.flags |= DETECT_PROTO_ANY;
1261  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1262  goto end;
1263  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1264  goto end;
1265  for (i = 0; i < (value3 / 8); i++) {
1266  if (sig->proto.proto[i] != 0)
1267  goto end;
1268  }
1269  if (sig->proto.proto[value3 / 8] != 0xE0) {
1270  goto end;
1271  }
1272  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1273  if (sig->proto.proto[i] != 0xFF)
1274  goto end;
1275  }
1276  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1277  goto end;
1278 
1279  result = 1;
1280 
1281  end:
1282  SigFree(NULL, sig);
1283  return result;
1284 }
1285 
1286 static int DetectIPProtoTestSetup33(void)
1287 {
1288  int result = 0;
1289  Signature *sig;
1290  const char *value1_str = "<11";
1291  int value1 = 11;
1292  const char *value2_str = "!34";
1293  const char *value3_str = ">36";
1294  int i;
1295 
1296  if ((sig = SigAlloc()) == NULL)
1297  goto end;
1298 
1299  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1300  sig->proto.flags |= DETECT_PROTO_ANY;
1301  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1302  goto end;
1303  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1304  goto end;
1305  for (i = 0; i < (value1 / 8); i++) {
1306  if (sig->proto.proto[i] != 0xFF)
1307  goto end;
1308  }
1309  if (sig->proto.proto[value1 / 8] != 0x07) {
1310  goto end;
1311  }
1312  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1313  if (sig->proto.proto[i] != 0)
1314  goto end;
1315  }
1316  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1317  goto end;
1318 
1319  result = 1;
1320 
1321  end:
1322  SigFree(NULL, sig);
1323  return result;
1324 }
1325 
1326 static int DetectIPProtoTestSetup34(void)
1327 {
1328  int result = 0;
1329  Signature *sig;
1330  const char *value1_str = "<11";
1331  int value1 = 11;
1332  const char *value2_str = "!34";
1333  const char *value3_str = ">36";
1334  int value3 = 36;
1335  int i;
1336 
1337  if ((sig = SigAlloc()) == NULL)
1338  goto end;
1339 
1340  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1341  sig->proto.flags |= DETECT_PROTO_ANY;
1342  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1343  goto end;
1344  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1345  goto end;
1346  for (i = 0; i < (value1 / 8); i++) {
1347  if (sig->proto.proto[i] != 0)
1348  goto end;
1349  }
1350  if (sig->proto.proto[value3 / 8] != 0xE0) {
1351  goto end;
1352  }
1353  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1354  if (sig->proto.proto[i] != 0xFF)
1355  goto end;
1356  }
1357  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1358  goto end;
1359 
1360  result = 1;
1361 
1362  end:
1363  SigFree(NULL, sig);
1364  return result;
1365 }
1366 
1367 static int DetectIPProtoTestSetup36(void)
1368 {
1369  int result = 0;
1370  Signature *sig;
1371  const char *value1_str = "<11";
1372  const char *value2_str = "!34";
1373  const char *value3_str = ">36";
1374  int value3 = 36;
1375  int i;
1376 
1377  if ((sig = SigAlloc()) == NULL)
1378  goto end;
1379 
1380  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1381  sig->proto.flags |= DETECT_PROTO_ANY;
1382  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1383  goto end;
1384  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1385  goto end;
1386  for (i = 0; i < (value3 / 8); i++) {
1387  if (sig->proto.proto[i] != 0)
1388  goto end;
1389  }
1390  if (sig->proto.proto[value3 / 8] != 0xE0) {
1391  goto end;
1392  }
1393  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1394  if (sig->proto.proto[i] != 0xFF)
1395  goto end;
1396  }
1397  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1398  goto end;
1399 
1400  result = 1;
1401 
1402  end:
1403  SigFree(NULL, sig);
1404  return result;
1405 }
1406 
1407 static int DetectIPProtoTestSetup43(void)
1408 {
1409  int result = 0;
1410  Signature *sig;
1411  const char *value1_str = "!4";
1412  int value1 = 4;
1413  const char *value2_str = "<13";
1414  int value2 = 13;
1415  const char *value3_str = ">34";
1416  int i;
1417 
1418  if ((sig = SigAlloc()) == NULL)
1419  goto end;
1420 
1421  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1422  sig->proto.flags |= DETECT_PROTO_ANY;
1423  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1424  goto end;
1425  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1426  goto end;
1427  if (sig->proto.proto[value1 / 8] != 0xEF) {
1428  goto end;
1429  }
1430  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1431  if (sig->proto.proto[i] != 0xFF)
1432  goto end;
1433  }
1434  if (sig->proto.proto[value2 / 8] != 0x1F) {
1435  goto end;
1436  }
1437  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1438  if (sig->proto.proto[i] != 0)
1439  goto end;
1440  }
1441  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1442  goto end;
1443 
1444  result = 1;
1445 
1446  end:
1447  SigFree(NULL, sig);
1448  return result;
1449 }
1450 
1451 static int DetectIPProtoTestSetup44(void)
1452 {
1453  int result = 0;
1454  Signature *sig;
1455  const char *value1_str = "!4";
1456  const char *value2_str = "<13";
1457  const char *value3_str = ">34";
1458  int value3 = 34;
1459  int i;
1460 
1461  if ((sig = SigAlloc()) == NULL)
1462  goto end;
1463 
1464  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1465  sig->proto.flags |= DETECT_PROTO_ANY;
1466  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1467  goto end;
1468  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1469  goto end;
1470  for (i = 0; i < (value3 / 8); i++) {
1471  if (sig->proto.proto[i] != 0)
1472  goto end;
1473  }
1474  if (sig->proto.proto[value3 / 8] != 0xF8) {
1475  goto end;
1476  }
1477  for (i = (value3 / 8) + 1; i < 256 / 8; i++) {
1478  if (sig->proto.proto[i] != 0xFF)
1479  goto end;
1480  }
1481  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1482  goto end;
1483 
1484  result = 1;
1485 
1486  end:
1487  SigFree(NULL, sig);
1488  return result;
1489 }
1490 
1491 static int DetectIPProtoTestSetup45(void)
1492 {
1493  int result = 0;
1494  Signature *sig;
1495  const char *value1_str = "!4";
1496  int value1 = 4;
1497  const char *value2_str = "<13";
1498  int value2 = 13;
1499  const char *value3_str = ">34";
1500  int i;
1501 
1502  if ((sig = SigAlloc()) == NULL)
1503  goto end;
1504 
1505  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1506  sig->proto.flags |= DETECT_PROTO_ANY;
1507  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1508  goto end;
1509  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1510  goto end;
1511  if (sig->proto.proto[value1 / 8] != 0xEF) {
1512  goto end;
1513  }
1514  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1515  if (sig->proto.proto[i] != 0xFF)
1516  goto end;
1517  }
1518  if (sig->proto.proto[value2 / 8] != 0x1F) {
1519  goto end;
1520  }
1521  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1522  if (sig->proto.proto[i] != 0)
1523  goto end;
1524  }
1525  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1526  goto end;
1527 
1528  result = 1;
1529 
1530  end:
1531  SigFree(NULL, sig);
1532  return result;
1533 }
1534 
1535 static int DetectIPProtoTestSetup56(void)
1536 {
1537  int result = 0;
1538  Signature *sig;
1539  const char *value1_str = "<13";
1540  int value1 = 13;
1541  const char *value2_str = ">34";
1542  const char *value3_str = "!37";
1543  int i;
1544 
1545  if ((sig = SigAlloc()) == NULL)
1546  goto end;
1547 
1548  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1549  sig->proto.flags |= DETECT_PROTO_ANY;
1550  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1551  goto end;
1552  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1553  goto end;
1554  for (i = 0; i < (value1 / 8); i++) {
1555  if (sig->proto.proto[i] != 0xFF)
1556  goto end;
1557  }
1558  if (sig->proto.proto[value1 / 8] != 0x1F) {
1559  goto end;
1560  }
1561  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1562  if (sig->proto.proto[i] != 0)
1563  goto end;
1564  }
1565  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1566  goto end;
1567 
1568  result = 1;
1569 
1570  end:
1571  SigFree(NULL, sig);
1572  return result;
1573 }
1574 
1575 static int DetectIPProtoTestSetup75(void)
1576 {
1577  int result = 0;
1578  Signature *sig;
1579  const char *value1_str = "!8";
1580  const char *value2_str = ">10";
1581  int value2 = 10;
1582  int i;
1583 
1584  if ((sig = SigAlloc()) == NULL)
1585  goto end;
1586 
1587  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1588  sig->proto.flags |= DETECT_PROTO_ANY;
1589  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1590  goto end;
1591  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1592  goto end;
1593  for (i = 0; i < (value2 / 8); i++) {
1594  if (sig->proto.proto[i] != 0)
1595  goto end;
1596  }
1597  if (sig->proto.proto[value2 / 8] != 0xF8) {
1598  goto end;
1599  }
1600  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1601  if (sig->proto.proto[i] != 0xFF)
1602  goto end;
1603  }
1604 
1605  result = 1;
1606 
1607  end:
1608  SigFree(NULL, sig);
1609  return result;
1610 }
1611 
1612 static int DetectIPProtoTestSetup76(void)
1613 {
1614  int result = 0;
1615  Signature *sig;
1616  const char *value1_str = "!8";
1617  const char *value2_str = ">10";
1618  int value2 = 10;
1619  int i;
1620 
1621  if ((sig = SigAlloc()) == NULL)
1622  goto end;
1623 
1624  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1625  sig->proto.flags |= DETECT_PROTO_ANY;
1626  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1627  goto end;
1628  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1629  goto end;
1630  for (i = 0; i < (value2 / 8); i++) {
1631  if (sig->proto.proto[i] != 0)
1632  goto end;
1633  }
1634  if (sig->proto.proto[value2 / 8] != 0xF8) {
1635  goto end;
1636  }
1637  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1638  if (sig->proto.proto[i] != 0xFF)
1639  goto end;
1640  }
1641 
1642  result = 1;
1643 
1644  end:
1645  SigFree(NULL, sig);
1646  return result;
1647 }
1648 
1649 static int DetectIPProtoTestSetup129(void)
1650 {
1651  int result = 0;
1652  Signature *sig;
1653  const char *value1_str = "<10";
1654  int value1 = 10;
1655  const char *value2_str = ">10";
1656  int i;
1657 
1658  if ((sig = SigAlloc()) == NULL)
1659  goto end;
1660 
1661  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1662  sig->proto.flags |= DETECT_PROTO_ANY;
1663  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1664  goto end;
1665  for (i = 0; i < (value1 / 8); i++) {
1666  if (sig->proto.proto[i] != 0xFF)
1667  goto end;
1668  }
1669  if (sig->proto.proto[value1 / 8] != 0x03) {
1670  goto end;
1671  }
1672  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1673  if (sig->proto.proto[i] != 0)
1674  goto end;
1675  }
1676  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1677  goto end;
1678 
1679  result = 1;
1680 
1681  end:
1682  SigFree(NULL, sig);
1683  return result;
1684 }
1685 
1686 static int DetectIPProtoTestSetup130(void)
1687 {
1688  int result = 0;
1689  Signature *sig;
1690  const char *value1_str = "<10";
1691  const char *value2_str = ">10";
1692  int value2 = 10;
1693  int i;
1694 
1695  if ((sig = SigAlloc()) == NULL)
1696  goto end;
1697 
1698  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1699  sig->proto.flags |= DETECT_PROTO_ANY;
1700  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1701  goto end;
1702  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1703  goto end;
1704  for (i = 0; i < (value2 / 8); i++) {
1705  if (sig->proto.proto[i] != 0)
1706  goto end;
1707  }
1708  if (sig->proto.proto[value2 / 8] != 0xF8) {
1709  goto end;
1710  }
1711  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1712  if (sig->proto.proto[i] != 0xFF)
1713  goto end;
1714  }
1715 
1716  result = 1;
1717 
1718  end:
1719  SigFree(NULL, sig);
1720  return result;
1721 }
1722 
1723 static int DetectIPProtoTestSetup131(void)
1724 {
1725  int result = 0;
1726  Signature *sig;
1727  const char *value1_str = "<10";
1728  int value1 = 10;
1729  const char *value2_str = "!10";
1730  int i;
1731 
1732  if ((sig = SigAlloc()) == NULL)
1733  goto end;
1734 
1735  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1736  sig->proto.flags |= DETECT_PROTO_ANY;
1737  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1738  goto end;
1739  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1740  goto end;
1741  for (i = 0; i < (value1 / 8); i++) {
1742  if (sig->proto.proto[i] != 0xFF)
1743  goto end;
1744  }
1745  if (sig->proto.proto[value1 / 8] != 0x03) {
1746  goto end;
1747  }
1748  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1749  if (sig->proto.proto[i] != 0x0)
1750  goto end;
1751  }
1752 
1753  result = 1;
1754 
1755  end:
1756  SigFree(NULL, sig);
1757  return result;
1758 }
1759 
1760 static int DetectIPProtoTestSetup132(void)
1761 {
1762  int result = 0;
1763  Signature *sig;
1764  const char *value1_str = "<10";
1765  int value1 = 10;
1766  const char *value2_str = "!10";
1767  int i;
1768 
1769  if ((sig = SigAlloc()) == NULL)
1770  goto end;
1771 
1772  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1773  sig->proto.flags |= DETECT_PROTO_ANY;
1774  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1775  goto end;
1776  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1777  goto end;
1778  for (i = 0; i < (value1 / 8); i++) {
1779  if (sig->proto.proto[i] != 0xFF)
1780  goto end;
1781  }
1782  if (sig->proto.proto[value1 / 8] != 0x03) {
1783  goto end;
1784  }
1785  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1786  if (sig->proto.proto[i] != 0x0)
1787  goto end;
1788  }
1789 
1790  result = 1;
1791 
1792  end:
1793  SigFree(NULL, sig);
1794  return result;
1795 }
1796 
1797 static int DetectIPProtoTestSetup145(void)
1798 {
1799  int result = 0;
1800  Signature *sig;
1801  const char *value1_str = "!4";
1802  const char *value2_str = ">8";
1803  const char *value3_str = "!10";
1804  const char *value4_str = "!14";
1805  const char *value5_str = "!27";
1806  const char *value6_str = "!29";
1807  const char *value7_str = "!30";
1808  const char *value8_str = "!34";
1809  const char *value9_str = "<36";
1810  const char *value10_str = "!38";
1811  int value10 = 38;
1812 
1813  int i;
1814 
1815  if ((sig = SigAlloc()) == NULL)
1816  goto end;
1817 
1818  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1819  sig->proto.flags |= DETECT_PROTO_ANY;
1820  if (DetectIPProtoSetup(NULL, sig, value5_str) != 0)
1821  goto end;
1822  if (DetectIPProtoSetup(NULL, sig, value8_str) != 0)
1823  goto end;
1824  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1825  goto end;
1826  if (DetectIPProtoSetup(NULL, sig, value10_str) != 0)
1827  goto end;
1828  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1829  goto end;
1830  if (DetectIPProtoSetup(NULL, sig, value6_str) != 0)
1831  goto end;
1832  if (DetectIPProtoSetup(NULL, sig, value9_str) != 0)
1833  goto end;
1834  if (DetectIPProtoSetup(NULL, sig, value4_str) != 0)
1835  goto end;
1836  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1837  goto end;
1838  if (DetectIPProtoSetup(NULL, sig, value7_str) != 0)
1839  goto end;
1840  if (sig->proto.proto[0] != 0) {
1841  goto end;
1842  }
1843  if (sig->proto.proto[1] != 0xBA) {
1844  goto end;
1845  }
1846  if (sig->proto.proto[2] != 0xFF) {
1847  goto end;
1848  }
1849  if (sig->proto.proto[3] != 0x97) {
1850  goto end;
1851  }
1852  if (sig->proto.proto[4] != 0x0B) {
1853  goto end;
1854  }
1855  for (i = (value10 / 8) + 1; i < 256 / 8; i++) {
1856  if (sig->proto.proto[i] != 0)
1857  goto end;
1858  }
1859 
1860  result = 1;
1861 
1862  end:
1863  SigFree(NULL, sig);
1864  return result;
1865 }
1866 
1867 static int DetectIPProtoTestSig1(void)
1868 {
1869  int result = 0;
1870  uint8_t *buf = (uint8_t *)
1871  "GET /one/ HTTP/1.1\r\n"
1872  "Host: one.example.org\r\n"
1873  "\r\n";
1874  uint16_t buflen = strlen((char *)buf);
1875  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1876  if (p == NULL)
1877  return 0;
1878 
1879  const char *sigs[4];
1880  sigs[0] = "alert ip any any -> any any "
1881  "(msg:\"Not tcp\"; ip_proto:!tcp; content:\"GET \"; sid:1;)";
1882  sigs[1] = "alert ip any any -> any any "
1883  "(msg:\"Less than 7\"; content:\"GET \"; ip_proto:<7; sid:2;)";
1884  sigs[2] = "alert ip any any -> any any "
1885  "(msg:\"Greater than 5\"; content:\"GET \"; ip_proto:>5; sid:3;)";
1886  sigs[3] = "alert ip any any -> any any "
1887  "(msg:\"Equals tcp\"; content:\"GET \"; ip_proto:tcp; sid:4;)";
1888 
1889  /* sids to match */
1890  uint32_t sid[4] = {1, 2, 3, 4};
1891  /* expected matches for each sid within this packet we are testing */
1892  uint32_t results[4] = {0, 1, 1, 1};
1893 
1894  /* remember that UTHGenericTest expect the first parameter
1895  * as an array of packet pointers. And also a bidimensional array of results
1896  * For example:
1897  * results[numpacket][position] should hold the number of times
1898  * that the sid at sid[position] matched that packet (should be always 1..)
1899  * But here we built it as unidimensional array
1900  */
1901  result = UTHGenericTest(&p, 1, sigs, sid, results, 4);
1902 
1903  UTHFreePacket(p);
1904  return result;
1905 }
1906 
1907 static int DetectIPProtoTestSig2(void)
1908 {
1909  int result = 0;
1910 
1911  uint8_t raw_eth[] = {
1912  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1913  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1914  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1915  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1916  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1917  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1918  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
1919  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
1920  0x4a, 0xea, 0x7a, 0x8e,
1921  };
1922 
1923  Packet *p = PacketGetFromAlloc();
1924  if (unlikely(p == NULL))
1925  return 0;
1926 
1927  DecodeThreadVars dtv;
1928  ThreadVars th_v;
1929  DetectEngineThreadCtx *det_ctx = NULL;
1930 
1931  p->proto = 0;
1932  memset(&dtv, 0, sizeof(DecodeThreadVars));
1933  memset(&th_v, 0, sizeof(th_v));
1934 
1935  FlowInitConfig(FLOW_QUIET);
1936  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
1937 
1938  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1939  if (de_ctx == NULL) {
1940  goto end;
1941  }
1942 
1943  de_ctx->mpm_matcher = mpm_default_matcher;
1944  de_ctx->flags |= DE_QUIET;
1945 
1946  de_ctx->sig_list = SigInit(de_ctx,
1947  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
1948  "ip_proto:!103; sid:1;)");
1949  if (de_ctx->sig_list == NULL) {
1950  result = 0;
1951  goto end;
1952  }
1953 
1954  SigGroupBuild(de_ctx);
1955  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1956 
1957  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1958  if (PacketAlertCheck(p, 1) == 0) {
1959  result = 1;
1960  goto end;
1961  } else {
1962  result = 0;
1963  }
1964 
1965  SigGroupCleanup(de_ctx);
1966  SigCleanSignatures(de_ctx);
1967 
1968  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1969  DetectEngineCtxFree(de_ctx);
1970  FlowShutdown();
1971 
1972  SCFree(p);
1973  return result;
1974 
1975 end:
1976  if (de_ctx) {
1977  SigGroupCleanup(de_ctx);
1978  SigCleanSignatures(de_ctx);
1979  }
1980 
1981  if (det_ctx)
1982  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1983  if (de_ctx)
1984  DetectEngineCtxFree(de_ctx);
1985 
1986  FlowShutdown();
1987  SCFree(p);
1988 
1989  return result;
1990 }
1991 
1992 static int DetectIPProtoTestSig3(void)
1993 {
1994  int result = 0;
1995 
1996  uint8_t raw_eth[] = {
1997  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1998  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1999  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
2000  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
2001  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
2002  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
2003  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
2004  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
2005  0x4a, 0xea, 0x7a, 0x8e,
2006  };
2007 
2008  Packet *p = UTHBuildPacket((uint8_t *)"boom", 4, IPPROTO_TCP);
2009  if (p == NULL)
2010  return 0;
2011 
2012  DecodeThreadVars dtv;
2013  ThreadVars th_v;
2014  DetectEngineThreadCtx *det_ctx = NULL;
2015 
2016  p->proto = 0;
2017  memset(&dtv, 0, sizeof(DecodeThreadVars));
2018  memset(&th_v, 0, sizeof(th_v));
2019 
2020  FlowInitConfig(FLOW_QUIET);
2021  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
2022 
2023  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2024  if (de_ctx == NULL) {
2025  goto end;
2026  }
2027 
2028  de_ctx->mpm_matcher = mpm_default_matcher;
2029  de_ctx->flags |= DE_QUIET;
2030 
2031  de_ctx->sig_list = SigInit(de_ctx,
2032  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
2033  "ip_proto:103; sid:1;)");
2034  if (de_ctx->sig_list == NULL) {
2035  result = 0;
2036  goto end;
2037  }
2038 
2039  SigGroupBuild(de_ctx);
2040  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2041 
2042  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2043  if (!PacketAlertCheck(p, 1)) {
2044  result = 0;
2045  goto end;
2046  } else {
2047  result = 1;
2048  }
2049 
2050  SigGroupCleanup(de_ctx);
2051  SigCleanSignatures(de_ctx);
2052 
2053  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2054  DetectEngineCtxFree(de_ctx);
2055  FlowShutdown();
2056 
2057  SCFree(p);
2058  return result;
2059 
2060 end:
2061  if (de_ctx) {
2062  SigGroupCleanup(de_ctx);
2063  SigCleanSignatures(de_ctx);
2064  }
2065 
2066  if (det_ctx)
2067  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2068  if (de_ctx)
2069  DetectEngineCtxFree(de_ctx);
2070 
2071  FlowShutdown();
2072  SCFree(p);
2073 
2074  return result;
2075 }
2076 
2077 /**
2078  * \internal
2079  * \brief Register ip_proto tests.
2080  */
2081 static void DetectIPProtoRegisterTests(void)
2082 {
2083  UtRegisterTest("DetectIPProtoTestParse01", DetectIPProtoTestParse01);
2084  UtRegisterTest("DetectIPProtoTestParse02", DetectIPProtoTestParse02);
2085  UtRegisterTest("DetectIPProtoTestSetup01", DetectIPProtoTestSetup01);
2086  UtRegisterTest("DetectIPProtoTestSetup02", DetectIPProtoTestSetup02);
2087  UtRegisterTest("DetectIPProtoTestSetup03", DetectIPProtoTestSetup03);
2088  UtRegisterTest("DetectIPProtoTestSetup04", DetectIPProtoTestSetup04);
2089  UtRegisterTest("DetectIPProtoTestSetup05", DetectIPProtoTestSetup05);
2090  UtRegisterTest("DetectIPProtoTestSetup06", DetectIPProtoTestSetup06);
2091  UtRegisterTest("DetectIPProtoTestSetup07", DetectIPProtoTestSetup07);
2092  UtRegisterTest("DetectIPProtoTestSetup08", DetectIPProtoTestSetup08);
2093  UtRegisterTest("DetectIPProtoTestSetup09", DetectIPProtoTestSetup09);
2094  UtRegisterTest("DetectIPProtoTestSetup10", DetectIPProtoTestSetup10);
2095  UtRegisterTest("DetectIPProtoTestSetup11", DetectIPProtoTestSetup11);
2096  UtRegisterTest("DetectIPProtoTestSetup12", DetectIPProtoTestSetup12);
2097  UtRegisterTest("DetectIPProtoTestSetup13", DetectIPProtoTestSetup13);
2098  UtRegisterTest("DetectIPProtoTestSetup14", DetectIPProtoTestSetup14);
2099  UtRegisterTest("DetectIPProtoTestSetup15", DetectIPProtoTestSetup15);
2100  UtRegisterTest("DetectIPProtoTestSetup16", DetectIPProtoTestSetup16);
2101  UtRegisterTest("DetectIPProtoTestSetup17", DetectIPProtoTestSetup17);
2102  UtRegisterTest("DetectIPProtoTestSetup18", DetectIPProtoTestSetup18);
2103  UtRegisterTest("DetectIPProtoTestSetup19", DetectIPProtoTestSetup19);
2104  UtRegisterTest("DetectIPProtoTestSetup20", DetectIPProtoTestSetup20);
2105  UtRegisterTest("DetectIPProtoTestSetup21", DetectIPProtoTestSetup21);
2106  UtRegisterTest("DetectIPProtoTestSetup22", DetectIPProtoTestSetup22);
2107  UtRegisterTest("DetectIPProtoTestSetup23", DetectIPProtoTestSetup23);
2108  UtRegisterTest("DetectIPProtoTestSetup24", DetectIPProtoTestSetup24);
2109  UtRegisterTest("DetectIPProtoTestSetup33", DetectIPProtoTestSetup33);
2110  UtRegisterTest("DetectIPProtoTestSetup34", DetectIPProtoTestSetup34);
2111  UtRegisterTest("DetectIPProtoTestSetup36", DetectIPProtoTestSetup36);
2112  UtRegisterTest("DetectIPProtoTestSetup43", DetectIPProtoTestSetup43);
2113  UtRegisterTest("DetectIPProtoTestSetup44", DetectIPProtoTestSetup44);
2114  UtRegisterTest("DetectIPProtoTestSetup45", DetectIPProtoTestSetup45);
2115  UtRegisterTest("DetectIPProtoTestSetup56", DetectIPProtoTestSetup56);
2116  UtRegisterTest("DetectIPProtoTestSetup75", DetectIPProtoTestSetup75);
2117  UtRegisterTest("DetectIPProtoTestSetup76", DetectIPProtoTestSetup76);
2118  UtRegisterTest("DetectIPProtoTestSetup129", DetectIPProtoTestSetup129);
2119  UtRegisterTest("DetectIPProtoTestSetup130", DetectIPProtoTestSetup130);
2120  UtRegisterTest("DetectIPProtoTestSetup131", DetectIPProtoTestSetup131);
2121  UtRegisterTest("DetectIPProtoTestSetup132", DetectIPProtoTestSetup132);
2122  UtRegisterTest("DetectIPProtoTestSetup145", DetectIPProtoTestSetup145);
2123 
2124  UtRegisterTest("DetectIPProtoTestSig1", DetectIPProtoTestSig1);
2125  UtRegisterTest("DetectIPProtoTestSig2", DetectIPProtoTestSig2);
2126  UtRegisterTest("DetectIPProtoTestSig3", DetectIPProtoTestSig3);
2127 }
2128 #endif /* UNITTESTS */
DetectIPProtoRemoveAllSMs
void DetectIPProtoRemoveAllSMs(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-ipproto.c:434
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1287
Packet_::proto
uint8_t proto
Definition: decode.h:452
detect-engine.h
SigMatchRemoveSMFromList
void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list)
Definition: detect-parse.c:507
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:437
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:566
SigTableElmt_::desc
const char * desc
Definition: detect.h:1286
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:337
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1274
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:34
detect-engine-siggroup.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1284
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1594
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1478
DetectIPProtoRegister
void DetectIPProtoRegister(void)
Registration function for ip_proto keyword.
Definition: detect-ipproto.c:60
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
results
struct DetectRfbSecresult_ results[]
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1278
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:826
DETECT_PROTO_ANY
#define DETECT_PROTO_ANY
Definition: detect-engine-proto.h:27
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2592
DE_QUIET
#define DE_QUIET
Definition: detect.h:314
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:49
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1824
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:536
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2623
proto
uint8_t proto
Definition: decode-template.h:0
StringParseInt32
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:622
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1269
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:549
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:361
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1074
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2747
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:344
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:829
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:108
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2264
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:343
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:37
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2042
Signature_::flags
uint32_t flags
Definition: detect.h:582
Packet_
Definition: decode.h:430
detect-engine-build.h
detect-engine-alert.h
detect-ipproto.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:653
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1252
DETECT_IPPROTO_OP_GT
#define DETECT_IPPROTO_OP_GT
Definition: detect-ipproto.h:31
util-proto-name.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:322
SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
Definition: detect.h:278
DETECT_IPPROTO_OP_EQ
#define DETECT_IPPROTO_OP_EQ
Definition: detect-ipproto.h:28
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1973
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:38
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:33
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3308
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
Signature_::proto
DetectProto proto
Definition: detect.h:600
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3522
SigMatch_::type
uint16_t type
Definition: detect.h:341
DETECT_IPPROTO_OP_LT
#define DETECT_IPPROTO_OP_LT
Definition: detect-ipproto.h:30
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:697
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:834
DetectIPProtoData_::op
uint8_t op
Definition: detect-ipproto.h:35
UTHGenericTest
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perform a generic check taking care of as maximum common unittest eleme...
Definition: util-unittest-helper.c:604
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:668
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
detect-parse.h
Signature_
Signature container.
Definition: detect.h:581
SigMatch_
a single match condition for a signature
Definition: detect.h:340
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2553
DetectIPProtoData_
Definition: detect-ipproto.h:34
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:41
SCGetProtoByName
bool SCGetProtoByName(const char *protoname, uint8_t *proto_number)
Function to return the protocol number for a named protocol. Note that protocol name aliases are hono...
Definition: util-proto-name.c:467
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our options.
Definition: detect-ipproto.c:50
DETECT_IPPROTO_OP_NOT
#define DETECT_IPPROTO_OP_NOT
Definition: detect-ipproto.h:29
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:828
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1479
DETECT_IPPROTO
@ DETECT_IPPROTO
Definition: detect-engine-register.h:80
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
detect-engine-address.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1276
DetectIPProtoData_::proto
uint8_t proto
Definition: detect-ipproto.h:36
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:242