suricata
detect-ipproto.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  *
23  * Implements the ip_proto keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 
31 #include "detect-ipproto.h"
32 
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 
37 #include "detect-engine-siggroup.h"
38 #include "detect-engine-address.h"
39 
40 #include "util-byte.h"
41 #include "util-proto-name.h"
42 #include "util-unittest.h"
43 #include "util-unittest-helper.h"
44 
45 #include "util-debug.h"
46 
47 /**
48  * \brief Regex for parsing our options
49  */
50 #define PARSE_REGEX "^([!<>]?)\\s*([^\\s]+)$"
51 
52 static DetectParseRegex parse_regex;
53 
54 static int DetectIPProtoSetup(DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectIPProtoRegisterTests(void);
57 #endif
58 static void DetectIPProtoFree(DetectEngineCtx *, void *);
59 
60 void DetectIPProtoRegister(void)
61 {
62  sigmatch_table[DETECT_IPPROTO].name = "ip_proto";
63  sigmatch_table[DETECT_IPPROTO].desc = "match on the IP protocol in the packet-header";
64  sigmatch_table[DETECT_IPPROTO].url = "/rules/header-keywords.html#ip-proto";
65  sigmatch_table[DETECT_IPPROTO].Match = NULL;
66  sigmatch_table[DETECT_IPPROTO].Setup = DetectIPProtoSetup;
67  sigmatch_table[DETECT_IPPROTO].Free = DetectIPProtoFree;
68 #ifdef UNITTESTS
69  sigmatch_table[DETECT_IPPROTO].RegisterTests = DetectIPProtoRegisterTests;
70 #endif
71  sigmatch_table[DETECT_IPPROTO].flags = SIGMATCH_QUOTES_OPTIONAL;
72 
73  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
74 }
75 
76 /**
77  * \internal
78  * \brief Parse ip_proto options string.
79  *
80  * \param optstr Options string to parse
81  *
82  * \return New ip_proto data structure
83  */
84 static DetectIPProtoData *DetectIPProtoParse(const char *optstr)
85 {
86  DetectIPProtoData *data = NULL;
87  char *args[2] = { NULL, NULL };
88  int ret = 0, res = 0;
89  size_t pcre2_len;
90  int i;
91  const char *str_ptr;
92 
93  /* Execute the regex and populate args with captures. */
94  ret = DetectParsePcreExec(&parse_regex, optstr, 0, 0);
95  if (ret != 3) {
96  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret"
97  "%" PRId32 ", string %s", ret, optstr);
98  goto error;
99  }
100 
101  for (i = 0; i < (ret - 1); i++) {
102  res = pcre2_substring_get_bynumber(
103  parse_regex.match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
104  if (res < 0) {
105  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
106  goto error;
107  }
108  args[i] = (char *)str_ptr;
109  }
110 
111  /* Initialize the data */
112  data = SCMalloc(sizeof(DetectIPProtoData));
113  if (unlikely(data == NULL))
114  goto error;
115  data->op = DETECT_IPPROTO_OP_EQ;
116  data->proto = 0;
117 
118  /* Operator */
119  if (*(args[0]) != '\0') {
120  data->op = *(args[0]);
121  }
122 
123  /* Protocol name/number */
124  if (!isdigit((unsigned char)*(args[1]))) {
125  uint8_t proto;
126  if (!SCGetProtoByName(args[1], &proto)) {
127  SCLogError(SC_ERR_INVALID_VALUE, "Unknown protocol name: \"%s\"", str_ptr);
128  goto error;
129  }
130  data->proto = proto;
131  }
132  else {
133  if (StringParseUint8(&data->proto, 10, 0, args[1]) <= 0) {
134  SCLogError(SC_ERR_INVALID_VALUE, "Malformed protocol number: %s",
135  str_ptr);
136  goto error;
137  }
138  }
139 
140  for (i = 0; i < (ret - 1); i++){
141  if (args[i] != NULL)
142  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
143  }
144 
145  return data;
146 
147 error:
148  for (i = 0; i < (ret - 1) && i < 2; i++){
149  if (args[i] != NULL)
150  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
151  }
152  if (data != NULL)
153  SCFree(data);
154 
155  return NULL;
156 }
157 
158 static int DetectIPProtoTypePresentForOP(Signature *s, uint8_t op)
159 {
160  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
161  DetectIPProtoData *data;
162 
163  while (sm != NULL) {
164  if (sm->type == DETECT_IPPROTO) {
165  data = (DetectIPProtoData *)sm->ctx;
166  if (data->op == op)
167  return 1;
168  }
169  sm = sm->next;
170  }
171 
172  return 0;
173 }
174 
175 /**
176  * \internal
177  * \brief Setup ip_proto keyword.
178  *
179  * \param de_ctx Detection engine context
180  * \param s Signature
181  * \param optstr Options string
182  *
183  * \return Non-zero on error
184  */
185 static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
186 {
187  SigMatch *sm = NULL;
188  int i;
189 
190  DetectIPProtoData *data = DetectIPProtoParse(optstr);
191  if (data == NULL) {
192  return -1;
193  }
194 
195  /* Reset our "any" (or "ip") state: for ipv4, ipv6 and ip cases, the bitfield
196  * s->proto.proto have all bit set to 1 to be able to match any protocols. ipproto
197  * will refined the protocol list and thus it needs to reset the bitfield to zero
198  * before setting the value specified by the ip_proto keyword.
199  */
200  if (s->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) {
201  s->proto.flags &= ~DETECT_PROTO_ANY;
202  memset(s->proto.proto, 0x00, sizeof(s->proto.proto));
203  s->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
204  } else {
205  /* The ipproto engine has a relationship with the protocol that is
206  * set after the action and also the app protocol(that can also be
207  * set through the app-layer-protocol.
208  * An ip_proto keyword can be used only with alert ip, which if
209  * not true we error out on the sig. And hence the init_flag to
210  * indicate this. */
211  if (!(s->init_data->init_flags & SIG_FLAG_INIT_FIRST_IPPROTO_SEEN)) {
212  SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature can use "
213  "ip_proto keyword only when we use alert ip, "
214  "in which case the _ANY flag is set on the sig "
215  "and the if condition should match.");
216  goto error;
217  }
218  }
219 
220  int eq_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_EQ);
221  int gt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_GT);
222  int lt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_LT);
223  int not_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_NOT);
224 
225  switch (data->op) {
226  case DETECT_IPPROTO_OP_EQ:
227  if (eq_set || gt_set || lt_set || not_set) {
228  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq "
229  "ipproto without any operators attached to "
230  "them in the same sig");
231  goto error;
232  }
233  s->proto.proto[data->proto / 8] |= 1 << (data->proto % 8);
234  break;
235 
236  case DETECT_IPPROTO_OP_GT:
237  if (eq_set || gt_set) {
238  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq or gt "
239  "ipproto along with a greater than ipproto in the "
240  "same sig ");
241  goto error;
242  }
243  if (!lt_set && !not_set) {
244  s->proto.proto[data->proto / 8] = 0xfe << (data->proto % 8);
245  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
246  s->proto.proto[i] = 0xff;
247  }
248  } else if (lt_set && !not_set) {
249  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
250  while (temp_sm != NULL) {
251  if (temp_sm->type == DETECT_IPPROTO) {
252  break;
253  }
254  temp_sm = temp_sm->next;
255  }
256  if (temp_sm != NULL) {
257  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
258  if (data_temp->proto <= data->proto) {
259  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
260  "both gt and lt ipprotos, with the lt being "
261  "lower than gt value");
262  goto error;
263  } else {
264  for (i = 0; i < (data->proto / 8); i++) {
265  s->proto.proto[i] = 0;
266  }
267  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
268  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
269  s->proto.proto[i] &= 0xff;
270  }
271  }
272  }
273  } else if (!lt_set && not_set) {
274  for (i = 0; i < (data->proto / 8); i++) {
275  s->proto.proto[i] = 0;
276  }
277  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
278  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
279  s->proto.proto[i] &= 0xff;
280  }
281  } else {
282  DetectIPProtoData *data_temp;
283  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
284  while (temp_sm != NULL) {
285  if (temp_sm->type == DETECT_IPPROTO &&
286  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_LT) {
287  break;
288  }
289  temp_sm = temp_sm->next;
290  }
291  if (temp_sm != NULL) {
292  data_temp = (DetectIPProtoData *)temp_sm->ctx;
293  if (data_temp->proto <= data->proto) {
294  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
295  "both gt and lt ipprotos, with the lt being "
296  "lower than gt value");
297  goto error;
298  } else {
299  for (i = 0; i < (data->proto / 8); i++) {
300  s->proto.proto[i] = 0;
301  }
302  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
303  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
304  s->proto.proto[i] &= 0xff;
305  }
306  }
307  }
308  }
309  break;
310 
311  case DETECT_IPPROTO_OP_LT:
312  if (eq_set || lt_set) {
313  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq or lt "
314  "ipproto along with a less than ipproto in the "
315  "same sig ");
316  goto error;
317  }
318  if (!gt_set && !not_set) {
319  for (i = 0; i < (data->proto / 8); i++) {
320  s->proto.proto[i] = 0xff;
321  }
322  s->proto.proto[data->proto / 8] = ~(0xff << (data->proto % 8));
323  } else if (gt_set && !not_set) {
324  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
325  while (temp_sm != NULL) {
326  if (temp_sm->type == DETECT_IPPROTO) {
327  break;
328  }
329  temp_sm = temp_sm->next;
330  }
331  if (temp_sm != NULL) {
332  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
333  if (data_temp->proto >= data->proto) {
334  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a have "
335  "both gt and lt ipprotos, with the lt being "
336  "lower than gt value");
337  goto error;
338  } else {
339  for (i = 0; i < (data->proto / 8); i++) {
340  s->proto.proto[i] &= 0xff;
341  }
342  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
343  for (i = (data->proto / 8) + 1; i < 256 / 8; i++) {
344  s->proto.proto[i] = 0;
345  }
346  }
347  }
348  } else if (!gt_set && not_set) {
349  for (i = 0; i < (data->proto / 8); i++) {
350  s->proto.proto[i] &= 0xFF;
351  }
352  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
353  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
354  s->proto.proto[i] = 0;
355  }
356  } else {
357  DetectIPProtoData *data_temp;
358  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
359  while (temp_sm != NULL) {
360  if (temp_sm->type == DETECT_IPPROTO &&
361  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_GT) {
362  break;
363  }
364  temp_sm = temp_sm->next;
365  }
366  if (temp_sm != NULL) {
367  data_temp = (DetectIPProtoData *)temp_sm->ctx;
368  if (data_temp->proto >= data->proto) {
369  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
370  "both gt and lt ipprotos, with the lt being "
371  "lower than gt value");
372  goto error;
373  } else {
374  for (i = 0; i < (data->proto / 8); i++) {
375  s->proto.proto[i] &= 0xFF;
376  }
377  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
378  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
379  s->proto.proto[i] = 0;
380  }
381  }
382  }
383  }
384  break;
385 
386  case DETECT_IPPROTO_OP_NOT:
387  if (eq_set) {
388  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq "
389  "ipproto along with a not ipproto in the "
390  "same sig ");
391  goto error;
392  }
393  if (!gt_set && !lt_set && !not_set) {
394  for (i = 0; i < (data->proto / 8); i++) {
395  s->proto.proto[i] = 0xff;
396  }
397  s->proto.proto[data->proto / 8] = ~(1 << (data->proto % 8));
398  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
399  s->proto.proto[i] = 0xff;
400  }
401  } else {
402  for (i = 0; i < (data->proto / 8); i++) {
403  s->proto.proto[i] &= 0xff;
404  }
405  s->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8));
406  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
407  s->proto.proto[i] &= 0xff;
408  }
409  }
410  break;
411  }
412 
413  sm = SigMatchAlloc();
414  if (sm == NULL)
415  goto error;
416  sm->type = DETECT_IPPROTO;
417  sm->ctx = (void *)data;
418  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
419  s->flags |= SIG_FLAG_REQUIRE_PACKET;
420 
421  return 0;
422 
423  error:
424 
425  DetectIPProtoFree(de_ctx, data);
426  return -1;
427 }
428 
429 
430 void DetectIPProtoRemoveAllSMs(DetectEngineCtx *de_ctx, Signature *s)
431 {
432  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
433 
434  while (sm != NULL) {
435  if (sm->type != DETECT_IPPROTO) {
436  sm = sm->next;
437  continue;
438  }
439  SigMatch *tmp_sm = sm->next;
440  SigMatchRemoveSMFromList(s, sm, DETECT_SM_LIST_MATCH);
441  SigMatchFree(de_ctx, sm);
442  sm = tmp_sm;
443  }
444 
445  return;
446 }
447 
448 static void DetectIPProtoFree(DetectEngineCtx *de_ctx, void *ptr)
449 {
450  DetectIPProtoData *data = (DetectIPProtoData *)ptr;
451  if (data) {
452  SCFree(data);
453  }
454 }
455 
456 /* UNITTESTS */
457 #ifdef UNITTESTS
458 
459 /**
460  * \test DetectIPProtoTestParse01 is a test for an invalid proto number
461  */
462 static int DetectIPProtoTestParse01(void)
463 {
464  DetectIPProtoData *data = DetectIPProtoParse("999");
465  FAIL_IF_NOT(data == NULL);
466  PASS;
467 }
468 
469 /**
470  * \test DetectIPProtoTestParse02 is a test for an invalid proto name
471  */
472 static int DetectIPProtoTestParse02(void)
473 {
474  DetectIPProtoData *data = DetectIPProtoParse("foobarbooeek");
475  FAIL_IF_NOT(data == NULL);
476  PASS;
477 }
478 
479 /**
480  * \test DetectIPProtoTestSetup01 is a test for a protocol number
481  */
482 static int DetectIPProtoTestSetup01(void)
483 {
484  const char *value_str = "14";
485  int value;
486  FAIL_IF(StringParseInt32(&value, 10, 0, (const char *)value_str) < 0);
487  int i;
488 
489  Signature *sig = SigAlloc();
490  FAIL_IF_NULL(sig);
491 
492  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
493  sig->proto.flags |= DETECT_PROTO_ANY;
494  DetectIPProtoSetup(NULL, sig, value_str);
495  for (i = 0; i < (value / 8); i++) {
496  FAIL_IF(sig->proto.proto[i] != 0);
497  }
498  FAIL_IF(sig->proto.proto[value / 8] != 0x40);
499  for (i = (value / 8) + 1; i < (256 / 8); i++) {
500  FAIL_IF(sig->proto.proto[i] != 0);
501  }
502  SigFree(NULL, sig);
503  PASS;
504 }
505 
506 /**
507  * \test DetectIPProtoTestSetup02 is a test for a protocol name
508  */
509 static int DetectIPProtoTestSetup02(void)
510 {
511  int result = 0;
512  Signature *sig = NULL;
513  const char *value_str = "tcp";
514  struct protoent *pent = getprotobyname(value_str);
515  if (pent == NULL) {
516  goto end;
517  }
518  uint8_t value = (uint8_t)pent->p_proto;
519  int i;
520 
521  if ((sig = SigAlloc()) == NULL)
522  goto end;
523 
524  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
525  sig->proto.flags |= DETECT_PROTO_ANY;
526  DetectIPProtoSetup(NULL, sig, value_str);
527  for (i = 0; i < (value / 8); i++) {
528  if (sig->proto.proto[i] != 0)
529  goto end;
530  }
531  if (sig->proto.proto[value / 8] != 0x40) {
532  goto end;
533  }
534  for (i = (value / 8) + 1; i < (256 / 8); i++) {
535  if (sig->proto.proto[i] != 0)
536  goto end;
537  }
538 
539  result = 1;
540 
541  end:
542  if (sig != NULL)
543  SigFree(NULL, sig);
544  return result;
545 }
546 
547 /**
548  * \test DetectIPProtoTestSetup03 is a test for a < operator
549  */
550 static int DetectIPProtoTestSetup03(void)
551 {
552  int result = 0;
553  Signature *sig;
554  const char *value_str = "<14";
555  int value = 14;
556  int i;
557 
558  if ((sig = SigAlloc()) == NULL)
559  goto end;
560 
561  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
562  sig->proto.flags |= DETECT_PROTO_ANY;
563  DetectIPProtoSetup(NULL, sig, value_str);
564  for (i = 0; i < (value / 8); i++) {
565  if (sig->proto.proto[i] != 0xFF)
566  goto end;
567  }
568  if (sig->proto.proto[value / 8] != 0x3F) {
569  goto end;
570  }
571  for (i = (value / 8) + 1; i < (256 / 8); i++) {
572  if (sig->proto.proto[i] != 0)
573  goto end;
574  }
575 
576  result = 1;
577 
578  end:
579  SigFree(NULL, sig);
580  return result;
581 }
582 
583 /**
584  * \test DetectIPProtoTestSetup04 is a test for a > operator
585  */
586 static int DetectIPProtoTestSetup04(void)
587 {
588  int result = 0;
589  Signature *sig;
590  const char *value_str = ">14";
591  int value = 14;
592  int i;
593 
594  if ((sig = SigAlloc()) == NULL)
595  goto end;
596 
597  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
598  sig->proto.flags |= DETECT_PROTO_ANY;
599  DetectIPProtoSetup(NULL, sig, value_str);
600  for (i = 0; i < (value / 8); i++) {
601  if (sig->proto.proto[i] != 0)
602  goto end;
603  }
604  if (sig->proto.proto[value / 8] != 0x80) {
605  goto end;
606  }
607  for (i = (value / 8) + 1; i < (256 / 8); i++) {
608  if (sig->proto.proto[i] != 0xFF)
609  goto end;
610  }
611 
612  result = 1;
613 
614  end:
615  SigFree(NULL, sig);
616  return result;
617 }
618 
619 /**
620  * \test DetectIPProtoTestSetup05 is a test for a ! operator
621  */
622 static int DetectIPProtoTestSetup05(void)
623 {
624  int result = 0;
625  Signature *sig;
626  const char *value_str = "!14";
627  int value = 14;
628  int i;
629 
630  if ((sig = SigAlloc()) == NULL)
631  goto end;
632 
633  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
634  sig->proto.flags |= DETECT_PROTO_ANY;
635  DetectIPProtoSetup(NULL, sig, value_str);
636  for (i = 0; i < (value / 8); i++) {
637  if (sig->proto.proto[i] != 0xFF)
638  goto end;
639  }
640  if (sig->proto.proto[value / 8] != 0xBF) {
641  goto end;
642  }
643  for (i = (value / 8) + 1; i < (256 / 8); i++) {
644  if (sig->proto.proto[i] != 0xFF)
645  goto end;
646  }
647 
648  result = 1;
649 
650  end:
651  SigFree(NULL, sig);
652  return result;
653 }
654 
655 /**
656  * \test Negative test.
657  */
658 static int DetectIPProtoTestSetup06(void)
659 {
660  int result = 0;
661  Signature *sig;
662  const char *value1_str = "14";
663  const char *value2_str = "15";
664 
665  if ((sig = SigAlloc()) == NULL)
666  goto end;
667 
668  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
669  sig->proto.flags |= DETECT_PROTO_ANY;
670  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
671  goto end;
672  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
673  goto end;
674 
675  result = 1;
676 
677  end:
678  SigFree(NULL, sig);
679  return result;
680 }
681 
682 /**
683  * \test Negative test.
684  */
685 static int DetectIPProtoTestSetup07(void)
686 {
687  int result = 0;
688  Signature *sig;
689  const char *value1_str = "14";
690  const char *value2_str = "<15";
691 
692  if ((sig = SigAlloc()) == NULL)
693  goto end;
694 
695  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
696  sig->proto.flags |= DETECT_PROTO_ANY;
697  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
698  goto end;
699  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
700  goto end;
701 
702  result = 1;
703 
704  end:
705  SigFree(NULL, sig);
706  return result;
707 }
708 
709 /**
710  * \test Negative test.
711  */
712 static int DetectIPProtoTestSetup08(void)
713 {
714  int result = 0;
715  Signature *sig;
716  const char *value1_str = "14";
717  const char *value2_str = ">15";
718 
719  if ((sig = SigAlloc()) == NULL)
720  goto end;
721 
722  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
723  sig->proto.flags |= DETECT_PROTO_ANY;
724  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
725  goto end;
726  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
727  goto end;
728 
729  result = 1;
730 
731  end:
732  SigFree(NULL, sig);
733  return result;
734 }
735 
736 /**
737  * \test Negative test.
738  */
739 static int DetectIPProtoTestSetup09(void)
740 {
741  int result = 0;
742  Signature *sig;
743  const char *value1_str = "14";
744  const char *value2_str = "!15";
745 
746  if ((sig = SigAlloc()) == NULL)
747  goto end;
748 
749  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
750  sig->proto.flags |= DETECT_PROTO_ANY;
751  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
752  goto end;
753  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
754  goto end;
755 
756  result = 1;
757 
758  end:
759  SigFree(NULL, sig);
760  return result;
761 }
762 
763 /**
764  * \test Negative test.
765  */
766 static int DetectIPProtoTestSetup10(void)
767 {
768  int result = 0;
769  Signature *sig;
770  const char *value1_str = ">14";
771  const char *value2_str = "15";
772 
773  if ((sig = SigAlloc()) == NULL)
774  goto end;
775 
776  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
777  sig->proto.flags |= DETECT_PROTO_ANY;
778  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
779  goto end;
780  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
781  goto end;
782 
783  result = 1;
784 
785  end:
786  SigFree(NULL, sig);
787  return result;
788 }
789 
790 /**
791  * \test Negative test.
792  */
793 static int DetectIPProtoTestSetup11(void)
794 {
795  int result = 0;
796  Signature *sig;
797  const char *value1_str = "<14";
798  const char *value2_str = "15";
799 
800  if ((sig = SigAlloc()) == NULL)
801  goto end;
802 
803  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
804  sig->proto.flags |= DETECT_PROTO_ANY;
805  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
806  goto end;
807  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
808  goto end;
809 
810  result = 1;
811 
812  end:
813  SigFree(NULL, sig);
814  return result;
815 }
816 
817 /**
818  * \test Negative test.
819  */
820 static int DetectIPProtoTestSetup12(void)
821 {
822  int result = 0;
823  Signature *sig;
824  const char *value1_str = "!14";
825  const char *value2_str = "15";
826 
827  if ((sig = SigAlloc()) == NULL)
828  goto end;
829 
830  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
831  sig->proto.flags |= DETECT_PROTO_ANY;
832  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
833  goto end;
834  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
835  goto end;
836 
837  result = 1;
838 
839  end:
840  SigFree(NULL, sig);
841  return result;
842 }
843 
844 /**
845  * \test Negative test.
846  */
847 static int DetectIPProtoTestSetup13(void)
848 {
849  int result = 0;
850  Signature *sig;
851  const char *value1_str = ">14";
852  const char *value2_str = ">15";
853 
854  if ((sig = SigAlloc()) == NULL)
855  goto end;
856 
857  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
858  sig->proto.flags |= DETECT_PROTO_ANY;
859  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
860  goto end;
861  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
862  goto end;
863 
864  result = 1;
865 
866  end:
867  SigFree(NULL, sig);
868  return result;
869 }
870 
871 static int DetectIPProtoTestSetup14(void)
872 {
873  int result = 0;
874  Signature *sig;
875  const char *value1_str = "<14";
876  const char *value2_str = "<15";
877 
878  if ((sig = SigAlloc()) == NULL)
879  goto end;
880 
881  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
882  sig->proto.flags |= DETECT_PROTO_ANY;
883  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
884  goto end;
885  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
886  goto end;
887 
888  result = 1;
889 
890  end:
891  SigFree(NULL, sig);
892  return result;
893 }
894 
895 static int DetectIPProtoTestSetup15(void)
896 {
897  int result = 0;
898  Signature *sig;
899  const char *value1_str = "<14";
900  int value1 = 14;
901  const char *value2_str = ">34";
902  int i;
903 
904  if ((sig = SigAlloc()) == NULL)
905  goto end;
906 
907  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
908  sig->proto.flags |= DETECT_PROTO_ANY;
909  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
910  goto end;
911  for (i = 0; i < (value1 / 8); i++) {
912  if (sig->proto.proto[i] != 0xFF)
913  goto end;
914  }
915  if (sig->proto.proto[value1 / 8] != 0x3F) {
916  goto end;
917  }
918  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
919  if (sig->proto.proto[i] != 0)
920  goto end;
921  }
922  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
923  goto end;
924 
925  result = 1;
926 
927  end:
928  SigFree(NULL, sig);
929  return result;
930 
931 }
932 
933 static int DetectIPProtoTestSetup16(void)
934 {
935  int result = 0;
936  Signature *sig;
937  const char *value1_str = "<14";
938  const char *value2_str = ">34";
939  int value2 = 34;
940  int i;
941 
942  if ((sig = SigAlloc()) == NULL)
943  goto end;
944 
945  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
946  sig->proto.flags |= DETECT_PROTO_ANY;
947  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
948  goto end;
949  for (i = 0; i < (value2 / 8); i++) {
950  if (sig->proto.proto[i] != 0)
951  goto end;
952  }
953  if (sig->proto.proto[value2 / 8] != 0xF8) {
954  goto end;
955  }
956  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
957  if (sig->proto.proto[i] != 0xFF)
958  goto end;
959  }
960  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
961  goto end;
962 
963  result = 1;
964 
965  end:
966  SigFree(NULL, sig);
967  return result;
968 
969 }
970 
971 static int DetectIPProtoTestSetup17(void)
972 {
973  int result = 0;
974  Signature *sig;
975  const char *value1_str = "<11";
976  int value1 = 11;
977  const char *value2_str = ">13";
978  int i;
979 
980  if ((sig = SigAlloc()) == NULL)
981  goto end;
982 
983  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
984  sig->proto.flags |= DETECT_PROTO_ANY;
985  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
986  goto end;
987  for (i = 0; i < (value1 / 8); i++) {
988  if (sig->proto.proto[i] != 0xFF)
989  goto end;
990  }
991  if (sig->proto.proto[value1 / 8] != 0x07) {
992  goto end;
993  }
994  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
995  if (sig->proto.proto[i] != 0)
996  goto end;
997  }
998  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
999  goto end;
1000 
1001  result = 1;
1002 
1003  end:
1004  SigFree(NULL, sig);
1005  return result;
1006 
1007 }
1008 
1009 static int DetectIPProtoTestSetup18(void)
1010 {
1011  int result = 0;
1012  Signature *sig;
1013  const char *value1_str = "<11";
1014  const char *value2_str = ">13";
1015  int value2 = 13;
1016  int i;
1017 
1018  if ((sig = SigAlloc()) == NULL)
1019  goto end;
1020 
1021  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1022  sig->proto.flags |= DETECT_PROTO_ANY;
1023  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1024  goto end;
1025  for (i = 0; i < (value2 / 8); i++) {
1026  if (sig->proto.proto[i] != 0)
1027  goto end;
1028  }
1029  if (sig->proto.proto[value2 / 8] != 0xC0) {
1030  goto end;
1031  }
1032  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1033  if (sig->proto.proto[i] != 0xFF)
1034  goto end;
1035  }
1036  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1037  goto end;
1038 
1039  result = 1;
1040 
1041  end:
1042  SigFree(NULL, sig);
1043  return result;
1044 
1045 }
1046 
1047 static int DetectIPProtoTestSetup19(void)
1048 {
1049  int result = 0;
1050  Signature *sig;
1051  const char *value1_str = "<11";
1052  int value1 = 11;
1053  const char *value2_str = "!13";
1054  const char *value3_str = ">36";
1055  int i;
1056 
1057  if ((sig = SigAlloc()) == NULL)
1058  goto end;
1059 
1060  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1061  sig->proto.flags |= DETECT_PROTO_ANY;
1062  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1063  goto end;
1064  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1065  goto end;
1066  for (i = 0; i < (value1 / 8); i++) {
1067  if (sig->proto.proto[i] != 0xFF)
1068  goto end;
1069  }
1070  if (sig->proto.proto[value1 / 8] != 0x07) {
1071  goto end;
1072  }
1073  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1074  if (sig->proto.proto[i] != 0)
1075  goto end;
1076  }
1077  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1078  goto end;
1079 
1080  result = 1;
1081 
1082  end:
1083  SigFree(NULL, sig);
1084  return result;
1085 }
1086 
1087 static int DetectIPProtoTestSetup20(void)
1088 {
1089  int result = 0;
1090  Signature *sig;
1091  const char *value1_str = "<11";
1092  int value1 = 11;
1093  const char *value3_str = ">36";
1094  int i;
1095 
1096  if ((sig = SigAlloc()) == NULL)
1097  goto end;
1098 
1099  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1100  sig->proto.flags |= DETECT_PROTO_ANY;
1101  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1102  goto end;
1103  for (i = 0; i < (value1 / 8); i++) {
1104  if (sig->proto.proto[i] != 0xFF)
1105  goto end;
1106  }
1107  if (sig->proto.proto[value1 / 8] != 0x07) {
1108  goto end;
1109  }
1110  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1111  if (sig->proto.proto[i] != 0)
1112  goto end;
1113  }
1114  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1115  goto end;
1116 
1117  result = 1;
1118 
1119  end:
1120  SigFree(NULL, sig);
1121  return result;
1122 }
1123 
1124 static int DetectIPProtoTestSetup21(void)
1125 {
1126  int result = 0;
1127  Signature *sig;
1128  const char *value1_str = "<11";
1129  int value1 = 11;
1130  const char *value2_str = "!13";
1131  const char *value3_str = ">36";
1132  int i;
1133 
1134  if ((sig = SigAlloc()) == NULL)
1135  goto end;
1136 
1137  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1138  sig->proto.flags |= DETECT_PROTO_ANY;
1139  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1140  goto end;
1141  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1142  goto end;
1143  for (i = 0; i < (value1 / 8); i++) {
1144  if (sig->proto.proto[i] != 0xFF)
1145  goto end;
1146  }
1147  if (sig->proto.proto[value1 / 8] != 0x07) {
1148  goto end;
1149  }
1150  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1151  if (sig->proto.proto[i] != 0)
1152  goto end;
1153  }
1154  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1155  goto end;
1156 
1157  result = 1;
1158 
1159  end:
1160  SigFree(NULL, sig);
1161  return result;
1162 }
1163 
1164 static int DetectIPProtoTestSetup22(void)
1165 {
1166  int result = 0;
1167  Signature *sig;
1168  const char *value1_str = "<11";
1169  const char *value2_str = "!13";
1170  const char *value3_str = ">36";
1171  int value3 = 36;
1172  int i;
1173 
1174  if ((sig = SigAlloc()) == NULL)
1175  goto end;
1176 
1177  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1178  sig->proto.flags |= DETECT_PROTO_ANY;
1179  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1180  goto end;
1181  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1182  goto end;
1183  for (i = 0; i < (value3 / 8); i++) {
1184  if (sig->proto.proto[i] != 0)
1185  goto end;
1186  }
1187  if (sig->proto.proto[value3 / 8] != 0xE0) {
1188  goto end;
1189  }
1190  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1191  if (sig->proto.proto[i] != 0xFF)
1192  goto end;
1193  }
1194  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1195  goto end;
1196 
1197  result = 1;
1198 
1199  end:
1200  SigFree(NULL, sig);
1201  return result;
1202 }
1203 
1204 static int DetectIPProtoTestSetup23(void)
1205 {
1206  int result = 0;
1207  Signature *sig;
1208  const char *value1_str = "<11";
1209  const char *value3_str = ">36";
1210  int value3 = 36;
1211  int i;
1212 
1213  if ((sig = SigAlloc()) == NULL)
1214  goto end;
1215 
1216  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1217  sig->proto.flags |= DETECT_PROTO_ANY;
1218  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1219  goto end;
1220  for (i = 0; i < (value3 / 8); i++) {
1221  if (sig->proto.proto[i] != 0)
1222  goto end;
1223  }
1224  if (sig->proto.proto[value3 / 8] != 0xE0) {
1225  goto end;
1226  }
1227  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1228  if (sig->proto.proto[i] != 0xFF)
1229  goto end;
1230  }
1231  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1232  goto end;
1233 
1234  result = 1;
1235 
1236  end:
1237  SigFree(NULL, sig);
1238  return result;
1239 }
1240 
1241 static int DetectIPProtoTestSetup24(void)
1242 {
1243  int result = 0;
1244  Signature *sig;
1245  const char *value1_str = "<11";
1246  const char *value2_str = "!13";
1247  const char *value3_str = ">36";
1248  int value3 = 36;
1249  int i;
1250 
1251  if ((sig = SigAlloc()) == NULL)
1252  goto end;
1253 
1254  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1255  sig->proto.flags |= DETECT_PROTO_ANY;
1256  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1257  goto end;
1258  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1259  goto end;
1260  for (i = 0; i < (value3 / 8); i++) {
1261  if (sig->proto.proto[i] != 0)
1262  goto end;
1263  }
1264  if (sig->proto.proto[value3 / 8] != 0xE0) {
1265  goto end;
1266  }
1267  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1268  if (sig->proto.proto[i] != 0xFF)
1269  goto end;
1270  }
1271  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1272  goto end;
1273 
1274  result = 1;
1275 
1276  end:
1277  SigFree(NULL, sig);
1278  return result;
1279 }
1280 
1281 static int DetectIPProtoTestSetup33(void)
1282 {
1283  int result = 0;
1284  Signature *sig;
1285  const char *value1_str = "<11";
1286  int value1 = 11;
1287  const char *value2_str = "!34";
1288  const char *value3_str = ">36";
1289  int i;
1290 
1291  if ((sig = SigAlloc()) == NULL)
1292  goto end;
1293 
1294  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1295  sig->proto.flags |= DETECT_PROTO_ANY;
1296  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1297  goto end;
1298  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1299  goto end;
1300  for (i = 0; i < (value1 / 8); i++) {
1301  if (sig->proto.proto[i] != 0xFF)
1302  goto end;
1303  }
1304  if (sig->proto.proto[value1 / 8] != 0x07) {
1305  goto end;
1306  }
1307  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1308  if (sig->proto.proto[i] != 0)
1309  goto end;
1310  }
1311  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1312  goto end;
1313 
1314  result = 1;
1315 
1316  end:
1317  SigFree(NULL, sig);
1318  return result;
1319 }
1320 
1321 static int DetectIPProtoTestSetup34(void)
1322 {
1323  int result = 0;
1324  Signature *sig;
1325  const char *value1_str = "<11";
1326  int value1 = 11;
1327  const char *value2_str = "!34";
1328  const char *value3_str = ">36";
1329  int value3 = 36;
1330  int i;
1331 
1332  if ((sig = SigAlloc()) == NULL)
1333  goto end;
1334 
1335  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1336  sig->proto.flags |= DETECT_PROTO_ANY;
1337  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1338  goto end;
1339  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1340  goto end;
1341  for (i = 0; i < (value1 / 8); i++) {
1342  if (sig->proto.proto[i] != 0)
1343  goto end;
1344  }
1345  if (sig->proto.proto[value3 / 8] != 0xE0) {
1346  goto end;
1347  }
1348  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1349  if (sig->proto.proto[i] != 0xFF)
1350  goto end;
1351  }
1352  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1353  goto end;
1354 
1355  result = 1;
1356 
1357  end:
1358  SigFree(NULL, sig);
1359  return result;
1360 }
1361 
1362 static int DetectIPProtoTestSetup36(void)
1363 {
1364  int result = 0;
1365  Signature *sig;
1366  const char *value1_str = "<11";
1367  const char *value2_str = "!34";
1368  const char *value3_str = ">36";
1369  int value3 = 36;
1370  int i;
1371 
1372  if ((sig = SigAlloc()) == NULL)
1373  goto end;
1374 
1375  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1376  sig->proto.flags |= DETECT_PROTO_ANY;
1377  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1378  goto end;
1379  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1380  goto end;
1381  for (i = 0; i < (value3 / 8); i++) {
1382  if (sig->proto.proto[i] != 0)
1383  goto end;
1384  }
1385  if (sig->proto.proto[value3 / 8] != 0xE0) {
1386  goto end;
1387  }
1388  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1389  if (sig->proto.proto[i] != 0xFF)
1390  goto end;
1391  }
1392  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1393  goto end;
1394 
1395  result = 1;
1396 
1397  end:
1398  SigFree(NULL, sig);
1399  return result;
1400 }
1401 
1402 static int DetectIPProtoTestSetup43(void)
1403 {
1404  int result = 0;
1405  Signature *sig;
1406  const char *value1_str = "!4";
1407  int value1 = 4;
1408  const char *value2_str = "<13";
1409  int value2 = 13;
1410  const char *value3_str = ">34";
1411  int i;
1412 
1413  if ((sig = SigAlloc()) == NULL)
1414  goto end;
1415 
1416  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1417  sig->proto.flags |= DETECT_PROTO_ANY;
1418  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1419  goto end;
1420  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1421  goto end;
1422  if (sig->proto.proto[value1 / 8] != 0xEF) {
1423  goto end;
1424  }
1425  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1426  if (sig->proto.proto[i] != 0xFF)
1427  goto end;
1428  }
1429  if (sig->proto.proto[value2 / 8] != 0x1F) {
1430  goto end;
1431  }
1432  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1433  if (sig->proto.proto[i] != 0)
1434  goto end;
1435  }
1436  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1437  goto end;
1438 
1439  result = 1;
1440 
1441  end:
1442  SigFree(NULL, sig);
1443  return result;
1444 }
1445 
1446 static int DetectIPProtoTestSetup44(void)
1447 {
1448  int result = 0;
1449  Signature *sig;
1450  const char *value1_str = "!4";
1451  const char *value2_str = "<13";
1452  const char *value3_str = ">34";
1453  int value3 = 34;
1454  int i;
1455 
1456  if ((sig = SigAlloc()) == NULL)
1457  goto end;
1458 
1459  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1460  sig->proto.flags |= DETECT_PROTO_ANY;
1461  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1462  goto end;
1463  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1464  goto end;
1465  for (i = 0; i < (value3 / 8); i++) {
1466  if (sig->proto.proto[i] != 0)
1467  goto end;
1468  }
1469  if (sig->proto.proto[value3 / 8] != 0xF8) {
1470  goto end;
1471  }
1472  for (i = (value3 / 8) + 1; i < 256 / 8; i++) {
1473  if (sig->proto.proto[i] != 0xFF)
1474  goto end;
1475  }
1476  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1477  goto end;
1478 
1479  result = 1;
1480 
1481  end:
1482  SigFree(NULL, sig);
1483  return result;
1484 }
1485 
1486 static int DetectIPProtoTestSetup45(void)
1487 {
1488  int result = 0;
1489  Signature *sig;
1490  const char *value1_str = "!4";
1491  int value1 = 4;
1492  const char *value2_str = "<13";
1493  int value2 = 13;
1494  const char *value3_str = ">34";
1495  int i;
1496 
1497  if ((sig = SigAlloc()) == NULL)
1498  goto end;
1499 
1500  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1501  sig->proto.flags |= DETECT_PROTO_ANY;
1502  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1503  goto end;
1504  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1505  goto end;
1506  if (sig->proto.proto[value1 / 8] != 0xEF) {
1507  goto end;
1508  }
1509  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1510  if (sig->proto.proto[i] != 0xFF)
1511  goto end;
1512  }
1513  if (sig->proto.proto[value2 / 8] != 0x1F) {
1514  goto end;
1515  }
1516  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1517  if (sig->proto.proto[i] != 0)
1518  goto end;
1519  }
1520  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1521  goto end;
1522 
1523  result = 1;
1524 
1525  end:
1526  SigFree(NULL, sig);
1527  return result;
1528 }
1529 
1530 static int DetectIPProtoTestSetup56(void)
1531 {
1532  int result = 0;
1533  Signature *sig;
1534  const char *value1_str = "<13";
1535  int value1 = 13;
1536  const char *value2_str = ">34";
1537  const char *value3_str = "!37";
1538  int i;
1539 
1540  if ((sig = SigAlloc()) == NULL)
1541  goto end;
1542 
1543  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1544  sig->proto.flags |= DETECT_PROTO_ANY;
1545  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1546  goto end;
1547  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1548  goto end;
1549  for (i = 0; i < (value1 / 8); i++) {
1550  if (sig->proto.proto[i] != 0xFF)
1551  goto end;
1552  }
1553  if (sig->proto.proto[value1 / 8] != 0x1F) {
1554  goto end;
1555  }
1556  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1557  if (sig->proto.proto[i] != 0)
1558  goto end;
1559  }
1560  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1561  goto end;
1562 
1563  result = 1;
1564 
1565  end:
1566  SigFree(NULL, sig);
1567  return result;
1568 }
1569 
1570 static int DetectIPProtoTestSetup75(void)
1571 {
1572  int result = 0;
1573  Signature *sig;
1574  const char *value1_str = "!8";
1575  const char *value2_str = ">10";
1576  int value2 = 10;
1577  int i;
1578 
1579  if ((sig = SigAlloc()) == NULL)
1580  goto end;
1581 
1582  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1583  sig->proto.flags |= DETECT_PROTO_ANY;
1584  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1585  goto end;
1586  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1587  goto end;
1588  for (i = 0; i < (value2 / 8); i++) {
1589  if (sig->proto.proto[i] != 0)
1590  goto end;
1591  }
1592  if (sig->proto.proto[value2 / 8] != 0xF8) {
1593  goto end;
1594  }
1595  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1596  if (sig->proto.proto[i] != 0xFF)
1597  goto end;
1598  }
1599 
1600  result = 1;
1601 
1602  end:
1603  SigFree(NULL, sig);
1604  return result;
1605 }
1606 
1607 static int DetectIPProtoTestSetup76(void)
1608 {
1609  int result = 0;
1610  Signature *sig;
1611  const char *value1_str = "!8";
1612  const char *value2_str = ">10";
1613  int value2 = 10;
1614  int i;
1615 
1616  if ((sig = SigAlloc()) == NULL)
1617  goto end;
1618 
1619  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1620  sig->proto.flags |= DETECT_PROTO_ANY;
1621  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1622  goto end;
1623  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1624  goto end;
1625  for (i = 0; i < (value2 / 8); i++) {
1626  if (sig->proto.proto[i] != 0)
1627  goto end;
1628  }
1629  if (sig->proto.proto[value2 / 8] != 0xF8) {
1630  goto end;
1631  }
1632  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1633  if (sig->proto.proto[i] != 0xFF)
1634  goto end;
1635  }
1636 
1637  result = 1;
1638 
1639  end:
1640  SigFree(NULL, sig);
1641  return result;
1642 }
1643 
1644 static int DetectIPProtoTestSetup129(void)
1645 {
1646  int result = 0;
1647  Signature *sig;
1648  const char *value1_str = "<10";
1649  int value1 = 10;
1650  const char *value2_str = ">10";
1651  int i;
1652 
1653  if ((sig = SigAlloc()) == NULL)
1654  goto end;
1655 
1656  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1657  sig->proto.flags |= DETECT_PROTO_ANY;
1658  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1659  goto end;
1660  for (i = 0; i < (value1 / 8); i++) {
1661  if (sig->proto.proto[i] != 0xFF)
1662  goto end;
1663  }
1664  if (sig->proto.proto[value1 / 8] != 0x03) {
1665  goto end;
1666  }
1667  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1668  if (sig->proto.proto[i] != 0)
1669  goto end;
1670  }
1671  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1672  goto end;
1673 
1674  result = 1;
1675 
1676  end:
1677  SigFree(NULL, sig);
1678  return result;
1679 }
1680 
1681 static int DetectIPProtoTestSetup130(void)
1682 {
1683  int result = 0;
1684  Signature *sig;
1685  const char *value1_str = "<10";
1686  const char *value2_str = ">10";
1687  int value2 = 10;
1688  int i;
1689 
1690  if ((sig = SigAlloc()) == NULL)
1691  goto end;
1692 
1693  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1694  sig->proto.flags |= DETECT_PROTO_ANY;
1695  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1696  goto end;
1697  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1698  goto end;
1699  for (i = 0; i < (value2 / 8); i++) {
1700  if (sig->proto.proto[i] != 0)
1701  goto end;
1702  }
1703  if (sig->proto.proto[value2 / 8] != 0xF8) {
1704  goto end;
1705  }
1706  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1707  if (sig->proto.proto[i] != 0xFF)
1708  goto end;
1709  }
1710 
1711  result = 1;
1712 
1713  end:
1714  SigFree(NULL, sig);
1715  return result;
1716 }
1717 
1718 static int DetectIPProtoTestSetup131(void)
1719 {
1720  int result = 0;
1721  Signature *sig;
1722  const char *value1_str = "<10";
1723  int value1 = 10;
1724  const char *value2_str = "!10";
1725  int i;
1726 
1727  if ((sig = SigAlloc()) == NULL)
1728  goto end;
1729 
1730  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1731  sig->proto.flags |= DETECT_PROTO_ANY;
1732  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1733  goto end;
1734  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1735  goto end;
1736  for (i = 0; i < (value1 / 8); i++) {
1737  if (sig->proto.proto[i] != 0xFF)
1738  goto end;
1739  }
1740  if (sig->proto.proto[value1 / 8] != 0x03) {
1741  goto end;
1742  }
1743  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1744  if (sig->proto.proto[i] != 0x0)
1745  goto end;
1746  }
1747 
1748  result = 1;
1749 
1750  end:
1751  SigFree(NULL, sig);
1752  return result;
1753 }
1754 
1755 static int DetectIPProtoTestSetup132(void)
1756 {
1757  int result = 0;
1758  Signature *sig;
1759  const char *value1_str = "<10";
1760  int value1 = 10;
1761  const char *value2_str = "!10";
1762  int i;
1763 
1764  if ((sig = SigAlloc()) == NULL)
1765  goto end;
1766 
1767  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1768  sig->proto.flags |= DETECT_PROTO_ANY;
1769  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1770  goto end;
1771  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1772  goto end;
1773  for (i = 0; i < (value1 / 8); i++) {
1774  if (sig->proto.proto[i] != 0xFF)
1775  goto end;
1776  }
1777  if (sig->proto.proto[value1 / 8] != 0x03) {
1778  goto end;
1779  }
1780  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1781  if (sig->proto.proto[i] != 0x0)
1782  goto end;
1783  }
1784 
1785  result = 1;
1786 
1787  end:
1788  SigFree(NULL, sig);
1789  return result;
1790 }
1791 
1792 static int DetectIPProtoTestSetup145(void)
1793 {
1794  int result = 0;
1795  Signature *sig;
1796  const char *value1_str = "!4";
1797  const char *value2_str = ">8";
1798  const char *value3_str = "!10";
1799  const char *value4_str = "!14";
1800  const char *value5_str = "!27";
1801  const char *value6_str = "!29";
1802  const char *value7_str = "!30";
1803  const char *value8_str = "!34";
1804  const char *value9_str = "<36";
1805  const char *value10_str = "!38";
1806  int value10 = 38;
1807 
1808  int i;
1809 
1810  if ((sig = SigAlloc()) == NULL)
1811  goto end;
1812 
1813  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1814  sig->proto.flags |= DETECT_PROTO_ANY;
1815  if (DetectIPProtoSetup(NULL, sig, value5_str) != 0)
1816  goto end;
1817  if (DetectIPProtoSetup(NULL, sig, value8_str) != 0)
1818  goto end;
1819  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1820  goto end;
1821  if (DetectIPProtoSetup(NULL, sig, value10_str) != 0)
1822  goto end;
1823  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1824  goto end;
1825  if (DetectIPProtoSetup(NULL, sig, value6_str) != 0)
1826  goto end;
1827  if (DetectIPProtoSetup(NULL, sig, value9_str) != 0)
1828  goto end;
1829  if (DetectIPProtoSetup(NULL, sig, value4_str) != 0)
1830  goto end;
1831  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1832  goto end;
1833  if (DetectIPProtoSetup(NULL, sig, value7_str) != 0)
1834  goto end;
1835  if (sig->proto.proto[0] != 0) {
1836  goto end;
1837  }
1838  if (sig->proto.proto[1] != 0xBA) {
1839  goto end;
1840  }
1841  if (sig->proto.proto[2] != 0xFF) {
1842  goto end;
1843  }
1844  if (sig->proto.proto[3] != 0x97) {
1845  goto end;
1846  }
1847  if (sig->proto.proto[4] != 0x0B) {
1848  goto end;
1849  }
1850  for (i = (value10 / 8) + 1; i < 256 / 8; i++) {
1851  if (sig->proto.proto[i] != 0)
1852  goto end;
1853  }
1854 
1855  result = 1;
1856 
1857  end:
1858  SigFree(NULL, sig);
1859  return result;
1860 }
1861 
1862 static int DetectIPProtoTestSig1(void)
1863 {
1864  int result = 0;
1865  uint8_t *buf = (uint8_t *)
1866  "GET /one/ HTTP/1.1\r\n"
1867  "Host: one.example.org\r\n"
1868  "\r\n";
1869  uint16_t buflen = strlen((char *)buf);
1870  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1871  if (p == NULL)
1872  return 0;
1873 
1874  const char *sigs[4];
1875  sigs[0] = "alert ip any any -> any any "
1876  "(msg:\"Not tcp\"; ip_proto:!tcp; content:\"GET \"; sid:1;)";
1877  sigs[1] = "alert ip any any -> any any "
1878  "(msg:\"Less than 7\"; content:\"GET \"; ip_proto:<7; sid:2;)";
1879  sigs[2] = "alert ip any any -> any any "
1880  "(msg:\"Greater than 5\"; content:\"GET \"; ip_proto:>5; sid:3;)";
1881  sigs[3] = "alert ip any any -> any any "
1882  "(msg:\"Equals tcp\"; content:\"GET \"; ip_proto:tcp; sid:4;)";
1883 
1884  /* sids to match */
1885  uint32_t sid[4] = {1, 2, 3, 4};
1886  /* expected matches for each sid within this packet we are testing */
1887  uint32_t results[4] = {0, 1, 1, 1};
1888 
1889  /* remember that UTHGenericTest expect the first parameter
1890  * as an array of packet pointers. And also a bidimensional array of results
1891  * For example:
1892  * results[numpacket][position] should hold the number of times
1893  * that the sid at sid[position] matched that packet (should be always 1..)
1894  * But here we built it as unidimensional array
1895  */
1896  result = UTHGenericTest(&p, 1, sigs, sid, results, 4);
1897 
1898  UTHFreePacket(p);
1899  return result;
1900 }
1901 
1902 static int DetectIPProtoTestSig2(void)
1903 {
1904  int result = 0;
1905 
1906  uint8_t raw_eth[] = {
1907  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1908  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1909  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1910  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1911  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1912  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1913  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
1914  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
1915  0x4a, 0xea, 0x7a, 0x8e,
1916  };
1917 
1918  Packet *p = PacketGetFromAlloc();
1919  if (unlikely(p == NULL))
1920  return 0;
1921 
1922  DecodeThreadVars dtv;
1923  ThreadVars th_v;
1924  DetectEngineThreadCtx *det_ctx = NULL;
1925 
1926  p->proto = 0;
1927  memset(&dtv, 0, sizeof(DecodeThreadVars));
1928  memset(&th_v, 0, sizeof(th_v));
1929 
1930  FlowInitConfig(FLOW_QUIET);
1931  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
1932 
1933  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1934  if (de_ctx == NULL) {
1935  goto end;
1936  }
1937 
1938  de_ctx->mpm_matcher = mpm_default_matcher;
1939  de_ctx->flags |= DE_QUIET;
1940 
1941  de_ctx->sig_list = SigInit(de_ctx,
1942  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
1943  "ip_proto:!103; sid:1;)");
1944  if (de_ctx->sig_list == NULL) {
1945  result = 0;
1946  goto end;
1947  }
1948 
1949  SigGroupBuild(de_ctx);
1950  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1951 
1952  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1953  if (PacketAlertCheck(p, 1) == 0) {
1954  result = 1;
1955  goto end;
1956  } else {
1957  result = 0;
1958  }
1959 
1960  SigGroupCleanup(de_ctx);
1961  SigCleanSignatures(de_ctx);
1962 
1963  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1964  DetectEngineCtxFree(de_ctx);
1965  FlowShutdown();
1966 
1967  SCFree(p);
1968  return result;
1969 
1970 end:
1971  if (de_ctx) {
1972  SigGroupCleanup(de_ctx);
1973  SigCleanSignatures(de_ctx);
1974  }
1975 
1976  if (det_ctx)
1977  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1978  if (de_ctx)
1979  DetectEngineCtxFree(de_ctx);
1980 
1981  FlowShutdown();
1982  SCFree(p);
1983 
1984  return result;
1985 }
1986 
1987 static int DetectIPProtoTestSig3(void)
1988 {
1989  int result = 0;
1990 
1991  uint8_t raw_eth[] = {
1992  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1993  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1994  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1995  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1996  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1997  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1998  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
1999  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
2000  0x4a, 0xea, 0x7a, 0x8e,
2001  };
2002 
2003  Packet *p = UTHBuildPacket((uint8_t *)"boom", 4, IPPROTO_TCP);
2004  if (p == NULL)
2005  return 0;
2006 
2007  DecodeThreadVars dtv;
2008  ThreadVars th_v;
2009  DetectEngineThreadCtx *det_ctx = NULL;
2010 
2011  p->proto = 0;
2012  memset(&dtv, 0, sizeof(DecodeThreadVars));
2013  memset(&th_v, 0, sizeof(th_v));
2014 
2015  FlowInitConfig(FLOW_QUIET);
2016  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
2017 
2018  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2019  if (de_ctx == NULL) {
2020  goto end;
2021  }
2022 
2023  de_ctx->mpm_matcher = mpm_default_matcher;
2024  de_ctx->flags |= DE_QUIET;
2025 
2026  de_ctx->sig_list = SigInit(de_ctx,
2027  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
2028  "ip_proto:103; sid:1;)");
2029  if (de_ctx->sig_list == NULL) {
2030  result = 0;
2031  goto end;
2032  }
2033 
2034  SigGroupBuild(de_ctx);
2035  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2036 
2037  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2038  if (!PacketAlertCheck(p, 1)) {
2039  result = 0;
2040  goto end;
2041  } else {
2042  result = 1;
2043  }
2044 
2045  SigGroupCleanup(de_ctx);
2046  SigCleanSignatures(de_ctx);
2047 
2048  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2049  DetectEngineCtxFree(de_ctx);
2050  FlowShutdown();
2051 
2052  SCFree(p);
2053  return result;
2054 
2055 end:
2056  if (de_ctx) {
2057  SigGroupCleanup(de_ctx);
2058  SigCleanSignatures(de_ctx);
2059  }
2060 
2061  if (det_ctx)
2062  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2063  if (de_ctx)
2064  DetectEngineCtxFree(de_ctx);
2065 
2066  FlowShutdown();
2067  SCFree(p);
2068 
2069  return result;
2070 }
2071 
2072 /**
2073  * \internal
2074  * \brief Register ip_proto tests.
2075  */
2076 static void DetectIPProtoRegisterTests(void)
2077 {
2078  UtRegisterTest("DetectIPProtoTestParse01", DetectIPProtoTestParse01);
2079  UtRegisterTest("DetectIPProtoTestParse02", DetectIPProtoTestParse02);
2080  UtRegisterTest("DetectIPProtoTestSetup01", DetectIPProtoTestSetup01);
2081  UtRegisterTest("DetectIPProtoTestSetup02", DetectIPProtoTestSetup02);
2082  UtRegisterTest("DetectIPProtoTestSetup03", DetectIPProtoTestSetup03);
2083  UtRegisterTest("DetectIPProtoTestSetup04", DetectIPProtoTestSetup04);
2084  UtRegisterTest("DetectIPProtoTestSetup05", DetectIPProtoTestSetup05);
2085  UtRegisterTest("DetectIPProtoTestSetup06", DetectIPProtoTestSetup06);
2086  UtRegisterTest("DetectIPProtoTestSetup07", DetectIPProtoTestSetup07);
2087  UtRegisterTest("DetectIPProtoTestSetup08", DetectIPProtoTestSetup08);
2088  UtRegisterTest("DetectIPProtoTestSetup09", DetectIPProtoTestSetup09);
2089  UtRegisterTest("DetectIPProtoTestSetup10", DetectIPProtoTestSetup10);
2090  UtRegisterTest("DetectIPProtoTestSetup11", DetectIPProtoTestSetup11);
2091  UtRegisterTest("DetectIPProtoTestSetup12", DetectIPProtoTestSetup12);
2092  UtRegisterTest("DetectIPProtoTestSetup13", DetectIPProtoTestSetup13);
2093  UtRegisterTest("DetectIPProtoTestSetup14", DetectIPProtoTestSetup14);
2094  UtRegisterTest("DetectIPProtoTestSetup15", DetectIPProtoTestSetup15);
2095  UtRegisterTest("DetectIPProtoTestSetup16", DetectIPProtoTestSetup16);
2096  UtRegisterTest("DetectIPProtoTestSetup17", DetectIPProtoTestSetup17);
2097  UtRegisterTest("DetectIPProtoTestSetup18", DetectIPProtoTestSetup18);
2098  UtRegisterTest("DetectIPProtoTestSetup19", DetectIPProtoTestSetup19);
2099  UtRegisterTest("DetectIPProtoTestSetup20", DetectIPProtoTestSetup20);
2100  UtRegisterTest("DetectIPProtoTestSetup21", DetectIPProtoTestSetup21);
2101  UtRegisterTest("DetectIPProtoTestSetup22", DetectIPProtoTestSetup22);
2102  UtRegisterTest("DetectIPProtoTestSetup23", DetectIPProtoTestSetup23);
2103  UtRegisterTest("DetectIPProtoTestSetup24", DetectIPProtoTestSetup24);
2104  UtRegisterTest("DetectIPProtoTestSetup33", DetectIPProtoTestSetup33);
2105  UtRegisterTest("DetectIPProtoTestSetup34", DetectIPProtoTestSetup34);
2106  UtRegisterTest("DetectIPProtoTestSetup36", DetectIPProtoTestSetup36);
2107  UtRegisterTest("DetectIPProtoTestSetup43", DetectIPProtoTestSetup43);
2108  UtRegisterTest("DetectIPProtoTestSetup44", DetectIPProtoTestSetup44);
2109  UtRegisterTest("DetectIPProtoTestSetup45", DetectIPProtoTestSetup45);
2110  UtRegisterTest("DetectIPProtoTestSetup56", DetectIPProtoTestSetup56);
2111  UtRegisterTest("DetectIPProtoTestSetup75", DetectIPProtoTestSetup75);
2112  UtRegisterTest("DetectIPProtoTestSetup76", DetectIPProtoTestSetup76);
2113  UtRegisterTest("DetectIPProtoTestSetup129", DetectIPProtoTestSetup129);
2114  UtRegisterTest("DetectIPProtoTestSetup130", DetectIPProtoTestSetup130);
2115  UtRegisterTest("DetectIPProtoTestSetup131", DetectIPProtoTestSetup131);
2116  UtRegisterTest("DetectIPProtoTestSetup132", DetectIPProtoTestSetup132);
2117  UtRegisterTest("DetectIPProtoTestSetup145", DetectIPProtoTestSetup145);
2118 
2119  UtRegisterTest("DetectIPProtoTestSig1", DetectIPProtoTestSig1);
2120  UtRegisterTest("DetectIPProtoTestSig2", DetectIPProtoTestSig2);
2121  UtRegisterTest("DetectIPProtoTestSig3", DetectIPProtoTestSig3);
2122 }
2123 #endif /* UNITTESTS */
DetectIPProtoRemoveAllSMs
void DetectIPProtoRemoveAllSMs(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-ipproto.c:430
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:45
SigTableElmt_::url
const char * url
Definition: detect.h:1270
Packet_::proto
uint8_t proto
Definition: decode.h:449
detect-engine.h
SigMatchRemoveSMFromList
void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list)
Definition: detect-parse.c:387
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1269
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2474
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:250
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1257
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:34
detect-engine-siggroup.h
DetectParseRegex
Definition: detect-parse.h:42
SigTableElmt_::name
const char * name
Definition: detect.h:1267
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1389
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1465
DetectIPProtoRegister
void DetectIPProtoRegister(void)
Registration function for ip_proto keyword.
Definition: detect-ipproto.c:60
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2115
results
struct DetectRfbSecresult_ results[]
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1261
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
DETECT_PROTO_ANY
#define DETECT_PROTO_ANY
Definition: detect-engine-proto.h:27
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:49
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1790
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:511
proto
uint8_t proto
Definition: decode-template.h:0
StringParseInt32
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:613
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:42
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1252
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:861
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:523
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:359
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1060
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2597
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:325
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:89
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:324
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:37
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2016
Signature_::flags
uint32_t flags
Definition: detect.h:549
Packet_
Definition: decode.h:427
detect-ipproto.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:619
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1235
DETECT_IPPROTO_OP_GT
#define DETECT_IPPROTO_OP_GT
Definition: detect-ipproto.h:31
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:542
util-proto-name.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
Definition: detect.h:260
DETECT_IPPROTO_OP_EQ
#define DETECT_IPPROTO_OP_EQ
Definition: detect-ipproto.h:28
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:38
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:33
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
Signature_::proto
DetectProto proto
Definition: detect.h:566
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3354
SigMatch_::type
uint16_t type
Definition: detect.h:322
DETECT_IPPROTO_OP_LT
#define DETECT_IPPROTO_OP_LT
Definition: detect-ipproto.h:30
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:667
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:817
DetectIPProtoData_::op
uint8_t op
Definition: detect-ipproto.h:35
UTHGenericTest
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perfom a generic check taking care of as maximum common unittest elemen...
Definition: util-unittest-helper.c:604
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:654
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
detect-parse.h
Signature_
Signature container.
Definition: detect.h:548
SigMatch_
a single match condition for a signature
Definition: detect.h:321
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
DetectIPProtoData_
Definition: detect-ipproto.h:34
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:42
SCGetProtoByName
bool SCGetProtoByName(const char *protoname, uint8_t *proto_number)
Function to return the protocol number for a named protocol. Note that protocol name aliases are hono...
Definition: util-proto-name.c:467
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our options.
Definition: detect-ipproto.c:50
DETECT_IPPROTO_OP_NOT
#define DETECT_IPPROTO_OP_NOT
Definition: detect-ipproto.h:29
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1264
DETECT_IPPROTO
@ DETECT_IPPROTO
Definition: detect-engine-register.h:78
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
detect-engine-address.h
debug.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1259
DetectIPProtoData_::proto
uint8_t proto
Definition: detect-ipproto.h:36
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:223