suricata
detect-ipproto.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  *
23  * Implements the ip_proto keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "detect-ipproto.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-build.h"
36 
37 #include "detect-engine-siggroup.h"
38 #include "detect-engine-address.h"
39 
40 #include "util-byte.h"
41 #include "util-proto-name.h"
42 #include "util-unittest.h"
43 #include "util-unittest-helper.h"
44 
45 #include "util-debug.h"
46 
47 /**
48  * \brief Regex for parsing our options
49  */
50 #define PARSE_REGEX "^([!<>]?)\\s*([^\\s]+)$"
51 
52 static DetectParseRegex parse_regex;
53 
54 static int DetectIPProtoSetup(DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectIPProtoRegisterTests(void);
57 #endif
58 static void DetectIPProtoFree(DetectEngineCtx *, void *);
59 
60 void DetectIPProtoRegister(void)
61 {
62  sigmatch_table[DETECT_IPPROTO].name = "ip_proto";
63  sigmatch_table[DETECT_IPPROTO].desc = "match on the IP protocol in the packet-header";
64  sigmatch_table[DETECT_IPPROTO].url = "/rules/header-keywords.html#ip-proto";
65  sigmatch_table[DETECT_IPPROTO].Match = NULL;
66  sigmatch_table[DETECT_IPPROTO].Setup = DetectIPProtoSetup;
67  sigmatch_table[DETECT_IPPROTO].Free = DetectIPProtoFree;
68 #ifdef UNITTESTS
69  sigmatch_table[DETECT_IPPROTO].RegisterTests = DetectIPProtoRegisterTests;
70 #endif
71  sigmatch_table[DETECT_IPPROTO].flags = SIGMATCH_QUOTES_OPTIONAL;
72 
73  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
74 }
75 
76 /**
77  * \internal
78  * \brief Parse ip_proto options string.
79  *
80  * \param optstr Options string to parse
81  *
82  * \return New ip_proto data structure
83  */
84 static DetectIPProtoData *DetectIPProtoParse(const char *optstr)
85 {
86  DetectIPProtoData *data = NULL;
87  char *args[2] = { NULL, NULL };
88  int res = 0;
89  size_t pcre2_len;
90  int i;
91  const char *str_ptr;
92 
93  /* Execute the regex and populate args with captures. */
94  pcre2_match_data *match = NULL;
95  int ret = DetectParsePcreExec(&parse_regex, &match, optstr, 0, 0);
96  if (ret != 3) {
97  SCLogError("pcre_exec parse error, ret"
98  "%" PRId32 ", string %s",
99  ret, optstr);
100  goto error;
101  }
102 
103  for (i = 0; i < (ret - 1); i++) {
104  res = pcre2_substring_get_bynumber(match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
105  if (res < 0) {
106  SCLogError("pcre2_substring_get_bynumber failed");
107  goto error;
108  }
109  args[i] = (char *)str_ptr;
110  }
111 
112  /* Initialize the data */
113  data = SCMalloc(sizeof(DetectIPProtoData));
114  if (unlikely(data == NULL))
115  goto error;
116  data->op = DETECT_IPPROTO_OP_EQ;
117  data->proto = 0;
118 
119  /* Operator */
120  if (*(args[0]) != '\0') {
121  data->op = *(args[0]);
122  }
123 
124  /* Protocol name/number */
125  if (!isdigit((unsigned char)*(args[1]))) {
126  uint8_t proto;
127  if (!SCGetProtoByName(args[1], &proto)) {
128  SCLogError("Unknown protocol name: \"%s\"", str_ptr);
129  goto error;
130  }
131  data->proto = proto;
132  }
133  else {
134  if (StringParseUint8(&data->proto, 10, 0, args[1]) <= 0) {
135  SCLogError("Malformed protocol number: %s", str_ptr);
136  goto error;
137  }
138  }
139 
140  for (i = 0; i < (ret - 1); i++){
141  if (args[i] != NULL)
142  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
143  }
144 
145  pcre2_match_data_free(match);
146  return data;
147 
148 error:
149  if (match) {
150  pcre2_match_data_free(match);
151  }
152  for (i = 0; i < (ret - 1) && i < 2; i++){
153  if (args[i] != NULL)
154  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
155  }
156  if (data != NULL)
157  SCFree(data);
158 
159  return NULL;
160 }
161 
162 static int DetectIPProtoTypePresentForOP(Signature *s, uint8_t op)
163 {
164  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
165  DetectIPProtoData *data;
166 
167  while (sm != NULL) {
168  if (sm->type == DETECT_IPPROTO) {
169  data = (DetectIPProtoData *)sm->ctx;
170  if (data->op == op)
171  return 1;
172  }
173  sm = sm->next;
174  }
175 
176  return 0;
177 }
178 
179 /**
180  * \internal
181  * \brief Setup ip_proto keyword.
182  *
183  * \param de_ctx Detection engine context
184  * \param s Signature
185  * \param optstr Options string
186  *
187  * \return Non-zero on error
188  */
189 static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
190 {
191  int i;
192 
193  DetectIPProtoData *data = DetectIPProtoParse(optstr);
194  if (data == NULL) {
195  return -1;
196  }
197 
198  /* Reset our "any" (or "ip") state: for ipv4, ipv6 and ip cases, the bitfield
199  * s->proto.proto have all bit set to 1 to be able to match any protocols. ipproto
200  * will refined the protocol list and thus it needs to reset the bitfield to zero
201  * before setting the value specified by the ip_proto keyword.
202  */
203  if (s->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) {
204  s->proto.flags &= ~DETECT_PROTO_ANY;
205  memset(s->proto.proto, 0x00, sizeof(s->proto.proto));
206  s->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
207  } else {
208  /* The ipproto engine has a relationship with the protocol that is
209  * set after the action and also the app protocol(that can also be
210  * set through the app-layer-protocol.
211  * An ip_proto keyword can be used only with alert ip, which if
212  * not true we error out on the sig. And hence the init_flag to
213  * indicate this. */
214  if (!(s->init_data->init_flags & SIG_FLAG_INIT_FIRST_IPPROTO_SEEN)) {
215  SCLogError("Signature can use "
216  "ip_proto keyword only when we use alert ip, "
217  "in which case the _ANY flag is set on the sig "
218  "and the if condition should match.");
219  goto error;
220  }
221  }
222 
223  int eq_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_EQ);
224  int gt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_GT);
225  int lt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_LT);
226  int not_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_NOT);
227 
228  switch (data->op) {
229  case DETECT_IPPROTO_OP_EQ:
230  if (eq_set || gt_set || lt_set || not_set) {
231  SCLogError("can't use a eq "
232  "ipproto without any operators attached to "
233  "them in the same sig");
234  goto error;
235  }
236  s->proto.proto[data->proto / 8] |= 1 << (data->proto % 8);
237  break;
238 
239  case DETECT_IPPROTO_OP_GT:
240  if (eq_set || gt_set) {
241  SCLogError("can't use a eq or gt "
242  "ipproto along with a greater than ipproto in the "
243  "same sig ");
244  goto error;
245  }
246  if (!lt_set && !not_set) {
247  s->proto.proto[data->proto / 8] = (uint8_t)(0xfe << (data->proto % 8));
248  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
249  s->proto.proto[i] = 0xff;
250  }
251  } else if (lt_set && !not_set) {
252  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
253  while (temp_sm != NULL) {
254  if (temp_sm->type == DETECT_IPPROTO) {
255  break;
256  }
257  temp_sm = temp_sm->next;
258  }
259  if (temp_sm != NULL) {
260  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
261  if (data_temp->proto <= data->proto) {
262  SCLogError("can't have "
263  "both gt and lt ipprotos, with the lt being "
264  "lower than gt value");
265  goto error;
266  } else {
267  for (i = 0; i < (data->proto / 8); i++) {
268  s->proto.proto[i] = 0;
269  }
270  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
271  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
272  s->proto.proto[i] &= 0xff;
273  }
274  }
275  }
276  } else if (!lt_set && not_set) {
277  for (i = 0; i < (data->proto / 8); i++) {
278  s->proto.proto[i] = 0;
279  }
280  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
281  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
282  s->proto.proto[i] &= 0xff;
283  }
284  } else {
285  DetectIPProtoData *data_temp;
286  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
287  while (temp_sm != NULL) {
288  if (temp_sm->type == DETECT_IPPROTO &&
289  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_LT) {
290  break;
291  }
292  temp_sm = temp_sm->next;
293  }
294  if (temp_sm != NULL) {
295  data_temp = (DetectIPProtoData *)temp_sm->ctx;
296  if (data_temp->proto <= data->proto) {
297  SCLogError("can't have "
298  "both gt and lt ipprotos, with the lt being "
299  "lower than gt value");
300  goto error;
301  } else {
302  for (i = 0; i < (data->proto / 8); i++) {
303  s->proto.proto[i] = 0;
304  }
305  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
306  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
307  s->proto.proto[i] &= 0xff;
308  }
309  }
310  }
311  }
312  break;
313 
314  case DETECT_IPPROTO_OP_LT:
315  if (eq_set || lt_set) {
316  SCLogError("can't use a eq or lt "
317  "ipproto with a less than ipproto in the "
318  "same sig ");
319  goto error;
320  }
321  if (!gt_set && !not_set) {
322  for (i = 0; i < (data->proto / 8); i++) {
323  s->proto.proto[i] = 0xff;
324  }
325  s->proto.proto[data->proto / 8] = (uint8_t)(~(0xff << (data->proto % 8)));
326  } else if (gt_set && !not_set) {
327  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
328  while (temp_sm != NULL) {
329  if (temp_sm->type == DETECT_IPPROTO) {
330  break;
331  }
332  temp_sm = temp_sm->next;
333  }
334  if (temp_sm != NULL) {
335  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
336  if (data_temp->proto >= data->proto) {
337  SCLogError("can't have "
338  "both gt and lt ipprotos, with the lt being "
339  "lower than gt value");
340  goto error;
341  } else {
342  for (i = 0; i < (data->proto / 8); i++) {
343  s->proto.proto[i] &= 0xff;
344  }
345  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
346  for (i = (data->proto / 8) + 1; i < 256 / 8; i++) {
347  s->proto.proto[i] = 0;
348  }
349  }
350  }
351  } else if (!gt_set && not_set) {
352  for (i = 0; i < (data->proto / 8); i++) {
353  s->proto.proto[i] &= 0xFF;
354  }
355  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
356  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
357  s->proto.proto[i] = 0;
358  }
359  } else {
360  DetectIPProtoData *data_temp;
361  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
362  while (temp_sm != NULL) {
363  if (temp_sm->type == DETECT_IPPROTO &&
364  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_GT) {
365  break;
366  }
367  temp_sm = temp_sm->next;
368  }
369  if (temp_sm != NULL) {
370  data_temp = (DetectIPProtoData *)temp_sm->ctx;
371  if (data_temp->proto >= data->proto) {
372  SCLogError("can't have "
373  "both gt and lt ipprotos, with the lt being "
374  "lower than gt value");
375  goto error;
376  } else {
377  for (i = 0; i < (data->proto / 8); i++) {
378  s->proto.proto[i] &= 0xFF;
379  }
380  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
381  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
382  s->proto.proto[i] = 0;
383  }
384  }
385  }
386  }
387  break;
388 
389  case DETECT_IPPROTO_OP_NOT:
390  if (eq_set) {
391  SCLogError("can't use a eq "
392  "ipproto along with a not ipproto in the "
393  "same sig ");
394  goto error;
395  }
396  if (!gt_set && !lt_set && !not_set) {
397  for (i = 0; i < (data->proto / 8); i++) {
398  s->proto.proto[i] = 0xff;
399  }
400  s->proto.proto[data->proto / 8] = (uint8_t)(~(1 << (data->proto % 8)));
401  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
402  s->proto.proto[i] = 0xff;
403  }
404  } else {
405  for (i = 0; i < (data->proto / 8); i++) {
406  s->proto.proto[i] &= 0xff;
407  }
408  s->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8));
409  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
410  s->proto.proto[i] &= 0xff;
411  }
412  }
413  break;
414  }
415 
416  if (SCSigMatchAppendSMToList(
417  de_ctx, s, DETECT_IPPROTO, (SigMatchCtx *)data, DETECT_SM_LIST_MATCH) == NULL) {
418  goto error;
419  }
420  s->flags |= SIG_FLAG_REQUIRE_PACKET;
421 
422  return 0;
423 
424  error:
425 
426  DetectIPProtoFree(de_ctx, data);
427  return -1;
428 }
429 
430 void DetectIPProtoRemoveAllSMs(DetectEngineCtx *de_ctx, Signature *s)
431 {
432  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
433 
434  while (sm != NULL) {
435  if (sm->type != DETECT_IPPROTO) {
436  sm = sm->next;
437  continue;
438  }
439  SigMatch *tmp_sm = sm->next;
440  SigMatchRemoveSMFromList(s, sm, DETECT_SM_LIST_MATCH);
441  SigMatchFree(de_ctx, sm);
442  sm = tmp_sm;
443  }
444 }
445 
446 static void DetectIPProtoFree(DetectEngineCtx *de_ctx, void *ptr)
447 {
448  DetectIPProtoData *data = (DetectIPProtoData *)ptr;
449  if (data) {
450  SCFree(data);
451  }
452 }
453 
454 /* UNITTESTS */
455 #ifdef UNITTESTS
456 #include "detect-engine-alert.h"
457 
458 /**
459  * \test DetectIPProtoTestParse01 is a test for an invalid proto number
460  */
461 static int DetectIPProtoTestParse01(void)
462 {
463  DetectIPProtoData *data = DetectIPProtoParse("999");
464  FAIL_IF_NOT(data == NULL);
465  PASS;
466 }
467 
468 /**
469  * \test DetectIPProtoTestParse02 is a test for an invalid proto name
470  */
471 static int DetectIPProtoTestParse02(void)
472 {
473  DetectIPProtoData *data = DetectIPProtoParse("foobarbooeek");
474  FAIL_IF_NOT(data == NULL);
475  PASS;
476 }
477 
478 /**
479  * \test DetectIPProtoTestSetup01 is a test for a protocol number
480  */
481 static int DetectIPProtoTestSetup01(void)
482 {
483  const char *value_str = "14";
484  int value;
485  FAIL_IF(StringParseInt32(&value, 10, 0, (const char *)value_str) < 0);
486  int i;
487 
488  Signature *sig = SigAlloc();
489  FAIL_IF_NULL(sig);
490 
491  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
492  sig->proto.flags |= DETECT_PROTO_ANY;
493  DetectIPProtoSetup(NULL, sig, value_str);
494  for (i = 0; i < (value / 8); i++) {
495  FAIL_IF(sig->proto.proto[i] != 0);
496  }
497  FAIL_IF(sig->proto.proto[value / 8] != 0x40);
498  for (i = (value / 8) + 1; i < (256 / 8); i++) {
499  FAIL_IF(sig->proto.proto[i] != 0);
500  }
501  SigFree(NULL, sig);
502  PASS;
503 }
504 
505 /**
506  * \test DetectIPProtoTestSetup02 is a test for a protocol name
507  */
508 static int DetectIPProtoTestSetup02(void)
509 {
510  int result = 0;
511  Signature *sig = NULL;
512  const char *value_str = "tcp";
513  struct protoent *pent = getprotobyname(value_str);
514  if (pent == NULL) {
515  goto end;
516  }
517  uint8_t value = (uint8_t)pent->p_proto;
518  int i;
519 
520  if ((sig = SigAlloc()) == NULL)
521  goto end;
522 
523  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
524  sig->proto.flags |= DETECT_PROTO_ANY;
525  DetectIPProtoSetup(NULL, sig, value_str);
526  for (i = 0; i < (value / 8); i++) {
527  if (sig->proto.proto[i] != 0)
528  goto end;
529  }
530  if (sig->proto.proto[value / 8] != 0x40) {
531  goto end;
532  }
533  for (i = (value / 8) + 1; i < (256 / 8); i++) {
534  if (sig->proto.proto[i] != 0)
535  goto end;
536  }
537 
538  result = 1;
539 
540  end:
541  if (sig != NULL)
542  SigFree(NULL, sig);
543  return result;
544 }
545 
546 /**
547  * \test DetectIPProtoTestSetup03 is a test for a < operator
548  */
549 static int DetectIPProtoTestSetup03(void)
550 {
551  int result = 0;
552  Signature *sig;
553  const char *value_str = "<14";
554  int value = 14;
555  int i;
556 
557  if ((sig = SigAlloc()) == NULL)
558  goto end;
559 
560  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
561  sig->proto.flags |= DETECT_PROTO_ANY;
562  DetectIPProtoSetup(NULL, sig, value_str);
563  for (i = 0; i < (value / 8); i++) {
564  if (sig->proto.proto[i] != 0xFF)
565  goto end;
566  }
567  if (sig->proto.proto[value / 8] != 0x3F) {
568  goto end;
569  }
570  for (i = (value / 8) + 1; i < (256 / 8); i++) {
571  if (sig->proto.proto[i] != 0)
572  goto end;
573  }
574 
575  result = 1;
576 
577  end:
578  SigFree(NULL, sig);
579  return result;
580 }
581 
582 /**
583  * \test DetectIPProtoTestSetup04 is a test for a > operator
584  */
585 static int DetectIPProtoTestSetup04(void)
586 {
587  int result = 0;
588  Signature *sig;
589  const char *value_str = ">14";
590  int value = 14;
591  int i;
592 
593  if ((sig = SigAlloc()) == NULL)
594  goto end;
595 
596  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
597  sig->proto.flags |= DETECT_PROTO_ANY;
598  DetectIPProtoSetup(NULL, sig, value_str);
599  for (i = 0; i < (value / 8); i++) {
600  if (sig->proto.proto[i] != 0)
601  goto end;
602  }
603  if (sig->proto.proto[value / 8] != 0x80) {
604  goto end;
605  }
606  for (i = (value / 8) + 1; i < (256 / 8); i++) {
607  if (sig->proto.proto[i] != 0xFF)
608  goto end;
609  }
610 
611  result = 1;
612 
613  end:
614  SigFree(NULL, sig);
615  return result;
616 }
617 
618 /**
619  * \test DetectIPProtoTestSetup05 is a test for a ! operator
620  */
621 static int DetectIPProtoTestSetup05(void)
622 {
623  int result = 0;
624  Signature *sig;
625  const char *value_str = "!14";
626  int value = 14;
627  int i;
628 
629  if ((sig = SigAlloc()) == NULL)
630  goto end;
631 
632  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
633  sig->proto.flags |= DETECT_PROTO_ANY;
634  DetectIPProtoSetup(NULL, sig, value_str);
635  for (i = 0; i < (value / 8); i++) {
636  if (sig->proto.proto[i] != 0xFF)
637  goto end;
638  }
639  if (sig->proto.proto[value / 8] != 0xBF) {
640  goto end;
641  }
642  for (i = (value / 8) + 1; i < (256 / 8); i++) {
643  if (sig->proto.proto[i] != 0xFF)
644  goto end;
645  }
646 
647  result = 1;
648 
649  end:
650  SigFree(NULL, sig);
651  return result;
652 }
653 
654 /**
655  * \test Negative test.
656  */
657 static int DetectIPProtoTestSetup06(void)
658 {
659  int result = 0;
660  Signature *sig;
661  const char *value1_str = "14";
662  const char *value2_str = "15";
663 
664  if ((sig = SigAlloc()) == NULL)
665  goto end;
666 
667  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
668  sig->proto.flags |= DETECT_PROTO_ANY;
669  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
670  goto end;
671  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
672  goto end;
673 
674  result = 1;
675 
676  end:
677  SigFree(NULL, sig);
678  return result;
679 }
680 
681 /**
682  * \test Negative test.
683  */
684 static int DetectIPProtoTestSetup07(void)
685 {
686  int result = 0;
687  Signature *sig;
688  const char *value1_str = "14";
689  const char *value2_str = "<15";
690 
691  if ((sig = SigAlloc()) == NULL)
692  goto end;
693 
694  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
695  sig->proto.flags |= DETECT_PROTO_ANY;
696  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
697  goto end;
698  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
699  goto end;
700 
701  result = 1;
702 
703  end:
704  SigFree(NULL, sig);
705  return result;
706 }
707 
708 /**
709  * \test Negative test.
710  */
711 static int DetectIPProtoTestSetup08(void)
712 {
713  int result = 0;
714  Signature *sig;
715  const char *value1_str = "14";
716  const char *value2_str = ">15";
717 
718  if ((sig = SigAlloc()) == NULL)
719  goto end;
720 
721  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
722  sig->proto.flags |= DETECT_PROTO_ANY;
723  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
724  goto end;
725  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
726  goto end;
727 
728  result = 1;
729 
730  end:
731  SigFree(NULL, sig);
732  return result;
733 }
734 
735 /**
736  * \test Negative test.
737  */
738 static int DetectIPProtoTestSetup09(void)
739 {
740  int result = 0;
741  Signature *sig;
742  const char *value1_str = "14";
743  const char *value2_str = "!15";
744 
745  if ((sig = SigAlloc()) == NULL)
746  goto end;
747 
748  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
749  sig->proto.flags |= DETECT_PROTO_ANY;
750  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
751  goto end;
752  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
753  goto end;
754 
755  result = 1;
756 
757  end:
758  SigFree(NULL, sig);
759  return result;
760 }
761 
762 /**
763  * \test Negative test.
764  */
765 static int DetectIPProtoTestSetup10(void)
766 {
767  int result = 0;
768  Signature *sig;
769  const char *value1_str = ">14";
770  const char *value2_str = "15";
771 
772  if ((sig = SigAlloc()) == NULL)
773  goto end;
774 
775  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
776  sig->proto.flags |= DETECT_PROTO_ANY;
777  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
778  goto end;
779  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
780  goto end;
781 
782  result = 1;
783 
784  end:
785  SigFree(NULL, sig);
786  return result;
787 }
788 
789 /**
790  * \test Negative test.
791  */
792 static int DetectIPProtoTestSetup11(void)
793 {
794  int result = 0;
795  Signature *sig;
796  const char *value1_str = "<14";
797  const char *value2_str = "15";
798 
799  if ((sig = SigAlloc()) == NULL)
800  goto end;
801 
802  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
803  sig->proto.flags |= DETECT_PROTO_ANY;
804  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
805  goto end;
806  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
807  goto end;
808 
809  result = 1;
810 
811  end:
812  SigFree(NULL, sig);
813  return result;
814 }
815 
816 /**
817  * \test Negative test.
818  */
819 static int DetectIPProtoTestSetup12(void)
820 {
821  int result = 0;
822  Signature *sig;
823  const char *value1_str = "!14";
824  const char *value2_str = "15";
825 
826  if ((sig = SigAlloc()) == NULL)
827  goto end;
828 
829  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
830  sig->proto.flags |= DETECT_PROTO_ANY;
831  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
832  goto end;
833  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
834  goto end;
835 
836  result = 1;
837 
838  end:
839  SigFree(NULL, sig);
840  return result;
841 }
842 
843 /**
844  * \test Negative test.
845  */
846 static int DetectIPProtoTestSetup13(void)
847 {
848  int result = 0;
849  Signature *sig;
850  const char *value1_str = ">14";
851  const char *value2_str = ">15";
852 
853  if ((sig = SigAlloc()) == NULL)
854  goto end;
855 
856  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
857  sig->proto.flags |= DETECT_PROTO_ANY;
858  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
859  goto end;
860  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
861  goto end;
862 
863  result = 1;
864 
865  end:
866  SigFree(NULL, sig);
867  return result;
868 }
869 
870 static int DetectIPProtoTestSetup14(void)
871 {
872  int result = 0;
873  Signature *sig;
874  const char *value1_str = "<14";
875  const char *value2_str = "<15";
876 
877  if ((sig = SigAlloc()) == NULL)
878  goto end;
879 
880  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
881  sig->proto.flags |= DETECT_PROTO_ANY;
882  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
883  goto end;
884  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
885  goto end;
886 
887  result = 1;
888 
889  end:
890  SigFree(NULL, sig);
891  return result;
892 }
893 
894 static int DetectIPProtoTestSetup15(void)
895 {
896  int result = 0;
897  Signature *sig;
898  const char *value1_str = "<14";
899  int value1 = 14;
900  const char *value2_str = ">34";
901  int i;
902 
903  if ((sig = SigAlloc()) == NULL)
904  goto end;
905 
906  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
907  sig->proto.flags |= DETECT_PROTO_ANY;
908  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
909  goto end;
910  for (i = 0; i < (value1 / 8); i++) {
911  if (sig->proto.proto[i] != 0xFF)
912  goto end;
913  }
914  if (sig->proto.proto[value1 / 8] != 0x3F) {
915  goto end;
916  }
917  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
918  if (sig->proto.proto[i] != 0)
919  goto end;
920  }
921  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
922  goto end;
923 
924  result = 1;
925 
926  end:
927  SigFree(NULL, sig);
928  return result;
929 }
930 
931 static int DetectIPProtoTestSetup16(void)
932 {
933  int result = 0;
934  Signature *sig;
935  const char *value1_str = "<14";
936  const char *value2_str = ">34";
937  int value2 = 34;
938  int i;
939 
940  if ((sig = SigAlloc()) == NULL)
941  goto end;
942 
943  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
944  sig->proto.flags |= DETECT_PROTO_ANY;
945  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
946  goto end;
947  for (i = 0; i < (value2 / 8); i++) {
948  if (sig->proto.proto[i] != 0)
949  goto end;
950  }
951  if (sig->proto.proto[value2 / 8] != 0xF8) {
952  goto end;
953  }
954  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
955  if (sig->proto.proto[i] != 0xFF)
956  goto end;
957  }
958  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
959  goto end;
960 
961  result = 1;
962 
963  end:
964  SigFree(NULL, sig);
965  return result;
966 }
967 
968 static int DetectIPProtoTestSetup17(void)
969 {
970  int result = 0;
971  Signature *sig;
972  const char *value1_str = "<11";
973  int value1 = 11;
974  const char *value2_str = ">13";
975  int i;
976 
977  if ((sig = SigAlloc()) == NULL)
978  goto end;
979 
980  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
981  sig->proto.flags |= DETECT_PROTO_ANY;
982  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
983  goto end;
984  for (i = 0; i < (value1 / 8); i++) {
985  if (sig->proto.proto[i] != 0xFF)
986  goto end;
987  }
988  if (sig->proto.proto[value1 / 8] != 0x07) {
989  goto end;
990  }
991  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
992  if (sig->proto.proto[i] != 0)
993  goto end;
994  }
995  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
996  goto end;
997 
998  result = 1;
999 
1000  end:
1001  SigFree(NULL, sig);
1002  return result;
1003 }
1004 
1005 static int DetectIPProtoTestSetup18(void)
1006 {
1007  int result = 0;
1008  Signature *sig;
1009  const char *value1_str = "<11";
1010  const char *value2_str = ">13";
1011  int value2 = 13;
1012  int i;
1013 
1014  if ((sig = SigAlloc()) == NULL)
1015  goto end;
1016 
1017  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1018  sig->proto.flags |= DETECT_PROTO_ANY;
1019  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1020  goto end;
1021  for (i = 0; i < (value2 / 8); i++) {
1022  if (sig->proto.proto[i] != 0)
1023  goto end;
1024  }
1025  if (sig->proto.proto[value2 / 8] != 0xC0) {
1026  goto end;
1027  }
1028  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1029  if (sig->proto.proto[i] != 0xFF)
1030  goto end;
1031  }
1032  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1033  goto end;
1034 
1035  result = 1;
1036 
1037  end:
1038  SigFree(NULL, sig);
1039  return result;
1040 }
1041 
1042 static int DetectIPProtoTestSetup19(void)
1043 {
1044  int result = 0;
1045  Signature *sig;
1046  const char *value1_str = "<11";
1047  int value1 = 11;
1048  const char *value2_str = "!13";
1049  const char *value3_str = ">36";
1050  int i;
1051 
1052  if ((sig = SigAlloc()) == NULL)
1053  goto end;
1054 
1055  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1056  sig->proto.flags |= DETECT_PROTO_ANY;
1057  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1058  goto end;
1059  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1060  goto end;
1061  for (i = 0; i < (value1 / 8); i++) {
1062  if (sig->proto.proto[i] != 0xFF)
1063  goto end;
1064  }
1065  if (sig->proto.proto[value1 / 8] != 0x07) {
1066  goto end;
1067  }
1068  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1069  if (sig->proto.proto[i] != 0)
1070  goto end;
1071  }
1072  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1073  goto end;
1074 
1075  result = 1;
1076 
1077  end:
1078  SigFree(NULL, sig);
1079  return result;
1080 }
1081 
1082 static int DetectIPProtoTestSetup20(void)
1083 {
1084  int result = 0;
1085  Signature *sig;
1086  const char *value1_str = "<11";
1087  int value1 = 11;
1088  const char *value3_str = ">36";
1089  int i;
1090 
1091  if ((sig = SigAlloc()) == NULL)
1092  goto end;
1093 
1094  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1095  sig->proto.flags |= DETECT_PROTO_ANY;
1096  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1097  goto end;
1098  for (i = 0; i < (value1 / 8); i++) {
1099  if (sig->proto.proto[i] != 0xFF)
1100  goto end;
1101  }
1102  if (sig->proto.proto[value1 / 8] != 0x07) {
1103  goto end;
1104  }
1105  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1106  if (sig->proto.proto[i] != 0)
1107  goto end;
1108  }
1109  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1110  goto end;
1111 
1112  result = 1;
1113 
1114  end:
1115  SigFree(NULL, sig);
1116  return result;
1117 }
1118 
1119 static int DetectIPProtoTestSetup21(void)
1120 {
1121  int result = 0;
1122  Signature *sig;
1123  const char *value1_str = "<11";
1124  int value1 = 11;
1125  const char *value2_str = "!13";
1126  const char *value3_str = ">36";
1127  int i;
1128 
1129  if ((sig = SigAlloc()) == NULL)
1130  goto end;
1131 
1132  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1133  sig->proto.flags |= DETECT_PROTO_ANY;
1134  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1135  goto end;
1136  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1137  goto end;
1138  for (i = 0; i < (value1 / 8); i++) {
1139  if (sig->proto.proto[i] != 0xFF)
1140  goto end;
1141  }
1142  if (sig->proto.proto[value1 / 8] != 0x07) {
1143  goto end;
1144  }
1145  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1146  if (sig->proto.proto[i] != 0)
1147  goto end;
1148  }
1149  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1150  goto end;
1151 
1152  result = 1;
1153 
1154  end:
1155  SigFree(NULL, sig);
1156  return result;
1157 }
1158 
1159 static int DetectIPProtoTestSetup22(void)
1160 {
1161  int result = 0;
1162  Signature *sig;
1163  const char *value1_str = "<11";
1164  const char *value2_str = "!13";
1165  const char *value3_str = ">36";
1166  int value3 = 36;
1167  int i;
1168 
1169  if ((sig = SigAlloc()) == NULL)
1170  goto end;
1171 
1172  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1173  sig->proto.flags |= DETECT_PROTO_ANY;
1174  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1175  goto end;
1176  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1177  goto end;
1178  for (i = 0; i < (value3 / 8); i++) {
1179  if (sig->proto.proto[i] != 0)
1180  goto end;
1181  }
1182  if (sig->proto.proto[value3 / 8] != 0xE0) {
1183  goto end;
1184  }
1185  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1186  if (sig->proto.proto[i] != 0xFF)
1187  goto end;
1188  }
1189  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1190  goto end;
1191 
1192  result = 1;
1193 
1194  end:
1195  SigFree(NULL, sig);
1196  return result;
1197 }
1198 
1199 static int DetectIPProtoTestSetup23(void)
1200 {
1201  int result = 0;
1202  Signature *sig;
1203  const char *value1_str = "<11";
1204  const char *value3_str = ">36";
1205  int value3 = 36;
1206  int i;
1207 
1208  if ((sig = SigAlloc()) == NULL)
1209  goto end;
1210 
1211  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1212  sig->proto.flags |= DETECT_PROTO_ANY;
1213  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1214  goto end;
1215  for (i = 0; i < (value3 / 8); i++) {
1216  if (sig->proto.proto[i] != 0)
1217  goto end;
1218  }
1219  if (sig->proto.proto[value3 / 8] != 0xE0) {
1220  goto end;
1221  }
1222  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1223  if (sig->proto.proto[i] != 0xFF)
1224  goto end;
1225  }
1226  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1227  goto end;
1228 
1229  result = 1;
1230 
1231  end:
1232  SigFree(NULL, sig);
1233  return result;
1234 }
1235 
1236 static int DetectIPProtoTestSetup24(void)
1237 {
1238  int result = 0;
1239  Signature *sig;
1240  const char *value1_str = "<11";
1241  const char *value2_str = "!13";
1242  const char *value3_str = ">36";
1243  int value3 = 36;
1244  int i;
1245 
1246  if ((sig = SigAlloc()) == NULL)
1247  goto end;
1248 
1249  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1250  sig->proto.flags |= DETECT_PROTO_ANY;
1251  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1252  goto end;
1253  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1254  goto end;
1255  for (i = 0; i < (value3 / 8); i++) {
1256  if (sig->proto.proto[i] != 0)
1257  goto end;
1258  }
1259  if (sig->proto.proto[value3 / 8] != 0xE0) {
1260  goto end;
1261  }
1262  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1263  if (sig->proto.proto[i] != 0xFF)
1264  goto end;
1265  }
1266  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1267  goto end;
1268 
1269  result = 1;
1270 
1271  end:
1272  SigFree(NULL, sig);
1273  return result;
1274 }
1275 
1276 static int DetectIPProtoTestSetup33(void)
1277 {
1278  int result = 0;
1279  Signature *sig;
1280  const char *value1_str = "<11";
1281  int value1 = 11;
1282  const char *value2_str = "!34";
1283  const char *value3_str = ">36";
1284  int i;
1285 
1286  if ((sig = SigAlloc()) == NULL)
1287  goto end;
1288 
1289  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1290  sig->proto.flags |= DETECT_PROTO_ANY;
1291  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1292  goto end;
1293  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1294  goto end;
1295  for (i = 0; i < (value1 / 8); i++) {
1296  if (sig->proto.proto[i] != 0xFF)
1297  goto end;
1298  }
1299  if (sig->proto.proto[value1 / 8] != 0x07) {
1300  goto end;
1301  }
1302  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1303  if (sig->proto.proto[i] != 0)
1304  goto end;
1305  }
1306  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1307  goto end;
1308 
1309  result = 1;
1310 
1311  end:
1312  SigFree(NULL, sig);
1313  return result;
1314 }
1315 
1316 static int DetectIPProtoTestSetup34(void)
1317 {
1318  int result = 0;
1319  Signature *sig;
1320  const char *value1_str = "<11";
1321  int value1 = 11;
1322  const char *value2_str = "!34";
1323  const char *value3_str = ">36";
1324  int value3 = 36;
1325  int i;
1326 
1327  if ((sig = SigAlloc()) == NULL)
1328  goto end;
1329 
1330  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1331  sig->proto.flags |= DETECT_PROTO_ANY;
1332  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1333  goto end;
1334  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1335  goto end;
1336  for (i = 0; i < (value1 / 8); i++) {
1337  if (sig->proto.proto[i] != 0)
1338  goto end;
1339  }
1340  if (sig->proto.proto[value3 / 8] != 0xE0) {
1341  goto end;
1342  }
1343  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1344  if (sig->proto.proto[i] != 0xFF)
1345  goto end;
1346  }
1347  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1348  goto end;
1349 
1350  result = 1;
1351 
1352  end:
1353  SigFree(NULL, sig);
1354  return result;
1355 }
1356 
1357 static int DetectIPProtoTestSetup36(void)
1358 {
1359  int result = 0;
1360  Signature *sig;
1361  const char *value1_str = "<11";
1362  const char *value2_str = "!34";
1363  const char *value3_str = ">36";
1364  int value3 = 36;
1365  int i;
1366 
1367  if ((sig = SigAlloc()) == NULL)
1368  goto end;
1369 
1370  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1371  sig->proto.flags |= DETECT_PROTO_ANY;
1372  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1373  goto end;
1374  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1375  goto end;
1376  for (i = 0; i < (value3 / 8); i++) {
1377  if (sig->proto.proto[i] != 0)
1378  goto end;
1379  }
1380  if (sig->proto.proto[value3 / 8] != 0xE0) {
1381  goto end;
1382  }
1383  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1384  if (sig->proto.proto[i] != 0xFF)
1385  goto end;
1386  }
1387  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1388  goto end;
1389 
1390  result = 1;
1391 
1392  end:
1393  SigFree(NULL, sig);
1394  return result;
1395 }
1396 
1397 static int DetectIPProtoTestSetup43(void)
1398 {
1399  int result = 0;
1400  Signature *sig;
1401  const char *value1_str = "!4";
1402  int value1 = 4;
1403  const char *value2_str = "<13";
1404  int value2 = 13;
1405  const char *value3_str = ">34";
1406  int i;
1407 
1408  if ((sig = SigAlloc()) == NULL)
1409  goto end;
1410 
1411  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1412  sig->proto.flags |= DETECT_PROTO_ANY;
1413  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1414  goto end;
1415  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1416  goto end;
1417  if (sig->proto.proto[value1 / 8] != 0xEF) {
1418  goto end;
1419  }
1420  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1421  if (sig->proto.proto[i] != 0xFF)
1422  goto end;
1423  }
1424  if (sig->proto.proto[value2 / 8] != 0x1F) {
1425  goto end;
1426  }
1427  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1428  if (sig->proto.proto[i] != 0)
1429  goto end;
1430  }
1431  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1432  goto end;
1433 
1434  result = 1;
1435 
1436  end:
1437  SigFree(NULL, sig);
1438  return result;
1439 }
1440 
1441 static int DetectIPProtoTestSetup44(void)
1442 {
1443  int result = 0;
1444  Signature *sig;
1445  const char *value1_str = "!4";
1446  const char *value2_str = "<13";
1447  const char *value3_str = ">34";
1448  int value3 = 34;
1449  int i;
1450 
1451  if ((sig = SigAlloc()) == NULL)
1452  goto end;
1453 
1454  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1455  sig->proto.flags |= DETECT_PROTO_ANY;
1456  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1457  goto end;
1458  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1459  goto end;
1460  for (i = 0; i < (value3 / 8); i++) {
1461  if (sig->proto.proto[i] != 0)
1462  goto end;
1463  }
1464  if (sig->proto.proto[value3 / 8] != 0xF8) {
1465  goto end;
1466  }
1467  for (i = (value3 / 8) + 1; i < 256 / 8; i++) {
1468  if (sig->proto.proto[i] != 0xFF)
1469  goto end;
1470  }
1471  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1472  goto end;
1473 
1474  result = 1;
1475 
1476  end:
1477  SigFree(NULL, sig);
1478  return result;
1479 }
1480 
1481 static int DetectIPProtoTestSetup45(void)
1482 {
1483  int result = 0;
1484  Signature *sig;
1485  const char *value1_str = "!4";
1486  int value1 = 4;
1487  const char *value2_str = "<13";
1488  int value2 = 13;
1489  const char *value3_str = ">34";
1490  int i;
1491 
1492  if ((sig = SigAlloc()) == NULL)
1493  goto end;
1494 
1495  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1496  sig->proto.flags |= DETECT_PROTO_ANY;
1497  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1498  goto end;
1499  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1500  goto end;
1501  if (sig->proto.proto[value1 / 8] != 0xEF) {
1502  goto end;
1503  }
1504  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1505  if (sig->proto.proto[i] != 0xFF)
1506  goto end;
1507  }
1508  if (sig->proto.proto[value2 / 8] != 0x1F) {
1509  goto end;
1510  }
1511  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1512  if (sig->proto.proto[i] != 0)
1513  goto end;
1514  }
1515  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1516  goto end;
1517 
1518  result = 1;
1519 
1520  end:
1521  SigFree(NULL, sig);
1522  return result;
1523 }
1524 
1525 static int DetectIPProtoTestSetup56(void)
1526 {
1527  int result = 0;
1528  Signature *sig;
1529  const char *value1_str = "<13";
1530  int value1 = 13;
1531  const char *value2_str = ">34";
1532  const char *value3_str = "!37";
1533  int i;
1534 
1535  if ((sig = SigAlloc()) == NULL)
1536  goto end;
1537 
1538  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1539  sig->proto.flags |= DETECT_PROTO_ANY;
1540  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1541  goto end;
1542  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1543  goto end;
1544  for (i = 0; i < (value1 / 8); i++) {
1545  if (sig->proto.proto[i] != 0xFF)
1546  goto end;
1547  }
1548  if (sig->proto.proto[value1 / 8] != 0x1F) {
1549  goto end;
1550  }
1551  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1552  if (sig->proto.proto[i] != 0)
1553  goto end;
1554  }
1555  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1556  goto end;
1557 
1558  result = 1;
1559 
1560  end:
1561  SigFree(NULL, sig);
1562  return result;
1563 }
1564 
1565 static int DetectIPProtoTestSetup75(void)
1566 {
1567  int result = 0;
1568  Signature *sig;
1569  const char *value1_str = "!8";
1570  const char *value2_str = ">10";
1571  int value2 = 10;
1572  int i;
1573 
1574  if ((sig = SigAlloc()) == NULL)
1575  goto end;
1576 
1577  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1578  sig->proto.flags |= DETECT_PROTO_ANY;
1579  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1580  goto end;
1581  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1582  goto end;
1583  for (i = 0; i < (value2 / 8); i++) {
1584  if (sig->proto.proto[i] != 0)
1585  goto end;
1586  }
1587  if (sig->proto.proto[value2 / 8] != 0xF8) {
1588  goto end;
1589  }
1590  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1591  if (sig->proto.proto[i] != 0xFF)
1592  goto end;
1593  }
1594 
1595  result = 1;
1596 
1597  end:
1598  SigFree(NULL, sig);
1599  return result;
1600 }
1601 
1602 static int DetectIPProtoTestSetup76(void)
1603 {
1604  int result = 0;
1605  Signature *sig;
1606  const char *value1_str = "!8";
1607  const char *value2_str = ">10";
1608  int value2 = 10;
1609  int i;
1610 
1611  if ((sig = SigAlloc()) == NULL)
1612  goto end;
1613 
1614  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1615  sig->proto.flags |= DETECT_PROTO_ANY;
1616  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1617  goto end;
1618  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1619  goto end;
1620  for (i = 0; i < (value2 / 8); i++) {
1621  if (sig->proto.proto[i] != 0)
1622  goto end;
1623  }
1624  if (sig->proto.proto[value2 / 8] != 0xF8) {
1625  goto end;
1626  }
1627  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1628  if (sig->proto.proto[i] != 0xFF)
1629  goto end;
1630  }
1631 
1632  result = 1;
1633 
1634  end:
1635  SigFree(NULL, sig);
1636  return result;
1637 }
1638 
1639 static int DetectIPProtoTestSetup129(void)
1640 {
1641  int result = 0;
1642  Signature *sig;
1643  const char *value1_str = "<10";
1644  int value1 = 10;
1645  const char *value2_str = ">10";
1646  int i;
1647 
1648  if ((sig = SigAlloc()) == NULL)
1649  goto end;
1650 
1651  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1652  sig->proto.flags |= DETECT_PROTO_ANY;
1653  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1654  goto end;
1655  for (i = 0; i < (value1 / 8); i++) {
1656  if (sig->proto.proto[i] != 0xFF)
1657  goto end;
1658  }
1659  if (sig->proto.proto[value1 / 8] != 0x03) {
1660  goto end;
1661  }
1662  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1663  if (sig->proto.proto[i] != 0)
1664  goto end;
1665  }
1666  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1667  goto end;
1668 
1669  result = 1;
1670 
1671  end:
1672  SigFree(NULL, sig);
1673  return result;
1674 }
1675 
1676 static int DetectIPProtoTestSetup130(void)
1677 {
1678  int result = 0;
1679  Signature *sig;
1680  const char *value1_str = "<10";
1681  const char *value2_str = ">10";
1682  int value2 = 10;
1683  int i;
1684 
1685  if ((sig = SigAlloc()) == NULL)
1686  goto end;
1687 
1688  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1689  sig->proto.flags |= DETECT_PROTO_ANY;
1690  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1691  goto end;
1692  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1693  goto end;
1694  for (i = 0; i < (value2 / 8); i++) {
1695  if (sig->proto.proto[i] != 0)
1696  goto end;
1697  }
1698  if (sig->proto.proto[value2 / 8] != 0xF8) {
1699  goto end;
1700  }
1701  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1702  if (sig->proto.proto[i] != 0xFF)
1703  goto end;
1704  }
1705 
1706  result = 1;
1707 
1708  end:
1709  SigFree(NULL, sig);
1710  return result;
1711 }
1712 
1713 static int DetectIPProtoTestSetup131(void)
1714 {
1715  int result = 0;
1716  Signature *sig;
1717  const char *value1_str = "<10";
1718  int value1 = 10;
1719  const char *value2_str = "!10";
1720  int i;
1721 
1722  if ((sig = SigAlloc()) == NULL)
1723  goto end;
1724 
1725  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1726  sig->proto.flags |= DETECT_PROTO_ANY;
1727  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1728  goto end;
1729  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1730  goto end;
1731  for (i = 0; i < (value1 / 8); i++) {
1732  if (sig->proto.proto[i] != 0xFF)
1733  goto end;
1734  }
1735  if (sig->proto.proto[value1 / 8] != 0x03) {
1736  goto end;
1737  }
1738  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1739  if (sig->proto.proto[i] != 0x0)
1740  goto end;
1741  }
1742 
1743  result = 1;
1744 
1745  end:
1746  SigFree(NULL, sig);
1747  return result;
1748 }
1749 
1750 static int DetectIPProtoTestSetup132(void)
1751 {
1752  int result = 0;
1753  Signature *sig;
1754  const char *value1_str = "<10";
1755  int value1 = 10;
1756  const char *value2_str = "!10";
1757  int i;
1758 
1759  if ((sig = SigAlloc()) == NULL)
1760  goto end;
1761 
1762  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1763  sig->proto.flags |= DETECT_PROTO_ANY;
1764  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1765  goto end;
1766  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1767  goto end;
1768  for (i = 0; i < (value1 / 8); i++) {
1769  if (sig->proto.proto[i] != 0xFF)
1770  goto end;
1771  }
1772  if (sig->proto.proto[value1 / 8] != 0x03) {
1773  goto end;
1774  }
1775  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1776  if (sig->proto.proto[i] != 0x0)
1777  goto end;
1778  }
1779 
1780  result = 1;
1781 
1782  end:
1783  SigFree(NULL, sig);
1784  return result;
1785 }
1786 
1787 static int DetectIPProtoTestSetup145(void)
1788 {
1789  int result = 0;
1790  Signature *sig;
1791  const char *value1_str = "!4";
1792  const char *value2_str = ">8";
1793  const char *value3_str = "!10";
1794  const char *value4_str = "!14";
1795  const char *value5_str = "!27";
1796  const char *value6_str = "!29";
1797  const char *value7_str = "!30";
1798  const char *value8_str = "!34";
1799  const char *value9_str = "<36";
1800  const char *value10_str = "!38";
1801  int value10 = 38;
1802 
1803  int i;
1804 
1805  if ((sig = SigAlloc()) == NULL)
1806  goto end;
1807 
1808  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1809  sig->proto.flags |= DETECT_PROTO_ANY;
1810  if (DetectIPProtoSetup(NULL, sig, value5_str) != 0)
1811  goto end;
1812  if (DetectIPProtoSetup(NULL, sig, value8_str) != 0)
1813  goto end;
1814  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1815  goto end;
1816  if (DetectIPProtoSetup(NULL, sig, value10_str) != 0)
1817  goto end;
1818  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1819  goto end;
1820  if (DetectIPProtoSetup(NULL, sig, value6_str) != 0)
1821  goto end;
1822  if (DetectIPProtoSetup(NULL, sig, value9_str) != 0)
1823  goto end;
1824  if (DetectIPProtoSetup(NULL, sig, value4_str) != 0)
1825  goto end;
1826  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1827  goto end;
1828  if (DetectIPProtoSetup(NULL, sig, value7_str) != 0)
1829  goto end;
1830  if (sig->proto.proto[0] != 0) {
1831  goto end;
1832  }
1833  if (sig->proto.proto[1] != 0xBA) {
1834  goto end;
1835  }
1836  if (sig->proto.proto[2] != 0xFF) {
1837  goto end;
1838  }
1839  if (sig->proto.proto[3] != 0x97) {
1840  goto end;
1841  }
1842  if (sig->proto.proto[4] != 0x0B) {
1843  goto end;
1844  }
1845  for (i = (value10 / 8) + 1; i < 256 / 8; i++) {
1846  if (sig->proto.proto[i] != 0)
1847  goto end;
1848  }
1849 
1850  result = 1;
1851 
1852  end:
1853  SigFree(NULL, sig);
1854  return result;
1855 }
1856 
1857 static int DetectIPProtoTestSig1(void)
1858 {
1859  int result = 0;
1860  uint8_t *buf = (uint8_t *)
1861  "GET /one/ HTTP/1.1\r\n"
1862  "Host: one.example.org\r\n"
1863  "\r\n";
1864  uint16_t buflen = strlen((char *)buf);
1865  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1866  if (p == NULL)
1867  return 0;
1868 
1869  const char *sigs[4];
1870  sigs[0] = "alert ip any any -> any any "
1871  "(msg:\"Not tcp\"; ip_proto:!tcp; content:\"GET \"; sid:1;)";
1872  sigs[1] = "alert ip any any -> any any "
1873  "(msg:\"Less than 7\"; content:\"GET \"; ip_proto:<7; sid:2;)";
1874  sigs[2] = "alert ip any any -> any any "
1875  "(msg:\"Greater than 5\"; content:\"GET \"; ip_proto:>5; sid:3;)";
1876  sigs[3] = "alert ip any any -> any any "
1877  "(msg:\"Equals tcp\"; content:\"GET \"; ip_proto:tcp; sid:4;)";
1878 
1879  /* sids to match */
1880  uint32_t sid[4] = {1, 2, 3, 4};
1881  /* expected matches for each sid within this packet we are testing */
1882  uint32_t results[4] = {0, 1, 1, 1};
1883 
1884  /* remember that UTHGenericTest expect the first parameter
1885  * as an array of packet pointers. And also a bidimensional array of results
1886  * For example:
1887  * results[numpacket][position] should hold the number of times
1888  * that the sid at sid[position] matched that packet (should be always 1..)
1889  * But here we built it as unidimensional array
1890  */
1891  result = UTHGenericTest(&p, 1, sigs, sid, results, 4);
1892 
1893  UTHFreePacket(p);
1894  return result;
1895 }
1896 
1897 static int DetectIPProtoTestSig2(void)
1898 {
1899  int result = 0;
1900 
1901  uint8_t raw_eth[] = {
1902  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1903  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1904  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1905  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1906  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1907  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1908  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
1909  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
1910  0x4a, 0xea, 0x7a, 0x8e,
1911  };
1912 
1913  Packet *p = PacketGetFromAlloc();
1914  if (unlikely(p == NULL))
1915  return 0;
1916 
1917  DecodeThreadVars dtv;
1918  ThreadVars th_v;
1919  DetectEngineThreadCtx *det_ctx = NULL;
1920 
1921  p->proto = 0;
1922  memset(&dtv, 0, sizeof(DecodeThreadVars));
1923  memset(&th_v, 0, sizeof(th_v));
1924 
1925  FlowInitConfig(FLOW_QUIET);
1926  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
1927 
1928  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1929  if (de_ctx == NULL) {
1930  goto end;
1931  }
1932 
1933  de_ctx->mpm_matcher = mpm_default_matcher;
1934  de_ctx->flags |= DE_QUIET;
1935 
1936  de_ctx->sig_list = SigInit(de_ctx,
1937  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
1938  "ip_proto:!103; sid:1;)");
1939  if (de_ctx->sig_list == NULL) {
1940  result = 0;
1941  goto end;
1942  }
1943 
1944  SigGroupBuild(de_ctx);
1945  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1946 
1947  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1948  if (PacketAlertCheck(p, 1) == 0) {
1949  result = 1;
1950  goto end;
1951  } else {
1952  result = 0;
1953  }
1954 
1955  SigGroupCleanup(de_ctx);
1956  SigCleanSignatures(de_ctx);
1957 
1958  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1959  DetectEngineCtxFree(de_ctx);
1960  FlowShutdown();
1961 
1962  SCFree(p);
1963  return result;
1964 
1965 end:
1966  if (de_ctx) {
1967  SigGroupCleanup(de_ctx);
1968  SigCleanSignatures(de_ctx);
1969  }
1970 
1971  if (det_ctx)
1972  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1973  if (de_ctx)
1974  DetectEngineCtxFree(de_ctx);
1975 
1976  FlowShutdown();
1977  SCFree(p);
1978 
1979  return result;
1980 }
1981 
1982 static int DetectIPProtoTestSig3(void)
1983 {
1984  uint8_t raw_eth[] = {
1985  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1986  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1987  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1988  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1989  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1990  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1991  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
1992  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
1993  0x4a, 0xea, 0x7a, 0x8e,
1994  };
1995 
1996  Packet *p = PacketGetFromAlloc();
1997  FAIL_IF_NULL(p);
1998 
1999  DecodeThreadVars dtv;
2000  ThreadVars th_v;
2001  DetectEngineThreadCtx *det_ctx = NULL;
2002 
2003  p->proto = 0;
2004  memset(&dtv, 0, sizeof(DecodeThreadVars));
2005  memset(&th_v, 0, sizeof(th_v));
2006 
2007  FlowInitConfig(FLOW_QUIET);
2008  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
2009 
2010  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2011  FAIL_IF(de_ctx == NULL);
2012  de_ctx->mpm_matcher = mpm_default_matcher;
2013  de_ctx->flags |= DE_QUIET;
2014 
2015  Signature *s = DetectEngineAppendSig(de_ctx,
2016  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
2017  "ip_proto:103; sid:1;)");
2018  FAIL_IF_NULL(s);
2019 
2020  SigGroupBuild(de_ctx);
2021  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2022 
2023  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2024  FAIL_IF(!PacketAlertCheck(p, 1));
2025  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2026  DetectEngineCtxFree(de_ctx);
2027  FlowShutdown();
2028 
2029  PacketFree(p);
2030  PASS;
2031 }
2032 
2033 /**
2034  * \internal
2035  * \brief Register ip_proto tests.
2036  */
2037 static void DetectIPProtoRegisterTests(void)
2038 {
2039  UtRegisterTest("DetectIPProtoTestParse01", DetectIPProtoTestParse01);
2040  UtRegisterTest("DetectIPProtoTestParse02", DetectIPProtoTestParse02);
2041  UtRegisterTest("DetectIPProtoTestSetup01", DetectIPProtoTestSetup01);
2042  UtRegisterTest("DetectIPProtoTestSetup02", DetectIPProtoTestSetup02);
2043  UtRegisterTest("DetectIPProtoTestSetup03", DetectIPProtoTestSetup03);
2044  UtRegisterTest("DetectIPProtoTestSetup04", DetectIPProtoTestSetup04);
2045  UtRegisterTest("DetectIPProtoTestSetup05", DetectIPProtoTestSetup05);
2046  UtRegisterTest("DetectIPProtoTestSetup06", DetectIPProtoTestSetup06);
2047  UtRegisterTest("DetectIPProtoTestSetup07", DetectIPProtoTestSetup07);
2048  UtRegisterTest("DetectIPProtoTestSetup08", DetectIPProtoTestSetup08);
2049  UtRegisterTest("DetectIPProtoTestSetup09", DetectIPProtoTestSetup09);
2050  UtRegisterTest("DetectIPProtoTestSetup10", DetectIPProtoTestSetup10);
2051  UtRegisterTest("DetectIPProtoTestSetup11", DetectIPProtoTestSetup11);
2052  UtRegisterTest("DetectIPProtoTestSetup12", DetectIPProtoTestSetup12);
2053  UtRegisterTest("DetectIPProtoTestSetup13", DetectIPProtoTestSetup13);
2054  UtRegisterTest("DetectIPProtoTestSetup14", DetectIPProtoTestSetup14);
2055  UtRegisterTest("DetectIPProtoTestSetup15", DetectIPProtoTestSetup15);
2056  UtRegisterTest("DetectIPProtoTestSetup16", DetectIPProtoTestSetup16);
2057  UtRegisterTest("DetectIPProtoTestSetup17", DetectIPProtoTestSetup17);
2058  UtRegisterTest("DetectIPProtoTestSetup18", DetectIPProtoTestSetup18);
2059  UtRegisterTest("DetectIPProtoTestSetup19", DetectIPProtoTestSetup19);
2060  UtRegisterTest("DetectIPProtoTestSetup20", DetectIPProtoTestSetup20);
2061  UtRegisterTest("DetectIPProtoTestSetup21", DetectIPProtoTestSetup21);
2062  UtRegisterTest("DetectIPProtoTestSetup22", DetectIPProtoTestSetup22);
2063  UtRegisterTest("DetectIPProtoTestSetup23", DetectIPProtoTestSetup23);
2064  UtRegisterTest("DetectIPProtoTestSetup24", DetectIPProtoTestSetup24);
2065  UtRegisterTest("DetectIPProtoTestSetup33", DetectIPProtoTestSetup33);
2066  UtRegisterTest("DetectIPProtoTestSetup34", DetectIPProtoTestSetup34);
2067  UtRegisterTest("DetectIPProtoTestSetup36", DetectIPProtoTestSetup36);
2068  UtRegisterTest("DetectIPProtoTestSetup43", DetectIPProtoTestSetup43);
2069  UtRegisterTest("DetectIPProtoTestSetup44", DetectIPProtoTestSetup44);
2070  UtRegisterTest("DetectIPProtoTestSetup45", DetectIPProtoTestSetup45);
2071  UtRegisterTest("DetectIPProtoTestSetup56", DetectIPProtoTestSetup56);
2072  UtRegisterTest("DetectIPProtoTestSetup75", DetectIPProtoTestSetup75);
2073  UtRegisterTest("DetectIPProtoTestSetup76", DetectIPProtoTestSetup76);
2074  UtRegisterTest("DetectIPProtoTestSetup129", DetectIPProtoTestSetup129);
2075  UtRegisterTest("DetectIPProtoTestSetup130", DetectIPProtoTestSetup130);
2076  UtRegisterTest("DetectIPProtoTestSetup131", DetectIPProtoTestSetup131);
2077  UtRegisterTest("DetectIPProtoTestSetup132", DetectIPProtoTestSetup132);
2078  UtRegisterTest("DetectIPProtoTestSetup145", DetectIPProtoTestSetup145);
2079 
2080  UtRegisterTest("DetectIPProtoTestSig1", DetectIPProtoTestSig1);
2081  UtRegisterTest("DetectIPProtoTestSig2", DetectIPProtoTestSig2);
2082  UtRegisterTest("DetectIPProtoTestSig3", DetectIPProtoTestSig3);
2083 }
2084 #endif /* UNITTESTS */
DetectIPProtoRemoveAllSMs
void DetectIPProtoRemoveAllSMs(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-ipproto.c:430
util-byte.h
SigTableElmt_::url
const char * url
Definition: detect.h:1462
Packet_::proto
uint8_t proto
Definition: decode.h:523
detect-engine.h
SigMatchRemoveSMFromList
void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list)
Definition: detect-parse.c:487
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:642
SigTableElmt_::desc
const char * desc
Definition: detect.h:1461
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:288
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1446
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:32
detect-engine-siggroup.h
DetectParseRegex
Definition: detect-parse.h:93
SigTableElmt_::name
const char * name
Definition: detect.h:1459
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:2057
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1664
DetectIPProtoRegister
void DetectIPProtoRegister(void)
Registration function for ip_proto keyword.
Definition: detect-ipproto.c:60
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1450
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DETECT_PROTO_ANY
#define DETECT_PROTO_ANY
Definition: detect-engine-proto.h:28
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2641
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:48
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2420
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:608
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:3491
proto
uint8_t proto
Definition: decode-template.h:0
StringParseInt32
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:622
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3437
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1441
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:547
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:361
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:3617
detect-engine-mpm.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:388
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3372
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:360
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:935
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:219
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:117
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3095
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:36
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2275
Signature_::flags
uint32_t flags
Definition: detect.h:669
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-engine-alert.h
detect-ipproto.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1421
DETECT_IPPROTO_OP_GT
#define DETECT_IPPROTO_OP_GT
Definition: detect-ipproto.h:31
util-proto-name.h
SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
Definition: detect.h:294
DETECT_IPPROTO_OP_EQ
#define DETECT_IPPROTO_OP_EQ
Definition: detect-ipproto.h:28
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2204
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:37
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:31
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
Signature_::proto
DetectProto proto
Definition: detect.h:687
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:357
DETECT_IPPROTO_OP_LT
#define DETECT_IPPROTO_OP_LT
Definition: detect-ipproto.h:30
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:691
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3608
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
DetectIPProtoData_::op
uint8_t op
Definition: detect-ipproto.h:35
UTHGenericTest
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perform a generic check taking care of as maximum common unittest eleme...
Definition: util-unittest-helper.c:571
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:258
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:267
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:963
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
SigMatch_
a single match condition for a signature
Definition: detect.h:356
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2602
DetectIPProtoData_
Definition: detect-ipproto.h:34
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
SCGetProtoByName
bool SCGetProtoByName(const char *protoname, uint8_t *proto_number)
Function to return the protocol number for a named protocol. Note that protocol name aliases are hono...
Definition: util-proto-name.c:466
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our options.
Definition: detect-ipproto.c:50
DETECT_IPPROTO_OP_NOT
#define DETECT_IPPROTO_OP_NOT
Definition: detect-ipproto.h:29
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1937
DETECT_IPPROTO
@ DETECT_IPPROTO
Definition: detect-engine-register.h:105
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
detect-engine-address.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1448
DetectIPProtoData_::proto
uint8_t proto
Definition: detect-ipproto.h:36
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:254