suricata
detect-ipproto.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  *
23  * Implements the ip_proto keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "detect-ipproto.h"
31 
32 #include "detect-parse.h"
33 #include "detect-engine.h"
34 #include "detect-engine-mpm.h"
35 #include "detect-engine-build.h"
36 
37 #include "detect-engine-siggroup.h"
38 #include "detect-engine-address.h"
39 
40 #include "util-byte.h"
41 #include "util-proto-name.h"
42 #include "util-unittest.h"
43 #include "util-unittest-helper.h"
44 
45 #include "util-debug.h"
46 
47 /**
48  * \brief Regex for parsing our options
49  */
50 #define PARSE_REGEX "^([!<>]?)\\s*([^\\s]+)$"
51 
52 static DetectParseRegex parse_regex;
53 
54 static int DetectIPProtoSetup(DetectEngineCtx *, Signature *, const char *);
55 #ifdef UNITTESTS
56 static void DetectIPProtoRegisterTests(void);
57 #endif
58 static void DetectIPProtoFree(DetectEngineCtx *, void *);
59 
60 void DetectIPProtoRegister(void)
61 {
62  sigmatch_table[DETECT_IPPROTO].name = "ip_proto";
63  sigmatch_table[DETECT_IPPROTO].desc = "match on the IP protocol in the packet-header";
64  sigmatch_table[DETECT_IPPROTO].url = "/rules/header-keywords.html#ip-proto";
65  sigmatch_table[DETECT_IPPROTO].Match = NULL;
66  sigmatch_table[DETECT_IPPROTO].Setup = DetectIPProtoSetup;
67  sigmatch_table[DETECT_IPPROTO].Free = DetectIPProtoFree;
68 #ifdef UNITTESTS
69  sigmatch_table[DETECT_IPPROTO].RegisterTests = DetectIPProtoRegisterTests;
70 #endif
71  sigmatch_table[DETECT_IPPROTO].flags = SIGMATCH_QUOTES_OPTIONAL;
72 
73  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
74 }
75 
76 /**
77  * \internal
78  * \brief Parse ip_proto options string.
79  *
80  * \param optstr Options string to parse
81  *
82  * \return New ip_proto data structure
83  */
84 static DetectIPProtoData *DetectIPProtoParse(const char *optstr)
85 {
86  DetectIPProtoData *data = NULL;
87  char *args[2] = { NULL, NULL };
88  int ret = 0, res = 0;
89  size_t pcre2_len;
90  int i;
91  const char *str_ptr;
92 
93  /* Execute the regex and populate args with captures. */
94  ret = DetectParsePcreExec(&parse_regex, optstr, 0, 0);
95  if (ret != 3) {
96  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret"
97  "%" PRId32 ", string %s", ret, optstr);
98  goto error;
99  }
100 
101  for (i = 0; i < (ret - 1); i++) {
102  res = pcre2_substring_get_bynumber(
103  parse_regex.match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
104  if (res < 0) {
105  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre2_substring_get_bynumber failed");
106  goto error;
107  }
108  args[i] = (char *)str_ptr;
109  }
110 
111  /* Initialize the data */
112  data = SCMalloc(sizeof(DetectIPProtoData));
113  if (unlikely(data == NULL))
114  goto error;
115  data->op = DETECT_IPPROTO_OP_EQ;
116  data->proto = 0;
117 
118  /* Operator */
119  if (*(args[0]) != '\0') {
120  data->op = *(args[0]);
121  }
122 
123  /* Protocol name/number */
124  if (!isdigit((unsigned char)*(args[1]))) {
125  uint8_t proto;
126  if (!SCGetProtoByName(args[1], &proto)) {
127  SCLogError(SC_ERR_INVALID_VALUE, "Unknown protocol name: \"%s\"", str_ptr);
128  goto error;
129  }
130  data->proto = proto;
131  }
132  else {
133  if (StringParseUint8(&data->proto, 10, 0, args[1]) <= 0) {
134  SCLogError(SC_ERR_INVALID_VALUE, "Malformed protocol number: %s",
135  str_ptr);
136  goto error;
137  }
138  }
139 
140  for (i = 0; i < (ret - 1); i++){
141  if (args[i] != NULL)
142  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
143  }
144 
145  return data;
146 
147 error:
148  for (i = 0; i < (ret - 1) && i < 2; i++){
149  if (args[i] != NULL)
150  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
151  }
152  if (data != NULL)
153  SCFree(data);
154 
155  return NULL;
156 }
157 
158 static int DetectIPProtoTypePresentForOP(Signature *s, uint8_t op)
159 {
160  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
161  DetectIPProtoData *data;
162 
163  while (sm != NULL) {
164  if (sm->type == DETECT_IPPROTO) {
165  data = (DetectIPProtoData *)sm->ctx;
166  if (data->op == op)
167  return 1;
168  }
169  sm = sm->next;
170  }
171 
172  return 0;
173 }
174 
175 /**
176  * \internal
177  * \brief Setup ip_proto keyword.
178  *
179  * \param de_ctx Detection engine context
180  * \param s Signature
181  * \param optstr Options string
182  *
183  * \return Non-zero on error
184  */
185 static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
186 {
187  SigMatch *sm = NULL;
188  int i;
189 
190  DetectIPProtoData *data = DetectIPProtoParse(optstr);
191  if (data == NULL) {
192  return -1;
193  }
194 
195  /* Reset our "any" (or "ip") state: for ipv4, ipv6 and ip cases, the bitfield
196  * s->proto.proto have all bit set to 1 to be able to match any protocols. ipproto
197  * will refined the protocol list and thus it needs to reset the bitfield to zero
198  * before setting the value specified by the ip_proto keyword.
199  */
200  if (s->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) {
201  s->proto.flags &= ~DETECT_PROTO_ANY;
202  memset(s->proto.proto, 0x00, sizeof(s->proto.proto));
203  s->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
204  } else {
205  /* The ipproto engine has a relationship with the protocol that is
206  * set after the action and also the app protocol(that can also be
207  * set through the app-layer-protocol.
208  * An ip_proto keyword can be used only with alert ip, which if
209  * not true we error out on the sig. And hence the init_flag to
210  * indicate this. */
211  if (!(s->init_data->init_flags & SIG_FLAG_INIT_FIRST_IPPROTO_SEEN)) {
212  SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature can use "
213  "ip_proto keyword only when we use alert ip, "
214  "in which case the _ANY flag is set on the sig "
215  "and the if condition should match.");
216  goto error;
217  }
218  }
219 
220  int eq_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_EQ);
221  int gt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_GT);
222  int lt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_LT);
223  int not_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_NOT);
224 
225  switch (data->op) {
226  case DETECT_IPPROTO_OP_EQ:
227  if (eq_set || gt_set || lt_set || not_set) {
228  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq "
229  "ipproto without any operators attached to "
230  "them in the same sig");
231  goto error;
232  }
233  s->proto.proto[data->proto / 8] |= 1 << (data->proto % 8);
234  break;
235 
236  case DETECT_IPPROTO_OP_GT:
237  if (eq_set || gt_set) {
238  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq or gt "
239  "ipproto along with a greater than ipproto in the "
240  "same sig ");
241  goto error;
242  }
243  if (!lt_set && !not_set) {
244  s->proto.proto[data->proto / 8] = (uint8_t)(0xfe << (data->proto % 8));
245  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
246  s->proto.proto[i] = 0xff;
247  }
248  } else if (lt_set && !not_set) {
249  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
250  while (temp_sm != NULL) {
251  if (temp_sm->type == DETECT_IPPROTO) {
252  break;
253  }
254  temp_sm = temp_sm->next;
255  }
256  if (temp_sm != NULL) {
257  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
258  if (data_temp->proto <= data->proto) {
259  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
260  "both gt and lt ipprotos, with the lt being "
261  "lower than gt value");
262  goto error;
263  } else {
264  for (i = 0; i < (data->proto / 8); i++) {
265  s->proto.proto[i] = 0;
266  }
267  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
268  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
269  s->proto.proto[i] &= 0xff;
270  }
271  }
272  }
273  } else if (!lt_set && not_set) {
274  for (i = 0; i < (data->proto / 8); i++) {
275  s->proto.proto[i] = 0;
276  }
277  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
278  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
279  s->proto.proto[i] &= 0xff;
280  }
281  } else {
282  DetectIPProtoData *data_temp;
283  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
284  while (temp_sm != NULL) {
285  if (temp_sm->type == DETECT_IPPROTO &&
286  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_LT) {
287  break;
288  }
289  temp_sm = temp_sm->next;
290  }
291  if (temp_sm != NULL) {
292  data_temp = (DetectIPProtoData *)temp_sm->ctx;
293  if (data_temp->proto <= data->proto) {
294  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
295  "both gt and lt ipprotos, with the lt being "
296  "lower than gt value");
297  goto error;
298  } else {
299  for (i = 0; i < (data->proto / 8); i++) {
300  s->proto.proto[i] = 0;
301  }
302  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
303  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
304  s->proto.proto[i] &= 0xff;
305  }
306  }
307  }
308  }
309  break;
310 
311  case DETECT_IPPROTO_OP_LT:
312  if (eq_set || lt_set) {
313  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq or lt "
314  "ipproto along with a less than ipproto in the "
315  "same sig ");
316  goto error;
317  }
318  if (!gt_set && !not_set) {
319  for (i = 0; i < (data->proto / 8); i++) {
320  s->proto.proto[i] = 0xff;
321  }
322  s->proto.proto[data->proto / 8] = (uint8_t)(~(0xff << (data->proto % 8)));
323  } else if (gt_set && !not_set) {
324  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
325  while (temp_sm != NULL) {
326  if (temp_sm->type == DETECT_IPPROTO) {
327  break;
328  }
329  temp_sm = temp_sm->next;
330  }
331  if (temp_sm != NULL) {
332  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
333  if (data_temp->proto >= data->proto) {
334  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a have "
335  "both gt and lt ipprotos, with the lt being "
336  "lower than gt value");
337  goto error;
338  } else {
339  for (i = 0; i < (data->proto / 8); i++) {
340  s->proto.proto[i] &= 0xff;
341  }
342  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
343  for (i = (data->proto / 8) + 1; i < 256 / 8; i++) {
344  s->proto.proto[i] = 0;
345  }
346  }
347  }
348  } else if (!gt_set && not_set) {
349  for (i = 0; i < (data->proto / 8); i++) {
350  s->proto.proto[i] &= 0xFF;
351  }
352  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
353  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
354  s->proto.proto[i] = 0;
355  }
356  } else {
357  DetectIPProtoData *data_temp;
358  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
359  while (temp_sm != NULL) {
360  if (temp_sm->type == DETECT_IPPROTO &&
361  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_GT) {
362  break;
363  }
364  temp_sm = temp_sm->next;
365  }
366  if (temp_sm != NULL) {
367  data_temp = (DetectIPProtoData *)temp_sm->ctx;
368  if (data_temp->proto >= data->proto) {
369  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
370  "both gt and lt ipprotos, with the lt being "
371  "lower than gt value");
372  goto error;
373  } else {
374  for (i = 0; i < (data->proto / 8); i++) {
375  s->proto.proto[i] &= 0xFF;
376  }
377  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
378  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
379  s->proto.proto[i] = 0;
380  }
381  }
382  }
383  }
384  break;
385 
386  case DETECT_IPPROTO_OP_NOT:
387  if (eq_set) {
388  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq "
389  "ipproto along with a not ipproto in the "
390  "same sig ");
391  goto error;
392  }
393  if (!gt_set && !lt_set && !not_set) {
394  for (i = 0; i < (data->proto / 8); i++) {
395  s->proto.proto[i] = 0xff;
396  }
397  s->proto.proto[data->proto / 8] = (uint8_t)(~(1 << (data->proto % 8)));
398  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
399  s->proto.proto[i] = 0xff;
400  }
401  } else {
402  for (i = 0; i < (data->proto / 8); i++) {
403  s->proto.proto[i] &= 0xff;
404  }
405  s->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8));
406  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
407  s->proto.proto[i] &= 0xff;
408  }
409  }
410  break;
411  }
412 
413  sm = SigMatchAlloc();
414  if (sm == NULL)
415  goto error;
416  sm->type = DETECT_IPPROTO;
417  sm->ctx = (void *)data;
418  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
419  s->flags |= SIG_FLAG_REQUIRE_PACKET;
420 
421  return 0;
422 
423  error:
424 
425  DetectIPProtoFree(de_ctx, data);
426  return -1;
427 }
428 
429 
430 void DetectIPProtoRemoveAllSMs(DetectEngineCtx *de_ctx, Signature *s)
431 {
432  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
433 
434  while (sm != NULL) {
435  if (sm->type != DETECT_IPPROTO) {
436  sm = sm->next;
437  continue;
438  }
439  SigMatch *tmp_sm = sm->next;
440  SigMatchRemoveSMFromList(s, sm, DETECT_SM_LIST_MATCH);
441  SigMatchFree(de_ctx, sm);
442  sm = tmp_sm;
443  }
444 
445  return;
446 }
447 
448 static void DetectIPProtoFree(DetectEngineCtx *de_ctx, void *ptr)
449 {
450  DetectIPProtoData *data = (DetectIPProtoData *)ptr;
451  if (data) {
452  SCFree(data);
453  }
454 }
455 
456 /* UNITTESTS */
457 #ifdef UNITTESTS
458 #include "detect-engine-alert.h"
459 
460 /**
461  * \test DetectIPProtoTestParse01 is a test for an invalid proto number
462  */
463 static int DetectIPProtoTestParse01(void)
464 {
465  DetectIPProtoData *data = DetectIPProtoParse("999");
466  FAIL_IF_NOT(data == NULL);
467  PASS;
468 }
469 
470 /**
471  * \test DetectIPProtoTestParse02 is a test for an invalid proto name
472  */
473 static int DetectIPProtoTestParse02(void)
474 {
475  DetectIPProtoData *data = DetectIPProtoParse("foobarbooeek");
476  FAIL_IF_NOT(data == NULL);
477  PASS;
478 }
479 
480 /**
481  * \test DetectIPProtoTestSetup01 is a test for a protocol number
482  */
483 static int DetectIPProtoTestSetup01(void)
484 {
485  const char *value_str = "14";
486  int value;
487  FAIL_IF(StringParseInt32(&value, 10, 0, (const char *)value_str) < 0);
488  int i;
489 
490  Signature *sig = SigAlloc();
491  FAIL_IF_NULL(sig);
492 
493  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
494  sig->proto.flags |= DETECT_PROTO_ANY;
495  DetectIPProtoSetup(NULL, sig, value_str);
496  for (i = 0; i < (value / 8); i++) {
497  FAIL_IF(sig->proto.proto[i] != 0);
498  }
499  FAIL_IF(sig->proto.proto[value / 8] != 0x40);
500  for (i = (value / 8) + 1; i < (256 / 8); i++) {
501  FAIL_IF(sig->proto.proto[i] != 0);
502  }
503  SigFree(NULL, sig);
504  PASS;
505 }
506 
507 /**
508  * \test DetectIPProtoTestSetup02 is a test for a protocol name
509  */
510 static int DetectIPProtoTestSetup02(void)
511 {
512  int result = 0;
513  Signature *sig = NULL;
514  const char *value_str = "tcp";
515  struct protoent *pent = getprotobyname(value_str);
516  if (pent == NULL) {
517  goto end;
518  }
519  uint8_t value = (uint8_t)pent->p_proto;
520  int i;
521 
522  if ((sig = SigAlloc()) == NULL)
523  goto end;
524 
525  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
526  sig->proto.flags |= DETECT_PROTO_ANY;
527  DetectIPProtoSetup(NULL, sig, value_str);
528  for (i = 0; i < (value / 8); i++) {
529  if (sig->proto.proto[i] != 0)
530  goto end;
531  }
532  if (sig->proto.proto[value / 8] != 0x40) {
533  goto end;
534  }
535  for (i = (value / 8) + 1; i < (256 / 8); i++) {
536  if (sig->proto.proto[i] != 0)
537  goto end;
538  }
539 
540  result = 1;
541 
542  end:
543  if (sig != NULL)
544  SigFree(NULL, sig);
545  return result;
546 }
547 
548 /**
549  * \test DetectIPProtoTestSetup03 is a test for a < operator
550  */
551 static int DetectIPProtoTestSetup03(void)
552 {
553  int result = 0;
554  Signature *sig;
555  const char *value_str = "<14";
556  int value = 14;
557  int i;
558 
559  if ((sig = SigAlloc()) == NULL)
560  goto end;
561 
562  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
563  sig->proto.flags |= DETECT_PROTO_ANY;
564  DetectIPProtoSetup(NULL, sig, value_str);
565  for (i = 0; i < (value / 8); i++) {
566  if (sig->proto.proto[i] != 0xFF)
567  goto end;
568  }
569  if (sig->proto.proto[value / 8] != 0x3F) {
570  goto end;
571  }
572  for (i = (value / 8) + 1; i < (256 / 8); i++) {
573  if (sig->proto.proto[i] != 0)
574  goto end;
575  }
576 
577  result = 1;
578 
579  end:
580  SigFree(NULL, sig);
581  return result;
582 }
583 
584 /**
585  * \test DetectIPProtoTestSetup04 is a test for a > operator
586  */
587 static int DetectIPProtoTestSetup04(void)
588 {
589  int result = 0;
590  Signature *sig;
591  const char *value_str = ">14";
592  int value = 14;
593  int i;
594 
595  if ((sig = SigAlloc()) == NULL)
596  goto end;
597 
598  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
599  sig->proto.flags |= DETECT_PROTO_ANY;
600  DetectIPProtoSetup(NULL, sig, value_str);
601  for (i = 0; i < (value / 8); i++) {
602  if (sig->proto.proto[i] != 0)
603  goto end;
604  }
605  if (sig->proto.proto[value / 8] != 0x80) {
606  goto end;
607  }
608  for (i = (value / 8) + 1; i < (256 / 8); i++) {
609  if (sig->proto.proto[i] != 0xFF)
610  goto end;
611  }
612 
613  result = 1;
614 
615  end:
616  SigFree(NULL, sig);
617  return result;
618 }
619 
620 /**
621  * \test DetectIPProtoTestSetup05 is a test for a ! operator
622  */
623 static int DetectIPProtoTestSetup05(void)
624 {
625  int result = 0;
626  Signature *sig;
627  const char *value_str = "!14";
628  int value = 14;
629  int i;
630 
631  if ((sig = SigAlloc()) == NULL)
632  goto end;
633 
634  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
635  sig->proto.flags |= DETECT_PROTO_ANY;
636  DetectIPProtoSetup(NULL, sig, value_str);
637  for (i = 0; i < (value / 8); i++) {
638  if (sig->proto.proto[i] != 0xFF)
639  goto end;
640  }
641  if (sig->proto.proto[value / 8] != 0xBF) {
642  goto end;
643  }
644  for (i = (value / 8) + 1; i < (256 / 8); i++) {
645  if (sig->proto.proto[i] != 0xFF)
646  goto end;
647  }
648 
649  result = 1;
650 
651  end:
652  SigFree(NULL, sig);
653  return result;
654 }
655 
656 /**
657  * \test Negative test.
658  */
659 static int DetectIPProtoTestSetup06(void)
660 {
661  int result = 0;
662  Signature *sig;
663  const char *value1_str = "14";
664  const char *value2_str = "15";
665 
666  if ((sig = SigAlloc()) == NULL)
667  goto end;
668 
669  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
670  sig->proto.flags |= DETECT_PROTO_ANY;
671  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
672  goto end;
673  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
674  goto end;
675 
676  result = 1;
677 
678  end:
679  SigFree(NULL, sig);
680  return result;
681 }
682 
683 /**
684  * \test Negative test.
685  */
686 static int DetectIPProtoTestSetup07(void)
687 {
688  int result = 0;
689  Signature *sig;
690  const char *value1_str = "14";
691  const char *value2_str = "<15";
692 
693  if ((sig = SigAlloc()) == NULL)
694  goto end;
695 
696  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
697  sig->proto.flags |= DETECT_PROTO_ANY;
698  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
699  goto end;
700  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
701  goto end;
702 
703  result = 1;
704 
705  end:
706  SigFree(NULL, sig);
707  return result;
708 }
709 
710 /**
711  * \test Negative test.
712  */
713 static int DetectIPProtoTestSetup08(void)
714 {
715  int result = 0;
716  Signature *sig;
717  const char *value1_str = "14";
718  const char *value2_str = ">15";
719 
720  if ((sig = SigAlloc()) == NULL)
721  goto end;
722 
723  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
724  sig->proto.flags |= DETECT_PROTO_ANY;
725  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
726  goto end;
727  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
728  goto end;
729 
730  result = 1;
731 
732  end:
733  SigFree(NULL, sig);
734  return result;
735 }
736 
737 /**
738  * \test Negative test.
739  */
740 static int DetectIPProtoTestSetup09(void)
741 {
742  int result = 0;
743  Signature *sig;
744  const char *value1_str = "14";
745  const char *value2_str = "!15";
746 
747  if ((sig = SigAlloc()) == NULL)
748  goto end;
749 
750  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
751  sig->proto.flags |= DETECT_PROTO_ANY;
752  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
753  goto end;
754  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
755  goto end;
756 
757  result = 1;
758 
759  end:
760  SigFree(NULL, sig);
761  return result;
762 }
763 
764 /**
765  * \test Negative test.
766  */
767 static int DetectIPProtoTestSetup10(void)
768 {
769  int result = 0;
770  Signature *sig;
771  const char *value1_str = ">14";
772  const char *value2_str = "15";
773 
774  if ((sig = SigAlloc()) == NULL)
775  goto end;
776 
777  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
778  sig->proto.flags |= DETECT_PROTO_ANY;
779  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
780  goto end;
781  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
782  goto end;
783 
784  result = 1;
785 
786  end:
787  SigFree(NULL, sig);
788  return result;
789 }
790 
791 /**
792  * \test Negative test.
793  */
794 static int DetectIPProtoTestSetup11(void)
795 {
796  int result = 0;
797  Signature *sig;
798  const char *value1_str = "<14";
799  const char *value2_str = "15";
800 
801  if ((sig = SigAlloc()) == NULL)
802  goto end;
803 
804  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
805  sig->proto.flags |= DETECT_PROTO_ANY;
806  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
807  goto end;
808  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
809  goto end;
810 
811  result = 1;
812 
813  end:
814  SigFree(NULL, sig);
815  return result;
816 }
817 
818 /**
819  * \test Negative test.
820  */
821 static int DetectIPProtoTestSetup12(void)
822 {
823  int result = 0;
824  Signature *sig;
825  const char *value1_str = "!14";
826  const char *value2_str = "15";
827 
828  if ((sig = SigAlloc()) == NULL)
829  goto end;
830 
831  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
832  sig->proto.flags |= DETECT_PROTO_ANY;
833  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
834  goto end;
835  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
836  goto end;
837 
838  result = 1;
839 
840  end:
841  SigFree(NULL, sig);
842  return result;
843 }
844 
845 /**
846  * \test Negative test.
847  */
848 static int DetectIPProtoTestSetup13(void)
849 {
850  int result = 0;
851  Signature *sig;
852  const char *value1_str = ">14";
853  const char *value2_str = ">15";
854 
855  if ((sig = SigAlloc()) == NULL)
856  goto end;
857 
858  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
859  sig->proto.flags |= DETECT_PROTO_ANY;
860  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
861  goto end;
862  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
863  goto end;
864 
865  result = 1;
866 
867  end:
868  SigFree(NULL, sig);
869  return result;
870 }
871 
872 static int DetectIPProtoTestSetup14(void)
873 {
874  int result = 0;
875  Signature *sig;
876  const char *value1_str = "<14";
877  const char *value2_str = "<15";
878 
879  if ((sig = SigAlloc()) == NULL)
880  goto end;
881 
882  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
883  sig->proto.flags |= DETECT_PROTO_ANY;
884  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
885  goto end;
886  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
887  goto end;
888 
889  result = 1;
890 
891  end:
892  SigFree(NULL, sig);
893  return result;
894 }
895 
896 static int DetectIPProtoTestSetup15(void)
897 {
898  int result = 0;
899  Signature *sig;
900  const char *value1_str = "<14";
901  int value1 = 14;
902  const char *value2_str = ">34";
903  int i;
904 
905  if ((sig = SigAlloc()) == NULL)
906  goto end;
907 
908  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
909  sig->proto.flags |= DETECT_PROTO_ANY;
910  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
911  goto end;
912  for (i = 0; i < (value1 / 8); i++) {
913  if (sig->proto.proto[i] != 0xFF)
914  goto end;
915  }
916  if (sig->proto.proto[value1 / 8] != 0x3F) {
917  goto end;
918  }
919  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
920  if (sig->proto.proto[i] != 0)
921  goto end;
922  }
923  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
924  goto end;
925 
926  result = 1;
927 
928  end:
929  SigFree(NULL, sig);
930  return result;
931 
932 }
933 
934 static int DetectIPProtoTestSetup16(void)
935 {
936  int result = 0;
937  Signature *sig;
938  const char *value1_str = "<14";
939  const char *value2_str = ">34";
940  int value2 = 34;
941  int i;
942 
943  if ((sig = SigAlloc()) == NULL)
944  goto end;
945 
946  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
947  sig->proto.flags |= DETECT_PROTO_ANY;
948  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
949  goto end;
950  for (i = 0; i < (value2 / 8); i++) {
951  if (sig->proto.proto[i] != 0)
952  goto end;
953  }
954  if (sig->proto.proto[value2 / 8] != 0xF8) {
955  goto end;
956  }
957  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
958  if (sig->proto.proto[i] != 0xFF)
959  goto end;
960  }
961  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
962  goto end;
963 
964  result = 1;
965 
966  end:
967  SigFree(NULL, sig);
968  return result;
969 
970 }
971 
972 static int DetectIPProtoTestSetup17(void)
973 {
974  int result = 0;
975  Signature *sig;
976  const char *value1_str = "<11";
977  int value1 = 11;
978  const char *value2_str = ">13";
979  int i;
980 
981  if ((sig = SigAlloc()) == NULL)
982  goto end;
983 
984  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
985  sig->proto.flags |= DETECT_PROTO_ANY;
986  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
987  goto end;
988  for (i = 0; i < (value1 / 8); i++) {
989  if (sig->proto.proto[i] != 0xFF)
990  goto end;
991  }
992  if (sig->proto.proto[value1 / 8] != 0x07) {
993  goto end;
994  }
995  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
996  if (sig->proto.proto[i] != 0)
997  goto end;
998  }
999  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1000  goto end;
1001 
1002  result = 1;
1003 
1004  end:
1005  SigFree(NULL, sig);
1006  return result;
1007 
1008 }
1009 
1010 static int DetectIPProtoTestSetup18(void)
1011 {
1012  int result = 0;
1013  Signature *sig;
1014  const char *value1_str = "<11";
1015  const char *value2_str = ">13";
1016  int value2 = 13;
1017  int i;
1018 
1019  if ((sig = SigAlloc()) == NULL)
1020  goto end;
1021 
1022  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1023  sig->proto.flags |= DETECT_PROTO_ANY;
1024  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1025  goto end;
1026  for (i = 0; i < (value2 / 8); i++) {
1027  if (sig->proto.proto[i] != 0)
1028  goto end;
1029  }
1030  if (sig->proto.proto[value2 / 8] != 0xC0) {
1031  goto end;
1032  }
1033  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1034  if (sig->proto.proto[i] != 0xFF)
1035  goto end;
1036  }
1037  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1038  goto end;
1039 
1040  result = 1;
1041 
1042  end:
1043  SigFree(NULL, sig);
1044  return result;
1045 
1046 }
1047 
1048 static int DetectIPProtoTestSetup19(void)
1049 {
1050  int result = 0;
1051  Signature *sig;
1052  const char *value1_str = "<11";
1053  int value1 = 11;
1054  const char *value2_str = "!13";
1055  const char *value3_str = ">36";
1056  int i;
1057 
1058  if ((sig = SigAlloc()) == NULL)
1059  goto end;
1060 
1061  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1062  sig->proto.flags |= DETECT_PROTO_ANY;
1063  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1064  goto end;
1065  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1066  goto end;
1067  for (i = 0; i < (value1 / 8); i++) {
1068  if (sig->proto.proto[i] != 0xFF)
1069  goto end;
1070  }
1071  if (sig->proto.proto[value1 / 8] != 0x07) {
1072  goto end;
1073  }
1074  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1075  if (sig->proto.proto[i] != 0)
1076  goto end;
1077  }
1078  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1079  goto end;
1080 
1081  result = 1;
1082 
1083  end:
1084  SigFree(NULL, sig);
1085  return result;
1086 }
1087 
1088 static int DetectIPProtoTestSetup20(void)
1089 {
1090  int result = 0;
1091  Signature *sig;
1092  const char *value1_str = "<11";
1093  int value1 = 11;
1094  const char *value3_str = ">36";
1095  int i;
1096 
1097  if ((sig = SigAlloc()) == NULL)
1098  goto end;
1099 
1100  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1101  sig->proto.flags |= DETECT_PROTO_ANY;
1102  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1103  goto end;
1104  for (i = 0; i < (value1 / 8); i++) {
1105  if (sig->proto.proto[i] != 0xFF)
1106  goto end;
1107  }
1108  if (sig->proto.proto[value1 / 8] != 0x07) {
1109  goto end;
1110  }
1111  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1112  if (sig->proto.proto[i] != 0)
1113  goto end;
1114  }
1115  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1116  goto end;
1117 
1118  result = 1;
1119 
1120  end:
1121  SigFree(NULL, sig);
1122  return result;
1123 }
1124 
1125 static int DetectIPProtoTestSetup21(void)
1126 {
1127  int result = 0;
1128  Signature *sig;
1129  const char *value1_str = "<11";
1130  int value1 = 11;
1131  const char *value2_str = "!13";
1132  const char *value3_str = ">36";
1133  int i;
1134 
1135  if ((sig = SigAlloc()) == NULL)
1136  goto end;
1137 
1138  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1139  sig->proto.flags |= DETECT_PROTO_ANY;
1140  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1141  goto end;
1142  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1143  goto end;
1144  for (i = 0; i < (value1 / 8); i++) {
1145  if (sig->proto.proto[i] != 0xFF)
1146  goto end;
1147  }
1148  if (sig->proto.proto[value1 / 8] != 0x07) {
1149  goto end;
1150  }
1151  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1152  if (sig->proto.proto[i] != 0)
1153  goto end;
1154  }
1155  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1156  goto end;
1157 
1158  result = 1;
1159 
1160  end:
1161  SigFree(NULL, sig);
1162  return result;
1163 }
1164 
1165 static int DetectIPProtoTestSetup22(void)
1166 {
1167  int result = 0;
1168  Signature *sig;
1169  const char *value1_str = "<11";
1170  const char *value2_str = "!13";
1171  const char *value3_str = ">36";
1172  int value3 = 36;
1173  int i;
1174 
1175  if ((sig = SigAlloc()) == NULL)
1176  goto end;
1177 
1178  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1179  sig->proto.flags |= DETECT_PROTO_ANY;
1180  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1181  goto end;
1182  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1183  goto end;
1184  for (i = 0; i < (value3 / 8); i++) {
1185  if (sig->proto.proto[i] != 0)
1186  goto end;
1187  }
1188  if (sig->proto.proto[value3 / 8] != 0xE0) {
1189  goto end;
1190  }
1191  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1192  if (sig->proto.proto[i] != 0xFF)
1193  goto end;
1194  }
1195  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1196  goto end;
1197 
1198  result = 1;
1199 
1200  end:
1201  SigFree(NULL, sig);
1202  return result;
1203 }
1204 
1205 static int DetectIPProtoTestSetup23(void)
1206 {
1207  int result = 0;
1208  Signature *sig;
1209  const char *value1_str = "<11";
1210  const char *value3_str = ">36";
1211  int value3 = 36;
1212  int i;
1213 
1214  if ((sig = SigAlloc()) == NULL)
1215  goto end;
1216 
1217  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1218  sig->proto.flags |= DETECT_PROTO_ANY;
1219  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1220  goto end;
1221  for (i = 0; i < (value3 / 8); i++) {
1222  if (sig->proto.proto[i] != 0)
1223  goto end;
1224  }
1225  if (sig->proto.proto[value3 / 8] != 0xE0) {
1226  goto end;
1227  }
1228  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1229  if (sig->proto.proto[i] != 0xFF)
1230  goto end;
1231  }
1232  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1233  goto end;
1234 
1235  result = 1;
1236 
1237  end:
1238  SigFree(NULL, sig);
1239  return result;
1240 }
1241 
1242 static int DetectIPProtoTestSetup24(void)
1243 {
1244  int result = 0;
1245  Signature *sig;
1246  const char *value1_str = "<11";
1247  const char *value2_str = "!13";
1248  const char *value3_str = ">36";
1249  int value3 = 36;
1250  int i;
1251 
1252  if ((sig = SigAlloc()) == NULL)
1253  goto end;
1254 
1255  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1256  sig->proto.flags |= DETECT_PROTO_ANY;
1257  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1258  goto end;
1259  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1260  goto end;
1261  for (i = 0; i < (value3 / 8); i++) {
1262  if (sig->proto.proto[i] != 0)
1263  goto end;
1264  }
1265  if (sig->proto.proto[value3 / 8] != 0xE0) {
1266  goto end;
1267  }
1268  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1269  if (sig->proto.proto[i] != 0xFF)
1270  goto end;
1271  }
1272  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1273  goto end;
1274 
1275  result = 1;
1276 
1277  end:
1278  SigFree(NULL, sig);
1279  return result;
1280 }
1281 
1282 static int DetectIPProtoTestSetup33(void)
1283 {
1284  int result = 0;
1285  Signature *sig;
1286  const char *value1_str = "<11";
1287  int value1 = 11;
1288  const char *value2_str = "!34";
1289  const char *value3_str = ">36";
1290  int i;
1291 
1292  if ((sig = SigAlloc()) == NULL)
1293  goto end;
1294 
1295  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1296  sig->proto.flags |= DETECT_PROTO_ANY;
1297  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1298  goto end;
1299  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1300  goto end;
1301  for (i = 0; i < (value1 / 8); i++) {
1302  if (sig->proto.proto[i] != 0xFF)
1303  goto end;
1304  }
1305  if (sig->proto.proto[value1 / 8] != 0x07) {
1306  goto end;
1307  }
1308  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1309  if (sig->proto.proto[i] != 0)
1310  goto end;
1311  }
1312  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1313  goto end;
1314 
1315  result = 1;
1316 
1317  end:
1318  SigFree(NULL, sig);
1319  return result;
1320 }
1321 
1322 static int DetectIPProtoTestSetup34(void)
1323 {
1324  int result = 0;
1325  Signature *sig;
1326  const char *value1_str = "<11";
1327  int value1 = 11;
1328  const char *value2_str = "!34";
1329  const char *value3_str = ">36";
1330  int value3 = 36;
1331  int i;
1332 
1333  if ((sig = SigAlloc()) == NULL)
1334  goto end;
1335 
1336  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1337  sig->proto.flags |= DETECT_PROTO_ANY;
1338  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1339  goto end;
1340  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1341  goto end;
1342  for (i = 0; i < (value1 / 8); i++) {
1343  if (sig->proto.proto[i] != 0)
1344  goto end;
1345  }
1346  if (sig->proto.proto[value3 / 8] != 0xE0) {
1347  goto end;
1348  }
1349  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1350  if (sig->proto.proto[i] != 0xFF)
1351  goto end;
1352  }
1353  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1354  goto end;
1355 
1356  result = 1;
1357 
1358  end:
1359  SigFree(NULL, sig);
1360  return result;
1361 }
1362 
1363 static int DetectIPProtoTestSetup36(void)
1364 {
1365  int result = 0;
1366  Signature *sig;
1367  const char *value1_str = "<11";
1368  const char *value2_str = "!34";
1369  const char *value3_str = ">36";
1370  int value3 = 36;
1371  int i;
1372 
1373  if ((sig = SigAlloc()) == NULL)
1374  goto end;
1375 
1376  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1377  sig->proto.flags |= DETECT_PROTO_ANY;
1378  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1379  goto end;
1380  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1381  goto end;
1382  for (i = 0; i < (value3 / 8); i++) {
1383  if (sig->proto.proto[i] != 0)
1384  goto end;
1385  }
1386  if (sig->proto.proto[value3 / 8] != 0xE0) {
1387  goto end;
1388  }
1389  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1390  if (sig->proto.proto[i] != 0xFF)
1391  goto end;
1392  }
1393  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1394  goto end;
1395 
1396  result = 1;
1397 
1398  end:
1399  SigFree(NULL, sig);
1400  return result;
1401 }
1402 
1403 static int DetectIPProtoTestSetup43(void)
1404 {
1405  int result = 0;
1406  Signature *sig;
1407  const char *value1_str = "!4";
1408  int value1 = 4;
1409  const char *value2_str = "<13";
1410  int value2 = 13;
1411  const char *value3_str = ">34";
1412  int i;
1413 
1414  if ((sig = SigAlloc()) == NULL)
1415  goto end;
1416 
1417  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1418  sig->proto.flags |= DETECT_PROTO_ANY;
1419  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1420  goto end;
1421  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1422  goto end;
1423  if (sig->proto.proto[value1 / 8] != 0xEF) {
1424  goto end;
1425  }
1426  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1427  if (sig->proto.proto[i] != 0xFF)
1428  goto end;
1429  }
1430  if (sig->proto.proto[value2 / 8] != 0x1F) {
1431  goto end;
1432  }
1433  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1434  if (sig->proto.proto[i] != 0)
1435  goto end;
1436  }
1437  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1438  goto end;
1439 
1440  result = 1;
1441 
1442  end:
1443  SigFree(NULL, sig);
1444  return result;
1445 }
1446 
1447 static int DetectIPProtoTestSetup44(void)
1448 {
1449  int result = 0;
1450  Signature *sig;
1451  const char *value1_str = "!4";
1452  const char *value2_str = "<13";
1453  const char *value3_str = ">34";
1454  int value3 = 34;
1455  int i;
1456 
1457  if ((sig = SigAlloc()) == NULL)
1458  goto end;
1459 
1460  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1461  sig->proto.flags |= DETECT_PROTO_ANY;
1462  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1463  goto end;
1464  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1465  goto end;
1466  for (i = 0; i < (value3 / 8); i++) {
1467  if (sig->proto.proto[i] != 0)
1468  goto end;
1469  }
1470  if (sig->proto.proto[value3 / 8] != 0xF8) {
1471  goto end;
1472  }
1473  for (i = (value3 / 8) + 1; i < 256 / 8; i++) {
1474  if (sig->proto.proto[i] != 0xFF)
1475  goto end;
1476  }
1477  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1478  goto end;
1479 
1480  result = 1;
1481 
1482  end:
1483  SigFree(NULL, sig);
1484  return result;
1485 }
1486 
1487 static int DetectIPProtoTestSetup45(void)
1488 {
1489  int result = 0;
1490  Signature *sig;
1491  const char *value1_str = "!4";
1492  int value1 = 4;
1493  const char *value2_str = "<13";
1494  int value2 = 13;
1495  const char *value3_str = ">34";
1496  int i;
1497 
1498  if ((sig = SigAlloc()) == NULL)
1499  goto end;
1500 
1501  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1502  sig->proto.flags |= DETECT_PROTO_ANY;
1503  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1504  goto end;
1505  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1506  goto end;
1507  if (sig->proto.proto[value1 / 8] != 0xEF) {
1508  goto end;
1509  }
1510  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1511  if (sig->proto.proto[i] != 0xFF)
1512  goto end;
1513  }
1514  if (sig->proto.proto[value2 / 8] != 0x1F) {
1515  goto end;
1516  }
1517  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1518  if (sig->proto.proto[i] != 0)
1519  goto end;
1520  }
1521  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1522  goto end;
1523 
1524  result = 1;
1525 
1526  end:
1527  SigFree(NULL, sig);
1528  return result;
1529 }
1530 
1531 static int DetectIPProtoTestSetup56(void)
1532 {
1533  int result = 0;
1534  Signature *sig;
1535  const char *value1_str = "<13";
1536  int value1 = 13;
1537  const char *value2_str = ">34";
1538  const char *value3_str = "!37";
1539  int i;
1540 
1541  if ((sig = SigAlloc()) == NULL)
1542  goto end;
1543 
1544  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1545  sig->proto.flags |= DETECT_PROTO_ANY;
1546  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1547  goto end;
1548  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1549  goto end;
1550  for (i = 0; i < (value1 / 8); i++) {
1551  if (sig->proto.proto[i] != 0xFF)
1552  goto end;
1553  }
1554  if (sig->proto.proto[value1 / 8] != 0x1F) {
1555  goto end;
1556  }
1557  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1558  if (sig->proto.proto[i] != 0)
1559  goto end;
1560  }
1561  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1562  goto end;
1563 
1564  result = 1;
1565 
1566  end:
1567  SigFree(NULL, sig);
1568  return result;
1569 }
1570 
1571 static int DetectIPProtoTestSetup75(void)
1572 {
1573  int result = 0;
1574  Signature *sig;
1575  const char *value1_str = "!8";
1576  const char *value2_str = ">10";
1577  int value2 = 10;
1578  int i;
1579 
1580  if ((sig = SigAlloc()) == NULL)
1581  goto end;
1582 
1583  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1584  sig->proto.flags |= DETECT_PROTO_ANY;
1585  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1586  goto end;
1587  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1588  goto end;
1589  for (i = 0; i < (value2 / 8); i++) {
1590  if (sig->proto.proto[i] != 0)
1591  goto end;
1592  }
1593  if (sig->proto.proto[value2 / 8] != 0xF8) {
1594  goto end;
1595  }
1596  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1597  if (sig->proto.proto[i] != 0xFF)
1598  goto end;
1599  }
1600 
1601  result = 1;
1602 
1603  end:
1604  SigFree(NULL, sig);
1605  return result;
1606 }
1607 
1608 static int DetectIPProtoTestSetup76(void)
1609 {
1610  int result = 0;
1611  Signature *sig;
1612  const char *value1_str = "!8";
1613  const char *value2_str = ">10";
1614  int value2 = 10;
1615  int i;
1616 
1617  if ((sig = SigAlloc()) == NULL)
1618  goto end;
1619 
1620  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1621  sig->proto.flags |= DETECT_PROTO_ANY;
1622  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1623  goto end;
1624  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1625  goto end;
1626  for (i = 0; i < (value2 / 8); i++) {
1627  if (sig->proto.proto[i] != 0)
1628  goto end;
1629  }
1630  if (sig->proto.proto[value2 / 8] != 0xF8) {
1631  goto end;
1632  }
1633  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1634  if (sig->proto.proto[i] != 0xFF)
1635  goto end;
1636  }
1637 
1638  result = 1;
1639 
1640  end:
1641  SigFree(NULL, sig);
1642  return result;
1643 }
1644 
1645 static int DetectIPProtoTestSetup129(void)
1646 {
1647  int result = 0;
1648  Signature *sig;
1649  const char *value1_str = "<10";
1650  int value1 = 10;
1651  const char *value2_str = ">10";
1652  int i;
1653 
1654  if ((sig = SigAlloc()) == NULL)
1655  goto end;
1656 
1657  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1658  sig->proto.flags |= DETECT_PROTO_ANY;
1659  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1660  goto end;
1661  for (i = 0; i < (value1 / 8); i++) {
1662  if (sig->proto.proto[i] != 0xFF)
1663  goto end;
1664  }
1665  if (sig->proto.proto[value1 / 8] != 0x03) {
1666  goto end;
1667  }
1668  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1669  if (sig->proto.proto[i] != 0)
1670  goto end;
1671  }
1672  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1673  goto end;
1674 
1675  result = 1;
1676 
1677  end:
1678  SigFree(NULL, sig);
1679  return result;
1680 }
1681 
1682 static int DetectIPProtoTestSetup130(void)
1683 {
1684  int result = 0;
1685  Signature *sig;
1686  const char *value1_str = "<10";
1687  const char *value2_str = ">10";
1688  int value2 = 10;
1689  int i;
1690 
1691  if ((sig = SigAlloc()) == NULL)
1692  goto end;
1693 
1694  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1695  sig->proto.flags |= DETECT_PROTO_ANY;
1696  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1697  goto end;
1698  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1699  goto end;
1700  for (i = 0; i < (value2 / 8); i++) {
1701  if (sig->proto.proto[i] != 0)
1702  goto end;
1703  }
1704  if (sig->proto.proto[value2 / 8] != 0xF8) {
1705  goto end;
1706  }
1707  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1708  if (sig->proto.proto[i] != 0xFF)
1709  goto end;
1710  }
1711 
1712  result = 1;
1713 
1714  end:
1715  SigFree(NULL, sig);
1716  return result;
1717 }
1718 
1719 static int DetectIPProtoTestSetup131(void)
1720 {
1721  int result = 0;
1722  Signature *sig;
1723  const char *value1_str = "<10";
1724  int value1 = 10;
1725  const char *value2_str = "!10";
1726  int i;
1727 
1728  if ((sig = SigAlloc()) == NULL)
1729  goto end;
1730 
1731  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1732  sig->proto.flags |= DETECT_PROTO_ANY;
1733  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1734  goto end;
1735  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1736  goto end;
1737  for (i = 0; i < (value1 / 8); i++) {
1738  if (sig->proto.proto[i] != 0xFF)
1739  goto end;
1740  }
1741  if (sig->proto.proto[value1 / 8] != 0x03) {
1742  goto end;
1743  }
1744  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1745  if (sig->proto.proto[i] != 0x0)
1746  goto end;
1747  }
1748 
1749  result = 1;
1750 
1751  end:
1752  SigFree(NULL, sig);
1753  return result;
1754 }
1755 
1756 static int DetectIPProtoTestSetup132(void)
1757 {
1758  int result = 0;
1759  Signature *sig;
1760  const char *value1_str = "<10";
1761  int value1 = 10;
1762  const char *value2_str = "!10";
1763  int i;
1764 
1765  if ((sig = SigAlloc()) == NULL)
1766  goto end;
1767 
1768  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1769  sig->proto.flags |= DETECT_PROTO_ANY;
1770  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1771  goto end;
1772  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1773  goto end;
1774  for (i = 0; i < (value1 / 8); i++) {
1775  if (sig->proto.proto[i] != 0xFF)
1776  goto end;
1777  }
1778  if (sig->proto.proto[value1 / 8] != 0x03) {
1779  goto end;
1780  }
1781  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1782  if (sig->proto.proto[i] != 0x0)
1783  goto end;
1784  }
1785 
1786  result = 1;
1787 
1788  end:
1789  SigFree(NULL, sig);
1790  return result;
1791 }
1792 
1793 static int DetectIPProtoTestSetup145(void)
1794 {
1795  int result = 0;
1796  Signature *sig;
1797  const char *value1_str = "!4";
1798  const char *value2_str = ">8";
1799  const char *value3_str = "!10";
1800  const char *value4_str = "!14";
1801  const char *value5_str = "!27";
1802  const char *value6_str = "!29";
1803  const char *value7_str = "!30";
1804  const char *value8_str = "!34";
1805  const char *value9_str = "<36";
1806  const char *value10_str = "!38";
1807  int value10 = 38;
1808 
1809  int i;
1810 
1811  if ((sig = SigAlloc()) == NULL)
1812  goto end;
1813 
1814  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1815  sig->proto.flags |= DETECT_PROTO_ANY;
1816  if (DetectIPProtoSetup(NULL, sig, value5_str) != 0)
1817  goto end;
1818  if (DetectIPProtoSetup(NULL, sig, value8_str) != 0)
1819  goto end;
1820  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1821  goto end;
1822  if (DetectIPProtoSetup(NULL, sig, value10_str) != 0)
1823  goto end;
1824  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1825  goto end;
1826  if (DetectIPProtoSetup(NULL, sig, value6_str) != 0)
1827  goto end;
1828  if (DetectIPProtoSetup(NULL, sig, value9_str) != 0)
1829  goto end;
1830  if (DetectIPProtoSetup(NULL, sig, value4_str) != 0)
1831  goto end;
1832  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1833  goto end;
1834  if (DetectIPProtoSetup(NULL, sig, value7_str) != 0)
1835  goto end;
1836  if (sig->proto.proto[0] != 0) {
1837  goto end;
1838  }
1839  if (sig->proto.proto[1] != 0xBA) {
1840  goto end;
1841  }
1842  if (sig->proto.proto[2] != 0xFF) {
1843  goto end;
1844  }
1845  if (sig->proto.proto[3] != 0x97) {
1846  goto end;
1847  }
1848  if (sig->proto.proto[4] != 0x0B) {
1849  goto end;
1850  }
1851  for (i = (value10 / 8) + 1; i < 256 / 8; i++) {
1852  if (sig->proto.proto[i] != 0)
1853  goto end;
1854  }
1855 
1856  result = 1;
1857 
1858  end:
1859  SigFree(NULL, sig);
1860  return result;
1861 }
1862 
1863 static int DetectIPProtoTestSig1(void)
1864 {
1865  int result = 0;
1866  uint8_t *buf = (uint8_t *)
1867  "GET /one/ HTTP/1.1\r\n"
1868  "Host: one.example.org\r\n"
1869  "\r\n";
1870  uint16_t buflen = strlen((char *)buf);
1871  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1872  if (p == NULL)
1873  return 0;
1874 
1875  const char *sigs[4];
1876  sigs[0] = "alert ip any any -> any any "
1877  "(msg:\"Not tcp\"; ip_proto:!tcp; content:\"GET \"; sid:1;)";
1878  sigs[1] = "alert ip any any -> any any "
1879  "(msg:\"Less than 7\"; content:\"GET \"; ip_proto:<7; sid:2;)";
1880  sigs[2] = "alert ip any any -> any any "
1881  "(msg:\"Greater than 5\"; content:\"GET \"; ip_proto:>5; sid:3;)";
1882  sigs[3] = "alert ip any any -> any any "
1883  "(msg:\"Equals tcp\"; content:\"GET \"; ip_proto:tcp; sid:4;)";
1884 
1885  /* sids to match */
1886  uint32_t sid[4] = {1, 2, 3, 4};
1887  /* expected matches for each sid within this packet we are testing */
1888  uint32_t results[4] = {0, 1, 1, 1};
1889 
1890  /* remember that UTHGenericTest expect the first parameter
1891  * as an array of packet pointers. And also a bidimensional array of results
1892  * For example:
1893  * results[numpacket][position] should hold the number of times
1894  * that the sid at sid[position] matched that packet (should be always 1..)
1895  * But here we built it as unidimensional array
1896  */
1897  result = UTHGenericTest(&p, 1, sigs, sid, results, 4);
1898 
1899  UTHFreePacket(p);
1900  return result;
1901 }
1902 
1903 static int DetectIPProtoTestSig2(void)
1904 {
1905  int result = 0;
1906 
1907  uint8_t raw_eth[] = {
1908  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1909  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1910  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1911  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1912  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1913  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1914  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
1915  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
1916  0x4a, 0xea, 0x7a, 0x8e,
1917  };
1918 
1919  Packet *p = PacketGetFromAlloc();
1920  if (unlikely(p == NULL))
1921  return 0;
1922 
1923  DecodeThreadVars dtv;
1924  ThreadVars th_v;
1925  DetectEngineThreadCtx *det_ctx = NULL;
1926 
1927  p->proto = 0;
1928  memset(&dtv, 0, sizeof(DecodeThreadVars));
1929  memset(&th_v, 0, sizeof(th_v));
1930 
1931  FlowInitConfig(FLOW_QUIET);
1932  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
1933 
1934  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1935  if (de_ctx == NULL) {
1936  goto end;
1937  }
1938 
1939  de_ctx->mpm_matcher = mpm_default_matcher;
1940  de_ctx->flags |= DE_QUIET;
1941 
1942  de_ctx->sig_list = SigInit(de_ctx,
1943  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
1944  "ip_proto:!103; sid:1;)");
1945  if (de_ctx->sig_list == NULL) {
1946  result = 0;
1947  goto end;
1948  }
1949 
1950  SigGroupBuild(de_ctx);
1951  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1952 
1953  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1954  if (PacketAlertCheck(p, 1) == 0) {
1955  result = 1;
1956  goto end;
1957  } else {
1958  result = 0;
1959  }
1960 
1961  SigGroupCleanup(de_ctx);
1962  SigCleanSignatures(de_ctx);
1963 
1964  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1965  DetectEngineCtxFree(de_ctx);
1966  FlowShutdown();
1967 
1968  SCFree(p);
1969  return result;
1970 
1971 end:
1972  if (de_ctx) {
1973  SigGroupCleanup(de_ctx);
1974  SigCleanSignatures(de_ctx);
1975  }
1976 
1977  if (det_ctx)
1978  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1979  if (de_ctx)
1980  DetectEngineCtxFree(de_ctx);
1981 
1982  FlowShutdown();
1983  SCFree(p);
1984 
1985  return result;
1986 }
1987 
1988 static int DetectIPProtoTestSig3(void)
1989 {
1990  int result = 0;
1991 
1992  uint8_t raw_eth[] = {
1993  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1994  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1995  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1996  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1997  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1998  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1999  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
2000  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
2001  0x4a, 0xea, 0x7a, 0x8e,
2002  };
2003 
2004  Packet *p = UTHBuildPacket((uint8_t *)"boom", 4, IPPROTO_TCP);
2005  if (p == NULL)
2006  return 0;
2007 
2008  DecodeThreadVars dtv;
2009  ThreadVars th_v;
2010  DetectEngineThreadCtx *det_ctx = NULL;
2011 
2012  p->proto = 0;
2013  memset(&dtv, 0, sizeof(DecodeThreadVars));
2014  memset(&th_v, 0, sizeof(th_v));
2015 
2016  FlowInitConfig(FLOW_QUIET);
2017  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
2018 
2019  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2020  if (de_ctx == NULL) {
2021  goto end;
2022  }
2023 
2024  de_ctx->mpm_matcher = mpm_default_matcher;
2025  de_ctx->flags |= DE_QUIET;
2026 
2027  de_ctx->sig_list = SigInit(de_ctx,
2028  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
2029  "ip_proto:103; sid:1;)");
2030  if (de_ctx->sig_list == NULL) {
2031  result = 0;
2032  goto end;
2033  }
2034 
2035  SigGroupBuild(de_ctx);
2036  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2037 
2038  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2039  if (!PacketAlertCheck(p, 1)) {
2040  result = 0;
2041  goto end;
2042  } else {
2043  result = 1;
2044  }
2045 
2046  SigGroupCleanup(de_ctx);
2047  SigCleanSignatures(de_ctx);
2048 
2049  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2050  DetectEngineCtxFree(de_ctx);
2051  FlowShutdown();
2052 
2053  SCFree(p);
2054  return result;
2055 
2056 end:
2057  if (de_ctx) {
2058  SigGroupCleanup(de_ctx);
2059  SigCleanSignatures(de_ctx);
2060  }
2061 
2062  if (det_ctx)
2063  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2064  if (de_ctx)
2065  DetectEngineCtxFree(de_ctx);
2066 
2067  FlowShutdown();
2068  SCFree(p);
2069 
2070  return result;
2071 }
2072 
2073 /**
2074  * \internal
2075  * \brief Register ip_proto tests.
2076  */
2077 static void DetectIPProtoRegisterTests(void)
2078 {
2079  UtRegisterTest("DetectIPProtoTestParse01", DetectIPProtoTestParse01);
2080  UtRegisterTest("DetectIPProtoTestParse02", DetectIPProtoTestParse02);
2081  UtRegisterTest("DetectIPProtoTestSetup01", DetectIPProtoTestSetup01);
2082  UtRegisterTest("DetectIPProtoTestSetup02", DetectIPProtoTestSetup02);
2083  UtRegisterTest("DetectIPProtoTestSetup03", DetectIPProtoTestSetup03);
2084  UtRegisterTest("DetectIPProtoTestSetup04", DetectIPProtoTestSetup04);
2085  UtRegisterTest("DetectIPProtoTestSetup05", DetectIPProtoTestSetup05);
2086  UtRegisterTest("DetectIPProtoTestSetup06", DetectIPProtoTestSetup06);
2087  UtRegisterTest("DetectIPProtoTestSetup07", DetectIPProtoTestSetup07);
2088  UtRegisterTest("DetectIPProtoTestSetup08", DetectIPProtoTestSetup08);
2089  UtRegisterTest("DetectIPProtoTestSetup09", DetectIPProtoTestSetup09);
2090  UtRegisterTest("DetectIPProtoTestSetup10", DetectIPProtoTestSetup10);
2091  UtRegisterTest("DetectIPProtoTestSetup11", DetectIPProtoTestSetup11);
2092  UtRegisterTest("DetectIPProtoTestSetup12", DetectIPProtoTestSetup12);
2093  UtRegisterTest("DetectIPProtoTestSetup13", DetectIPProtoTestSetup13);
2094  UtRegisterTest("DetectIPProtoTestSetup14", DetectIPProtoTestSetup14);
2095  UtRegisterTest("DetectIPProtoTestSetup15", DetectIPProtoTestSetup15);
2096  UtRegisterTest("DetectIPProtoTestSetup16", DetectIPProtoTestSetup16);
2097  UtRegisterTest("DetectIPProtoTestSetup17", DetectIPProtoTestSetup17);
2098  UtRegisterTest("DetectIPProtoTestSetup18", DetectIPProtoTestSetup18);
2099  UtRegisterTest("DetectIPProtoTestSetup19", DetectIPProtoTestSetup19);
2100  UtRegisterTest("DetectIPProtoTestSetup20", DetectIPProtoTestSetup20);
2101  UtRegisterTest("DetectIPProtoTestSetup21", DetectIPProtoTestSetup21);
2102  UtRegisterTest("DetectIPProtoTestSetup22", DetectIPProtoTestSetup22);
2103  UtRegisterTest("DetectIPProtoTestSetup23", DetectIPProtoTestSetup23);
2104  UtRegisterTest("DetectIPProtoTestSetup24", DetectIPProtoTestSetup24);
2105  UtRegisterTest("DetectIPProtoTestSetup33", DetectIPProtoTestSetup33);
2106  UtRegisterTest("DetectIPProtoTestSetup34", DetectIPProtoTestSetup34);
2107  UtRegisterTest("DetectIPProtoTestSetup36", DetectIPProtoTestSetup36);
2108  UtRegisterTest("DetectIPProtoTestSetup43", DetectIPProtoTestSetup43);
2109  UtRegisterTest("DetectIPProtoTestSetup44", DetectIPProtoTestSetup44);
2110  UtRegisterTest("DetectIPProtoTestSetup45", DetectIPProtoTestSetup45);
2111  UtRegisterTest("DetectIPProtoTestSetup56", DetectIPProtoTestSetup56);
2112  UtRegisterTest("DetectIPProtoTestSetup75", DetectIPProtoTestSetup75);
2113  UtRegisterTest("DetectIPProtoTestSetup76", DetectIPProtoTestSetup76);
2114  UtRegisterTest("DetectIPProtoTestSetup129", DetectIPProtoTestSetup129);
2115  UtRegisterTest("DetectIPProtoTestSetup130", DetectIPProtoTestSetup130);
2116  UtRegisterTest("DetectIPProtoTestSetup131", DetectIPProtoTestSetup131);
2117  UtRegisterTest("DetectIPProtoTestSetup132", DetectIPProtoTestSetup132);
2118  UtRegisterTest("DetectIPProtoTestSetup145", DetectIPProtoTestSetup145);
2119 
2120  UtRegisterTest("DetectIPProtoTestSig1", DetectIPProtoTestSig1);
2121  UtRegisterTest("DetectIPProtoTestSig2", DetectIPProtoTestSig2);
2122  UtRegisterTest("DetectIPProtoTestSig3", DetectIPProtoTestSig3);
2123 }
2124 #endif /* UNITTESTS */
DetectIPProtoRemoveAllSMs
void DetectIPProtoRemoveAllSMs(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-ipproto.c:430
util-byte.h
DetectParseRegex::match
pcre2_match_data * match
Definition: detect-parse.h:47
SigTableElmt_::url
const char * url
Definition: detect.h:1238
Packet_::proto
uint8_t proto
Definition: decode.h:450
detect-engine.h
SigMatchRemoveSMFromList
void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list)
Definition: detect-parse.c:390
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1237
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
Definition: detect-parse.c:2488
SigMatchFree
void SigMatchFree(DetectEngineCtx *de_ctx, SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:253
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1225
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:34
detect-engine-siggroup.h
DetectParseRegex
Definition: detect-parse.h:44
SigTableElmt_::name
const char * name
Definition: detect.h:1235
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:1392
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1432
DetectIPProtoRegister
void DetectIPProtoRegister(void)
Registration function for ip_proto keyword.
Definition: detect-ipproto.c:60
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
results
struct DetectRfbSecresult_ results[]
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1229
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:784
DETECT_PROTO_ANY
#define DETECT_PROTO_ANY
Definition: detect-engine-proto.h:27
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2444
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:339
mpm_default_matcher
uint8_t mpm_default_matcher
Definition: util-mpm.c:49
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1788
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:502
proto
uint8_t proto
Definition: decode-template.h:0
StringParseInt32
int StringParseInt32(int32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:613
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1220
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:543
StringParseUint8
int StringParseUint8(uint8_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:359
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1024
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2611
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:317
DetectEngineCtx_::mpm_matcher
uint8_t mpm_matcher
Definition: detect.h:834
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:78
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:316
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:37
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2022
Signature_::flags
uint32_t flags
Definition: detect.h:540
Packet_
Definition: decode.h:428
detect-engine-build.h
detect-engine-alert.h
detect-ipproto.h
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:610
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1203
DETECT_IPPROTO_OP_GT
#define DETECT_IPPROTO_OP_GT
Definition: detect-ipproto.h:31
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:533
util-proto-name.h
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:238
SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
Definition: detect.h:252
DETECT_IPPROTO_OP_EQ
#define DETECT_IPPROTO_OP_EQ
Definition: detect-ipproto.h:28
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1954
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:38
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:33
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
Signature_::proto
DetectProto proto
Definition: detect.h:557
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
SigMatch_::type
uint16_t type
Definition: detect.h:314
DETECT_IPPROTO_OP_LT
#define DETECT_IPPROTO_OP_LT
Definition: detect-ipproto.h:30
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:690
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:790
DetectIPProtoData_::op
uint8_t op
Definition: detect-ipproto.h:35
UTHGenericTest
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perfom a generic check taking care of as maximum common unittest elemen...
Definition: util-unittest-helper.c:606
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:665
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:487
detect-parse.h
Signature_
Signature container.
Definition: detect.h:539
SigMatch_
a single match condition for a signature
Definition: detect.h:313
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2405
DetectIPProtoData_
Definition: detect-ipproto.h:34
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:40
SCGetProtoByName
bool SCGetProtoByName(const char *protoname, uint8_t *proto_number)
Function to return the protocol number for a named protocol. Note that protocol name aliases are hono...
Definition: util-proto-name.c:468
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our options.
Definition: detect-ipproto.c:50
DETECT_IPPROTO_OP_NOT
#define DETECT_IPPROTO_OP_NOT
Definition: detect-ipproto.h:29
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:785
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1267
DETECT_IPPROTO
@ DETECT_IPPROTO
Definition: detect-engine-register.h:80
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:352
detect-engine-address.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1227
DetectIPProtoData_::proto
uint8_t proto
Definition: detect-ipproto.h:36
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:215