suricata
detect-ipproto.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Brian Rectanus <brectanu@gmail.com>
22  *
23  * Implements the ip_proto keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "decode.h"
29 #include "detect.h"
30 
31 #include "detect-ipproto.h"
32 
33 #include "detect-parse.h"
34 #include "detect-engine.h"
35 #include "detect-engine-mpm.h"
36 
37 #include "detect-engine-siggroup.h"
38 #include "detect-engine-address.h"
39 
40 #include "util-byte.h"
41 #include "util-unittest.h"
42 #include "util-unittest-helper.h"
43 
44 #include "util-debug.h"
45 
46 /**
47  * \brief Regex for parsing our options
48  */
49 #define PARSE_REGEX "^([!<>]?)\\s*([^\\s]+)$"
50 
51 static pcre *parse_regex;
52 static pcre_extra *parse_regex_study;
53 
54 static int DetectIPProtoSetup(DetectEngineCtx *, Signature *, const char *);
55 static void DetectIPProtoRegisterTests(void);
56 static void DetectIPProtoFree(void *);
57 
58 void DetectIPProtoRegister(void)
59 {
60  sigmatch_table[DETECT_IPPROTO].name = "ip_proto";
61  sigmatch_table[DETECT_IPPROTO].desc = "match on the IP protocol in the packet-header";
62  sigmatch_table[DETECT_IPPROTO].url = DOC_URL DOC_VERSION "/rules/header-keywords.html#ip-proto";
63  sigmatch_table[DETECT_IPPROTO].Match = NULL;
64  sigmatch_table[DETECT_IPPROTO].Setup = DetectIPProtoSetup;
65  sigmatch_table[DETECT_IPPROTO].Free = DetectIPProtoFree;
66  sigmatch_table[DETECT_IPPROTO].RegisterTests = DetectIPProtoRegisterTests;
67  sigmatch_table[DETECT_IPPROTO].flags = SIGMATCH_QUOTES_OPTIONAL;
68 
69  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
70 }
71 
72 /**
73  * \internal
74  * \brief Parse ip_proto options string.
75  *
76  * \param optstr Options string to parse
77  *
78  * \return New ip_proto data structure
79  */
80 static DetectIPProtoData *DetectIPProtoParse(const char *optstr)
81 {
82  DetectIPProtoData *data = NULL;
83  char *args[2] = { NULL, NULL };
84 #define MAX_SUBSTRINGS 30
85  int ret = 0, res = 0;
86  int ov[MAX_SUBSTRINGS];
87  int i;
88  const char *str_ptr;
89 
90  /* Execute the regex and populate args with captures. */
91  ret = pcre_exec(parse_regex, parse_regex_study, optstr,
92  strlen(optstr), 0, 0, ov, MAX_SUBSTRINGS);
93  if (ret != 3) {
94  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret"
95  "%" PRId32 ", string %s", ret, optstr);
96  goto error;
97  }
98 
99  for (i = 0; i < (ret - 1); i++) {
100  res = pcre_get_substring((char *)optstr, ov, MAX_SUBSTRINGS,
101  i + 1, &str_ptr);
102  if (res < 0) {
103  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
104  goto error;
105  }
106  args[i] = (char *)str_ptr;
107  }
108 
109  /* Initialize the data */
110  data = SCMalloc(sizeof(DetectIPProtoData));
111  if (unlikely(data == NULL))
112  goto error;
113  data->op = DETECT_IPPROTO_OP_EQ;
114  data->proto = 0;
115 
116  /* Operator */
117  if (*(args[0]) != '\0') {
118  data->op = *(args[0]);
119  }
120 
121  /* Protocol name/number */
122  if (!isdigit((unsigned char)*(args[1]))) {
123  struct protoent *pent = getprotobyname(args[1]);
124  if (pent == NULL) {
125  SCLogError(SC_ERR_INVALID_VALUE, "Malformed protocol name: %s",
126  str_ptr);
127  goto error;
128  }
129  data->proto = (uint8_t)pent->p_proto;
130  }
131  else {
132  if (ByteExtractStringUint8(&data->proto, 10, 0, args[1]) <= 0) {
133  SCLogError(SC_ERR_INVALID_VALUE, "Malformed protocol number: %s",
134  str_ptr);
135  goto error;
136  }
137  }
138 
139  for (i = 0; i < (ret - 1); i++){
140  if (args[i] != NULL)
141  SCFree(args[i]);
142  }
143 
144  return data;
145 
146 error:
147  for (i = 0; i < (ret - 1) && i < 2; i++){
148  if (args[i] != NULL)
149  SCFree(args[i]);
150  }
151  if (data != NULL)
152  SCFree(data);
153 
154  return NULL;
155 }
156 
157 static int DetectIPProtoTypePresentForOP(Signature *s, uint8_t op)
158 {
159  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
160  DetectIPProtoData *data;
161 
162  while (sm != NULL) {
163  if (sm->type == DETECT_IPPROTO) {
164  data = (DetectIPProtoData *)sm->ctx;
165  if (data->op == op)
166  return 1;
167  }
168  sm = sm->next;
169  }
170 
171  return 0;
172 }
173 
174 /**
175  * \internal
176  * \brief Setup ip_proto keyword.
177  *
178  * \param de_ctx Detection engine context
179  * \param s Signature
180  * \param optstr Options string
181  *
182  * \return Non-zero on error
183  */
184 static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr)
185 {
186  SigMatch *sm = NULL;
187  int i;
188 
189  DetectIPProtoData *data = DetectIPProtoParse(optstr);
190  if (data == NULL) {
191  return -1;
192  }
193 
194  /* Reset our "any" (or "ip") state: for ipv4, ipv6 and ip cases, the bitfield
195  * s->proto.proto have all bit set to 1 to be able to match any protocols. ipproto
196  * will refined the protocol list and thus it needs to reset the bitfield to zero
197  * before setting the value specified by the ip_proto keyword.
198  */
199  if (s->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) {
200  s->proto.flags &= ~DETECT_PROTO_ANY;
201  memset(s->proto.proto, 0x00, sizeof(s->proto.proto));
202  s->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
203  } else {
204  /* The ipproto engine has a relationship with the protocol that is
205  * set after the action and also the app protocol(that can also be
206  * set through the app-layer-protocol.
207  * An ip_proto keyword can be used only with alert ip, which if
208  * not true we error out on the sig. And hence the init_flag to
209  * indicate this. */
210  if (!(s->init_data->init_flags & SIG_FLAG_INIT_FIRST_IPPROTO_SEEN)) {
211  SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature can use "
212  "ip_proto keyword only when we use alert ip, "
213  "in which case the _ANY flag is set on the sig "
214  "and the if condition should match.");
215  goto error;
216  }
217  }
218 
219  int eq_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_EQ);
220  int gt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_GT);
221  int lt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_LT);
222  int not_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_NOT);
223 
224  switch (data->op) {
225  case DETECT_IPPROTO_OP_EQ:
226  if (eq_set || gt_set || lt_set || not_set) {
227  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq "
228  "ipproto without any operators attached to "
229  "them in the same sig");
230  goto error;
231  }
232  s->proto.proto[data->proto / 8] |= 1 << (data->proto % 8);
233  break;
234 
235  case DETECT_IPPROTO_OP_GT:
236  if (eq_set || gt_set) {
237  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq or gt "
238  "ipproto along with a greater than ipproto in the "
239  "same sig ");
240  goto error;
241  }
242  if (!lt_set && !not_set) {
243  s->proto.proto[data->proto / 8] = 0xfe << (data->proto % 8);
244  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
245  s->proto.proto[i] = 0xff;
246  }
247  } else if (lt_set && !not_set) {
248  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
249  while (temp_sm != NULL) {
250  if (temp_sm->type == DETECT_IPPROTO) {
251  break;
252  }
253  temp_sm = temp_sm->next;
254  }
255  if (temp_sm != NULL) {
256  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
257  if (data_temp->proto <= data->proto) {
258  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
259  "both gt and lt ipprotos, with the lt being "
260  "lower than gt value");
261  goto error;
262  } else {
263  for (i = 0; i < (data->proto / 8); i++) {
264  s->proto.proto[i] = 0;
265  }
266  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
267  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
268  s->proto.proto[i] &= 0xff;
269  }
270  }
271  }
272  } else if (!lt_set && not_set) {
273  for (i = 0; i < (data->proto / 8); i++) {
274  s->proto.proto[i] = 0;
275  }
276  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
277  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
278  s->proto.proto[i] &= 0xff;
279  }
280  } else {
281  DetectIPProtoData *data_temp;
282  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
283  while (temp_sm != NULL) {
284  if (temp_sm->type == DETECT_IPPROTO &&
285  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_LT) {
286  break;
287  }
288  temp_sm = temp_sm->next;
289  }
290  if (temp_sm != NULL) {
291  data_temp = (DetectIPProtoData *)temp_sm->ctx;
292  if (data_temp->proto <= data->proto) {
293  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
294  "both gt and lt ipprotos, with the lt being "
295  "lower than gt value");
296  goto error;
297  } else {
298  for (i = 0; i < (data->proto / 8); i++) {
299  s->proto.proto[i] = 0;
300  }
301  s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8);
302  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
303  s->proto.proto[i] &= 0xff;
304  }
305  }
306  }
307  }
308  break;
309 
310  case DETECT_IPPROTO_OP_LT:
311  if (eq_set || lt_set) {
312  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq or lt "
313  "ipproto along with a less than ipproto in the "
314  "same sig ");
315  goto error;
316  }
317  if (!gt_set && !not_set) {
318  for (i = 0; i < (data->proto / 8); i++) {
319  s->proto.proto[i] = 0xff;
320  }
321  s->proto.proto[data->proto / 8] = ~(0xff << (data->proto % 8));
322  } else if (gt_set && !not_set) {
323  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
324  while (temp_sm != NULL) {
325  if (temp_sm->type == DETECT_IPPROTO) {
326  break;
327  }
328  temp_sm = temp_sm->next;
329  }
330  if (temp_sm != NULL) {
331  DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx;
332  if (data_temp->proto >= data->proto) {
333  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a have "
334  "both gt and lt ipprotos, with the lt being "
335  "lower than gt value");
336  goto error;
337  } else {
338  for (i = 0; i < (data->proto / 8); i++) {
339  s->proto.proto[i] &= 0xff;
340  }
341  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
342  for (i = (data->proto / 8) + 1; i < 256 / 8; i++) {
343  s->proto.proto[i] = 0;
344  }
345  }
346  }
347  } else if (!gt_set && not_set) {
348  for (i = 0; i < (data->proto / 8); i++) {
349  s->proto.proto[i] &= 0xFF;
350  }
351  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
352  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
353  s->proto.proto[i] = 0;
354  }
355  } else {
356  DetectIPProtoData *data_temp;
357  SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
358  while (temp_sm != NULL) {
359  if (temp_sm->type == DETECT_IPPROTO &&
360  ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_GT) {
361  break;
362  }
363  temp_sm = temp_sm->next;
364  }
365  if (temp_sm != NULL) {
366  data_temp = (DetectIPProtoData *)temp_sm->ctx;
367  if (data_temp->proto >= data->proto) {
368  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't have "
369  "both gt and lt ipprotos, with the lt being "
370  "lower than gt value");
371  goto error;
372  } else {
373  for (i = 0; i < (data->proto / 8); i++) {
374  s->proto.proto[i] &= 0xFF;
375  }
376  s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8));
377  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
378  s->proto.proto[i] = 0;
379  }
380  }
381  }
382  }
383  break;
384 
385  case DETECT_IPPROTO_OP_NOT:
386  if (eq_set) {
387  SCLogError(SC_ERR_INVALID_SIGNATURE, "can't use a eq "
388  "ipproto along with a not ipproto in the "
389  "same sig ");
390  goto error;
391  }
392  if (!gt_set && !lt_set && !not_set) {
393  for (i = 0; i < (data->proto / 8); i++) {
394  s->proto.proto[i] = 0xff;
395  }
396  s->proto.proto[data->proto / 8] = ~(1 << (data->proto % 8));
397  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
398  s->proto.proto[i] = 0xff;
399  }
400  } else {
401  for (i = 0; i < (data->proto / 8); i++) {
402  s->proto.proto[i] &= 0xff;
403  }
404  s->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8));
405  for (i = (data->proto / 8) + 1; i < (256 / 8); i++) {
406  s->proto.proto[i] &= 0xff;
407  }
408  }
409  break;
410  }
411 
412  sm = SigMatchAlloc();
413  if (sm == NULL)
414  goto error;
415  sm->type = DETECT_IPPROTO;
416  sm->ctx = (void *)data;
417  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH);
418  s->flags |= SIG_FLAG_REQUIRE_PACKET;
419 
420  return 0;
421 
422  error:
423 
424  DetectIPProtoFree(data);
425  return -1;
426 }
427 
428 
429 void DetectIPProtoRemoveAllSMs(Signature *s)
430 {
431  SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
432 
433  while (sm != NULL) {
434  if (sm->type != DETECT_IPPROTO) {
435  sm = sm->next;
436  continue;
437  }
438  SigMatch *tmp_sm = sm->next;
439  SigMatchRemoveSMFromList(s, sm, DETECT_SM_LIST_MATCH);
440  SigMatchFree(sm);
441  sm = tmp_sm;
442  }
443 
444  return;
445 }
446 
447 static void DetectIPProtoFree(void *ptr)
448 {
449  DetectIPProtoData *data = (DetectIPProtoData *)ptr;
450  if (data) {
451  SCFree(data);
452  }
453 }
454 
455 /* UNITTESTS */
456 #ifdef UNITTESTS
457 
458 /**
459  * \test DetectIPProtoTestParse01 is a test for an invalid proto number
460  */
461 static int DetectIPProtoTestParse01(void)
462 {
463  DetectIPProtoData *data = DetectIPProtoParse("999");
464  FAIL_IF_NOT(data == NULL);
465  PASS;
466 }
467 
468 /**
469  * \test DetectIPProtoTestParse02 is a test for an invalid proto name
470  */
471 static int DetectIPProtoTestParse02(void)
472 {
473  DetectIPProtoData *data = DetectIPProtoParse("foobarbooeek");
474  FAIL_IF_NOT(data == NULL);
475  PASS;
476 }
477 
478 /**
479  * \test DetectIPProtoTestSetup01 is a test for a protocol number
480  */
481 static int DetectIPProtoTestSetup01(void)
482 {
483  const char *value_str = "14";
484  int value = atoi(value_str);
485  int i;
486 
487  Signature *sig = SigAlloc();
488  FAIL_IF_NULL(sig);
489 
490  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
491  sig->proto.flags |= DETECT_PROTO_ANY;
492  DetectIPProtoSetup(NULL, sig, value_str);
493  for (i = 0; i < (value / 8); i++) {
494  FAIL_IF(sig->proto.proto[i] != 0);
495  }
496  FAIL_IF(sig->proto.proto[value / 8] != 0x40);
497  for (i = (value / 8) + 1; i < (256 / 8); i++) {
498  FAIL_IF(sig->proto.proto[i] != 0);
499  }
500  SigFree(sig);
501  PASS;
502 }
503 
504 /**
505  * \test DetectIPProtoTestSetup02 is a test for a protocol name
506  */
507 static int DetectIPProtoTestSetup02(void)
508 {
509  int result = 0;
510  Signature *sig = NULL;
511  const char *value_str = "tcp";
512  struct protoent *pent = getprotobyname(value_str);
513  if (pent == NULL) {
514  goto end;
515  }
516  uint8_t value = (uint8_t)pent->p_proto;
517  int i;
518 
519  if ((sig = SigAlloc()) == NULL)
520  goto end;
521 
522  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
523  sig->proto.flags |= DETECT_PROTO_ANY;
524  DetectIPProtoSetup(NULL, sig, value_str);
525  for (i = 0; i < (value / 8); i++) {
526  if (sig->proto.proto[i] != 0)
527  goto end;
528  }
529  if (sig->proto.proto[value / 8] != 0x40) {
530  goto end;
531  }
532  for (i = (value / 8) + 1; i < (256 / 8); i++) {
533  if (sig->proto.proto[i] != 0)
534  goto end;
535  }
536 
537  result = 1;
538 
539  end:
540  if (sig != NULL)
541  SigFree(sig);
542  return result;
543 }
544 
545 /**
546  * \test DetectIPProtoTestSetup03 is a test for a < operator
547  */
548 static int DetectIPProtoTestSetup03(void)
549 {
550  int result = 0;
551  Signature *sig;
552  const char *value_str = "<14";
553  int value = 14;
554  int i;
555 
556  if ((sig = SigAlloc()) == NULL)
557  goto end;
558 
559  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
560  sig->proto.flags |= DETECT_PROTO_ANY;
561  DetectIPProtoSetup(NULL, sig, value_str);
562  for (i = 0; i < (value / 8); i++) {
563  if (sig->proto.proto[i] != 0xFF)
564  goto end;
565  }
566  if (sig->proto.proto[value / 8] != 0x3F) {
567  goto end;
568  }
569  for (i = (value / 8) + 1; i < (256 / 8); i++) {
570  if (sig->proto.proto[i] != 0)
571  goto end;
572  }
573 
574  result = 1;
575 
576  end:
577  SigFree(sig);
578  return result;
579 }
580 
581 /**
582  * \test DetectIPProtoTestSetup04 is a test for a > operator
583  */
584 static int DetectIPProtoTestSetup04(void)
585 {
586  int result = 0;
587  Signature *sig;
588  const char *value_str = ">14";
589  int value = 14;
590  int i;
591 
592  if ((sig = SigAlloc()) == NULL)
593  goto end;
594 
595  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
596  sig->proto.flags |= DETECT_PROTO_ANY;
597  DetectIPProtoSetup(NULL, sig, value_str);
598  for (i = 0; i < (value / 8); i++) {
599  if (sig->proto.proto[i] != 0)
600  goto end;
601  }
602  if (sig->proto.proto[value / 8] != 0x80) {
603  goto end;
604  }
605  for (i = (value / 8) + 1; i < (256 / 8); i++) {
606  if (sig->proto.proto[i] != 0xFF)
607  goto end;
608  }
609 
610  result = 1;
611 
612  end:
613  SigFree(sig);
614  return result;
615 }
616 
617 /**
618  * \test DetectIPProtoTestSetup05 is a test for a ! operator
619  */
620 static int DetectIPProtoTestSetup05(void)
621 {
622  int result = 0;
623  Signature *sig;
624  const char *value_str = "!14";
625  int value = 14;
626  int i;
627 
628  if ((sig = SigAlloc()) == NULL)
629  goto end;
630 
631  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
632  sig->proto.flags |= DETECT_PROTO_ANY;
633  DetectIPProtoSetup(NULL, sig, value_str);
634  for (i = 0; i < (value / 8); i++) {
635  if (sig->proto.proto[i] != 0xFF)
636  goto end;
637  }
638  if (sig->proto.proto[value / 8] != 0xBF) {
639  goto end;
640  }
641  for (i = (value / 8) + 1; i < (256 / 8); i++) {
642  if (sig->proto.proto[i] != 0xFF)
643  goto end;
644  }
645 
646  result = 1;
647 
648  end:
649  SigFree(sig);
650  return result;
651 }
652 
653 /**
654  * \test Negative test.
655  */
656 static int DetectIPProtoTestSetup06(void)
657 {
658  int result = 0;
659  Signature *sig;
660  const char *value1_str = "14";
661  const char *value2_str = "15";
662 
663  if ((sig = SigAlloc()) == NULL)
664  goto end;
665 
666  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
667  sig->proto.flags |= DETECT_PROTO_ANY;
668  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
669  goto end;
670  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
671  goto end;
672 
673  result = 1;
674 
675  end:
676  SigFree(sig);
677  return result;
678 }
679 
680 /**
681  * \test Negative test.
682  */
683 static int DetectIPProtoTestSetup07(void)
684 {
685  int result = 0;
686  Signature *sig;
687  const char *value1_str = "14";
688  const char *value2_str = "<15";
689 
690  if ((sig = SigAlloc()) == NULL)
691  goto end;
692 
693  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
694  sig->proto.flags |= DETECT_PROTO_ANY;
695  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
696  goto end;
697  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
698  goto end;
699 
700  result = 1;
701 
702  end:
703  SigFree(sig);
704  return result;
705 }
706 
707 /**
708  * \test Negative test.
709  */
710 static int DetectIPProtoTestSetup08(void)
711 {
712  int result = 0;
713  Signature *sig;
714  const char *value1_str = "14";
715  const char *value2_str = ">15";
716 
717  if ((sig = SigAlloc()) == NULL)
718  goto end;
719 
720  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
721  sig->proto.flags |= DETECT_PROTO_ANY;
722  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
723  goto end;
724  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
725  goto end;
726 
727  result = 1;
728 
729  end:
730  SigFree(sig);
731  return result;
732 }
733 
734 /**
735  * \test Negative test.
736  */
737 static int DetectIPProtoTestSetup09(void)
738 {
739  int result = 0;
740  Signature *sig;
741  const char *value1_str = "14";
742  const char *value2_str = "!15";
743 
744  if ((sig = SigAlloc()) == NULL)
745  goto end;
746 
747  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
748  sig->proto.flags |= DETECT_PROTO_ANY;
749  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
750  goto end;
751  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
752  goto end;
753 
754  result = 1;
755 
756  end:
757  SigFree(sig);
758  return result;
759 }
760 
761 /**
762  * \test Negative test.
763  */
764 static int DetectIPProtoTestSetup10(void)
765 {
766  int result = 0;
767  Signature *sig;
768  const char *value1_str = ">14";
769  const char *value2_str = "15";
770 
771  if ((sig = SigAlloc()) == NULL)
772  goto end;
773 
774  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
775  sig->proto.flags |= DETECT_PROTO_ANY;
776  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
777  goto end;
778  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
779  goto end;
780 
781  result = 1;
782 
783  end:
784  SigFree(sig);
785  return result;
786 }
787 
788 /**
789  * \test Negative test.
790  */
791 static int DetectIPProtoTestSetup11(void)
792 {
793  int result = 0;
794  Signature *sig;
795  const char *value1_str = "<14";
796  const char *value2_str = "15";
797 
798  if ((sig = SigAlloc()) == NULL)
799  goto end;
800 
801  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
802  sig->proto.flags |= DETECT_PROTO_ANY;
803  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
804  goto end;
805  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
806  goto end;
807 
808  result = 1;
809 
810  end:
811  SigFree(sig);
812  return result;
813 }
814 
815 /**
816  * \test Negative test.
817  */
818 static int DetectIPProtoTestSetup12(void)
819 {
820  int result = 0;
821  Signature *sig;
822  const char *value1_str = "!14";
823  const char *value2_str = "15";
824 
825  if ((sig = SigAlloc()) == NULL)
826  goto end;
827 
828  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
829  sig->proto.flags |= DETECT_PROTO_ANY;
830  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
831  goto end;
832  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
833  goto end;
834 
835  result = 1;
836 
837  end:
838  SigFree(sig);
839  return result;
840 }
841 
842 /**
843  * \test Negative test.
844  */
845 static int DetectIPProtoTestSetup13(void)
846 {
847  int result = 0;
848  Signature *sig;
849  const char *value1_str = ">14";
850  const char *value2_str = ">15";
851 
852  if ((sig = SigAlloc()) == NULL)
853  goto end;
854 
855  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
856  sig->proto.flags |= DETECT_PROTO_ANY;
857  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
858  goto end;
859  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
860  goto end;
861 
862  result = 1;
863 
864  end:
865  SigFree(sig);
866  return result;
867 }
868 
869 static int DetectIPProtoTestSetup14(void)
870 {
871  int result = 0;
872  Signature *sig;
873  const char *value1_str = "<14";
874  const char *value2_str = "<15";
875 
876  if ((sig = SigAlloc()) == NULL)
877  goto end;
878 
879  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
880  sig->proto.flags |= DETECT_PROTO_ANY;
881  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
882  goto end;
883  if (DetectIPProtoSetup(NULL, sig, value2_str) != -1)
884  goto end;
885 
886  result = 1;
887 
888  end:
889  SigFree(sig);
890  return result;
891 }
892 
893 static int DetectIPProtoTestSetup15(void)
894 {
895  int result = 0;
896  Signature *sig;
897  const char *value1_str = "<14";
898  int value1 = 14;
899  const char *value2_str = ">34";
900  int i;
901 
902  if ((sig = SigAlloc()) == NULL)
903  goto end;
904 
905  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
906  sig->proto.flags |= DETECT_PROTO_ANY;
907  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
908  goto end;
909  for (i = 0; i < (value1 / 8); i++) {
910  if (sig->proto.proto[i] != 0xFF)
911  goto end;
912  }
913  if (sig->proto.proto[value1 / 8] != 0x3F) {
914  goto end;
915  }
916  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
917  if (sig->proto.proto[i] != 0)
918  goto end;
919  }
920  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
921  goto end;
922 
923  result = 1;
924 
925  end:
926  SigFree(sig);
927  return result;
928 
929 }
930 
931 static int DetectIPProtoTestSetup16(void)
932 {
933  int result = 0;
934  Signature *sig;
935  const char *value1_str = "<14";
936  const char *value2_str = ">34";
937  int value2 = 34;
938  int i;
939 
940  if ((sig = SigAlloc()) == NULL)
941  goto end;
942 
943  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
944  sig->proto.flags |= DETECT_PROTO_ANY;
945  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
946  goto end;
947  for (i = 0; i < (value2 / 8); i++) {
948  if (sig->proto.proto[i] != 0)
949  goto end;
950  }
951  if (sig->proto.proto[value2 / 8] != 0xF8) {
952  goto end;
953  }
954  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
955  if (sig->proto.proto[i] != 0xFF)
956  goto end;
957  }
958  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
959  goto end;
960 
961  result = 1;
962 
963  end:
964  SigFree(sig);
965  return result;
966 
967 }
968 
969 static int DetectIPProtoTestSetup17(void)
970 {
971  int result = 0;
972  Signature *sig;
973  const char *value1_str = "<11";
974  int value1 = 11;
975  const char *value2_str = ">13";
976  int i;
977 
978  if ((sig = SigAlloc()) == NULL)
979  goto end;
980 
981  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
982  sig->proto.flags |= DETECT_PROTO_ANY;
983  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
984  goto end;
985  for (i = 0; i < (value1 / 8); i++) {
986  if (sig->proto.proto[i] != 0xFF)
987  goto end;
988  }
989  if (sig->proto.proto[value1 / 8] != 0x07) {
990  goto end;
991  }
992  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
993  if (sig->proto.proto[i] != 0)
994  goto end;
995  }
996  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
997  goto end;
998 
999  result = 1;
1000 
1001  end:
1002  SigFree(sig);
1003  return result;
1004 
1005 }
1006 
1007 static int DetectIPProtoTestSetup18(void)
1008 {
1009  int result = 0;
1010  Signature *sig;
1011  const char *value1_str = "<11";
1012  const char *value2_str = ">13";
1013  int value2 = 13;
1014  int i;
1015 
1016  if ((sig = SigAlloc()) == NULL)
1017  goto end;
1018 
1019  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1020  sig->proto.flags |= DETECT_PROTO_ANY;
1021  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1022  goto end;
1023  for (i = 0; i < (value2 / 8); i++) {
1024  if (sig->proto.proto[i] != 0)
1025  goto end;
1026  }
1027  if (sig->proto.proto[value2 / 8] != 0xC0) {
1028  goto end;
1029  }
1030  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1031  if (sig->proto.proto[i] != 0xFF)
1032  goto end;
1033  }
1034  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1035  goto end;
1036 
1037  result = 1;
1038 
1039  end:
1040  SigFree(sig);
1041  return result;
1042 
1043 }
1044 
1045 static int DetectIPProtoTestSetup19(void)
1046 {
1047  int result = 0;
1048  Signature *sig;
1049  const char *value1_str = "<11";
1050  int value1 = 11;
1051  const char *value2_str = "!13";
1052  const char *value3_str = ">36";
1053  int i;
1054 
1055  if ((sig = SigAlloc()) == NULL)
1056  goto end;
1057 
1058  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1059  sig->proto.flags |= DETECT_PROTO_ANY;
1060  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1061  goto end;
1062  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1063  goto end;
1064  for (i = 0; i < (value1 / 8); i++) {
1065  if (sig->proto.proto[i] != 0xFF)
1066  goto end;
1067  }
1068  if (sig->proto.proto[value1 / 8] != 0x07) {
1069  goto end;
1070  }
1071  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1072  if (sig->proto.proto[i] != 0)
1073  goto end;
1074  }
1075  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1076  goto end;
1077 
1078  result = 1;
1079 
1080  end:
1081  SigFree(sig);
1082  return result;
1083 }
1084 
1085 static int DetectIPProtoTestSetup20(void)
1086 {
1087  int result = 0;
1088  Signature *sig;
1089  const char *value1_str = "<11";
1090  int value1 = 11;
1091  const char *value3_str = ">36";
1092  int i;
1093 
1094  if ((sig = SigAlloc()) == NULL)
1095  goto end;
1096 
1097  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1098  sig->proto.flags |= DETECT_PROTO_ANY;
1099  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1100  goto end;
1101  for (i = 0; i < (value1 / 8); i++) {
1102  if (sig->proto.proto[i] != 0xFF)
1103  goto end;
1104  }
1105  if (sig->proto.proto[value1 / 8] != 0x07) {
1106  goto end;
1107  }
1108  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1109  if (sig->proto.proto[i] != 0)
1110  goto end;
1111  }
1112  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1113  goto end;
1114 
1115  result = 1;
1116 
1117  end:
1118  SigFree(sig);
1119  return result;
1120 }
1121 
1122 static int DetectIPProtoTestSetup21(void)
1123 {
1124  int result = 0;
1125  Signature *sig;
1126  const char *value1_str = "<11";
1127  int value1 = 11;
1128  const char *value2_str = "!13";
1129  const char *value3_str = ">36";
1130  int i;
1131 
1132  if ((sig = SigAlloc()) == NULL)
1133  goto end;
1134 
1135  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1136  sig->proto.flags |= DETECT_PROTO_ANY;
1137  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1138  goto end;
1139  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1140  goto end;
1141  for (i = 0; i < (value1 / 8); i++) {
1142  if (sig->proto.proto[i] != 0xFF)
1143  goto end;
1144  }
1145  if (sig->proto.proto[value1 / 8] != 0x07) {
1146  goto end;
1147  }
1148  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1149  if (sig->proto.proto[i] != 0)
1150  goto end;
1151  }
1152  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1153  goto end;
1154 
1155  result = 1;
1156 
1157  end:
1158  SigFree(sig);
1159  return result;
1160 }
1161 
1162 static int DetectIPProtoTestSetup22(void)
1163 {
1164  int result = 0;
1165  Signature *sig;
1166  const char *value1_str = "<11";
1167  const char *value2_str = "!13";
1168  const char *value3_str = ">36";
1169  int value3 = 36;
1170  int i;
1171 
1172  if ((sig = SigAlloc()) == NULL)
1173  goto end;
1174 
1175  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1176  sig->proto.flags |= DETECT_PROTO_ANY;
1177  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1178  goto end;
1179  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1180  goto end;
1181  for (i = 0; i < (value3 / 8); i++) {
1182  if (sig->proto.proto[i] != 0)
1183  goto end;
1184  }
1185  if (sig->proto.proto[value3 / 8] != 0xE0) {
1186  goto end;
1187  }
1188  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1189  if (sig->proto.proto[i] != 0xFF)
1190  goto end;
1191  }
1192  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1193  goto end;
1194 
1195  result = 1;
1196 
1197  end:
1198  SigFree(sig);
1199  return result;
1200 }
1201 
1202 static int DetectIPProtoTestSetup23(void)
1203 {
1204  int result = 0;
1205  Signature *sig;
1206  const char *value1_str = "<11";
1207  const char *value3_str = ">36";
1208  int value3 = 36;
1209  int i;
1210 
1211  if ((sig = SigAlloc()) == NULL)
1212  goto end;
1213 
1214  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1215  sig->proto.flags |= DETECT_PROTO_ANY;
1216  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1217  goto end;
1218  for (i = 0; i < (value3 / 8); i++) {
1219  if (sig->proto.proto[i] != 0)
1220  goto end;
1221  }
1222  if (sig->proto.proto[value3 / 8] != 0xE0) {
1223  goto end;
1224  }
1225  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1226  if (sig->proto.proto[i] != 0xFF)
1227  goto end;
1228  }
1229  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1230  goto end;
1231 
1232  result = 1;
1233 
1234  end:
1235  SigFree(sig);
1236  return result;
1237 }
1238 
1239 static int DetectIPProtoTestSetup24(void)
1240 {
1241  int result = 0;
1242  Signature *sig;
1243  const char *value1_str = "<11";
1244  const char *value2_str = "!13";
1245  const char *value3_str = ">36";
1246  int value3 = 36;
1247  int i;
1248 
1249  if ((sig = SigAlloc()) == NULL)
1250  goto end;
1251 
1252  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1253  sig->proto.flags |= DETECT_PROTO_ANY;
1254  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1255  goto end;
1256  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1257  goto end;
1258  for (i = 0; i < (value3 / 8); i++) {
1259  if (sig->proto.proto[i] != 0)
1260  goto end;
1261  }
1262  if (sig->proto.proto[value3 / 8] != 0xE0) {
1263  goto end;
1264  }
1265  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1266  if (sig->proto.proto[i] != 0xFF)
1267  goto end;
1268  }
1269  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1270  goto end;
1271 
1272  result = 1;
1273 
1274  end:
1275  SigFree(sig);
1276  return result;
1277 }
1278 
1279 static int DetectIPProtoTestSetup33(void)
1280 {
1281  int result = 0;
1282  Signature *sig;
1283  const char *value1_str = "<11";
1284  int value1 = 11;
1285  const char *value2_str = "!34";
1286  const char *value3_str = ">36";
1287  int i;
1288 
1289  if ((sig = SigAlloc()) == NULL)
1290  goto end;
1291 
1292  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1293  sig->proto.flags |= DETECT_PROTO_ANY;
1294  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1295  goto end;
1296  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1297  goto end;
1298  for (i = 0; i < (value1 / 8); i++) {
1299  if (sig->proto.proto[i] != 0xFF)
1300  goto end;
1301  }
1302  if (sig->proto.proto[value1 / 8] != 0x07) {
1303  goto end;
1304  }
1305  for (i = (value1 / 8) + 1; i < (256 / 8); i++) {
1306  if (sig->proto.proto[i] != 0)
1307  goto end;
1308  }
1309  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1310  goto end;
1311 
1312  result = 1;
1313 
1314  end:
1315  SigFree(sig);
1316  return result;
1317 }
1318 
1319 static int DetectIPProtoTestSetup34(void)
1320 {
1321  int result = 0;
1322  Signature *sig;
1323  const char *value1_str = "<11";
1324  int value1 = 11;
1325  const char *value2_str = "!34";
1326  const char *value3_str = ">36";
1327  int value3 = 36;
1328  int i;
1329 
1330  if ((sig = SigAlloc()) == NULL)
1331  goto end;
1332 
1333  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1334  sig->proto.flags |= DETECT_PROTO_ANY;
1335  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1336  goto end;
1337  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1338  goto end;
1339  for (i = 0; i < (value1 / 8); i++) {
1340  if (sig->proto.proto[i] != 0)
1341  goto end;
1342  }
1343  if (sig->proto.proto[value3 / 8] != 0xE0) {
1344  goto end;
1345  }
1346  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1347  if (sig->proto.proto[i] != 0xFF)
1348  goto end;
1349  }
1350  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1351  goto end;
1352 
1353  result = 1;
1354 
1355  end:
1356  SigFree(sig);
1357  return result;
1358 }
1359 
1360 static int DetectIPProtoTestSetup36(void)
1361 {
1362  int result = 0;
1363  Signature *sig;
1364  const char *value1_str = "<11";
1365  const char *value2_str = "!34";
1366  const char *value3_str = ">36";
1367  int value3 = 36;
1368  int i;
1369 
1370  if ((sig = SigAlloc()) == NULL)
1371  goto end;
1372 
1373  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1374  sig->proto.flags |= DETECT_PROTO_ANY;
1375  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1376  goto end;
1377  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1378  goto end;
1379  for (i = 0; i < (value3 / 8); i++) {
1380  if (sig->proto.proto[i] != 0)
1381  goto end;
1382  }
1383  if (sig->proto.proto[value3 / 8] != 0xE0) {
1384  goto end;
1385  }
1386  for (i = (value3 / 8) + 1; i < (256 / 8); i++) {
1387  if (sig->proto.proto[i] != 0xFF)
1388  goto end;
1389  }
1390  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1391  goto end;
1392 
1393  result = 1;
1394 
1395  end:
1396  SigFree(sig);
1397  return result;
1398 }
1399 
1400 static int DetectIPProtoTestSetup43(void)
1401 {
1402  int result = 0;
1403  Signature *sig;
1404  const char *value1_str = "!4";
1405  int value1 = 4;
1406  const char *value2_str = "<13";
1407  int value2 = 13;
1408  const char *value3_str = ">34";
1409  int i;
1410 
1411  if ((sig = SigAlloc()) == NULL)
1412  goto end;
1413 
1414  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1415  sig->proto.flags |= DETECT_PROTO_ANY;
1416  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1417  goto end;
1418  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1419  goto end;
1420  if (sig->proto.proto[value1 / 8] != 0xEF) {
1421  goto end;
1422  }
1423  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1424  if (sig->proto.proto[i] != 0xFF)
1425  goto end;
1426  }
1427  if (sig->proto.proto[value2 / 8] != 0x1F) {
1428  goto end;
1429  }
1430  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1431  if (sig->proto.proto[i] != 0)
1432  goto end;
1433  }
1434  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1435  goto end;
1436 
1437  result = 1;
1438 
1439  end:
1440  SigFree(sig);
1441  return result;
1442 }
1443 
1444 static int DetectIPProtoTestSetup44(void)
1445 {
1446  int result = 0;
1447  Signature *sig;
1448  const char *value1_str = "!4";
1449  const char *value2_str = "<13";
1450  const char *value3_str = ">34";
1451  int value3 = 34;
1452  int i;
1453 
1454  if ((sig = SigAlloc()) == NULL)
1455  goto end;
1456 
1457  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1458  sig->proto.flags |= DETECT_PROTO_ANY;
1459  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1460  goto end;
1461  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1462  goto end;
1463  for (i = 0; i < (value3 / 8); i++) {
1464  if (sig->proto.proto[i] != 0)
1465  goto end;
1466  }
1467  if (sig->proto.proto[value3 / 8] != 0xF8) {
1468  goto end;
1469  }
1470  for (i = (value3 / 8) + 1; i < 256 / 8; i++) {
1471  if (sig->proto.proto[i] != 0xFF)
1472  goto end;
1473  }
1474  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1475  goto end;
1476 
1477  result = 1;
1478 
1479  end:
1480  SigFree(sig);
1481  return result;
1482 }
1483 
1484 static int DetectIPProtoTestSetup45(void)
1485 {
1486  int result = 0;
1487  Signature *sig;
1488  const char *value1_str = "!4";
1489  int value1 = 4;
1490  const char *value2_str = "<13";
1491  int value2 = 13;
1492  const char *value3_str = ">34";
1493  int i;
1494 
1495  if ((sig = SigAlloc()) == NULL)
1496  goto end;
1497 
1498  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1499  sig->proto.flags |= DETECT_PROTO_ANY;
1500  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1501  goto end;
1502  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1503  goto end;
1504  if (sig->proto.proto[value1 / 8] != 0xEF) {
1505  goto end;
1506  }
1507  for (i = (value1 / 8) + 1; i < (value2 / 8); i++) {
1508  if (sig->proto.proto[i] != 0xFF)
1509  goto end;
1510  }
1511  if (sig->proto.proto[value2 / 8] != 0x1F) {
1512  goto end;
1513  }
1514  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1515  if (sig->proto.proto[i] != 0)
1516  goto end;
1517  }
1518  if (DetectIPProtoSetup(NULL, sig, value3_str) == 0)
1519  goto end;
1520 
1521  result = 1;
1522 
1523  end:
1524  SigFree(sig);
1525  return result;
1526 }
1527 
1528 static int DetectIPProtoTestSetup56(void)
1529 {
1530  int result = 0;
1531  Signature *sig;
1532  const char *value1_str = "<13";
1533  int value1 = 13;
1534  const char *value2_str = ">34";
1535  const char *value3_str = "!37";
1536  int i;
1537 
1538  if ((sig = SigAlloc()) == NULL)
1539  goto end;
1540 
1541  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1542  sig->proto.flags |= DETECT_PROTO_ANY;
1543  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1544  goto end;
1545  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1546  goto end;
1547  for (i = 0; i < (value1 / 8); i++) {
1548  if (sig->proto.proto[i] != 0xFF)
1549  goto end;
1550  }
1551  if (sig->proto.proto[value1 / 8] != 0x1F) {
1552  goto end;
1553  }
1554  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1555  if (sig->proto.proto[i] != 0)
1556  goto end;
1557  }
1558  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1559  goto end;
1560 
1561  result = 1;
1562 
1563  end:
1564  SigFree(sig);
1565  return result;
1566 }
1567 
1568 static int DetectIPProtoTestSetup75(void)
1569 {
1570  int result = 0;
1571  Signature *sig;
1572  const char *value1_str = "!8";
1573  const char *value2_str = ">10";
1574  int value2 = 10;
1575  int i;
1576 
1577  if ((sig = SigAlloc()) == NULL)
1578  goto end;
1579 
1580  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1581  sig->proto.flags |= DETECT_PROTO_ANY;
1582  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1583  goto end;
1584  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1585  goto end;
1586  for (i = 0; i < (value2 / 8); i++) {
1587  if (sig->proto.proto[i] != 0)
1588  goto end;
1589  }
1590  if (sig->proto.proto[value2 / 8] != 0xF8) {
1591  goto end;
1592  }
1593  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1594  if (sig->proto.proto[i] != 0xFF)
1595  goto end;
1596  }
1597 
1598  result = 1;
1599 
1600  end:
1601  SigFree(sig);
1602  return result;
1603 }
1604 
1605 static int DetectIPProtoTestSetup76(void)
1606 {
1607  int result = 0;
1608  Signature *sig;
1609  const char *value1_str = "!8";
1610  const char *value2_str = ">10";
1611  int value2 = 10;
1612  int i;
1613 
1614  if ((sig = SigAlloc()) == NULL)
1615  goto end;
1616 
1617  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1618  sig->proto.flags |= DETECT_PROTO_ANY;
1619  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1620  goto end;
1621  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1622  goto end;
1623  for (i = 0; i < (value2 / 8); i++) {
1624  if (sig->proto.proto[i] != 0)
1625  goto end;
1626  }
1627  if (sig->proto.proto[value2 / 8] != 0xF8) {
1628  goto end;
1629  }
1630  for (i = (value2 / 8) + 1; i < (256 / 8); i++) {
1631  if (sig->proto.proto[i] != 0xFF)
1632  goto end;
1633  }
1634 
1635  result = 1;
1636 
1637  end:
1638  SigFree(sig);
1639  return result;
1640 }
1641 
1642 static int DetectIPProtoTestSetup129(void)
1643 {
1644  int result = 0;
1645  Signature *sig;
1646  const char *value1_str = "<10";
1647  int value1 = 10;
1648  const char *value2_str = ">10";
1649  int i;
1650 
1651  if ((sig = SigAlloc()) == NULL)
1652  goto end;
1653 
1654  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1655  sig->proto.flags |= DETECT_PROTO_ANY;
1656  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1657  goto end;
1658  for (i = 0; i < (value1 / 8); i++) {
1659  if (sig->proto.proto[i] != 0xFF)
1660  goto end;
1661  }
1662  if (sig->proto.proto[value1 / 8] != 0x03) {
1663  goto end;
1664  }
1665  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1666  if (sig->proto.proto[i] != 0)
1667  goto end;
1668  }
1669  if (DetectIPProtoSetup(NULL, sig, value2_str) == 0)
1670  goto end;
1671 
1672  result = 1;
1673 
1674  end:
1675  SigFree(sig);
1676  return result;
1677 }
1678 
1679 static int DetectIPProtoTestSetup130(void)
1680 {
1681  int result = 0;
1682  Signature *sig;
1683  const char *value1_str = "<10";
1684  const char *value2_str = ">10";
1685  int value2 = 10;
1686  int i;
1687 
1688  if ((sig = SigAlloc()) == NULL)
1689  goto end;
1690 
1691  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1692  sig->proto.flags |= DETECT_PROTO_ANY;
1693  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1694  goto end;
1695  if (DetectIPProtoSetup(NULL, sig, value1_str) == 0)
1696  goto end;
1697  for (i = 0; i < (value2 / 8); i++) {
1698  if (sig->proto.proto[i] != 0)
1699  goto end;
1700  }
1701  if (sig->proto.proto[value2 / 8] != 0xF8) {
1702  goto end;
1703  }
1704  for (i = (value2 / 8) + 1; i < 256 / 8; i++) {
1705  if (sig->proto.proto[i] != 0xFF)
1706  goto end;
1707  }
1708 
1709  result = 1;
1710 
1711  end:
1712  SigFree(sig);
1713  return result;
1714 }
1715 
1716 static int DetectIPProtoTestSetup131(void)
1717 {
1718  int result = 0;
1719  Signature *sig;
1720  const char *value1_str = "<10";
1721  int value1 = 10;
1722  const char *value2_str = "!10";
1723  int i;
1724 
1725  if ((sig = SigAlloc()) == NULL)
1726  goto end;
1727 
1728  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1729  sig->proto.flags |= DETECT_PROTO_ANY;
1730  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1731  goto end;
1732  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1733  goto end;
1734  for (i = 0; i < (value1 / 8); i++) {
1735  if (sig->proto.proto[i] != 0xFF)
1736  goto end;
1737  }
1738  if (sig->proto.proto[value1 / 8] != 0x03) {
1739  goto end;
1740  }
1741  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1742  if (sig->proto.proto[i] != 0x0)
1743  goto end;
1744  }
1745 
1746  result = 1;
1747 
1748  end:
1749  SigFree(sig);
1750  return result;
1751 }
1752 
1753 static int DetectIPProtoTestSetup132(void)
1754 {
1755  int result = 0;
1756  Signature *sig;
1757  const char *value1_str = "<10";
1758  int value1 = 10;
1759  const char *value2_str = "!10";
1760  int i;
1761 
1762  if ((sig = SigAlloc()) == NULL)
1763  goto end;
1764 
1765  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1766  sig->proto.flags |= DETECT_PROTO_ANY;
1767  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1768  goto end;
1769  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1770  goto end;
1771  for (i = 0; i < (value1 / 8); i++) {
1772  if (sig->proto.proto[i] != 0xFF)
1773  goto end;
1774  }
1775  if (sig->proto.proto[value1 / 8] != 0x03) {
1776  goto end;
1777  }
1778  for (i = (value1 / 8) + 1; i < 256 / 8; i++) {
1779  if (sig->proto.proto[i] != 0x0)
1780  goto end;
1781  }
1782 
1783  result = 1;
1784 
1785  end:
1786  SigFree(sig);
1787  return result;
1788 }
1789 
1790 static int DetectIPProtoTestSetup145(void)
1791 {
1792  int result = 0;
1793  Signature *sig;
1794  const char *value1_str = "!4";
1795  const char *value2_str = ">8";
1796  const char *value3_str = "!10";
1797  const char *value4_str = "!14";
1798  const char *value5_str = "!27";
1799  const char *value6_str = "!29";
1800  const char *value7_str = "!30";
1801  const char *value8_str = "!34";
1802  const char *value9_str = "<36";
1803  const char *value10_str = "!38";
1804  int value10 = 38;
1805 
1806  int i;
1807 
1808  if ((sig = SigAlloc()) == NULL)
1809  goto end;
1810 
1811  sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN;
1812  sig->proto.flags |= DETECT_PROTO_ANY;
1813  if (DetectIPProtoSetup(NULL, sig, value5_str) != 0)
1814  goto end;
1815  if (DetectIPProtoSetup(NULL, sig, value8_str) != 0)
1816  goto end;
1817  if (DetectIPProtoSetup(NULL, sig, value2_str) != 0)
1818  goto end;
1819  if (DetectIPProtoSetup(NULL, sig, value10_str) != 0)
1820  goto end;
1821  if (DetectIPProtoSetup(NULL, sig, value1_str) != 0)
1822  goto end;
1823  if (DetectIPProtoSetup(NULL, sig, value6_str) != 0)
1824  goto end;
1825  if (DetectIPProtoSetup(NULL, sig, value9_str) != 0)
1826  goto end;
1827  if (DetectIPProtoSetup(NULL, sig, value4_str) != 0)
1828  goto end;
1829  if (DetectIPProtoSetup(NULL, sig, value3_str) != 0)
1830  goto end;
1831  if (DetectIPProtoSetup(NULL, sig, value7_str) != 0)
1832  goto end;
1833  if (sig->proto.proto[0] != 0) {
1834  goto end;
1835  }
1836  if (sig->proto.proto[1] != 0xBA) {
1837  goto end;
1838  }
1839  if (sig->proto.proto[2] != 0xFF) {
1840  goto end;
1841  }
1842  if (sig->proto.proto[3] != 0x97) {
1843  goto end;
1844  }
1845  if (sig->proto.proto[4] != 0x0B) {
1846  goto end;
1847  }
1848  for (i = (value10 / 8) + 1; i < 256 / 8; i++) {
1849  if (sig->proto.proto[i] != 0)
1850  goto end;
1851  }
1852 
1853  result = 1;
1854 
1855  end:
1856  SigFree(sig);
1857  return result;
1858 }
1859 
1860 static int DetectIPProtoTestSig1(void)
1861 {
1862  int result = 0;
1863  uint8_t *buf = (uint8_t *)
1864  "GET /one/ HTTP/1.1\r\n"
1865  "Host: one.example.org\r\n"
1866  "\r\n";
1867  uint16_t buflen = strlen((char *)buf);
1868  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
1869  if (p == NULL)
1870  return 0;
1871 
1872  const char *sigs[4];
1873  sigs[0] = "alert ip any any -> any any "
1874  "(msg:\"Not tcp\"; ip_proto:!tcp; content:\"GET \"; sid:1;)";
1875  sigs[1] = "alert ip any any -> any any "
1876  "(msg:\"Less than 7\"; content:\"GET \"; ip_proto:<7; sid:2;)";
1877  sigs[2] = "alert ip any any -> any any "
1878  "(msg:\"Greater than 5\"; content:\"GET \"; ip_proto:>5; sid:3;)";
1879  sigs[3] = "alert ip any any -> any any "
1880  "(msg:\"Equals tcp\"; content:\"GET \"; ip_proto:tcp; sid:4;)";
1881 
1882  /* sids to match */
1883  uint32_t sid[4] = {1, 2, 3, 4};
1884  /* expected matches for each sid within this packet we are testing */
1885  uint32_t results[4] = {0, 1, 1, 1};
1886 
1887  /* remember that UTHGenericTest expect the first parameter
1888  * as an array of packet pointers. And also a bidimensional array of results
1889  * For example:
1890  * results[numpacket][position] should hold the number of times
1891  * that the sid at sid[position] matched that packet (should be always 1..)
1892  * But here we built it as unidimensional array
1893  */
1894  result = UTHGenericTest(&p, 1, sigs, sid, results, 4);
1895 
1896  UTHFreePacket(p);
1897  return result;
1898 }
1899 
1900 static int DetectIPProtoTestSig2(void)
1901 {
1902  int result = 0;
1903 
1904  uint8_t raw_eth[] = {
1905  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1906  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1907  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1908  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1909  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1910  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1911  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
1912  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
1913  0x4a, 0xea, 0x7a, 0x8e,
1914  };
1915 
1916  Packet *p = SCMalloc(SIZE_OF_PACKET);
1917  if (unlikely(p == NULL))
1918  return 0;
1919  memset(p, 0, SIZE_OF_PACKET);
1920 
1921  DecodeThreadVars dtv;
1922  ThreadVars th_v;
1923  DetectEngineThreadCtx *det_ctx = NULL;
1924 
1925  p->proto = 0;
1926  memset(&dtv, 0, sizeof(DecodeThreadVars));
1927  memset(&th_v, 0, sizeof(th_v));
1928 
1929  FlowInitConfig(FLOW_QUIET);
1930  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
1931 
1932  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1933  if (de_ctx == NULL) {
1934  goto end;
1935  }
1936 
1937  de_ctx->mpm_matcher = mpm_default_matcher;
1938  de_ctx->flags |= DE_QUIET;
1939 
1940  de_ctx->sig_list = SigInit(de_ctx,
1941  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
1942  "ip_proto:!103; sid:1;)");
1943  if (de_ctx->sig_list == NULL) {
1944  result = 0;
1945  goto end;
1946  }
1947 
1948  SigGroupBuild(de_ctx);
1949  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1950 
1951  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1952  if (PacketAlertCheck(p, 1) == 0) {
1953  result = 1;
1954  goto end;
1955  } else {
1956  result = 0;
1957  }
1958 
1959  SigGroupCleanup(de_ctx);
1960  SigCleanSignatures(de_ctx);
1961 
1962  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1963  DetectEngineCtxFree(de_ctx);
1964  FlowShutdown();
1965 
1966  SCFree(p);
1967  return result;
1968 
1969 end:
1970  if (de_ctx) {
1971  SigGroupCleanup(de_ctx);
1972  SigCleanSignatures(de_ctx);
1973  }
1974 
1975  if (det_ctx)
1976  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1977  if (de_ctx)
1978  DetectEngineCtxFree(de_ctx);
1979 
1980  FlowShutdown();
1981  SCFree(p);
1982 
1983  return result;
1984 }
1985 
1986 static int DetectIPProtoTestSig3(void)
1987 {
1988  int result = 0;
1989 
1990  uint8_t raw_eth[] = {
1991  0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26,
1992  0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0,
1993  0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67,
1994  0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00,
1995  0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01,
1996  0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04,
1997  0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04,
1998  0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04,
1999  0x4a, 0xea, 0x7a, 0x8e,
2000  };
2001 
2002  Packet *p = UTHBuildPacket((uint8_t *)"boom", 4, IPPROTO_TCP);
2003  if (p == NULL)
2004  return 0;
2005 
2006  DecodeThreadVars dtv;
2007  ThreadVars th_v;
2008  DetectEngineThreadCtx *det_ctx = NULL;
2009 
2010  p->proto = 0;
2011  memset(&dtv, 0, sizeof(DecodeThreadVars));
2012  memset(&th_v, 0, sizeof(th_v));
2013 
2014  FlowInitConfig(FLOW_QUIET);
2015  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
2016 
2017  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2018  if (de_ctx == NULL) {
2019  goto end;
2020  }
2021 
2022  de_ctx->mpm_matcher = mpm_default_matcher;
2023  de_ctx->flags |= DE_QUIET;
2024 
2025  de_ctx->sig_list = SigInit(de_ctx,
2026  "alert ip any any -> any any (msg:\"Check ipproto usage\"; "
2027  "ip_proto:103; sid:1;)");
2028  if (de_ctx->sig_list == NULL) {
2029  result = 0;
2030  goto end;
2031  }
2032 
2033  SigGroupBuild(de_ctx);
2034  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2035 
2036  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
2037  if (!PacketAlertCheck(p, 1)) {
2038  result = 0;
2039  goto end;
2040  } else {
2041  result = 1;
2042  }
2043 
2044  SigGroupCleanup(de_ctx);
2045  SigCleanSignatures(de_ctx);
2046 
2047  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2048  DetectEngineCtxFree(de_ctx);
2049  FlowShutdown();
2050 
2051  SCFree(p);
2052  return result;
2053 
2054 end:
2055  if (de_ctx) {
2056  SigGroupCleanup(de_ctx);
2057  SigCleanSignatures(de_ctx);
2058  }
2059 
2060  if (det_ctx)
2061  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2062  if (de_ctx)
2063  DetectEngineCtxFree(de_ctx);
2064 
2065  FlowShutdown();
2066  SCFree(p);
2067 
2068  return result;
2069 }
2070 
2071 #endif /* UNITTESTS */
2072 
2073 /**
2074  * \internal
2075  * \brief Register ip_proto tests.
2076  */
2077 static void DetectIPProtoRegisterTests(void)
2078 {
2079 #ifdef UNITTESTS
2080  UtRegisterTest("DetectIPProtoTestParse01", DetectIPProtoTestParse01);
2081  UtRegisterTest("DetectIPProtoTestParse02", DetectIPProtoTestParse02);
2082  UtRegisterTest("DetectIPProtoTestSetup01", DetectIPProtoTestSetup01);
2083  UtRegisterTest("DetectIPProtoTestSetup02", DetectIPProtoTestSetup02);
2084  UtRegisterTest("DetectIPProtoTestSetup03", DetectIPProtoTestSetup03);
2085  UtRegisterTest("DetectIPProtoTestSetup04", DetectIPProtoTestSetup04);
2086  UtRegisterTest("DetectIPProtoTestSetup05", DetectIPProtoTestSetup05);
2087  UtRegisterTest("DetectIPProtoTestSetup06", DetectIPProtoTestSetup06);
2088  UtRegisterTest("DetectIPProtoTestSetup07", DetectIPProtoTestSetup07);
2089  UtRegisterTest("DetectIPProtoTestSetup08", DetectIPProtoTestSetup08);
2090  UtRegisterTest("DetectIPProtoTestSetup09", DetectIPProtoTestSetup09);
2091  UtRegisterTest("DetectIPProtoTestSetup10", DetectIPProtoTestSetup10);
2092  UtRegisterTest("DetectIPProtoTestSetup11", DetectIPProtoTestSetup11);
2093  UtRegisterTest("DetectIPProtoTestSetup12", DetectIPProtoTestSetup12);
2094  UtRegisterTest("DetectIPProtoTestSetup13", DetectIPProtoTestSetup13);
2095  UtRegisterTest("DetectIPProtoTestSetup14", DetectIPProtoTestSetup14);
2096  UtRegisterTest("DetectIPProtoTestSetup15", DetectIPProtoTestSetup15);
2097  UtRegisterTest("DetectIPProtoTestSetup16", DetectIPProtoTestSetup16);
2098  UtRegisterTest("DetectIPProtoTestSetup17", DetectIPProtoTestSetup17);
2099  UtRegisterTest("DetectIPProtoTestSetup18", DetectIPProtoTestSetup18);
2100  UtRegisterTest("DetectIPProtoTestSetup19", DetectIPProtoTestSetup19);
2101  UtRegisterTest("DetectIPProtoTestSetup20", DetectIPProtoTestSetup20);
2102  UtRegisterTest("DetectIPProtoTestSetup21", DetectIPProtoTestSetup21);
2103  UtRegisterTest("DetectIPProtoTestSetup22", DetectIPProtoTestSetup22);
2104  UtRegisterTest("DetectIPProtoTestSetup23", DetectIPProtoTestSetup23);
2105  UtRegisterTest("DetectIPProtoTestSetup24", DetectIPProtoTestSetup24);
2106  UtRegisterTest("DetectIPProtoTestSetup33", DetectIPProtoTestSetup33);
2107  UtRegisterTest("DetectIPProtoTestSetup34", DetectIPProtoTestSetup34);
2108  UtRegisterTest("DetectIPProtoTestSetup36", DetectIPProtoTestSetup36);
2109  UtRegisterTest("DetectIPProtoTestSetup43", DetectIPProtoTestSetup43);
2110  UtRegisterTest("DetectIPProtoTestSetup44", DetectIPProtoTestSetup44);
2111  UtRegisterTest("DetectIPProtoTestSetup45", DetectIPProtoTestSetup45);
2112  UtRegisterTest("DetectIPProtoTestSetup56", DetectIPProtoTestSetup56);
2113  UtRegisterTest("DetectIPProtoTestSetup75", DetectIPProtoTestSetup75);
2114  UtRegisterTest("DetectIPProtoTestSetup76", DetectIPProtoTestSetup76);
2115  UtRegisterTest("DetectIPProtoTestSetup129", DetectIPProtoTestSetup129);
2116  UtRegisterTest("DetectIPProtoTestSetup130", DetectIPProtoTestSetup130);
2117  UtRegisterTest("DetectIPProtoTestSetup131", DetectIPProtoTestSetup131);
2118  UtRegisterTest("DetectIPProtoTestSetup132", DetectIPProtoTestSetup132);
2119  UtRegisterTest("DetectIPProtoTestSetup145", DetectIPProtoTestSetup145);
2120 
2121  UtRegisterTest("DetectIPProtoTestSig1", DetectIPProtoTestSig1);
2122  UtRegisterTest("DetectIPProtoTestSig2", DetectIPProtoTestSig2);
2123  UtRegisterTest("DetectIPProtoTestSig3", DetectIPProtoTestSig3);
2124 #endif /* UNITTESTS */
2125 }
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1406
Signature_::proto
DetectProto proto
Definition: detect.h:512
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:563
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1149
DETECT_PROTO_IPV6
#define DETECT_PROTO_IPV6
Definition: detect-engine-proto.h:37
DetectProto_::flags
uint8_t flags
Definition: detect-engine-proto.h:41
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Signature_::flags
uint32_t flags
Definition: detect.h:496
DETECT_PROTO_ANY
#define DETECT_PROTO_ANY
Definition: detect-engine-proto.h:27
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:1920
SigMatchRemoveSMFromList
void SigMatchRemoveSMFromList(Signature *s, SigMatch *sm, int sm_list)
Definition: detect-parse.c:326
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:729
DetectIPProtoRemoveAllSMs
void DetectIPProtoRemoveAllSMs(Signature *s)
Definition: detect-ipproto.c:429
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
DetectProto_::proto
uint8_t proto[256/8]
Definition: detect-engine-proto.h:40
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:37
DETECT_IPPROTO_OP_LT
#define DETECT_IPPROTO_OP_LT
Definition: detect-ipproto.h:30
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:228
ByteExtractStringUint8
int ByteExtractStringUint8(uint8_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:284
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2383
SigTableElmt_::name
const char * name
Definition: detect.h:1163
Signature_
Signature container.
Definition: detect.h:495
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:326
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:723
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2591
SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
#define SIG_FLAG_INIT_FIRST_IPPROTO_SEEN
Definition: detect.h:265
DETECT_IPPROTO_OP_GT
#define DETECT_IPPROTO_OP_GT
Definition: detect-ipproto.h:31
DE_QUIET
#define DE_QUIET
Definition: detect.h:296
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:618
DetectIPProtoRegister
void DetectIPProtoRegister(void)
Registration function for ip_proto keyword.
Definition: detect-ipproto.c:58
Packet_::proto
uint8_t proto
Definition: decode.h:428
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:724
DETECT_IPPROTO_OP_NOT
#define DETECT_IPPROTO_OP_NOT
Definition: detect-ipproto.h:29
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1154
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-ethernet.c:41
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
SigFree
void SigFree(Signature *)
Definition: detect-parse.c:1294
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1892
DetectEngineCtx_::mpm_matcher
uint16_t mpm_matcher
Definition: detect.h:772
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1743
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
Definition: detect-parse.c:2286
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1343
DetectIPProtoData_
Definition: detect-ipproto.h:34
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:262
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1964
SigMatch_::type
uint8_t type
Definition: detect.h:323
Packet_
Definition: decode.h:405
PARSE_REGEX
#define PARSE_REGEX
Regex for parsing our options.
Definition: detect-ipproto.c:49
DETECT_PROTO_IPV4
#define DETECT_PROTO_IPV4
Definition: detect-engine-proto.h:36
SigTableElmt_::desc
const char * desc
Definition: detect.h:1165
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:288
SignatureInitData_::smlists
struct SigMatch_ ** smlists
Definition: detect.h:489
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:1171
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:325
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:166
mpm_default_matcher
int mpm_default_matcher
Definition: util-mpm.h:170
SCFree
#define SCFree(a)
Definition: util-mem.h:228
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
DETECT_IPPROTO_OP_EQ
#define DETECT_IPPROTO_OP_EQ
Definition: detect-ipproto.h:28
SignatureInitData_::init_flags
uint32_t init_flags
Definition: detect.h:459
UTHGenericTest
int UTHGenericTest(Packet **pkt, int numpkts, const char *sigs[], uint32_t sids[], uint32_t *results, int numsigs)
UTHGenericTest: function that perfom a generic check taking care of as maximum common unittest elemen...
Definition: util-unittest-helper.c:575
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:667
SigMatchFree
void SigMatchFree(SigMatch *sm)
free a SigMatch
Definition: detect-parse.c:247
SigTableElmt_::Match
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
SigTableElmt_::url
const char * url
Definition: detect.h:1166
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:410
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DOC_URL
#define DOC_URL
Definition: suricata.h:86
DetectIPProtoData_::op
uint8_t op
Definition: detect-ipproto.h:35
DetectIPProtoData_::proto
uint8_t proto
Definition: detect-ipproto.h:36
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:232
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
DetectEngineThreadCtx_
Definition: detect.h:965
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1157
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1155
SigMatch_
a single match condition for a signature
Definition: detect.h:322
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640
FlowInitConfig
void FlowInitConfig(char quiet)
initialize the configuration
Definition: flow.c:512