89 #define ALPROTO_WITHFILES_MAX 16
99 .to_client_progress = HTP_RESPONSE_PROGRESS_BODY,
100 .to_server_progress = HTP_REQUEST_PROGRESS_BODY },
103 .to_client_progress = HTTP2StateDataServer,
104 .to_server_progress = HTTP2StateDataClient },
109 AppProto alproto,
int direction,
int to_client_progress,
int to_server_progress)
159 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
190 #define CASE_CODE_STRING(E, S) case E: return S; break
201 #undef CASE_CODE_STRING
205 #define CASE_CODE(E) case E: return #E
223 Signature *s,
const char *arg,
int sm_type,
int sm_list,
229 if (arg != NULL && strcmp(arg,
"") != 0) {
238 "with a sticky buffer still set. Reset sticky buffer "
239 "with pkt_data before using the modifier.",
253 "found inside the rule without a content context. "
254 "Please use a \"content\" keyword before using the "
262 "be used with the rawbytes rule keyword",
268 "be used with the replace rule keyword",
307 bool reuse_buffer =
false;
320 SCLogError(
"failed to expand rule buffer array");
329 SCLogDebug(
"idx %u list %d set up curbuf %p s->init_data->buffer_index %u",
370 if (sm->
ctx != NULL) {
381 ptrdiff_t
offset = e - table;
395 if (st->
name != NULL) {
428 if (strcmp(
str,
"all") == 0) {
440 char *xsaveptr = NULL;
441 char *key = strtok_r(copy,
",", &xsaveptr);
442 while (key != NULL) {
448 "argument '%s' not found",
451 key = strtok_r(NULL,
",", &xsaveptr);
478 SCLogDebug(
"s:%p new:%p list:%d: %s, s->init_data->list_set %s s->init_data->list %d", s,
new,
512 SCLogDebug(
"reusing buffer %u as it isn't multi-capable", x);
522 SCLogError(
"failed to expand rule buffer array");
552 SCLogDebug(
"appended %s to list %d, rule pos %u (s->init_data->list %d)",
571 if (sm->
prev != NULL)
573 if (sm->
next != NULL)
615 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
627 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
649 SCLogDebug(
"skip x %u s->init_data->list %d (int)s->init_data->buffers[x].id %d", x,
658 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
662 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
679 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
684 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
709 va_start(ap, sm_list);
711 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
713 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
716 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
747 va_start(ap, list_id);
749 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
753 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
765 va_start(ap, list_id);
767 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
768 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
771 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
794 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
802 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
809 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
815 if (sm->
prev != NULL)
817 if (sm->
next != NULL)
820 if (sm == *src_sm_list)
821 *src_sm_list = sm->
next;
822 if (sm == *src_sm_list_tail)
823 *src_sm_list_tail = sm->
prev;
825 if (*dst_sm_list == NULL) {
827 *dst_sm_list_tail = sm;
835 *dst_sm_list_tail = sm;
862 SCLogError(
"Unable to find the sm in any of the "
876 static int DetectSetupDirection(
Signature *s,
char **
str,
bool only_dir)
879 if (strncmp(*
str,
"to_client", strlen(
"to_client")) == 0) {
880 *
str += strlen(
"to_client");
882 while (**
str && isblank(**
str)) {
888 SCLogError(
"unknown option: only accepts to_server or to_client");
898 while (**
str && isblank(**
str)) {
910 }
else if (strncmp(*
str,
"to_server", strlen(
"to_server")) == 0) {
911 *
str += strlen(
"to_server");
913 while (**
str && isblank(**
str)) {
919 SCLogError(
"unknown option: only accepts to_server or to_client");
929 while (**
str && isblank(**
str)) {
941 }
else if (only_dir) {
942 SCLogError(
"unknown option: only accepts to_server or to_client");
949 size_t output_size,
bool requires)
952 char *optname = NULL;
953 char *optvalue = NULL;
956 while (isblank(*optstr)) {
961 char *optend = optstr;
963 optend = strchr(optend,
';');
964 if (optend == NULL) {
968 else if (optend > optstr && *(optend -1 ) ==
'\\') {
977 char *optvalptr = strchr(optstr,
':');
979 *(optvalptr++) =
'\0';
982 for (
size_t i = strlen(optvalptr); i > 0; i--) {
983 if (isblank(optvalptr[i - 1])) {
984 optvalptr[i - 1] =
'\0';
990 optvalue = optvalptr;
994 for (
size_t i = strlen(optstr); i > 0; i--) {
995 if (isblank(optstr[i - 1])) {
996 optstr[i - 1] =
'\0';
1005 bool requires_only = strcasecmp(optname,
"requires") == 0 || strcasecmp(optname,
"sid") == 0;
1006 if ((requires && !requires_only) || (!requires && requires_only)) {
1011 st = SigTableGet(optname);
1012 if (st == NULL || st->
Setup == NULL) {
1013 SCLogError(
"unknown rule keyword '%s'.", optname);
1018 if (optvalue == NULL || strlen(optvalue) == 0) {
1020 "invalid formatting or malformed option to %s keyword: '%s'", optname, optstr);
1024 if (optvalue && strlen(optvalue)) {
1025 SCLogError(
"unexpected option to %s keyword: '%s'", optname, optstr);
1035 #define URL "https://suricata.io/our-story/deprecation-policy/"
1038 "and will be removed soon. See %s",
1042 "and will be removed soon. Use '%s' instead. "
1051 if (optvalue != NULL && strlen(optvalue) > 0) {
1052 size_t ovlen = strlen(optvalue);
1053 char *ptr = optvalue;
1063 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
1069 SCLogWarning(
"keyword \'%s\' has not been tested for firewall rules", optname);
1086 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
1092 SCLogError(
"invalid formatting to %s keyword: "
1093 "value must be double quoted \'%s\'",
1099 && ovlen && *ptr ==
'"')
1101 for (; ovlen > 0; ovlen--) {
1102 if (isblank(ptr[ovlen - 1])) {
1103 ptr[ovlen - 1] =
'\0';
1108 if (ovlen && ptr[ovlen - 1] !=
'"') {
1109 SCLogError(
"bad option value formatting (possible missing semicolon) "
1110 "for keyword %s: \'%s\'",
1118 ptr[ovlen - 1] =
'\0';
1123 "for keyword %s: \'%s\'",
1130 "quotes on %s keyword that doesn't support them: \'%s\'", optname, optstr);
1148 if (setup_ret < 0) {
1152 if (setup_ret == -2) {
1164 if (strlen(optend) > 0) {
1165 strlcpy(output, optend, output_size);
1180 Signature *s,
const char *addrstr,
char flag)
1182 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
1186 if (strcasecmp(addrstr,
"any") == 0)
1194 if (strcasecmp(addrstr,
"any") == 0)
1209 static bool IsBuiltIn(
const char *n)
1211 if (strcmp(n,
"request_started") == 0 || strcmp(n,
"response_started") == 0) {
1214 if (strcmp(n,
"request_complete") == 0 || strcmp(n,
"response_complete") == 0) {
1232 if (strcmp(alproto_name,
"http") == 0)
1233 alproto_name =
"http1";
1234 SCLogDebug(
"alproto %u/%s", a, alproto_name);
1236 const int max_progress_ts =
1238 const int max_progress_tc =
1241 char ts_tx_started[64];
1242 snprintf(ts_tx_started,
sizeof(ts_tx_started),
"%s:request_started:generic", alproto_name);
1245 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"request_name", ts_tx_started,
1246 (uint32_t)strlen(ts_tx_started));
1248 char tc_tx_started[64];
1249 snprintf(tc_tx_started,
sizeof(tc_tx_started),
"%s:response_started:generic", alproto_name);
1252 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"response_name", tc_tx_started,
1253 (uint32_t)strlen(tc_tx_started));
1255 char ts_tx_complete[64];
1256 snprintf(ts_tx_complete,
sizeof(ts_tx_complete),
"%s:request_complete:generic",
1260 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"request_name", ts_tx_complete,
1261 (uint32_t)strlen(ts_tx_complete));
1263 char tc_tx_complete[64];
1264 snprintf(tc_tx_complete,
sizeof(tc_tx_complete),
"%s:response_complete:generic",
1268 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"response_name", tc_tx_complete,
1269 (uint32_t)strlen(tc_tx_complete));
1271 for (
int p = 0; p <= max_progress_ts; p++) {
1273 IPPROTO_TCP , a, p, STREAM_TOSERVER);
1274 if (
name != NULL && !IsBuiltIn(
name)) {
1276 snprintf(list_name,
sizeof(list_name),
"%s:%s:generic", alproto_name,
name);
1277 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
name, list_name,
1278 (uint32_t)strlen(list_name));
1284 for (
int p = 0; p <= max_progress_tc; p++) {
1286 IPPROTO_TCP , a, p, STREAM_TOCLIENT);
1287 if (
name != NULL && !IsBuiltIn(
name)) {
1289 snprintf(list_name,
sizeof(list_name),
"%s:%s:generic", alproto_name,
name);
1290 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
name, list_name,
1291 (uint32_t)strlen(list_name));
1317 if (strcmp(
str,
"flow_start") == 0) {
1319 }
else if (strcmp(
str,
"all") == 0) {
1332 return "flow_start";
1344 .t.pkt.ph = HookPktFromString(hook_str),
1352 static int SigParseProtoHookPkt(
Signature *s,
const char *proto_hook,
const char *p,
const char *h)
1365 SCLogDebug(
"protocol:%s hook:%s: type:%s parsed hook:%s", p, h,
1375 .t.app.alproto = alproto,
1376 .t.app.app_progress = progress,
1384 static int SigParseProtoHookApp(
Signature *s,
const char *proto_hook,
const char *p,
const char *h)
1386 if (strcmp(h,
"request_started") == 0) {
1390 }
else if (strcmp(h,
"response_started") == 0) {
1394 }
else if (strcmp(h,
"request_complete") == 0) {
1398 }
else if (strcmp(h,
"response_complete") == 0) {
1404 IPPROTO_TCP , s->
alproto, h, STREAM_TOSERVER);
1405 if (progress_ts >= 0) {
1410 IPPROTO_TCP , s->
alproto, h, STREAM_TOCLIENT);
1411 if (progress_tc < 0) {
1419 char generic_hook_name[64];
1420 snprintf(generic_hook_name,
sizeof(generic_hook_name),
"%s:generic", proto_hook);
1423 SCLogError(
"no list registered as %s for hook %s", generic_hook_name, proto_hook);
1428 SCLogDebug(
"protocol:%s hook:%s: type:%s alproto:%u hook:%d", p, h,
1448 static int SigParseProto(
Signature *s,
const char *protostr)
1451 if (strlen(protostr) > 32)
1456 const char *p =
proto;
1457 const char *h = NULL;
1459 bool has_hook = strchr(
proto,
':') != NULL;
1461 char *xsaveptr = NULL;
1462 p = strtok_r(
proto,
":", &xsaveptr);
1463 h = strtok_r(NULL,
":", &xsaveptr);
1481 if (SigParseProtoHookApp(s, protostr, p, h) < 0) {
1482 SCLogError(
"protocol \"%s\" does not support hook \"%s\"", p, h);
1489 "in a signature. Either detection for this protocol "
1490 "is not yet supported OR detection has been disabled for "
1491 "protocol through the yaml option "
1492 "app-layer.protocols.%s.detection-enabled",
1496 }
else if (h != NULL) {
1497 SCLogDebug(
"non-app-layer rule with %s:%s", p, h);
1499 if (SigParseProtoHookPkt(s, protostr, p, h) < 0) {
1500 SCLogError(
"protocol \"%s\" does not support hook \"%s\"", p, h);
1529 Signature *s,
const char *portstr,
char flag)
1535 SCLogDebug(
"Port group \"%s\" to be parsed", portstr);
1538 if (strcasecmp(portstr,
"any") == 0)
1542 }
else if (flag == 1) {
1543 if (strcasecmp(portstr,
"any") == 0)
1558 static int SigParseActionRejectValidate(
const char *action)
1560 #ifdef HAVE_LIBNET11
1561 #if defined HAVE_LIBCAP_NG && !defined HAVE_LIBNET_CAPABILITIES
1564 "incompatible with POSIX based capabilities with privs dropping. "
1565 "For rejects to work, run as root/super user.");
1571 "required for action \"%s\" but is not compiled into Suricata",
1581 static uint8_t ActionStringToFlags(
const char *action)
1583 if (strcasecmp(action,
"alert") == 0) {
1585 }
else if (strcasecmp(action,
"drop") == 0) {
1587 }
else if (strcasecmp(action,
"pass") == 0) {
1589 }
else if (strcasecmp(action,
"reject") == 0 ||
1590 strcasecmp(action,
"rejectsrc") == 0)
1592 if (!(SigParseActionRejectValidate(action)))
1595 }
else if (strcasecmp(action,
"rejectdst") == 0) {
1596 if (!(SigParseActionRejectValidate(action)))
1599 }
else if (strcasecmp(action,
"rejectboth") == 0) {
1600 if (!(SigParseActionRejectValidate(action)))
1603 }
else if (strcasecmp(action,
"config") == 0) {
1605 }
else if (strcasecmp(action,
"accept") == 0) {
1608 SCLogError(
"An invalid action \"%s\" was given", action);
1624 static int SigParseAction(
Signature *s,
const char *action_in)
1627 strlcpy(action, action_in,
sizeof(action));
1628 const char *a = action;
1629 const char *o = NULL;
1631 bool has_scope = strchr(action,
':') != NULL;
1633 char *xsaveptr = NULL;
1634 a = strtok_r(action,
":", &xsaveptr);
1635 o = strtok_r(NULL,
":", &xsaveptr);
1639 SCLogError(
"invalid protocol specification '%s'", action_in);
1643 uint8_t
flags = ActionStringToFlags(a);
1649 uint8_t scope_flags = 0;
1651 if (strcmp(o,
"packet") == 0) {
1653 }
else if (strcmp(o,
"flow") == 0) {
1656 SCLogError(
"invalid action scope '%s' in action '%s': only 'packet' and 'flow' "
1663 if (strcmp(o,
"packet") == 0) {
1665 }
else if (strcmp(o,
"hook") == 0) {
1667 }
else if (strcmp(o,
"tx") == 0) {
1669 }
else if (strcmp(o,
"flow") == 0) {
1673 "invalid action scope '%s' in action '%s': only 'packet', 'flow', 'tx' and "
1680 SCLogError(
"invalid action scope '%s' in action '%s': scope only supported for actions "
1681 "'drop', 'pass' and 'reject'",
1689 SCLogError(
"firewall rules require setting an explicit action scope");
1694 SCLogError(
"'accept' action only supported for firewall rules");
1699 SCLogError(
"'pass' action not supported for firewall rules");
1718 static inline int SigParseToken(
char **input,
char *output,
1719 const size_t output_size)
1721 size_t len = *input == NULL ? 0 : strlen(*input);
1727 while (
len && isblank(**input)) {
1732 char *endptr = strpbrk(*input,
" \t\n\r");
1733 if (endptr != NULL) {
1736 strlcpy(output, *input, output_size);
1753 static inline int SigParseList(
char **input,
char *output,
1754 const size_t output_size)
1757 size_t len = *input != NULL ? strlen(*input) : 0;
1763 while (
len && isblank(**input)) {
1769 for (i = 0; i <
len; i++) {
1770 char c = (*input)[i];
1773 }
else if (c ==
']') {
1775 }
else if (c ==
' ') {
1786 strlcpy(output, *input, output_size);
1787 *input = *input + i + 1;
1807 SigParseToken(&index, parser->
action,
sizeof(parser->
action));
1813 SigParseList(&index, parser->
src,
sizeof(parser->
src));
1816 SigParseList(&index, parser->
sp,
sizeof(parser->
sp));
1822 SigParseList(&index, parser->
dst,
sizeof(parser->
dst));
1825 SigParseList(&index, parser->
dp,
sizeof(parser->
dp));
1828 if (index == NULL) {
1832 while (isspace(*index) || *index ==
'(') {
1835 for (
size_t i = strlen(index); i > 0; i--) {
1836 if (isspace(index[i - 1]) || index[i - 1] ==
')') {
1837 index[i - 1] =
'\0';
1849 if (SigParseAction(s, parser->
action) < 0)
1852 if (SigParseProto(s, parser->
protocol) < 0)
1855 if (strcmp(parser->
direction,
"<>") == 0) {
1857 }
else if (strcmp(parser->
direction,
"=>") == 0) {
1859 SCLogError(
"transactional bidirectional rules not supported for firewall rules");
1864 }
else if (strcmp(parser->
direction,
"->") != 0) {
1865 SCLogError(
"\"%s\" is not a valid direction modifier, "
1866 "\"->\" and \"<>\" are supported.",
1893 static inline bool CheckAscii(
const char *
str)
1895 for (
size_t i = 0; i < strlen(
str); i++) {
1896 if (
str[i] < 0x20) {
1898 if (
str[i] == 0x0a ||
str[i] == 0x0d ||
str[i] == 0x09) {
1902 }
else if (
str[i] == 0x7f) {
1926 if (!SCCheckUtf8(sigstr)) {
1931 if (!CheckAscii(sigstr)) {
1932 SCLogError(
"rule contains invalid (control) characters");
1936 int ret = SigParseBasics(
de_ctx, s, sigstr, parser, addrs_direction, requires);
1943 if (strlen(parser->
opts) > 0) {
1944 size_t buffer_size = strlen(parser->
opts) + 1;
1945 char input[buffer_size];
1946 char output[buffer_size];
1947 memset(input, 0x00, buffer_size);
1948 memcpy(input, parser->
opts, strlen(parser->
opts) + 1);
1954 memset(output, 0x00, buffer_size);
1955 ret = SigParseOptions(
de_ctx, s, input, output, buffer_size, requires);
1957 memcpy(input, output, buffer_size);
1989 memset(b, 0,
sizeof(*b));
2037 static void SigMetadataFree(
Signature *s)
2044 if (s == NULL || s->
metadata == NULL) {
2051 next_mdata = mdata->
next;
2082 next_ref = ref->
next;
2136 while (sm != NULL) {
2145 while (sm != NULL) {
2166 if (s->
sp != NULL) {
2169 if (s->
dp != NULL) {
2207 SCLogError(
"transforms must directly follow stickybuffers");
2240 if (s->
alproto == *alprotos) {
2283 }
else if (i == 1) {
2315 if (!AppProtoIsValid(alproto)) {
2339 alproto = AppProtoCommon(s->
alproto, alproto);
2341 SCLogError(
"can't set rule app proto to %s: already set to %s",
2368 if (addr_match4 == NULL) {
2374 addr_match4[idx].
ip =
SCNtohl(da->ip.addr_data32[0]);
2375 addr_match4[idx].
ip2 =
SCNtohl(da->ip2.addr_data32[0]);
2394 if (addr_match6 == NULL) {
2400 addr_match6[idx].
ip[0] =
SCNtohl(da->ip.addr_data32[0]);
2401 addr_match6[idx].
ip[1] =
SCNtohl(da->ip.addr_data32[1]);
2402 addr_match6[idx].
ip[2] =
SCNtohl(da->ip.addr_data32[2]);
2403 addr_match6[idx].
ip[3] =
SCNtohl(da->ip.addr_data32[3]);
2404 addr_match6[idx].
ip2[0] =
SCNtohl(da->ip2.addr_data32[0]);
2405 addr_match6[idx].
ip2[1] =
SCNtohl(da->ip2.addr_data32[1]);
2406 addr_match6[idx].
ip2[2] =
SCNtohl(da->ip2.addr_data32[2]);
2407 addr_match6[idx].
ip2[3] =
SCNtohl(da->ip2.addr_data32[3]);
2420 static void SigBuildAddressMatchArray(
Signature *s)
2437 static int SigMatchListLen(
SigMatch *sm)
2440 for (; sm != NULL; sm = sm->
next)
2451 int len = SigMatchListLen(
head);
2457 FatalError(
"initializing the detection engine failed");
2463 for (; sm != NULL; sm = sm->
next, smd++) {
2503 SCLogDebug(
"s %u: no mpm; prefilter? de_ctx->prefilter_setting %u "
2504 "s->init_data->has_possible_prefilter %s",
2518 prefilter_list =
MIN(prefilter_list, sm->
type);
2528 if (sm->
type == prefilter_list) {
2545 SCLogError(
"rule %u is loaded as a firewall rule, but does not specify an "
2553 static void DetectFirewallRuleSetTable(
Signature *s)
2589 if (!DetectFirewallRuleValidate(
de_ctx, s))
2593 uint32_t sig_flags = 0;
2598 nlists += (nlists > 0);
2602 SCLogError(
"rule %u setup buffer %s but didn't add matches to it", s->
id,
2607 bool has_frame =
false;
2608 bool has_app =
false;
2609 bool has_pkt =
false;
2610 bool has_pmatch =
false;
2620 struct BufferVsDir {
2623 } bufdir[nlists + 1];
2624 memset(&bufdir, 0, (nlists + 1) *
sizeof(
struct BufferVsDir));
2641 if (b->
head == NULL) {
2646 has_frame |= bt->
frame;
2652 "specific matches (like dsize, flags, ttl) with stream / "
2653 "state matching by matching on app layer proto (like using "
2654 "http_* keywords).");
2659 for (; app != NULL; app = app->
next) {
2674 bufdir[b->
id].ts += (app->
dir == 0);
2675 bufdir[b->
id].tc += (app->
dir == 1);
2689 SCLogError(
"engine progress value doesn't match hook");
2709 for (
int x = 0; x < nlists; x++) {
2710 if (bufdir[x].
ts == 0 && bufdir[x].tc == 0)
2712 ts_excl += (bufdir[x].ts > 0 && bufdir[x].tc == 0);
2713 tc_excl += (bufdir[x].ts == 0 && bufdir[x].tc > 0);
2714 dir_amb += (bufdir[x].ts > 0 && bufdir[x].tc > 0);
2720 if (!ts_excl || !tc_excl) {
2721 SCLogError(
"rule %u should use both directions, but does not", s->
id);
2725 SCLogError(
"rule %u means to use both directions, cannot have keywords ambiguous about "
2730 }
else if (ts_excl && tc_excl) {
2732 "rule %u mixes keywords with conflicting directions, a transactional rule with => "
2736 }
else if (ts_excl) {
2737 SCLogDebug(
"%u: implied rule direction is toserver", s->
id);
2739 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2742 }
else if (tc_excl) {
2743 SCLogDebug(
"%u: implied rule direction is toclient", s->
id);
2745 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2748 }
else if (dir_amb) {
2749 SCLogDebug(
"%u: rule direction cannot be deduced from keywords", s->
id);
2755 "tcp-stream or flow:only_stream. Invalidating signature.");
2760 SCLogError(
"You seem to have mixed keywords "
2761 "that require inspection in both directions. Atm we only "
2762 "support keywords in one direction within a rule.");
2766 if (has_pmatch && has_frame) {
2767 SCLogError(
"can't mix pure content and frame inspection");
2770 if (has_app && has_frame) {
2771 SCLogError(
"can't mix app-layer buffer and frame inspection");
2774 if (has_pkt && has_frame) {
2775 SCLogError(
"can't mix pkt buffer and frame inspection");
2783 if (s->
proto.
proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
2814 "support file matching",
2829 SCLogError(
"No protocol support file matching");
2834 SCLogError(
"protocol HTTP2 doesn't support file name matching");
2854 memset(&parser, 0x00,
sizeof(parser));
2859 if (firewall_rule) {
2876 int ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
true);
2883 }
else if (ret < 0) {
2889 SCLogError(
"Signature missing required value \"sid\".");
2894 ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
false);
2900 }
else if (ret == -2) {
2903 }
else if (ret < 0) {
2908 if (sig->
prio == -1)
2915 int override_needed = 0;
2919 override_needed = 1;
2921 override_needed = 1;
2923 for (s = 0; s <
sizeof(sig->
proto.
proto); s++) {
2925 override_needed = 0;
2934 if (override_needed)
2944 for ( ; sm != NULL; sm = sm->
next) {
2968 SCLogDebug(
"sig %"PRIu32
" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
2972 SigBuildAddressMatchArray(sig);
2983 SigSetupPrefilter(
de_ctx, sig);
2986 if (SigValidate(
de_ctx, sig) == 0) {
2994 DetectFirewallRuleSetTable(sig);
3020 static bool SigHasSameSourceAndDestination(
const Signature *s)
3062 if (SigHasSameSourceAndDestination(sig)) {
3063 SCLogInfo(
"Rule with ID %u is bidirectional, but source and destination are the same, "
3064 "treating the rule as unidirectional", sig->
id);
3069 if (sig->
next == NULL) {
3099 return SigInitDo(
de_ctx, sigstr,
false);
3104 return SigInitDo(
de_ctx, sigstr,
true);
3113 static void DetectParseDupSigFreeFunc(
void *data)
3129 static uint32_t DetectParseDupSigHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
3148 static char DetectParseDupSigCompareFunc(
void *data1, uint16_t len1,
void *data2,
3154 if (sw1 == NULL || sw2 == NULL ||
3155 sw1->
s == NULL || sw2->
s == NULL)
3159 if (sw1->
s->
id == sw2->
s->
id && sw1->
s->
gid == sw2->
s->
gid)
return 1;
3175 DetectParseDupSigHashFunc,
3176 DetectParseDupSigCompareFunc,
3177 DetectParseDupSigFreeFunc);
3238 if (sw_dup == NULL) {
3251 (
void *)&sw_tmp, 0);
3263 if (sw->
s->
rev <= sw_dup->
s->
rev) {
3272 if (sw_dup->
s_prev == NULL) {
3280 sw_temp.
s = sw_dup->
s->
next;
3284 if (sw_temp.
s != NULL) {
3286 (
void *)&sw_temp, 0);
3306 sw_temp.
s = sw_dup->
s->
next;
3314 if (sw_temp.
s != NULL) {
3316 (
void *)&sw_temp, 0);
3331 (
void *)&sw_tmp, 0);
3332 if (sw_old->
s != sw_dup->
s) {
3375 int dup_sig = DetectEngineSignatureIsDuplicate(
de_ctx, sig);
3379 SCLogError(
"Duplicate signature \"%s\"", sigstr);
3381 }
else if (dup_sig == 2) {
3383 " so the older sig replaced by this new signature \"%s\"",
3388 if (sig->
next != NULL) {
3405 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
3409 if (sig != NULL && sig->
next != NULL) {
3447 int dup_sig = DetectEngineSignatureIsDuplicate(
de_ctx, sig);
3451 SCLogError(
"Duplicate signature \"%s\"", sigstr);
3453 }
else if (dup_sig == 2) {
3455 " so the older sig replaced by this new signature \"%s\"",
3460 if (sig->
next != NULL) {
3477 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
3481 if (sig != NULL && sig->
next != NULL) {
3494 int start_offset,
int options)
3496 *match = pcre2_match_data_create_from_pattern(parse_regex->
regex, NULL);
3498 return pcre2_match(parse_regex->
regex, (PCRE2_SPTR8)
str, strlen(
str), options, start_offset,
3499 *match, parse_regex->
context);
3506 pcre2_code_free(r->
regex);
3509 pcre2_match_context_free(r->
context);
3524 g_detect_parse_regex_list = NULL;
3533 FatalError(
"failed to alloc memory for pcre free list");
3536 r->
next = g_detect_parse_regex_list;
3537 g_detect_parse_regex_list = r;
3545 detect_parse->
regex =
3546 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
3547 if (detect_parse->
regex == NULL) {
3548 PCRE2_UCHAR errbuffer[256];
3549 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
3550 SCLogError(
"pcre compile of \"%s\" failed at "
3552 parse_str, en, errbuffer);
3555 detect_parse->
context = pcre2_match_context_create(NULL);
3556 if (detect_parse->
context == NULL) {
3557 SCLogError(
"pcre2 could not create match context");
3558 pcre2_code_free(detect_parse->
regex);
3559 detect_parse->
regex = NULL;
3574 if (detect_parse == NULL) {
3578 detect_parse->
regex =
3579 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
3580 if (detect_parse->
regex == NULL) {
3581 PCRE2_UCHAR errbuffer[256];
3582 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
3583 SCLogError(
"pcre2 compile of \"%s\" failed at "
3585 parse_str, (
int)eo, errbuffer);
3590 detect_parse->
next = g_detect_parse_regex_list;
3591 g_detect_parse_regex_list = detect_parse;
3592 return detect_parse;
3596 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
3598 int r = pcre2_substring_copy_bynumber(match_data, number, buffer, bufflen);
3599 if (r == PCRE2_ERROR_UNSET) {
3608 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
3610 int r = pcre2_substring_get_bynumber(match_data, number, bufferptr, bufflen);
3611 if (r == PCRE2_ERROR_UNSET) {
3634 static int SigParseTest01 (
void)
3643 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
3653 static int SigParseTest02 (
void)
3667 sig =
SigInit(
de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
3695 static int SigParseTest03 (
void)
3704 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any <- !1.2.3.4 any (msg:\"SigParseTest03\"; sid:1;)");
3707 printf(
"expected NULL got sig ptr %p: ",sig);
3716 static int SigParseTest04 (
void)
3725 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024: -> !1.2.3.4 1024: (msg:\"SigParseTest04\"; sid:1;)");
3736 static int SigParseTest05 (
void)
3745 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024:65536 -> !1.2.3.4 any (msg:\"SigParseTest05\"; sid:1;)");
3749 printf(
"signature didn't fail to parse as we expected: ");
3759 static int SigParseTest06 (
void)
3768 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; nocase; http_method; uricontent:\"/uri/\"; nocase; content:\"Host|3A| abc\"; nocase; sid:1; rev:1;)");
3772 printf(
"signature failed to parse: ");
3786 static int SigParseTest07(
void)
3808 static int SigParseTest08(
void)
3831 static int SigParseTest09(
void)
3882 static int SigParseTest10(
void)
3914 static int SigParseTest11(
void)
3925 "drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\"; sid:1;) ");
3927 printf(
"sig 1 didn't parse: ");
3932 "the http link\"; sid:2;) ");
3934 printf(
"sig 2 didn't parse: ");
3948 static int SigParseTest12(
void)
3960 printf(
"sig 1 should have given an error: ");
3974 static int SigParseTest13(
void)
3986 printf(
"sig 1 invalidated: failure");
3991 printf(
"sig doesn't have stream flag set\n");
3996 printf(
"sig has packet flag set\n");
4011 static int SigParseTest14(
void)
4023 printf(
"sig 1 invalidated: failure");
4028 printf(
"sig doesn't have packet flag set\n");
4033 printf(
"sig has stream flag set\n");
4048 static int SigParseTest15(
void)
4060 printf(
"sig 1 invalidated: failure");
4065 printf(
"sig doesn't have packet flag set\n");
4070 printf(
"sig doesn't have stream flag set\n");
4085 static int SigParseTest16(
void)
4097 printf(
"sig 1 invalidated: failure");
4102 printf(
"sig doesn't have packet flag set\n");
4107 printf(
"sig doesn't have stream flag set\n");
4122 static int SigParseTest17(
void)
4134 printf(
"sig 1 invalidated: failure");
4139 printf(
"sig doesn't have packet flag set\n");
4144 printf(
"sig doesn't have stream flag set\n");
4157 static int SigParseTest18 (
void)
4165 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:99999999999999999999;)") != NULL)
4176 static int SigParseTest19 (
void)
4184 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; gid:99999999999999999999;)") != NULL)
4195 static int SigParseTest20 (
void)
4203 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; rev:99999999999999999999;)") != NULL)
4214 static int SigParseTest21 (
void)
4233 static int SigParseTest22 (
void)
4241 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp [10.10.10.0/24, !10.10.10.247] any -> [10.10.10.0/24, !10.10.10.247] any (sid:1;)") == NULL)
4254 static int SigParseTest23(
void)
4269 static int SigParseBidirecTest06 (
void)
4289 static int SigParseBidirecTest07 (
void)
4309 static int SigParseBidirecTest08 (
void)
4329 static int SigParseBidirecTest09 (
void)
4349 static int SigParseBidirecTest10 (
void)
4369 static int SigParseBidirecTest11 (
void)
4389 static int SigParseBidirecTest12 (
void)
4409 static int SigParseBidirecTest13 (
void)
4428 static int SigParseBidirecTest14 (
void)
4449 static int SigTestBidirec01 (
void)
4461 if (sig->
next != NULL)
4480 static int SigTestBidirec02 (
void)
4499 if (sig->
next == NULL)
4504 if (copy->
next != NULL)
4525 static int SigTestBidirec03 (
void)
4537 const char *sigs[3];
4538 sigs[0] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 1\"; sid:1;)";
4539 sigs[1] =
"alert tcp any any <> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)";
4540 sigs[2] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 3\"; sid:3;)";
4547 if (sig->
next == NULL)
4558 uint8_t rawpkt1_ether[] = {
4559 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
4560 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
4561 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
4562 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
4563 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
4564 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
4565 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
4566 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
4567 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
4568 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
4569 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
4570 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
4571 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
4572 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
4573 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
4574 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
4575 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
4576 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
4577 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
4578 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
4579 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
4580 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
4581 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
4582 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
4583 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
4584 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
4585 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
4586 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
4587 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
4588 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
4589 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
4590 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
4591 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
4592 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
4593 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4594 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4595 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
4596 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
4597 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
4598 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
4599 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
4600 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
4601 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
4602 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4603 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
4604 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
4605 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
4606 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
4607 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4608 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
4609 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
4610 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
4611 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
4612 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
4613 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
4623 uint32_t sids[3] = {1, 2, 3};
4624 uint32_t results[3] = {1, 1, 1};
4640 static int SigTestBidirec04 (
void)
4655 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp 192.168.1.1 any <> any any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)");
4660 if (sig->
next == NULL)
4672 if (sig->
next == NULL)
4683 uint8_t rawpkt1_ether[] = {
4684 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
4685 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
4686 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
4687 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
4688 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
4689 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
4690 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
4691 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
4692 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
4693 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
4694 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
4695 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
4696 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
4697 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
4698 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
4699 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
4700 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
4701 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
4702 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
4703 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
4704 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
4705 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
4706 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
4707 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
4708 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
4709 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
4710 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
4711 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
4712 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
4713 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
4714 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
4715 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
4716 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
4717 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
4718 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4719 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4720 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
4721 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
4722 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
4723 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
4724 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
4725 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
4726 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
4727 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4728 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
4729 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
4730 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
4731 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
4732 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4733 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
4734 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
4735 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
4736 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
4737 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
4738 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
4747 memset(&th_v, 0,
sizeof(th_v));
4787 static int SigParseTestNegation01 (
void)
4801 static int SigParseTestNegation02 (
void)
4812 s =
SigInit(
de_ctx,
"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
4827 static int SigParseTestNegation03 (
void)
4838 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4853 static int SigParseTestNegation04 (
void)
4864 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4879 static int SigParseTestNegation05 (
void)
4890 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
4905 static int SigParseTestNegation06 (
void)
4916 s =
SigInit(
de_ctx,
"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
4932 static int SigParseTestNegation07 (
void)
4938 de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (sid:410006;)");
4947 static int SigParseTestNegation08 (
void)
4958 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.0/16,!192.168.0.0/24] any (sid:410006; rev:1;)");
4973 static int SigParseTestMpm01 (
void)
4982 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; sid:1;)");
4984 printf(
"sig failed to init: ");
4989 printf(
"sig doesn't have content list: ");
5004 static int SigParseTestMpm02 (
void)
5013 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; content:\"abcdef\"; sid:1;)");
5015 printf(
"sig failed to init: ");
5020 printf(
"sig doesn't have content list: ");
5035 static int SigParseTestAppLayerTLS01(
void)
5046 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS01 \"; sid:410006; rev:1;)");
5048 printf(
"parsing sig failed: ");
5053 printf(
"alproto not set: ");
5070 static int SigParseTestAppLayerTLS02(
void)
5081 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS02 \"; tls.version:1.0; sid:410006; rev:1;)");
5083 printf(
"parsing sig failed: ");
5088 printf(
"alproto not set: ");
5104 static int SigParseTestAppLayerTLS03(
void)
5115 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; sid:410006; rev:1;)");
5128 static int SigParseTestUnbalancedQuotes01(
void)
5138 "alert http any any -> any any (msg:\"SigParseTestUnbalancedQuotes01\"; "
5139 "pcre:\"/\\/[a-z]+\\.php\\?[a-z]+?=\\d{7}&[a-z]+?=\\d{7,8}$/U\" "
5140 "flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:5;)");
5146 static int SigParseTestContentGtDsize01(
void)
5153 "alert http any any -> any any ("
5154 "dsize:21; content:\"0123456789001234567890|00 00|\"; "
5161 static int SigParseTestContentGtDsize02(
void)
5168 "alert http any any -> any any ("
5169 "dsize:21; content:\"0123456789|00 00|\"; offset:10; "
5186 static int SigParseBidirWithSameSrcAndDest01(
void)
5203 "alert tcp [1.2.3.4, 5.6.7.8] [80, 81] <> [5.6.7.8, 1.2.3.4] [81, 80] (sid:3;)");
5212 static int SigParseBidirWithSameSrcAndDest02(
void)
5220 de_ctx,
"alert tcp 1.2.3.4 any <> [1.2.3.4, 5.6.7.8, ::1] any (sid:1;)");
5227 de_ctx,
"alert tcp [1.2.3.4, ::1] [80, 81, 82] <> [1.2.3.4, ::1] [80, 81] (sid:2;)");
5234 "alert tcp [1.2.3.4, ::1, ABCD:AAAA::1] [80] <> [1.2.3.4, ::1] [80, 81] (sid:3;)");
5241 de_ctx,
"alert tcp [!1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:4;)");
5248 de_ctx,
"alert tcp [1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:5;)");
5257 static int SigParseTestActionReject(
void)
5263 de_ctx,
"reject tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
5264 #ifdef HAVE_LIBNET11
5275 static int SigParseTestActionDrop(
void)
5281 de_ctx,
"drop tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
5289 static int SigSetMultiAppProto(
void)
5364 static int DetectSetupDirection01(
void)
5369 char *
str = (
char *)
"to_client";
5370 FAIL_IF(DetectSetupDirection(s, &
str,
true) < 0);
5375 static int DetectSetupDirection02(
void)
5379 char *
str = (
char *)
"to_server";
5380 FAIL_IF(DetectSetupDirection(s, &
str,
true) < 0);
5382 str = (
char *)
"to_client";
5383 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5389 static int DetectSetupDirection03(
void)
5393 char *
str = (
char *)
"to_client , something";
5394 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5396 str = (
char *)
"to_client,something";
5397 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5403 static int DetectSetupDirection04(
void)
5408 char *
str = (
char *)
"to_client_toto";
5409 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5411 str = (
char *)
"to_client_toto";
5412 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5414 str = (
char *)
"to_client,something";
5416 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5453 UtRegisterTest(
"SigParseTest21 -- address with space", SigParseTest21);
5454 UtRegisterTest(
"SigParseTest22 -- address with space", SigParseTest22);
5455 UtRegisterTest(
"SigParseTest23 -- carriage return", SigParseTest23);
5470 UtRegisterTest(
"SigParseTestNegation01", SigParseTestNegation01);
5471 UtRegisterTest(
"SigParseTestNegation02", SigParseTestNegation02);
5472 UtRegisterTest(
"SigParseTestNegation03", SigParseTestNegation03);
5473 UtRegisterTest(
"SigParseTestNegation04", SigParseTestNegation04);
5474 UtRegisterTest(
"SigParseTestNegation05", SigParseTestNegation05);
5475 UtRegisterTest(
"SigParseTestNegation06", SigParseTestNegation06);
5476 UtRegisterTest(
"SigParseTestNegation07", SigParseTestNegation07);
5477 UtRegisterTest(
"SigParseTestNegation08", SigParseTestNegation08);
5480 UtRegisterTest(
"SigParseTestAppLayerTLS01", SigParseTestAppLayerTLS01);
5481 UtRegisterTest(
"SigParseTestAppLayerTLS02", SigParseTestAppLayerTLS02);
5482 UtRegisterTest(
"SigParseTestAppLayerTLS03", SigParseTestAppLayerTLS03);
5483 UtRegisterTest(
"SigParseTestUnbalancedQuotes01", SigParseTestUnbalancedQuotes01);
5486 SigParseTestContentGtDsize01);
5488 SigParseTestContentGtDsize02);
5491 SigParseBidirWithSameSrcAndDest01);
5493 SigParseBidirWithSameSrcAndDest02);
5494 UtRegisterTest(
"SigParseTestActionReject", SigParseTestActionReject);
5495 UtRegisterTest(
"SigParseTestActionDrop", SigParseTestActionDrop);
5499 UtRegisterTest(
"DetectSetupDirection01", DetectSetupDirection01);
5500 UtRegisterTest(
"DetectSetupDirection02", DetectSetupDirection02);
5501 UtRegisterTest(
"DetectSetupDirection03", DetectSetupDirection03);
5502 UtRegisterTest(
"DetectSetupDirection04", DetectSetupDirection04);