85 int to_client_progress;
86 int to_server_progress;
87 } DetectFileHandlerProtocol_t;
88 static DetectFileHandlerProtocol_t al_protocols[] = {
95 .to_client_progress = HTP_RESPONSE_BODY,
96 .to_server_progress = HTP_REQUEST_BODY },
99 .to_client_progress = HTTP2StateDataServer,
100 .to_server_progress = HTTP2StateDataClient },
104 for (
size_t i = 0; i <
ARRAY_SIZE(al_protocols); i++) {
105 int direction = al_protocols[i].direction == 0
107 : al_protocols[i].direction;
111 reg->
GetData, al_protocols[i].al_proto, al_protocols[i].to_client_progress);
118 reg->
GetData, al_protocols[i].al_proto, al_protocols[i].to_server_progress);
131 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
148 #define CONFIG_PARTS 8
150 #define CONFIG_ACTION 0
151 #define CONFIG_PROTO 1
154 #define CONFIG_DIREC 4
157 #define CONFIG_OPTS 7
173 #define CASE_CODE_STRING(E, S) case E: return S; break
184 #undef CASE_CODE_STRING
188 #define CASE_CODE(E) case E: return #E
206 Signature *s,
const char *arg,
int sm_type,
int sm_list,
212 if (arg != NULL && strcmp(arg,
"") != 0) {
221 "with a sticky buffer still set. Reset sticky buffer "
222 "with pkt_data before using the modifier.",
236 "found inside the rule without a content context. "
237 "Please use a \"content\" keyword before using the "
245 "be used with the rawbytes rule keyword",
251 "be used with the replace rule keyword",
290 bool reuse_buffer =
false;
303 SCLogError(
"failed to expand rule buffer array");
312 SCLogDebug(
"idx %u list %d set up curbuf %p s->init_data->buffer_index %u",
353 if (sm->
ctx != NULL) {
364 ptrdiff_t
offset = e - table;
378 if (st->
name != NULL) {
379 if (strcasecmp(name,st->
name) == 0)
381 if (st->
alias != NULL && strcasecmp(name,st->
alias) == 0)
411 if (strcmp(
str,
"all") == 0) {
423 char *xsaveptr = NULL;
424 char *key = strtok_r(copy,
",", &xsaveptr);
425 while (key != NULL) {
431 "argument '%s' not found",
434 key = strtok_r(NULL,
",", &xsaveptr);
461 SCLogDebug(
"s:%p new:%p list:%d: %s, s->init_data->list_set %s s->init_data->list %d", s,
new,
495 SCLogDebug(
"reusing buffer %u as it isn't multi-capable", x);
505 SCLogError(
"failed to expand rule buffer array");
529 SCLogDebug(
"appended %s to list %d, rule pos %u (s->init_data->list %d)",
548 if (sm->
prev != NULL)
550 if (sm->
next != NULL)
594 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
606 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
628 SCLogDebug(
"skip x %u s->init_data->list %d (int)s->init_data->buffers[x].id %d", x,
637 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
641 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
658 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
663 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
688 va_start(ap, sm_list);
690 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
692 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
695 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
726 va_start(ap, list_id);
728 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
732 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
744 va_start(ap, list_id);
746 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
747 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
750 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
773 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
781 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
788 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
794 if (sm->
prev != NULL)
796 if (sm->
next != NULL)
799 if (sm == *src_sm_list)
800 *src_sm_list = sm->
next;
801 if (sm == *src_sm_list_tail)
802 *src_sm_list_tail = sm->
prev;
804 if (*dst_sm_list == NULL) {
806 *dst_sm_list_tail = sm;
814 *dst_sm_list_tail = sm;
843 SCLogError(
"Unable to find the sm in any of the "
849 size_t output_size,
bool requires)
852 char *optname = NULL;
853 char *optvalue = NULL;
856 while (isblank(*optstr)) {
861 char *optend = optstr;
863 optend = strchr(optend,
';');
864 if (optend == NULL) {
868 else if (optend > optstr && *(optend -1 ) ==
'\\') {
877 char *optvalptr = strchr(optstr,
':');
879 *(optvalptr++) =
'\0';
882 for (
size_t i = strlen(optvalptr); i > 0; i--) {
883 if (isblank(optvalptr[i - 1])) {
884 optvalptr[i - 1] =
'\0';
890 optvalue = optvalptr;
894 for (
size_t i = strlen(optstr); i > 0; i--) {
895 if (isblank(optstr[i - 1])) {
896 optstr[i - 1] =
'\0';
905 bool requires_only = strcasecmp(optname,
"requires") == 0 || strcasecmp(optname,
"sid") == 0;
906 if ((requires && !requires_only) || (!requires && requires_only)) {
911 st = SigTableGet(optname);
912 if (st == NULL || st->
Setup == NULL) {
913 SCLogError(
"unknown rule keyword '%s'.", optname);
918 if (optvalue == NULL || strlen(optvalue) == 0) {
920 "invalid formatting or malformed option to %s keyword: '%s'", optname, optstr);
924 if (optvalue && strlen(optvalue)) {
925 SCLogError(
"unexpected option to %s keyword: '%s'", optname, optstr);
932 #define URL "https://suricata.io/our-story/deprecation-policy/"
935 "and will be removed soon. See %s",
939 "and will be removed soon. Use '%s' instead. "
948 if (optvalue != NULL && strlen(optvalue) > 0) {
949 size_t ovlen = strlen(optvalue);
950 char *ptr = optvalue;
960 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
979 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
985 SCLogError(
"invalid formatting to %s keyword: "
986 "value must be double quoted \'%s\'",
992 && ovlen && *ptr ==
'"')
994 for (; ovlen > 0; ovlen--) {
995 if (isblank(ptr[ovlen - 1])) {
996 ptr[ovlen - 1] =
'\0';
1001 if (ovlen && ptr[ovlen - 1] !=
'"') {
1002 SCLogError(
"bad option value formatting (possible missing semicolon) "
1003 "for keyword %s: \'%s\'",
1011 ptr[ovlen - 1] =
'\0';
1016 "for keyword %s: \'%s\'",
1023 "quotes on %s keyword that doesn't support them: \'%s\'", optname, optstr);
1033 if (setup_ret < 0) {
1037 if (setup_ret == -2) {
1050 if (strlen(optend) > 0) {
1051 strlcpy(output, optend, output_size);
1066 Signature *s,
const char *addrstr,
char flag)
1068 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
1072 if (strcasecmp(addrstr,
"any") == 0)
1080 if (strcasecmp(addrstr,
"any") == 0)
1107 static int SigParseProto(
Signature *s,
const char *protostr)
1122 "in a signature. Either detection for this protocol "
1123 "is not yet supported OR detection has been disabled for "
1124 "protocol through the yaml option "
1125 "app-layer.protocols.%s.detection-enabled",
1126 protostr, protostr);
1155 Signature *s,
const char *portstr,
char flag)
1161 SCLogDebug(
"Port group \"%s\" to be parsed", portstr);
1164 if (strcasecmp(portstr,
"any") == 0)
1168 }
else if (flag == 1) {
1169 if (strcasecmp(portstr,
"any") == 0)
1184 static int SigParseActionRejectValidate(
const char *action)
1186 #ifdef HAVE_LIBNET11
1187 #if defined HAVE_LIBCAP_NG && !defined HAVE_LIBNET_CAPABILITIES
1190 "incompatible with POSIX based capabilities with privs dropping. "
1191 "For rejects to work, run as root/super user.");
1197 "required for action \"%s\" but is not compiled into Suricata",
1215 static int SigParseAction(
Signature *s,
const char *action)
1217 if (strcasecmp(action,
"alert") == 0) {
1219 }
else if (strcasecmp(action,
"drop") == 0) {
1221 }
else if (strcasecmp(action,
"pass") == 0) {
1223 }
else if (strcasecmp(action,
"reject") == 0 ||
1224 strcasecmp(action,
"rejectsrc") == 0)
1226 if (!(SigParseActionRejectValidate(action)))
1229 }
else if (strcasecmp(action,
"rejectdst") == 0) {
1230 if (!(SigParseActionRejectValidate(action)))
1233 }
else if (strcasecmp(action,
"rejectboth") == 0) {
1234 if (!(SigParseActionRejectValidate(action)))
1237 }
else if (strcasecmp(action,
"config") == 0) {
1241 SCLogError(
"An invalid action \"%s\" was given", action);
1258 static inline int SigParseToken(
char **input,
char *output,
1259 const size_t output_size)
1261 size_t len = *input == NULL ? 0 : strlen(*input);
1267 while (
len && isblank(**input)) {
1272 char *endptr = strpbrk(*input,
" \t\n\r");
1273 if (endptr != NULL) {
1276 strlcpy(output, *input, output_size);
1293 static inline int SigParseList(
char **input,
char *output,
1294 const size_t output_size)
1297 size_t len = *input != NULL ? strlen(*input) : 0;
1303 while (
len && isblank(**input)) {
1309 for (i = 0; i <
len; i++) {
1310 char c = (*input)[i];
1313 }
else if (c ==
']') {
1315 }
else if (c ==
' ') {
1326 strlcpy(output, *input, output_size);
1327 *input = *input + i + 1;
1347 SigParseToken(&index, parser->
action,
sizeof(parser->
action));
1353 SigParseList(&index, parser->
src,
sizeof(parser->
src));
1356 SigParseList(&index, parser->
sp,
sizeof(parser->
sp));
1362 SigParseList(&index, parser->
dst,
sizeof(parser->
dst));
1365 SigParseList(&index, parser->
dp,
sizeof(parser->
dp));
1368 if (index == NULL) {
1372 while (isspace(*index) || *index ==
'(') {
1375 for (
size_t i = strlen(index); i > 0; i--) {
1376 if (isspace(index[i - 1]) || index[i - 1] ==
')') {
1377 index[i - 1] =
'\0';
1389 if (SigParseAction(s, parser->
action) < 0)
1392 if (SigParseProto(s, parser->
protocol) < 0)
1395 if (strcmp(parser->
direction,
"<>") == 0) {
1397 }
else if (strcmp(parser->
direction,
"->") != 0) {
1398 SCLogError(
"\"%s\" is not a valid direction modifier, "
1399 "\"->\" and \"<>\" are supported.",
1426 static inline bool CheckAscii(
const char *
str)
1428 for (
size_t i = 0; i < strlen(
str); i++) {
1429 if (
str[i] < 0x20) {
1431 if (
str[i] == 0x0a ||
str[i] == 0x0d ||
str[i] == 0x09) {
1435 }
else if (
str[i] == 0x7f) {
1459 if (!rs_check_utf8(sigstr)) {
1464 if (!CheckAscii(sigstr)) {
1465 SCLogError(
"rule contains invalid (control) characters");
1469 int ret = SigParseBasics(
de_ctx, s, sigstr, parser, addrs_direction, requires);
1476 if (strlen(parser->
opts) > 0) {
1477 size_t buffer_size = strlen(parser->
opts) + 1;
1478 char input[buffer_size];
1479 char output[buffer_size];
1480 memset(input, 0x00, buffer_size);
1481 memcpy(input, parser->
opts, strlen(parser->
opts) + 1);
1487 memset(output, 0x00, buffer_size);
1488 ret = SigParseOptions(
de_ctx, s, input, output, buffer_size, requires);
1490 memcpy(input, output, buffer_size);
1522 memset(b, 0,
sizeof(*b));
1565 static void SigMetadataFree(
Signature *s)
1572 if (s == NULL || s->
metadata == NULL) {
1579 next_mdata = mdata->
next;
1610 next_ref = ref->
next;
1664 while (sm != NULL) {
1673 while (sm != NULL) {
1694 if (s->
sp != NULL) {
1697 if (s->
dp != NULL) {
1735 SCLogError(
"transforms must directly follow stickybuffers");
1770 if (AppProtoEquals(alproto, s->
alproto)) {
1775 SCLogError(
"can't set rule app proto to %s: already set to %s",
1802 if (addr_match4 == NULL) {
1808 addr_match4[idx].
ip =
SCNtohl(da->ip.addr_data32[0]);
1809 addr_match4[idx].
ip2 =
SCNtohl(da->ip2.addr_data32[0]);
1828 if (addr_match6 == NULL) {
1834 addr_match6[idx].
ip[0] =
SCNtohl(da->ip.addr_data32[0]);
1835 addr_match6[idx].
ip[1] =
SCNtohl(da->ip.addr_data32[1]);
1836 addr_match6[idx].
ip[2] =
SCNtohl(da->ip.addr_data32[2]);
1837 addr_match6[idx].
ip[3] =
SCNtohl(da->ip.addr_data32[3]);
1838 addr_match6[idx].
ip2[0] =
SCNtohl(da->ip2.addr_data32[0]);
1839 addr_match6[idx].
ip2[1] =
SCNtohl(da->ip2.addr_data32[1]);
1840 addr_match6[idx].
ip2[2] =
SCNtohl(da->ip2.addr_data32[2]);
1841 addr_match6[idx].
ip2[3] =
SCNtohl(da->ip2.addr_data32[3]);
1854 static void SigBuildAddressMatchArray(
Signature *s)
1871 static int SigMatchListLen(
SigMatch *sm)
1874 for (; sm != NULL; sm = sm->
next)
1885 int len = SigMatchListLen(
head);
1891 FatalError(
"initializing the detection engine failed");
1897 for (; sm != NULL; sm = sm->
next, smd++) {
1919 uint32_t sig_flags = 0;
1924 nlists += (nlists > 0);
1928 SCLogError(
"rule %u setup buffer %s but didn't add matches to it", s->
id,
1933 bool has_frame =
false;
1934 bool has_app =
false;
1935 bool has_pkt =
false;
1936 bool has_pmatch =
false;
1946 struct BufferVsDir {
1949 } bufdir[nlists + 1];
1950 memset(&bufdir, 0, (nlists + 1) *
sizeof(
struct BufferVsDir));
1964 if (b->
head == NULL) {
1969 has_frame |= bt->
frame;
1970 has_app |= (bt->
frame ==
false && bt->
packet ==
false);
1975 "specific matches (like dsize, flags, ttl) with stream / "
1976 "state matching by matching on app layer proto (like using "
1977 "http_* keywords).");
1982 for (; app != NULL; app = app->
next) {
1989 bufdir[b->
id].ts += (app->
dir == 0);
1990 bufdir[b->
id].tc += (app->
dir == 1);
2006 for (
int x = 0; x < nlists; x++) {
2007 if (bufdir[x].
ts == 0 && bufdir[x].tc == 0)
2009 ts_excl += (bufdir[x].ts > 0 && bufdir[x].tc == 0);
2010 tc_excl += (bufdir[x].ts == 0 && bufdir[x].tc > 0);
2011 dir_amb += (bufdir[x].ts > 0 && bufdir[x].tc > 0);
2016 if (ts_excl && tc_excl) {
2017 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2019 }
else if (ts_excl) {
2020 SCLogDebug(
"%u: implied rule direction is toserver", s->
id);
2022 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2025 }
else if (tc_excl) {
2026 SCLogDebug(
"%u: implied rule direction is toclient", s->
id);
2028 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2031 }
else if (dir_amb) {
2032 SCLogDebug(
"%u: rule direction cannot be deduced from keywords", s->
id);
2038 "tcp-stream or flow:only_stream. Invalidating signature.");
2043 SCLogError(
"You seem to have mixed keywords "
2044 "that require inspection in both directions. Atm we only "
2045 "support keywords in one direction within a rule.");
2049 if (has_pmatch && has_frame) {
2050 SCLogError(
"can't mix pure content and frame inspection");
2053 if (has_app && has_frame) {
2054 SCLogError(
"can't mix app-layer buffer and frame inspection");
2057 if (has_pkt && has_frame) {
2058 SCLogError(
"can't mix pkt buffer and frame inspection");
2066 if (s->
proto.
proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
2105 "support file matching",
2110 SCLogError(
"protocol HTTP2 doesn't support file name matching");
2130 memset(&parser, 0x00,
sizeof(parser));
2148 int ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
true);
2155 }
else if (ret < 0) {
2161 SCLogError(
"Signature missing required value \"sid\".");
2166 ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
false);
2172 }
else if (ret == -2) {
2175 }
else if (ret < 0) {
2180 if (sig->
prio == -1)
2187 int override_needed = 0;
2191 override_needed = 1;
2193 override_needed = 1;
2195 for (s = 0; s <
sizeof(sig->
proto.
proto); s++) {
2197 override_needed = 0;
2206 if (override_needed)
2216 for ( ; sm != NULL; sm = sm->
next) {
2232 SCLogDebug(
"sig %"PRIu32
" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
2236 SigBuildAddressMatchArray(sig);
2248 if (SigValidate(
de_ctx, sig) == 0) {
2278 static bool SigHasSameSourceAndDestination(
const Signature *s)
2330 if (SigHasSameSourceAndDestination(sig)) {
2331 SCLogInfo(
"Rule with ID %u is bidirectional, but source and destination are the same, "
2332 "treating the rule as unidirectional", sig->
id);
2337 if (sig->
next == NULL) {
2362 static void DetectParseDupSigFreeFunc(
void *data)
2380 static uint32_t DetectParseDupSigHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
2399 static char DetectParseDupSigCompareFunc(
void *data1, uint16_t len1,
void *data2,
2405 if (sw1 == NULL || sw2 == NULL ||
2406 sw1->
s == NULL || sw2->
s == NULL)
2410 if (sw1->
s->
id == sw2->
s->
id && sw1->
s->
gid == sw2->
s->
gid)
return 1;
2426 DetectParseDupSigHashFunc,
2427 DetectParseDupSigCompareFunc,
2428 DetectParseDupSigFreeFunc);
2491 if (sw_dup == NULL) {
2504 (
void *)&sw_tmp, 0);
2516 if (sw->
s->
rev <= sw_dup->
s->
rev) {
2525 if (sw_dup->
s_prev == NULL) {
2533 sw_temp.
s = sw_dup->
s->
next;
2537 if (sw_temp.
s != NULL) {
2539 (
void *)&sw_temp, 0);
2559 sw_temp.
s = sw_dup->
s->
next;
2567 if (sw_temp.
s != NULL) {
2569 (
void *)&sw_temp, 0);
2584 (
void *)&sw_tmp, 0);
2585 if (sw_old->
s != sw_dup->
s) {
2628 int dup_sig = DetectEngineSignatureIsDuplicate(
de_ctx, sig);
2632 SCLogError(
"Duplicate signature \"%s\"", sigstr);
2634 }
else if (dup_sig == 2) {
2636 " so the older sig replaced by this new signature \"%s\"",
2641 if (sig->
next != NULL) {
2658 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
2662 if (sig != NULL && sig->
next != NULL) {
2675 int start_offset,
int options)
2677 *match = pcre2_match_data_create_from_pattern(parse_regex->
regex, NULL);
2679 return pcre2_match(parse_regex->
regex, (PCRE2_SPTR8)
str, strlen(
str), options, start_offset,
2680 *match, parse_regex->
context);
2687 pcre2_code_free(r->
regex);
2690 pcre2_match_context_free(r->
context);
2705 g_detect_parse_regex_list = NULL;
2714 FatalError(
"failed to alloc memory for pcre free list");
2717 r->
next = g_detect_parse_regex_list;
2718 g_detect_parse_regex_list = r;
2726 detect_parse->
regex =
2727 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
2728 if (detect_parse->
regex == NULL) {
2729 PCRE2_UCHAR errbuffer[256];
2730 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
2731 SCLogError(
"pcre compile of \"%s\" failed at "
2733 parse_str, en, errbuffer);
2736 detect_parse->
context = pcre2_match_context_create(NULL);
2737 if (detect_parse->
context == NULL) {
2738 SCLogError(
"pcre2 could not create match context");
2739 pcre2_code_free(detect_parse->
regex);
2740 detect_parse->
regex = NULL;
2755 if (detect_parse == NULL) {
2759 detect_parse->
regex =
2760 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
2761 if (detect_parse->
regex == NULL) {
2762 PCRE2_UCHAR errbuffer[256];
2763 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
2764 SCLogError(
"pcre2 compile of \"%s\" failed at "
2766 parse_str, (
int)eo, errbuffer);
2771 detect_parse->
next = g_detect_parse_regex_list;
2772 g_detect_parse_regex_list = detect_parse;
2773 return detect_parse;
2777 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
2779 int r = pcre2_substring_copy_bynumber(match_data, number, buffer, bufflen);
2780 if (r == PCRE2_ERROR_UNSET) {
2789 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
2791 int r = pcre2_substring_get_bynumber(match_data, number, bufferptr, bufflen);
2792 if (r == PCRE2_ERROR_UNSET) {
2816 static int SigParseTest01 (
void)
2825 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
2835 static int SigParseTest02 (
void)
2849 sig =
SigInit(
de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
2877 static int SigParseTest03 (
void)
2886 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any <- !1.2.3.4 any (msg:\"SigParseTest03\"; sid:1;)");
2889 printf(
"expected NULL got sig ptr %p: ",sig);
2898 static int SigParseTest04 (
void)
2907 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024: -> !1.2.3.4 1024: (msg:\"SigParseTest04\"; sid:1;)");
2918 static int SigParseTest05 (
void)
2927 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024:65536 -> !1.2.3.4 any (msg:\"SigParseTest05\"; sid:1;)");
2931 printf(
"signature didn't fail to parse as we expected: ");
2941 static int SigParseTest06 (
void)
2950 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; nocase; http_method; uricontent:\"/uri/\"; nocase; content:\"Host|3A| abc\"; nocase; sid:1; rev:1;)");
2954 printf(
"signature failed to parse: ");
2968 static int SigParseTest07(
void)
2990 static int SigParseTest08(
void)
3013 static int SigParseTest09(
void)
3064 static int SigParseTest10(
void)
3096 static int SigParseTest11(
void)
3107 "drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\"; sid:1;) ");
3109 printf(
"sig 1 didn't parse: ");
3114 "the http link\"; sid:2;) ");
3116 printf(
"sig 2 didn't parse: ");
3130 static int SigParseTest12(
void)
3142 printf(
"sig 1 should have given an error: ");
3156 static int SigParseTest13(
void)
3168 printf(
"sig 1 invalidated: failure");
3173 printf(
"sig doesn't have stream flag set\n");
3178 printf(
"sig has packet flag set\n");
3193 static int SigParseTest14(
void)
3205 printf(
"sig 1 invalidated: failure");
3210 printf(
"sig doesn't have packet flag set\n");
3215 printf(
"sig has stream flag set\n");
3230 static int SigParseTest15(
void)
3242 printf(
"sig 1 invalidated: failure");
3247 printf(
"sig doesn't have packet flag set\n");
3252 printf(
"sig doesn't have stream flag set\n");
3267 static int SigParseTest16(
void)
3279 printf(
"sig 1 invalidated: failure");
3284 printf(
"sig doesn't have packet flag set\n");
3289 printf(
"sig doesn't have stream flag set\n");
3304 static int SigParseTest17(
void)
3316 printf(
"sig 1 invalidated: failure");
3321 printf(
"sig doesn't have packet flag set\n");
3326 printf(
"sig doesn't have stream flag set\n");
3339 static int SigParseTest18 (
void)
3347 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:99999999999999999999;)") != NULL)
3358 static int SigParseTest19 (
void)
3366 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; gid:99999999999999999999;)") != NULL)
3377 static int SigParseTest20 (
void)
3385 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; rev:99999999999999999999;)") != NULL)
3396 static int SigParseTest21 (
void)
3415 static int SigParseTest22 (
void)
3423 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp [10.10.10.0/24, !10.10.10.247] any -> [10.10.10.0/24, !10.10.10.247] any (sid:1;)") == NULL)
3436 static int SigParseTest23(
void)
3451 static int SigParseBidirecTest06 (
void)
3471 static int SigParseBidirecTest07 (
void)
3491 static int SigParseBidirecTest08 (
void)
3511 static int SigParseBidirecTest09 (
void)
3531 static int SigParseBidirecTest10 (
void)
3551 static int SigParseBidirecTest11 (
void)
3571 static int SigParseBidirecTest12 (
void)
3591 static int SigParseBidirecTest13 (
void)
3610 static int SigParseBidirecTest14 (
void)
3631 static int SigTestBidirec01 (
void)
3643 if (sig->
next != NULL)
3662 static int SigTestBidirec02 (
void)
3681 if (sig->
next == NULL)
3686 if (copy->
next != NULL)
3707 static int SigTestBidirec03 (
void)
3719 const char *sigs[3];
3720 sigs[0] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 1\"; sid:1;)";
3721 sigs[1] =
"alert tcp any any <> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)";
3722 sigs[2] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 3\"; sid:3;)";
3729 if (sig->
next == NULL)
/* Raw test frame, 438 bytes: Ethernet II (EtherType 0x0800) carrying an
 * IPv4/TCP segment from 192.168.28.131:47370 to 192.168.1.1:80 with
 * PSH|ACK set. The IPv4 total length field is 0x01a8 (424), which plus the
 * 14-byte Ethernet header equals the array size. The payload is an
 * HTTP/1.1 "GET /" request with "Host: 192.168.1.1".
 * NOTE(review): the destination is the 192.168.1.1 address used by the
 * rules in sigs[] above; how the frame is decoded and which sids are
 * expected to alert is in lines not shown in this listing. */
3740 uint8_t rawpkt1_ether[] = {
3741 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
3742 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
3743 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
3744 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
3745 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
3746 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
3747 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
3748 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
3749 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
3750 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
3751 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
3752 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
3753 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
3754 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
3755 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
3756 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
3757 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
3758 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
3759 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
3760 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
3761 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
3762 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
3763 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
3764 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
3765 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
3766 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
3767 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
3768 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
3769 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
3770 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
3771 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
3772 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
3773 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
3774 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
3775 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3776 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3777 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
3778 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
3779 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
3780 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
3781 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
3782 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
3783 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
3784 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3785 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
3786 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
3787 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
3788 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
3789 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3790 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
3791 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
3792 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
3793 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
3794 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
3795 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
3805 uint32_t sids[3] = {1, 2, 3};
3806 uint32_t
results[3] = {1, 1, 1};
3822 static int SigTestBidirec04 (
void)
3837 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp 192.168.1.1 any <> any any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)");
3842 if (sig->
next == NULL)
3854 if (sig->
next == NULL)
/* Raw test frame, 438 bytes: Ethernet II (EtherType 0x0800) carrying an
 * IPv4/TCP segment from 192.168.28.131:47370 to 192.168.1.1:80 with
 * PSH|ACK set. The IPv4 total length field is 0x01a8 (424), which plus the
 * 14-byte Ethernet header equals the array size. The payload is an
 * HTTP/1.1 "GET /" request with "Host: 192.168.1.1".
 * NOTE(review): 192.168.1.1 is the source address of the bidirectional
 * rule appended earlier in this test, while here it is the packet's
 * destination; how the frame is decoded and which sids are expected to
 * alert is in lines not shown in this listing. */
3865 uint8_t rawpkt1_ether[] = {
3866 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
3867 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
3868 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
3869 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
3870 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
3871 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
3872 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
3873 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
3874 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
3875 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
3876 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
3877 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
3878 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
3879 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
3880 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
3881 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
3882 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
3883 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
3884 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
3885 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
3886 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
3887 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
3888 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
3889 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
3890 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
3891 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
3892 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
3893 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
3894 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
3895 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
3896 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
3897 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
3898 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
3899 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
3900 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3901 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3902 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
3903 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
3904 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
3905 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
3906 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
3907 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
3908 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
3909 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3910 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
3911 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
3912 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
3913 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
3914 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3915 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
3916 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
3917 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
3918 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
3919 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
3920 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
3929 memset(&th_v, 0,
sizeof(th_v));
3969 static int SigParseTestNegation01 (
void)
3983 static int SigParseTestNegation02 (
void)
3994 s =
SigInit(
de_ctx,
"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
4009 static int SigParseTestNegation03 (
void)
4020 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4035 static int SigParseTestNegation04 (
void)
4046 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4061 static int SigParseTestNegation05 (
void)
4072 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
4087 static int SigParseTestNegation06 (
void)
4098 s =
SigInit(
de_ctx,
"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
4114 static int SigParseTestNegation07 (
void)
4120 de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (sid:410006;)");
4129 static int SigParseTestNegation08 (
void)
4140 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.0/16,!192.168.0.0/24] any (sid:410006; rev:1;)");
4155 static int SigParseTestMpm01 (
void)
4164 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; sid:1;)");
4166 printf(
"sig failed to init: ");
4171 printf(
"sig doesn't have content list: ");
4186 static int SigParseTestMpm02 (
void)
4195 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; content:\"abcdef\"; sid:1;)");
4197 printf(
"sig failed to init: ");
4202 printf(
"sig doesn't have content list: ");
4217 static int SigParseTestAppLayerTLS01(
void)
4228 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS01 \"; sid:410006; rev:1;)");
4230 printf(
"parsing sig failed: ");
4235 printf(
"alproto not set: ");
4252 static int SigParseTestAppLayerTLS02(
void)
4263 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS02 \"; tls.version:1.0; sid:410006; rev:1;)");
4265 printf(
"parsing sig failed: ");
4270 printf(
"alproto not set: ");
4286 static int SigParseTestAppLayerTLS03(
void)
4297 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; sid:410006; rev:1;)");
4310 static int SigParseTestUnbalancedQuotes01(
void)
4320 "alert http any any -> any any (msg:\"SigParseTestUnbalancedQuotes01\"; "
4321 "pcre:\"/\\/[a-z]+\\.php\\?[a-z]+?=\\d{7}&[a-z]+?=\\d{7,8}$/U\" "
4322 "flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:5;)");
4328 static int SigParseTestContentGtDsize01(
void)
4335 "alert http any any -> any any ("
4336 "dsize:21; content:\"0123456789001234567890|00 00|\"; "
4343 static int SigParseTestContentGtDsize02(
void)
4350 "alert http any any -> any any ("
4351 "dsize:21; content:\"0123456789|00 00|\"; offset:10; "
4368 static int SigParseBidirWithSameSrcAndDest01(
void)
4385 "alert tcp [1.2.3.4, 5.6.7.8] [80, 81] <> [5.6.7.8, 1.2.3.4] [81, 80] (sid:3;)");
4394 static int SigParseBidirWithSameSrcAndDest02(
void)
4402 de_ctx,
"alert tcp 1.2.3.4 any <> [1.2.3.4, 5.6.7.8, ::1] any (sid:1;)");
4409 de_ctx,
"alert tcp [1.2.3.4, ::1] [80, 81, 82] <> [1.2.3.4, ::1] [80, 81] (sid:2;)");
4416 "alert tcp [1.2.3.4, ::1, ABCD:AAAA::1] [80] <> [1.2.3.4, ::1] [80, 81] (sid:3;)");
4423 de_ctx,
"alert tcp [!1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:4;)");
4430 de_ctx,
"alert tcp [1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:5;)");
4439 static int SigParseTestActionReject(
void)
4445 de_ctx,
"reject tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
4446 #ifdef HAVE_LIBNET11
4457 static int SigParseTestActionDrop(
void)
4463 de_ctx,
"drop tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
4503 UtRegisterTest(
"SigParseTest21 -- address with space", SigParseTest21);
4504 UtRegisterTest(
"SigParseTest22 -- address with space", SigParseTest22);
4505 UtRegisterTest(
"SigParseTest23 -- carriage return", SigParseTest23);
4520 UtRegisterTest(
"SigParseTestNegation01", SigParseTestNegation01);
4521 UtRegisterTest(
"SigParseTestNegation02", SigParseTestNegation02);
4522 UtRegisterTest(
"SigParseTestNegation03", SigParseTestNegation03);
4523 UtRegisterTest(
"SigParseTestNegation04", SigParseTestNegation04);
4524 UtRegisterTest(
"SigParseTestNegation05", SigParseTestNegation05);
4525 UtRegisterTest(
"SigParseTestNegation06", SigParseTestNegation06);
4526 UtRegisterTest(
"SigParseTestNegation07", SigParseTestNegation07);
4527 UtRegisterTest(
"SigParseTestNegation08", SigParseTestNegation08);
4530 UtRegisterTest(
"SigParseTestAppLayerTLS01", SigParseTestAppLayerTLS01);
4531 UtRegisterTest(
"SigParseTestAppLayerTLS02", SigParseTestAppLayerTLS02);
4532 UtRegisterTest(
"SigParseTestAppLayerTLS03", SigParseTestAppLayerTLS03);
4533 UtRegisterTest(
"SigParseTestUnbalancedQuotes01", SigParseTestUnbalancedQuotes01);
4536 SigParseTestContentGtDsize01);
4538 SigParseTestContentGtDsize02);
4541 SigParseBidirWithSameSrcAndDest01);
4543 SigParseBidirWithSameSrcAndDest02);
4544 UtRegisterTest(
"SigParseTestActionReject", SigParseTestActionReject);
4545 UtRegisterTest(
"SigParseTestActionDrop", SigParseTestActionDrop);