85 int to_client_progress;
86 int to_server_progress;
87 } DetectFileHandlerProtocol_t;
88 static DetectFileHandlerProtocol_t al_protocols[] = {
95 .to_client_progress = HTP_RESPONSE_BODY,
96 .to_server_progress = HTP_REQUEST_BODY },
99 .to_client_progress = HTTP2StateDataServer,
100 .to_server_progress = HTTP2StateDataClient },
104 for (
size_t i = 0; i <
ARRAY_SIZE(al_protocols); i++) {
105 int direction = al_protocols[i].direction == 0
107 : al_protocols[i].direction;
111 reg->
GetData, al_protocols[i].al_proto, al_protocols[i].to_client_progress);
118 reg->
GetData, al_protocols[i].al_proto, al_protocols[i].to_server_progress);
131 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
148 #define CONFIG_PARTS 8
150 #define CONFIG_ACTION 0
151 #define CONFIG_PROTO 1
154 #define CONFIG_DIREC 4
157 #define CONFIG_OPTS 7
173 #define CASE_CODE_STRING(E, S) case E: return S; break
184 #undef CASE_CODE_STRING
188 #define CASE_CODE(E) case E: return #E
206 Signature *s,
const char *arg,
int sm_type,
int sm_list,
212 if (arg != NULL && strcmp(arg,
"") != 0) {
221 "with a sticky buffer still set. Reset sticky buffer "
222 "with pkt_data before using the modifier.",
236 "found inside the rule without a content context. "
237 "Please use a \"content\" keyword before using the "
245 "be used with the rawbytes rule keyword",
251 "be used with the replace rule keyword",
290 bool reuse_buffer =
false;
303 SCLogError(
"failed to expand rule buffer array");
312 SCLogDebug(
"idx %u list %d set up curbuf %p s->init_data->buffer_index %u",
353 if (sm->
ctx != NULL) {
364 ptrdiff_t
offset = e - table;
378 if (st->
name != NULL) {
379 if (strcasecmp(name,st->
name) == 0)
381 if (st->
alias != NULL && strcasecmp(name,st->
alias) == 0)
411 if (strcmp(
str,
"all") == 0) {
423 char *xsaveptr = NULL;
424 char *key = strtok_r(copy,
",", &xsaveptr);
425 while (key != NULL) {
431 "argument '%s' not found",
434 key = strtok_r(NULL,
",", &xsaveptr);
461 SCLogDebug(
"s:%p new:%p list:%d: %s, s->init_data->list_set %s s->init_data->list %d", s,
new,
495 SCLogDebug(
"reusing buffer %u as it isn't multi-capable", x);
505 SCLogError(
"failed to expand rule buffer array");
529 SCLogDebug(
"appended %s to list %d, rule pos %u (s->init_data->list %d)",
548 if (sm->
prev != NULL)
550 if (sm->
next != NULL)
594 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
606 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
628 SCLogDebug(
"skip x %u s->init_data->list %d (int)s->init_data->buffers[x].id %d", x,
637 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
641 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
658 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
663 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
688 va_start(ap, sm_list);
690 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
692 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
695 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
726 va_start(ap, list_id);
728 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
732 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
744 va_start(ap, list_id);
746 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
747 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
750 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
773 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
781 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
788 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
794 if (sm->
prev != NULL)
796 if (sm->
next != NULL)
799 if (sm == *src_sm_list)
800 *src_sm_list = sm->
next;
801 if (sm == *src_sm_list_tail)
802 *src_sm_list_tail = sm->
prev;
804 if (*dst_sm_list == NULL) {
806 *dst_sm_list_tail = sm;
814 *dst_sm_list_tail = sm;
843 SCLogError(
"Unable to find the sm in any of the "
849 size_t output_size,
bool requires)
852 char *optname = NULL;
853 char *optvalue = NULL;
856 while (isblank(*optstr)) {
861 char *optend = optstr;
863 optend = strchr(optend,
';');
864 if (optend == NULL) {
868 else if (optend > optstr && *(optend -1 ) ==
'\\') {
877 char *optvalptr = strchr(optstr,
':');
879 *(optvalptr++) =
'\0';
882 for (
size_t i = strlen(optvalptr); i > 0; i--) {
883 if (isblank(optvalptr[i - 1])) {
884 optvalptr[i - 1] =
'\0';
890 optvalue = optvalptr;
894 for (
size_t i = strlen(optstr); i > 0; i--) {
895 if (isblank(optstr[i - 1])) {
896 optstr[i - 1] =
'\0';
905 bool requires_only = strcasecmp(optname,
"requires") == 0 || strcasecmp(optname,
"sid") == 0;
906 if ((requires && !requires_only) || (!requires && requires_only)) {
911 st = SigTableGet(optname);
912 if (st == NULL || st->
Setup == NULL) {
913 SCLogError(
"unknown rule keyword '%s'.", optname);
918 if (optvalue == NULL || strlen(optvalue) == 0) {
920 "invalid formatting or malformed option to %s keyword: '%s'", optname, optstr);
924 if (optvalue && strlen(optvalue)) {
925 SCLogError(
"unexpected option to %s keyword: '%s'", optname, optstr);
932 #define URL "https://suricata.io/our-story/deprecation-policy/"
935 "and will be removed soon. See %s",
939 "and will be removed soon. Use '%s' instead. "
948 if (optvalue != NULL && strlen(optvalue) > 0) {
949 size_t ovlen = strlen(optvalue);
950 char *ptr = optvalue;
960 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
979 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
985 SCLogError(
"invalid formatting to %s keyword: "
986 "value must be double quoted \'%s\'",
992 && ovlen && *ptr ==
'"')
994 for (; ovlen > 0; ovlen--) {
995 if (isblank(ptr[ovlen - 1])) {
996 ptr[ovlen - 1] =
'\0';
1001 if (ovlen && ptr[ovlen - 1] !=
'"') {
1002 SCLogError(
"bad option value formatting (possible missing semicolon) "
1003 "for keyword %s: \'%s\'",
1011 ptr[ovlen - 1] =
'\0';
1016 "for keyword %s: \'%s\'",
1023 "quotes on %s keyword that doesn't support them: \'%s\'", optname, optstr);
1033 if (setup_ret < 0) {
1037 if (setup_ret == -2) {
1050 if (strlen(optend) > 0) {
1051 strlcpy(output, optend, output_size);
1066 Signature *s,
const char *addrstr,
char flag)
1068 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
1072 if (strcasecmp(addrstr,
"any") == 0)
1080 if (strcasecmp(addrstr,
"any") == 0)
1107 static int SigParseProto(
Signature *s,
const char *protostr)
1122 "in a signature. Either detection for this protocol "
1123 "is not yet supported OR detection has been disabled for "
1124 "protocol through the yaml option "
1125 "app-layer.protocols.%s.detection-enabled",
1126 protostr, protostr);
1155 Signature *s,
const char *portstr,
char flag)
1161 SCLogDebug(
"Port group \"%s\" to be parsed", portstr);
1164 if (strcasecmp(portstr,
"any") == 0)
1168 }
else if (flag == 1) {
1169 if (strcasecmp(portstr,
"any") == 0)
1184 static int SigParseActionRejectValidate(
const char *action)
1186 #ifdef HAVE_LIBNET11
1187 #if defined HAVE_LIBCAP_NG && !defined HAVE_LIBNET_CAPABILITIES
1190 "incompatible with POSIX based capabilities with privs dropping. "
1191 "For rejects to work, run as root/super user.");
1197 "required for action \"%s\" but is not compiled into Suricata",
1215 static int SigParseAction(
Signature *s,
const char *action)
1217 if (strcasecmp(action,
"alert") == 0) {
1219 }
else if (strcasecmp(action,
"drop") == 0) {
1221 }
else if (strcasecmp(action,
"pass") == 0) {
1223 }
else if (strcasecmp(action,
"reject") == 0 ||
1224 strcasecmp(action,
"rejectsrc") == 0)
1226 if (!(SigParseActionRejectValidate(action)))
1229 }
else if (strcasecmp(action,
"rejectdst") == 0) {
1230 if (!(SigParseActionRejectValidate(action)))
1233 }
else if (strcasecmp(action,
"rejectboth") == 0) {
1234 if (!(SigParseActionRejectValidate(action)))
1237 }
else if (strcasecmp(action,
"config") == 0) {
1241 SCLogError(
"An invalid action \"%s\" was given", action);
1258 static inline int SigParseToken(
char **input,
char *output,
1259 const size_t output_size)
1261 size_t len = *input == NULL ? 0 : strlen(*input);
1267 while (
len && isblank(**input)) {
1272 char *endptr = strpbrk(*input,
" \t\n\r");
1273 if (endptr != NULL) {
1276 strlcpy(output, *input, output_size);
1293 static inline int SigParseList(
char **input,
char *output,
1294 const size_t output_size)
1297 size_t len = *input != NULL ? strlen(*input) : 0;
1303 while (
len && isblank(**input)) {
1309 for (i = 0; i <
len; i++) {
1310 char c = (*input)[i];
1313 }
else if (c ==
']') {
1315 }
else if (c ==
' ') {
1326 strlcpy(output, *input, output_size);
1327 *input = *input + i + 1;
1347 SigParseToken(&index, parser->
action,
sizeof(parser->
action));
1353 SigParseList(&index, parser->
src,
sizeof(parser->
src));
1356 SigParseList(&index, parser->
sp,
sizeof(parser->
sp));
1362 SigParseList(&index, parser->
dst,
sizeof(parser->
dst));
1365 SigParseList(&index, parser->
dp,
sizeof(parser->
dp));
1368 if (index == NULL) {
1372 while (isspace(*index) || *index ==
'(') {
1375 for (
size_t i = strlen(index); i > 0; i--) {
1376 if (isspace(index[i - 1]) || index[i - 1] ==
')') {
1377 index[i - 1] =
'\0';
1389 if (SigParseAction(s, parser->
action) < 0)
1392 if (SigParseProto(s, parser->
protocol) < 0)
1395 if (strcmp(parser->
direction,
"<>") == 0) {
1397 }
else if (strcmp(parser->
direction,
"->") != 0) {
1398 SCLogError(
"\"%s\" is not a valid direction modifier, "
1399 "\"->\" and \"<>\" are supported.",
1426 static inline bool CheckAscii(
const char *
str)
1428 for (
size_t i = 0; i < strlen(
str); i++) {
1429 if (
str[i] < 0x20) {
1431 if (
str[i] == 0x0a ||
str[i] == 0x0d ||
str[i] == 0x09) {
1435 }
else if (
str[i] == 0x7f) {
1459 if (!rs_check_utf8(sigstr)) {
1464 if (!CheckAscii(sigstr)) {
1465 SCLogError(
"rule contains invalid (control) characters");
1469 int ret = SigParseBasics(
de_ctx, s, sigstr, parser, addrs_direction, requires);
1476 if (strlen(parser->
opts) > 0) {
1477 size_t buffer_size = strlen(parser->
opts) + 1;
1478 char input[buffer_size];
1479 char output[buffer_size];
1480 memset(input, 0x00, buffer_size);
1481 memcpy(input, parser->
opts, strlen(parser->
opts) + 1);
1487 memset(output, 0x00, buffer_size);
1488 ret = SigParseOptions(
de_ctx, s, input, output, buffer_size, requires);
1490 memcpy(input, output, buffer_size);
1522 memset(b, 0,
sizeof(*b));
1565 static void SigMetadataFree(
Signature *s)
1572 if (s == NULL || s->
metadata == NULL) {
1579 next_mdata = mdata->
next;
1610 next_ref = ref->
next;
1664 while (sm != NULL) {
1673 while (sm != NULL) {
1694 if (s->
sp != NULL) {
1697 if (s->
dp != NULL) {
1735 SCLogError(
"transforms must directly follow stickybuffers");
1770 if (AppProtoEquals(alproto, s->
alproto)) {
1775 SCLogError(
"can't set rule app proto to %s: already set to %s",
1802 if (addr_match4 == NULL) {
1808 addr_match4[idx].
ip =
SCNtohl(da->ip.addr_data32[0]);
1809 addr_match4[idx].
ip2 =
SCNtohl(da->ip2.addr_data32[0]);
1828 if (addr_match6 == NULL) {
1834 addr_match6[idx].
ip[0] =
SCNtohl(da->ip.addr_data32[0]);
1835 addr_match6[idx].
ip[1] =
SCNtohl(da->ip.addr_data32[1]);
1836 addr_match6[idx].
ip[2] =
SCNtohl(da->ip.addr_data32[2]);
1837 addr_match6[idx].
ip[3] =
SCNtohl(da->ip.addr_data32[3]);
1838 addr_match6[idx].
ip2[0] =
SCNtohl(da->ip2.addr_data32[0]);
1839 addr_match6[idx].
ip2[1] =
SCNtohl(da->ip2.addr_data32[1]);
1840 addr_match6[idx].
ip2[2] =
SCNtohl(da->ip2.addr_data32[2]);
1841 addr_match6[idx].
ip2[3] =
SCNtohl(da->ip2.addr_data32[3]);
1854 static void SigBuildAddressMatchArray(
Signature *s)
1871 static int SigMatchListLen(
SigMatch *sm)
1874 for (; sm != NULL; sm = sm->
next)
1885 int len = SigMatchListLen(
head);
1891 FatalError(
"initializing the detection engine failed");
1897 for (; sm != NULL; sm = sm->
next, smd++) {
1919 uint32_t sig_flags = 0;
1924 nlists += (nlists > 0);
1928 SCLogError(
"rule %u setup buffer %s but didn't add matches to it", s->
id,
1933 bool has_frame =
false;
1934 bool has_app =
false;
1935 bool has_pkt =
false;
1936 bool has_pmatch =
false;
1946 struct BufferVsDir {
1949 } bufdir[nlists + 1];
1950 memset(&bufdir, 0, (nlists + 1) *
sizeof(
struct BufferVsDir));
1964 if (b->
head == NULL) {
1969 has_frame |= bt->
frame;
1970 has_app |= (bt->
frame ==
false && bt->
packet ==
false);
1975 "specific matches (like dsize, flags, ttl) with stream / "
1976 "state matching by matching on app layer proto (like using "
1977 "http_* keywords).");
1982 for (; app != NULL; app = app->
next) {
1989 bufdir[b->
id].ts += (app->
dir == 0);
1990 bufdir[b->
id].tc += (app->
dir == 1);
2006 for (
int x = 0; x < nlists; x++) {
2007 if (bufdir[x].
ts == 0 && bufdir[x].tc == 0)
2009 ts_excl += (bufdir[x].ts > 0 && bufdir[x].tc == 0);
2010 tc_excl += (bufdir[x].ts == 0 && bufdir[x].tc > 0);
2011 dir_amb += (bufdir[x].ts > 0 && bufdir[x].tc > 0);
2016 if (ts_excl && tc_excl) {
2017 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2019 }
else if (ts_excl) {
2020 SCLogDebug(
"%u: implied rule direction is toserver", s->
id);
2022 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2025 }
else if (tc_excl) {
2026 SCLogDebug(
"%u: implied rule direction is toclient", s->
id);
2028 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2031 }
else if (dir_amb) {
2032 SCLogDebug(
"%u: rule direction cannot be deduced from keywords", s->
id);
2038 "tcp-stream or flow:only_stream. Invalidating signature.");
2043 SCLogError(
"You seem to have mixed keywords "
2044 "that require inspection in both directions. Atm we only "
2045 "support keywords in one direction within a rule.");
2049 if (has_pmatch && has_frame) {
2050 SCLogError(
"can't mix pure content and frame inspection");
2053 if (has_app && has_frame) {
2054 SCLogError(
"can't mix app-layer buffer and frame inspection");
2057 if (has_pkt && has_frame) {
2058 SCLogError(
"can't mix pkt buffer and frame inspection");
2066 if (s->
proto.
proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
2105 "support file matching",
2110 SCLogError(
"protocol HTTP2 doesn't support file name matching");
2130 memset(&parser, 0x00,
sizeof(parser));
2148 int ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
true);
2155 }
else if (ret < 0) {
2161 SCLogError(
"Signature missing required value \"sid\".");
2166 ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
false);
2172 }
else if (ret == -2) {
2175 }
else if (ret < 0) {
2180 if (sig->
prio == -1)
2187 int override_needed = 0;
2191 override_needed = 1;
2193 override_needed = 1;
2195 for (s = 0; s <
sizeof(sig->
proto.
proto); s++) {
2197 override_needed = 0;
2206 if (override_needed)
2216 for ( ; sm != NULL; sm = sm->
next) {
2232 SCLogDebug(
"sig %"PRIu32
" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
2236 SigBuildAddressMatchArray(sig);
2248 if (SigValidate(
de_ctx, sig) == 0) {
2278 static bool SigHasSameSourceAndDestination(
const Signature *s)
2330 if (SigHasSameSourceAndDestination(sig)) {
2331 SCLogInfo(
"Rule with ID %u is bidirectional, but source and destination are the same, "
2332 "treating the rule as unidirectional", sig->
id);
2337 if (sig->
next == NULL) {
2362 static void DetectParseDupSigFreeFunc(
void *data)
2380 static uint32_t DetectParseDupSigHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
2399 static char DetectParseDupSigCompareFunc(
void *data1, uint16_t len1,
void *data2,
2405 if (sw1 == NULL || sw2 == NULL ||
2406 sw1->
s == NULL || sw2->
s == NULL)
2410 if (sw1->
s->
id == sw2->
s->
id && sw1->
s->
gid == sw2->
s->
gid)
return 1;
2426 DetectParseDupSigHashFunc,
2427 DetectParseDupSigCompareFunc,
2428 DetectParseDupSigFreeFunc);
2491 if (sw_dup == NULL) {
2504 (
void *)&sw_tmp, 0);
2516 if (sw->
s->
rev <= sw_dup->
s->
rev) {
2525 if (sw_dup->
s_prev == NULL) {
2533 sw_temp.
s = sw_dup->
s->
next;
2537 if (sw_temp.
s != NULL) {
2539 (
void *)&sw_temp, 0);
2559 sw_temp.
s = sw_dup->
s->
next;
2567 if (sw_temp.
s != NULL) {
2569 (
void *)&sw_temp, 0);
2584 (
void *)&sw_tmp, 0);
2585 if (sw_old->
s != sw_dup->
s) {
2628 int dup_sig = DetectEngineSignatureIsDuplicate(
de_ctx, sig);
2632 SCLogError(
"Duplicate signature \"%s\"", sigstr);
2634 }
else if (dup_sig == 2) {
2636 " so the older sig replaced by this new signature \"%s\"",
2641 if (sig->
next != NULL) {
2658 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
2662 if (sig != NULL && sig->
next != NULL) {
2675 int start_offset,
int options)
2677 *match = pcre2_match_data_create_from_pattern(parse_regex->
regex, NULL);
2679 return pcre2_match(parse_regex->
regex, (PCRE2_SPTR8)
str, strlen(
str), options, start_offset,
2687 pcre2_code_free(r->
regex);
2690 pcre2_match_context_free(r->
context);
2705 g_detect_parse_regex_list = NULL;
2714 FatalError(
"failed to alloc memory for pcre free list");
2717 r->
next = g_detect_parse_regex_list;
2718 g_detect_parse_regex_list = r;
2726 detect_parse->
regex =
2727 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
2728 if (detect_parse->
regex == NULL) {
2729 PCRE2_UCHAR errbuffer[256];
2730 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
2731 SCLogError(
"pcre compile of \"%s\" failed at "
2733 parse_str, en, errbuffer);
2746 if (detect_parse == NULL) {
2750 detect_parse->
regex =
2751 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
2752 if (detect_parse->
regex == NULL) {
2753 PCRE2_UCHAR errbuffer[256];
2754 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
2755 SCLogError(
"pcre2 compile of \"%s\" failed at "
2757 parse_str, (
int)eo, errbuffer);
2762 detect_parse->
next = g_detect_parse_regex_list;
2763 g_detect_parse_regex_list = detect_parse;
2764 return detect_parse;
2768 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
2770 int r = pcre2_substring_copy_bynumber(match_data, number, buffer, bufflen);
2771 if (r == PCRE2_ERROR_UNSET) {
2780 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
2782 int r = pcre2_substring_get_bynumber(match_data, number, bufferptr, bufflen);
2783 if (r == PCRE2_ERROR_UNSET) {
2807 static int SigParseTest01 (
void)
2816 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
2826 static int SigParseTest02 (
void)
2840 sig =
SigInit(
de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
2868 static int SigParseTest03 (
void)
2877 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any <- !1.2.3.4 any (msg:\"SigParseTest03\"; sid:1;)");
2880 printf(
"expected NULL got sig ptr %p: ",sig);
2889 static int SigParseTest04 (
void)
2898 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024: -> !1.2.3.4 1024: (msg:\"SigParseTest04\"; sid:1;)");
2909 static int SigParseTest05 (
void)
2918 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024:65536 -> !1.2.3.4 any (msg:\"SigParseTest05\"; sid:1;)");
2922 printf(
"signature didn't fail to parse as we expected: ");
2932 static int SigParseTest06 (
void)
2941 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; nocase; http_method; uricontent:\"/uri/\"; nocase; content:\"Host|3A| abc\"; nocase; sid:1; rev:1;)");
2945 printf(
"signature failed to parse: ");
2959 static int SigParseTest07(
void)
2981 static int SigParseTest08(
void)
3004 static int SigParseTest09(
void)
3055 static int SigParseTest10(
void)
3087 static int SigParseTest11(
void)
3098 "drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\"; sid:1;) ");
3100 printf(
"sig 1 didn't parse: ");
3105 "the http link\"; sid:2;) ");
3107 printf(
"sig 2 didn't parse: ");
3121 static int SigParseTest12(
void)
3133 printf(
"sig 1 should have given an error: ");
3147 static int SigParseTest13(
void)
3159 printf(
"sig 1 invalidated: failure");
3164 printf(
"sig doesn't have stream flag set\n");
3169 printf(
"sig has packet flag set\n");
3184 static int SigParseTest14(
void)
3196 printf(
"sig 1 invalidated: failure");
3201 printf(
"sig doesn't have packet flag set\n");
3206 printf(
"sig has stream flag set\n");
3221 static int SigParseTest15(
void)
3233 printf(
"sig 1 invalidated: failure");
3238 printf(
"sig doesn't have packet flag set\n");
3243 printf(
"sig doesn't have stream flag set\n");
3258 static int SigParseTest16(
void)
3270 printf(
"sig 1 invalidated: failure");
3275 printf(
"sig doesn't have packet flag set\n");
3280 printf(
"sig doesn't have stream flag set\n");
3295 static int SigParseTest17(
void)
3307 printf(
"sig 1 invalidated: failure");
3312 printf(
"sig doesn't have packet flag set\n");
3317 printf(
"sig doesn't have stream flag set\n");
3330 static int SigParseTest18 (
void)
3338 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:99999999999999999999;)") != NULL)
3349 static int SigParseTest19 (
void)
3357 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; gid:99999999999999999999;)") != NULL)
3368 static int SigParseTest20 (
void)
3376 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; rev:99999999999999999999;)") != NULL)
3387 static int SigParseTest21 (
void)
3406 static int SigParseTest22 (
void)
3414 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp [10.10.10.0/24, !10.10.10.247] any -> [10.10.10.0/24, !10.10.10.247] any (sid:1;)") == NULL)
3427 static int SigParseTest23(
void)
3442 static int SigParseBidirecTest06 (
void)
3462 static int SigParseBidirecTest07 (
void)
3482 static int SigParseBidirecTest08 (
void)
3502 static int SigParseBidirecTest09 (
void)
3522 static int SigParseBidirecTest10 (
void)
3542 static int SigParseBidirecTest11 (
void)
3562 static int SigParseBidirecTest12 (
void)
3582 static int SigParseBidirecTest13 (
void)
3601 static int SigParseBidirecTest14 (
void)
3622 static int SigTestBidirec01 (
void)
3634 if (sig->
next != NULL)
3653 static int SigTestBidirec02 (
void)
3672 if (sig->
next == NULL)
3677 if (copy->
next != NULL)
3698 static int SigTestBidirec03 (
void)
3710 const char *sigs[3];
3711 sigs[0] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 1\"; sid:1;)";
3712 sigs[1] =
"alert tcp any any <> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)";
3713 sigs[2] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 3\"; sid:3;)";
3720 if (sig->
next == NULL)
3731 uint8_t rawpkt1_ether[] = {
3732 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
3733 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
3734 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
3735 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
3736 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
3737 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
3738 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
3739 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
3740 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
3741 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
3742 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
3743 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
3744 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
3745 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
3746 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
3747 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
3748 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
3749 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
3750 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
3751 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
3752 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
3753 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
3754 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
3755 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
3756 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
3757 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
3758 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
3759 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
3760 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
3761 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
3762 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
3763 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
3764 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
3765 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
3766 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3767 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3768 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
3769 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
3770 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
3771 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
3772 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
3773 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
3774 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
3775 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3776 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
3777 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
3778 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
3779 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
3780 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3781 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
3782 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
3783 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
3784 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
3785 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
3786 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
3796 uint32_t sids[3] = {1, 2, 3};
3797 uint32_t
results[3] = {1, 1, 1};
3813 static int SigTestBidirec04 (
void)
3828 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp 192.168.1.1 any <> any any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)");
3833 if (sig->
next == NULL)
3845 if (sig->
next == NULL)
3856 uint8_t rawpkt1_ether[] = {
3857 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
3858 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
3859 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
3860 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
3861 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
3862 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
3863 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
3864 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
3865 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
3866 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
3867 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
3868 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
3869 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
3870 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
3871 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
3872 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
3873 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
3874 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
3875 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
3876 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
3877 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
3878 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
3879 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
3880 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
3881 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
3882 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
3883 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
3884 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
3885 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
3886 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
3887 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
3888 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
3889 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
3890 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
3891 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3892 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3893 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
3894 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
3895 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
3896 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
3897 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
3898 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
3899 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
3900 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
3901 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
3902 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
3903 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
3904 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
3905 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
3906 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
3907 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
3908 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
3909 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
3910 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
3911 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
3920 memset(&th_v, 0,
sizeof(th_v));
3960 static int SigParseTestNegation01 (
void)
3974 static int SigParseTestNegation02 (
void)
3985 s =
SigInit(
de_ctx,
"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
4000 static int SigParseTestNegation03 (
void)
4011 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4026 static int SigParseTestNegation04 (
void)
4037 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4052 static int SigParseTestNegation05 (
void)
4063 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
4078 static int SigParseTestNegation06 (
void)
4089 s =
SigInit(
de_ctx,
"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
4105 static int SigParseTestNegation07 (
void)
4111 de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (sid:410006;)");
4120 static int SigParseTestNegation08 (
void)
4131 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.0/16,!192.168.0.0/24] any (sid:410006; rev:1;)");
4146 static int SigParseTestMpm01 (
void)
4155 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; sid:1;)");
4157 printf(
"sig failed to init: ");
4162 printf(
"sig doesn't have content list: ");
4177 static int SigParseTestMpm02 (
void)
4186 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; content:\"abcdef\"; sid:1;)");
4188 printf(
"sig failed to init: ");
4193 printf(
"sig doesn't have content list: ");
4208 static int SigParseTestAppLayerTLS01(
void)
4219 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS01 \"; sid:410006; rev:1;)");
4221 printf(
"parsing sig failed: ");
4226 printf(
"alproto not set: ");
4243 static int SigParseTestAppLayerTLS02(
void)
4254 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS02 \"; tls.version:1.0; sid:410006; rev:1;)");
4256 printf(
"parsing sig failed: ");
4261 printf(
"alproto not set: ");
4277 static int SigParseTestAppLayerTLS03(
void)
4288 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; sid:410006; rev:1;)");
4301 static int SigParseTestUnbalancedQuotes01(
void)
4311 "alert http any any -> any any (msg:\"SigParseTestUnbalancedQuotes01\"; "
4312 "pcre:\"/\\/[a-z]+\\.php\\?[a-z]+?=\\d{7}&[a-z]+?=\\d{7,8}$/U\" "
4313 "flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:5;)");
4319 static int SigParseTestContentGtDsize01(
void)
4326 "alert http any any -> any any ("
4327 "dsize:21; content:\"0123456789001234567890|00 00|\"; "
4334 static int SigParseTestContentGtDsize02(
void)
4341 "alert http any any -> any any ("
4342 "dsize:21; content:\"0123456789|00 00|\"; offset:10; "
4359 static int SigParseBidirWithSameSrcAndDest01(
void)
4376 "alert tcp [1.2.3.4, 5.6.7.8] [80, 81] <> [5.6.7.8, 1.2.3.4] [81, 80] (sid:3;)");
4385 static int SigParseBidirWithSameSrcAndDest02(
void)
4393 de_ctx,
"alert tcp 1.2.3.4 any <> [1.2.3.4, 5.6.7.8, ::1] any (sid:1;)");
4400 de_ctx,
"alert tcp [1.2.3.4, ::1] [80, 81, 82] <> [1.2.3.4, ::1] [80, 81] (sid:2;)");
4407 "alert tcp [1.2.3.4, ::1, ABCD:AAAA::1] [80] <> [1.2.3.4, ::1] [80, 81] (sid:3;)");
4414 de_ctx,
"alert tcp [!1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:4;)");
4421 de_ctx,
"alert tcp [1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:5;)");
4430 static int SigParseTestActionReject(
void)
4436 de_ctx,
"reject tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
4437 #ifdef HAVE_LIBNET11
4448 static int SigParseTestActionDrop(
void)
4454 de_ctx,
"drop tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
4494 UtRegisterTest(
"SigParseTest21 -- address with space", SigParseTest21);
4495 UtRegisterTest(
"SigParseTest22 -- address with space", SigParseTest22);
4496 UtRegisterTest(
"SigParseTest23 -- carriage return", SigParseTest23);
4511 UtRegisterTest(
"SigParseTestNegation01", SigParseTestNegation01);
4512 UtRegisterTest(
"SigParseTestNegation02", SigParseTestNegation02);
4513 UtRegisterTest(
"SigParseTestNegation03", SigParseTestNegation03);
4514 UtRegisterTest(
"SigParseTestNegation04", SigParseTestNegation04);
4515 UtRegisterTest(
"SigParseTestNegation05", SigParseTestNegation05);
4516 UtRegisterTest(
"SigParseTestNegation06", SigParseTestNegation06);
4517 UtRegisterTest(
"SigParseTestNegation07", SigParseTestNegation07);
4518 UtRegisterTest(
"SigParseTestNegation08", SigParseTestNegation08);
4521 UtRegisterTest(
"SigParseTestAppLayerTLS01", SigParseTestAppLayerTLS01);
4522 UtRegisterTest(
"SigParseTestAppLayerTLS02", SigParseTestAppLayerTLS02);
4523 UtRegisterTest(
"SigParseTestAppLayerTLS03", SigParseTestAppLayerTLS03);
4524 UtRegisterTest(
"SigParseTestUnbalancedQuotes01", SigParseTestUnbalancedQuotes01);
4527 SigParseTestContentGtDsize01);
4529 SigParseTestContentGtDsize02);
4532 SigParseBidirWithSameSrcAndDest01);
4534 SigParseBidirWithSameSrcAndDest02);
4535 UtRegisterTest(
"SigParseTestActionReject", SigParseTestActionReject);
4536 UtRegisterTest(
"SigParseTestActionDrop", SigParseTestActionDrop);