83 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
114 #define CASE_CODE_STRING(E, S) case E: return S; break
125 #undef CASE_CODE_STRING
129 #define CASE_CODE(E) case E: return #E
147 Signature *s,
const char *arg,
int sm_type,
int sm_list,
153 if (arg != NULL && strcmp(arg,
"") != 0) {
162 "with a sticky buffer still set. Reset sticky buffer "
163 "with pkt_data before using the modifier.",
177 "found inside the rule without a content context. "
178 "Please use a \"content\" keyword before using the "
186 "be used with the rawbytes rule keyword",
192 "be used with the replace rule keyword",
231 bool reuse_buffer =
false;
244 SCLogError(
"failed to expand rule buffer array");
253 SCLogDebug(
"idx %u list %d set up curbuf %p s->init_data->buffer_index %u",
294 if (sm->
ctx != NULL) {
305 ptrdiff_t
offset = e - table;
319 if (st->
name != NULL) {
352 if (strcmp(
str,
"all") == 0) {
364 char *xsaveptr = NULL;
365 char *key = strtok_r(copy,
",", &xsaveptr);
366 while (key != NULL) {
372 "argument '%s' not found",
375 key = strtok_r(NULL,
",", &xsaveptr);
402 SCLogDebug(
"s:%p new:%p list:%d: %s, s->init_data->list_set %s s->init_data->list %d", s,
new,
436 SCLogDebug(
"reusing buffer %u as it isn't multi-capable", x);
446 SCLogError(
"failed to expand rule buffer array");
476 SCLogDebug(
"appended %s to list %d, rule pos %u (s->init_data->list %d)",
495 if (sm->
prev != NULL)
497 if (sm->
next != NULL)
539 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
551 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
573 SCLogDebug(
"skip x %u s->init_data->list %d (int)s->init_data->buffers[x].id %d", x,
582 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
586 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
603 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
608 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
633 va_start(ap, sm_list);
635 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
637 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
640 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
671 va_start(ap, list_id);
673 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
677 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
689 va_start(ap, list_id);
691 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
692 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
695 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
718 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
726 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
733 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
739 if (sm->
prev != NULL)
741 if (sm->
next != NULL)
744 if (sm == *src_sm_list)
745 *src_sm_list = sm->
next;
746 if (sm == *src_sm_list_tail)
747 *src_sm_list_tail = sm->
prev;
749 if (*dst_sm_list == NULL) {
751 *dst_sm_list_tail = sm;
759 *dst_sm_list_tail = sm;
786 SCLogError(
"Unable to find the sm in any of the "
800 static int DetectSetupDirection(
Signature *s,
char **
str,
bool only_dir)
803 if (strncmp(*
str,
"to_client", strlen(
"to_client")) == 0) {
804 *
str += strlen(
"to_client");
806 while (**
str && isblank(**
str)) {
812 SCLogError(
"unknown option: only accepts to_server or to_client");
822 while (**
str && isblank(**
str)) {
834 }
else if (strncmp(*
str,
"to_server", strlen(
"to_server")) == 0) {
835 *
str += strlen(
"to_server");
837 while (**
str && isblank(**
str)) {
843 SCLogError(
"unknown option: only accepts to_server or to_client");
853 while (**
str && isblank(**
str)) {
865 }
else if (only_dir) {
866 SCLogError(
"unknown option: only accepts to_server or to_client");
873 size_t output_size,
bool requires)
876 char *optname = NULL;
877 char *optvalue = NULL;
880 while (isblank(*optstr)) {
885 char *optend = optstr;
887 optend = strchr(optend,
';');
888 if (optend == NULL) {
892 else if (optend > optstr && *(optend -1 ) ==
'\\') {
901 char *optvalptr = strchr(optstr,
':');
903 *(optvalptr++) =
'\0';
906 for (
size_t i = strlen(optvalptr); i > 0; i--) {
907 if (isblank(optvalptr[i - 1])) {
908 optvalptr[i - 1] =
'\0';
914 optvalue = optvalptr;
918 for (
size_t i = strlen(optstr); i > 0; i--) {
919 if (isblank(optstr[i - 1])) {
920 optstr[i - 1] =
'\0';
929 bool requires_only = strcasecmp(optname,
"requires") == 0 || strcasecmp(optname,
"sid") == 0;
930 if ((requires && !requires_only) || (!requires && requires_only)) {
935 st = SigTableGet(optname);
936 if (st == NULL || st->
Setup == NULL) {
937 SCLogError(
"unknown rule keyword '%s'.", optname);
942 if (optvalue == NULL || strlen(optvalue) == 0) {
944 "invalid formatting or malformed option to %s keyword: '%s'", optname, optstr);
948 if (optvalue && strlen(optvalue)) {
949 SCLogError(
"unexpected option to %s keyword: '%s'", optname, optstr);
959 #define URL "https://suricata.io/our-story/deprecation-policy/"
962 "and will be removed soon. See %s",
966 "and will be removed soon. Use '%s' instead. "
975 if (optvalue != NULL && strlen(optvalue) > 0) {
976 size_t ovlen = strlen(optvalue);
977 char *ptr = optvalue;
987 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
993 SCLogWarning(
"keyword \'%s\' has not been tested for firewall rules", optname);
1010 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
1016 SCLogError(
"invalid formatting to %s keyword: "
1017 "value must be double quoted \'%s\'",
1023 && ovlen && *ptr ==
'"')
1025 for (; ovlen > 0; ovlen--) {
1026 if (isblank(ptr[ovlen - 1])) {
1027 ptr[ovlen - 1] =
'\0';
1032 if (ovlen && ptr[ovlen - 1] !=
'"') {
1033 SCLogError(
"bad option value formatting (possible missing semicolon) "
1034 "for keyword %s: \'%s\'",
1042 ptr[ovlen - 1] =
'\0';
1047 "for keyword %s: \'%s\'",
1054 "quotes on %s keyword that doesn't support them: \'%s\'", optname, optstr);
1072 if (setup_ret < 0) {
1076 if (setup_ret == -2) {
1088 if (strlen(optend) > 0) {
1089 strlcpy(output, optend, output_size);
1104 Signature *s,
const char *addrstr,
char flag)
1106 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
1110 if (strcasecmp(addrstr,
"any") == 0)
1118 if (strcasecmp(addrstr,
"any") == 0)
1133 static bool IsBuiltIn(
const char *n)
1135 if (strcmp(n,
"request_started") == 0 || strcmp(n,
"response_started") == 0) {
1138 if (strcmp(n,
"request_complete") == 0 || strcmp(n,
"response_complete") == 0) {
1156 if (strcmp(alproto_name,
"http") == 0)
1157 alproto_name =
"http1";
1158 SCLogDebug(
"alproto %u/%s", a, alproto_name);
1160 const int max_progress_ts =
1162 const int max_progress_tc =
1165 char ts_tx_started[64];
1166 snprintf(ts_tx_started,
sizeof(ts_tx_started),
"%s:request_started:generic", alproto_name);
1169 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"request_name", ts_tx_started,
1170 (uint32_t)strlen(ts_tx_started));
1172 char tc_tx_started[64];
1173 snprintf(tc_tx_started,
sizeof(tc_tx_started),
"%s:response_started:generic", alproto_name);
1176 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"response_name", tc_tx_started,
1177 (uint32_t)strlen(tc_tx_started));
1179 char ts_tx_complete[64];
1180 snprintf(ts_tx_complete,
sizeof(ts_tx_complete),
"%s:request_complete:generic",
1184 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"request_name", ts_tx_complete,
1185 (uint32_t)strlen(ts_tx_complete));
1187 char tc_tx_complete[64];
1188 snprintf(tc_tx_complete,
sizeof(tc_tx_complete),
"%s:response_complete:generic",
1192 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"response_name", tc_tx_complete,
1193 (uint32_t)strlen(tc_tx_complete));
1195 for (
int p = 0; p <= max_progress_ts; p++) {
1197 IPPROTO_TCP , a, p, STREAM_TOSERVER);
1198 if (
name != NULL && !IsBuiltIn(
name)) {
1200 snprintf(list_name,
sizeof(list_name),
"%s:%s:generic", alproto_name,
name);
1201 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
name, list_name,
1202 (uint32_t)strlen(list_name));
1208 for (
int p = 0; p <= max_progress_tc; p++) {
1210 IPPROTO_TCP , a, p, STREAM_TOCLIENT);
1211 if (
name != NULL && !IsBuiltIn(
name)) {
1213 snprintf(list_name,
sizeof(list_name),
"%s:%s:generic", alproto_name,
name);
1214 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
name, list_name,
1215 (uint32_t)strlen(list_name));
1241 if (strcmp(
str,
"flow_start") == 0) {
1243 }
else if (strcmp(
str,
"pre_flow") == 0) {
1245 }
else if (strcmp(
str,
"pre_stream") == 0) {
1247 }
else if (strcmp(
str,
"all") == 0) {
1260 return "flow_start";
1264 return "pre_stream";
1276 .t.pkt.ph = HookPktFromString(hook_str),
1284 static int SigParseProtoHookPkt(
Signature *s,
const char *proto_hook,
const char *p,
const char *h)
1297 SCLogDebug(
"protocol:%s hook:%s: type:%s parsed hook:%s", p, h,
1307 .t.app.alproto = alproto,
1308 .t.app.app_progress = progress,
1316 static int SigParseProtoHookApp(
Signature *s,
const char *proto_hook,
const char *p,
const char *h)
1318 if (strcmp(h,
"request_started") == 0) {
1322 }
else if (strcmp(h,
"response_started") == 0) {
1326 }
else if (strcmp(h,
"request_complete") == 0) {
1330 }
else if (strcmp(h,
"response_complete") == 0) {
1336 IPPROTO_TCP , s->
alproto, h, STREAM_TOSERVER);
1337 if (progress_ts >= 0) {
1342 IPPROTO_TCP , s->
alproto, h, STREAM_TOCLIENT);
1343 if (progress_tc < 0) {
1351 char generic_hook_name[64];
1352 snprintf(generic_hook_name,
sizeof(generic_hook_name),
"%s:generic", proto_hook);
1355 SCLogError(
"no list registered as %s for hook %s", generic_hook_name, proto_hook);
1360 SCLogDebug(
"protocol:%s hook:%s: type:%s alproto:%u hook:%d", p, h,
1380 static int SigParseProto(
Signature *s,
const char *protostr)
1383 if (strlen(protostr) > 32)
1388 const char *p =
proto;
1389 const char *h = NULL;
1391 bool has_hook = strchr(
proto,
':') != NULL;
1393 char *xsaveptr = NULL;
1394 p = strtok_r(
proto,
":", &xsaveptr);
1395 h = strtok_r(NULL,
":", &xsaveptr);
1413 if (SigParseProtoHookApp(s, protostr, p, h) < 0) {
1414 SCLogError(
"protocol \"%s\" does not support hook \"%s\"", p, h);
1421 "in a signature. Either detection for this protocol "
1422 "is not yet supported OR detection has been disabled for "
1423 "protocol through the yaml option "
1424 "app-layer.protocols.%s.detection-enabled",
1428 }
else if (h != NULL) {
1429 SCLogDebug(
"non-app-layer rule with %s:%s", p, h);
1431 if (SigParseProtoHookPkt(s, protostr, p, h) < 0) {
1432 SCLogError(
"protocol \"%s\" does not support hook \"%s\"", p, h);
1461 Signature *s,
const char *portstr,
char flag)
1467 SCLogDebug(
"Port group \"%s\" to be parsed", portstr);
1470 if (strcasecmp(portstr,
"any") == 0)
1474 }
else if (flag == 1) {
1475 if (strcasecmp(portstr,
"any") == 0)
1490 static int SigParseActionRejectValidate(
const char *action)
1492 #ifdef HAVE_LIBNET11
1493 #if defined HAVE_LIBCAP_NG && !defined HAVE_LIBNET_CAPABILITIES
1496 "incompatible with POSIX based capabilities with privs dropping. "
1497 "For rejects to work, run as root/super user.");
1503 "required for action \"%s\" but is not compiled into Suricata",
1513 static uint8_t ActionStringToFlags(
const char *action)
1515 if (strcasecmp(action,
"alert") == 0) {
1517 }
else if (strcasecmp(action,
"drop") == 0) {
1519 }
else if (strcasecmp(action,
"pass") == 0) {
1521 }
else if (strcasecmp(action,
"reject") == 0 ||
1522 strcasecmp(action,
"rejectsrc") == 0)
1524 if (!(SigParseActionRejectValidate(action)))
1527 }
else if (strcasecmp(action,
"rejectdst") == 0) {
1528 if (!(SigParseActionRejectValidate(action)))
1531 }
else if (strcasecmp(action,
"rejectboth") == 0) {
1532 if (!(SigParseActionRejectValidate(action)))
1535 }
else if (strcasecmp(action,
"config") == 0) {
1537 }
else if (strcasecmp(action,
"accept") == 0) {
1540 SCLogError(
"An invalid action \"%s\" was given", action);
1556 static int SigParseAction(
Signature *s,
const char *action_in)
1559 strlcpy(action, action_in,
sizeof(action));
1560 const char *a = action;
1561 const char *o = NULL;
1563 bool has_scope = strchr(action,
':') != NULL;
1565 char *xsaveptr = NULL;
1566 a = strtok_r(action,
":", &xsaveptr);
1567 o = strtok_r(NULL,
":", &xsaveptr);
1571 SCLogError(
"invalid protocol specification '%s'", action_in);
1575 uint8_t
flags = ActionStringToFlags(a);
1581 uint8_t scope_flags = 0;
1583 if (strcmp(o,
"packet") == 0) {
1585 }
else if (strcmp(o,
"flow") == 0) {
1588 SCLogError(
"invalid action scope '%s' in action '%s': only 'packet' and 'flow' "
1595 if (strcmp(o,
"packet") == 0) {
1597 }
else if (strcmp(o,
"hook") == 0) {
1599 }
else if (strcmp(o,
"tx") == 0) {
1601 }
else if (strcmp(o,
"flow") == 0) {
1605 "invalid action scope '%s' in action '%s': only 'packet', 'flow', 'tx' and "
1612 if (strcmp(o,
"packet") == 0) {
1615 SCLogError(
"invalid action scope '%s' in action '%s': only 'packet' allowed", o,
1621 SCLogError(
"invalid action scope '%s' in action '%s': scope only supported for actions "
1622 "'drop', 'pass' and 'reject'",
1630 SCLogError(
"firewall rules require setting an explicit action scope");
1635 SCLogError(
"'accept' action only supported for firewall rules");
1640 SCLogError(
"'pass' action not supported for firewall rules");
1659 static inline int SigParseToken(
char **input,
char *output,
1660 const size_t output_size)
1662 size_t len = *input == NULL ? 0 : strlen(*input);
1668 while (
len && isblank(**input)) {
1673 char *endptr = strpbrk(*input,
" \t\n\r");
1674 if (endptr != NULL) {
1677 strlcpy(output, *input, output_size);
1694 static inline int SigParseList(
char **input,
char *output,
1695 const size_t output_size)
1698 size_t len = *input != NULL ? strlen(*input) : 0;
1704 while (
len && isblank(**input)) {
1710 for (i = 0; i <
len; i++) {
1711 char c = (*input)[i];
1714 }
else if (c ==
']') {
1716 }
else if (c ==
' ') {
1727 strlcpy(output, *input, output_size);
1728 *input = *input + i + 1;
1748 SigParseToken(&index, parser->
action,
sizeof(parser->
action));
1754 SigParseList(&index, parser->
src,
sizeof(parser->
src));
1757 SigParseList(&index, parser->
sp,
sizeof(parser->
sp));
1763 SigParseList(&index, parser->
dst,
sizeof(parser->
dst));
1766 SigParseList(&index, parser->
dp,
sizeof(parser->
dp));
1769 if (index == NULL) {
1773 while (isspace(*index) || *index ==
'(') {
1776 for (
size_t i = strlen(index); i > 0; i--) {
1777 if (isspace(index[i - 1]) || index[i - 1] ==
')') {
1778 index[i - 1] =
'\0';
1790 if (SigParseAction(s, parser->
action) < 0)
1793 if (SigParseProto(s, parser->
protocol) < 0)
1796 if (strcmp(parser->
direction,
"<>") == 0) {
1798 }
else if (strcmp(parser->
direction,
"=>") == 0) {
1800 SCLogError(
"transactional bidirectional rules not supported for firewall rules");
1805 }
else if (strcmp(parser->
direction,
"->") != 0) {
1806 SCLogError(
"\"%s\" is not a valid direction modifier, "
1807 "\"->\" and \"<>\" are supported.",
1834 static inline bool CheckAscii(
const char *
str)
1836 for (
size_t i = 0; i < strlen(
str); i++) {
1837 if (
str[i] < 0x20) {
1839 if (
str[i] == 0x0a ||
str[i] == 0x0d ||
str[i] == 0x09) {
1843 }
else if (
str[i] == 0x7f) {
1867 if (!SCCheckUtf8(sigstr)) {
1872 if (!CheckAscii(sigstr)) {
1873 SCLogError(
"rule contains invalid (control) characters");
1877 int ret = SigParseBasics(
de_ctx, s, sigstr, parser, addrs_direction, requires);
1884 if (strlen(parser->
opts) > 0) {
1885 size_t buffer_size = strlen(parser->
opts) + 1;
1886 char input[buffer_size];
1887 char output[buffer_size];
1888 memset(input, 0x00, buffer_size);
1889 memcpy(input, parser->
opts, strlen(parser->
opts) + 1);
1895 memset(output, 0x00, buffer_size);
1896 ret = SigParseOptions(
de_ctx, s, input, output, buffer_size, requires);
1898 memcpy(input, output, buffer_size);
1930 memset(b, 0,
sizeof(*b));
1978 static void SigMetadataFree(
Signature *s)
1985 if (s == NULL || s->
metadata == NULL) {
1992 next_mdata = mdata->
next;
2023 next_ref = ref->
next;
2077 while (sm != NULL) {
2086 while (sm != NULL) {
2107 if (s->
sp != NULL) {
2110 if (s->
dp != NULL) {
2156 if (s->
alproto == *alprotos) {
2199 }
else if (i == 1) {
2231 if (!AppProtoIsValid(alproto)) {
2255 alproto = AppProtoCommon(s->
alproto, alproto);
2257 SCLogError(
"can't set rule app proto to %s: already set to %s",
2284 if (addr_match4 == NULL) {
2290 addr_match4[idx].
ip =
SCNtohl(da->ip.addr_data32[0]);
2291 addr_match4[idx].
ip2 =
SCNtohl(da->ip2.addr_data32[0]);
2310 if (addr_match6 == NULL) {
2316 addr_match6[idx].
ip[0] =
SCNtohl(da->ip.addr_data32[0]);
2317 addr_match6[idx].
ip[1] =
SCNtohl(da->ip.addr_data32[1]);
2318 addr_match6[idx].
ip[2] =
SCNtohl(da->ip.addr_data32[2]);
2319 addr_match6[idx].
ip[3] =
SCNtohl(da->ip.addr_data32[3]);
2320 addr_match6[idx].
ip2[0] =
SCNtohl(da->ip2.addr_data32[0]);
2321 addr_match6[idx].
ip2[1] =
SCNtohl(da->ip2.addr_data32[1]);
2322 addr_match6[idx].
ip2[2] =
SCNtohl(da->ip2.addr_data32[2]);
2323 addr_match6[idx].
ip2[3] =
SCNtohl(da->ip2.addr_data32[3]);
2336 static void SigBuildAddressMatchArray(
Signature *s)
2353 static int SigMatchListLen(
SigMatch *sm)
2356 for (; sm != NULL; sm = sm->
next)
2367 int len = SigMatchListLen(
head);
2373 FatalError(
"initializing the detection engine failed");
2379 for (; sm != NULL; sm = sm->
next, smd++) {
2419 SCLogDebug(
"s %u: no mpm; prefilter? de_ctx->prefilter_setting %u "
2420 "s->init_data->has_possible_prefilter %s",
2434 prefilter_list =
MIN(prefilter_list, sm->
type);
2444 if (sm->
type == prefilter_list) {
2461 static bool DetectRuleValidateTable(
const Signature *s)
2470 if (kw_tables_supported != 0 && (kw_tables_supported & table_as_flag) == 0) {
2471 SCLogError(
"rule %u uses hook \"%s\", but keyword \"%s\" doesn't support this hook",
2482 SCLogError(
"rule %u is loaded as a firewall rule, but does not specify an "
2490 static void DetectRuleSetTable(
Signature *s)
2523 if (!DetectFirewallRuleValidate(
de_ctx, s))
2529 static int SigValidateCheckBuffers(
2532 bool has_frame =
false;
2533 bool has_app =
false;
2534 bool has_pkt =
false;
2535 bool has_pmatch =
false;
2541 nlists += (nlists > 0);
2545 SCLogError(
"rule %u setup buffer %s but didn't add matches to it", s->
id,
2558 struct BufferVsDir {
2561 } bufdir[nlists + 1];
2562 memset(&bufdir, 0, (nlists + 1) *
sizeof(
struct BufferVsDir));
2576 if (b->
head == NULL) {
2581 has_frame |= bt->
frame;
2587 "specific matches (like dsize, flags, ttl) with stream / "
2588 "state matching by matching on app layer proto (like using "
2589 "http_* keywords).");
2594 for (; app != NULL; app = app->
next) {
2609 bufdir[b->
id].ts += (app->
dir == 0);
2610 bufdir[b->
id].tc += (app->
dir == 1);
2624 SCLogError(
"engine progress value doesn't match hook");
2643 if (has_pmatch && has_frame) {
2644 SCLogError(
"can't mix pure content and frame inspection");
2647 if (has_app && has_frame) {
2648 SCLogError(
"can't mix app-layer buffer and frame inspection");
2651 if (has_pkt && has_frame) {
2652 SCLogError(
"can't mix pkt buffer and frame inspection");
2656 for (
int x = 0; x < nlists; x++) {
2657 if (bufdir[x].
ts == 0 && bufdir[x].tc == 0)
2659 (*ts_excl) += (bufdir[x].ts > 0 && bufdir[x].tc == 0);
2660 (*tc_excl) += (bufdir[x].ts == 0 && bufdir[x].tc > 0);
2661 (*dir_amb) += (bufdir[x].ts > 0 && bufdir[x].tc > 0);
2670 static int SigValidatePacketStream(
const Signature *s)
2674 "tcp-stream or flow:only_stream. Invalidating signature.");
2680 static int SigConsolidateDirection(
2681 Signature *s,
const int ts_excl,
const int tc_excl,
const int dir_amb)
2684 if (!ts_excl || !tc_excl) {
2685 SCLogError(
"rule %u should use both directions, but does not", s->
id);
2689 SCLogError(
"rule %u means to use both directions, cannot have keywords ambiguous about "
2694 }
else if (ts_excl && tc_excl) {
2696 "rule %u mixes keywords with conflicting directions, a transactional rule with => "
2700 }
else if (ts_excl) {
2701 SCLogDebug(
"%u: implied rule direction is toserver", s->
id);
2703 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2706 }
else if (tc_excl) {
2707 SCLogDebug(
"%u: implied rule direction is toclient", s->
id);
2709 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2712 }
else if (dir_amb) {
2713 SCLogDebug(
"%u: rule direction cannot be deduced from keywords", s->
id);
2718 static void SigConsolidateTcpBuffer(
Signature *s)
2724 if (s->
proto.
proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
2750 static bool SigInspectsFiles(
const Signature *s)
2761 static int SigValidateFileHandling(
const Signature *s)
2763 if (!SigInspectsFiles(s)) {
2770 "support file matching",
2787 SCLogError(
"No protocol support file matching");
2792 SCLogError(
"protocol HTTP2 doesn't support file name matching");
2808 static int SigValidateConsolidate(
2813 if (SigValidateFirewall(
de_ctx, s) == 0)
2816 if (SigValidatePacketStream(s) == 0) {
2824 if (SigValidateCheckBuffers(
de_ctx, s, &ts_excl, &tc_excl, &dir_amb) == 0) {
2828 if (SigConsolidateDirection(s, ts_excl, tc_excl, dir_amb) == 0) {
2832 SigConsolidateTcpBuffer(s);
2835 DetectRuleSetTable(s);
2837 int r = SigValidateFileHandling(s);
2841 if (SigInspectsFiles(s)) {
2846 if (DetectRuleValidateTable(s) ==
false) {
2869 memset(&parser, 0x00,
sizeof(parser));
2874 if (firewall_rule) {
2891 int ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
true);
2898 }
else if (ret < 0) {
2904 SCLogError(
"Signature missing required value \"sid\".");
2909 ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
false);
2915 }
else if (ret == -2) {
2918 }
else if (ret < 0) {
2923 if (sig->
prio == -1)
2930 int override_needed = 0;
2934 override_needed = 1;
2936 override_needed = 1;
2938 for (s = 0; s <
sizeof(sig->
proto.
proto); s++) {
2940 override_needed = 0;
2949 if (override_needed)
2959 for ( ; sm != NULL; sm = sm->
next) {
2983 SCLogDebug(
"sig %"PRIu32
" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
2987 SigBuildAddressMatchArray(sig);
2998 SigSetupPrefilter(
de_ctx, sig);
3001 if (SigValidateConsolidate(
de_ctx, sig, &parser, dir) == 0) {
3020 static bool SigHasSameSourceAndDestination(
const Signature *s)
3062 if (SigHasSameSourceAndDestination(sig)) {
3063 SCLogInfo(
"Rule with ID %u is bidirectional, but source and destination are the same, "
3064 "treating the rule as unidirectional", sig->
id);
3069 if (sig->
next == NULL) {
3099 return SigInitDo(
de_ctx, sigstr,
false);
3104 return SigInitDo(
de_ctx, sigstr,
true);
3113 static void DetectParseDupSigFreeFunc(
void *data)
3129 static uint32_t DetectParseDupSigHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
3148 static char DetectParseDupSigCompareFunc(
void *data1, uint16_t len1,
void *data2,
3154 if (sw1 == NULL || sw2 == NULL ||
3155 sw1->
s == NULL || sw2->
s == NULL)
3159 if (sw1->
s->
id == sw2->
s->
id && sw1->
s->
gid == sw2->
s->
gid)
return 1;
3175 DetectParseDupSigHashFunc,
3176 DetectParseDupSigCompareFunc,
3177 DetectParseDupSigFreeFunc);
3238 if (sw_dup == NULL) {
3251 (
void *)&sw_tmp, 0);
3263 if (sw->
s->
rev <= sw_dup->
s->
rev) {
3272 if (sw_dup->
s_prev == NULL) {
3280 sw_temp.
s = sw_dup->
s->
next;
3284 if (sw_temp.
s != NULL) {
3286 (
void *)&sw_temp, 0);
3306 sw_temp.
s = sw_dup->
s->
next;
3314 if (sw_temp.
s != NULL) {
3316 (
void *)&sw_temp, 0);
3331 (
void *)&sw_tmp, 0);
3332 if (sw_old->
s != sw_dup->
s) {
3375 int dup_sig = DetectEngineSignatureIsDuplicate(
de_ctx, sig);
3379 SCLogError(
"Duplicate signature \"%s\"", sigstr);
3381 }
else if (dup_sig == 2) {
3383 " so the older sig replaced by this new signature \"%s\"",
3388 if (sig->
next != NULL) {
3405 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
3409 if (sig != NULL && sig->
next != NULL) {
3447 int dup_sig = DetectEngineSignatureIsDuplicate(
de_ctx, sig);
3451 SCLogError(
"Duplicate signature \"%s\"", sigstr);
3453 }
else if (dup_sig == 2) {
3455 " so the older sig replaced by this new signature \"%s\"",
3460 if (sig->
next != NULL) {
3477 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
3481 if (sig != NULL && sig->
next != NULL) {
3494 int start_offset,
int options)
3496 *match = pcre2_match_data_create_from_pattern(parse_regex->
regex, NULL);
3498 return pcre2_match(parse_regex->
regex, (PCRE2_SPTR8)
str, strlen(
str), options, start_offset,
3499 *match, parse_regex->
context);
3506 pcre2_code_free(r->
regex);
3509 pcre2_match_context_free(r->
context);
3524 g_detect_parse_regex_list = NULL;
3533 FatalError(
"failed to alloc memory for pcre free list");
3536 r->
next = g_detect_parse_regex_list;
3537 g_detect_parse_regex_list = r;
3545 detect_parse->
regex =
3546 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
3547 if (detect_parse->
regex == NULL) {
3548 PCRE2_UCHAR errbuffer[256];
3549 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
3550 SCLogError(
"pcre compile of \"%s\" failed at "
3552 parse_str, en, errbuffer);
3555 detect_parse->
context = pcre2_match_context_create(NULL);
3556 if (detect_parse->
context == NULL) {
3557 SCLogError(
"pcre2 could not create match context");
3558 pcre2_code_free(detect_parse->
regex);
3559 detect_parse->
regex = NULL;
3574 if (detect_parse == NULL) {
3578 detect_parse->
regex =
3579 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
3580 if (detect_parse->
regex == NULL) {
3581 PCRE2_UCHAR errbuffer[256];
3582 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
3583 SCLogError(
"pcre2 compile of \"%s\" failed at "
3585 parse_str, (
int)eo, errbuffer);
3590 detect_parse->
next = g_detect_parse_regex_list;
3591 g_detect_parse_regex_list = detect_parse;
3592 return detect_parse;
3596 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
3598 int r = pcre2_substring_copy_bynumber(match_data, number, buffer, bufflen);
3599 if (r == PCRE2_ERROR_UNSET) {
3608 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
3610 int r = pcre2_substring_get_bynumber(match_data, number, bufferptr, bufflen);
3611 if (r == PCRE2_ERROR_UNSET) {
3634 static int SigParseTest01 (
void)
3643 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
3653 static int SigParseTest02 (
void)
3668 sig =
SigInit(
de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
3696 static int SigParseTest03 (
void)
3705 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any <- !1.2.3.4 any (msg:\"SigParseTest03\"; sid:1;)");
3708 printf(
"expected NULL got sig ptr %p: ",sig);
3717 static int SigParseTest04 (
void)
3726 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024: -> !1.2.3.4 1024: (msg:\"SigParseTest04\"; sid:1;)");
3737 static int SigParseTest05 (
void)
3746 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024:65536 -> !1.2.3.4 any (msg:\"SigParseTest05\"; sid:1;)");
3750 printf(
"signature didn't fail to parse as we expected: ");
3760 static int SigParseTest06 (
void)
3769 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; nocase; http_method; uricontent:\"/uri/\"; nocase; content:\"Host|3A| abc\"; nocase; sid:1; rev:1;)");
3773 printf(
"signature failed to parse: ");
3787 static int SigParseTest07(
void)
3809 static int SigParseTest08(
void)
3832 static int SigParseTest09(
void)
3883 static int SigParseTest10(
void)
3915 static int SigParseTest11(
void)
3926 "drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\"; sid:1;) ");
3928 printf(
"sig 1 didn't parse: ");
3933 "the http link\"; sid:2;) ");
3935 printf(
"sig 2 didn't parse: ");
3949 static int SigParseTest12(
void)
3961 printf(
"sig 1 should have given an error: ");
3975 static int SigParseTest13(
void)
3987 printf(
"sig 1 invalidated: failure");
3992 printf(
"sig doesn't have stream flag set\n");
3997 printf(
"sig has packet flag set\n");
4012 static int SigParseTest14(
void)
4024 printf(
"sig 1 invalidated: failure");
4029 printf(
"sig doesn't have packet flag set\n");
4034 printf(
"sig has stream flag set\n");
4049 static int SigParseTest15(
void)
4061 printf(
"sig 1 invalidated: failure");
4066 printf(
"sig doesn't have packet flag set\n");
4071 printf(
"sig doesn't have stream flag set\n");
4086 static int SigParseTest16(
void)
4098 printf(
"sig 1 invalidated: failure");
4103 printf(
"sig doesn't have packet flag set\n");
4108 printf(
"sig doesn't have stream flag set\n");
4123 static int SigParseTest17(
void)
4135 printf(
"sig 1 invalidated: failure");
4140 printf(
"sig doesn't have packet flag set\n");
4145 printf(
"sig doesn't have stream flag set\n");
4158 static int SigParseTest18 (
void)
4166 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:99999999999999999999;)") != NULL)
4177 static int SigParseTest19 (
void)
4185 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; gid:99999999999999999999;)") != NULL)
4196 static int SigParseTest20 (
void)
4204 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; rev:99999999999999999999;)") != NULL)
4215 static int SigParseTest21 (
void)
4234 static int SigParseTest22 (
void)
4242 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp [10.10.10.0/24, !10.10.10.247] any -> [10.10.10.0/24, !10.10.10.247] any (sid:1;)") == NULL)
4255 static int SigParseTest23(
void)
4270 static int SigParseBidirecTest06 (
void)
4290 static int SigParseBidirecTest07 (
void)
4310 static int SigParseBidirecTest08 (
void)
4330 static int SigParseBidirecTest09 (
void)
4350 static int SigParseBidirecTest10 (
void)
4370 static int SigParseBidirecTest11 (
void)
4390 static int SigParseBidirecTest12 (
void)
4410 static int SigParseBidirecTest13 (
void)
4429 static int SigParseBidirecTest14 (
void)
4450 static int SigTestBidirec01 (
void)
4462 if (sig->
next != NULL)
4481 static int SigTestBidirec02 (
void)
4500 if (sig->
next == NULL)
4505 if (copy->
next != NULL)
4526 static int SigTestBidirec03 (
void)
4538 const char *sigs[3];
4539 sigs[0] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 1\"; sid:1;)";
4540 sigs[1] =
"alert tcp any any <> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)";
4541 sigs[2] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 3\"; sid:3;)";
4548 if (sig->
next == NULL)
4559 uint8_t rawpkt1_ether[] = {
4560 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
4561 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
4562 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
4563 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
4564 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
4565 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
4566 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
4567 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
4568 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
4569 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
4570 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
4571 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
4572 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
4573 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
4574 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
4575 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
4576 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
4577 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
4578 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
4579 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
4580 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
4581 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
4582 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
4583 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
4584 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
4585 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
4586 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
4587 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
4588 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
4589 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
4590 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
4591 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
4592 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
4593 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
4594 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4595 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4596 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
4597 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
4598 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
4599 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
4600 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
4601 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
4602 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
4603 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4604 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
4605 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
4606 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
4607 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
4608 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4609 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
4610 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
4611 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
4612 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
4613 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
4614 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
4624 uint32_t sids[3] = {1, 2, 3};
4625 uint32_t results[3] = {1, 1, 1};
4641 static int SigTestBidirec04 (
void)
4656 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp 192.168.1.1 any <> any any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)");
4661 if (sig->
next == NULL)
4673 if (sig->
next == NULL)
4684 uint8_t rawpkt1_ether[] = {
4685 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
4686 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
4687 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
4688 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
4689 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
4690 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
4691 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
4692 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
4693 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
4694 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
4695 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
4696 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
4697 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
4698 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
4699 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
4700 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
4701 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
4702 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
4703 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
4704 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
4705 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
4706 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
4707 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
4708 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
4709 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
4710 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
4711 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
4712 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
4713 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
4714 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
4715 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
4716 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
4717 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
4718 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
4719 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4720 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4721 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
4722 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
4723 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
4724 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
4725 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
4726 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
4727 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
4728 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4729 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
4730 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
4731 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
4732 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
4733 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4734 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
4735 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
4736 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
4737 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
4738 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
4739 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
4748 memset(&th_v, 0,
sizeof(th_v));
4787 static int SigParseTestNegation01 (
void)
4801 static int SigParseTestNegation02 (
void)
4812 s =
SigInit(
de_ctx,
"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
4827 static int SigParseTestNegation03 (
void)
4838 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4853 static int SigParseTestNegation04 (
void)
4864 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4879 static int SigParseTestNegation05 (
void)
4890 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
4905 static int SigParseTestNegation06 (
void)
4916 s =
SigInit(
de_ctx,
"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
4932 static int SigParseTestNegation07 (
void)
4938 de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (sid:410006;)");
4947 static int SigParseTestNegation08 (
void)
4959 "alert tcp any any -> [192.168.0.0/16,!192.168.0.0/24] any (sid:410006; rev:1;)");
4974 static int SigParseTestMpm01 (
void)
4983 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; sid:1;)");
4985 printf(
"sig failed to init: ");
4990 printf(
"sig doesn't have content list: ");
5005 static int SigParseTestMpm02 (
void)
5014 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; content:\"abcdef\"; sid:1;)");
5016 printf(
"sig failed to init: ");
5021 printf(
"sig doesn't have content list: ");
5036 static int SigParseTestAppLayerTLS01(
void)
5047 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS01 \"; sid:410006; rev:1;)");
5049 printf(
"parsing sig failed: ");
5054 printf(
"alproto not set: ");
5071 static int SigParseTestAppLayerTLS02(
void)
5082 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS02 \"; tls.version:1.0; sid:410006; rev:1;)");
5084 printf(
"parsing sig failed: ");
5089 printf(
"alproto not set: ");
5105 static int SigParseTestAppLayerTLS03(
void)
5116 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; sid:410006; rev:1;)");
5129 static int SigParseTestUnbalancedQuotes01(
void)
5135 "alert http any any -> any any (msg:\"SigParseTestUnbalancedQuotes01\"; "
5136 "pcre:\"/\\/[a-z]+\\.php\\?[a-z]+?=\\d{7}&[a-z]+?=\\d{7,8}$/U\" "
5137 "flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:5;)");
5143 static int SigParseTestContentGtDsize01(
void)
5150 "dsize:21; content:\"0123456789001234567890|00 00|\"; "
5157 static int SigParseTestContentGtDsize02(
void)
5164 "dsize:21; content:\"0123456789|00 00|\"; offset:10; "
5181 static int SigParseBidirWithSameSrcAndDest01(
void)
5198 "alert tcp [1.2.3.4, 5.6.7.8] [80, 81] <> [5.6.7.8, 1.2.3.4] [81, 80] (sid:3;)");
5207 static int SigParseBidirWithSameSrcAndDest02(
void)
5215 de_ctx,
"alert tcp 1.2.3.4 any <> [1.2.3.4, 5.6.7.8, ::1] any (sid:1;)");
5222 de_ctx,
"alert tcp [1.2.3.4, ::1] [80, 81, 82] <> [1.2.3.4, ::1] [80, 81] (sid:2;)");
5229 "alert tcp [1.2.3.4, ::1, ABCD:AAAA::1] [80] <> [1.2.3.4, ::1] [80, 81] (sid:3;)");
5236 de_ctx,
"alert tcp [!1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:4;)");
5243 de_ctx,
"alert tcp [1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:5;)");
5252 static int SigParseTestActionReject(
void)
5258 de_ctx,
"reject tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
5259 #ifdef HAVE_LIBNET11
5270 static int SigParseTestActionDrop(
void)
5276 de_ctx,
"drop tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
5284 static int SigSetMultiAppProto(
void)
5359 static int DetectSetupDirection01(
void)
5364 char *
str = (
char *)
"to_client";
5365 FAIL_IF(DetectSetupDirection(s, &
str,
true) < 0);
5370 static int DetectSetupDirection02(
void)
5374 char *
str = (
char *)
"to_server";
5375 FAIL_IF(DetectSetupDirection(s, &
str,
true) < 0);
5377 str = (
char *)
"to_client";
5378 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5384 static int DetectSetupDirection03(
void)
5388 char *
str = (
char *)
"to_client , something";
5389 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5391 str = (
char *)
"to_client,something";
5392 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5398 static int DetectSetupDirection04(
void)
5403 char *
str = (
char *)
"to_client_toto";
5404 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5406 str = (
char *)
"to_client_toto";
5407 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5409 str = (
char *)
"to_client,something";
5411 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5448 UtRegisterTest(
"SigParseTest21 -- address with space", SigParseTest21);
5449 UtRegisterTest(
"SigParseTest22 -- address with space", SigParseTest22);
5450 UtRegisterTest(
"SigParseTest23 -- carriage return", SigParseTest23);
5465 UtRegisterTest(
"SigParseTestNegation01", SigParseTestNegation01);
5466 UtRegisterTest(
"SigParseTestNegation02", SigParseTestNegation02);
5467 UtRegisterTest(
"SigParseTestNegation03", SigParseTestNegation03);
5468 UtRegisterTest(
"SigParseTestNegation04", SigParseTestNegation04);
5469 UtRegisterTest(
"SigParseTestNegation05", SigParseTestNegation05);
5470 UtRegisterTest(
"SigParseTestNegation06", SigParseTestNegation06);
5471 UtRegisterTest(
"SigParseTestNegation07", SigParseTestNegation07);
5472 UtRegisterTest(
"SigParseTestNegation08", SigParseTestNegation08);
5475 UtRegisterTest(
"SigParseTestAppLayerTLS01", SigParseTestAppLayerTLS01);
5476 UtRegisterTest(
"SigParseTestAppLayerTLS02", SigParseTestAppLayerTLS02);
5477 UtRegisterTest(
"SigParseTestAppLayerTLS03", SigParseTestAppLayerTLS03);
5478 UtRegisterTest(
"SigParseTestUnbalancedQuotes01", SigParseTestUnbalancedQuotes01);
5481 SigParseTestContentGtDsize01);
5483 SigParseTestContentGtDsize02);
5486 SigParseBidirWithSameSrcAndDest01);
5488 SigParseBidirWithSameSrcAndDest02);
5489 UtRegisterTest(
"SigParseTestActionReject", SigParseTestActionReject);
5490 UtRegisterTest(
"SigParseTestActionDrop", SigParseTestActionDrop);
5494 UtRegisterTest(
"DetectSetupDirection01", DetectSetupDirection01);
5495 UtRegisterTest(
"DetectSetupDirection02", DetectSetupDirection02);
5496 UtRegisterTest(
"DetectSetupDirection03", DetectSetupDirection03);
5497 UtRegisterTest(
"DetectSetupDirection04", DetectSetupDirection04);