83 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
114 #define CASE_CODE_STRING(E, S) case E: return S; break
125 #undef CASE_CODE_STRING
129 #define CASE_CODE(E) case E: return #E
147 Signature *s,
const char *arg,
int sm_type,
int sm_list,
153 if (arg != NULL && strcmp(arg,
"") != 0) {
162 "with a sticky buffer still set. Reset sticky buffer "
163 "with pkt_data before using the modifier.",
177 "found inside the rule without a content context. "
178 "Please use a \"content\" keyword before using the "
186 "be used with the rawbytes rule keyword",
192 "be used with the replace rule keyword",
231 bool reuse_buffer =
false;
244 SCLogError(
"failed to expand rule buffer array");
253 SCLogDebug(
"idx %u list %d set up curbuf %p s->init_data->buffer_index %u",
294 if (sm->
ctx != NULL) {
305 ptrdiff_t
offset = e - table;
319 if (st->
name != NULL) {
352 if (strcmp(
str,
"all") == 0) {
364 char *xsaveptr = NULL;
365 char *key = strtok_r(copy,
",", &xsaveptr);
366 while (key != NULL) {
372 "argument '%s' not found",
375 key = strtok_r(NULL,
",", &xsaveptr);
402 SCLogDebug(
"s:%p new:%p list:%d: %s, s->init_data->list_set %s s->init_data->list %d", s,
new,
436 SCLogDebug(
"reusing buffer %u as it isn't multi-capable", x);
446 SCLogError(
"failed to expand rule buffer array");
476 SCLogDebug(
"appended %s to list %d, rule pos %u (s->init_data->list %d)",
495 if (sm->
prev != NULL)
497 if (sm->
next != NULL)
539 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
551 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
573 SCLogDebug(
"skip x %u s->init_data->list %d (int)s->init_data->buffers[x].id %d", x,
582 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
586 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
603 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
608 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
633 va_start(ap, sm_list);
635 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
637 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
640 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
671 va_start(ap, list_id);
673 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
677 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
689 va_start(ap, list_id);
691 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
692 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
695 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
718 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
726 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
733 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
739 if (sm->
prev != NULL)
741 if (sm->
next != NULL)
744 if (sm == *src_sm_list)
745 *src_sm_list = sm->
next;
746 if (sm == *src_sm_list_tail)
747 *src_sm_list_tail = sm->
prev;
749 if (*dst_sm_list == NULL) {
751 *dst_sm_list_tail = sm;
759 *dst_sm_list_tail = sm;
786 SCLogError(
"Unable to find the sm in any of the "
800 static int DetectSetupDirection(
Signature *s,
char **
str,
bool only_dir)
803 if (strncmp(*
str,
"to_client", strlen(
"to_client")) == 0) {
804 *
str += strlen(
"to_client");
806 while (**
str && isblank(**
str)) {
812 SCLogError(
"unknown option: only accepts to_server or to_client");
822 while (**
str && isblank(**
str)) {
834 }
else if (strncmp(*
str,
"to_server", strlen(
"to_server")) == 0) {
835 *
str += strlen(
"to_server");
837 while (**
str && isblank(**
str)) {
843 SCLogError(
"unknown option: only accepts to_server or to_client");
853 while (**
str && isblank(**
str)) {
865 }
else if (only_dir) {
866 SCLogError(
"unknown option: only accepts to_server or to_client");
873 size_t output_size,
bool requires)
876 char *optname = NULL;
877 char *optvalue = NULL;
880 while (isblank(*optstr)) {
885 char *optend = optstr;
887 optend = strchr(optend,
';');
888 if (optend == NULL) {
892 else if (optend > optstr && *(optend -1 ) ==
'\\') {
901 char *optvalptr = strchr(optstr,
':');
903 *(optvalptr++) =
'\0';
906 for (
size_t i = strlen(optvalptr); i > 0; i--) {
907 if (isblank(optvalptr[i - 1])) {
908 optvalptr[i - 1] =
'\0';
914 optvalue = optvalptr;
918 for (
size_t i = strlen(optstr); i > 0; i--) {
919 if (isblank(optstr[i - 1])) {
920 optstr[i - 1] =
'\0';
929 bool requires_only = strcasecmp(optname,
"requires") == 0 || strcasecmp(optname,
"sid") == 0;
930 if ((requires && !requires_only) || (!requires && requires_only)) {
935 st = SigTableGet(optname);
936 if (st == NULL || st->
Setup == NULL) {
937 SCLogError(
"unknown rule keyword '%s'.", optname);
942 if (optvalue == NULL || strlen(optvalue) == 0) {
944 "invalid formatting or malformed option to %s keyword: '%s'", optname, optstr);
948 if (optvalue && strlen(optvalue)) {
949 SCLogError(
"unexpected option to %s keyword: '%s'", optname, optstr);
959 #define URL "https://suricata.io/our-story/deprecation-policy/"
962 "and will be removed soon. See %s",
966 "and will be removed soon. Use '%s' instead. "
975 if (optvalue != NULL && strlen(optvalue) > 0) {
976 size_t ovlen = strlen(optvalue);
977 char *ptr = optvalue;
987 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
993 SCLogWarning(
"keyword \'%s\' has not been tested for firewall rules", optname);
1010 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
1016 SCLogError(
"invalid formatting to %s keyword: "
1017 "value must be double quoted \'%s\'",
1023 && ovlen && *ptr ==
'"')
1025 for (; ovlen > 0; ovlen--) {
1026 if (isblank(ptr[ovlen - 1])) {
1027 ptr[ovlen - 1] =
'\0';
1032 if (ovlen && ptr[ovlen - 1] !=
'"') {
1033 SCLogError(
"bad option value formatting (possible missing semicolon) "
1034 "for keyword %s: \'%s\'",
1042 ptr[ovlen - 1] =
'\0';
1047 "for keyword %s: \'%s\'",
1054 "quotes on %s keyword that doesn't support them: \'%s\'", optname, optstr);
1072 if (setup_ret < 0) {
1076 if (setup_ret == -2) {
1088 if (strlen(optend) > 0) {
1089 strlcpy(output, optend, output_size);
1104 Signature *s,
const char *addrstr,
char flag)
1106 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
1110 if (strcasecmp(addrstr,
"any") == 0)
1118 if (strcasecmp(addrstr,
"any") == 0)
1133 static bool IsBuiltIn(
const char *n)
1135 if (strcmp(n,
"request_started") == 0 || strcmp(n,
"response_started") == 0) {
1138 if (strcmp(n,
"request_complete") == 0 || strcmp(n,
"response_complete") == 0) {
1156 if (strcmp(alproto_name,
"http") == 0)
1157 alproto_name =
"http1";
1158 SCLogDebug(
"alproto %u/%s", a, alproto_name);
1160 const int max_progress_ts =
1162 const int max_progress_tc =
1165 char ts_tx_started[64];
1166 snprintf(ts_tx_started,
sizeof(ts_tx_started),
"%s:request_started:generic", alproto_name);
1169 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"request_name", ts_tx_started,
1170 (uint32_t)strlen(ts_tx_started));
1172 char tc_tx_started[64];
1173 snprintf(tc_tx_started,
sizeof(tc_tx_started),
"%s:response_started:generic", alproto_name);
1176 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"response_name", tc_tx_started,
1177 (uint32_t)strlen(tc_tx_started));
1179 char ts_tx_complete[64];
1180 snprintf(ts_tx_complete,
sizeof(ts_tx_complete),
"%s:request_complete:generic",
1184 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"request_name", ts_tx_complete,
1185 (uint32_t)strlen(ts_tx_complete));
1187 char tc_tx_complete[64];
1188 snprintf(tc_tx_complete,
sizeof(tc_tx_complete),
"%s:response_complete:generic",
1192 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"response_name", tc_tx_complete,
1193 (uint32_t)strlen(tc_tx_complete));
1195 for (
int p = 0; p <= max_progress_ts; p++) {
1197 IPPROTO_TCP , a, p, STREAM_TOSERVER);
1198 if (
name != NULL && !IsBuiltIn(
name)) {
1200 snprintf(list_name,
sizeof(list_name),
"%s:%s:generic", alproto_name,
name);
1201 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
name, list_name,
1202 (uint32_t)strlen(list_name));
1208 for (
int p = 0; p <= max_progress_tc; p++) {
1210 IPPROTO_TCP , a, p, STREAM_TOCLIENT);
1211 if (
name != NULL && !IsBuiltIn(
name)) {
1213 snprintf(list_name,
sizeof(list_name),
"%s:%s:generic", alproto_name,
name);
1214 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
name, list_name,
1215 (uint32_t)strlen(list_name));
1241 if (strcmp(
str,
"flow_start") == 0) {
1243 }
else if (strcmp(
str,
"pre_flow") == 0) {
1245 }
else if (strcmp(
str,
"pre_stream") == 0) {
1247 }
else if (strcmp(
str,
"all") == 0) {
1260 return "flow_start";
1264 return "pre_stream";
1276 .t.pkt.ph = HookPktFromString(hook_str),
1284 static int SigParseProtoHookPkt(
Signature *s,
const char *proto_hook,
const char *p,
const char *h)
1297 SCLogDebug(
"protocol:%s hook:%s: type:%s parsed hook:%s", p, h,
1307 .t.app.alproto = alproto,
1308 .t.app.app_progress = progress,
1316 static int SigParseProtoHookApp(
Signature *s,
const char *proto_hook,
const char *p,
const char *h)
1318 if (strcmp(h,
"request_started") == 0) {
1322 }
else if (strcmp(h,
"response_started") == 0) {
1326 }
else if (strcmp(h,
"request_complete") == 0) {
1330 }
else if (strcmp(h,
"response_complete") == 0) {
1336 IPPROTO_TCP , s->
alproto, h, STREAM_TOSERVER);
1337 if (progress_ts >= 0) {
1342 IPPROTO_TCP , s->
alproto, h, STREAM_TOCLIENT);
1343 if (progress_tc < 0) {
1351 char generic_hook_name[64];
1352 snprintf(generic_hook_name,
sizeof(generic_hook_name),
"%s:generic", proto_hook);
1355 SCLogError(
"no list registered as %s for hook %s", generic_hook_name, proto_hook);
1360 SCLogDebug(
"protocol:%s hook:%s: type:%s alproto:%u hook:%d", p, h,
1380 static int SigParseProto(
Signature *s,
const char *protostr)
1383 if (strlen(protostr) > 32)
1388 const char *p =
proto;
1389 const char *h = NULL;
1391 bool has_hook = strchr(
proto,
':') != NULL;
1393 char *xsaveptr = NULL;
1394 p = strtok_r(
proto,
":", &xsaveptr);
1395 h = strtok_r(NULL,
":", &xsaveptr);
1413 if (SigParseProtoHookApp(s, protostr, p, h) < 0) {
1414 SCLogError(
"protocol \"%s\" does not support hook \"%s\"", p, h);
1421 "in a signature. Either detection for this protocol "
1422 "is not yet supported OR detection has been disabled for "
1423 "protocol through the yaml option "
1424 "app-layer.protocols.%s.detection-enabled",
1428 }
else if (h != NULL) {
1429 SCLogDebug(
"non-app-layer rule with %s:%s", p, h);
1431 if (SigParseProtoHookPkt(s, protostr, p, h) < 0) {
1432 SCLogError(
"protocol \"%s\" does not support hook \"%s\"", p, h);
1461 Signature *s,
const char *portstr,
char flag)
1467 SCLogDebug(
"Port group \"%s\" to be parsed", portstr);
1470 if (strcasecmp(portstr,
"any") == 0)
1474 }
else if (flag == 1) {
1475 if (strcasecmp(portstr,
"any") == 0)
1490 static int SigParseActionRejectValidate(
const char *action)
1492 #ifdef HAVE_LIBNET11
1493 #if defined HAVE_LIBCAP_NG && !defined HAVE_LIBNET_CAPABILITIES
1496 "incompatible with POSIX based capabilities with privs dropping. "
1497 "For rejects to work, run as root/super user.");
1503 "required for action \"%s\" but is not compiled into Suricata",
1513 static uint8_t ActionStringToFlags(
const char *action)
1515 if (strcasecmp(action,
"alert") == 0) {
1517 }
else if (strcasecmp(action,
"drop") == 0) {
1519 }
else if (strcasecmp(action,
"pass") == 0) {
1521 }
else if (strcasecmp(action,
"reject") == 0 ||
1522 strcasecmp(action,
"rejectsrc") == 0)
1524 if (!(SigParseActionRejectValidate(action)))
1527 }
else if (strcasecmp(action,
"rejectdst") == 0) {
1528 if (!(SigParseActionRejectValidate(action)))
1531 }
else if (strcasecmp(action,
"rejectboth") == 0) {
1532 if (!(SigParseActionRejectValidate(action)))
1535 }
else if (strcasecmp(action,
"config") == 0) {
1537 }
else if (strcasecmp(action,
"accept") == 0) {
1540 SCLogError(
"An invalid action \"%s\" was given", action);
1556 static int SigParseAction(
Signature *s,
const char *action_in)
1559 strlcpy(action, action_in,
sizeof(action));
1560 const char *a = action;
1561 const char *o = NULL;
1563 bool has_scope = strchr(action,
':') != NULL;
1565 char *xsaveptr = NULL;
1566 a = strtok_r(action,
":", &xsaveptr);
1567 o = strtok_r(NULL,
":", &xsaveptr);
1571 SCLogError(
"invalid protocol specification '%s'", action_in);
1575 uint8_t
flags = ActionStringToFlags(a);
1581 uint8_t scope_flags = 0;
1583 if (strcmp(o,
"packet") == 0) {
1585 }
else if (strcmp(o,
"flow") == 0) {
1588 SCLogError(
"invalid action scope '%s' in action '%s': only 'packet' and 'flow' "
1595 if (strcmp(o,
"packet") == 0) {
1597 }
else if (strcmp(o,
"hook") == 0) {
1599 }
else if (strcmp(o,
"tx") == 0) {
1601 }
else if (strcmp(o,
"flow") == 0) {
1605 "invalid action scope '%s' in action '%s': only 'packet', 'flow', 'tx' and "
1612 if (strcmp(o,
"packet") == 0) {
1615 SCLogError(
"invalid action scope '%s' in action '%s': only 'packet' allowed", o,
1621 SCLogError(
"invalid action scope '%s' in action '%s': scope only supported for actions "
1622 "'drop', 'pass' and 'reject'",
1630 SCLogError(
"firewall rules require setting an explicit action scope");
1635 SCLogError(
"'accept' action only supported for firewall rules");
1640 SCLogError(
"'pass' action not supported for firewall rules");
1659 static inline int SigParseToken(
char **input,
char *output,
1660 const size_t output_size)
1662 size_t len = *input == NULL ? 0 : strlen(*input);
1668 while (
len && isblank(**input)) {
1673 char *endptr = strpbrk(*input,
" \t\n\r");
1674 if (endptr != NULL) {
1677 strlcpy(output, *input, output_size);
1694 static inline int SigParseList(
char **input,
char *output,
1695 const size_t output_size)
1698 size_t len = *input != NULL ? strlen(*input) : 0;
1704 while (
len && isblank(**input)) {
1710 for (i = 0; i <
len; i++) {
1711 char c = (*input)[i];
1714 }
else if (c ==
']') {
1716 }
else if (c ==
' ') {
1727 strlcpy(output, *input, output_size);
1728 *input = *input + i + 1;
1748 SigParseToken(&index, parser->
action,
sizeof(parser->
action));
1754 SigParseList(&index, parser->
src,
sizeof(parser->
src));
1757 SigParseList(&index, parser->
sp,
sizeof(parser->
sp));
1763 SigParseList(&index, parser->
dst,
sizeof(parser->
dst));
1766 SigParseList(&index, parser->
dp,
sizeof(parser->
dp));
1769 if (index == NULL) {
1773 while (isspace(*index) || *index ==
'(') {
1776 for (
size_t i = strlen(index); i > 0; i--) {
1777 if (isspace(index[i - 1]) || index[i - 1] ==
')') {
1778 index[i - 1] =
'\0';
1790 if (SigParseAction(s, parser->
action) < 0)
1793 if (SigParseProto(s, parser->
protocol) < 0)
1796 if (strcmp(parser->
direction,
"<>") == 0) {
1798 }
else if (strcmp(parser->
direction,
"=>") == 0) {
1800 SCLogError(
"transactional bidirectional rules not supported for firewall rules");
1805 }
else if (strcmp(parser->
direction,
"->") != 0) {
1806 SCLogError(
"\"%s\" is not a valid direction modifier, "
1807 "\"->\" and \"<>\" are supported.",
1834 static inline bool CheckAscii(
const char *
str)
1836 for (
size_t i = 0; i < strlen(
str); i++) {
1837 if (
str[i] < 0x20) {
1839 if (
str[i] == 0x0a ||
str[i] == 0x0d ||
str[i] == 0x09) {
1843 }
else if (
str[i] == 0x7f) {
1867 if (!SCCheckUtf8(sigstr)) {
1872 if (!CheckAscii(sigstr)) {
1873 SCLogError(
"rule contains invalid (control) characters");
1877 int ret = SigParseBasics(
de_ctx, s, sigstr, parser, addrs_direction, requires);
1884 if (strlen(parser->
opts) > 0) {
1885 size_t buffer_size = strlen(parser->
opts) + 1;
1886 char input[buffer_size];
1887 char output[buffer_size];
1888 memset(input, 0x00, buffer_size);
1889 memcpy(input, parser->
opts, strlen(parser->
opts) + 1);
1895 memset(output, 0x00, buffer_size);
1896 ret = SigParseOptions(
de_ctx, s, input, output, buffer_size, requires);
1898 memcpy(input, output, buffer_size);
1930 memset(b, 0,
sizeof(*b));
1978 static void SigMetadataFree(
Signature *s)
1985 if (s == NULL || s->
metadata == NULL) {
1992 next_mdata = mdata->
next;
2023 next_ref = ref->
next;
2077 while (sm != NULL) {
2086 while (sm != NULL) {
2107 if (s->
sp != NULL) {
2110 if (s->
dp != NULL) {
2156 if (s->
alproto == *alprotos) {
2199 }
else if (i == 1) {
2231 if (!AppProtoIsValid(alproto)) {
2255 alproto = AppProtoCommon(s->
alproto, alproto);
2257 SCLogError(
"can't set rule app proto to %s: already set to %s",
2284 if (addr_match4 == NULL) {
2290 addr_match4[idx].
ip =
SCNtohl(da->ip.addr_data32[0]);
2291 addr_match4[idx].
ip2 =
SCNtohl(da->ip2.addr_data32[0]);
2310 if (addr_match6 == NULL) {
2316 addr_match6[idx].
ip[0] =
SCNtohl(da->ip.addr_data32[0]);
2317 addr_match6[idx].
ip[1] =
SCNtohl(da->ip.addr_data32[1]);
2318 addr_match6[idx].
ip[2] =
SCNtohl(da->ip.addr_data32[2]);
2319 addr_match6[idx].
ip[3] =
SCNtohl(da->ip.addr_data32[3]);
2320 addr_match6[idx].
ip2[0] =
SCNtohl(da->ip2.addr_data32[0]);
2321 addr_match6[idx].
ip2[1] =
SCNtohl(da->ip2.addr_data32[1]);
2322 addr_match6[idx].
ip2[2] =
SCNtohl(da->ip2.addr_data32[2]);
2323 addr_match6[idx].
ip2[3] =
SCNtohl(da->ip2.addr_data32[3]);
2336 static void SigBuildAddressMatchArray(
Signature *s)
2353 static int SigMatchListLen(
SigMatch *sm)
2356 for (; sm != NULL; sm = sm->
next)
2367 int len = SigMatchListLen(
head);
2373 FatalError(
"initializing the detection engine failed");
2379 for (; sm != NULL; sm = sm->
next, smd++) {
2419 SCLogDebug(
"s %u: no mpm; prefilter? de_ctx->prefilter_setting %u "
2420 "s->init_data->has_possible_prefilter %s",
2434 prefilter_list =
MIN(prefilter_list, sm->
type);
2444 if (sm->
type == prefilter_list) {
2461 static bool DetectRuleValidateTable(
const Signature *s)
2470 if (kw_tables_supported != 0 && (kw_tables_supported & table_as_flag) == 0) {
2471 SCLogError(
"rule %u uses hook \"%s\", but keyword \"%s\" doesn't support this hook",
2482 SCLogError(
"rule %u is loaded as a firewall rule, but does not specify an "
2490 static void DetectRuleSetTable(
Signature *s)
2523 if (!DetectFirewallRuleValidate(
de_ctx, s))
2529 static int SigValidateCheckBuffers(
2532 bool has_frame =
false;
2533 bool has_app =
false;
2534 bool has_pkt =
false;
2535 bool has_pmatch =
false;
2541 nlists += (nlists > 0);
2545 SCLogError(
"rule %u setup buffer %s but didn't add matches to it", s->
id,
2558 struct BufferVsDir {
2561 } bufdir[nlists + 1];
2562 memset(&bufdir, 0, (nlists + 1) *
sizeof(
struct BufferVsDir));
2576 if (b->
head == NULL) {
2581 has_frame |= bt->
frame;
2587 "specific matches (like dsize, flags, ttl) with stream / "
2588 "state matching by matching on app layer proto (like using "
2589 "http_* keywords).");
2594 for (; app != NULL; app = app->
next) {
2609 bufdir[b->
id].ts += (app->
dir == 0);
2610 bufdir[b->
id].tc += (app->
dir == 1);
2624 SCLogError(
"engine progress value doesn't match hook");
2643 if (has_pmatch && has_frame) {
2644 SCLogError(
"can't mix pure content and frame inspection");
2647 if (has_app && has_frame) {
2648 SCLogError(
"can't mix app-layer buffer and frame inspection");
2651 if (has_pkt && has_frame) {
2652 SCLogError(
"can't mix pkt buffer and frame inspection");
2656 for (
int x = 0; x < nlists; x++) {
2657 if (bufdir[x].
ts == 0 && bufdir[x].tc == 0)
2659 (*ts_excl) += (bufdir[x].ts > 0 && bufdir[x].tc == 0);
2660 (*tc_excl) += (bufdir[x].ts == 0 && bufdir[x].tc > 0);
2661 (*dir_amb) += (bufdir[x].ts > 0 && bufdir[x].tc > 0);
2670 static int SigValidatePacketStream(
const Signature *s)
2674 "tcp-stream or flow:only_stream. Invalidating signature.");
2680 static int SigConsolidateDirection(
2681 Signature *s,
const int ts_excl,
const int tc_excl,
const int dir_amb)
2684 if (!ts_excl || !tc_excl) {
2685 SCLogError(
"rule %u should use both directions, but does not", s->
id);
2689 SCLogError(
"rule %u means to use both directions, cannot have keywords ambiguous about "
2694 }
else if (ts_excl && tc_excl) {
2696 "rule %u mixes keywords with conflicting directions, a transactional rule with => "
2700 }
else if (ts_excl) {
2701 SCLogDebug(
"%u: implied rule direction is toserver", s->
id);
2703 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2706 }
else if (tc_excl) {
2707 SCLogDebug(
"%u: implied rule direction is toclient", s->
id);
2709 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2712 }
else if (dir_amb) {
2713 SCLogDebug(
"%u: rule direction cannot be deduced from keywords", s->
id);
2718 static void SigConsolidateTcpBuffer(
Signature *s)
2724 if (s->
proto.
proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
2750 static bool SigInspectsFiles(
const Signature *s)
2761 static int SigValidateFileHandling(
const Signature *s)
2763 if (!SigInspectsFiles(s)) {
2769 "support file matching",
2785 SCLogError(
"No protocol support file matching");
2790 SCLogError(
"protocol HTTP2 doesn't support file name matching");
2806 static int SigValidateConsolidate(
2811 if (SigValidateFirewall(
de_ctx, s) == 0)
2814 if (SigValidatePacketStream(s) == 0) {
2822 if (SigValidateCheckBuffers(
de_ctx, s, &ts_excl, &tc_excl, &dir_amb) == 0) {
2826 if (SigConsolidateDirection(s, ts_excl, tc_excl, dir_amb) == 0) {
2830 SigConsolidateTcpBuffer(s);
2833 DetectRuleSetTable(s);
2835 int r = SigValidateFileHandling(s);
2839 if (SigInspectsFiles(s)) {
2844 if (DetectRuleValidateTable(s) ==
false) {
2867 memset(&parser, 0x00,
sizeof(parser));
2872 if (firewall_rule) {
2889 int ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
true);
2896 }
else if (ret < 0) {
2902 SCLogError(
"Signature missing required value \"sid\".");
2907 ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
false);
2913 }
else if (ret == -2) {
2916 }
else if (ret < 0) {
2921 if (sig->
prio == -1)
2928 int override_needed = 0;
2932 override_needed = 1;
2934 override_needed = 1;
2936 for (s = 0; s <
sizeof(sig->
proto.
proto); s++) {
2938 override_needed = 0;
2947 if (override_needed)
2957 for ( ; sm != NULL; sm = sm->
next) {
2981 SCLogDebug(
"sig %"PRIu32
" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
2985 SigBuildAddressMatchArray(sig);
2996 SigSetupPrefilter(
de_ctx, sig);
2999 if (SigValidateConsolidate(
de_ctx, sig, &parser, dir) == 0) {
3018 static bool SigHasSameSourceAndDestination(
const Signature *s)
3060 if (SigHasSameSourceAndDestination(sig)) {
3061 SCLogInfo(
"Rule with ID %u is bidirectional, but source and destination are the same, "
3062 "treating the rule as unidirectional", sig->
id);
3067 if (sig->
next == NULL) {
3097 return SigInitDo(
de_ctx, sigstr,
false);
3102 return SigInitDo(
de_ctx, sigstr,
true);
3111 static void DetectParseDupSigFreeFunc(
void *data)
3127 static uint32_t DetectParseDupSigHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
3146 static char DetectParseDupSigCompareFunc(
void *data1, uint16_t len1,
void *data2,
3152 if (sw1 == NULL || sw2 == NULL ||
3153 sw1->
s == NULL || sw2->
s == NULL)
3157 if (sw1->
s->
id == sw2->
s->
id && sw1->
s->
gid == sw2->
s->
gid)
return 1;
3173 DetectParseDupSigHashFunc,
3174 DetectParseDupSigCompareFunc,
3175 DetectParseDupSigFreeFunc);
3236 if (sw_dup == NULL) {
3249 (
void *)&sw_tmp, 0);
3261 if (sw->
s->
rev <= sw_dup->
s->
rev) {
3270 if (sw_dup->
s_prev == NULL) {
3278 sw_temp.
s = sw_dup->
s->
next;
3282 if (sw_temp.
s != NULL) {
3284 (
void *)&sw_temp, 0);
3304 sw_temp.
s = sw_dup->
s->
next;
3312 if (sw_temp.
s != NULL) {
3314 (
void *)&sw_temp, 0);
3329 (
void *)&sw_tmp, 0);
3330 if (sw_old->
s != sw_dup->
s) {
3373 int dup_sig = DetectEngineSignatureIsDuplicate(
de_ctx, sig);
3377 SCLogError(
"Duplicate signature \"%s\"", sigstr);
3379 }
else if (dup_sig == 2) {
3381 " so the older sig replaced by this new signature \"%s\"",
3386 if (sig->
next != NULL) {
3403 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
3407 if (sig != NULL && sig->
next != NULL) {
3445 int dup_sig = DetectEngineSignatureIsDuplicate(
de_ctx, sig);
3449 SCLogError(
"Duplicate signature \"%s\"", sigstr);
3451 }
else if (dup_sig == 2) {
3453 " so the older sig replaced by this new signature \"%s\"",
3458 if (sig->
next != NULL) {
3475 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
3479 if (sig != NULL && sig->
next != NULL) {
3492 int start_offset,
int options)
3494 *match = pcre2_match_data_create_from_pattern(parse_regex->
regex, NULL);
3496 return pcre2_match(parse_regex->
regex, (PCRE2_SPTR8)
str, strlen(
str), options, start_offset,
3497 *match, parse_regex->
context);
3504 pcre2_code_free(r->
regex);
3507 pcre2_match_context_free(r->
context);
3522 g_detect_parse_regex_list = NULL;
3531 FatalError(
"failed to alloc memory for pcre free list");
3534 r->
next = g_detect_parse_regex_list;
3535 g_detect_parse_regex_list = r;
3543 detect_parse->
regex =
3544 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
3545 if (detect_parse->
regex == NULL) {
3546 PCRE2_UCHAR errbuffer[256];
3547 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
3548 SCLogError(
"pcre compile of \"%s\" failed at "
3550 parse_str, en, errbuffer);
3553 detect_parse->
context = pcre2_match_context_create(NULL);
3554 if (detect_parse->
context == NULL) {
3555 SCLogError(
"pcre2 could not create match context");
3556 pcre2_code_free(detect_parse->
regex);
3557 detect_parse->
regex = NULL;
3572 if (detect_parse == NULL) {
3576 detect_parse->
regex =
3577 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
3578 if (detect_parse->
regex == NULL) {
3579 PCRE2_UCHAR errbuffer[256];
3580 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
3581 SCLogError(
"pcre2 compile of \"%s\" failed at "
3583 parse_str, (
int)eo, errbuffer);
3588 detect_parse->
next = g_detect_parse_regex_list;
3589 g_detect_parse_regex_list = detect_parse;
3590 return detect_parse;
3594 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
3596 int r = pcre2_substring_copy_bynumber(match_data, number, buffer, bufflen);
3597 if (r == PCRE2_ERROR_UNSET) {
3606 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
3608 int r = pcre2_substring_get_bynumber(match_data, number, bufferptr, bufflen);
3609 if (r == PCRE2_ERROR_UNSET) {
3632 static int SigParseTest01 (
void)
3641 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
3651 static int SigParseTest02 (
void)
3665 sig =
SigInit(
de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
3693 static int SigParseTest03 (
void)
3702 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any <- !1.2.3.4 any (msg:\"SigParseTest03\"; sid:1;)");
3705 printf(
"expected NULL got sig ptr %p: ",sig);
3714 static int SigParseTest04 (
void)
3723 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024: -> !1.2.3.4 1024: (msg:\"SigParseTest04\"; sid:1;)");
3734 static int SigParseTest05 (
void)
3743 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024:65536 -> !1.2.3.4 any (msg:\"SigParseTest05\"; sid:1;)");
3747 printf(
"signature didn't fail to parse as we expected: ");
3757 static int SigParseTest06 (
void)
3766 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; nocase; http_method; uricontent:\"/uri/\"; nocase; content:\"Host|3A| abc\"; nocase; sid:1; rev:1;)");
3770 printf(
"signature failed to parse: ");
3784 static int SigParseTest07(
void)
3806 static int SigParseTest08(
void)
3829 static int SigParseTest09(
void)
3880 static int SigParseTest10(
void)
3912 static int SigParseTest11(
void)
3923 "drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\"; sid:1;) ");
3925 printf(
"sig 1 didn't parse: ");
3930 "the http link\"; sid:2;) ");
3932 printf(
"sig 2 didn't parse: ");
3946 static int SigParseTest12(
void)
3958 printf(
"sig 1 should have given an error: ");
3972 static int SigParseTest13(
void)
3984 printf(
"sig 1 invalidated: failure");
3989 printf(
"sig doesn't have stream flag set\n");
3994 printf(
"sig has packet flag set\n");
4009 static int SigParseTest14(
void)
4021 printf(
"sig 1 invalidated: failure");
4026 printf(
"sig doesn't have packet flag set\n");
4031 printf(
"sig has stream flag set\n");
4046 static int SigParseTest15(
void)
4058 printf(
"sig 1 invalidated: failure");
4063 printf(
"sig doesn't have packet flag set\n");
4068 printf(
"sig doesn't have stream flag set\n");
4083 static int SigParseTest16(
void)
4095 printf(
"sig 1 invalidated: failure");
4100 printf(
"sig doesn't have packet flag set\n");
4105 printf(
"sig doesn't have stream flag set\n");
4120 static int SigParseTest17(
void)
4132 printf(
"sig 1 invalidated: failure");
4137 printf(
"sig doesn't have packet flag set\n");
4142 printf(
"sig doesn't have stream flag set\n");
4155 static int SigParseTest18 (
void)
4163 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:99999999999999999999;)") != NULL)
4174 static int SigParseTest19 (
void)
4182 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; gid:99999999999999999999;)") != NULL)
4193 static int SigParseTest20 (
void)
4201 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; rev:99999999999999999999;)") != NULL)
4212 static int SigParseTest21 (
void)
4231 static int SigParseTest22 (
void)
4239 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp [10.10.10.0/24, !10.10.10.247] any -> [10.10.10.0/24, !10.10.10.247] any (sid:1;)") == NULL)
4252 static int SigParseTest23(
void)
4267 static int SigParseBidirecTest06 (
void)
4287 static int SigParseBidirecTest07 (
void)
4307 static int SigParseBidirecTest08 (
void)
4327 static int SigParseBidirecTest09 (
void)
4347 static int SigParseBidirecTest10 (
void)
4367 static int SigParseBidirecTest11 (
void)
4387 static int SigParseBidirecTest12 (
void)
4407 static int SigParseBidirecTest13 (
void)
4426 static int SigParseBidirecTest14 (
void)
4447 static int SigTestBidirec01 (
void)
4459 if (sig->
next != NULL)
4478 static int SigTestBidirec02 (
void)
4497 if (sig->
next == NULL)
4502 if (copy->
next != NULL)
4523 static int SigTestBidirec03 (
void)
4535 const char *sigs[3];
4536 sigs[0] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 1\"; sid:1;)";
4537 sigs[1] =
"alert tcp any any <> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)";
4538 sigs[2] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 3\"; sid:3;)";
4545 if (sig->
next == NULL)
4556 uint8_t rawpkt1_ether[] = {
4557 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
4558 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
4559 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
4560 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
4561 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
4562 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
4563 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
4564 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
4565 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
4566 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
4567 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
4568 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
4569 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
4570 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
4571 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
4572 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
4573 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
4574 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
4575 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
4576 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
4577 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
4578 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
4579 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
4580 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
4581 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
4582 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
4583 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
4584 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
4585 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
4586 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
4587 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
4588 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
4589 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
4590 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
4591 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4592 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4593 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
4594 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
4595 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
4596 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
4597 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
4598 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
4599 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
4600 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4601 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
4602 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
4603 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
4604 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
4605 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4606 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
4607 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
4608 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
4609 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
4610 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
4611 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
4621 uint32_t sids[3] = {1, 2, 3};
4622 uint32_t results[3] = {1, 1, 1};
4638 static int SigTestBidirec04 (
void)
4653 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp 192.168.1.1 any <> any any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)");
4658 if (sig->
next == NULL)
4670 if (sig->
next == NULL)
4681 uint8_t rawpkt1_ether[] = {
4682 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
4683 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
4684 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
4685 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
4686 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
4687 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
4688 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
4689 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
4690 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
4691 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
4692 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
4693 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
4694 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
4695 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
4696 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
4697 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
4698 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
4699 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
4700 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
4701 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
4702 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
4703 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
4704 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
4705 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
4706 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
4707 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
4708 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
4709 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
4710 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
4711 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
4712 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
4713 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
4714 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
4715 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
4716 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4717 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4718 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
4719 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
4720 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
4721 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
4722 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
4723 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
4724 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
4725 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4726 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
4727 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
4728 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
4729 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
4730 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4731 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
4732 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
4733 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
4734 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
4735 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
4736 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
4745 memset(&th_v, 0,
sizeof(th_v));
4785 static int SigParseTestNegation01 (
void)
4799 static int SigParseTestNegation02 (
void)
4810 s =
SigInit(
de_ctx,
"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
4825 static int SigParseTestNegation03 (
void)
4836 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4851 static int SigParseTestNegation04 (
void)
4862 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4877 static int SigParseTestNegation05 (
void)
4888 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
4903 static int SigParseTestNegation06 (
void)
4914 s =
SigInit(
de_ctx,
"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
4930 static int SigParseTestNegation07 (
void)
4936 de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (sid:410006;)");
4945 static int SigParseTestNegation08 (
void)
4956 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.0/16,!192.168.0.0/24] any (sid:410006; rev:1;)");
4971 static int SigParseTestMpm01 (
void)
4980 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; sid:1;)");
4982 printf(
"sig failed to init: ");
4987 printf(
"sig doesn't have content list: ");
5002 static int SigParseTestMpm02 (
void)
5011 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; content:\"abcdef\"; sid:1;)");
5013 printf(
"sig failed to init: ");
5018 printf(
"sig doesn't have content list: ");
5033 static int SigParseTestAppLayerTLS01(
void)
5044 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS01 \"; sid:410006; rev:1;)");
5046 printf(
"parsing sig failed: ");
5051 printf(
"alproto not set: ");
5068 static int SigParseTestAppLayerTLS02(
void)
5079 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS02 \"; tls.version:1.0; sid:410006; rev:1;)");
5081 printf(
"parsing sig failed: ");
5086 printf(
"alproto not set: ");
5102 static int SigParseTestAppLayerTLS03(
void)
5113 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; sid:410006; rev:1;)");
5126 static int SigParseTestUnbalancedQuotes01(
void)
5136 "alert http any any -> any any (msg:\"SigParseTestUnbalancedQuotes01\"; "
5137 "pcre:\"/\\/[a-z]+\\.php\\?[a-z]+?=\\d{7}&[a-z]+?=\\d{7,8}$/U\" "
5138 "flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:5;)");
5144 static int SigParseTestContentGtDsize01(
void)
5151 "alert http any any -> any any ("
5152 "dsize:21; content:\"0123456789001234567890|00 00|\"; "
5159 static int SigParseTestContentGtDsize02(
void)
5166 "alert http any any -> any any ("
5167 "dsize:21; content:\"0123456789|00 00|\"; offset:10; "
5184 static int SigParseBidirWithSameSrcAndDest01(
void)
5201 "alert tcp [1.2.3.4, 5.6.7.8] [80, 81] <> [5.6.7.8, 1.2.3.4] [81, 80] (sid:3;)");
5210 static int SigParseBidirWithSameSrcAndDest02(
void)
5218 de_ctx,
"alert tcp 1.2.3.4 any <> [1.2.3.4, 5.6.7.8, ::1] any (sid:1;)");
5225 de_ctx,
"alert tcp [1.2.3.4, ::1] [80, 81, 82] <> [1.2.3.4, ::1] [80, 81] (sid:2;)");
5232 "alert tcp [1.2.3.4, ::1, ABCD:AAAA::1] [80] <> [1.2.3.4, ::1] [80, 81] (sid:3;)");
5239 de_ctx,
"alert tcp [!1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:4;)");
5246 de_ctx,
"alert tcp [1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:5;)");
5255 static int SigParseTestActionReject(
void)
5261 de_ctx,
"reject tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
5262 #ifdef HAVE_LIBNET11
5273 static int SigParseTestActionDrop(
void)
5279 de_ctx,
"drop tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
5287 static int SigSetMultiAppProto(
void)
5362 static int DetectSetupDirection01(
void)
5367 char *
str = (
char *)
"to_client";
5368 FAIL_IF(DetectSetupDirection(s, &
str,
true) < 0);
5373 static int DetectSetupDirection02(
void)
5377 char *
str = (
char *)
"to_server";
5378 FAIL_IF(DetectSetupDirection(s, &
str,
true) < 0);
5380 str = (
char *)
"to_client";
5381 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5387 static int DetectSetupDirection03(
void)
5391 char *
str = (
char *)
"to_client , something";
5392 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5394 str = (
char *)
"to_client,something";
5395 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5401 static int DetectSetupDirection04(
void)
5406 char *
str = (
char *)
"to_client_toto";
5407 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5409 str = (
char *)
"to_client_toto";
5410 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5412 str = (
char *)
"to_client,something";
5414 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5451 UtRegisterTest(
"SigParseTest21 -- address with space", SigParseTest21);
5452 UtRegisterTest(
"SigParseTest22 -- address with space", SigParseTest22);
5453 UtRegisterTest(
"SigParseTest23 -- carriage return", SigParseTest23);
5468 UtRegisterTest(
"SigParseTestNegation01", SigParseTestNegation01);
5469 UtRegisterTest(
"SigParseTestNegation02", SigParseTestNegation02);
5470 UtRegisterTest(
"SigParseTestNegation03", SigParseTestNegation03);
5471 UtRegisterTest(
"SigParseTestNegation04", SigParseTestNegation04);
5472 UtRegisterTest(
"SigParseTestNegation05", SigParseTestNegation05);
5473 UtRegisterTest(
"SigParseTestNegation06", SigParseTestNegation06);
5474 UtRegisterTest(
"SigParseTestNegation07", SigParseTestNegation07);
5475 UtRegisterTest(
"SigParseTestNegation08", SigParseTestNegation08);
5478 UtRegisterTest(
"SigParseTestAppLayerTLS01", SigParseTestAppLayerTLS01);
5479 UtRegisterTest(
"SigParseTestAppLayerTLS02", SigParseTestAppLayerTLS02);
5480 UtRegisterTest(
"SigParseTestAppLayerTLS03", SigParseTestAppLayerTLS03);
5481 UtRegisterTest(
"SigParseTestUnbalancedQuotes01", SigParseTestUnbalancedQuotes01);
5484 SigParseTestContentGtDsize01);
5486 SigParseTestContentGtDsize02);
5489 SigParseBidirWithSameSrcAndDest01);
5491 SigParseBidirWithSameSrcAndDest02);
5492 UtRegisterTest(
"SigParseTestActionReject", SigParseTestActionReject);
5493 UtRegisterTest(
"SigParseTestActionDrop", SigParseTestActionDrop);
5497 UtRegisterTest(
"DetectSetupDirection01", DetectSetupDirection01);
5498 UtRegisterTest(
"DetectSetupDirection02", DetectSetupDirection02);
5499 UtRegisterTest(
"DetectSetupDirection03", DetectSetupDirection03);
5500 UtRegisterTest(
"DetectSetupDirection04", DetectSetupDirection04);