83 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
114 #define CASE_CODE_STRING(E, S) case E: return S; break
125 #undef CASE_CODE_STRING
129 #define CASE_CODE(E) case E: return #E
147 Signature *s,
const char *arg,
int sm_type,
int sm_list,
153 if (arg != NULL && strcmp(arg,
"") != 0) {
162 "with a sticky buffer still set. Reset sticky buffer "
163 "with pkt_data before using the modifier.",
177 "found inside the rule without a content context. "
178 "Please use a \"content\" keyword before using the "
186 "be used with the rawbytes rule keyword",
192 "be used with the replace rule keyword",
231 bool reuse_buffer =
false;
244 SCLogError(
"failed to expand rule buffer array");
253 SCLogDebug(
"idx %u list %d set up curbuf %p s->init_data->buffer_index %u",
294 if (sm->
ctx != NULL) {
305 ptrdiff_t
offset = e - table;
319 if (st->
name != NULL) {
352 if (strcmp(
str,
"all") == 0) {
364 char *xsaveptr = NULL;
365 char *key = strtok_r(copy,
",", &xsaveptr);
366 while (key != NULL) {
372 "argument '%s' not found",
375 key = strtok_r(NULL,
",", &xsaveptr);
402 SCLogDebug(
"s:%p new:%p list:%d: %s, s->init_data->list_set %s s->init_data->list %d", s,
new,
436 SCLogDebug(
"reusing buffer %u as it isn't multi-capable", x);
446 SCLogError(
"failed to expand rule buffer array");
476 SCLogDebug(
"appended %s to list %d, rule pos %u (s->init_data->list %d)",
495 if (sm->
prev != NULL)
497 if (sm->
next != NULL)
539 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
551 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
573 SCLogDebug(
"skip x %u s->init_data->list %d (int)s->init_data->buffers[x].id %d", x,
582 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
586 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
603 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
608 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
633 va_start(ap, sm_list);
635 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int))
637 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
640 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
671 va_start(ap, list_id);
673 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
677 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
689 va_start(ap, list_id);
691 for (sm_type = va_arg(ap,
int); sm_type != -1; sm_type = va_arg(ap,
int)) {
692 sm_new = SigMatchGetLastSMByType(sm_list, sm_type);
695 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
718 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
726 if (sm_last == NULL || sm_new->
idx > sm_last->
idx)
733 static void SigMatchTransferSigMatchAcrossLists(
SigMatch *sm,
739 if (sm->
prev != NULL)
741 if (sm->
next != NULL)
744 if (sm == *src_sm_list)
745 *src_sm_list = sm->
next;
746 if (sm == *src_sm_list_tail)
747 *src_sm_list_tail = sm->
prev;
749 if (*dst_sm_list == NULL) {
751 *dst_sm_list_tail = sm;
759 *dst_sm_list_tail = sm;
786 SCLogError(
"Unable to find the sm in any of the "
800 static int DetectSetupDirection(
Signature *s,
char **
str,
bool only_dir)
803 if (strncmp(*
str,
"to_client", strlen(
"to_client")) == 0) {
804 *
str += strlen(
"to_client");
806 while (**
str && isblank(**
str)) {
812 SCLogError(
"unknown option: only accepts to_server or to_client");
822 while (**
str && isblank(**
str)) {
834 }
else if (strncmp(*
str,
"to_server", strlen(
"to_server")) == 0) {
835 *
str += strlen(
"to_server");
837 while (**
str && isblank(**
str)) {
843 SCLogError(
"unknown option: only accepts to_server or to_client");
853 while (**
str && isblank(**
str)) {
865 }
else if (only_dir) {
866 SCLogError(
"unknown option: only accepts to_server or to_client");
873 size_t output_size,
bool requires)
876 char *optname = NULL;
877 char *optvalue = NULL;
880 while (isblank(*optstr)) {
885 char *optend = optstr;
887 optend = strchr(optend,
';');
888 if (optend == NULL) {
892 else if (optend > optstr && *(optend -1 ) ==
'\\') {
901 char *optvalptr = strchr(optstr,
':');
903 *(optvalptr++) =
'\0';
906 for (
size_t i = strlen(optvalptr); i > 0; i--) {
907 if (isblank(optvalptr[i - 1])) {
908 optvalptr[i - 1] =
'\0';
914 optvalue = optvalptr;
918 for (
size_t i = strlen(optstr); i > 0; i--) {
919 if (isblank(optstr[i - 1])) {
920 optstr[i - 1] =
'\0';
929 bool requires_only = strcasecmp(optname,
"requires") == 0 || strcasecmp(optname,
"sid") == 0;
930 if ((requires && !requires_only) || (!requires && requires_only)) {
935 st = SigTableGet(optname);
936 if (st == NULL || st->
Setup == NULL) {
937 SCLogError(
"unknown rule keyword '%s'.", optname);
942 if (optvalue == NULL || strlen(optvalue) == 0) {
944 "invalid formatting or malformed option to %s keyword: '%s'", optname, optstr);
948 if (optvalue && strlen(optvalue)) {
949 SCLogError(
"unexpected option to %s keyword: '%s'", optname, optstr);
959 #define URL "https://suricata.io/our-story/deprecation-policy/"
962 "and will be removed soon. See %s",
966 "and will be removed soon. Use '%s' instead. "
975 if (optvalue != NULL && strlen(optvalue) > 0) {
976 size_t ovlen = strlen(optvalue);
977 char *ptr = optvalue;
987 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
993 SCLogWarning(
"keyword \'%s\' has not been tested for firewall rules", optname);
1010 SCLogError(
"invalid formatting or malformed option to %s keyword: \'%s\'", optname,
1016 SCLogError(
"invalid formatting to %s keyword: "
1017 "value must be double quoted \'%s\'",
1023 && ovlen && *ptr ==
'"')
1025 for (; ovlen > 0; ovlen--) {
1026 if (isblank(ptr[ovlen - 1])) {
1027 ptr[ovlen - 1] =
'\0';
1032 if (ovlen && ptr[ovlen - 1] !=
'"') {
1033 SCLogError(
"bad option value formatting (possible missing semicolon) "
1034 "for keyword %s: \'%s\'",
1042 ptr[ovlen - 1] =
'\0';
1047 "for keyword %s: \'%s\'",
1054 "quotes on %s keyword that doesn't support them: \'%s\'", optname, optstr);
1072 if (setup_ret < 0) {
1076 if (setup_ret == -2) {
1088 if (strlen(optend) > 0) {
1089 strlcpy(output, optend, output_size);
1104 Signature *s,
const char *addrstr,
char flag)
1106 SCLogDebug(
"Address Group \"%s\" to be parsed now", addrstr);
1110 if (strcasecmp(addrstr,
"any") == 0)
1118 if (strcasecmp(addrstr,
"any") == 0)
1133 static bool IsBuiltIn(
const char *n)
1135 if (strcmp(n,
"request_started") == 0 || strcmp(n,
"response_started") == 0) {
1138 if (strcmp(n,
"request_complete") == 0 || strcmp(n,
"response_complete") == 0) {
1156 if (strcmp(alproto_name,
"http") == 0)
1157 alproto_name =
"http1";
1158 SCLogDebug(
"alproto %u/%s", a, alproto_name);
1160 const int max_progress_ts =
1162 const int max_progress_tc =
1165 char ts_tx_started[64];
1166 snprintf(ts_tx_started,
sizeof(ts_tx_started),
"%s:request_started:generic", alproto_name);
1169 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"request_name", ts_tx_started,
1170 (uint32_t)strlen(ts_tx_started));
1172 char tc_tx_started[64];
1173 snprintf(tc_tx_started,
sizeof(tc_tx_started),
"%s:response_started:generic", alproto_name);
1176 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"response_name", tc_tx_started,
1177 (uint32_t)strlen(tc_tx_started));
1179 char ts_tx_complete[64];
1180 snprintf(ts_tx_complete,
sizeof(ts_tx_complete),
"%s:request_complete:generic",
1184 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"request_name", ts_tx_complete,
1185 (uint32_t)strlen(ts_tx_complete));
1187 char tc_tx_complete[64];
1188 snprintf(tc_tx_complete,
sizeof(tc_tx_complete),
"%s:response_complete:generic",
1192 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
"response_name", tc_tx_complete,
1193 (uint32_t)strlen(tc_tx_complete));
1195 for (
int p = 0; p <= max_progress_ts; p++) {
1197 IPPROTO_TCP , a, p, STREAM_TOSERVER);
1198 if (
name != NULL && !IsBuiltIn(
name)) {
1200 snprintf(list_name,
sizeof(list_name),
"%s:%s:generic", alproto_name,
name);
1201 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
name, list_name,
1202 (uint32_t)strlen(list_name));
1208 for (
int p = 0; p <= max_progress_tc; p++) {
1210 IPPROTO_TCP , a, p, STREAM_TOCLIENT);
1211 if (
name != NULL && !IsBuiltIn(
name)) {
1213 snprintf(list_name,
sizeof(list_name),
"%s:%s:generic", alproto_name,
name);
1214 SCLogDebug(
"- hook %s:%s list %s (%u)", alproto_name,
name, list_name,
1215 (uint32_t)strlen(list_name));
1241 if (strcmp(
str,
"flow_start") == 0) {
1243 }
else if (strcmp(
str,
"all") == 0) {
1256 return "flow_start";
1268 .t.pkt.ph = HookPktFromString(hook_str),
1276 static int SigParseProtoHookPkt(
Signature *s,
const char *proto_hook,
const char *p,
const char *h)
1289 SCLogDebug(
"protocol:%s hook:%s: type:%s parsed hook:%s", p, h,
1299 .t.app.alproto = alproto,
1300 .t.app.app_progress = progress,
1308 static int SigParseProtoHookApp(
Signature *s,
const char *proto_hook,
const char *p,
const char *h)
1310 if (strcmp(h,
"request_started") == 0) {
1314 }
else if (strcmp(h,
"response_started") == 0) {
1318 }
else if (strcmp(h,
"request_complete") == 0) {
1322 }
else if (strcmp(h,
"response_complete") == 0) {
1328 IPPROTO_TCP , s->
alproto, h, STREAM_TOSERVER);
1329 if (progress_ts >= 0) {
1334 IPPROTO_TCP , s->
alproto, h, STREAM_TOCLIENT);
1335 if (progress_tc < 0) {
1343 char generic_hook_name[64];
1344 snprintf(generic_hook_name,
sizeof(generic_hook_name),
"%s:generic", proto_hook);
1347 SCLogError(
"no list registered as %s for hook %s", generic_hook_name, proto_hook);
1352 SCLogDebug(
"protocol:%s hook:%s: type:%s alproto:%u hook:%d", p, h,
1372 static int SigParseProto(
Signature *s,
const char *protostr)
1375 if (strlen(protostr) > 32)
1380 const char *p =
proto;
1381 const char *h = NULL;
1383 bool has_hook = strchr(
proto,
':') != NULL;
1385 char *xsaveptr = NULL;
1386 p = strtok_r(
proto,
":", &xsaveptr);
1387 h = strtok_r(NULL,
":", &xsaveptr);
1405 if (SigParseProtoHookApp(s, protostr, p, h) < 0) {
1406 SCLogError(
"protocol \"%s\" does not support hook \"%s\"", p, h);
1413 "in a signature. Either detection for this protocol "
1414 "is not yet supported OR detection has been disabled for "
1415 "protocol through the yaml option "
1416 "app-layer.protocols.%s.detection-enabled",
1420 }
else if (h != NULL) {
1421 SCLogDebug(
"non-app-layer rule with %s:%s", p, h);
1423 if (SigParseProtoHookPkt(s, protostr, p, h) < 0) {
1424 SCLogError(
"protocol \"%s\" does not support hook \"%s\"", p, h);
1453 Signature *s,
const char *portstr,
char flag)
1459 SCLogDebug(
"Port group \"%s\" to be parsed", portstr);
1462 if (strcasecmp(portstr,
"any") == 0)
1466 }
else if (flag == 1) {
1467 if (strcasecmp(portstr,
"any") == 0)
1482 static int SigParseActionRejectValidate(
const char *action)
1484 #ifdef HAVE_LIBNET11
1485 #if defined HAVE_LIBCAP_NG && !defined HAVE_LIBNET_CAPABILITIES
1488 "incompatible with POSIX based capabilities with privs dropping. "
1489 "For rejects to work, run as root/super user.");
1495 "required for action \"%s\" but is not compiled into Suricata",
1505 static uint8_t ActionStringToFlags(
const char *action)
1507 if (strcasecmp(action,
"alert") == 0) {
1509 }
else if (strcasecmp(action,
"drop") == 0) {
1511 }
else if (strcasecmp(action,
"pass") == 0) {
1513 }
else if (strcasecmp(action,
"reject") == 0 ||
1514 strcasecmp(action,
"rejectsrc") == 0)
1516 if (!(SigParseActionRejectValidate(action)))
1519 }
else if (strcasecmp(action,
"rejectdst") == 0) {
1520 if (!(SigParseActionRejectValidate(action)))
1523 }
else if (strcasecmp(action,
"rejectboth") == 0) {
1524 if (!(SigParseActionRejectValidate(action)))
1527 }
else if (strcasecmp(action,
"config") == 0) {
1529 }
else if (strcasecmp(action,
"accept") == 0) {
1532 SCLogError(
"An invalid action \"%s\" was given", action);
1548 static int SigParseAction(
Signature *s,
const char *action_in)
1551 strlcpy(action, action_in,
sizeof(action));
1552 const char *a = action;
1553 const char *o = NULL;
1555 bool has_scope = strchr(action,
':') != NULL;
1557 char *xsaveptr = NULL;
1558 a = strtok_r(action,
":", &xsaveptr);
1559 o = strtok_r(NULL,
":", &xsaveptr);
1563 SCLogError(
"invalid protocol specification '%s'", action_in);
1567 uint8_t
flags = ActionStringToFlags(a);
1573 uint8_t scope_flags = 0;
1575 if (strcmp(o,
"packet") == 0) {
1577 }
else if (strcmp(o,
"flow") == 0) {
1580 SCLogError(
"invalid action scope '%s' in action '%s': only 'packet' and 'flow' "
1587 if (strcmp(o,
"packet") == 0) {
1589 }
else if (strcmp(o,
"hook") == 0) {
1591 }
else if (strcmp(o,
"tx") == 0) {
1593 }
else if (strcmp(o,
"flow") == 0) {
1597 "invalid action scope '%s' in action '%s': only 'packet', 'flow', 'tx' and "
1604 SCLogError(
"invalid action scope '%s' in action '%s': scope only supported for actions "
1605 "'drop', 'pass' and 'reject'",
1613 SCLogError(
"firewall rules require setting an explicit action scope");
1618 SCLogError(
"'accept' action only supported for firewall rules");
1623 SCLogError(
"'pass' action not supported for firewall rules");
1642 static inline int SigParseToken(
char **input,
char *output,
1643 const size_t output_size)
1645 size_t len = *input == NULL ? 0 : strlen(*input);
1651 while (
len && isblank(**input)) {
1656 char *endptr = strpbrk(*input,
" \t\n\r");
1657 if (endptr != NULL) {
1660 strlcpy(output, *input, output_size);
1677 static inline int SigParseList(
char **input,
char *output,
1678 const size_t output_size)
1681 size_t len = *input != NULL ? strlen(*input) : 0;
1687 while (
len && isblank(**input)) {
1693 for (i = 0; i <
len; i++) {
1694 char c = (*input)[i];
1697 }
else if (c ==
']') {
1699 }
else if (c ==
' ') {
1710 strlcpy(output, *input, output_size);
1711 *input = *input + i + 1;
1731 SigParseToken(&index, parser->
action,
sizeof(parser->
action));
1737 SigParseList(&index, parser->
src,
sizeof(parser->
src));
1740 SigParseList(&index, parser->
sp,
sizeof(parser->
sp));
1746 SigParseList(&index, parser->
dst,
sizeof(parser->
dst));
1749 SigParseList(&index, parser->
dp,
sizeof(parser->
dp));
1752 if (index == NULL) {
1756 while (isspace(*index) || *index ==
'(') {
1759 for (
size_t i = strlen(index); i > 0; i--) {
1760 if (isspace(index[i - 1]) || index[i - 1] ==
')') {
1761 index[i - 1] =
'\0';
1773 if (SigParseAction(s, parser->
action) < 0)
1776 if (SigParseProto(s, parser->
protocol) < 0)
1779 if (strcmp(parser->
direction,
"<>") == 0) {
1781 }
else if (strcmp(parser->
direction,
"=>") == 0) {
1783 SCLogError(
"transactional bidirectional rules not supported for firewall rules");
1788 }
else if (strcmp(parser->
direction,
"->") != 0) {
1789 SCLogError(
"\"%s\" is not a valid direction modifier, "
1790 "\"->\" and \"<>\" are supported.",
1817 static inline bool CheckAscii(
const char *
str)
1819 for (
size_t i = 0; i < strlen(
str); i++) {
1820 if (
str[i] < 0x20) {
1822 if (
str[i] == 0x0a ||
str[i] == 0x0d ||
str[i] == 0x09) {
1826 }
else if (
str[i] == 0x7f) {
1850 if (!SCCheckUtf8(sigstr)) {
1855 if (!CheckAscii(sigstr)) {
1856 SCLogError(
"rule contains invalid (control) characters");
1860 int ret = SigParseBasics(
de_ctx, s, sigstr, parser, addrs_direction, requires);
1867 if (strlen(parser->
opts) > 0) {
1868 size_t buffer_size = strlen(parser->
opts) + 1;
1869 char input[buffer_size];
1870 char output[buffer_size];
1871 memset(input, 0x00, buffer_size);
1872 memcpy(input, parser->
opts, strlen(parser->
opts) + 1);
1878 memset(output, 0x00, buffer_size);
1879 ret = SigParseOptions(
de_ctx, s, input, output, buffer_size, requires);
1881 memcpy(input, output, buffer_size);
1913 memset(b, 0,
sizeof(*b));
1961 static void SigMetadataFree(
Signature *s)
1968 if (s == NULL || s->
metadata == NULL) {
1975 next_mdata = mdata->
next;
2006 next_ref = ref->
next;
2060 while (sm != NULL) {
2069 while (sm != NULL) {
2090 if (s->
sp != NULL) {
2093 if (s->
dp != NULL) {
2139 if (s->
alproto == *alprotos) {
2182 }
else if (i == 1) {
2214 if (!AppProtoIsValid(alproto)) {
2238 alproto = AppProtoCommon(s->
alproto, alproto);
2240 SCLogError(
"can't set rule app proto to %s: already set to %s",
2267 if (addr_match4 == NULL) {
2273 addr_match4[idx].
ip =
SCNtohl(da->ip.addr_data32[0]);
2274 addr_match4[idx].
ip2 =
SCNtohl(da->ip2.addr_data32[0]);
2293 if (addr_match6 == NULL) {
2299 addr_match6[idx].
ip[0] =
SCNtohl(da->ip.addr_data32[0]);
2300 addr_match6[idx].
ip[1] =
SCNtohl(da->ip.addr_data32[1]);
2301 addr_match6[idx].
ip[2] =
SCNtohl(da->ip.addr_data32[2]);
2302 addr_match6[idx].
ip[3] =
SCNtohl(da->ip.addr_data32[3]);
2303 addr_match6[idx].
ip2[0] =
SCNtohl(da->ip2.addr_data32[0]);
2304 addr_match6[idx].
ip2[1] =
SCNtohl(da->ip2.addr_data32[1]);
2305 addr_match6[idx].
ip2[2] =
SCNtohl(da->ip2.addr_data32[2]);
2306 addr_match6[idx].
ip2[3] =
SCNtohl(da->ip2.addr_data32[3]);
2319 static void SigBuildAddressMatchArray(
Signature *s)
2336 static int SigMatchListLen(
SigMatch *sm)
2339 for (; sm != NULL; sm = sm->
next)
2350 int len = SigMatchListLen(
head);
2356 FatalError(
"initializing the detection engine failed");
2362 for (; sm != NULL; sm = sm->
next, smd++) {
2402 SCLogDebug(
"s %u: no mpm; prefilter? de_ctx->prefilter_setting %u "
2403 "s->init_data->has_possible_prefilter %s",
2417 prefilter_list =
MIN(prefilter_list, sm->
type);
2427 if (sm->
type == prefilter_list) {
2444 SCLogError(
"rule %u is loaded as a firewall rule, but does not specify an "
2452 static void DetectFirewallRuleSetTable(
Signature *s)
2488 if (!DetectFirewallRuleValidate(
de_ctx, s))
2492 uint32_t sig_flags = 0;
2497 nlists += (nlists > 0);
2501 SCLogError(
"rule %u setup buffer %s but didn't add matches to it", s->
id,
2506 bool has_frame =
false;
2507 bool has_app =
false;
2508 bool has_pkt =
false;
2509 bool has_pmatch =
false;
2519 struct BufferVsDir {
2522 } bufdir[nlists + 1];
2523 memset(&bufdir, 0, (nlists + 1) *
sizeof(
struct BufferVsDir));
2540 if (b->
head == NULL) {
2545 has_frame |= bt->
frame;
2551 "specific matches (like dsize, flags, ttl) with stream / "
2552 "state matching by matching on app layer proto (like using "
2553 "http_* keywords).");
2558 for (; app != NULL; app = app->
next) {
2573 bufdir[b->
id].ts += (app->
dir == 0);
2574 bufdir[b->
id].tc += (app->
dir == 1);
2588 SCLogError(
"engine progress value doesn't match hook");
2608 for (
int x = 0; x < nlists; x++) {
2609 if (bufdir[x].
ts == 0 && bufdir[x].tc == 0)
2611 ts_excl += (bufdir[x].ts > 0 && bufdir[x].tc == 0);
2612 tc_excl += (bufdir[x].ts == 0 && bufdir[x].tc > 0);
2613 dir_amb += (bufdir[x].ts > 0 && bufdir[x].tc > 0);
2619 if (!ts_excl || !tc_excl) {
2620 SCLogError(
"rule %u should use both directions, but does not", s->
id);
2624 SCLogError(
"rule %u means to use both directions, cannot have keywords ambiguous about "
2629 }
else if (ts_excl && tc_excl) {
2631 "rule %u mixes keywords with conflicting directions, a transactional rule with => "
2635 }
else if (ts_excl) {
2636 SCLogDebug(
"%u: implied rule direction is toserver", s->
id);
2638 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2641 }
else if (tc_excl) {
2642 SCLogDebug(
"%u: implied rule direction is toclient", s->
id);
2644 SCLogError(
"rule %u mixes keywords with conflicting directions", s->
id);
2647 }
else if (dir_amb) {
2648 SCLogDebug(
"%u: rule direction cannot be deduced from keywords", s->
id);
2654 "tcp-stream or flow:only_stream. Invalidating signature.");
2659 SCLogError(
"You seem to have mixed keywords "
2660 "that require inspection in both directions. Atm we only "
2661 "support keywords in one direction within a rule.");
2665 if (has_pmatch && has_frame) {
2666 SCLogError(
"can't mix pure content and frame inspection");
2669 if (has_app && has_frame) {
2670 SCLogError(
"can't mix app-layer buffer and frame inspection");
2673 if (has_pkt && has_frame) {
2674 SCLogError(
"can't mix pkt buffer and frame inspection");
2682 if (s->
proto.
proto[IPPROTO_TCP / 8] & (1 << (IPPROTO_TCP % 8))) {
2713 "support file matching",
2728 SCLogError(
"No protocol support file matching");
2733 SCLogError(
"protocol HTTP2 doesn't support file name matching");
2753 memset(&parser, 0x00,
sizeof(parser));
2758 if (firewall_rule) {
2775 int ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
true);
2782 }
else if (ret < 0) {
2788 SCLogError(
"Signature missing required value \"sid\".");
2793 ret = SigParse(
de_ctx, sig, sigstr, dir, &parser,
false);
2799 }
else if (ret == -2) {
2802 }
else if (ret < 0) {
2807 if (sig->
prio == -1)
2814 int override_needed = 0;
2818 override_needed = 1;
2820 override_needed = 1;
2822 for (s = 0; s <
sizeof(sig->
proto.
proto); s++) {
2824 override_needed = 0;
2833 if (override_needed)
2843 for ( ; sm != NULL; sm = sm->
next) {
2867 SCLogDebug(
"sig %"PRIu32
" SIG_FLAG_APPLAYER: %s, SIG_FLAG_PACKET: %s",
2871 SigBuildAddressMatchArray(sig);
2882 SigSetupPrefilter(
de_ctx, sig);
2885 if (SigValidate(
de_ctx, sig) == 0) {
2893 DetectFirewallRuleSetTable(sig);
2919 static bool SigHasSameSourceAndDestination(
const Signature *s)
2961 if (SigHasSameSourceAndDestination(sig)) {
2962 SCLogInfo(
"Rule with ID %u is bidirectional, but source and destination are the same, "
2963 "treating the rule as unidirectional", sig->
id);
2968 if (sig->
next == NULL) {
2998 return SigInitDo(
de_ctx, sigstr,
false);
3003 return SigInitDo(
de_ctx, sigstr,
true);
3012 static void DetectParseDupSigFreeFunc(
void *data)
3028 static uint32_t DetectParseDupSigHashFunc(
HashListTable *ht,
void *data, uint16_t datalen)
3047 static char DetectParseDupSigCompareFunc(
void *data1, uint16_t len1,
void *data2,
3053 if (sw1 == NULL || sw2 == NULL ||
3054 sw1->
s == NULL || sw2->
s == NULL)
3058 if (sw1->
s->
id == sw2->
s->
id && sw1->
s->
gid == sw2->
s->
gid)
return 1;
3074 DetectParseDupSigHashFunc,
3075 DetectParseDupSigCompareFunc,
3076 DetectParseDupSigFreeFunc);
3137 if (sw_dup == NULL) {
3150 (
void *)&sw_tmp, 0);
3162 if (sw->
s->
rev <= sw_dup->
s->
rev) {
3171 if (sw_dup->
s_prev == NULL) {
3179 sw_temp.
s = sw_dup->
s->
next;
3183 if (sw_temp.
s != NULL) {
3185 (
void *)&sw_temp, 0);
3205 sw_temp.
s = sw_dup->
s->
next;
3213 if (sw_temp.
s != NULL) {
3215 (
void *)&sw_temp, 0);
3230 (
void *)&sw_tmp, 0);
3231 if (sw_old->
s != sw_dup->
s) {
3274 int dup_sig = DetectEngineSignatureIsDuplicate(
de_ctx, sig);
3278 SCLogError(
"Duplicate signature \"%s\"", sigstr);
3280 }
else if (dup_sig == 2) {
3282 " so the older sig replaced by this new signature \"%s\"",
3287 if (sig->
next != NULL) {
3304 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
3308 if (sig != NULL && sig->
next != NULL) {
3346 int dup_sig = DetectEngineSignatureIsDuplicate(
de_ctx, sig);
3350 SCLogError(
"Duplicate signature \"%s\"", sigstr);
3352 }
else if (dup_sig == 2) {
3354 " so the older sig replaced by this new signature \"%s\"",
3359 if (sig->
next != NULL) {
3376 return (dup_sig == 0 || dup_sig == 2) ? sig : NULL;
3380 if (sig != NULL && sig->
next != NULL) {
3393 int start_offset,
int options)
3395 *match = pcre2_match_data_create_from_pattern(parse_regex->
regex, NULL);
3397 return pcre2_match(parse_regex->
regex, (PCRE2_SPTR8)
str, strlen(
str), options, start_offset,
3398 *match, parse_regex->
context);
3405 pcre2_code_free(r->
regex);
3408 pcre2_match_context_free(r->
context);
3423 g_detect_parse_regex_list = NULL;
3432 FatalError(
"failed to alloc memory for pcre free list");
3435 r->
next = g_detect_parse_regex_list;
3436 g_detect_parse_regex_list = r;
3444 detect_parse->
regex =
3445 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
3446 if (detect_parse->
regex == NULL) {
3447 PCRE2_UCHAR errbuffer[256];
3448 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
3449 SCLogError(
"pcre compile of \"%s\" failed at "
3451 parse_str, en, errbuffer);
3454 detect_parse->
context = pcre2_match_context_create(NULL);
3455 if (detect_parse->
context == NULL) {
3456 SCLogError(
"pcre2 could not create match context");
3457 pcre2_code_free(detect_parse->
regex);
3458 detect_parse->
regex = NULL;
3473 if (detect_parse == NULL) {
3477 detect_parse->
regex =
3478 pcre2_compile((PCRE2_SPTR8)parse_str, PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
3479 if (detect_parse->
regex == NULL) {
3480 PCRE2_UCHAR errbuffer[256];
3481 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
3482 SCLogError(
"pcre2 compile of \"%s\" failed at "
3484 parse_str, (
int)eo, errbuffer);
3489 detect_parse->
next = g_detect_parse_regex_list;
3490 g_detect_parse_regex_list = detect_parse;
3491 return detect_parse;
3495 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR *buffer, PCRE2_SIZE *bufflen)
3497 int r = pcre2_substring_copy_bynumber(match_data, number, buffer, bufflen);
3498 if (r == PCRE2_ERROR_UNSET) {
3507 pcre2_match_data *match_data, uint32_t number, PCRE2_UCHAR **bufferptr, PCRE2_SIZE *bufflen)
3509 int r = pcre2_substring_get_bynumber(match_data, number, bufferptr, bufflen);
3510 if (r == PCRE2_ERROR_UNSET) {
3533 static int SigParseTest01 (
void)
3542 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
3552 static int SigParseTest02 (
void)
3566 sig =
SigInit(
de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
3594 static int SigParseTest03 (
void)
3603 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 any <- !1.2.3.4 any (msg:\"SigParseTest03\"; sid:1;)");
3606 printf(
"expected NULL got sig ptr %p: ",sig);
3615 static int SigParseTest04 (
void)
3624 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024: -> !1.2.3.4 1024: (msg:\"SigParseTest04\"; sid:1;)");
3635 static int SigParseTest05 (
void)
3644 sig =
SigInit(
de_ctx,
"alert tcp 1.2.3.4 1024:65536 -> !1.2.3.4 any (msg:\"SigParseTest05\"; sid:1;)");
3648 printf(
"signature didn't fail to parse as we expected: ");
3658 static int SigParseTest06 (
void)
3667 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (flow:to_server; content:\"GET\"; nocase; http_method; uricontent:\"/uri/\"; nocase; content:\"Host|3A| abc\"; nocase; sid:1; rev:1;)");
3671 printf(
"signature failed to parse: ");
3685 static int SigParseTest07(
void)
3707 static int SigParseTest08(
void)
3730 static int SigParseTest09(
void)
3781 static int SigParseTest10(
void)
3813 static int SigParseTest11(
void)
3824 "drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\"; sid:1;) ");
3826 printf(
"sig 1 didn't parse: ");
3831 "the http link\"; sid:2;) ");
3833 printf(
"sig 2 didn't parse: ");
3847 static int SigParseTest12(
void)
3859 printf(
"sig 1 should have given an error: ");
3873 static int SigParseTest13(
void)
3885 printf(
"sig 1 invalidated: failure");
3890 printf(
"sig doesn't have stream flag set\n");
3895 printf(
"sig has packet flag set\n");
3910 static int SigParseTest14(
void)
3922 printf(
"sig 1 invalidated: failure");
3927 printf(
"sig doesn't have packet flag set\n");
3932 printf(
"sig has stream flag set\n");
3947 static int SigParseTest15(
void)
3959 printf(
"sig 1 invalidated: failure");
3964 printf(
"sig doesn't have packet flag set\n");
3969 printf(
"sig doesn't have stream flag set\n");
3984 static int SigParseTest16(
void)
3996 printf(
"sig 1 invalidated: failure");
4001 printf(
"sig doesn't have packet flag set\n");
4006 printf(
"sig doesn't have stream flag set\n");
4021 static int SigParseTest17(
void)
4033 printf(
"sig 1 invalidated: failure");
4038 printf(
"sig doesn't have packet flag set\n");
4043 printf(
"sig doesn't have stream flag set\n");
4056 static int SigParseTest18 (
void)
4064 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:99999999999999999999;)") != NULL)
4075 static int SigParseTest19 (
void)
4083 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; gid:99999999999999999999;)") != NULL)
4094 static int SigParseTest20 (
void)
4102 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1; rev:99999999999999999999;)") != NULL)
4113 static int SigParseTest21 (
void)
4132 static int SigParseTest22 (
void)
4140 if (
DetectEngineAppendSig(
de_ctx,
"alert tcp [10.10.10.0/24, !10.10.10.247] any -> [10.10.10.0/24, !10.10.10.247] any (sid:1;)") == NULL)
4153 static int SigParseTest23(
void)
4168 static int SigParseBidirecTest06 (
void)
4188 static int SigParseBidirecTest07 (
void)
4208 static int SigParseBidirecTest08 (
void)
4228 static int SigParseBidirecTest09 (
void)
4248 static int SigParseBidirecTest10 (
void)
4268 static int SigParseBidirecTest11 (
void)
4288 static int SigParseBidirecTest12 (
void)
4308 static int SigParseBidirecTest13 (
void)
4327 static int SigParseBidirecTest14 (
void)
4348 static int SigTestBidirec01 (
void)
4360 if (sig->
next != NULL)
4379 static int SigTestBidirec02 (
void)
4398 if (sig->
next == NULL)
4403 if (copy->
next != NULL)
4424 static int SigTestBidirec03 (
void)
4436 const char *sigs[3];
4437 sigs[0] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 1\"; sid:1;)";
4438 sigs[1] =
"alert tcp any any <> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)";
4439 sigs[2] =
"alert tcp any any -> 192.168.1.1 any (msg:\"SigTestBidirec03 sid 3\"; sid:3;)";
4446 if (sig->
next == NULL)
4457 uint8_t rawpkt1_ether[] = {
4458 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
4459 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
4460 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
4461 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
4462 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
4463 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
4464 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
4465 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
4466 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
4467 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
4468 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
4469 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
4470 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
4471 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
4472 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
4473 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
4474 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
4475 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
4476 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
4477 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
4478 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
4479 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
4480 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
4481 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
4482 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
4483 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
4484 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
4485 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
4486 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
4487 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
4488 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
4489 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
4490 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
4491 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
4492 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4493 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4494 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
4495 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
4496 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
4497 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
4498 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
4499 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
4500 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
4501 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4502 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
4503 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
4504 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
4505 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
4506 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4507 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
4508 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
4509 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
4510 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
4511 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
4512 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
4522 uint32_t sids[3] = {1, 2, 3};
4523 uint32_t results[3] = {1, 1, 1};
4539 static int SigTestBidirec04 (
void)
4554 sig =
DetectEngineAppendSig(
de_ctx,
"alert tcp 192.168.1.1 any <> any any (msg:\"SigTestBidirec03 sid 2 bidirectional\"; sid:2;)");
4559 if (sig->
next == NULL)
4571 if (sig->
next == NULL)
4582 uint8_t rawpkt1_ether[] = {
4583 0x00,0x50,0x56,0xea,0x00,0xbd,0x00,0x0c,
4584 0x29,0x40,0xc8,0xb5,0x08,0x00,0x45,0x00,
4585 0x01,0xa8,0xb9,0xbb,0x40,0x00,0x40,0x06,
4586 0xe0,0xbf,0xc0,0xa8,0x1c,0x83,0xc0,0xa8,
4587 0x01,0x01,0xb9,0x0a,0x00,0x50,0x6f,0xa2,
4588 0x92,0xed,0x7b,0xc1,0xd3,0x4d,0x50,0x18,
4589 0x16,0xd0,0xa0,0x6f,0x00,0x00,0x47,0x45,
4590 0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,
4591 0x2f,0x31,0x2e,0x31,0x0d,0x0a,0x48,0x6f,
4592 0x73,0x74,0x3a,0x20,0x31,0x39,0x32,0x2e,
4593 0x31,0x36,0x38,0x2e,0x31,0x2e,0x31,0x0d,
4594 0x0a,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,
4595 0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,
4596 0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,
4597 0x20,0x28,0x58,0x31,0x31,0x3b,0x20,0x55,
4598 0x3b,0x20,0x4c,0x69,0x6e,0x75,0x78,0x20,
4599 0x78,0x38,0x36,0x5f,0x36,0x34,0x3b,0x20,
4600 0x65,0x6e,0x2d,0x55,0x53,0x3b,0x20,0x72,
4601 0x76,0x3a,0x31,0x2e,0x39,0x2e,0x30,0x2e,
4602 0x31,0x34,0x29,0x20,0x47,0x65,0x63,0x6b,
4603 0x6f,0x2f,0x32,0x30,0x30,0x39,0x30,0x39,
4604 0x30,0x32,0x31,0x37,0x20,0x55,0x62,0x75,
4605 0x6e,0x74,0x75,0x2f,0x39,0x2e,0x30,0x34,
4606 0x20,0x28,0x6a,0x61,0x75,0x6e,0x74,0x79,
4607 0x29,0x20,0x46,0x69,0x72,0x65,0x66,0x6f,
4608 0x78,0x2f,0x33,0x2e,0x30,0x2e,0x31,0x34,
4609 0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,0x74,
4610 0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,
4611 0x74,0x6d,0x6c,0x2c,0x61,0x70,0x70,0x6c,
4612 0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,
4613 0x78,0x68,0x74,0x6d,0x6c,0x2b,0x78,0x6d,
4614 0x6c,0x2c,0x61,0x70,0x70,0x6c,0x69,0x63,
4615 0x61,0x74,0x69,0x6f,0x6e,0x2f,0x78,0x6d,
4616 0x6c,0x3b,0x71,0x3d,0x30,0x2e,0x39,0x2c,
4617 0x2a,0x2f,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4618 0x38,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4619 0x74,0x2d,0x4c,0x61,0x6e,0x67,0x75,0x61,
4620 0x67,0x65,0x3a,0x20,0x65,0x6e,0x2d,0x75,
4621 0x73,0x2c,0x65,0x6e,0x3b,0x71,0x3d,0x30,
4622 0x2e,0x35,0x0d,0x0a,0x41,0x63,0x63,0x65,
4623 0x70,0x74,0x2d,0x45,0x6e,0x63,0x6f,0x64,
4624 0x69,0x6e,0x67,0x3a,0x20,0x67,0x7a,0x69,
4625 0x70,0x2c,0x64,0x65,0x66,0x6c,0x61,0x74,
4626 0x65,0x0d,0x0a,0x41,0x63,0x63,0x65,0x70,
4627 0x74,0x2d,0x43,0x68,0x61,0x72,0x73,0x65,
4628 0x74,0x3a,0x20,0x49,0x53,0x4f,0x2d,0x38,
4629 0x38,0x35,0x39,0x2d,0x31,0x2c,0x75,0x74,
4630 0x66,0x2d,0x38,0x3b,0x71,0x3d,0x30,0x2e,
4631 0x37,0x2c,0x2a,0x3b,0x71,0x3d,0x30,0x2e,
4632 0x37,0x0d,0x0a,0x4b,0x65,0x65,0x70,0x2d,
4633 0x41,0x6c,0x69,0x76,0x65,0x3a,0x20,0x33,
4634 0x30,0x30,0x0d,0x0a,0x43,0x6f,0x6e,0x6e,
4635 0x65,0x63,0x74,0x69,0x6f,0x6e,0x3a,0x20,
4636 0x6b,0x65,0x65,0x70,0x2d,0x61,0x6c,0x69,
4637 0x76,0x65,0x0d,0x0a,0x0d,0x0a };
4646 memset(&th_v, 0,
sizeof(th_v));
4686 static int SigParseTestNegation01 (
void)
4700 static int SigParseTestNegation02 (
void)
4711 s =
SigInit(
de_ctx,
"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
4726 static int SigParseTestNegation03 (
void)
4737 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4752 static int SigParseTestNegation04 (
void)
4763 s =
SigInit(
de_ctx,
"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
4778 static int SigParseTestNegation05 (
void)
4789 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
4804 static int SigParseTestNegation06 (
void)
4815 s =
SigInit(
de_ctx,
"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
4831 static int SigParseTestNegation07 (
void)
4837 de_ctx,
"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (sid:410006;)");
4846 static int SigParseTestNegation08 (
void)
4857 s =
SigInit(
de_ctx,
"alert tcp any any -> [192.168.0.0/16,!192.168.0.0/24] any (sid:410006; rev:1;)");
4872 static int SigParseTestMpm01 (
void)
4881 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; sid:1;)");
4883 printf(
"sig failed to init: ");
4888 printf(
"sig doesn't have content list: ");
4903 static int SigParseTestMpm02 (
void)
4912 sig =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"mpm test\"; content:\"abcd\"; content:\"abcdef\"; sid:1;)");
4914 printf(
"sig failed to init: ");
4919 printf(
"sig doesn't have content list: ");
4934 static int SigParseTestAppLayerTLS01(
void)
4945 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS01 \"; sid:410006; rev:1;)");
4947 printf(
"parsing sig failed: ");
4952 printf(
"alproto not set: ");
4969 static int SigParseTestAppLayerTLS02(
void)
4980 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS02 \"; tls.version:1.0; sid:410006; rev:1;)");
4982 printf(
"parsing sig failed: ");
4987 printf(
"alproto not set: ");
5003 static int SigParseTestAppLayerTLS03(
void)
5014 s =
SigInit(
de_ctx,
"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; sid:410006; rev:1;)");
5027 static int SigParseTestUnbalancedQuotes01(
void)
5037 "alert http any any -> any any (msg:\"SigParseTestUnbalancedQuotes01\"; "
5038 "pcre:\"/\\/[a-z]+\\.php\\?[a-z]+?=\\d{7}&[a-z]+?=\\d{7,8}$/U\" "
5039 "flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:5;)");
5045 static int SigParseTestContentGtDsize01(
void)
5052 "alert http any any -> any any ("
5053 "dsize:21; content:\"0123456789001234567890|00 00|\"; "
5060 static int SigParseTestContentGtDsize02(
void)
5067 "alert http any any -> any any ("
5068 "dsize:21; content:\"0123456789|00 00|\"; offset:10; "
5085 static int SigParseBidirWithSameSrcAndDest01(
void)
5102 "alert tcp [1.2.3.4, 5.6.7.8] [80, 81] <> [5.6.7.8, 1.2.3.4] [81, 80] (sid:3;)");
5111 static int SigParseBidirWithSameSrcAndDest02(
void)
5119 de_ctx,
"alert tcp 1.2.3.4 any <> [1.2.3.4, 5.6.7.8, ::1] any (sid:1;)");
5126 de_ctx,
"alert tcp [1.2.3.4, ::1] [80, 81, 82] <> [1.2.3.4, ::1] [80, 81] (sid:2;)");
5133 "alert tcp [1.2.3.4, ::1, ABCD:AAAA::1] [80] <> [1.2.3.4, ::1] [80, 81] (sid:3;)");
5140 de_ctx,
"alert tcp [!1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:4;)");
5147 de_ctx,
"alert tcp [1.2.3.4, 1.2.3.0/24] any <> [1.2.3.0/24, !1.2.3.4] any (sid:5;)");
5156 static int SigParseTestActionReject(
void)
5162 de_ctx,
"reject tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
5163 #ifdef HAVE_LIBNET11
5174 static int SigParseTestActionDrop(
void)
5180 de_ctx,
"drop tcp 1.2.3.4 any -> !1.2.3.4 any (msg:\"SigParseTest01\"; sid:1;)");
5188 static int SigSetMultiAppProto(
void)
5263 static int DetectSetupDirection01(
void)
5268 char *
str = (
char *)
"to_client";
5269 FAIL_IF(DetectSetupDirection(s, &
str,
true) < 0);
5274 static int DetectSetupDirection02(
void)
5278 char *
str = (
char *)
"to_server";
5279 FAIL_IF(DetectSetupDirection(s, &
str,
true) < 0);
5281 str = (
char *)
"to_client";
5282 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5288 static int DetectSetupDirection03(
void)
5292 char *
str = (
char *)
"to_client , something";
5293 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5295 str = (
char *)
"to_client,something";
5296 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5302 static int DetectSetupDirection04(
void)
5307 char *
str = (
char *)
"to_client_toto";
5308 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5310 str = (
char *)
"to_client_toto";
5311 FAIL_IF(DetectSetupDirection(s, &
str,
false) < 0);
5313 str = (
char *)
"to_client,something";
5315 FAIL_IF(DetectSetupDirection(s, &
str,
true) >= 0);
5352 UtRegisterTest(
"SigParseTest21 -- address with space", SigParseTest21);
5353 UtRegisterTest(
"SigParseTest22 -- address with space", SigParseTest22);
5354 UtRegisterTest(
"SigParseTest23 -- carriage return", SigParseTest23);
5369 UtRegisterTest(
"SigParseTestNegation01", SigParseTestNegation01);
5370 UtRegisterTest(
"SigParseTestNegation02", SigParseTestNegation02);
5371 UtRegisterTest(
"SigParseTestNegation03", SigParseTestNegation03);
5372 UtRegisterTest(
"SigParseTestNegation04", SigParseTestNegation04);
5373 UtRegisterTest(
"SigParseTestNegation05", SigParseTestNegation05);
5374 UtRegisterTest(
"SigParseTestNegation06", SigParseTestNegation06);
5375 UtRegisterTest(
"SigParseTestNegation07", SigParseTestNegation07);
5376 UtRegisterTest(
"SigParseTestNegation08", SigParseTestNegation08);
5379 UtRegisterTest(
"SigParseTestAppLayerTLS01", SigParseTestAppLayerTLS01);
5380 UtRegisterTest(
"SigParseTestAppLayerTLS02", SigParseTestAppLayerTLS02);
5381 UtRegisterTest(
"SigParseTestAppLayerTLS03", SigParseTestAppLayerTLS03);
5382 UtRegisterTest(
"SigParseTestUnbalancedQuotes01", SigParseTestUnbalancedQuotes01);
5385 SigParseTestContentGtDsize01);
5387 SigParseTestContentGtDsize02);
5390 SigParseBidirWithSameSrcAndDest01);
5392 SigParseBidirWithSameSrcAndDest02);
5393 UtRegisterTest(
"SigParseTestActionReject", SigParseTestActionReject);
5394 UtRegisterTest(
"SigParseTestActionDrop", SigParseTestActionDrop);
5398 UtRegisterTest(
"DetectSetupDirection01", DetectSetupDirection01);
5399 UtRegisterTest(
"DetectSetupDirection02", DetectSetupDirection02);
5400 UtRegisterTest(
"DetectSetupDirection03", DetectSetupDirection03);
5401 UtRegisterTest(
"DetectSetupDirection04", DetectSetupDirection04);