/* Pulls a "(?P<type_name>" named capture out of a rule's pcre body:
 * group 1 is the capture type (the file compares it against "pkt" and
 * "flow"), group 2 the variable name.  "\_" is the literal separator.
 * NOTE(review): "[A-z]" is a byte range that spans 'Z'..'a' inclusive, so
 * it also admits the six punctuation bytes in between (including '_');
 * the PCRE_UNGREEDY option that appears to be used when this is compiled
 * is what keeps group 1 from swallowing the separator.  "[A-Za-z]" was
 * presumably intended — confirm before tightening. */
#define PARSE_CAPTURE_REGEX "\\(\\?P\\<([A-z]+)\\_([A-z0-9_]+)\\>"
/* Splits the "/body/modifiers" form of a pcre keyword: group 1 is the
 * body between two unescaped slashes, group 2 the trailing modifier
 * letters (copied into op_str by the parser).  The nested lookbehinds
 * require the body to end in something other than an unescaped
 * backslash, so an escaped "\/" inside the body does not end it. */
#define PARSE_REGEX "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"
/* Defaults for the pcre.match-limit and pcre.match-limit-recursion
 * configuration values when the config does not set them. */
#define SC_MATCH_LIMIT_DEFAULT 3500
#define SC_MATCH_LIMIT_RECURSION_DEFAULT 1500
/* Runtime match limits, filled in from the config at register time and
 * handed to each compiled rule's pcre_extra via PCRE_EXTRA_MATCH_LIMIT /
 * PCRE_EXTRA_MATCH_LIMIT_RECURSION.  They cap the backtracking work a
 * single pcre_exec() may do, so a pathological pattern or input cannot
 * pin a detect thread; they are the file's resource-exhaustion guard. */
static int pcre_match_limit = 0;
static int pcre_match_limit_recursion = 0;
/* Compiled PARSE_REGEX and its pcre_study() result; both are passed to
 * pcre_exec() when a rule's pcre option is parsed. */
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
/* Compiled PARSE_CAPTURE_REGEX and its pcre_study() result; used by the
 * capture-name parser. */
static pcre *parse_capture_regex;
static pcre_extra *parse_capture_regex_study;
/* Whether rules are studied with PCRE_STUDY_JIT_COMPILE.  Cleared when
 * the OS refuses RWX pages (see the "PCRE won't use JIT" config log in
 * the register path), in which case matching falls back to the
 * interpreter; per-rule fallback also happens when pcre_fullinfo()
 * reports PCRE_INFO_JIT != 1. */
static int pcre_use_jit = 1;
/* Forward declarations for helpers defined later in this file.
 * DetectPcreFree receives the per-rule context stored in sm->ctx
 * (presumably the DetectPcreData whose re/sd it releases — verify at
 * the definition); DetectPcreRegisterTests registers the unit tests. */
static void DetectPcreFree(void *);
static void DetectPcreRegisterTests(void);
101 SCLogDebug(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
104 pcre_match_limit = val;
106 SCLogInfo(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
108 SCLogDebug(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
114 if (!
ConfGetInt(
"pcre.match-limit-recursion", &val)) {
116 SCLogDebug(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
119 pcre_match_limit_recursion = val;
121 SCLogInfo(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
123 SCLogDebug(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
132 int opts = PCRE_UNGREEDY;
135 if (parse_capture_regex == NULL)
140 parse_capture_regex_study = pcre_study(parse_capture_regex, 0, &eb);
148 SCLogConfig(
"PCRE won't use JIT as OS doesn't allow RWX pages");
176 #define MAX_SUBSTRINGS 30 181 uint16_t capture_len = 0;
193 int start_offset = 0;
199 ret = pcre_exec(pe->
re, pe->
sd, (
char *)ptr, len, start_offset, 0, ov,
MAX_SUBSTRINGS);
202 if (ret == PCRE_ERROR_NOMATCH) {
210 }
else if (ret >= 0) {
222 if (ret > 1 && pe->
idx != 0) {
224 for (x = 0; x < pe->
idx; x++) {
226 const char *str_ptr = NULL;
227 ret = pcre_get_substring((
char *)ptr, ov,
MAX_SUBSTRINGS, x+1, &str_ptr);
229 pcre_free_substring(str_ptr);
238 const char *str_ptr2 = NULL;
239 int ret2 = pcre_get_substring((
char *)ptr, ov,
MAX_SUBSTRINGS, x+2, &str_ptr2);
241 pcre_free_substring(str_ptr);
242 pcre_free_substring(str_ptr2);
246 uint16_t key_len = (ret < 0xff) ? (uint16_t)ret : 0xff;
247 capture_len = (ret2 < 0xffff) ? (uint16_t)ret2 : 0xffff;
250 (uint8_t *)str_ptr, key_len,
251 (uint8_t *)str_ptr2, capture_len,
256 capture_len = (ret < 0xffff) ? (uint16_t)ret : 0xffff;
258 (uint8_t *)str_ptr, capture_len,
263 capture_len = (ret < 0xffff) ? (uint16_t)ret : 0xffff;
265 (uint8_t *)str_ptr, capture_len,
285 static int DetectPcreSetList(
int list,
int set)
294 static int DetectPcreHasUpperCase(
const char *re)
296 size_t len = strlen(re);
297 bool is_meta =
false;
298 bool is_meta_hex =
false;
299 int meta_hex_cnt = 0;
301 for (
size_t i = 0; i <
len; i++) {
305 if (meta_hex_cnt == 2) {
309 }
else if (is_meta) {
316 else if (re[i] ==
'\\') {
319 else if (isupper((
unsigned char)re[i])) {
328 const char *regexstr,
int *sm_list,
char *capture_names,
329 size_t capture_names_size,
bool negate,
AppProto *alproto)
337 #define MAX_SUBSTRINGS 30 338 int ret = 0,
res = 0;
340 int check_host_header = 0;
341 char op_str[64] =
"";
344 char *fcap = strstr(regexstr,
"flow:");
345 char *pcap = strstr(regexstr,
"pkt:");
348 size_t slen = strlen(regexstr) + 1;
353 cut_capture = fcap - regexstr;
354 else if (pcap && !fcap)
355 cut_capture = pcap - regexstr;
357 cut_capture =
MIN((pcap - regexstr), (fcap - regexstr));
361 if (cut_capture > 1) {
362 int offset = cut_capture - 1;
364 SCLogDebug(
"regexstr[offset] %c", regexstr[offset]);
365 if (regexstr[offset] ==
',' || regexstr[offset] ==
' ') {
372 if (cut_capture == (offset + 1)) {
373 SCLogDebug(
"missing separators, assume it's part of the regex");
376 strlcpy(capture_names, regexstr+cut_capture, capture_names_size);
377 if (capture_names[strlen(capture_names)-1] ==
'"')
378 capture_names[strlen(capture_names)-1] =
'\0';
384 ret = pcre_exec(parse_regex, parse_regex_study, regexstr, slen,
400 2, op_str,
sizeof(op_str));
423 opts |= PCRE_ANCHORED;
426 opts |= PCRE_DOLLAR_ENDONLY;
429 opts |= PCRE_UNGREEDY;
433 opts |= PCRE_CASELESS;
437 opts |= PCRE_MULTILINE;
443 opts |= PCRE_EXTENDED;
469 *sm_list = DetectPcreSetList(*sm_list, list);
479 *sm_list = DetectPcreSetList(*sm_list, list);
489 *sm_list = DetectPcreSetList(*sm_list, list);
491 check_host_header = 1;
500 *sm_list = DetectPcreSetList(*sm_list, list);
510 *sm_list = DetectPcreSetList(*sm_list, list);
519 *sm_list = DetectPcreSetList(*sm_list, list);
525 *sm_list = DetectPcreSetList(*sm_list, list);
535 *sm_list = DetectPcreSetList(*sm_list, list);
545 *sm_list = DetectPcreSetList(*sm_list, list);
552 *sm_list = DetectPcreSetList(*sm_list, list);
559 *sm_list = DetectPcreSetList(*sm_list, list);
566 *sm_list = DetectPcreSetList(*sm_list, list);
573 *sm_list = DetectPcreSetList(*sm_list, list);
590 if (check_host_header) {
593 "specified along with \"i(caseless)\" modifier. " 594 "Since the hostname buffer we match against " 595 "is actually lowercase, having a " 596 "nocase is redundant.");
598 else if (DetectPcreHasUpperCase(re)) {
600 "specified has an uppercase char. " 601 "Since the hostname buffer we match against " 602 "is actually lowercase, please specify an " 603 "all lowercase based pcre.");
613 if (capture_names == NULL || strlen(capture_names) == 0)
614 opts |= PCRE_NO_AUTO_CAPTURE;
616 pd->
re = pcre_compile2(re, opts, &ec, &eb, &eo, NULL);
617 if (pd->
re == NULL && ec == 15) {
618 opts &= ~PCRE_NO_AUTO_CAPTURE;
619 pd->
re = pcre_compile(re, opts, &eb, &eo, NULL);
622 if (pd->
re == NULL) {
624 "at offset %" PRId32
": %s", regexstr, eo, eb);
631 options |= PCRE_STUDY_JIT_COMPILE;
633 pd->
sd = pcre_study(pd->
re, options, &eb);
641 ret = pcre_fullinfo(pd->
re, pd->
sd, PCRE_INFO_JIT, &jit);
642 if (ret != 0 || jit != 1) {
646 SCLogDebug(
"PCRE JIT compiler does not support: %s. " 647 "Falling back to regular PCRE handling (%s:%d)",
653 pd->
sd = (pcre_extra *)
SCCalloc(1,
sizeof(pcre_extra));
657 if(pcre_match_limit >= -1) {
658 pd->
sd->match_limit = pcre_match_limit;
659 pd->
sd->flags |= PCRE_EXTRA_MATCH_LIMIT;
661 #ifndef NO_PCRE_MATCH_RLIMIT 662 if(pcre_match_limit_recursion >= -1) {
663 pd->
sd->match_limit_recursion = pcre_match_limit_recursion;
664 pd->
sd->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;
669 pd->
sd->flags |= PCRE_EXTRA_MATCH_LIMIT;
670 #ifndef NO_PCRE_MATCH_RLIMIT 672 pd->
sd->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;
681 if (pd != NULL && pd->
re != NULL)
683 if (pd != NULL && pd->
sd != NULL)
696 int ret = 0,
res = 0;
698 memset(&ov, 0,
sizeof(ov));
699 char type_str[16] =
"";
700 const char *orig_right_edge = regexstr + strlen(regexstr);
706 SCLogDebug(
"regexstr %s, pd %p", regexstr, pd);
708 ret = pcre_fullinfo(pd->
re, pd->
sd, PCRE_INFO_CAPTURECOUNT, &capture_cnt);
709 SCLogDebug(
"ret %d capture_cnt %d", ret, capture_cnt);
710 if (ret == 0 && capture_cnt && strlen(capture_names) > 0)
713 while ((name_array[name_idx] = strtok_r(name_idx == 0 ? capture_names : NULL,
" ,", &ptr))){
714 if (name_idx > capture_cnt) {
716 "var capture names than capturing substrings");
719 SCLogDebug(
"name '%s'", name_array[name_idx]);
721 if (strcmp(name_array[name_idx],
"pkt:key") == 0) {
729 }
else if (key == 1 && strcmp(name_array[name_idx],
"pkt:value") == 0) {
734 }
else if (key == 0 && strcmp(name_array[name_idx],
"pkt:value") == 0) {
736 }
else if (key == 1) {
739 }
else if (strncmp(name_array[name_idx],
"flow:", 5) == 0) {
744 }
else if (strncmp(name_array[name_idx],
"pkt:", 4) == 0) {
752 "var capture names must start with 'pkt:' or 'flow:'");
764 size_t cap_buffer_len = strlen(regexstr) + 1;
765 char capture_str[cap_buffer_len];
766 memset(capture_str, 0x00, cap_buffer_len);
774 ret = pcre_exec(parse_capture_regex, parse_capture_regex_study, regexstr, strlen(regexstr), 0, 0, ov,
MAX_SUBSTRINGS);
779 res = pcre_copy_substring((
char *)regexstr, ov,
MAX_SUBSTRINGS, 1, type_str,
sizeof(type_str));
784 res = pcre_copy_substring((
char *)regexstr, ov,
MAX_SUBSTRINGS, 2, capture_str, cap_buffer_len);
789 if (strlen(capture_str) == 0 || strlen(type_str) == 0) {
802 if (strcmp(type_str,
"pkt") == 0) {
807 }
else if (strcmp(type_str,
"flow") == 0) {
816 if (regexstr >= orig_right_edge)
832 char capture_names[1024] =
"";
835 pd = DetectPcreParse(de_ctx, regexstr, &parsed_sm_list,
840 if (DetectPcreParseCapture(regexstr, de_ctx, pd, capture_names) < 0)
851 switch(parsed_sm_list) {
865 sm_list = parsed_sm_list;
877 sm->
ctx = (
void *)pd;
881 for (x = 0; x < pd->
idx; x++) {
895 "preceeding match in the same buffer");
898 }
else if (prev_pm == NULL)
917 static void DetectPcreFree(
void *ptr)
/* Sigmatch list ids used by the parse tests to index s->sm_lists[] and
 * s->sm_lists_tail[] and check which list a pcre with a given modifier
 * (R, RB, H, ...) was attached to.  Presumably resolved by name in
 * DetectPcreRegisterTests, whose opening lines are not shown here. */
static int g_file_data_buffer_id = 0;
static int g_http_header_buffer_id = 0;
static int g_dce_stub_data_buffer_id = 0;
941 static int DetectPcreParseTest01 (
void)
945 const char *teststring =
"/blah/7";
951 pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0,
false, &alproto);
961 static int DetectPcreParseTest02 (
void)
965 const char *teststring =
"/blah/Ui$";
971 pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0,
false, &alproto);
982 static int DetectPcreParseTest03 (
void)
986 const char *teststring =
"/blah/UNi";
992 pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1002 static int DetectPcreParseTest04 (
void)
1006 const char *teststring =
"/b\\\"lah/i";
1012 pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1024 static int DetectPcreParseTest05 (
void)
1028 const char *teststring =
"/b(l|a)h/";
1034 pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1046 static int DetectPcreParseTest06 (
void)
1050 const char *teststring =
"/b(l|a)h/smi";
1056 pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1068 static int DetectPcreParseTest07 (
void)
1072 const char *teststring =
"/blah/Ui";
1078 pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1090 static int DetectPcreParseTest08 (
void)
1094 const char *teststring =
"/b(l|a)h/O";
1100 pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1113 static int DetectPcreParseTest09 (
void)
1116 const char *teststring =
"/lala\\\\/";
1122 pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1133 static int DetectPcreParseTest10(
void)
1141 FAIL_IF_NOT(DetectPcreSetup(de_ctx, s,
"/bamboo/") == 0);
1150 FAIL_IF_NOT(DetectPcreSetup(de_ctx, s,
"/bamboo/") == 0);
1162 static int DetectPcreParseTest11(
void)
1173 "(msg:\"Testing bytejump_body\"; " 1174 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " 1176 "pcre:/bamboo/R; sid:1;)");
1179 FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
1181 data = (
DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1185 s->
next =
SigInit(de_ctx,
"alert tcp any any -> any any " 1186 "(msg:\"Testing bytejump_body\"; " 1187 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " 1189 "pcre:/bamboo/R; sid:1;)");
1192 FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
1194 data = (
DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1198 s->
next =
SigInit(de_ctx,
"alert tcp any any -> any any " 1199 "(msg:\"Testing bytejump_body\"; " 1200 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; " 1202 "pcre:/bamboo/RB; sid:1;)");
1205 FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
1207 data = (
DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1211 s->
next =
SigInit(de_ctx,
"alert tcp any any -> any any " 1212 "(msg:\"Testing bytejump_body\"; " 1213 "content:\"one\"; pcre:/bamboo/; sid:1;)");
1216 FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL);
1229 static int DetectPcreParseTest12(
void)
1240 "(file_data; pcre:/abc/R; sid:1;)");
1244 FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL);
1248 data = (
DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
1262 static int DetectPcreParseTest13(
void)
1273 "(file_data; content:\"abc\"; pcre:/def/R; sid:1;)");
1277 FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL);
1281 data = (
DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
1295 static int DetectPcreParseTest14(
void)
1306 "(file_data; pcre:/def/; sid:1;)");
1310 FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL);
1314 data = (
DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
1326 static int DetectPcreParseTest15(
void)
1334 "alert tcp any any -> any any " 1335 "(msg:\"Testing pcre relative http_method\"; " 1337 "http_method; pcre:\"/abc/RM\"; sid:1;)");
1349 static int DetectPcreParseTest16(
void)
1357 "alert tcp any any -> any any " 1358 "(msg:\"Testing pcre relative http_cookie\"; " 1359 "content:\"test\"; " 1360 "http_cookie; pcre:\"/abc/RC\"; sid:1;)");
1371 static int DetectPcreParseTest17(
void)
1379 "alert tcp any any -> any any " 1380 "(msg:\"Testing pcre relative http_raw_header\"; " 1381 "flow:to_server; content:\"test\"; " 1382 "http_raw_header; pcre:\"/abc/RD\"; sid:1;)");
1393 static int DetectPcreParseTest18(
void)
1401 "alert tcp any any -> any any " 1402 "(msg:\"Testing pcre relative http_header\"; " 1403 "content:\"test\"; " 1404 "http_header; pcre:\"/abc/RH\"; sid:1;)");
1415 static int DetectPcreParseTest19(
void)
1423 "alert tcp any any -> any any " 1424 "(msg:\"Testing pcre relativie http_client_body\"; " 1425 "content:\"test\"; " 1426 "http_client_body; pcre:\"/abc/RP\"; sid:1;)");
1437 static int DetectPcreParseTest20(
void)
1445 "alert tcp any any -> any any " 1446 "(msg:\"Testing http_raw_uri\"; " 1447 "content:\"test\"; " 1448 "http_raw_uri; pcre:\"/abc/RI\"; sid:1;)");
1459 static int DetectPcreParseTest21(
void)
1467 "alert tcp any any -> any any " 1468 "(msg:\"Testing pcre relative uricontent\"; " 1469 "uricontent:\"test\"; " 1470 "pcre:\"/abc/RU\"; sid:1;)");
1481 static int DetectPcreParseTest22(
void)
1489 "alert tcp any any -> any any " 1490 "(msg:\"Testing pcre relative http_uri\"; " 1491 "content:\"test\"; " 1492 "http_uri; pcre:\"/abc/RU\"; sid:1;)");
1503 static int DetectPcreParseTest23(
void)
1511 "alert tcp any any -> any any " 1512 "(msg:\"Testing inconsistent pcre relative\"; " 1514 "http_cookie; pcre:\"/abc/RM\"; sid:1;)");
1525 static int DetectPcreParseTest24(
void)
1533 "alert tcp any any -> any any " 1534 "(msg:\"Testing inconsistent pcre modifiers\"; " 1535 "pcre:\"/abc/UI\"; sid:1;)");
1546 static int DetectPcreParseTest25(
void)
1554 "alert tcp any any -> any any " 1555 "(msg:\"Testing inconsistent pcre modifiers\"; " 1556 "pcre:\"/abc/DH\"; sid:1;)");
1567 static int DetectPcreParseTest26(
void)
1575 "alert http any any -> any any " 1576 "(msg:\"Testing inconsistent pcre modifiers\"; " 1577 "pcre:\"/abc/F\"; sid:1;)");
1588 static int DetectPcreParseTest27(
void)
1596 "(content:\"baduricontent\"; http_raw_uri; " 1597 "pcre:\"/^[a-z]{5}\\.html/R\"; sid:2; rev:2;)");
1608 static int DetectPcreParseTest28(
void)
1616 "(content:\"|2E|suricata\"; http_host; pcre:\"/\\x2Esuricata$/W\"; " 1624 static int DetectPcreTestSig01(
void)
1626 uint8_t *buf = (uint8_t *)
1627 "GET /one/ HTTP/1.1\r\n" 1628 "Host: one.example.org\r\n" 1630 "GET /two/ HTTP/1.1\r\n" 1631 "Host: two.example.org\r\n" 1633 uint16_t buflen = strlen((
char *)buf);
1639 memset(&th_v, 0,
sizeof(th_v));
1645 p->
tcph->th_seq = htonl(1000);
1648 f->
proto = IPPROTO_TCP;
1663 de_ctx->
sig_list =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; pcre:\"/^gEt/i\"; pcre:\"/\\/two\\//U\"; pcre:\"/GET \\/two\\//\"; pcre:\"/\\s+HTTP/R\"; sid:1;)");
1688 static int DetectPcreTestSig02(
void)
1690 uint8_t *buf = (uint8_t *)
1691 "GET /one/ HTTP/1.1\r\n" 1692 "Host: one.example.org\r\n" 1694 "GET /two/ HTTP/1.1\r\n" 1695 "Host: two.example.org\r\n" 1697 uint16_t buflen = strlen((
char *)buf);
1703 memset(&th_v, 0,
sizeof(th_v));
1704 memset(&f, 0,
sizeof(f));
1712 pcre_match_limit = 100;
1713 pcre_match_limit_recursion = 100;
1720 de_ctx->
sig_list =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; pcre:\"/two/O\"; sid:2;)");
1743 static int DetectPcreTestSig03(
void)
1745 uint8_t *buf = (uint8_t *)
1746 "GET /one/ HTTP/1.1\r\n" 1747 "Host: one.example.org\r\n" 1749 "GET /two/ HTTP/1.1\r\n" 1750 "Host: two.example.org\r\n" 1752 uint16_t buflen = strlen((
char *)buf);
1757 memset(&th_v, 0,
sizeof(th_v));
1766 de_ctx->
sig_list =
SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"GET\"; pcre:!\"/two/\"; sid:1;)");
1787 static int DetectPcreModifPTest04(
void)
1789 uint8_t httpbuf1[] =
1790 "GET / HTTP/1.1\r\n" 1791 "Host: www.emergingthreats.net\r\n" 1792 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n" 1793 "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n" 1794 "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n" 1795 "Accept-Encoding: gzip,deflate\r\n" 1796 "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" 1797 "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n" 1798 "Server: Apache\r\n" 1799 "X-Powered-By: PHP/5.2.5\r\n" 1800 "P3P: CP=\"NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM\"\r\n" 1801 "Expires: Mon, 1 Jan 2001 00:00:00 GMT\r\n" 1802 "Last-Modified: Tue, 22 Sep 2009 19:24:48 GMT\r\n" 1803 "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n" 1804 "Pragma: no-cache\r\n" 1805 "Keep-Alive: timeout=15, max=100\r\n" 1806 "Connection: Keep-Alive\r\n" 1807 "Transfer-Encoding: chunked\r\n" 1808 "Content-Type: text/html; charset=utf-8\r\n" 1812 "<!DOCTYPE html PUBLIC\r\n" 1815 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1824 memset(&th_v, 0,
sizeof(th_v));
1825 memset(&f, 0,
sizeof(f));
1826 memset(&ssn, 0,
sizeof(ssn));
1832 f.
proto = IPPROTO_TCP;
1848 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 1849 "\"Pcre modifier P\"; pcre:\"/DOCTYPE/P\"; " 1853 s->
next =
SigInit(de_ctx,
"alert http any any -> any any (msg:\"" 1854 "Pcre modifier P (no match)\"; pcre:\"/blah/P\"; sid:2;)");
1875 if (alp_tctx != NULL)
1891 static int DetectPcreModifPTest05(
void)
1893 uint8_t httpbuf1[] =
1894 "GET / HTTP/1.1\r\n" 1895 "Host: www.emergingthreats.net\r\n" 1896 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n" 1897 "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n" 1898 "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n" 1899 "Accept-Encoding: gzip,deflate\r\n" 1900 "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" 1901 "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n" 1902 "Server: Apache\r\n" 1903 "X-Powered-By: PHP/5.2.5\r\n" 1904 "P3P: CP=\"NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM\"\r\n" 1905 "Expires: Mon, 1 Jan 2001 00:00:00 GMT\r\n" 1906 "Last-Modified: Tue, 22 Sep 2009 19:24:48 GMT\r\n" 1907 "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n" 1908 "Pragma: no-cache\r\n" 1909 "Keep-Alive: timeout=15, max=100\r\n" 1910 "Connection: Keep-Alive\r\n" 1911 "Transfer-Encoding: chunked\r\n" 1912 "Content-Type: text/html; charset=utf-8\r\n" 1918 uint8_t httpbuf2[] =
"<!DOCTYPE html PUBLIC\r\n0\r\n\r\n";
1920 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1921 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1931 memset(&th_v, 0,
sizeof(th_v));
1932 memset(&f, 0,
sizeof(f));
1933 memset(&ssn, 0,
sizeof(ssn));
1940 f.
proto = IPPROTO_TCP;
1960 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 1961 "\"Pcre modifier P\"; pcre:\"/DOC/P\"; " 1965 s->
next =
SigInit(de_ctx,
"alert http any any -> any any (msg:\"" 1966 "Pcre modifier P (no match)\"; pcre:\"/DOCTYPE/P\"; sid:2;)");
2001 if (alp_tctx != NULL)
2014 static int DetectPcreTestSig06(
void)
2016 uint8_t *buf = (uint8_t *)
2017 "lalala lalala\\ lala\n";
2018 uint16_t buflen = strlen((
char *)buf);
2022 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ lalala\\\\/\"; sid:1;)";
2035 static int DetectPcreTestSig07(
void)
2037 uint8_t *buf = (uint8_t *)
2039 uint16_t buflen = strlen((
char *)buf);
2042 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/^(la)+$/\"; sid:1;)";
2051 static int DetectPcreTestSig08(
void)
2054 uint8_t *buf = (uint8_t *)
2056 uint16_t buflen = strlen((
char *)buf);
2059 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/^(la)+$/\"; sid:1;)";
2070 static int DetectPcreTestSig09(
void)
2073 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2074 "Cookie: dummy\r\n\r\n";
2075 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2084 memset(&th_v, 0,
sizeof(th_v));
2085 memset(&p, 0,
sizeof(p));
2086 memset(&f, 0,
sizeof(f));
2087 memset(&ssn, 0,
sizeof(ssn));
2093 f.
proto = IPPROTO_TCP;
2109 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2110 "\"HTTP cookie\"; pcre:\"/dummy/C\"; " 2131 if (alp_tctx != NULL)
2133 if (det_ctx != NULL) {
2136 if (de_ctx != NULL) {
2149 static int DetectPcreTestSig10(
void)
2152 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2153 "Cookie: dummoOOooooO\r\n\r\n";
2154 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2163 memset(&th_v, 0,
sizeof(th_v));
2164 memset(&p, 0,
sizeof(p));
2165 memset(&f, 0,
sizeof(f));
2166 memset(&ssn, 0,
sizeof(ssn));
2172 f.
proto = IPPROTO_TCP;
2188 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2189 "\"HTTP cookie\"; pcre:!\"/dummy/C\"; " 2210 if (alp_tctx != NULL)
2212 if (det_ctx != NULL) {
2215 if (de_ctx != NULL) {
2228 static int DetectPcreTestSig11(
void)
2231 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2232 "Cookie: dummy\r\n\r\n";
2233 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2242 memset(&th_v, 0,
sizeof(th_v));
2243 memset(&p, 0,
sizeof(p));
2244 memset(&f, 0,
sizeof(f));
2245 memset(&ssn, 0,
sizeof(ssn));
2251 f.
proto = IPPROTO_TCP;
2267 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2268 "\"HTTP method\"; pcre:\"/POST/M\"; " 2289 if (alp_tctx != NULL)
2291 if (det_ctx != NULL) {
2294 if (de_ctx != NULL) {
2307 static int DetectPcreTestSig12(
void)
2310 uint8_t httpbuf1[] =
"GET / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2311 "Cookie: dummoOOooooO\r\n\r\n";
2312 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2321 memset(&th_v, 0,
sizeof(th_v));
2322 memset(&p, 0,
sizeof(p));
2323 memset(&f, 0,
sizeof(f));
2324 memset(&ssn, 0,
sizeof(ssn));
2330 f.
proto = IPPROTO_TCP;
2346 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2347 "\"HTTP method\"; pcre:!\"/POST/M\"; " 2368 if (alp_tctx != NULL)
2370 if (det_ctx != NULL) {
2373 if (de_ctx != NULL) {
2386 static int DetectPcreTestSig13(
void)
2389 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2390 "Cookie: dummy\r\n\r\n";
2391 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2400 memset(&th_v, 0,
sizeof(th_v));
2401 memset(&p, 0,
sizeof(p));
2402 memset(&f, 0,
sizeof(f));
2403 memset(&ssn, 0,
sizeof(ssn));
2409 f.
proto = IPPROTO_TCP;
2425 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2426 "\"HTTP header\"; pcre:\"/User[-_]Agent[:]?\\sMozilla/H\"; " 2447 if (alp_tctx != NULL)
2449 if (det_ctx != NULL) {
2452 if (de_ctx != NULL) {
2465 static int DetectPcreTestSig14(
void)
2468 uint8_t httpbuf1[] =
"GET / HTTP/1.0\r\nUser-Agent: IEXPLORER/1.0\r\n" 2469 "Cookie: dummoOOooooO\r\n\r\n";
2470 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2479 memset(&th_v, 0,
sizeof(th_v));
2480 memset(&p, 0,
sizeof(p));
2481 memset(&f, 0,
sizeof(f));
2482 memset(&ssn, 0,
sizeof(ssn));
2488 f.
proto = IPPROTO_TCP;
2504 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2505 "\"HTTP header\"; pcre:!\"/User-Agent[:]?\\s+Mozilla/H\"; " 2526 if (alp_tctx != NULL)
2528 if (det_ctx != NULL) {
2531 if (de_ctx != NULL) {
2544 static int DetectPcreTestSig15(
void)
2547 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2548 "Cookie: dummy 1234\r\n\r\n";
2549 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2558 memset(&th_v, 0,
sizeof(th_v));
2559 memset(&p, 0,
sizeof(p));
2560 memset(&f, 0,
sizeof(f));
2561 memset(&ssn, 0,
sizeof(ssn));
2567 f.
proto = IPPROTO_TCP;
2583 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2584 "\"pcre relative HTTP cookie\"; content:\"dummy\";" 2585 " http_cookie; pcre:\"/1234/RC\"; " 2606 if (alp_tctx != NULL)
2608 if (det_ctx != NULL) {
2611 if (de_ctx != NULL) {
2624 static int DetectPcreTestSig16(
void)
2627 uint8_t httpbuf1[] =
"POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n" 2628 "Cookie: dummy 1234\r\n\r\n";
2629 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2638 memset(&th_v, 0,
sizeof(th_v));
2639 memset(&p, 0,
sizeof(p));
2640 memset(&f, 0,
sizeof(f));
2641 memset(&ssn, 0,
sizeof(ssn));
2647 f.
proto = IPPROTO_TCP;
2663 s = de_ctx->
sig_list =
SigInit(de_ctx,
"alert http any any -> any any (msg:" 2664 "\"pcre relative HTTP method\"; content:\"PO\";" 2665 " http_method; pcre:\"/ST/RM\"; " 2686 if (alp_tctx != NULL)
2688 if (det_ctx != NULL) {
2691 if (de_ctx != NULL) {
2703 static int DetectPcreTxBodyChunksTest01(
void)
2708 uint8_t httpbuf1[] =
"GET / HTTP/1.1\r\n";
2709 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
2710 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
2711 uint8_t httpbuf4[] =
"Body one!!";
2712 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2713 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
2714 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
2715 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
2716 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
2717 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
2718 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
2719 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
2720 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
2721 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
2724 memset(&f, 0,
sizeof(f));
2725 memset(&ssn, 0,
sizeof(ssn));
2731 f.
proto = IPPROTO_TCP;
2801 if (alp_tctx != NULL)
2811 static int DetectPcreTxBodyChunksTest02(
void)
2819 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
2820 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
2821 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
2822 uint8_t httpbuf4[] =
"Body one!!";
2823 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2824 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
2825 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
2826 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
2827 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
2828 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
2829 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
2830 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
2831 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
2832 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
2835 memset(&th_v, 0,
sizeof(th_v));
2836 memset(&f, 0,
sizeof(f));
2837 memset(&ssn, 0,
sizeof(ssn));
2843 f.
proto = IPPROTO_TCP;
2859 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
2861 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
2969 if (alp_tctx != NULL)
2971 if (det_ctx != NULL) {
2974 if (de_ctx != NULL) {
2986 static int DetectPcreTxBodyChunksTest03(
void)
2994 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
2995 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
2996 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
2997 uint8_t httpbuf4[] =
"Body one!!";
2998 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
2999 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
3000 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
3001 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
3002 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
3003 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
3004 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
3005 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
3006 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
3007 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
3010 memset(&th_v, 0,
sizeof(th_v));
3011 memset(&f, 0,
sizeof(f));
3012 memset(&ssn, 0,
sizeof(ssn));
3018 f.
proto = IPPROTO_TCP;
3034 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
3036 s =
DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
3126 if (alp_tctx != NULL)
3128 if (det_ctx != NULL) {
3131 if (de_ctx != NULL) {
3145 static int DetectPcreFlowvarCapture01(
void)
3148 "Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13";
3149 uint32_t ualen1 =
sizeof(uabuf1) - 1;
3150 uint8_t httpbuf1[] =
3151 "GET / HTTP/1.1\r\n" 3152 "Host: www.emergingthreats.net\r\n" 3153 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n" 3154 "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n" 3155 "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n" 3156 "Accept-Encoding: gzip,deflate\r\n" 3157 "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" 3158 "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n" 3159 "Server: Apache\r\n" 3161 "<!DOCTYPE html PUBLIC\r\n\r\n";
3162 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
3171 memset(&th_v, 0,
sizeof(th_v));
3172 memset(&f, 0,
sizeof(f));
3173 memset(&ssn, 0,
sizeof(ssn));
3179 f.
proto = IPPROTO_TCP;
3194 s =
DetectEngineAppendSig(de_ctx,
"alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; sid:1;)");
3197 FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
3198 s->sm_lists[g_http_header_buffer_id]->
next == NULL ||
3228 printf(
"buffer mismatch: ");
3232 if (alp_tctx != NULL)
3246 static int DetectPcreFlowvarCapture02(
void)
3250 uint32_t ualen1 =
sizeof(uabuf1) - 1;
3251 uint8_t httpbuf1[] =
3252 "GET / HTTP/1.1\r\n" 3253 "Host: www.emergingthreats.net\r\n" 3254 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n" 3255 "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n" 3256 "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n" 3257 "Accept-Encoding: gzip,deflate\r\n" 3258 "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" 3259 "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n" 3260 "Server: Apache\r\n" 3262 "<!DOCTYPE html PUBLIC\r\n\r\n";
3263 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
3272 memset(&th_v, 0,
sizeof(th_v));
3273 memset(&f, 0,
sizeof(f));
3274 memset(&ssn, 0,
sizeof(ssn));
3280 f.
proto = IPPROTO_TCP;
3295 s =
DetectEngineAppendSig(de_ctx,
"alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; priority:1; sid:1;)");
3298 FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
3299 s->sm_lists[g_http_header_buffer_id]->
next == NULL ||
3303 s =
DetectEngineAppendSig(de_ctx,
"alert http any any -> any any (content:\"Server: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; priority:3; sid:2;)");
3306 FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
3307 s->sm_lists[g_http_header_buffer_id]->
next == NULL ||
3347 printf(
"buffer mismatch: ");
3351 if (alp_tctx != NULL)
3365 static int DetectPcreFlowvarCapture03(
void)
3367 uint8_t httpbuf1[] =
3368 "GET / HTTP/1.1\r\n" 3369 "Host: www.emergingthreats.net\r\n" 3370 "User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13\r\n" 3371 "Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8\r\n" 3372 "Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n" 3373 "Accept-Encoding: gzip,deflate\r\n" 3374 "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" 3375 "Date: Tue, 22 Sep 2009 19:24:48 GMT\r\n" 3376 "Server: Apache\r\n" 3378 "<!DOCTYPE html PUBLIC\r\n\r\n";
3379 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
3388 memset(&th_v, 0,
sizeof(th_v));
3389 memset(&f, 0,
sizeof(f));
3390 memset(&ssn, 0,
sizeof(ssn));
3396 f.
proto = IPPROTO_TCP;
3411 s =
DetectEngineAppendSig(de_ctx,
"alert http any any -> any any (content:\"User-Agent: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; content:\"xyz\"; http_header; priority:1; sid:1;)");
3414 FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
3415 s->sm_lists[g_http_header_buffer_id]->
next == NULL ||
3419 s =
DetectEngineAppendSig(de_ctx,
"alert http any any -> any any (content:\"Server: \"; http_header; pcre:\"/(?P<flow_ua>.*)\\r\\n/HR\"; content:\"xyz\"; http_header; priority:3; sid:2;)");
3422 FAIL_IF(s->sm_lists[g_http_header_buffer_id] == NULL ||
3423 s->sm_lists[g_http_header_buffer_id]->
next == NULL ||
3449 if (alp_tctx != NULL)
3463 static int DetectPcreParseHttpHost(
void)
3471 DetectPcreData *pd = DetectPcreParse(de_ctx,
"/domain\\.com/W", &list, NULL, 0,
false, &alproto);
3476 pd = DetectPcreParse(de_ctx,
"/dOmain\\.com/W", &list, NULL, 0,
false, &alproto);
3481 pd = DetectPcreParse(de_ctx,
"/domain\\D+\\.com/W", &list, NULL, 0,
false, &alproto);
3488 pd = DetectPcreParse(de_ctx,
"/\\\\Ddomain\\.com/W", &list, NULL, 0,
false, &alproto);
3498 static int DetectPcreParseCaptureTest(
void)
3504 "(content:\"Server: \"; http_header; pcre:\"/(.*)\\r\\n/HR, flow:somecapture\"; content:\"xyz\"; http_header; sid:1;)");
3507 "(content:\"Server: \"; http_header; pcre:\"/(flow:.*)\\r\\n/HR\"; content:\"xyz\"; http_header; sid:2;)");
3510 "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)([0-9]+)\\r\\n/HR, flow:somecapture, pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
3529 static void DetectPcreRegisterTests(
void)
3565 UtRegisterTest(
"DetectPcreTestSig01 -- pcre test", DetectPcreTestSig01);
3566 UtRegisterTest(
"DetectPcreTestSig02 -- pcre test", DetectPcreTestSig02);
3568 DetectPcreTestSig03);
3571 DetectPcreModifPTest04);
3572 UtRegisterTest(
"DetectPcreModifPTest05 -- Modifier P fragmented",
3573 DetectPcreModifPTest05);
3576 DetectPcreTestSig07);
3578 DetectPcreTestSig08);
3580 DetectPcreTestSig09);
3582 DetectPcreTestSig10);
3584 DetectPcreTestSig11);
3586 DetectPcreTestSig12);
3588 DetectPcreTestSig13);
3590 DetectPcreTestSig14);
3591 UtRegisterTest(
"DetectPcreTestSig15 -- relative Cookie modifier",
3592 DetectPcreTestSig15);
3593 UtRegisterTest(
"DetectPcreTestSig16 -- relative Method modifier",
3594 DetectPcreTestSig16);
3597 DetectPcreTxBodyChunksTest01);
3598 UtRegisterTest(
"DetectPcreTxBodyChunksTest02 -- modifier P, body chunks per tx",
3599 DetectPcreTxBodyChunksTest02);
3600 UtRegisterTest(
"DetectPcreTxBodyChunksTest03 -- modifier P, body chunks per tx",
3601 DetectPcreTxBodyChunksTest03);
3603 UtRegisterTest(
"DetectPcreFlowvarCapture01 -- capture for http_header",
3604 DetectPcreFlowvarCapture01);
3605 UtRegisterTest(
"DetectPcreFlowvarCapture02 -- capture for http_header",
3606 DetectPcreFlowvarCapture02);
3607 UtRegisterTest(
"DetectPcreFlowvarCapture03 -- capture for http_header",
3608 DetectPcreFlowvarCapture03);
3610 UtRegisterTest(
"DetectPcreParseHttpHost", DetectPcreParseHttpHost);
3611 UtRegisterTest(
"DetectPcreParseCaptureTest", DetectPcreParseCaptureTest);
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
SigMatch * DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list,...)
Returns the sm with the largest index (added last) from the list passed to us as a pointer...
int DetectBufferTypeGetByName(const char *name)
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
union FlowVar_::@120 data
void DetectPcreRegister(void)
Data structures and function prototypes for keeping state for the detection engine.
void AppLayerHtpEnableRequestBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
#define DETECT_PCRE_MATCH_LIMIT
int UTHPacketMatchSig(Packet *p, const char *sig)
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
void SigFree(Signature *)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
void SCSigSignatureOrderingModuleCleanup(DetectEngineCtx *de_ctx)
De-registers all the signature ordering functions registered.
#define SIGMATCH_QUOTES_OPTIONAL
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
#define DETECT_SM_LIST_NOTSET
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define FLOW_PKT_TOSERVER
#define DETECT_PCRE_CAPTURE_MAX
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
#define DETECT_PCRE_RAWBYTES
int UTHRemoveSessionFromFlow(Flow *f)
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Signature * SigAlloc(void)
int DetectVarStoreMatch(DetectEngineThreadCtx *det_ctx, uint32_t idx, uint8_t *buffer, uint16_t len, int type)
Store flowvar in det_ctx so we can exec it post-match.
void DetectParseRegexAddToFreeList(pcre *regex, pcre_extra *study)
add regex and/or study to at exit free list
uint8_t captypes[DETECT_PCRE_CAPTURE_MAX]
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
FlowVar * FlowVarGet(Flow *f, uint32_t idx)
get the flowvar with index 'idx' from the flow
void PrintRawDataFp(FILE *fp, const uint8_t *buf, uint32_t buflen)
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
uint32_t pcre_match_start_offset
int UTHAddSessionToFlow(Flow *f, uint32_t ts_isn, uint32_t tc_isn)
int(* Match)(ThreadVars *, DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
#define DETECT_PCRE_NEGATE
uint32_t VarNameStoreSetupAdd(const char *name, const enum VarTypes type)
add to staging or return existing id if already in there
#define FatalError(x,...)
#define FLOW_INITIALIZE(f)
int StreamingBufferSegmentCompareRawData(const StreamingBuffer *sb, const StreamingBufferSegment *seg, const uint8_t *rawdata, uint32_t rawdata_len)
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define PARSE_CAPTURE_REGEX
#define DETECT_VAR_TYPE_FLOW_POSTMATCH
#define DETECT_PCRE_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
SigMatch * SigMatchAlloc(void)
Per thread variable structure.
AppProto alproto
application level protocol
#define PageSupportsRWX()
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
#define SIGMATCH_HANDLE_NEGATION
#define DETECT_VAR_TYPE_PKT_POSTMATCH
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
int DetectVarStoreMatchKeyValue(DetectEngineThreadCtx *det_ctx, uint8_t *key, uint16_t key_len, uint8_t *buffer, uint16_t len, int type)
Store flowvar in det_ctx so we can exec it post-match.
void(* RegisterTests)(void)
a single match condition for a signature
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
void UTHFreeFlow(Flow *flow)
DetectEngineCtx * DetectEngineCtxInit(void)