65 #define PARSE_CAPTURE_REGEX "\\(\\?P\\<([A-z]+)\\_([A-z0-9_]+)\\>"
66 #define PARSE_REGEX "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"
68 static int pcre_match_limit = 0;
69 static int pcre_match_limit_recursion = 0;
75 static int pcre2_use_jit = 1;
83 const char *
str,
const size_t strlen,
int start_offset,
int options,
84 pcre2_match_data *match)
93 static void DetectPcreRegisterTests(
void);
113 SCLogDebug(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
115 pcre_match_limit = val;
117 SCLogInfo(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
119 SCLogDebug(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
125 if (!
SCConfGetInt(
"pcre.match-limit-recursion", &val)) {
127 SCLogDebug(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
129 pcre_match_limit_recursion = val;
131 SCLogInfo(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
133 SCLogDebug(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
138 if (parse_regex == NULL) {
139 FatalError(
"pcre2 compile failed for parse_regex");
145 if (parse_capture_regex == NULL) {
146 FatalError(
"pcre2 compile failed for parse_capture_regex");
149 #ifdef PCRE2_HAVE_JIT
151 SCLogConfig(
"PCRE2 won't use JIT as OS doesn't allow RWX pages");
177 const uint8_t *ptr = NULL;
179 PCRE2_SIZE capture_len = 0;
191 int start_offset = 0;
197 pcre2_match_data *match =
200 ret = DetectPcreExec(det_ctx, pe, (
char *)ptr,
len, start_offset, 0, match);
203 if (ret == PCRE2_ERROR_NOMATCH) {
211 }
else if (ret >= 0) {
223 if (ret > 1 && pe->
idx != 0) {
225 for (x = 0; x < pe->
idx; x++) {
227 const char *pcre2_str_ptr = NULL;
228 ret = pcre2_substring_get_bynumber(
229 match, x + 1, (PCRE2_UCHAR8 **)&pcre2_str_ptr, &capture_len);
231 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
235 capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
236 uint8_t *str_ptr =
SCMalloc(capture_len);
238 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
241 memcpy(str_ptr, pcre2_str_ptr, capture_len);
242 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
249 const char *pcre2_str_ptr2 = NULL;
251 uint16_t key_len = (capture_len < 0xff) ? (uint16_t)capture_len : 0xff;
252 int ret2 = pcre2_substring_get_bynumber(
253 match, x + 2, (PCRE2_UCHAR8 **)&pcre2_str_ptr2, &capture_len);
257 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
260 capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
261 uint8_t *str_ptr2 =
SCMalloc(capture_len);
264 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
267 memcpy(str_ptr2, pcre2_str_ptr2, capture_len);
268 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
271 (uint8_t *)str_ptr2, (uint16_t)capture_len,
288 PCRE2_SIZE *ov = pcre2_get_ovector_pointer(match);
303 static int DetectPcreSetList(
int list,
int set)
306 SCLogError(
"only one pcre option to specify a buffer type is allowed");
312 static int DetectPcreHasUpperCase(
const char *re)
314 size_t len = strlen(re);
315 bool is_meta =
false;
316 bool is_meta_hex =
false;
317 int meta_hex_cnt = 0;
319 for (
size_t i = 0; i <
len; i++) {
323 if (meta_hex_cnt == 2) {
327 }
else if (is_meta) {
334 else if (re[i] ==
'\\') {
337 else if (isupper((
unsigned char)re[i])) {
346 const char *regexstr,
int *sm_list,
char *capture_names,
347 size_t capture_names_size,
bool negate,
AppProto *alproto)
349 pcre2_match_data *match = NULL;
355 int ret = 0, res = 0;
356 int check_host_header = 0;
357 char op_str[64] =
"";
359 bool apply_match_limit =
false;
362 char *fcap = strstr(regexstr,
"flow:");
363 char *pcap = strstr(regexstr,
"pkt:");
366 size_t slen = strlen(regexstr) + 1;
371 cut_capture = fcap - regexstr;
372 else if (pcap && !fcap)
373 cut_capture = pcap - regexstr;
377 cut_capture =
MIN((pcap - regexstr), (fcap - regexstr));
382 if (cut_capture > 1) {
383 int offset = cut_capture - 1;
386 if (regexstr[
offset] ==
',' || regexstr[
offset] ==
' ') {
393 if (cut_capture == (
offset + 1)) {
394 SCLogDebug(
"missing separators, assume it's part of the regex");
397 strlcpy(capture_names, regexstr+cut_capture, capture_names_size);
398 if (capture_names[strlen(capture_names)-1] ==
'"')
399 capture_names[strlen(capture_names)-1] =
'\0';
406 match = pcre2_match_data_create_from_pattern(parse_regex->
regex, NULL);
411 ret = pcre2_match(parse_regex->
regex, (PCRE2_SPTR8)regexstr, slen, 0, 0, match, NULL);
417 res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)re, &slen);
419 SCLogError(
"pcre2_substring_copy_bynumber failed");
420 pcre2_match_data_free(match);
425 size_t copylen =
sizeof(op_str);
426 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)op_str, ©len);
428 SCLogError(
"pcre2_substring_copy_bynumber failed");
429 pcre2_match_data_free(match);
449 opts |= PCRE2_ANCHORED;
452 opts |= PCRE2_DOLLAR_ENDONLY;
455 opts |= PCRE2_UNGREEDY;
459 opts |= PCRE2_CASELESS;
463 opts |= PCRE2_MULTILINE;
466 opts |= PCRE2_DOTALL;
469 opts |= PCRE2_EXTENDED;
473 apply_match_limit =
true;
478 SCLogError(
"regex modifier 'B' inconsistent with chosen buffer");
491 SCLogError(
"regex modifier 'U' inconsistent with 'B'");
495 *sm_list = DetectPcreSetList(*sm_list, list);
501 SCLogError(
"regex modifier 'V' inconsistent with 'B'");
505 *sm_list = DetectPcreSetList(*sm_list, list);
511 SCLogError(
"regex modifier 'W' inconsistent with 'B'");
515 *sm_list = DetectPcreSetList(*sm_list, list);
517 check_host_header = 1;
522 SCLogError(
"regex modifier 'Z' inconsistent with 'B'");
526 *sm_list = DetectPcreSetList(*sm_list, list);
532 SCLogError(
"regex modifier 'H' inconsistent with 'B'");
536 *sm_list = DetectPcreSetList(*sm_list, list);
541 SCLogError(
"regex modifier 'I' inconsistent with 'B'");
545 *sm_list = DetectPcreSetList(*sm_list, list);
551 *sm_list = DetectPcreSetList(*sm_list, list);
557 SCLogError(
"regex modifier 'M' inconsistent with 'B'");
561 *sm_list = DetectPcreSetList(*sm_list, list);
567 SCLogError(
"regex modifier 'C' inconsistent with 'B'");
571 *sm_list = DetectPcreSetList(*sm_list, list);
578 *sm_list = DetectPcreSetList(*sm_list, list);
585 *sm_list = DetectPcreSetList(*sm_list, list);
592 *sm_list = DetectPcreSetList(*sm_list, list);
599 *sm_list = DetectPcreSetList(*sm_list, list);
604 SCLogError(
"unknown regex modifier '%c'", *op);
616 if (check_host_header) {
619 "specified along with \"i(caseless)\" modifier. "
620 "Since the hostname buffer we match against "
621 "is actually lowercase, having a "
622 "nocase is redundant.");
624 else if (DetectPcreHasUpperCase(re)) {
626 "specified has an uppercase char. "
627 "Since the hostname buffer we match against "
628 "is actually lowercase, please specify an "
629 "all lowercase based pcre.");
639 if (capture_names == NULL || strlen(capture_names) == 0)
640 opts |= PCRE2_NO_AUTO_CAPTURE;
643 pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
645 opts &= ~PCRE2_NO_AUTO_CAPTURE;
647 pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
650 PCRE2_UCHAR errbuffer[256];
651 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
652 SCLogError(
"pcre2 compile of \"%s\" failed at "
654 regexstr, (
int)eo2, errbuffer);
658 #ifdef PCRE2_HAVE_JIT
665 SCLogDebug(
"PCRE2 JIT compiler does not support: %s. "
666 "Falling back to regular PCRE2 handling (%s:%d)",
674 SCLogError(
"pcre2 could not create match context");
678 if (apply_match_limit) {
679 if (pcre_match_limit >= -1) {
682 if (pcre_match_limit_recursion >= -1) {
691 pcre2_match_data_free(match);
695 pcre2_match_data_free(match);
696 DetectPcreFree(
de_ctx, pd);
706 int ret = 0, res = 0;
707 char type_str[16] =
"";
708 const char *orig_right_edge = regexstr + strlen(regexstr);
714 pcre2_match_data *match = NULL;
716 SCLogDebug(
"regexstr %s, pd %p", regexstr, pd);
718 ret = pcre2_pattern_info(pd->
parse_regex.
regex, PCRE2_INFO_CAPTURECOUNT, &capture_cnt);
719 SCLogDebug(
"ret %d capture_cnt %d", ret, capture_cnt);
720 if (ret == 0 && capture_cnt && strlen(capture_names) > 0)
723 while ((name_array[name_idx] = strtok_r(name_idx == 0 ? capture_names : NULL,
" ,", &ptr))){
724 if (name_idx > (capture_cnt - 1)) {
726 "var capture names than capturing substrings");
729 SCLogDebug(
"name '%s'", name_array[name_idx]);
731 if (strcmp(name_array[name_idx],
"pkt:key") == 0) {
739 }
else if (key == 1 && strcmp(name_array[name_idx],
"pkt:value") == 0) {
744 }
else if (key == 0 && strcmp(name_array[name_idx],
"pkt:value") == 0) {
746 }
else if (key == 1) {
749 }
else if (strncmp(name_array[name_idx],
"flow:", 5) == 0) {
755 }
else if (strncmp(name_array[name_idx],
"pkt:", 4) == 0) {
764 "var capture names must start with 'pkt:' or 'flow:'");
776 size_t cap_buffer_len = strlen(regexstr) + 1;
777 char capture_str[cap_buffer_len];
778 memset(capture_str, 0x00, cap_buffer_len);
788 pcre2_match_data_free(match);
791 copylen =
sizeof(type_str);
792 res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)type_str, ©len);
794 SCLogError(
"pcre2_substring_copy_bynumber failed");
797 cap_buffer_len = strlen(regexstr) + 1;
798 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)capture_str, &cap_buffer_len);
800 SCLogError(
"pcre2_substring_copy_bynumber failed");
803 if (strlen(capture_str) == 0 || strlen(type_str) == 0) {
811 SCLogError(
"rule can have maximally %d pkt/flow "
814 pcre2_match_data_free(match);
818 if (strcmp(type_str,
"pkt") == 0) {
823 }
else if (strcmp(type_str,
"flow") == 0) {
830 PCRE2_SIZE *ov = pcre2_get_ovector_pointer(match);
833 pcre2_match_data_free(match);
836 if (regexstr >= orig_right_edge)
842 pcre2_match_data_free(match);
846 static void *DetectPcreThreadInit(
void *data)
849 pcre2_match_data *match = pcre2_match_data_create_from_pattern(pd->
parse_regex.
regex, NULL);
853 static void DetectPcreThreadFree(
void *
ctx)
856 pcre2_match_data *match = (pcre2_match_data *)
ctx;
857 pcre2_match_data_free(match);
866 char capture_names[1024] =
"";
869 pd = DetectPcreParse(
de_ctx, regexstr, &parsed_sm_list,
874 if (DetectPcreParseCapture(regexstr,
de_ctx, pd, capture_names) < 0)
878 de_ctx,
"pcre", DetectPcreThreadInit, (
void *)pd, DetectPcreThreadFree, 0);
885 SCLogError(
"Expression seen with a sticky buffer still set; either (1) reset sticky "
886 "buffer with pkt_data or (2) use a sticky buffer providing \"%s\".",
895 switch (parsed_sm_list) {
909 sm_list = parsed_sm_list;
922 for (uint8_t x = 0; x < pd->
idx; x++) {
936 "preceding match in the same buffer");
939 }
else if (prev_pm == NULL) {
953 DetectPcreFree(
de_ctx, pd);
967 for (uint8_t i = 0; i < pd->
idx; i++) {
975 static int g_file_data_buffer_id = 0;
976 static int g_http_header_buffer_id = 0;
977 static int g_dce_stub_data_buffer_id = 0;
982 static int DetectPcreParseTest01 (
void)
986 const char *teststring =
"/blah/7";
992 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1002 static int DetectPcreParseTest02 (
void)
1006 const char *teststring =
"/blah/Ui$";
1012 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1023 static int DetectPcreParseTest03 (
void)
1027 const char *teststring =
"/blah/UNi";
1033 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1043 static int DetectPcreParseTest04 (
void)
1047 const char *teststring =
"/b\\\"lah/i";
1053 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1057 DetectPcreFree(
de_ctx, pd);
1065 static int DetectPcreParseTest05 (
void)
1069 const char *teststring =
"/b(l|a)h/";
1075 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1079 DetectPcreFree(
de_ctx, pd);
1087 static int DetectPcreParseTest06 (
void)
1091 const char *teststring =
"/b(l|a)h/smi";
1097 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1101 DetectPcreFree(
de_ctx, pd);
1109 static int DetectPcreParseTest07 (
void)
1113 const char *teststring =
"/blah/Ui";
1119 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1123 DetectPcreFree(
de_ctx, pd);
1131 static int DetectPcreParseTest08 (
void)
1135 const char *teststring =
"/b(l|a)h/O";
1141 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1145 DetectPcreFree(
de_ctx, pd);
1154 static int DetectPcreParseTest09 (
void)
1157 const char *teststring =
"/lala\\\\/";
1163 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1166 DetectPcreFree(
de_ctx, pd);
1174 static int DetectPcreParseTest10(
void)
1203 static int DetectPcreParseTest15(
void)
1211 "alert tcp any any -> any any "
1212 "(msg:\"Testing pcre relative http_method\"; "
1214 "http_method; pcre:\"/abc/RM\"; sid:1;)");
1226 static int DetectPcreParseTest16(
void)
1234 "alert tcp any any -> any any "
1235 "(msg:\"Testing pcre relative http_cookie\"; "
1236 "content:\"test\"; "
1237 "http_cookie; pcre:\"/abc/RC\"; sid:1;)");
1248 static int DetectPcreParseTest17(
void)
1256 "alert tcp any any -> any any "
1257 "(msg:\"Testing pcre relative http_raw_header\"; "
1258 "flow:to_server; content:\"test\"; "
1259 "http_raw_header; pcre:\"/abc/RD\"; sid:1;)");
1270 static int DetectPcreParseTest18(
void)
1278 "alert tcp any any -> any any "
1279 "(msg:\"Testing pcre relative http_header\"; "
1280 "content:\"test\"; "
1281 "http_header; pcre:\"/abc/RH\"; sid:1;)");
1292 static int DetectPcreParseTest19(
void)
1300 "alert tcp any any -> any any "
1301 "(msg:\"Testing pcre relative http_client_body\"; "
1302 "content:\"test\"; "
1303 "http_client_body; pcre:\"/abc/RP\"; sid:1;)");
1314 static int DetectPcreParseTest20(
void)
1322 "alert tcp any any -> any any "
1323 "(msg:\"Testing http_raw_uri\"; "
1324 "content:\"test\"; "
1325 "http_raw_uri; pcre:\"/abc/RI\"; sid:1;)");
1336 static int DetectPcreParseTest21(
void)
1344 "alert tcp any any -> any any "
1345 "(msg:\"Testing pcre relative uricontent\"; "
1346 "uricontent:\"test\"; "
1347 "pcre:\"/abc/RU\"; sid:1;)");
1358 static int DetectPcreParseTest22(
void)
1366 "alert tcp any any -> any any "
1367 "(msg:\"Testing pcre relative http_uri\"; "
1368 "content:\"test\"; "
1369 "http_uri; pcre:\"/abc/RU\"; sid:1;)");
1380 static int DetectPcreParseTest23(
void)
1388 "alert tcp any any -> any any "
1389 "(msg:\"Testing inconsistent pcre relative\"; "
1391 "http_cookie; pcre:\"/abc/RM\"; sid:1;)");
1402 static int DetectPcreParseTest24(
void)
1410 "alert tcp any any -> any any "
1411 "(msg:\"Testing inconsistent pcre modifiers\"; "
1412 "pcre:\"/abc/UI\"; sid:1;)");
1423 static int DetectPcreParseTest25(
void)
1431 "alert tcp any any -> any any "
1432 "(msg:\"Testing inconsistent pcre modifiers\"; "
1433 "pcre:\"/abc/DH\"; sid:1;)");
1444 static int DetectPcreParseTest26(
void)
1452 "alert http any any -> any any "
1453 "(msg:\"Testing inconsistent pcre modifiers\"; "
1454 "pcre:\"/abc/F\"; sid:1;)");
1465 static int DetectPcreParseTest27(
void)
1473 "(content:\"baduricontent\"; http_raw_uri; "
1474 "pcre:\"/^[a-z]{5}\\.html/R\"; sid:2; rev:2;)");
1485 static int DetectPcreParseTest28(
void)
1493 "(content:\"|2E|suricata\"; http_host; pcre:\"/\\x2Esuricata$/W\"; "
1501 static int DetectPcreTestSig01(
void)
1503 uint8_t *buf = (uint8_t *)
"lalala lalala\\ lala\n";
1504 uint16_t buflen = strlen((
char *)buf);
1508 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ "
1509 "lalala\\\\/\"; sid:1;)";
1522 static int DetectPcreTestSig02(
void)
1524 uint8_t *buf = (uint8_t *)
"lalala\n";
1525 uint16_t buflen = strlen((
char *)buf);
1528 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1529 "pcre:\"/^(la)+$/\"; sid:1;)";
1538 static int DetectPcreTestSig03(
void)
1541 uint8_t *buf = (uint8_t *)
"lalala";
1542 uint16_t buflen = strlen((
char *)buf);
1545 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1546 "pcre:\"/^(la)+$/\"; sid:1;)";
1556 static int DetectPcreTxBodyChunksTest01(
void)
1561 uint8_t httpbuf1[] =
"GET / HTTP/1.1\r\n";
1562 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1563 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1564 uint8_t httpbuf4[] =
"Body one!!";
1565 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1566 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1567 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1568 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1569 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1570 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1571 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1572 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1573 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1574 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1577 memset(&f, 0,
sizeof(f));
1578 memset(&ssn, 0,
sizeof(ssn));
1584 f.
proto = IPPROTO_TCP;
1655 static int DetectPcreTxBodyChunksTest02(
void)
1663 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1664 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1665 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1666 uint8_t httpbuf4[] =
"Body one!!";
1667 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1668 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1669 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1670 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1671 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1672 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1673 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1674 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1675 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1676 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1679 memset(&th_v, 0,
sizeof(th_v));
1680 memset(&f, 0,
sizeof(f));
1681 memset(&ssn, 0,
sizeof(ssn));
1687 f.
proto = IPPROTO_TCP;
1703 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1705 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
1795 if (det_ctx != NULL) {
1810 static int DetectPcreTxBodyChunksTest03(
void)
1818 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1819 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1820 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1821 uint8_t httpbuf4[] =
"Body one!!";
1822 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1823 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1824 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1825 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1826 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1827 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1828 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1829 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1830 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1831 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1834 memset(&th_v, 0,
sizeof(th_v));
1835 memset(&f, 0,
sizeof(f));
1836 memset(&ssn, 0,
sizeof(ssn));
1842 f.
proto = IPPROTO_TCP;
1858 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1860 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
1932 if (det_ctx != NULL) {
1949 static int DetectPcreParseHttpHost(
void)
1957 DetectPcreData *pd = DetectPcreParse(
de_ctx,
"/domain\\.com/W", &list, NULL, 0,
false, &alproto);
1959 DetectPcreFree(
de_ctx, pd);
1962 pd = DetectPcreParse(
de_ctx,
"/dOmain\\.com/W", &list, NULL, 0,
false, &alproto);
1967 pd = DetectPcreParse(
de_ctx,
"/domain\\D+\\.com/W", &list, NULL, 0,
false, &alproto);
1969 DetectPcreFree(
de_ctx, pd);
1974 pd = DetectPcreParse(
de_ctx,
"/\\\\Ddomain\\.com/W", &list, NULL, 0,
false, &alproto);
1984 static int DetectPcreParseCaptureTest(
void)
1990 "(content:\"Server: \"; http_header; pcre:\"/(.*)\\r\\n/HR, flow:somecapture\"; content:\"xyz\"; http_header; sid:1;)");
1993 "(content:\"Server: \"; http_header; pcre:\"/(flow:.*)\\r\\n/HR\"; content:\"xyz\"; http_header; sid:2;)");
1996 "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)([0-9]+)\\r\\n/HR, flow:somecapture, pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
1999 "alert http any any -> any any "
2000 "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)\\r\\n/HR, flow:somecapture, "
2001 "pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2019 static void DetectPcreRegisterTests(
void)
2051 UtRegisterTest(
"DetectPcreTestSig02 -- anchored pcre", DetectPcreTestSig02);
2052 UtRegisterTest(
"DetectPcreTestSig03 -- anchored pcre", DetectPcreTestSig03);
2055 DetectPcreTxBodyChunksTest01);
2056 UtRegisterTest(
"DetectPcreTxBodyChunksTest02 -- modifier P, body chunks per tx",
2057 DetectPcreTxBodyChunksTest02);
2058 UtRegisterTest(
"DetectPcreTxBodyChunksTest03 -- modifier P, body chunks per tx",
2059 DetectPcreTxBodyChunksTest03);
2061 UtRegisterTest(
"DetectPcreParseHttpHost", DetectPcreParseHttpHost);
2062 UtRegisterTest(
"DetectPcreParseCaptureTest", DetectPcreParseCaptureTest);