/* Matches a named-capture header of the form (?P<type_name> inside a rule's
 * expression: group 1 is the type prefix, group 2 the variable name.
 * NOTE(review): [A-z] is not [A-Za-z]. In ASCII the range 0x41-0x7A also
 * admits the six characters between 'Z' and 'a' (square brackets, backslash,
 * caret, underscore, backtick). The type is later compared against the fixed
 * strings "pkt", "flow" and "alert", so a stray character presumably only
 * yields an unrecognised type, but [A-Za-z] would state the intent exactly. */
66 #define PARSE_CAPTURE_REGEX "\\(\\?P\\<([A-z]+)\\_([A-z0-9_]+)\\>"
/* Splits a pcre option of the form /expression/modifiers: group 1 is the text
 * between the delimiting slashes, group 2 the trailing modifier characters
 * (anything except a double quote). The lookbehinds keep a backslash-escaped
 * slash from being taken as a delimiter. */
67 #define PARSE_REGEX "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"
/* Engine-wide match limits. Both start at 0 and are assigned from a
 * configuration value ((int)val) in the setup code further down. */
69 static int pcre_match_limit = 0;
70 static int pcre_match_limit_recursion = 0;
/* JIT is enabled by default. The setup code logs that JIT will not be used
 * when the OS disallows RWX pages; presumably this flag is cleared there
 * (the assignment is not visible in this listing). */
76 static int pcre2_use_jit = 1;
84 const char *
str,
const size_t strlen,
int start_offset,
int options,
85 pcre2_match_data *match)
94 static void DetectPcreRegisterTests(
void);
/* Fragment of the setup path that loads the engine-wide PCRE limits. Most
 * lines, including the branch conditions around the three log calls, are
 * elided in this listing. */
115 SCLogDebug(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
/* NOTE(review): narrowing cast. val's declaration and any range check are not
 * visible here; confirm that out-of-range configuration values are rejected
 * before this assignment, since a wrapped value would silently change the
 * bound placed on backtracking. */
117 pcre_match_limit = (int)val;
119 SCLogInfo(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
121 SCLogDebug(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
/* The lookup result is negated, so this branch runs when SCConfGetInt returns
 * zero -- presumably meaning the key could not be read. */
127 if (!
SCConfGetInt(
"pcre.match-limit-recursion", &val)) {
129 SCLogDebug(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
/* NOTE(review): same narrowing cast as for pcre_match_limit above. */
131 pcre_match_limit_recursion = (int)val;
133 SCLogInfo(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
135 SCLogDebug(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
140 if (parse_regex == NULL) {
141 FatalError(
"pcre2 compile failed for parse_regex");
147 if (parse_capture_regex == NULL) {
148 FatalError(
"pcre2 compile failed for parse_capture_regex");
/* JIT-only section. The message ties JIT use to the OS permitting pages that
 * are readable, writable and executable (RWX); on hosts whose memory
 * hardening forbids such mappings JIT is reported as unused. The probe itself
 * and the resulting change to pcre2_use_jit are elided in this listing. */
151 #ifdef PCRE2_HAVE_JIT
153 SCLogConfig(
"PCRE2 won't use JIT as OS doesn't allow RWX pages");
160 uint8_t *str_ptr, uint16_t capture_len)
165 if (json_key == NULL) {
177 SCJsonBuilder *js = SCJbNewObject();
182 SCJbSetStringFromBytes(js, json_key, str_ptr, capture_len);
183 uint32_t js_len = (uint32_t)SCJbLen(js);
185 SCLogDebug(
"Captured length is too long for JSON.");
191 SCLogDebug(
"Captured length is zero for JSON.");
229 const uint8_t *ptr = NULL;
231 PCRE2_SIZE capture_len = 0;
243 int start_offset = 0;
249 pcre2_match_data *match =
252 ret = DetectPcreExec(det_ctx, pe, (
char *)ptr,
len, start_offset, 0, match);
255 if (ret == PCRE2_ERROR_NOMATCH) {
263 }
else if (ret >= 0) {
275 if (ret > 1 && pe->
idx != 0) {
277 for (x = 0; x < pe->
idx; x++) {
/* Fragment of the per-capture loop: copies captured substrings out of the
 * PCRE2 match data into engine-owned buffers. The branch conditions between
 * these statements are elided in this listing. */
279 const char *pcre2_str_ptr = NULL;
/* Capture groups are numbered from 1, hence x + 1. */
280 ret = pcre2_substring_get_bynumber(
281 match, x + 1, (PCRE2_UCHAR8 **)&pcre2_str_ptr, &capture_len);
283 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
/* Clamp before allocating and copying: the capture length depends on the
 * matched buffer, so it is capped at 0xffff. This bounds the allocation and
 * keeps the later (uint16_t) casts lossless. */
287 capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
/* NOTE(review): capture_len can be 0 for an empty group; the NULL check on
 * the allocation is elided -- confirm a zero-length request is handled as
 * intended. */
288 uint8_t *str_ptr =
SCMalloc(capture_len);
290 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
293 memcpy(str_ptr, pcre2_str_ptr, capture_len);
/* The PCRE2-owned substring is released on each of the three visible paths. */
294 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
301 const char *pcre2_str_ptr2 = NULL;
/* key_len is taken from the first capture's length (capped at 0xff) before
 * the next lookup overwrites capture_len; the order of these two statements
 * matters. */
303 uint16_t key_len = (capture_len < 0xff) ? (uint16_t)capture_len : 0xff;
304 int ret2 = pcre2_substring_get_bynumber(
305 match, x + 2, (PCRE2_UCHAR8 **)&pcre2_str_ptr2, &capture_len);
309 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
/* Same 0xffff clamp for the second capture. */
312 capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
313 uint8_t *str_ptr2 =
SCMalloc(capture_len);
316 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
319 memcpy(str_ptr2, pcre2_str_ptr2, capture_len);
320 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
323 (uint8_t *)str_ptr2, (uint16_t)capture_len,
/* NOTE(review): capture_len is shared by both captures. Confirm this call
 * sits on a branch where it still holds the length of str_ptr rather than
 * the length written by the second lookup above. */
335 (void)DetectAlertStoreMatch(det_ctx, s, pe->
capids[x], (uint8_t *)str_ptr,
336 (uint16_t)capture_len);
345 PCRE2_SIZE *ov = pcre2_get_ovector_pointer(match);
347 det_ctx->
buffer_offset = (uint32_t)((ptr + ov[1]) - payload);
360 static int DetectPcreSetList(
int list,
int set)
363 SCLogError(
"only one pcre option to specify a buffer type is allowed");
/* Reports whether the expression text contains a backslash immediately
 * followed by 'X' anywhere. This is a plain substring search: it does not
 * track escaping, so an escaped backslash followed by a literal X is reported
 * as well. re must be a non-NULL, NUL-terminated string. */
369 static bool DetectPcreHasUnicodeCluster(
const char *re)
371 return strstr(re,
"\\X") != NULL;
/* Scans the expression text for an uppercase character. The is_meta,
 * is_meta_hex and meta_hex_cnt flags appear to skip backslash escapes (and,
 * presumably, the two hex digits of a hex escape) so that a class escape is
 * not counted as an uppercase literal; the statements inside each branch are
 * elided in this listing. re must be a non-NULL, NUL-terminated string. */
374 static int DetectPcreHasUpperCase(
const char *re)
376 size_t len = strlen(re);
377 bool is_meta =
false;
378 bool is_meta_hex =
false;
379 int meta_hex_cnt = 0;
381 for (
size_t i = 0; i <
len; i++) {
385 if (meta_hex_cnt == 2) {
389 }
else if (is_meta) {
396 else if (re[i] ==
'\\') {
/* The cast to unsigned char keeps isupper() defined for bytes >= 0x80 on
 * platforms where plain char is signed. */
399 else if (isupper((
unsigned char)re[i])) {
408 const char *regexstr,
int *sm_list,
char *capture_names,
409 size_t capture_names_size,
bool negate,
AppProto *alproto)
411 pcre2_match_data *match = NULL;
417 int ret = 0, res = 0;
418 int check_host_header = 0;
419 char op_str[64] =
"";
421 bool apply_match_limit =
false;
424 const char *fcap = strstr(regexstr,
"flow:");
425 const char *pcap = strstr(regexstr,
"pkt:");
426 const char *acap = strstr(regexstr,
"alert:");
429 size_t slen = strlen(regexstr) + 1;
430 if (fcap || pcap || acap) {
437 cut_capture = (int)(fcap - regexstr);
441 cut_capture = (int)
MIN(cut_capture, (pcap - regexstr));
443 cut_capture = (int)(pcap - regexstr);
449 cut_capture =
MIN(cut_capture, (
int)(acap - regexstr));
451 cut_capture = (int)(acap - regexstr);
456 if (cut_capture > 1) {
457 int offset = cut_capture - 1;
460 if (regexstr[
offset] ==
',' || regexstr[
offset] ==
' ') {
467 if (cut_capture == (
offset + 1)) {
468 SCLogDebug(
"missing separators, assume it's part of the regex");
/* Copy the capture-name list that follows the expression; the copy is bounded
 * by capture_names_size. A single trailing double quote is then stripped.
 * NOTE(review): strlen(capture_names)-1 wraps to SIZE_MAX if the string is
 * empty, and the unit tests call DetectPcreParse with capture_names == NULL
 * and size 0. The source offset points at a "flow:", "pkt:" or "alert:"
 * token, so the copy is non-empty whenever the buffer holds at least two
 * bytes; a guard for a NULL or undersized buffer is not visible in this
 * listing -- confirm one exists on this path. */
471 strlcpy(capture_names, regexstr+cut_capture, capture_names_size);
472 if (capture_names[strlen(capture_names)-1] ==
'"')
473 capture_names[strlen(capture_names)-1] =
'\0';
481 match = pcre2_match_data_create_from_pattern(parse_regex->
regex, NULL);
486 ret = pcre2_match(parse_regex->
regex, (PCRE2_SPTR8)regexstr, slen, 0, 0, match, NULL);
492 res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)re, &slen);
494 SCLogError(
"pcre2_substring_copy_bynumber failed");
495 pcre2_match_data_free(match);
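/* Copy the modifier characters (group 2) into op_str. copylen carries the
 * size of the 64-byte stack buffer in and the copied length out, so an
 * over-long modifier string makes the call fail instead of overrunning
 * op_str. (The length argument had been garbled to a copyright sign by an
 * HTML-entity conversion of "&copy"; it is restored to &copylen here.) */
500 size_t copylen =
sizeof(op_str);
501 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)op_str, &copylen);
503 SCLogError(
"pcre2_substring_copy_bynumber failed");
504 pcre2_match_data_free(match);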
524 opts |= PCRE2_ANCHORED;
527 opts |= PCRE2_DOLLAR_ENDONLY;
530 opts |= PCRE2_UNGREEDY;
534 opts |= PCRE2_CASELESS;
538 opts |= PCRE2_MULTILINE;
541 opts |= PCRE2_DOTALL;
544 opts |= PCRE2_EXTENDED;
548 apply_match_limit =
true;
553 SCLogError(
"regex modifier 'B' inconsistent with chosen buffer");
566 SCLogError(
"regex modifier 'U' inconsistent with 'B'");
570 *sm_list = DetectPcreSetList(*sm_list, list);
576 SCLogError(
"regex modifier 'V' inconsistent with 'B'");
580 *sm_list = DetectPcreSetList(*sm_list, list);
586 SCLogError(
"regex modifier 'W' inconsistent with 'B'");
590 *sm_list = DetectPcreSetList(*sm_list, list);
592 check_host_header = 1;
597 SCLogError(
"regex modifier 'Z' inconsistent with 'B'");
601 *sm_list = DetectPcreSetList(*sm_list, list);
607 SCLogError(
"regex modifier 'H' inconsistent with 'B'");
611 *sm_list = DetectPcreSetList(*sm_list, list);
616 SCLogError(
"regex modifier 'I' inconsistent with 'B'");
620 *sm_list = DetectPcreSetList(*sm_list, list);
626 *sm_list = DetectPcreSetList(*sm_list, list);
632 SCLogError(
"regex modifier 'M' inconsistent with 'B'");
636 *sm_list = DetectPcreSetList(*sm_list, list);
642 SCLogError(
"regex modifier 'C' inconsistent with 'B'");
646 *sm_list = DetectPcreSetList(*sm_list, list);
653 *sm_list = DetectPcreSetList(*sm_list, list);
660 *sm_list = DetectPcreSetList(*sm_list, list);
667 *sm_list = DetectPcreSetList(*sm_list, list);
674 *sm_list = DetectPcreSetList(*sm_list, list);
679 SCLogError(
"unknown regex modifier '%c'", *op);
691 if (check_host_header) {
694 "specified along with \"i(caseless)\" modifier. "
695 "Since the hostname buffer we match against "
696 "is actually lowercase, having a "
697 "nocase is redundant.");
699 else if (DetectPcreHasUpperCase(re)) {
701 "specified has an uppercase char. "
702 "Since the hostname buffer we match against "
703 "is actually lowercase, please specify an "
704 "all lowercase based pcre.");
/* With no capture names requested, numbered capture groups are disabled. */
714 if (capture_names == NULL || strlen(capture_names) == 0)
715 opts |= PCRE2_NO_AUTO_CAPTURE;
/* Expressions containing the \X escape get separate handling that is
 * compiled only in fuzzing builds; what that handling does is elided here. */
718 if (DetectPcreHasUnicodeCluster(re)) {
719 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
727 pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
/* Second compile with auto-capture re-enabled -- presumably a retry after the
 * first compile failed (the condition is not visible in this listing). */
729 opts &= ~PCRE2_NO_AUTO_CAPTURE;
731 pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
734 PCRE2_UCHAR errbuffer[256];
735 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
736 SCLogError(
"pcre2 compile of \"%s\" failed at "
738 regexstr, (
int)eo2, errbuffer);
742 #ifdef PCRE2_HAVE_JIT
749 SCLogDebug(
"PCRE2 JIT compiler does not support: %s. "
750 "Falling back to regular PCRE2 handling (%s:%d)",
758 SCLogError(
"pcre2 could not create match context");
/* The configured limits are consulted only when apply_match_limit was set
 * while parsing the modifiers, and only for values >= -1.
 * NOTE(review): the statements inside these branches and any else branch are
 * elided. The match limit is what bounds backtracking on inspected input, so
 * confirm that expressions without the flag still receive a limit. */
762 if (apply_match_limit) {
763 if (pcre_match_limit >= -1) {
766 if (pcre_match_limit_recursion >= -1) {
775 pcre2_match_data_free(match);
779 pcre2_match_data_free(match);
780 DetectPcreFree(
de_ctx, pd);
790 int ret = 0, res = 0;
791 char type_str[16] =
"";
792 const char *orig_right_edge = regexstr + strlen(regexstr);
798 pcre2_match_data *match = NULL;
800 SCLogDebug(
"regexstr %s, pd %p", regexstr, pd);
802 ret = pcre2_pattern_info(pd->
parse_regex.
regex, PCRE2_INFO_CAPTURECOUNT, &capture_cnt);
803 SCLogDebug(
"ret %d capture_cnt %d", ret, capture_cnt);
804 if (ret == 0 && capture_cnt && strlen(capture_names) > 0)
807 while ((name_array[name_idx] = strtok_r(name_idx == 0 ? capture_names : NULL,
" ,", &ptr))){
808 if (name_idx > (capture_cnt - 1)) {
810 "var capture names than capturing substrings");
813 SCLogDebug(
"name '%s'", name_array[name_idx]);
815 if (strcmp(name_array[name_idx],
"pkt:key") == 0) {
823 }
else if (key == 1 && strcmp(name_array[name_idx],
"pkt:value") == 0) {
828 }
else if (key == 0 && strcmp(name_array[name_idx],
"pkt:value") == 0) {
830 }
else if (key == 1) {
833 }
else if (strncmp(name_array[name_idx],
"flow:", 5) == 0) {
834 uint32_t varname_id =
842 }
else if (strncmp(name_array[name_idx],
"pkt:", 4) == 0) {
843 uint32_t varname_id =
852 }
else if (strncmp(name_array[name_idx],
"alert:", 6) == 0) {
853 uint32_t varname_id =
863 "var capture names must start with 'pkt:' or 'flow:'");
/* Scratch buffer for one capture name, sized to hold the whole option text.
 * NOTE(review): this is a variable-length array on the stack whose size is
 * strlen(regexstr) + 1. Nothing in this listing caps the option length;
 * confirm the rule parser bounds it, or use a heap buffer, so that an
 * oversized rule cannot exhaust the stack at load time. */
875 size_t cap_buffer_len = strlen(regexstr) + 1;
877 char capture_str[cap_buffer_len];
878 memset(capture_str, 0x00, cap_buffer_len);
888 pcre2_match_data_free(match);
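/* Group 1 (the capture type) goes into the 16-byte type_str; copylen passes
 * the buffer size so an over-long type makes the call fail rather than
 * overrun the buffer. (The length argument had been garbled to a copyright
 * sign by an HTML-entity conversion of "&copy"; it is restored to &copylen
 * here.) */
891 copylen =
sizeof(type_str);
892 res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)type_str, &copylen);
894 SCLogError(
"pcre2_substring_copy_bynumber failed");
/* Group 2 (the variable name) goes into capture_str; the length is reset to
 * that buffer's size because the previous call may have overwritten it. */
897 cap_buffer_len = strlen(regexstr) + 1;
898 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)capture_str, &cap_buffer_len);
900 SCLogError(
"pcre2_substring_copy_bynumber failed");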
903 if (strlen(capture_str) == 0 || strlen(type_str) == 0) {
911 SCLogError(
"rule can have maximally %d pkt/flow "
914 pcre2_match_data_free(match);
918 if (strcmp(type_str,
"pkt") == 0) {
926 }
else if (strcmp(type_str,
"flow") == 0) {
933 }
else if (strcmp(type_str,
"alert") == 0) {
943 PCRE2_SIZE *ov = pcre2_get_ovector_pointer(match);
946 pcre2_match_data_free(match);
949 if (regexstr >= orig_right_edge)
955 pcre2_match_data_free(match);
959 static void *DetectPcreThreadInit(
void *data)
962 pcre2_match_data *match = pcre2_match_data_create_from_pattern(pd->
parse_regex.
regex, NULL);
966 static void DetectPcreThreadFree(
void *
ctx)
969 pcre2_match_data *match = (pcre2_match_data *)
ctx;
970 pcre2_match_data_free(match);
979 char capture_names[1024] =
"";
982 pd = DetectPcreParse(
de_ctx, regexstr, &parsed_sm_list,
987 if (DetectPcreParseCapture(regexstr,
de_ctx, pd, capture_names) < 0)
991 de_ctx,
"pcre", DetectPcreThreadInit, (
void *)pd, DetectPcreThreadFree, 0);
998 SCLogError(
"Expression seen with a sticky buffer still set; either (1) reset sticky "
999 "buffer with pkt_data or (2) use a sticky buffer providing \"%s\".",
1008 switch (parsed_sm_list) {
1022 sm_list = parsed_sm_list;
1035 for (uint8_t x = 0; x < pd->
idx; x++) {
1049 "preceding match in the same buffer");
1052 }
else if (prev_pm == NULL) {
1066 DetectPcreFree(
de_ctx, pd);
1080 for (uint8_t i = 0; i < pd->
idx; i++) {
1088 static int g_file_data_buffer_id = 0;
1089 static int g_http_header_buffer_id = 0;
1090 static int g_dce_stub_data_buffer_id = 0;
1095 static int DetectPcreParseTest01 (
void)
1098 const char *teststring =
"/blah/7";
1104 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1114 static int DetectPcreParseTest02 (
void)
1117 const char *teststring =
"/blah/Ui$";
1123 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1134 static int DetectPcreParseTest03 (
void)
1137 const char *teststring =
"/blah/UNi";
1143 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1153 static int DetectPcreParseTest04 (
void)
1156 const char *teststring =
"/b\\\"lah/i";
1162 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1166 DetectPcreFree(
de_ctx, pd);
1174 static int DetectPcreParseTest05 (
void)
1177 const char *teststring =
"/b(l|a)h/";
1183 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1187 DetectPcreFree(
de_ctx, pd);
1195 static int DetectPcreParseTest06 (
void)
1198 const char *teststring =
"/b(l|a)h/smi";
1204 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1208 DetectPcreFree(
de_ctx, pd);
1216 static int DetectPcreParseTest07 (
void)
1219 const char *teststring =
"/blah/Ui";
1225 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1229 DetectPcreFree(
de_ctx, pd);
1237 static int DetectPcreParseTest08 (
void)
1240 const char *teststring =
"/b(l|a)h/O";
1246 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1250 DetectPcreFree(
de_ctx, pd);
1259 static int DetectPcreParseTest09 (
void)
1262 const char *teststring =
"/lala\\\\/";
1268 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1271 DetectPcreFree(
de_ctx, pd);
1279 static int DetectPcreParseTest10(
void)
1309 static int DetectPcreParseTest15(
void)
1316 "alert tcp any any -> any any "
1317 "(msg:\"Testing pcre relative http_method\"; "
1319 "http_method; pcre:\"/abc/RM\"; sid:1;)");
1329 static int DetectPcreParseTest16(
void)
1336 "alert tcp any any -> any any "
1337 "(msg:\"Testing pcre relative http_cookie\"; "
1338 "content:\"test\"; "
1339 "http_cookie; pcre:\"/abc/RC\"; sid:1;)");
1348 static int DetectPcreParseTest17(
void)
1355 "alert tcp any any -> any any "
1356 "(msg:\"Testing pcre relative http_raw_header\"; "
1357 "flow:to_server; content:\"test\"; "
1358 "http_raw_header; pcre:\"/abc/RD\"; sid:1;)");
1367 static int DetectPcreParseTest18(
void)
1374 "alert tcp any any -> any any "
1375 "(msg:\"Testing pcre relative http_header\"; "
1376 "content:\"test\"; "
1377 "http_header; pcre:\"/abc/RH\"; sid:1;)");
1386 static int DetectPcreParseTest19(
void)
1393 "alert tcp any any -> any any "
1394 "(msg:\"Testing pcre relative http_client_body\"; "
1395 "content:\"test\"; "
1396 "http_client_body; pcre:\"/abc/RP\"; sid:1;)");
1405 static int DetectPcreParseTest20(
void)
1413 "alert tcp any any -> any any "
1414 "(msg:\"Testing http_raw_uri\"; "
1415 "content:\"test\"; "
1416 "http_raw_uri; pcre:\"/abc/RI\"; sid:1;)");
1425 static int DetectPcreParseTest21(
void)
1433 "alert tcp any any -> any any "
1434 "(msg:\"Testing pcre relative uricontent\"; "
1435 "uricontent:\"test\"; "
1436 "pcre:\"/abc/RU\"; sid:1;)");
1445 static int DetectPcreParseTest22(
void)
1453 "alert tcp any any -> any any "
1454 "(msg:\"Testing pcre relative http_uri\"; "
1455 "content:\"test\"; "
1456 "http_uri; pcre:\"/abc/RU\"; sid:1;)");
1465 static int DetectPcreParseTest23(
void)
1473 "alert tcp any any -> any any "
1474 "(msg:\"Testing inconsistent pcre relative\"; "
1476 "http_cookie; pcre:\"/abc/RM\"; sid:1;)");
1485 static int DetectPcreParseTest24(
void)
1493 "alert tcp any any -> any any "
1494 "(msg:\"Testing inconsistent pcre modifiers\"; "
1495 "pcre:\"/abc/UI\"; sid:1;)");
1504 static int DetectPcreParseTest25(
void)
1512 "alert tcp any any -> any any "
1513 "(msg:\"Testing inconsistent pcre modifiers\"; "
1514 "pcre:\"/abc/DH\"; sid:1;)");
1523 static int DetectPcreParseTest26(
void)
1531 "alert http any any -> any any "
1532 "(msg:\"Testing inconsistent pcre modifiers\"; "
1533 "pcre:\"/abc/F\"; sid:1;)");
1542 static int DetectPcreParseTest27(
void)
1550 "(content:\"baduricontent\"; http_raw_uri; "
1551 "pcre:\"/^[a-z]{5}\\.html/R\"; sid:2; rev:2;)");
1560 static int DetectPcreParseTest28(
void)
1568 "(content:\"|2E|suricata\"; http_host; pcre:\"/\\x2Esuricata$/W\"; "
1576 static int DetectPcreTestSig01(
void)
1578 uint8_t *buf = (uint8_t *)
"lalala lalala\\ lala\n";
1579 uint16_t buflen = strlen((
char *)buf);
1582 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ "
1583 "lalala\\\\/\"; sid:1;)";
1591 static int DetectPcreTestSig02(
void)
1593 uint8_t *buf = (uint8_t *)
"lalala\n";
1594 uint16_t buflen = strlen((
char *)buf);
1597 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1598 "pcre:\"/^(la)+$/\"; sid:1;)";
1606 static int DetectPcreTestSig03(
void)
1609 uint8_t *buf = (uint8_t *)
"lalala";
1610 uint16_t buflen = strlen((
char *)buf);
1613 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1614 "pcre:\"/^(la)+$/\"; sid:1;)";
1623 static int DetectPcreTxBodyChunksTest01(
void)
1628 uint8_t httpbuf1[] =
"GET / HTTP/1.1\r\n";
1629 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1630 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1631 uint8_t httpbuf4[] =
"Body one!!";
1632 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1633 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1634 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1635 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1636 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1637 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1638 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1639 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1640 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1641 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1644 memset(&f, 0,
sizeof(f));
1645 memset(&ssn, 0,
sizeof(ssn));
1651 f.
proto = IPPROTO_TCP;
1721 static int DetectPcreTxBodyChunksTest02(
void)
1729 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1730 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1731 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1732 uint8_t httpbuf4[] =
"Body one!!";
1733 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1734 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1735 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1736 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1737 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1738 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1739 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1740 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1741 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1742 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1747 memset(&f, 0,
sizeof(f));
1748 memset(&ssn, 0,
sizeof(ssn));
1754 f.
proto = IPPROTO_TCP;
1770 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1772 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
1871 static int DetectPcreTxBodyChunksTest03(
void)
1879 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1880 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1881 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1882 uint8_t httpbuf4[] =
"Body one!!";
1883 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1884 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1885 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1886 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1887 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1888 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1889 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1890 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1891 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1892 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1897 memset(&f, 0,
sizeof(f));
1898 memset(&ssn, 0,
sizeof(ssn));
1904 f.
proto = IPPROTO_TCP;
1920 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1922 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
/* Unit test for the 'W' (host) modifier's case handling. Four expressions are
 * parsed: all lowercase, one with an uppercase letter, one using the \D class
 * escape, and one with an escaped backslash followed by a literal 'D'. Only
 * the first and third are followed by DetectPcreFree, which suggests the
 * other two are expected to be rejected; the assertions themselves are elided
 * in this listing. */
2006 static int DetectPcreParseHttpHost(
void)
2014 DetectPcreData *pd = DetectPcreParse(
de_ctx,
"/domain\\.com/W", &list, NULL, 0,
false, &alproto);
2016 DetectPcreFree(
de_ctx, pd);
/* Uppercase literal in a host expression. */
2019 pd = DetectPcreParse(
de_ctx,
"/dOmain\\.com/W", &list, NULL, 0,
false, &alproto);
/* Uppercase letter that is part of an escape, not a literal. */
2024 pd = DetectPcreParse(
de_ctx,
"/domain\\D+\\.com/W", &list, NULL, 0,
false, &alproto);
2026 DetectPcreFree(
de_ctx, pd);
/* Escaped backslash, so the 'D' that follows is a literal uppercase letter. */
2031 pd = DetectPcreParse(
de_ctx,
"/\\\\Ddomain\\.com/W", &list, NULL, 0,
false, &alproto);
2041 static int DetectPcreParseCaptureTest(
void)
2047 "(content:\"Server: \"; http_header; pcre:\"/(.*)\\r\\n/HR, flow:somecapture\"; content:\"xyz\"; http_header; sid:1;)");
2050 "(content:\"Server: \"; http_header; pcre:\"/(flow:.*)\\r\\n/HR\"; content:\"xyz\"; http_header; sid:2;)");
2053 "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)([0-9]+)\\r\\n/HR, flow:somecapture, pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2056 "alert http any any -> any any "
2057 "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)\\r\\n/HR, flow:somecapture, "
2058 "pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2076 static void DetectPcreRegisterTests(
void)
2108 UtRegisterTest(
"DetectPcreTestSig02 -- anchored pcre", DetectPcreTestSig02);
2109 UtRegisterTest(
"DetectPcreTestSig03 -- anchored pcre", DetectPcreTestSig03);
2112 DetectPcreTxBodyChunksTest01);
2113 UtRegisterTest(
"DetectPcreTxBodyChunksTest02 -- modifier P, body chunks per tx",
2114 DetectPcreTxBodyChunksTest02);
2115 UtRegisterTest(
"DetectPcreTxBodyChunksTest03 -- modifier P, body chunks per tx",
2116 DetectPcreTxBodyChunksTest03);
2118 UtRegisterTest(
"DetectPcreParseHttpHost", DetectPcreParseHttpHost);
2119 UtRegisterTest(
"DetectPcreParseCaptureTest", DetectPcreParseCaptureTest);