suricata
detect-pcre.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the pcre keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "pkt-var.h"
31 #include "flow-var.h"
32 #include "flow-util.h"
33 
34 #include "detect-pcre.h"
35 #include "detect-flowvar.h"
36 
37 #include "detect-parse.h"
38 #include "detect-content.h"
39 #include "detect-engine.h"
40 #include "detect-engine-buffer.h"
41 #include "detect-engine-sigorder.h"
42 #include "detect-engine-mpm.h"
43 #include "detect-engine-state.h"
44 #include "detect-engine-build.h"
45 
46 #include "util-var-name.h"
47 #include "util-unittest-helper.h"
48 #include "util-debug.h"
49 #include "util-unittest.h"
50 #include "util-print.h"
51 #include "util-pool.h"
52 
53 #include "conf.h"
54 #include "app-layer.h"
55 #include "app-layer-htp.h"
56 #include "stream.h"
57 #include "stream-tcp.h"
58 #include "stream-tcp-private.h"
59 #include "stream-tcp-reassemble.h"
60 #include "app-layer-protos.h"
61 #include "app-layer-parser.h"
62 #include "util-pages.h"
63 
64 /* pcre named substring capture supports only 32byte names, A-z0-9 plus _
65  * and needs to start with non-numeric. */
66 #define PARSE_CAPTURE_REGEX "\\(\\?P\\<([A-z]+)\\_([A-z0-9_]+)\\>"
67 #define PARSE_REGEX "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"
68 
69 static int pcre_match_limit = 0;
70 static int pcre_match_limit_recursion = 0;
71 
72 static DetectParseRegex *parse_regex;
73 static DetectParseRegex *parse_capture_regex;
74 
75 #ifdef PCRE2_HAVE_JIT
76 static int pcre2_use_jit = 1;
77 #endif
78 
79 // TODOpcre2 pcre2_jit_stack_create ?
80 
81 /* \brief Helper function for using pcre2_match with/without JIT
82  */
83 static inline int DetectPcreExec(DetectEngineThreadCtx *det_ctx, const DetectPcreData *pd,
84  const char *str, const size_t strlen, int start_offset, int options,
85  pcre2_match_data *match)
86 {
87  return pcre2_match(pd->parse_regex.regex, (PCRE2_SPTR8)str, strlen, start_offset, options,
88  match, pd->parse_regex.context);
89 }
90 
91 static int DetectPcreSetup (DetectEngineCtx *, Signature *, const char *);
92 static void DetectPcreFree(DetectEngineCtx *, void *);
93 #ifdef UNITTESTS
94 static void DetectPcreRegisterTests(void);
95 #endif
96 
97 void DetectPcreRegister (void)
98 {
99  sigmatch_table[DETECT_PCRE].name = "pcre";
100  sigmatch_table[DETECT_PCRE].desc = "match on regular expression";
101  sigmatch_table[DETECT_PCRE].url = "/rules/payload-keywords.html#pcre-perl-compatible-regular-expressions";
102  sigmatch_table[DETECT_PCRE].Match = NULL;
103  sigmatch_table[DETECT_PCRE].Setup = DetectPcreSetup;
104  sigmatch_table[DETECT_PCRE].Free = DetectPcreFree;
105 #ifdef UNITTESTS
106  sigmatch_table[DETECT_PCRE].RegisterTests = DetectPcreRegisterTests;
107 #endif
108  sigmatch_table[DETECT_PCRE].flags =
109  (SIGMATCH_QUOTES_OPTIONAL | SIGMATCH_HANDLE_NEGATION | SIGMATCH_SUPPORT_FIREWALL);
110 
111  intmax_t val = 0;
112 
113  if (!SCConfGetInt("pcre.match-limit", &val)) {
114  pcre_match_limit = SC_MATCH_LIMIT_DEFAULT;
115  SCLogDebug("Using PCRE match-limit setting of: %i", pcre_match_limit);
116  } else {
117  pcre_match_limit = (int)val;
118  if (pcre_match_limit != SC_MATCH_LIMIT_DEFAULT) {
119  SCLogInfo("Using PCRE match-limit setting of: %i", pcre_match_limit);
120  } else {
121  SCLogDebug("Using PCRE match-limit setting of: %i", pcre_match_limit);
122  }
123  }
124 
125  val = 0;
126 
127  if (!SCConfGetInt("pcre.match-limit-recursion", &val)) {
128  pcre_match_limit_recursion = SC_MATCH_LIMIT_RECURSION_DEFAULT;
129  SCLogDebug("Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
130  } else {
131  pcre_match_limit_recursion = (int)val;
132  if (pcre_match_limit_recursion != SC_MATCH_LIMIT_RECURSION_DEFAULT) {
133  SCLogInfo("Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
134  } else {
135  SCLogDebug("Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
136  }
137  }
138 
139  parse_regex = DetectSetupPCRE2(PARSE_REGEX, 0);
140  if (parse_regex == NULL) {
141  FatalError("pcre2 compile failed for parse_regex");
142  }
143 
144  /* setup the capture regex, as it needs PCRE2_UNGREEDY we do it manually */
145  /* pkt_http_ua should be pkt, http_ua, for this reason the UNGREEDY */
146  parse_capture_regex = DetectSetupPCRE2(PARSE_CAPTURE_REGEX, PCRE2_UNGREEDY);
147  if (parse_capture_regex == NULL) {
148  FatalError("pcre2 compile failed for parse_capture_regex");
149  }
150 
151 #ifdef PCRE2_HAVE_JIT
152  if (PageSupportsRWX() == 0) {
153  SCLogConfig("PCRE2 won't use JIT as OS doesn't allow RWX pages");
154  pcre2_use_jit = 0;
155  }
156 #endif
157 }
158 
159 static void DetectAlertStoreMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, uint32_t idx,
160  uint8_t *str_ptr, uint16_t capture_len)
161 {
162  /* We need the key */
163  const char *json_key = VarNameStoreLookupById(idx, VAR_TYPE_ALERT_VAR);
164 
165  if (json_key == NULL) {
166  SCFree(str_ptr);
167  return;
168  }
169 
170  SCLogDebug("json key: %s", json_key);
171  /* Setup the data*/
172  if (capture_len + strlen(json_key) + 5 < SIG_JSON_CONTENT_ITEM_LEN) {
173  if (DetectEngineThreadCtxGetJsonContext(det_ctx) < 0) {
174  SCFree(str_ptr);
175  return;
176  }
177  SCJsonBuilder *js = SCJbNewObject();
178  if (unlikely(js == NULL)) {
179  SCFree(str_ptr);
180  return;
181  }
182  SCJbSetStringFromBytes(js, json_key, str_ptr, capture_len);
183  uint32_t js_len = (uint32_t)SCJbLen(js);
184  if (js_len > SIG_JSON_CONTENT_ITEM_LEN) {
185  SCLogDebug("Captured length is too long for JSON.");
186  SCFree(str_ptr);
187  SCJbFree(js);
188  return;
189  }
190  if (js_len == 0) {
191  SCLogDebug("Captured length is zero for JSON.");
192  SCFree(str_ptr);
193  SCJbFree(js);
194  return;
195  }
196  /* Copy js but skip the starting curly bracket to just get the inner data */
197  memcpy(det_ctx->json_content[det_ctx->json_content_len].json_content, SCJbPtr(js) + 1,
198  js_len - 1);
199  /* end the string as we have used memcpy */
200  det_ctx->json_content[det_ctx->json_content_len].json_content[js_len - 1] = 0;
201  det_ctx->json_content[det_ctx->json_content_len].id = (void *)s;
202  det_ctx->json_content_len++;
203  SCJbFree(js);
204  }
205 
206  SCFree(str_ptr);
207 }
208 
209 /**
210  * \brief Match a regex on a single payload.
211  *
212  * \param det_ctx Thread detection ctx.
213  * \param s Signature.
214  * \param sm Sig match to match against.
215  * \param p Packet to set PktVars if any.
216  * \param f Flow to set FlowVars if any.
217  * \param payload Payload to inspect.
218  * \param payload_len Length of the payload.
219  *
220  * \retval 1 Match.
221  * \retval 0 No match.
222  */
223 int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, const Signature *s,
224  const SigMatchData *smd, Packet *p, Flow *f,
225  const uint8_t *payload, uint32_t payload_len)
226 {
227  SCEnter();
228  int ret = 0;
229  const uint8_t *ptr = NULL;
230  uint32_t len = 0;
231  PCRE2_SIZE capture_len = 0;
232 
233  const DetectPcreData *pe = (const DetectPcreData *)smd->ctx;
234 
235  if (pe->flags & DETECT_PCRE_RELATIVE) {
236  ptr = payload + det_ctx->buffer_offset;
237  len = payload_len - det_ctx->buffer_offset;
238  } else {
239  ptr = payload;
240  len = payload_len;
241  }
242 
243  int start_offset = 0;
244  if (det_ctx->pcre_match_start_offset != 0) {
245  start_offset = (uint32_t)(payload - ptr) + det_ctx->pcre_match_start_offset;
246  }
247 
248  /* run the actual pcre detection */
249  pcre2_match_data *match =
250  (pcre2_match_data *)DetectThreadCtxGetKeywordThreadCtx(det_ctx, pe->thread_ctx_id);
251 
252  ret = DetectPcreExec(det_ctx, pe, (char *)ptr, len, start_offset, 0, match);
253  SCLogDebug("ret %d (negating %s)", ret, (pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set");
254 
255  if (ret == PCRE2_ERROR_NOMATCH) {
256  if (pe->flags & DETECT_PCRE_NEGATE) {
257  /* regex didn't match with negate option means we
258  * consider it a match */
259  ret = 1;
260  } else {
261  ret = 0;
262  }
263  } else if (ret >= 0) {
264  if (pe->flags & DETECT_PCRE_NEGATE) {
265  /* regex matched but we're negated, so not
266  * considering it a match */
267  ret = 0;
268  } else {
269  /* regex matched and we're not negated,
270  * considering it a match */
271 
272  SCLogDebug("ret %d pe->idx %u", ret, pe->idx);
273 
274  /* see if we need to do substring capturing. */
275  if (ret > 1 && pe->idx != 0) {
276  uint8_t x;
277  for (x = 0; x < pe->idx; x++) {
278  SCLogDebug("capturing %u", x);
279  const char *pcre2_str_ptr = NULL;
280  ret = pcre2_substring_get_bynumber(
281  match, x + 1, (PCRE2_UCHAR8 **)&pcre2_str_ptr, &capture_len);
282  if (unlikely(ret != 0)) {
283  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
284  continue;
285  }
286  /* store max 64k. Errors are ignored */
287  capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
288  uint8_t *str_ptr = SCMalloc(capture_len);
289  if (unlikely(str_ptr == NULL)) {
290  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
291  continue;
292  }
293  memcpy(str_ptr, pcre2_str_ptr, capture_len);
294  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
295 
296  SCLogDebug("data %p/%u, type %u id %u p %p",
297  str_ptr, ret, pe->captypes[x], pe->capids[x], p);
298 
299  if (pe->captypes[x] == VAR_TYPE_PKT_VAR_KV) {
300  /* get the value, as first capture is the key */
301  const char *pcre2_str_ptr2 = NULL;
302  /* key length is limited to 256 chars */
303  uint16_t key_len = (capture_len < 0xff) ? (uint16_t)capture_len : 0xff;
304  int ret2 = pcre2_substring_get_bynumber(
305  match, x + 2, (PCRE2_UCHAR8 **)&pcre2_str_ptr2, &capture_len);
306 
307  if (unlikely(ret2 != 0)) {
308  SCFree(str_ptr);
309  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
310  break;
311  }
312  capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
313  uint8_t *str_ptr2 = SCMalloc(capture_len);
314  if (unlikely(str_ptr2 == NULL)) {
315  SCFree(str_ptr);
316  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
317  break;
318  }
319  memcpy(str_ptr2, pcre2_str_ptr2, capture_len);
320  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
321 
322  (void)DetectVarStoreMatchKeyValue(det_ctx, (uint8_t *)str_ptr, key_len,
323  (uint8_t *)str_ptr2, (uint16_t)capture_len,
324  DETECT_VAR_TYPE_PKT_POSTMATCH);
325 
326  } else if (pe->captypes[x] == VAR_TYPE_PKT_VAR) {
327  (void)DetectVarStoreMatch(det_ctx, pe->capids[x], (uint8_t *)str_ptr,
328  (uint16_t)capture_len, DETECT_VAR_TYPE_PKT_POSTMATCH);
329 
330  } else if (pe->captypes[x] == VAR_TYPE_FLOW_VAR && f != NULL) {
331  (void)DetectVarStoreMatch(det_ctx, pe->capids[x], (uint8_t *)str_ptr,
332  (uint16_t)capture_len, DETECT_VAR_TYPE_FLOW_POSTMATCH);
333 
334  } else if (pe->captypes[x] == VAR_TYPE_ALERT_VAR) {
335  (void)DetectAlertStoreMatch(det_ctx, s, pe->capids[x], (uint8_t *)str_ptr,
336  (uint16_t)capture_len);
337 
338  } else {
339  BUG_ON(1); // Impossible captype
340  SCFree(str_ptr);
341  }
342  }
343  }
344 
345  PCRE2_SIZE *ov = pcre2_get_ovector_pointer(match);
346  /* update offset for pcre RELATIVE */
347  det_ctx->buffer_offset = (uint32_t)((ptr + ov[1]) - payload);
348  det_ctx->pcre_match_start_offset = (uint32_t)((ptr + ov[0] + 1) - payload);
349 
350  ret = 1;
351  }
352 
353  } else {
354  SCLogDebug("pcre had matching error");
355  ret = 0;
356  }
357  SCReturnInt(ret);
358 }
359 
360 static int DetectPcreSetList(int list, int set)
361 {
362  if (list != DETECT_SM_LIST_NOTSET) {
363  SCLogError("only one pcre option to specify a buffer type is allowed");
364  return -1;
365  }
366  return set;
367 }
368 
369 static int DetectPcreHasUpperCase(const char *re)
370 {
371  size_t len = strlen(re);
372  bool is_meta = false;
373  bool is_meta_hex = false;
374  int meta_hex_cnt = 0;
375 
376  for (size_t i = 0; i < len; i++) {
377  if (is_meta_hex) {
378  meta_hex_cnt++;
379 
380  if (meta_hex_cnt == 2) {
381  is_meta_hex = false;
382  meta_hex_cnt = 0;
383  }
384  } else if (is_meta) {
385  if (re[i] == 'x') {
386  is_meta_hex = true;
387  } else {
388  is_meta = false;
389  }
390  }
391  else if (re[i] == '\\') {
392  is_meta = true;
393  }
394  else if (isupper((unsigned char)re[i])) {
395  return 1;
396  }
397  }
398 
399  return 0;
400 }
401 
402 static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx,
403  const char *regexstr, int *sm_list, char *capture_names,
404  size_t capture_names_size, bool negate, AppProto *alproto)
405 {
406  pcre2_match_data *match = NULL;
407  int en;
408  PCRE2_SIZE eo2;
409  int opts = 0;
410  DetectPcreData *pd = NULL;
411  char *op = NULL;
412  int ret = 0, res = 0;
413  int check_host_header = 0;
414  char op_str[64] = "";
415 
416  bool apply_match_limit = false;
417 
418  int cut_capture = 0;
419  const char *fcap = strstr(regexstr, "flow:");
420  const char *pcap = strstr(regexstr, "pkt:");
421  const char *acap = strstr(regexstr, "alert:");
422  /* take the size of the whole input as buffer size for the regex we will
423  * extract below. Add 1 to please Coverity's alloc_strlen test. */
424  size_t slen = strlen(regexstr) + 1;
425  if (fcap || pcap || acap) {
426  SCLogDebug("regexstr %s", regexstr);
427 
428  bool a_set = false;
429  cut_capture = 0;
430  if (fcap) {
431  a_set = true;
432  cut_capture = (int)(fcap - regexstr);
433  }
434  if (pcap) {
435  if (a_set)
436  cut_capture = (int)MIN(cut_capture, (pcap - regexstr));
437  else {
438  cut_capture = (int)(pcap - regexstr);
439  a_set = true;
440  }
441  }
442  if (acap) {
443  if (a_set)
444  cut_capture = MIN(cut_capture, (int)(acap - regexstr));
445  else
446  cut_capture = (int)(acap - regexstr);
447  }
448 
449  SCLogDebug("cut_capture %d", cut_capture);
450 
451  if (cut_capture > 1) {
452  int offset = cut_capture - 1;
453  while (offset) {
454  SCLogDebug("regexstr[offset] %c", regexstr[offset]);
455  if (regexstr[offset] == ',' || regexstr[offset] == ' ') {
456  offset--;
457  }
458  else
459  break;
460  }
461 
462  if (cut_capture == (offset + 1)) {
463  SCLogDebug("missing separators, assume it's part of the regex");
464  } else {
465  slen = offset + 1;
466  strlcpy(capture_names, regexstr+cut_capture, capture_names_size);
467  if (capture_names[strlen(capture_names)-1] == '"')
468  capture_names[strlen(capture_names)-1] = '\0';
469  }
470  }
471  }
472 
473  DEBUG_VALIDATE_BUG_ON(slen > UINT16_MAX);
474  char re[slen];
475 
476  match = pcre2_match_data_create_from_pattern(parse_regex->regex, NULL);
477  if (!match) {
478  goto error;
479  }
480 
481  ret = pcre2_match(parse_regex->regex, (PCRE2_SPTR8)regexstr, slen, 0, 0, match, NULL);
482  if (ret <= 0) {
483  SCLogError("pcre parse error: %s", regexstr);
484  goto error;
485  }
486 
487  res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)re, &slen);
488  if (res < 0) {
489  SCLogError("pcre2_substring_copy_bynumber failed");
490  pcre2_match_data_free(match);
491  return NULL;
492  }
493 
494  if (ret > 2) {
495  size_t copylen = sizeof(op_str);
496  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)op_str, &copylen);
497  if (res < 0) {
498  SCLogError("pcre2_substring_copy_bynumber failed");
499  pcre2_match_data_free(match);
500  return NULL;
501  }
502  op = op_str;
503  }
504  //printf("ret %" PRId32 " re \'%s\', op \'%s\'\n", ret, re, op);
505 
506  pd = SCCalloc(1, sizeof(DetectPcreData));
507  if (unlikely(pd == NULL))
508  goto error;
509 
510  if (negate)
511  pd->flags |= DETECT_PCRE_NEGATE;
512 
513  if (op != NULL) {
514  while (*op) {
515  SCLogDebug("regex option %c", *op);
516 
517  switch (*op) {
518  case 'A':
519  opts |= PCRE2_ANCHORED;
520  break;
521  case 'E':
522  opts |= PCRE2_DOLLAR_ENDONLY;
523  break;
524  case 'G':
525  opts |= PCRE2_UNGREEDY;
526  break;
527 
528  case 'i':
529  opts |= PCRE2_CASELESS;
530  pd->flags |= DETECT_PCRE_CASELESS;
531  break;
532  case 'm':
533  opts |= PCRE2_MULTILINE;
534  break;
535  case 's':
536  opts |= PCRE2_DOTALL;
537  break;
538  case 'x':
539  opts |= PCRE2_EXTENDED;
540  break;
541 
542  case 'O':
543  apply_match_limit = true;
544  break;
545 
546  case 'B': /* snort's option */
547  if (*sm_list != DETECT_SM_LIST_NOTSET) {
548  SCLogError("regex modifier 'B' inconsistent with chosen buffer");
549  goto error;
550  }
551  pd->flags |= DETECT_PCRE_RAWBYTES;
552  break;
553  case 'R': /* snort's option */
554  pd->flags |= DETECT_PCRE_RELATIVE;
555  break;
556 
557  /* buffer selection */
558 
559  case 'U': { /* snort's option */
560  if (pd->flags & DETECT_PCRE_RAWBYTES) {
561  SCLogError("regex modifier 'U' inconsistent with 'B'");
562  goto error;
563  }
564  int list = DetectBufferTypeGetByName("http_uri");
565  *sm_list = DetectPcreSetList(*sm_list, list);
566  *alproto = ALPROTO_HTTP1;
567  break;
568  }
569  case 'V': {
570  if (pd->flags & DETECT_PCRE_RAWBYTES) {
571  SCLogError("regex modifier 'V' inconsistent with 'B'");
572  goto error;
573  }
574  int list = DetectBufferTypeGetByName("http_user_agent");
575  *sm_list = DetectPcreSetList(*sm_list, list);
576  *alproto = ALPROTO_HTTP1;
577  break;
578  }
579  case 'W': {
580  if (pd->flags & DETECT_PCRE_RAWBYTES) {
581  SCLogError("regex modifier 'W' inconsistent with 'B'");
582  goto error;
583  }
584  int list = DetectBufferTypeGetByName("http_host");
585  *sm_list = DetectPcreSetList(*sm_list, list);
586  *alproto = ALPROTO_HTTP1;
587  check_host_header = 1;
588  break;
589  }
590  case 'Z': {
591  if (pd->flags & DETECT_PCRE_RAWBYTES) {
592  SCLogError("regex modifier 'Z' inconsistent with 'B'");
593  goto error;
594  }
595  int list = DetectBufferTypeGetByName("http_raw_host");
596  *sm_list = DetectPcreSetList(*sm_list, list);
597  *alproto = ALPROTO_HTTP1;
598  break;
599  }
600  case 'H': { /* snort's option */
601  if (pd->flags & DETECT_PCRE_RAWBYTES) {
602  SCLogError("regex modifier 'H' inconsistent with 'B'");
603  goto error;
604  }
605  int list = DetectBufferTypeGetByName("http_header");
606  *sm_list = DetectPcreSetList(*sm_list, list);
607  *alproto = ALPROTO_HTTP1;
608  break;
609  } case 'I': { /* snort's option */
610  if (pd->flags & DETECT_PCRE_RAWBYTES) {
611  SCLogError("regex modifier 'I' inconsistent with 'B'");
612  goto error;
613  }
614  int list = DetectBufferTypeGetByName("http_raw_uri");
615  *sm_list = DetectPcreSetList(*sm_list, list);
616  *alproto = ALPROTO_HTTP1;
617  break;
618  }
619  case 'D': { /* snort's option */
620  int list = DetectBufferTypeGetByName("http_raw_header");
621  *sm_list = DetectPcreSetList(*sm_list, list);
622  *alproto = ALPROTO_HTTP1;
623  break;
624  }
625  case 'M': { /* snort's option */
626  if (pd->flags & DETECT_PCRE_RAWBYTES) {
627  SCLogError("regex modifier 'M' inconsistent with 'B'");
628  goto error;
629  }
630  int list = DetectBufferTypeGetByName("http_method");
631  *sm_list = DetectPcreSetList(*sm_list, list);
632  *alproto = ALPROTO_HTTP1;
633  break;
634  }
635  case 'C': { /* snort's option */
636  if (pd->flags & DETECT_PCRE_RAWBYTES) {
637  SCLogError("regex modifier 'C' inconsistent with 'B'");
638  goto error;
639  }
640  int list = DetectBufferTypeGetByName("http_cookie");
641  *sm_list = DetectPcreSetList(*sm_list, list);
642  *alproto = ALPROTO_HTTP1;
643  break;
644  }
645  case 'P': {
646  /* snort's option (http request body inspection) */
647  int list = DetectBufferTypeGetByName("http_client_body");
648  *sm_list = DetectPcreSetList(*sm_list, list);
649  *alproto = ALPROTO_HTTP1;
650  break;
651  }
652  case 'Q': {
653  int list = DetectBufferTypeGetByName("file_data");
654  /* suricata extension (http response body inspection) */
655  *sm_list = DetectPcreSetList(*sm_list, list);
656  *alproto = ALPROTO_HTTP1;
657  break;
658  }
659  case 'Y': {
660  /* snort's option */
661  int list = DetectBufferTypeGetByName("http_stat_msg");
662  *sm_list = DetectPcreSetList(*sm_list, list);
663  *alproto = ALPROTO_HTTP1;
664  break;
665  }
666  case 'S': {
667  /* snort's option */
668  int list = DetectBufferTypeGetByName("http_stat_code");
669  *sm_list = DetectPcreSetList(*sm_list, list);
670  *alproto = ALPROTO_HTTP1;
671  break;
672  }
673  default:
674  SCLogError("unknown regex modifier '%c'", *op);
675  goto error;
676  }
677  op++;
678  }
679  }
680  if (*sm_list == -1)
681  goto error;
682 
683  SCLogDebug("DetectPcreParse: \"%s\"", re);
684 
685  /* host header */
686  if (check_host_header) {
687  if (pd->flags & DETECT_PCRE_CASELESS) {
688  SCLogWarning("http host pcre(\"W\") "
689  "specified along with \"i(caseless)\" modifier. "
690  "Since the hostname buffer we match against "
691  "is actually lowercase, having a "
692  "nocase is redundant.");
693  }
694  else if (DetectPcreHasUpperCase(re)) {
695  SCLogError("pcre host(\"W\") "
696  "specified has an uppercase char. "
697  "Since the hostname buffer we match against "
698  "is actually lowercase, please specify an "
699  "all lowercase based pcre.");
700  goto error;
701  }
702  }
703 
704  /* Try to compile as if all (...) groups had been meant as (?:...),
705  * which is the common case in most rules.
706  * If we fail because a capture group is later referenced (e.g., \1),
707  * PCRE will let us know.
708  */
709  if (capture_names == NULL || strlen(capture_names) == 0)
710  opts |= PCRE2_NO_AUTO_CAPTURE;
711 
712 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
713  // forbid use of \X Unicode extended grapheme cluster as slow
714  bool escape = false;
715  for (size_t i = 0; i < strlen(re); i++) {
716  if (escape) {
717  if (re[i] == 'X') {
718  goto error;
719  }
720  escape = false;
721  } else if (re[i] == '\\') {
722  escape = true;
723  }
724  }
725 
726 #endif
727  pd->parse_regex.regex =
728  pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
729  if (pd->parse_regex.regex == NULL && en == 115) { // reference to nonexistent subpattern
730  opts &= ~PCRE2_NO_AUTO_CAPTURE;
731  pd->parse_regex.regex =
732  pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
733  }
734  if (pd->parse_regex.regex == NULL) {
735  PCRE2_UCHAR errbuffer[256];
736  pcre2_get_error_message(en, errbuffer, sizeof(errbuffer));
737  SCLogError("pcre2 compile of \"%s\" failed at "
738  "offset %d: %s",
739  regexstr, (int)eo2, errbuffer);
740  goto error;
741  }
742 
743 #ifdef PCRE2_HAVE_JIT
744  if (pcre2_use_jit) {
745  ret = pcre2_jit_compile(pd->parse_regex.regex, PCRE2_JIT_COMPLETE);
746  if (ret != 0) {
747  /* warning, so we won't print the sig after this. Adding
748  * file and line to the message so the admin can figure
749  * out what sig this is about */
750  SCLogDebug("PCRE2 JIT compiler does not support: %s. "
751  "Falling back to regular PCRE2 handling (%s:%d)",
752  regexstr, de_ctx->rule_file, de_ctx->rule_line);
753  }
754  }
755 #endif /*PCRE2_HAVE_JIT*/
756 
757  pd->parse_regex.context = pcre2_match_context_create(NULL);
758  if (pd->parse_regex.context == NULL) {
759  SCLogError("pcre2 could not create match context");
760  goto error;
761  }
762 
763  if (apply_match_limit) {
764  if (pcre_match_limit >= -1) {
765  pcre2_set_match_limit(pd->parse_regex.context, pcre_match_limit);
766  }
767  if (pcre_match_limit_recursion >= -1) {
768  // pcre2_set_depth_limit unsupported on ubuntu 16.04
769  pcre2_set_recursion_limit(pd->parse_regex.context, pcre_match_limit_recursion);
770  }
771  } else {
772  pcre2_set_match_limit(pd->parse_regex.context, SC_MATCH_LIMIT_DEFAULT);
773  pcre2_set_recursion_limit(pd->parse_regex.context, SC_MATCH_LIMIT_RECURSION_DEFAULT);
774  }
775 
776  pcre2_match_data_free(match);
777  return pd;
778 
779 error:
780  pcre2_match_data_free(match);
781  DetectPcreFree(de_ctx, pd);
782  return NULL;
783 }
784 
785 /** \internal
786  * \brief check if we need to extract capture settings and set them up if needed
787  */
788 static int DetectPcreParseCapture(const char *regexstr, DetectEngineCtx *de_ctx, DetectPcreData *pd,
789  char *capture_names)
790 {
791  int ret = 0, res = 0;
792  char type_str[16] = "";
793  const char *orig_right_edge = regexstr + strlen(regexstr);
794  char *name_array[DETECT_PCRE_CAPTURE_MAX] = { NULL };
795  int name_idx = 0;
796  int capture_cnt = 0;
797  int key = 0;
798  size_t copylen;
799  pcre2_match_data *match = NULL;
800 
801  SCLogDebug("regexstr %s, pd %p", regexstr, pd);
802 
803  ret = pcre2_pattern_info(pd->parse_regex.regex, PCRE2_INFO_CAPTURECOUNT, &capture_cnt);
804  SCLogDebug("ret %d capture_cnt %d", ret, capture_cnt);
805  if (ret == 0 && capture_cnt && strlen(capture_names) > 0)
806  {
807  char *ptr = NULL;
808  while ((name_array[name_idx] = strtok_r(name_idx == 0 ? capture_names : NULL, " ,", &ptr))){
809  if (name_idx > (capture_cnt - 1)) {
810  SCLogError("more pkt/flow "
811  "var capture names than capturing substrings");
812  return -1;
813  }
814  SCLogDebug("name '%s'", name_array[name_idx]);
815 
816  if (strcmp(name_array[name_idx], "pkt:key") == 0) {
817  key = 1;
818  SCLogDebug("key-value/key");
819 
820  pd->captypes[pd->idx] = VAR_TYPE_PKT_VAR_KV;
821  SCLogDebug("id %u type %u", pd->capids[pd->idx], pd->captypes[pd->idx]);
822  pd->idx++;
823 
824  } else if (key == 1 && strcmp(name_array[name_idx], "pkt:value") == 0) {
825  SCLogDebug("key-value/value");
826  key = 0;
827 
828  /* kv error conditions */
829  } else if (key == 0 && strcmp(name_array[name_idx], "pkt:value") == 0) {
830  return -1;
831  } else if (key == 1) {
832  return -1;
833 
834  } else if (strncmp(name_array[name_idx], "flow:", 5) == 0) {
835  uint32_t varname_id =
836  VarNameStoreRegister(name_array[name_idx] + 5, VAR_TYPE_FLOW_VAR);
837  if (unlikely(varname_id == 0))
838  return -1;
839  pd->capids[pd->idx] = varname_id;
840  pd->captypes[pd->idx] = VAR_TYPE_FLOW_VAR;
841  pd->idx++;
842 
843  } else if (strncmp(name_array[name_idx], "pkt:", 4) == 0) {
844  uint32_t varname_id =
845  VarNameStoreRegister(name_array[name_idx] + 4, VAR_TYPE_PKT_VAR);
846  if (unlikely(varname_id == 0))
847  return -1;
848  pd->capids[pd->idx] = varname_id;
849  pd->captypes[pd->idx] = VAR_TYPE_PKT_VAR;
850  SCLogDebug("id %u type %u", pd->capids[pd->idx], pd->captypes[pd->idx]);
851  pd->idx++;
852 
853  } else if (strncmp(name_array[name_idx], "alert:", 6) == 0) {
854  uint32_t varname_id =
855  VarNameStoreRegister(name_array[name_idx] + 6, VAR_TYPE_ALERT_VAR);
856  if (unlikely(varname_id == 0))
857  return -1;
858  pd->capids[pd->idx] = varname_id;
859  pd->captypes[pd->idx] = VAR_TYPE_ALERT_VAR;
860  pd->idx++;
861 
862  } else {
863  SCLogError(" pkt/flow "
864  "var capture names must start with 'pkt:' or 'flow:'");
865  return -1;
866  }
867 
868  name_idx++;
869  if (name_idx >= DETECT_PCRE_CAPTURE_MAX)
870  break;
871  }
872  }
873 
874  /* take the size of the whole input as buffer size for the string we will
875  * extract below. Add 1 to please Coverity's alloc_strlen test. */
876  size_t cap_buffer_len = strlen(regexstr) + 1;
877  DEBUG_VALIDATE_BUG_ON(cap_buffer_len > UINT16_MAX);
878  char capture_str[cap_buffer_len];
879  memset(capture_str, 0x00, cap_buffer_len);
880 
881  if (de_ctx == NULL)
882  goto error;
883 
884  while (1) {
885  SCLogDebug("\'%s\'", regexstr);
886 
887  ret = DetectParsePcreExec(parse_capture_regex, &match, regexstr, 0, 0);
888  if (ret < 3) {
889  pcre2_match_data_free(match);
890  return 0;
891  }
892  copylen = sizeof(type_str);
893  res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)type_str, &copylen);
894  if (res != 0) {
895  SCLogError("pcre2_substring_copy_bynumber failed");
896  goto error;
897  }
898  cap_buffer_len = strlen(regexstr) + 1;
899  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)capture_str, &cap_buffer_len);
900  if (res != 0) {
901  SCLogError("pcre2_substring_copy_bynumber failed");
902  goto error;
903  }
904  if (strlen(capture_str) == 0 || strlen(type_str) == 0) {
905  goto error;
906  }
907 
908  SCLogDebug("type \'%s\'", type_str);
909  SCLogDebug("capture \'%s\'", capture_str);
910 
911  if (pd->idx >= DETECT_PCRE_CAPTURE_MAX) {
912  SCLogError("rule can have maximally %d pkt/flow "
913  "var captures",
914  DETECT_PCRE_CAPTURE_MAX);
915  pcre2_match_data_free(match);
916  return -1;
917  }
918 
919  if (strcmp(type_str, "pkt") == 0) {
920  uint32_t varname_id = VarNameStoreRegister((char *)capture_str, VAR_TYPE_PKT_VAR);
921  if (unlikely(varname_id == 0))
922  return -1;
923  pd->capids[pd->idx] = varname_id;
924  pd->captypes[pd->idx] = VAR_TYPE_PKT_VAR;
925  SCLogDebug("id %u type %u", pd->capids[pd->idx], pd->captypes[pd->idx]);
926  pd->idx++;
927  } else if (strcmp(type_str, "flow") == 0) {
928  uint32_t varname_id = VarNameStoreRegister((char *)capture_str, VAR_TYPE_FLOW_VAR);
929  if (unlikely(varname_id == 0))
930  return -1;
931  pd->capids[pd->idx] = varname_id;
932  pd->captypes[pd->idx] = VAR_TYPE_FLOW_VAR;
933  pd->idx++;
934  } else if (strcmp(type_str, "alert") == 0) {
935  uint32_t varname_id = VarNameStoreRegister((char *)capture_str, VAR_TYPE_ALERT_VAR);
936  if (unlikely(varname_id == 0))
937  return -1;
938  pd->capids[pd->idx] = varname_id;
939  pd->captypes[pd->idx] = VAR_TYPE_ALERT_VAR;
940  pd->idx++;
941  }
942 
943  //SCLogNotice("pd->capname %s", pd->capname);
944  PCRE2_SIZE *ov = pcre2_get_ovector_pointer(match);
945  regexstr += ov[1];
946 
947  pcre2_match_data_free(match);
948  match = NULL;
949 
950  if (regexstr >= orig_right_edge)
951  break;
952  }
953  return 0;
954 
955 error:
956  pcre2_match_data_free(match);
957  return -1;
958 }
959 
960 static void *DetectPcreThreadInit(void *data)
961 {
962  DetectPcreData *pd = (DetectPcreData *)data;
963  pcre2_match_data *match = pcre2_match_data_create_from_pattern(pd->parse_regex.regex, NULL);
964  return match;
965 }
966 
967 static void DetectPcreThreadFree(void *ctx)
968 {
969  if (ctx != NULL) {
970  pcre2_match_data *match = (pcre2_match_data *)ctx;
971  pcre2_match_data_free(match);
972  }
973 }
974 
975 static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, const char *regexstr)
976 {
977  SCEnter();
978  DetectPcreData *pd = NULL;
979  int parsed_sm_list = DETECT_SM_LIST_NOTSET;
980  char capture_names[1024] = "";
981  AppProto alproto = ALPROTO_UNKNOWN;
982 
983  pd = DetectPcreParse(de_ctx, regexstr, &parsed_sm_list,
984  capture_names, sizeof(capture_names), s->init_data->negated,
985  &alproto);
986  if (pd == NULL)
987  goto error;
988  if (DetectPcreParseCapture(regexstr, de_ctx, pd, capture_names) < 0)
989  goto error;
990 
991  pd->thread_ctx_id = DetectRegisterThreadCtxFuncs(
992  de_ctx, "pcre", DetectPcreThreadInit, (void *)pd, DetectPcreThreadFree, 0);
993  if (pd->thread_ctx_id == -1)
994  goto error;
995 
996  int sm_list = -1;
997  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
998  if (parsed_sm_list != DETECT_SM_LIST_NOTSET && parsed_sm_list != s->init_data->list) {
999  SCLogError("Expression seen with a sticky buffer still set; either (1) reset sticky "
1000  "buffer with pkt_data or (2) use a sticky buffer providing \"%s\".",
1001  DetectEngineBufferTypeGetDescriptionById(de_ctx, parsed_sm_list));
1002  goto error;
1003  }
1004  if (DetectBufferGetActiveList(de_ctx, s) == -1)
1005  goto error;
1006 
1007  sm_list = s->init_data->list;
1008  } else {
1009  switch (parsed_sm_list) {
1010  case DETECT_SM_LIST_NOTSET:
1011  sm_list = DETECT_SM_LIST_PMATCH;
1012  break;
1013  default: {
1014  if (alproto != ALPROTO_UNKNOWN) {
1015  /* see if the proto doesn't conflict
1016  * with what we already have. */
1017  if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, alproto)) {
1018  goto error;
1019  }
1020  if (SCDetectSignatureSetAppProto(s, alproto) < 0)
1021  goto error;
1022  }
1023  sm_list = parsed_sm_list;
1024  break;
1025  }
1026  }
1027  }
1028  if (sm_list == -1)
1029  goto error;
1030 
1031  SigMatch *sm = SCSigMatchAppendSMToList(de_ctx, s, DETECT_PCRE, (SigMatchCtx *)pd, sm_list);
1032  if (sm == NULL) {
1033  goto error;
1034  }
1035 
1036  for (uint8_t x = 0; x < pd->idx; x++) {
1037  if (DetectFlowvarPostMatchSetup(de_ctx, s, pd->capids[x]) < 0)
1038  goto error_nofree;
1039  }
1040 
1041  if (!(pd->flags & DETECT_PCRE_RELATIVE))
1042  goto okay;
1043 
1044  /* errors below shouldn't free pd */
1045 
1046  SigMatch *prev_pm = DetectGetLastSMByListPtr(s, sm->prev,
1047  DETECT_CONTENT, DETECT_PCRE, -1);
1048  if (s->init_data->list == DETECT_SM_LIST_NOTSET && prev_pm == NULL) {
1049  SCLogError("pcre with /R (relative) needs "
1050  "preceding match in the same buffer");
1051  goto error_nofree;
1052  /* null is allowed when we use a sticky buffer */
1053  } else if (prev_pm == NULL) {
1054  goto okay;
1055  }
1056  if (prev_pm->type == DETECT_CONTENT) {
1057  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
1058  cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
1059  } else if (prev_pm->type == DETECT_PCRE) {
1060  DetectPcreData *tmp = (DetectPcreData *)prev_pm->ctx;
1061  tmp->flags |= DETECT_PCRE_RELATIVE_NEXT;
1062  }
1063 
1064  okay:
1065  SCReturnInt(0);
1066  error:
1067  DetectPcreFree(de_ctx, pd);
1068  error_nofree:
1069  SCReturnInt(-1);
1070 }
1071 
1072 static void DetectPcreFree(DetectEngineCtx *de_ctx, void *ptr)
1073 {
1074  if (ptr == NULL)
1075  return;
1076 
1077  DetectPcreData *pd = (DetectPcreData *)ptr;
1078  DetectParseFreeRegex(&pd->parse_regex);
1079  DetectUnregisterThreadCtxFuncs(de_ctx, pd, "pcre");
1080 
1081  for (uint8_t i = 0; i < pd->idx; i++) {
1082  VarNameStoreUnregister(pd->capids[i], pd->captypes[i]);
1083  }
1084  SCFree(pd);
1085 }
1086 
1087 #ifdef UNITTESTS /* UNITTESTS */
1088 #include "detect-engine-alert.h"
1089 static int g_file_data_buffer_id = 0;
1090 static int g_http_header_buffer_id = 0;
1091 static int g_dce_stub_data_buffer_id = 0;
1092 
1093 /**
1094  * \test DetectPcreParseTest01 make sure we don't allow invalid opts 7.
1095  */
1096 static int DetectPcreParseTest01 (void)
1097 {
1098  DetectPcreData *pd = NULL;
1099  const char *teststring = "/blah/7";
1100  int list = DETECT_SM_LIST_NOTSET;
1101  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1102  FAIL_IF_NULL(de_ctx);
1103  AppProto alproto = ALPROTO_UNKNOWN;
1104 
1105  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1106  FAIL_IF_NOT_NULL(pd);
1107 
1108  DetectEngineCtxFree(de_ctx);
1109  PASS;
1110 }
1111 
1112 /**
1113  * \test DetectPcreParseTest02 make sure we don't allow invalid opts Ui$.
1114  */
1115 static int DetectPcreParseTest02 (void)
1116 {
1117  DetectPcreData *pd = NULL;
1118  const char *teststring = "/blah/Ui$";
1119  int list = DETECT_SM_LIST_NOTSET;
1120  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1121  FAIL_IF_NULL(de_ctx);
1122  AppProto alproto = ALPROTO_UNKNOWN;
1123 
1124  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1125  FAIL_IF_NOT_NULL(pd);
1126  FAIL_IF_NOT(alproto == ALPROTO_HTTP1);
1127 
1128  DetectEngineCtxFree(de_ctx);
1129  PASS;
1130 }
1131 
1132 /**
1133  * \test DetectPcreParseTest03 make sure we don't allow invalid opts UZi.
1134  */
1135 static int DetectPcreParseTest03 (void)
1136 {
1137  DetectPcreData *pd = NULL;
1138  const char *teststring = "/blah/UNi";
1139  int list = DETECT_SM_LIST_NOTSET;
1140  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1141  FAIL_IF_NULL(de_ctx);
1142  AppProto alproto = ALPROTO_UNKNOWN;
1143 
1144  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1145  FAIL_IF_NOT_NULL(pd);
1146 
1147  DetectEngineCtxFree(de_ctx);
1148  PASS;
1149 }
1150 
1151 /**
1152  * \test DetectPcreParseTest04 make sure we allow escaped "
1153  */
1154 static int DetectPcreParseTest04 (void)
1155 {
1156  DetectPcreData *pd = NULL;
1157  const char *teststring = "/b\\\"lah/i";
1158  int list = DETECT_SM_LIST_NOTSET;
1159  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1160  FAIL_IF_NULL(de_ctx);
1161  AppProto alproto = ALPROTO_UNKNOWN;
1162 
1163  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1164  FAIL_IF_NULL(pd);
1165  FAIL_IF_NOT(alproto == ALPROTO_UNKNOWN);
1166 
1167  DetectPcreFree(de_ctx, pd);
1168  DetectEngineCtxFree(de_ctx);
1169  PASS;
1170 }
1171 
1172 /**
1173  * \test DetectPcreParseTest05 make sure we parse pcre with no opts
1174  */
1175 static int DetectPcreParseTest05 (void)
1176 {
1177  DetectPcreData *pd = NULL;
1178  const char *teststring = "/b(l|a)h/";
1179  int list = DETECT_SM_LIST_NOTSET;
1180  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1181  FAIL_IF_NULL(de_ctx);
1182  AppProto alproto = ALPROTO_UNKNOWN;
1183 
1184  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1185  FAIL_IF_NULL(pd);
1186  FAIL_IF_NOT(alproto == ALPROTO_UNKNOWN);
1187 
1188  DetectPcreFree(de_ctx, pd);
1189  DetectEngineCtxFree(de_ctx);
1190  PASS;
1191 }
1192 
1193 /**
1194  * \test DetectPcreParseTest06 make sure we parse pcre with smi opts
1195  */
1196 static int DetectPcreParseTest06 (void)
1197 {
1198  DetectPcreData *pd = NULL;
1199  const char *teststring = "/b(l|a)h/smi";
1200  int list = DETECT_SM_LIST_NOTSET;
1201  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1202  FAIL_IF_NULL(de_ctx);
1203  AppProto alproto = ALPROTO_UNKNOWN;
1204 
1205  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1206  FAIL_IF_NULL(pd);
1207  FAIL_IF_NOT(alproto == ALPROTO_UNKNOWN);
1208 
1209  DetectPcreFree(de_ctx, pd);
1210  DetectEngineCtxFree(de_ctx);
1211  PASS;
1212 }
1213 
1214 /**
1215  * \test DetectPcreParseTest07 make sure we parse pcre with /Ui opts
1216  */
1217 static int DetectPcreParseTest07 (void)
1218 {
1219  DetectPcreData *pd = NULL;
1220  const char *teststring = "/blah/Ui";
1221  int list = DETECT_SM_LIST_NOTSET;
1222  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1223  FAIL_IF_NULL(de_ctx);
1224  AppProto alproto = ALPROTO_UNKNOWN;
1225 
1226  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1227  FAIL_IF_NULL(pd);
1228  FAIL_IF_NOT(alproto == ALPROTO_HTTP1);
1229 
1230  DetectPcreFree(de_ctx, pd);
1231  DetectEngineCtxFree(de_ctx);
1232  PASS;
1233 }
1234 
1235 /**
1236  * \test DetectPcreParseTest08 make sure we parse pcre with O opts
1237  */
1238 static int DetectPcreParseTest08 (void)
1239 {
1240  DetectPcreData *pd = NULL;
1241  const char *teststring = "/b(l|a)h/O";
1242  int list = DETECT_SM_LIST_NOTSET;
1243  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1244  FAIL_IF_NULL(de_ctx);
1245  AppProto alproto = ALPROTO_UNKNOWN;
1246 
1247  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1248  FAIL_IF_NULL(pd);
1249  FAIL_IF_NOT(alproto == ALPROTO_UNKNOWN);
1250 
1251  DetectPcreFree(de_ctx, pd);
1252  DetectEngineCtxFree(de_ctx);
1253  PASS;
1254 }
1255 
1256 /**
1257  * \test DetectPcreParseTest09 make sure we parse pcre with a content
1258  * that has slashes
1259  */
1260 static int DetectPcreParseTest09 (void)
1261 {
1262  DetectPcreData *pd = NULL;
1263  const char *teststring = "/lala\\\\/";
1264  int list = DETECT_SM_LIST_NOTSET;
1265  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1266  FAIL_IF_NULL(de_ctx);
1267  AppProto alproto = ALPROTO_UNKNOWN;
1268 
1269  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1270  FAIL_IF_NULL(pd);
1271 
1272  DetectPcreFree(de_ctx, pd);
1273  DetectEngineCtxFree(de_ctx);
1274  PASS;
1275 }
1276 
1277 /**
1278  * \test Test pcre option for dce sig(yeah I'm bored of writing test titles).
1279  */
1280 static int DetectPcreParseTest10(void)
1281 {
1282  Signature *s = SigAlloc();
1283  FAIL_IF_NULL(s);
1284  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1285  FAIL_IF_NULL(de_ctx);
1286 
1287  FAIL_IF(SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0);
1288 
1289  FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0);
1290  FAIL_IF_NOT(DetectBufferGetFirstSigMatch(s, g_dce_stub_data_buffer_id) == NULL);
1291  FAIL_IF_NOT(s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL);
1292 
1293  SigFree(de_ctx, s);
1294 
1295  s = SigAlloc();
1296  FAIL_IF_NULL(s);
1297 
1298  /* failure since we have no preceding content/pcre/bytejump */
1299  FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0);
1300  FAIL_IF_NOT(DetectBufferGetFirstSigMatch(s, g_dce_stub_data_buffer_id) == NULL);
1301  FAIL_IF_NOT(s->init_data->smlists[DETECT_SM_LIST_PMATCH] != NULL);
1302 
1303  SigFree(de_ctx, s);
1304  DetectEngineCtxFree(de_ctx);
1305 
1306  PASS;
1307 }
1308 
1309 /** \test Check a signature with pcre relative method */
1310 static int DetectPcreParseTest15(void)
1311 {
1312  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1313  FAIL_IF_NULL(de_ctx);
1314 
1315  de_ctx->flags |= DE_QUIET;
1316  de_ctx->sig_list = SigInit(de_ctx,
1317  "alert tcp any any -> any any "
1318  "(msg:\"Testing pcre relative http_method\"; "
1319  "content:\"GET\"; "
1320  "http_method; pcre:\"/abc/RM\"; sid:1;)");
1321  FAIL_IF_NULL(de_ctx->sig_list);
1322 
1323  SigCleanSignatures(de_ctx);
1324  DetectEngineCtxFree(de_ctx);
1325  PASS;
1326 }
1327 
1328 
1329 /** \test Check a signature with pcre relative cookie */
1330 static int DetectPcreParseTest16(void)
1331 {
1332  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1333  FAIL_IF_NULL(de_ctx);
1334 
1335  de_ctx->flags |= DE_QUIET;
1336  de_ctx->sig_list = SigInit(de_ctx,
1337  "alert tcp any any -> any any "
1338  "(msg:\"Testing pcre relative http_cookie\"; "
1339  "content:\"test\"; "
1340  "http_cookie; pcre:\"/abc/RC\"; sid:1;)");
1341  FAIL_IF_NULL(de_ctx->sig_list);
1342 
1343  SigCleanSignatures(de_ctx);
1344  DetectEngineCtxFree(de_ctx);
1345  PASS;
1346 }
1347 
1348 /** \test Check a signature with pcre relative raw header */
1349 static int DetectPcreParseTest17(void)
1350 {
1351  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1352  FAIL_IF_NULL(de_ctx);
1353 
1354  de_ctx->flags |= DE_QUIET;
1355  de_ctx->sig_list = SigInit(de_ctx,
1356  "alert tcp any any -> any any "
1357  "(msg:\"Testing pcre relative http_raw_header\"; "
1358  "flow:to_server; content:\"test\"; "
1359  "http_raw_header; pcre:\"/abc/RD\"; sid:1;)");
1360  FAIL_IF_NULL(de_ctx->sig_list);
1361 
1362  SigCleanSignatures(de_ctx);
1363  DetectEngineCtxFree(de_ctx);
1364  PASS;
1365 }
1366 
1367 /** \test Check a signature with pcre relative header */
1368 static int DetectPcreParseTest18(void)
1369 {
1370  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1371  FAIL_IF_NULL(de_ctx);
1372 
1373  de_ctx->flags |= DE_QUIET;
1374  de_ctx->sig_list = SigInit(de_ctx,
1375  "alert tcp any any -> any any "
1376  "(msg:\"Testing pcre relative http_header\"; "
1377  "content:\"test\"; "
1378  "http_header; pcre:\"/abc/RH\"; sid:1;)");
1379  FAIL_IF_NULL(de_ctx->sig_list);
1380 
1381  SigCleanSignatures(de_ctx);
1382  DetectEngineCtxFree(de_ctx);
1383  PASS;
1384 }
1385 
1386 /** \test Check a signature with pcre relative client-body */
1387 static int DetectPcreParseTest19(void)
1388 {
1389  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1390  FAIL_IF_NULL(de_ctx);
1391 
1392  de_ctx->flags |= DE_QUIET;
1393  de_ctx->sig_list = SigInit(de_ctx,
1394  "alert tcp any any -> any any "
1395  "(msg:\"Testing pcre relative http_client_body\"; "
1396  "content:\"test\"; "
1397  "http_client_body; pcre:\"/abc/RP\"; sid:1;)");
1398  FAIL_IF_NULL(de_ctx->sig_list);
1399 
1400  SigCleanSignatures(de_ctx);
1401  DetectEngineCtxFree(de_ctx);
1402  PASS;
1403 }
1404 
1405 /** \test Check a signature with pcre relative raw uri */
1406 static int DetectPcreParseTest20(void)
1407 {
1408  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1409 
1410  FAIL_IF_NULL(de_ctx);
1411 
1412  de_ctx->flags |= DE_QUIET;
1413  de_ctx->sig_list = SigInit(de_ctx,
1414  "alert tcp any any -> any any "
1415  "(msg:\"Testing http_raw_uri\"; "
1416  "content:\"test\"; "
1417  "http_raw_uri; pcre:\"/abc/RI\"; sid:1;)");
1418  FAIL_IF_NULL(de_ctx->sig_list);
1419 
1420  SigCleanSignatures(de_ctx);
1421  DetectEngineCtxFree(de_ctx);
1422  PASS;
1423 }
1424 
1425 /** \test Check a signature with pcre relative uricontent */
1426 static int DetectPcreParseTest21(void)
1427 {
1428  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1429 
1430  FAIL_IF_NULL(de_ctx);
1431 
1432  de_ctx->flags |= DE_QUIET;
1433  de_ctx->sig_list = SigInit(de_ctx,
1434  "alert tcp any any -> any any "
1435  "(msg:\"Testing pcre relative uricontent\"; "
1436  "uricontent:\"test\"; "
1437  "pcre:\"/abc/RU\"; sid:1;)");
1438  FAIL_IF_NULL(de_ctx->sig_list);
1439 
1440  SigCleanSignatures(de_ctx);
1441  DetectEngineCtxFree(de_ctx);
1442  PASS;
1443 }
1444 
1445 /** \test Check a signature with pcre relative http_uri */
1446 static int DetectPcreParseTest22(void)
1447 {
1448  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1449 
1450  FAIL_IF_NULL(de_ctx);
1451 
1452  de_ctx->flags |= DE_QUIET;
1453  de_ctx->sig_list = SigInit(de_ctx,
1454  "alert tcp any any -> any any "
1455  "(msg:\"Testing pcre relative http_uri\"; "
1456  "content:\"test\"; "
1457  "http_uri; pcre:\"/abc/RU\"; sid:1;)");
1458  FAIL_IF_NULL(de_ctx->sig_list);
1459 
1460  SigCleanSignatures(de_ctx);
1461  DetectEngineCtxFree(de_ctx);
1462  PASS;
1463 }
1464 
1465 /** \test Check a signature with inconsistent pcre relative */
1466 static int DetectPcreParseTest23(void)
1467 {
1468  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1469 
1470  FAIL_IF_NULL(de_ctx);
1471 
1472  de_ctx->flags |= DE_QUIET;
1473  de_ctx->sig_list = SigInit(de_ctx,
1474  "alert tcp any any -> any any "
1475  "(msg:\"Testing inconsistent pcre relative\"; "
1476  "content:\"GET\"; "
1477  "http_cookie; pcre:\"/abc/RM\"; sid:1;)");
1478  FAIL_IF_NOT_NULL(de_ctx->sig_list);
1479 
1480  SigCleanSignatures(de_ctx);
1481  DetectEngineCtxFree(de_ctx);
1482  PASS;
1483 }
1484 
1485 /** \test Check a signature with inconsistent pcre modifiers */
1486 static int DetectPcreParseTest24(void)
1487 {
1488  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1489 
1490  FAIL_IF_NULL(de_ctx);
1491 
1492  de_ctx->flags |= DE_QUIET;
1493  de_ctx->sig_list = SigInit(de_ctx,
1494  "alert tcp any any -> any any "
1495  "(msg:\"Testing inconsistent pcre modifiers\"; "
1496  "pcre:\"/abc/UI\"; sid:1;)");
1497  FAIL_IF_NOT_NULL(de_ctx->sig_list);
1498 
1499  SigCleanSignatures(de_ctx);
1500  DetectEngineCtxFree(de_ctx);
1501  PASS;
1502 }
1503 
1504 /** \test Check a signature with inconsistent pcre modifiers */
1505 static int DetectPcreParseTest25(void)
1506 {
1507  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1508 
1509  FAIL_IF_NULL(de_ctx);
1510 
1511  de_ctx->flags |= DE_QUIET;
1512  de_ctx->sig_list = SigInit(de_ctx,
1513  "alert tcp any any -> any any "
1514  "(msg:\"Testing inconsistent pcre modifiers\"; "
1515  "pcre:\"/abc/DH\"; sid:1;)");
1516  FAIL_IF_NOT_NULL(de_ctx->sig_list);
1517 
1518  SigCleanSignatures(de_ctx);
1519  DetectEngineCtxFree(de_ctx);
1520  PASS;
1521 }
1522 
1523 /** \test Check a signature with inconsistent pcre modifiers */
1524 static int DetectPcreParseTest26(void)
1525 {
1526  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1527 
1528  FAIL_IF_NULL(de_ctx);
1529 
1530  de_ctx->flags |= DE_QUIET;
1531  de_ctx->sig_list = SigInit(de_ctx,
1532  "alert http any any -> any any "
1533  "(msg:\"Testing inconsistent pcre modifiers\"; "
1534  "pcre:\"/abc/F\"; sid:1;)");
1535  FAIL_IF_NOT_NULL(de_ctx->sig_list);
1536 
1537  SigCleanSignatures(de_ctx);
1538  DetectEngineCtxFree(de_ctx);
1539  PASS;
1540 }
1541 
1542 /** \test Bug 1098 */
1543 static int DetectPcreParseTest27(void)
1544 {
1545  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1546 
1547  FAIL_IF_NULL(de_ctx);
1548 
1549  de_ctx->flags |= DE_QUIET;
1550  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 80 "
1551  "(content:\"baduricontent\"; http_raw_uri; "
1552  "pcre:\"/^[a-z]{5}\\.html/R\"; sid:2; rev:2;)");
1553  FAIL_IF_NOT_NULL(de_ctx->sig_list);
1554 
1555  SigCleanSignatures(de_ctx);
1556  DetectEngineCtxFree(de_ctx);
1557  PASS;
1558 }
1559 
1560 /** \test Bug 1957 */
1561 static int DetectPcreParseTest28(void)
1562 {
1563  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1564 
1565  FAIL_IF_NULL(de_ctx);
1566 
1567  de_ctx->flags |= DE_QUIET;
1568  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 80 "
1569  "(content:\"|2E|suricata\"; http_host; pcre:\"/\\x2Esuricata$/W\"; "
1570  "sid:2; rev:2;)");
1571  FAIL_IF_NULL(de_ctx->sig_list);
1572 
1573  DetectEngineCtxFree(de_ctx);
1574  PASS;
1575 }
1576 
1577 static int DetectPcreTestSig01(void)
1578 {
1579  uint8_t *buf = (uint8_t *)"lalala lalala\\ lala\n";
1580  uint16_t buflen = strlen((char *)buf);
1581  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1582 
1583  char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ "
1584  "lalala\\\\/\"; sid:1;)";
1585  FAIL_IF_NOT(UTHPacketMatchSig(p, sig));
1586 
1587  UTHFreePacket(p);
1588  PASS;
1589 }
1590 
1591 /** \test anchored pcre */
1592 static int DetectPcreTestSig02(void)
1593 {
1594  uint8_t *buf = (uint8_t *)"lalala\n";
1595  uint16_t buflen = strlen((char *)buf);
1596  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1597 
1598  char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1599  "pcre:\"/^(la)+$/\"; sid:1;)";
1600  FAIL_IF_NOT(UTHPacketMatchSig(p, sig));
1601 
1602  UTHFreePacket(p);
1603  PASS;
1604 }
1605 
1606 /** \test anchored pcre */
1607 static int DetectPcreTestSig03(void)
1608 {
1609  /* test it also without ending in a newline "\n" */
1610  uint8_t *buf = (uint8_t *)"lalala";
1611  uint16_t buflen = strlen((char *)buf);
1612  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1613 
1614  char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1615  "pcre:\"/^(la)+$/\"; sid:1;)";
1616  FAIL_IF_NOT(UTHPacketMatchSig(p, sig));
1617 
1618  UTHFreePacket(p);
1619  PASS;
1620 }
1621 
1622 /** \test Test tracking of body chunks per transactions (on requests)
1623  */
1624 static int DetectPcreTxBodyChunksTest01(void)
1625 {
1626  Flow f;
1627  TcpSession ssn;
1628  Packet *p = NULL;
1629  uint8_t httpbuf1[] = "GET / HTTP/1.1\r\n";
1630  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1631  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
1632  uint8_t httpbuf4[] = "Body one!!";
1633  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1634  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1635  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1636  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1637  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
1638  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
1639  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1640  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1641  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1642  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
1643  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1644 
1645  memset(&f, 0, sizeof(f));
1646  memset(&ssn, 0, sizeof(ssn));
1647 
1648  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1649 
1650  FLOW_INITIALIZE(&f);
1651  f.protoctx = (void *)&ssn;
1652  f.proto = IPPROTO_TCP;
1653  f.flags |= FLOW_IPV4;
1654 
1655  p->flow = &f;
1656  p->flowflags |= FLOW_PKT_TOSERVER;
1657  p->flowflags |= FLOW_PKT_ESTABLISHED;
1658  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1659  f.alproto = ALPROTO_HTTP1;
1660 
1661  StreamTcpInitConfig(true);
1662 
1663  AppLayerHtpEnableRequestBodyCallback();
1664 
1665  int r = AppLayerParserParse(
1666  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1667  FAIL_IF(r != 0);
1668 
1669  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1670  FAIL_IF(r != 0);
1671 
1672  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1673  FAIL_IF(r != 0);
1674 
1675  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1676  FAIL_IF(r != 0);
1677 
1678  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1679  FAIL_IF(r != 0);
1680 
1681  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1682  FAIL_IF(r != 0);
1683 
1684  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
1685  FAIL_IF(r != 0);
1686 
1687  /* Now we should have 2 transactions, each with it's own list
1688  * of request body chunks (let's test it) */
1689 
1690  HtpState *htp_state = f.alstate;
1691  FAIL_IF(htp_state == NULL);
1692 
1693  /* hardcoded check of the transactions and it's client body chunks */
1694  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
1695 
1696  htp_tx_t *t1 = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, htp_state, 0);
1697  htp_tx_t *t2 = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, htp_state, 1);
1698 
1699  HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(t1);
1700  FAIL_IF(htud == NULL);
1701 
1702  HtpBodyChunk *cur = htud->request_body.first;
1703  FAIL_IF(htud->request_body.first == NULL);
1704 
1705  FAIL_IF(StreamingBufferSegmentCompareRawData(htud->request_body.sb, &cur->sbseg, (uint8_t *)"Body one!!", 10) != 1);
1706 
1707  htud = (HtpTxUserData *) htp_tx_get_user_data(t2);
1708 
1709  cur = htud->request_body.first;
1710  FAIL_IF(htud->request_body.first == NULL);
1711 
1712  FAIL_IF(StreamingBufferSegmentCompareRawData(htud->request_body.sb, &cur->sbseg, (uint8_t *)"Body two!!", 10) != 1);
1713 
1714  AppLayerParserThreadCtxFree(alp_tctx);
1715  StreamTcpFreeConfig(true);
1716  FLOW_DESTROY(&f);
1717  UTHFreePacket(p);
1718  PASS;
1719 }
1720 
1721 /** \test test pcre P modifier with multiple pipelined http transactions */
1722 static int DetectPcreTxBodyChunksTest02(void)
1723 {
1724  Signature *s = NULL;
1725  DetectEngineThreadCtx *det_ctx = NULL;
1726  ThreadVars th_v;
1727  Flow f;
1728  TcpSession ssn;
1729  Packet *p = NULL;
1730  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1731  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1732  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
1733  uint8_t httpbuf4[] = "Body one!!";
1734  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1735  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1736  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1737  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1738  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
1739  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
1740  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1741  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1742  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1743  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
1744  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1745 
1746  memset(&th_v, 0, sizeof(th_v));
1747  StatsThreadInit(&th_v.stats);
1748  memset(&f, 0, sizeof(f));
1749  memset(&ssn, 0, sizeof(ssn));
1750 
1751  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1752 
1753  FLOW_INITIALIZE(&f);
1754  f.protoctx = (void *)&ssn;
1755  f.proto = IPPROTO_TCP;
1756  f.flags |= FLOW_IPV4;
1757 
1758  p->flow = &f;
1759  p->flowflags |= FLOW_PKT_TOSERVER;
1760  p->flowflags |= FLOW_PKT_ESTABLISHED;
1761  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1762  f.alproto = ALPROTO_HTTP1;
1763 
1764  StreamTcpInitConfig(true);
1765 
1766  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1767  FAIL_IF(de_ctx == NULL);
1768 
1769  de_ctx->flags |= DE_QUIET;
1770 
1771  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1772  FAIL_IF(s == NULL);
1773  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
1774  FAIL_IF(s == NULL);
1775 
1776  SigGroupBuild(de_ctx);
1777  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1778 
1779  int r = AppLayerParserParse(
1780  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1781  FAIL_IF(r != 0);
1782 
1783  /* do detect */
1784  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1785  FAIL_IF(PacketAlertCheck(p, 1));
1786  p->alerts.cnt = 0;
1787 
1788  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1789  FAIL_IF(r != 0);
1790 
1791  /* do detect */
1792  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1793  FAIL_IF(PacketAlertCheck(p, 1));
1794  p->alerts.cnt = 0;
1795 
1796  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1797  FAIL_IF(r != 0);
1798 
1799  /* do detect */
1800  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1801  FAIL_IF(PacketAlertCheck(p, 1));
1802  p->alerts.cnt = 0;
1803 
1804  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1805  FAIL_IF(r != 0);
1806 
1807  /* do detect */
1808  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1809  FAIL_IF(!(PacketAlertCheck(p, 1)));
1810  p->alerts.cnt = 0;
1811 
1812  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1813  FAIL_IF(r != 0);
1814 
1815  /* do detect */
1816  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1817  FAIL_IF(PacketAlertCheck(p, 1));
1818  p->alerts.cnt = 0;
1819 
1820  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1821  FAIL_IF(r != 0);
1822 
1823  /* do detect */
1824  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1825  FAIL_IF((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2)));
1826  p->alerts.cnt = 0;
1827 
1828  SCLogDebug("sending data chunk 7");
1829 
1830  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
1831  FAIL_IF(r != 0);
1832 
1833  /* do detect */
1834  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1835  FAIL_IF(!(PacketAlertCheck(p, 2)));
1836  p->alerts.cnt = 0;
1837 
1838  HtpState *htp_state = f.alstate;
1839  FAIL_IF(htp_state == NULL);
1840 
1841  /* hardcoded check of the transactions and it's client body chunks */
1842  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
1843 
1844  htp_tx_t *t1 = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, htp_state, 0);
1845  htp_tx_t *t2 = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, htp_state, 1);
1846 
1847  HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(t1);
1848 
1849  HtpBodyChunk *cur = htud->request_body.first;
1850  FAIL_IF(htud->request_body.first == NULL);
1851 
1852  FAIL_IF(StreamingBufferSegmentCompareRawData(htud->request_body.sb, &cur->sbseg, (uint8_t *)"Body one!!", 10) != 1);
1853 
1854  htud = (HtpTxUserData *) htp_tx_get_user_data(t2);
1855 
1856  cur = htud->request_body.first;
1857  FAIL_IF(htud->request_body.first == NULL);
1858 
1859  FAIL_IF(StreamingBufferSegmentCompareRawData(htud->request_body.sb, &cur->sbseg, (uint8_t *)"Body two!!", 10) != 1);
1860 
1861  UTHFreePacket(p);
1862  FLOW_DESTROY(&f);
1863  AppLayerParserThreadCtxFree(alp_tctx);
1864  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1865  DetectEngineCtxFree(de_ctx);
1866  StreamTcpFreeConfig(true);
1867  StatsThreadCleanup(&th_v.stats);
1868  PASS;
1869 }
1870 
1871 /** \test multiple http transactions and body chunks of request handling */
1872 static int DetectPcreTxBodyChunksTest03(void)
1873 {
1874  Signature *s = NULL;
1875  DetectEngineThreadCtx *det_ctx = NULL;
1876  ThreadVars th_v;
1877  Flow f;
1878  TcpSession ssn;
1879  Packet *p = NULL;
1880  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1881  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1882  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
1883  uint8_t httpbuf4[] = "Body one!!";
1884  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1885  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1886  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1887  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1888  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
1889  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
1890  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1891  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1892  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1893  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
1894  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
1895 
1896  memset(&th_v, 0, sizeof(th_v));
1897  StatsThreadInit(&th_v.stats);
1898  memset(&f, 0, sizeof(f));
1899  memset(&ssn, 0, sizeof(ssn));
1900 
1901  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1902 
1903  FLOW_INITIALIZE(&f);
1904  f.protoctx = (void *)&ssn;
1905  f.proto = IPPROTO_TCP;
1906  f.flags |= FLOW_IPV4;
1907 
1908  p->flow = &f;
1909  p->flowflags |= FLOW_PKT_TOSERVER;
1910  p->flowflags |= FLOW_PKT_ESTABLISHED;
1911  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1912  f.alproto = ALPROTO_HTTP1;
1913 
1914  StreamTcpInitConfig(true);
1915 
1916  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1917  FAIL_IF(de_ctx == NULL);
1918 
1919  de_ctx->flags |= DE_QUIET;
1920 
1921  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1922  FAIL_IF(s == NULL);
1923  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
1924  FAIL_IF(s == NULL);
1925 
1926  SigGroupBuild(de_ctx);
1927  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1928 
1929  int r = AppLayerParserParse(
1930  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1931  FAIL_IF(r != 0);
1932 
1933  /* do detect */
1934  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1935  FAIL_IF(PacketAlertCheck(p, 1));
1936  p->alerts.cnt = 0;
1937 
1938  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1939  FAIL_IF(r != 0);
1940 
1941  /* do detect */
1942  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1943  FAIL_IF(PacketAlertCheck(p, 1));
1944  p->alerts.cnt = 0;
1945 
1946  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1947  FAIL_IF(r != 0);
1948 
1949  /* do detect */
1950  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1951  FAIL_IF(PacketAlertCheck(p, 1));
1952  p->alerts.cnt = 0;
1953 
1954  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1955  FAIL_IF(r != 0);
1956 
1957  /* do detect */
1958  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1959  FAIL_IF(!(PacketAlertCheck(p, 1)));
1960  p->alerts.cnt = 0;
1961 
1962  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1963  FAIL_IF(r != 0);
1964 
1965  /* do detect */
1966  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1967  FAIL_IF(PacketAlertCheck(p, 1));
1968  p->alerts.cnt = 0;
1969 
1970  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1971  FAIL_IF(r != 0);
1972 
1973  /* do detect */
1974  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1975  FAIL_IF((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2)));
1976  p->alerts.cnt = 0;
1977 
1978  SCLogDebug("sending data chunk 7");
1979 
1980  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
1981  FAIL_IF(r != 0);
1982 
1983  /* do detect */
1984  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1985  FAIL_IF(!(PacketAlertCheck(p, 2)));
1986  p->alerts.cnt = 0;
1987 
1988  HtpState *htp_state = f.alstate;
1989  FAIL_IF(htp_state == NULL);
1990 
1991  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
1992 
1993  UTHFreePacket(p);
1994  FLOW_DESTROY(&f);
1995  AppLayerParserThreadCtxFree(alp_tctx);
1996  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1997  DetectEngineCtxFree(de_ctx);
1998 
1999  StreamTcpFreeConfig(true);
2000  StatsThreadCleanup(&th_v.stats);
2001  PASS;
2002 }
2003 
2004 /**
2005  * \brief Test parsing of pcre's with the W modifier set.
2006  */
2007 static int DetectPcreParseHttpHost(void)
2008 {
2009  AppProto alproto = ALPROTO_UNKNOWN;
2010  int list = DETECT_SM_LIST_NOTSET;
2011  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2012 
2013  FAIL_IF(de_ctx == NULL);
2014 
2015  DetectPcreData *pd = DetectPcreParse(de_ctx, "/domain\\.com/W", &list, NULL, 0, false, &alproto);
2016  FAIL_IF(pd == NULL);
2017  DetectPcreFree(de_ctx, pd);
2018 
2019  list = DETECT_SM_LIST_NOTSET;
2020  pd = DetectPcreParse(de_ctx, "/dOmain\\.com/W", &list, NULL, 0, false, &alproto);
2021  FAIL_IF(pd != NULL);
2022 
2023  /* Uppercase meta characters are valid. */
2024  list = DETECT_SM_LIST_NOTSET;
2025  pd = DetectPcreParse(de_ctx, "/domain\\D+\\.com/W", &list, NULL, 0, false, &alproto);
2026  FAIL_IF(pd == NULL);
2027  DetectPcreFree(de_ctx, pd);
2028 
2029  /* This should not parse as the first \ escapes the second \, then
2030  * we have a D. */
2031  list = DETECT_SM_LIST_NOTSET;
2032  pd = DetectPcreParse(de_ctx, "/\\\\Ddomain\\.com/W", &list, NULL, 0, false, &alproto);
2033  FAIL_IF(pd != NULL);
2034 
2035  DetectEngineCtxFree(de_ctx);
2036  PASS;
2037 }
2038 
2039 /**
2040  * \brief Test parsing of capture extension
2041  */
2042 static int DetectPcreParseCaptureTest(void)
2043 {
2044  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2045  FAIL_IF(de_ctx == NULL);
2046 
2047  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
2048  "(content:\"Server: \"; http_header; pcre:\"/(.*)\\r\\n/HR, flow:somecapture\"; content:\"xyz\"; http_header; sid:1;)");
2049  FAIL_IF(s == NULL);
2050  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
2051  "(content:\"Server: \"; http_header; pcre:\"/(flow:.*)\\r\\n/HR\"; content:\"xyz\"; http_header; sid:2;)");
2052  FAIL_IF(s == NULL);
2053  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
2054  "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)([0-9]+)\\r\\n/HR, flow:somecapture, pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2055  FAIL_IF(s == NULL);
2056  s = DetectEngineAppendSig(de_ctx,
2057  "alert http any any -> any any "
2058  "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)\\r\\n/HR, flow:somecapture, "
2059  "pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2060  FAIL_IF_NOT_NULL(s);
2061 
2062  SigGroupBuild(de_ctx);
2063 
2064  uint32_t capid1 = VarNameStoreLookupByName("somecapture", VAR_TYPE_FLOW_VAR);
2065  FAIL_IF(capid1 == 0);
2066  uint32_t capid2 = VarNameStoreLookupByName("anothercap", VAR_TYPE_PKT_VAR);
2067  FAIL_IF(capid2 == 0);
2068  FAIL_IF(capid1 == capid2);
2069 
2070  DetectEngineCtxFree(de_ctx);
2071  PASS;
2072 }
2073 
2074 /**
2075  * \brief this function registers unit tests for DetectPcre
2076  */
2077 static void DetectPcreRegisterTests(void)
2078 {
2079  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
2080  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
2081  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
2082 
2083  UtRegisterTest("DetectPcreParseTest01", DetectPcreParseTest01);
2084  UtRegisterTest("DetectPcreParseTest02", DetectPcreParseTest02);
2085  UtRegisterTest("DetectPcreParseTest03", DetectPcreParseTest03);
2086  UtRegisterTest("DetectPcreParseTest04", DetectPcreParseTest04);
2087  UtRegisterTest("DetectPcreParseTest05", DetectPcreParseTest05);
2088  UtRegisterTest("DetectPcreParseTest06", DetectPcreParseTest06);
2089  UtRegisterTest("DetectPcreParseTest07", DetectPcreParseTest07);
2090  UtRegisterTest("DetectPcreParseTest08", DetectPcreParseTest08);
2091  UtRegisterTest("DetectPcreParseTest09", DetectPcreParseTest09);
2092  UtRegisterTest("DetectPcreParseTest10", DetectPcreParseTest10);
2093  UtRegisterTest("DetectPcreParseTest15", DetectPcreParseTest15);
2094  UtRegisterTest("DetectPcreParseTest16", DetectPcreParseTest16);
2095  UtRegisterTest("DetectPcreParseTest17", DetectPcreParseTest17);
2096  UtRegisterTest("DetectPcreParseTest18", DetectPcreParseTest18);
2097  UtRegisterTest("DetectPcreParseTest19", DetectPcreParseTest19);
2098  UtRegisterTest("DetectPcreParseTest20", DetectPcreParseTest20);
2099  UtRegisterTest("DetectPcreParseTest21", DetectPcreParseTest21);
2100  UtRegisterTest("DetectPcreParseTest22", DetectPcreParseTest22);
2101  UtRegisterTest("DetectPcreParseTest23", DetectPcreParseTest23);
2102  UtRegisterTest("DetectPcreParseTest24", DetectPcreParseTest24);
2103  UtRegisterTest("DetectPcreParseTest25", DetectPcreParseTest25);
2104  UtRegisterTest("DetectPcreParseTest26", DetectPcreParseTest26);
2105  UtRegisterTest("DetectPcreParseTest27", DetectPcreParseTest27);
2106  UtRegisterTest("DetectPcreParseTest28", DetectPcreParseTest28);
2107 
2108  UtRegisterTest("DetectPcreTestSig01", DetectPcreTestSig01);
2109  UtRegisterTest("DetectPcreTestSig02 -- anchored pcre", DetectPcreTestSig02);
2110  UtRegisterTest("DetectPcreTestSig03 -- anchored pcre", DetectPcreTestSig03);
2111 
2112  UtRegisterTest("DetectPcreTxBodyChunksTest01",
2113  DetectPcreTxBodyChunksTest01);
2114  UtRegisterTest("DetectPcreTxBodyChunksTest02 -- modifier P, body chunks per tx",
2115  DetectPcreTxBodyChunksTest02);
2116  UtRegisterTest("DetectPcreTxBodyChunksTest03 -- modifier P, body chunks per tx",
2117  DetectPcreTxBodyChunksTest03);
2118 
2119  UtRegisterTest("DetectPcreParseHttpHost", DetectPcreParseHttpHost);
2120  UtRegisterTest("DetectPcreParseCaptureTest", DetectPcreParseCaptureTest);
2121 }
2122 #endif /* UNITTESTS */
DETECT_PCRE_CASELESS
#define DETECT_PCRE_CASELESS
Definition: detect-pcre.h:32
SigTableElmt_::url
const char * url
Definition: detect.h:1512
SC_MATCH_LIMIT_DEFAULT
#define SC_MATCH_LIMIT_DEFAULT
Definition: detect-pcre.h:43
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
SigMatch_::prev
struct SigMatch_ * prev
Definition: detect.h:361
detect-content.h
DetectPcreData_::idx
uint8_t idx
Definition: detect-pcre.h:52
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1315
DetectFlowvarPostMatchSetup
int DetectFlowvarPostMatchSetup(DetectEngineCtx *de_ctx, Signature *s, uint32_t idx)
Setup a post-match for flowvar storage We're piggyback riding the DetectFlowvarData struct.
Definition: detect-flowvar.c:259
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:649
SigTableElmt_::desc
const char * desc
Definition: detect.h:1511
Flow_::flags
uint64_t flags
Definition: flow.h:403
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1310
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1496
flow-util.h
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine-buffer.c:157
DetectPcrePayloadMatch
int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *payload, uint32_t payload_len)
Match a regex on a single payload.
Definition: detect-pcre.c:223
DetectParseRegex
Definition: detect-parse.h:94
SigTableElmt_::name
const char * name
Definition: detect.h:1509
stream-tcp.h
HtpBody_::sb
StreamingBuffer * sb
Definition: app-layer-htp.h:135
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:2126
DetectThreadCtxGetKeywordThreadCtx
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3879
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:76
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1500
DetectParseRegex::context
pcre2_match_context * context
Definition: detect-parse.h:96
Signature_::alproto
AppProto alproto
Definition: detect.h:680
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
Flow_::proto
uint8_t proto
Definition: flow.h:376
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:87
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:288
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:144
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
Packet_::flags
uint32_t flags
Definition: decode.h:561
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect-engine-register.h:321
Flow_
Flow data structure.
Definition: flow.h:354
DetectSetupPCRE2
DetectParseRegex * DetectSetupPCRE2(const char *parse_str, int opts)
Definition: detect-parse.c:3725
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-pcre.c:67
ctx
struct Thresholds ctx
th_v
ThreadVars * th_v
Definition: fuzz_iprep.c:20
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:973
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2760
HtpTxUserData_::request_body
HtpBody request_body
Definition: app-layer-htp.h:166
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:231
util-var-name.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:416
DetectParseRegex::regex
pcre2_code * regex
Definition: detect-parse.h:95
DetectPcreData_::parse_regex
DetectParseRegex parse_regex
Definition: detect-pcre.h:48
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHPacketMatchSig
int UTHPacketMatchSig(Packet *p, const char *sig)
Definition: util-unittest-helper.c:835
DetectGetLastSMByListPtr
SigMatch * DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list,...)
Returns the sm with the largest index (added last) from the list passed to us as a pointer.
Definition: detect-parse.c:625
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:243
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2971
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:3649
DetectContentData_
Definition: detect-content.h:93
p
Packet * p
Definition: fuzz_iprep.c:21
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:51
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:156
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
DETECT_PCRE_CAPTURE_MAX
#define DETECT_PCRE_CAPTURE_MAX
Definition: detect-pcre.h:37
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2301
DETECT_VAR_TYPE_PKT_POSTMATCH
#define DETECT_VAR_TYPE_PKT_POSTMATCH
Definition: detect.h:831
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3595
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:546
StreamingBufferSegmentCompareRawData
int StreamingBufferSegmentCompareRawData(const StreamingBuffer *sb, const StreamingBufferSegment *seg, const uint8_t *rawdata, uint32_t rawdata_len)
Definition: util-streaming-buffer.c:1794
Flow_::protoctx
void * protoctx
Definition: flow.h:433
SigMatchData_
Data needed for Match()
Definition: detect.h:365
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1491
detect-pcre.h
PARSE_CAPTURE_REGEX
#define PARSE_CAPTURE_REGEX
Definition: detect-pcre.c:66
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:636
SIG_JSON_CONTENT_ITEM_LEN
#define SIG_JSON_CONTENT_ITEM_LEN
Definition: detect.h:1279
util-unittest.h
HtpBody_::first
HtpBodyChunk * first
Definition: app-layer-htp.h:132
HtpState_
Definition: app-layer-htp.h:183
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1384
VAR_TYPE_PKT_VAR_KV
@ VAR_TYPE_PKT_VAR_KV
Definition: util-var.h:34
detect-flowvar.h
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
DetectPcreData_::capids
uint32_t capids[DETECT_PCRE_CAPTURE_MAX]
Definition: detect-pcre.h:54
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:498
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:327
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_PCRE_RAWBYTES
#define DETECT_PCRE_RAWBYTES
Definition: detect-pcre.h:31
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
DetectEngineThreadCtx_
Definition: detect.h:1291
DetectEngineBufferTypeGetDescriptionById
const char * DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1492
SCConfGetInt
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:441
AppLayerHtpEnableRequestBodyCallback
void AppLayerHtpEnableRequestBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
Definition: app-layer-htp.c:552
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:24
SignatureInitData_::list
int list
Definition: detect.h:632
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
detect-engine-mpm.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:387
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectPcreData_::thread_ctx_id
int thread_ctx_id
Definition: detect-pcre.h:49
pkt-var.h
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3506
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:205
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:262
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3248
VAR_TYPE_ALERT_VAR
@ VAR_TYPE_ALERT_VAR
Definition: util-var.h:50
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
SC_MATCH_LIMIT_RECURSION_DEFAULT
#define SC_MATCH_LIMIT_RECURSION_DEFAULT
Definition: detect-pcre.h:44
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
stream.h
Packet_
Definition: decode.h:515
detect-engine-build.h
stream-tcp-private.h
detect-engine-alert.h
conf.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:754
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SignatureInitData_::negated
bool negated
Definition: detect.h:601
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1471
PageSupportsRWX
#define PageSupportsRWX()
Definition: util-pages.h:37
util-pages.h
DetectEngineThreadCtxGetJsonContext
int DetectEngineThreadCtxGetJsonContext(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine.c:5264
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:78
DETECT_VAR_TYPE_FLOW_POSTMATCH
#define DETECT_VAR_TYPE_FLOW_POSTMATCH
Definition: detect.h:830
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1134
DetectPcreData_::captypes
uint8_t captypes[DETECT_PCRE_CAPTURE_MAX]
Definition: detect-pcre.h:53
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2295
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1333
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:144
DetectVarStoreMatchKeyValue
int DetectVarStoreMatchKeyValue(DetectEngineThreadCtx *det_ctx, uint8_t *key, uint16_t key_len, uint8_t *buffer, uint16_t len, uint16_t type)
Store flowvar in det_ctx so we can exec it post-match.
Definition: detect-flowvar.c:205
Packet_::flow
struct Flow_ * flow
Definition: decode.h:563
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectEngineCtx_::rule_file
const char * rule_file
Definition: detect.h:1071
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:866
DetectRegisterThreadCtxFuncs
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
Register Thread keyword context Funcs.
Definition: detect-engine.c:3809
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1316
suricata-common.h
VarNameStoreLookupById
const char * VarNameStoreLookupById(const uint32_t id, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:307
SigMatch_::type
uint16_t type
Definition: detect.h:357
HtpBodyChunk_
Definition: app-layer-htp.h:123
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3751
detect-engine-buffer.h
FatalError
#define FatalError(...)
Definition: util-debug.h:517
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:982
HtpTxUserData_
Definition: app-layer-htp.h:153
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
DetectEngineThreadCtx_::pcre_match_start_offset
uint32_t pcre_match_start_offset
Definition: detect.h:1319
DetectEngineThreadCtx_::json_content
SigJsonContent * json_content
Definition: detect.h:1328
str
#define str(s)
Definition: suricata-common.h:316
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:274
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:472
Flow_::alstate
void * alstate
Definition: flow.h:479
detect-parse.h
Signature_
Signature container.
Definition: detect.h:675
SigMatch_
a single match condition for a signature
Definition: detect.h:356
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:39
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:233
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2721
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
SIGMATCH_SUPPORT_FIREWALL
#define SIGMATCH_SUPPORT_FIREWALL
Definition: detect-engine-register.h:339
DetectPcreData_
Definition: detect-pcre.h:47
DetectEngineThreadCtx_::json_content_len
uint8_t json_content_len
Definition: detect.h:1330
DetectParseFreeRegex
void DetectParseFreeRegex(DetectParseRegex *r)
Definition: detect-parse.c:3659
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:975
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
DETECT_PCRE_RELATIVE
#define DETECT_PCRE_RELATIVE
Definition: detect-pcre.h:29
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:2006
DetectUnregisterThreadCtxFuncs
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
Remove Thread keyword context registration.
Definition: detect-engine.c:3861
DetectEngineCtx_::rule_line
int rule_line
Definition: detect.h:1070
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
util-pool.h
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:288
DETECT_PCRE_NEGATE
#define DETECT_PCRE_NEGATE
Definition: detect-pcre.h:35
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine-buffer.c:109
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1429
flow-var.h
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1127
HtpBodyChunk_::sbseg
StreamingBufferSegment sbseg
Definition: app-layer-htp.h:126
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect-engine-register.h:329
DetectPcreRegister
void DetectPcreRegister(void)
Definition: detect-pcre.c:97
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
SigJsonContent::json_content
char json_content[SIG_JSON_CONTENT_ITEM_LEN]
Definition: detect.h:1285
SigJsonContent::id
void * id
Definition: detect.h:1284
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1306
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1498
app-layer.h
DetectVarStoreMatch
int DetectVarStoreMatch(DetectEngineThreadCtx *det_ctx, uint32_t idx, uint8_t *buffer, uint16_t len, uint16_t type)
Store flowvar in det_ctx so we can exec it post-match.
Definition: detect-flowvar.c:224