suricata
detect-pcre.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements the pcre keyword
24  */
25 
26 #include "suricata-common.h"
27 #include "decode.h"
28 #include "detect.h"
29 
30 #include "pkt-var.h"
31 #include "flow-var.h"
32 #include "flow-util.h"
33 
34 #include "detect-pcre.h"
35 #include "detect-flowvar.h"
36 
37 #include "detect-parse.h"
38 #include "detect-content.h"
39 #include "detect-engine.h"
40 #include "detect-engine-buffer.h"
41 #include "detect-engine-sigorder.h"
42 #include "detect-engine-mpm.h"
43 #include "detect-engine-state.h"
44 #include "detect-engine-build.h"
45 
46 #include "util-var-name.h"
47 #include "util-unittest-helper.h"
48 #include "util-debug.h"
49 #include "util-unittest.h"
50 #include "util-print.h"
51 #include "util-pool.h"
52 
53 #include "conf.h"
54 #include "app-layer.h"
55 #include "app-layer-htp.h"
56 #include "stream.h"
57 #include "stream-tcp.h"
58 #include "stream-tcp-private.h"
59 #include "stream-tcp-reassemble.h"
60 #include "app-layer-protos.h"
61 #include "app-layer-parser.h"
62 #include "util-pages.h"
63 
64 /* pcre named substring capture supports only 32byte names, A-z0-9 plus _
65  * and needs to start with non-numeric. */
66 #define PARSE_CAPTURE_REGEX "\\(\\?P\\<([A-z]+)\\_([A-z0-9_]+)\\>"
67 #define PARSE_REGEX "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"
68 
69 static int pcre_match_limit = 0;
70 static int pcre_match_limit_recursion = 0;
71 
72 static DetectParseRegex *parse_regex;
73 static DetectParseRegex *parse_capture_regex;
74 
75 #ifdef PCRE2_HAVE_JIT
76 static int pcre2_use_jit = 1;
77 #endif
78 
79 // TODOpcre2 pcre2_jit_stack_create ?
80 
81 /* \brief Helper function for using pcre2_match with/without JIT
82  */
83 static inline int DetectPcreExec(DetectEngineThreadCtx *det_ctx, const DetectPcreData *pd,
84  const char *str, const size_t strlen, int start_offset, int options,
85  pcre2_match_data *match)
86 {
87  return pcre2_match(pd->parse_regex.regex, (PCRE2_SPTR8)str, strlen, start_offset, options,
88  match, pd->parse_regex.context);
89 }
90 
91 static int DetectPcreSetup (DetectEngineCtx *, Signature *, const char *);
92 static void DetectPcreFree(DetectEngineCtx *, void *);
93 #ifdef UNITTESTS
94 static void DetectPcreRegisterTests(void);
95 #endif
96 
97 void DetectPcreRegister (void)
98 {
100  sigmatch_table[DETECT_PCRE].desc = "match on regular expression";
101  sigmatch_table[DETECT_PCRE].url = "/rules/payload-keywords.html#pcre-perl-compatible-regular-expressions";
103  sigmatch_table[DETECT_PCRE].Setup = DetectPcreSetup;
104  sigmatch_table[DETECT_PCRE].Free = DetectPcreFree;
105 #ifdef UNITTESTS
106  sigmatch_table[DETECT_PCRE].RegisterTests = DetectPcreRegisterTests;
107 #endif
110 
111  intmax_t val = 0;
112 
113  if (!SCConfGetInt("pcre.match-limit", &val)) {
114  pcre_match_limit = SC_MATCH_LIMIT_DEFAULT;
115  SCLogDebug("Using PCRE match-limit setting of: %i", pcre_match_limit);
116  } else {
117  pcre_match_limit = (int)val;
118  if (pcre_match_limit != SC_MATCH_LIMIT_DEFAULT) {
119  SCLogInfo("Using PCRE match-limit setting of: %i", pcre_match_limit);
120  } else {
121  SCLogDebug("Using PCRE match-limit setting of: %i", pcre_match_limit);
122  }
123  }
124 
125  val = 0;
126 
127  if (!SCConfGetInt("pcre.match-limit-recursion", &val)) {
128  pcre_match_limit_recursion = SC_MATCH_LIMIT_RECURSION_DEFAULT;
129  SCLogDebug("Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
130  } else {
131  pcre_match_limit_recursion = (int)val;
132  if (pcre_match_limit_recursion != SC_MATCH_LIMIT_RECURSION_DEFAULT) {
133  SCLogInfo("Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
134  } else {
135  SCLogDebug("Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
136  }
137  }
138 
139  parse_regex = DetectSetupPCRE2(PARSE_REGEX, 0);
140  if (parse_regex == NULL) {
141  FatalError("pcre2 compile failed for parse_regex");
142  }
143 
144  /* setup the capture regex, as it needs PCRE2_UNGREEDY we do it manually */
145  /* pkt_http_ua should be pkt, http_ua, for this reason the UNGREEDY */
146  parse_capture_regex = DetectSetupPCRE2(PARSE_CAPTURE_REGEX, PCRE2_UNGREEDY);
147  if (parse_capture_regex == NULL) {
148  FatalError("pcre2 compile failed for parse_capture_regex");
149  }
150 
151 #ifdef PCRE2_HAVE_JIT
152  if (PageSupportsRWX() == 0) {
153  SCLogConfig("PCRE2 won't use JIT as OS doesn't allow RWX pages");
154  pcre2_use_jit = 0;
155  }
156 #endif
157 }
158 
159 static void DetectAlertStoreMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, uint32_t idx,
160  uint8_t *str_ptr, uint16_t capture_len)
161 {
162  /* We need the key */
163  const char *json_key = VarNameStoreLookupById(idx, VAR_TYPE_ALERT_VAR);
164 
165  if (json_key == NULL) {
166  SCFree(str_ptr);
167  return;
168  }
169 
170  SCLogDebug("json key: %s", json_key);
171  /* Setup the data*/
172  if (capture_len + strlen(json_key) + 5 < SIG_JSON_CONTENT_ITEM_LEN) {
173  if (DetectEngineThreadCtxGetJsonContext(det_ctx) < 0) {
174  SCFree(str_ptr);
175  return;
176  }
177  SCJsonBuilder *js = SCJbNewObject();
178  if (unlikely(js == NULL)) {
179  SCFree(str_ptr);
180  return;
181  }
182  SCJbSetStringFromBytes(js, json_key, str_ptr, capture_len);
183  uint32_t js_len = (uint32_t)SCJbLen(js);
184  if (js_len > SIG_JSON_CONTENT_ITEM_LEN) {
185  SCLogDebug("Captured length is too long for JSON.");
186  SCFree(str_ptr);
187  SCJbFree(js);
188  return;
189  }
190  if (js_len == 0) {
191  SCLogDebug("Captured length is zero for JSON.");
192  SCFree(str_ptr);
193  SCJbFree(js);
194  return;
195  }
196  /* Copy js but skip the starting curly bracket to just get the inner data */
197  memcpy(det_ctx->json_content[det_ctx->json_content_len].json_content, SCJbPtr(js) + 1,
198  js_len - 1);
199  /* end the string as we have used memcpy */
200  det_ctx->json_content[det_ctx->json_content_len].json_content[js_len - 1] = 0;
201  det_ctx->json_content[det_ctx->json_content_len].id = (void *)s;
202  det_ctx->json_content_len++;
203  SCJbFree(js);
204  }
205 
206  SCFree(str_ptr);
207 }
208 
209 /**
210  * \brief Match a regex on a single payload.
211  *
212  * \param det_ctx Thread detection ctx.
213  * \param s Signature.
214  * \param sm Sig match to match against.
215  * \param p Packet to set PktVars if any.
216  * \param f Flow to set FlowVars if any.
217  * \param payload Payload to inspect.
218  * \param payload_len Length of the payload.
219  *
220  * \retval 1 Match.
221  * \retval 0 No match.
222  */
224  const SigMatchData *smd, Packet *p, Flow *f,
225  const uint8_t *payload, uint32_t payload_len)
226 {
227  SCEnter();
228  int ret = 0;
229  const uint8_t *ptr = NULL;
230  uint32_t len = 0;
231  PCRE2_SIZE capture_len = 0;
232 
233  const DetectPcreData *pe = (const DetectPcreData *)smd->ctx;
234 
235  if (pe->flags & DETECT_PCRE_RELATIVE) {
236  ptr = payload + det_ctx->buffer_offset;
237  len = payload_len - det_ctx->buffer_offset;
238  } else {
239  ptr = payload;
240  len = payload_len;
241  }
242 
243  int start_offset = 0;
244  if (det_ctx->pcre_match_start_offset != 0) {
245  start_offset = (uint32_t)(payload - ptr) + det_ctx->pcre_match_start_offset;
246  }
247 
248  /* run the actual pcre detection */
249  pcre2_match_data *match =
250  (pcre2_match_data *)DetectThreadCtxGetKeywordThreadCtx(det_ctx, pe->thread_ctx_id);
251 
252  ret = DetectPcreExec(det_ctx, pe, (char *)ptr, len, start_offset, 0, match);
253  SCLogDebug("ret %d (negating %s)", ret, (pe->flags & DETECT_PCRE_NEGATE) ? "set" : "not set");
254 
255  if (ret == PCRE2_ERROR_NOMATCH) {
256  if (pe->flags & DETECT_PCRE_NEGATE) {
257  /* regex didn't match with negate option means we
258  * consider it a match */
259  ret = 1;
260  } else {
261  ret = 0;
262  }
263  } else if (ret >= 0) {
264  if (pe->flags & DETECT_PCRE_NEGATE) {
265  /* regex matched but we're negated, so not
266  * considering it a match */
267  ret = 0;
268  } else {
269  /* regex matched and we're not negated,
270  * considering it a match */
271 
272  SCLogDebug("ret %d pe->idx %u", ret, pe->idx);
273 
274  /* see if we need to do substring capturing. */
275  if (ret > 1 && pe->idx != 0) {
276  uint8_t x;
277  for (x = 0; x < pe->idx; x++) {
278  SCLogDebug("capturing %u", x);
279  const char *pcre2_str_ptr = NULL;
280  ret = pcre2_substring_get_bynumber(
281  match, x + 1, (PCRE2_UCHAR8 **)&pcre2_str_ptr, &capture_len);
282  if (unlikely(ret != 0)) {
283  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
284  continue;
285  }
286  /* store max 64k. Errors are ignored */
287  capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
288  uint8_t *str_ptr = SCMalloc(capture_len);
289  if (unlikely(str_ptr == NULL)) {
290  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
291  continue;
292  }
293  memcpy(str_ptr, pcre2_str_ptr, capture_len);
294  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
295 
296  SCLogDebug("data %p/%u, type %u id %u p %p",
297  str_ptr, ret, pe->captypes[x], pe->capids[x], p);
298 
299  if (pe->captypes[x] == VAR_TYPE_PKT_VAR_KV) {
300  /* get the value, as first capture is the key */
301  const char *pcre2_str_ptr2 = NULL;
302  /* key length is limited to 256 chars */
303  uint16_t key_len = (capture_len < 0xff) ? (uint16_t)capture_len : 0xff;
304  int ret2 = pcre2_substring_get_bynumber(
305  match, x + 2, (PCRE2_UCHAR8 **)&pcre2_str_ptr2, &capture_len);
306 
307  if (unlikely(ret2 != 0)) {
308  SCFree(str_ptr);
309  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
310  break;
311  }
312  capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
313  uint8_t *str_ptr2 = SCMalloc(capture_len);
314  if (unlikely(str_ptr2 == NULL)) {
315  SCFree(str_ptr);
316  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
317  break;
318  }
319  memcpy(str_ptr2, pcre2_str_ptr2, capture_len);
320  pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
321 
322  (void)DetectVarStoreMatchKeyValue(det_ctx, (uint8_t *)str_ptr, key_len,
323  (uint8_t *)str_ptr2, (uint16_t)capture_len,
325 
326  } else if (pe->captypes[x] == VAR_TYPE_PKT_VAR) {
327  (void)DetectVarStoreMatch(det_ctx, pe->capids[x], (uint8_t *)str_ptr,
328  (uint16_t)capture_len, DETECT_VAR_TYPE_PKT_POSTMATCH);
329 
330  } else if (pe->captypes[x] == VAR_TYPE_FLOW_VAR && f != NULL) {
331  (void)DetectVarStoreMatch(det_ctx, pe->capids[x], (uint8_t *)str_ptr,
332  (uint16_t)capture_len, DETECT_VAR_TYPE_FLOW_POSTMATCH);
333 
334  } else if (pe->captypes[x] == VAR_TYPE_ALERT_VAR) {
335  (void)DetectAlertStoreMatch(det_ctx, s, pe->capids[x], (uint8_t *)str_ptr,
336  (uint16_t)capture_len);
337 
338  } else {
339  BUG_ON(1); // Impossible captype
340  SCFree(str_ptr);
341  }
342  }
343  }
344 
345  PCRE2_SIZE *ov = pcre2_get_ovector_pointer(match);
346  /* update offset for pcre RELATIVE */
347  det_ctx->buffer_offset = (uint32_t)((ptr + ov[1]) - payload);
348  det_ctx->pcre_match_start_offset = (uint32_t)((ptr + ov[0] + 1) - payload);
349 
350  ret = 1;
351  }
352 
353  } else {
354  SCLogDebug("pcre had matching error");
355  ret = 0;
356  }
357  SCReturnInt(ret);
358 }
359 
360 static int DetectPcreSetList(int list, int set)
361 {
362  if (list != DETECT_SM_LIST_NOTSET) {
363  SCLogError("only one pcre option to specify a buffer type is allowed");
364  return -1;
365  }
366  return set;
367 }
368 
369 static bool DetectPcreHasUnicodeCluster(const char *re)
370 {
371  return strstr(re, "\\X") != NULL;
372 }
373 
374 static int DetectPcreHasUpperCase(const char *re)
375 {
376  size_t len = strlen(re);
377  bool is_meta = false;
378  bool is_meta_hex = false;
379  int meta_hex_cnt = 0;
380 
381  for (size_t i = 0; i < len; i++) {
382  if (is_meta_hex) {
383  meta_hex_cnt++;
384 
385  if (meta_hex_cnt == 2) {
386  is_meta_hex = false;
387  meta_hex_cnt = 0;
388  }
389  } else if (is_meta) {
390  if (re[i] == 'x') {
391  is_meta_hex = true;
392  } else {
393  is_meta = false;
394  }
395  }
396  else if (re[i] == '\\') {
397  is_meta = true;
398  }
399  else if (isupper((unsigned char)re[i])) {
400  return 1;
401  }
402  }
403 
404  return 0;
405 }
406 
407 static DetectPcreData *DetectPcreParse (DetectEngineCtx *de_ctx,
408  const char *regexstr, int *sm_list, char *capture_names,
409  size_t capture_names_size, bool negate, AppProto *alproto)
410 {
411  pcre2_match_data *match = NULL;
412  int en;
413  PCRE2_SIZE eo2;
414  int opts = 0;
415  DetectPcreData *pd = NULL;
416  char *op = NULL;
417  int ret = 0, res = 0;
418  int check_host_header = 0;
419  char op_str[64] = "";
420 
421  bool apply_match_limit = false;
422 
423  int cut_capture = 0;
424  const char *fcap = strstr(regexstr, "flow:");
425  const char *pcap = strstr(regexstr, "pkt:");
426  const char *acap = strstr(regexstr, "alert:");
427  /* take the size of the whole input as buffer size for the regex we will
428  * extract below. Add 1 to please Coverity's alloc_strlen test. */
429  size_t slen = strlen(regexstr) + 1;
430  if (fcap || pcap || acap) {
431  SCLogDebug("regexstr %s", regexstr);
432 
433  bool a_set = false;
434  cut_capture = 0;
435  if (fcap) {
436  a_set = true;
437  cut_capture = (int)(fcap - regexstr);
438  }
439  if (pcap) {
440  if (a_set)
441  cut_capture = (int)MIN(cut_capture, (pcap - regexstr));
442  else {
443  cut_capture = (int)(pcap - regexstr);
444  a_set = true;
445  }
446  }
447  if (acap) {
448  if (a_set)
449  cut_capture = MIN(cut_capture, (int)(acap - regexstr));
450  else
451  cut_capture = (int)(acap - regexstr);
452  }
453 
454  SCLogDebug("cut_capture %d", cut_capture);
455 
456  if (cut_capture > 1) {
457  int offset = cut_capture - 1;
458  while (offset) {
459  SCLogDebug("regexstr[offset] %c", regexstr[offset]);
460  if (regexstr[offset] == ',' || regexstr[offset] == ' ') {
461  offset--;
462  }
463  else
464  break;
465  }
466 
467  if (cut_capture == (offset + 1)) {
468  SCLogDebug("missing separators, assume it's part of the regex");
469  } else {
470  slen = offset + 1;
471  strlcpy(capture_names, regexstr+cut_capture, capture_names_size);
472  if (capture_names[strlen(capture_names)-1] == '"')
473  capture_names[strlen(capture_names)-1] = '\0';
474  }
475  }
476  }
477 
478  DEBUG_VALIDATE_BUG_ON(slen > UINT16_MAX);
479  char re[slen];
480 
481  match = pcre2_match_data_create_from_pattern(parse_regex->regex, NULL);
482  if (!match) {
483  goto error;
484  }
485 
486  ret = pcre2_match(parse_regex->regex, (PCRE2_SPTR8)regexstr, slen, 0, 0, match, NULL);
487  if (ret <= 0) {
488  SCLogError("pcre parse error: %s", regexstr);
489  goto error;
490  }
491 
492  res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)re, &slen);
493  if (res < 0) {
494  SCLogError("pcre2_substring_copy_bynumber failed");
495  pcre2_match_data_free(match);
496  return NULL;
497  }
498 
499  if (ret > 2) {
500  size_t copylen = sizeof(op_str);
501  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)op_str, &copylen);
502  if (res < 0) {
503  SCLogError("pcre2_substring_copy_bynumber failed");
504  pcre2_match_data_free(match);
505  return NULL;
506  }
507  op = op_str;
508  }
509  //printf("ret %" PRId32 " re \'%s\', op \'%s\'\n", ret, re, op);
510 
511  pd = SCCalloc(1, sizeof(DetectPcreData));
512  if (unlikely(pd == NULL))
513  goto error;
514 
515  if (negate)
516  pd->flags |= DETECT_PCRE_NEGATE;
517 
518  if (op != NULL) {
519  while (*op) {
520  SCLogDebug("regex option %c", *op);
521 
522  switch (*op) {
523  case 'A':
524  opts |= PCRE2_ANCHORED;
525  break;
526  case 'E':
527  opts |= PCRE2_DOLLAR_ENDONLY;
528  break;
529  case 'G':
530  opts |= PCRE2_UNGREEDY;
531  break;
532 
533  case 'i':
534  opts |= PCRE2_CASELESS;
536  break;
537  case 'm':
538  opts |= PCRE2_MULTILINE;
539  break;
540  case 's':
541  opts |= PCRE2_DOTALL;
542  break;
543  case 'x':
544  opts |= PCRE2_EXTENDED;
545  break;
546 
547  case 'O':
548  apply_match_limit = true;
549  break;
550 
551  case 'B': /* snort's option */
552  if (*sm_list != DETECT_SM_LIST_NOTSET) {
553  SCLogError("regex modifier 'B' inconsistent with chosen buffer");
554  goto error;
555  }
557  break;
558  case 'R': /* snort's option */
560  break;
561 
562  /* buffer selection */
563 
564  case 'U': { /* snort's option */
565  if (pd->flags & DETECT_PCRE_RAWBYTES) {
566  SCLogError("regex modifier 'U' inconsistent with 'B'");
567  goto error;
568  }
569  int list = DetectBufferTypeGetByName("http_uri");
570  *sm_list = DetectPcreSetList(*sm_list, list);
571  *alproto = ALPROTO_HTTP1;
572  break;
573  }
574  case 'V': {
575  if (pd->flags & DETECT_PCRE_RAWBYTES) {
576  SCLogError("regex modifier 'V' inconsistent with 'B'");
577  goto error;
578  }
579  int list = DetectBufferTypeGetByName("http_user_agent");
580  *sm_list = DetectPcreSetList(*sm_list, list);
581  *alproto = ALPROTO_HTTP1;
582  break;
583  }
584  case 'W': {
585  if (pd->flags & DETECT_PCRE_RAWBYTES) {
586  SCLogError("regex modifier 'W' inconsistent with 'B'");
587  goto error;
588  }
589  int list = DetectBufferTypeGetByName("http_host");
590  *sm_list = DetectPcreSetList(*sm_list, list);
591  *alproto = ALPROTO_HTTP1;
592  check_host_header = 1;
593  break;
594  }
595  case 'Z': {
596  if (pd->flags & DETECT_PCRE_RAWBYTES) {
597  SCLogError("regex modifier 'Z' inconsistent with 'B'");
598  goto error;
599  }
600  int list = DetectBufferTypeGetByName("http_raw_host");
601  *sm_list = DetectPcreSetList(*sm_list, list);
602  *alproto = ALPROTO_HTTP1;
603  break;
604  }
605  case 'H': { /* snort's option */
606  if (pd->flags & DETECT_PCRE_RAWBYTES) {
607  SCLogError("regex modifier 'H' inconsistent with 'B'");
608  goto error;
609  }
610  int list = DetectBufferTypeGetByName("http_header");
611  *sm_list = DetectPcreSetList(*sm_list, list);
612  *alproto = ALPROTO_HTTP1;
613  break;
614  } case 'I': { /* snort's option */
615  if (pd->flags & DETECT_PCRE_RAWBYTES) {
616  SCLogError("regex modifier 'I' inconsistent with 'B'");
617  goto error;
618  }
619  int list = DetectBufferTypeGetByName("http_raw_uri");
620  *sm_list = DetectPcreSetList(*sm_list, list);
621  *alproto = ALPROTO_HTTP1;
622  break;
623  }
624  case 'D': { /* snort's option */
625  int list = DetectBufferTypeGetByName("http_raw_header");
626  *sm_list = DetectPcreSetList(*sm_list, list);
627  *alproto = ALPROTO_HTTP1;
628  break;
629  }
630  case 'M': { /* snort's option */
631  if (pd->flags & DETECT_PCRE_RAWBYTES) {
632  SCLogError("regex modifier 'M' inconsistent with 'B'");
633  goto error;
634  }
635  int list = DetectBufferTypeGetByName("http_method");
636  *sm_list = DetectPcreSetList(*sm_list, list);
637  *alproto = ALPROTO_HTTP1;
638  break;
639  }
640  case 'C': { /* snort's option */
641  if (pd->flags & DETECT_PCRE_RAWBYTES) {
642  SCLogError("regex modifier 'C' inconsistent with 'B'");
643  goto error;
644  }
645  int list = DetectBufferTypeGetByName("http_cookie");
646  *sm_list = DetectPcreSetList(*sm_list, list);
647  *alproto = ALPROTO_HTTP1;
648  break;
649  }
650  case 'P': {
651  /* snort's option (http request body inspection) */
652  int list = DetectBufferTypeGetByName("http_client_body");
653  *sm_list = DetectPcreSetList(*sm_list, list);
654  *alproto = ALPROTO_HTTP1;
655  break;
656  }
657  case 'Q': {
658  int list = DetectBufferTypeGetByName("file_data");
659  /* suricata extension (http response body inspection) */
660  *sm_list = DetectPcreSetList(*sm_list, list);
661  *alproto = ALPROTO_HTTP1;
662  break;
663  }
664  case 'Y': {
665  /* snort's option */
666  int list = DetectBufferTypeGetByName("http_stat_msg");
667  *sm_list = DetectPcreSetList(*sm_list, list);
668  *alproto = ALPROTO_HTTP1;
669  break;
670  }
671  case 'S': {
672  /* snort's option */
673  int list = DetectBufferTypeGetByName("http_stat_code");
674  *sm_list = DetectPcreSetList(*sm_list, list);
675  *alproto = ALPROTO_HTTP1;
676  break;
677  }
678  default:
679  SCLogError("unknown regex modifier '%c'", *op);
680  goto error;
681  }
682  op++;
683  }
684  }
685  if (*sm_list == -1)
686  goto error;
687 
688  SCLogDebug("DetectPcreParse: \"%s\"", re);
689 
690  /* host header */
691  if (check_host_header) {
692  if (pd->flags & DETECT_PCRE_CASELESS) {
693  SCLogWarning("http host pcre(\"W\") "
694  "specified along with \"i(caseless)\" modifier. "
695  "Since the hostname buffer we match against "
696  "is actually lowercase, having a "
697  "nocase is redundant.");
698  }
699  else if (DetectPcreHasUpperCase(re)) {
700  SCLogError("pcre host(\"W\") "
701  "specified has an uppercase char. "
702  "Since the hostname buffer we match against "
703  "is actually lowercase, please specify an "
704  "all lowercase based pcre.");
705  goto error;
706  }
707  }
708 
709  /* Try to compile as if all (...) groups had been meant as (?:...),
710  * which is the common case in most rules.
711  * If we fail because a capture group is later referenced (e.g., \1),
712  * PCRE will let us know.
713  */
714  if (capture_names == NULL || strlen(capture_names) == 0)
715  opts |= PCRE2_NO_AUTO_CAPTURE;
716 
717  // forbid use of \X Unicode extended grapheme cluster as slow
718  if (DetectPcreHasUnicodeCluster(re)) {
719 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
720  goto error;
721 #else
723 #endif
724  }
725 
726  pd->parse_regex.regex =
727  pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
728  if (pd->parse_regex.regex == NULL && en == 115) { // reference to nonexistent subpattern
729  opts &= ~PCRE2_NO_AUTO_CAPTURE;
730  pd->parse_regex.regex =
731  pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
732  }
733  if (pd->parse_regex.regex == NULL) {
734  PCRE2_UCHAR errbuffer[256];
735  pcre2_get_error_message(en, errbuffer, sizeof(errbuffer));
736  SCLogError("pcre2 compile of \"%s\" failed at "
737  "offset %d: %s",
738  regexstr, (int)eo2, errbuffer);
739  goto error;
740  }
741 
742 #ifdef PCRE2_HAVE_JIT
743  if (pcre2_use_jit) {
744  ret = pcre2_jit_compile(pd->parse_regex.regex, PCRE2_JIT_COMPLETE);
745  if (ret != 0) {
746  /* warning, so we won't print the sig after this. Adding
747  * file and line to the message so the admin can figure
748  * out what sig this is about */
749  SCLogDebug("PCRE2 JIT compiler does not support: %s. "
750  "Falling back to regular PCRE2 handling (%s:%d)",
751  regexstr, de_ctx->rule_file, de_ctx->rule_line);
752  }
753  }
754 #endif /*PCRE2_HAVE_JIT*/
755 
756  pd->parse_regex.context = pcre2_match_context_create(NULL);
757  if (pd->parse_regex.context == NULL) {
758  SCLogError("pcre2 could not create match context");
759  goto error;
760  }
761 
762  if (apply_match_limit) {
763  if (pcre_match_limit >= -1) {
764  pcre2_set_match_limit(pd->parse_regex.context, pcre_match_limit);
765  }
766  if (pcre_match_limit_recursion >= -1) {
767  // pcre2_set_depth_limit unsupported on ubuntu 16.04
768  pcre2_set_recursion_limit(pd->parse_regex.context, pcre_match_limit_recursion);
769  }
770  } else {
771  pcre2_set_match_limit(pd->parse_regex.context, SC_MATCH_LIMIT_DEFAULT);
772  pcre2_set_recursion_limit(pd->parse_regex.context, SC_MATCH_LIMIT_RECURSION_DEFAULT);
773  }
774 
775  pcre2_match_data_free(match);
776  return pd;
777 
778 error:
779  pcre2_match_data_free(match);
780  DetectPcreFree(de_ctx, pd);
781  return NULL;
782 }
783 
784 /** \internal
785  * \brief check if we need to extract capture settings and set them up if needed
786  */
787 static int DetectPcreParseCapture(const char *regexstr, DetectEngineCtx *de_ctx, DetectPcreData *pd,
788  char *capture_names)
789 {
790  int ret = 0, res = 0;
791  char type_str[16] = "";
792  const char *orig_right_edge = regexstr + strlen(regexstr);
793  char *name_array[DETECT_PCRE_CAPTURE_MAX] = { NULL };
794  int name_idx = 0;
795  int capture_cnt = 0;
796  int key = 0;
797  size_t copylen;
798  pcre2_match_data *match = NULL;
799 
800  SCLogDebug("regexstr %s, pd %p", regexstr, pd);
801 
802  ret = pcre2_pattern_info(pd->parse_regex.regex, PCRE2_INFO_CAPTURECOUNT, &capture_cnt);
803  SCLogDebug("ret %d capture_cnt %d", ret, capture_cnt);
804  if (ret == 0 && capture_cnt && strlen(capture_names) > 0)
805  {
806  char *ptr = NULL;
807  while ((name_array[name_idx] = strtok_r(name_idx == 0 ? capture_names : NULL, " ,", &ptr))){
808  if (name_idx > (capture_cnt - 1)) {
809  SCLogError("more pkt/flow "
810  "var capture names than capturing substrings");
811  return -1;
812  }
813  SCLogDebug("name '%s'", name_array[name_idx]);
814 
815  if (strcmp(name_array[name_idx], "pkt:key") == 0) {
816  key = 1;
817  SCLogDebug("key-value/key");
818 
819  pd->captypes[pd->idx] = VAR_TYPE_PKT_VAR_KV;
820  SCLogDebug("id %u type %u", pd->capids[pd->idx], pd->captypes[pd->idx]);
821  pd->idx++;
822 
823  } else if (key == 1 && strcmp(name_array[name_idx], "pkt:value") == 0) {
824  SCLogDebug("key-value/value");
825  key = 0;
826 
827  /* kv error conditions */
828  } else if (key == 0 && strcmp(name_array[name_idx], "pkt:value") == 0) {
829  return -1;
830  } else if (key == 1) {
831  return -1;
832 
833  } else if (strncmp(name_array[name_idx], "flow:", 5) == 0) {
834  uint32_t varname_id =
835  VarNameStoreRegister(name_array[name_idx] + 5, VAR_TYPE_FLOW_VAR);
836  if (unlikely(varname_id == 0))
837  return -1;
838  pd->capids[pd->idx] = varname_id;
839  pd->captypes[pd->idx] = VAR_TYPE_FLOW_VAR;
840  pd->idx++;
841 
842  } else if (strncmp(name_array[name_idx], "pkt:", 4) == 0) {
843  uint32_t varname_id =
844  VarNameStoreRegister(name_array[name_idx] + 4, VAR_TYPE_PKT_VAR);
845  if (unlikely(varname_id == 0))
846  return -1;
847  pd->capids[pd->idx] = varname_id;
848  pd->captypes[pd->idx] = VAR_TYPE_PKT_VAR;
849  SCLogDebug("id %u type %u", pd->capids[pd->idx], pd->captypes[pd->idx]);
850  pd->idx++;
851 
852  } else if (strncmp(name_array[name_idx], "alert:", 6) == 0) {
853  uint32_t varname_id =
854  VarNameStoreRegister(name_array[name_idx] + 6, VAR_TYPE_ALERT_VAR);
855  if (unlikely(varname_id == 0))
856  return -1;
857  pd->capids[pd->idx] = varname_id;
858  pd->captypes[pd->idx] = VAR_TYPE_ALERT_VAR;
859  pd->idx++;
860 
861  } else {
862  SCLogError(" pkt/flow "
863  "var capture names must start with 'pkt:' or 'flow:'");
864  return -1;
865  }
866 
867  name_idx++;
868  if (name_idx >= DETECT_PCRE_CAPTURE_MAX)
869  break;
870  }
871  }
872 
873  /* take the size of the whole input as buffer size for the string we will
874  * extract below. Add 1 to please Coverity's alloc_strlen test. */
875  size_t cap_buffer_len = strlen(regexstr) + 1;
876  DEBUG_VALIDATE_BUG_ON(cap_buffer_len > UINT16_MAX);
877  char capture_str[cap_buffer_len];
878  memset(capture_str, 0x00, cap_buffer_len);
879 
880  if (de_ctx == NULL)
881  goto error;
882 
883  while (1) {
884  SCLogDebug("\'%s\'", regexstr);
885 
886  ret = DetectParsePcreExec(parse_capture_regex, &match, regexstr, 0, 0);
887  if (ret < 3) {
888  pcre2_match_data_free(match);
889  return 0;
890  }
891  copylen = sizeof(type_str);
892  res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)type_str, &copylen);
893  if (res != 0) {
894  SCLogError("pcre2_substring_copy_bynumber failed");
895  goto error;
896  }
897  cap_buffer_len = strlen(regexstr) + 1;
898  res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)capture_str, &cap_buffer_len);
899  if (res != 0) {
900  SCLogError("pcre2_substring_copy_bynumber failed");
901  goto error;
902  }
903  if (strlen(capture_str) == 0 || strlen(type_str) == 0) {
904  goto error;
905  }
906 
907  SCLogDebug("type \'%s\'", type_str);
908  SCLogDebug("capture \'%s\'", capture_str);
909 
910  if (pd->idx >= DETECT_PCRE_CAPTURE_MAX) {
911  SCLogError("rule can have maximally %d pkt/flow "
912  "var captures",
914  pcre2_match_data_free(match);
915  return -1;
916  }
917 
918  if (strcmp(type_str, "pkt") == 0) {
919  uint32_t varname_id = VarNameStoreRegister((char *)capture_str, VAR_TYPE_PKT_VAR);
920  if (unlikely(varname_id == 0))
921  return -1;
922  pd->capids[pd->idx] = varname_id;
923  pd->captypes[pd->idx] = VAR_TYPE_PKT_VAR;
924  SCLogDebug("id %u type %u", pd->capids[pd->idx], pd->captypes[pd->idx]);
925  pd->idx++;
926  } else if (strcmp(type_str, "flow") == 0) {
927  uint32_t varname_id = VarNameStoreRegister((char *)capture_str, VAR_TYPE_FLOW_VAR);
928  if (unlikely(varname_id == 0))
929  return -1;
930  pd->capids[pd->idx] = varname_id;
931  pd->captypes[pd->idx] = VAR_TYPE_FLOW_VAR;
932  pd->idx++;
933  } else if (strcmp(type_str, "alert") == 0) {
934  uint32_t varname_id = VarNameStoreRegister((char *)capture_str, VAR_TYPE_ALERT_VAR);
935  if (unlikely(varname_id == 0))
936  return -1;
937  pd->capids[pd->idx] = varname_id;
938  pd->captypes[pd->idx] = VAR_TYPE_ALERT_VAR;
939  pd->idx++;
940  }
941 
942  //SCLogNotice("pd->capname %s", pd->capname);
943  PCRE2_SIZE *ov = pcre2_get_ovector_pointer(match);
944  regexstr += ov[1];
945 
946  pcre2_match_data_free(match);
947  match = NULL;
948 
949  if (regexstr >= orig_right_edge)
950  break;
951  }
952  return 0;
953 
954 error:
955  pcre2_match_data_free(match);
956  return -1;
957 }
958 
959 static void *DetectPcreThreadInit(void *data)
960 {
961  DetectPcreData *pd = (DetectPcreData *)data;
962  pcre2_match_data *match = pcre2_match_data_create_from_pattern(pd->parse_regex.regex, NULL);
963  return match;
964 }
965 
966 static void DetectPcreThreadFree(void *ctx)
967 {
968  if (ctx != NULL) {
969  pcre2_match_data *match = (pcre2_match_data *)ctx;
970  pcre2_match_data_free(match);
971  }
972 }
973 
974 static int DetectPcreSetup (DetectEngineCtx *de_ctx, Signature *s, const char *regexstr)
975 {
976  SCEnter();
977  DetectPcreData *pd = NULL;
978  int parsed_sm_list = DETECT_SM_LIST_NOTSET;
979  char capture_names[1024] = "";
980  AppProto alproto = ALPROTO_UNKNOWN;
981 
982  pd = DetectPcreParse(de_ctx, regexstr, &parsed_sm_list,
983  capture_names, sizeof(capture_names), s->init_data->negated,
984  &alproto);
985  if (pd == NULL)
986  goto error;
987  if (DetectPcreParseCapture(regexstr, de_ctx, pd, capture_names) < 0)
988  goto error;
989 
991  de_ctx, "pcre", DetectPcreThreadInit, (void *)pd, DetectPcreThreadFree, 0);
992  if (pd->thread_ctx_id == -1)
993  goto error;
994 
995  int sm_list = -1;
996  if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
997  if (parsed_sm_list != DETECT_SM_LIST_NOTSET && parsed_sm_list != s->init_data->list) {
998  SCLogError("Expression seen with a sticky buffer still set; either (1) reset sticky "
999  "buffer with pkt_data or (2) use a sticky buffer providing \"%s\".",
1001  goto error;
1002  }
1003  if (DetectBufferGetActiveList(de_ctx, s) == -1)
1004  goto error;
1005 
1006  sm_list = s->init_data->list;
1007  } else {
1008  switch (parsed_sm_list) {
1009  case DETECT_SM_LIST_NOTSET:
1010  sm_list = DETECT_SM_LIST_PMATCH;
1011  break;
1012  default: {
1013  if (alproto != ALPROTO_UNKNOWN) {
1014  /* see if the proto doesn't conflict
1015  * with what we already have. */
1016  if (s->alproto != ALPROTO_UNKNOWN && !AppProtoEquals(s->alproto, alproto)) {
1017  goto error;
1018  }
1019  if (SCDetectSignatureSetAppProto(s, alproto) < 0)
1020  goto error;
1021  }
1022  sm_list = parsed_sm_list;
1023  break;
1024  }
1025  }
1026  }
1027  if (sm_list == -1)
1028  goto error;
1029 
1030  SigMatch *sm = SCSigMatchAppendSMToList(de_ctx, s, DETECT_PCRE, (SigMatchCtx *)pd, sm_list);
1031  if (sm == NULL) {
1032  goto error;
1033  }
1034 
1035  for (uint8_t x = 0; x < pd->idx; x++) {
1036  if (DetectFlowvarPostMatchSetup(de_ctx, s, pd->capids[x]) < 0)
1037  goto error_nofree;
1038  }
1039 
1040  if (!(pd->flags & DETECT_PCRE_RELATIVE))
1041  goto okay;
1042 
1043  /* errors below shouldn't free pd */
1044 
1045  SigMatch *prev_pm = DetectGetLastSMByListPtr(s, sm->prev,
1047  if (s->init_data->list == DETECT_SM_LIST_NOTSET && prev_pm == NULL) {
1048  SCLogError("pcre with /R (relative) needs "
1049  "preceding match in the same buffer");
1050  goto error_nofree;
1051  /* null is allowed when we use a sticky buffer */
1052  } else if (prev_pm == NULL) {
1053  goto okay;
1054  }
1055  if (prev_pm->type == DETECT_CONTENT) {
1056  DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
1058  } else if (prev_pm->type == DETECT_PCRE) {
1059  DetectPcreData *tmp = (DetectPcreData *)prev_pm->ctx;
1061  }
1062 
1063  okay:
1064  SCReturnInt(0);
1065  error:
1066  DetectPcreFree(de_ctx, pd);
1067  error_nofree:
1068  SCReturnInt(-1);
1069 }
1070 
1071 static void DetectPcreFree(DetectEngineCtx *de_ctx, void *ptr)
1072 {
1073  if (ptr == NULL)
1074  return;
1075 
1076  DetectPcreData *pd = (DetectPcreData *)ptr;
1079 
1080  for (uint8_t i = 0; i < pd->idx; i++) {
1081  VarNameStoreUnregister(pd->capids[i], pd->captypes[i]);
1082  }
1083  SCFree(pd);
1084 }
1085 
1086 #ifdef UNITTESTS /* UNITTESTS */
1087 #include "detect-engine-alert.h"
1088 static int g_file_data_buffer_id = 0;
1089 static int g_http_header_buffer_id = 0;
1090 static int g_dce_stub_data_buffer_id = 0;
1091 
1092 /**
1093  * \test DetectPcreParseTest01 make sure we don't allow invalid opts 7.
1094  */
1095 static int DetectPcreParseTest01 (void)
1096 {
1097  DetectPcreData *pd = NULL;
1098  const char *teststring = "/blah/7";
1099  int list = DETECT_SM_LIST_NOTSET;
1102  AppProto alproto = ALPROTO_UNKNOWN;
1103 
1104  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1105  FAIL_IF_NOT_NULL(pd);
1106 
1108  PASS;
1109 }
1110 
1111 /**
1112  * \test DetectPcreParseTest02 make sure we don't allow invalid opts Ui$.
1113  */
1114 static int DetectPcreParseTest02 (void)
1115 {
1116  DetectPcreData *pd = NULL;
1117  const char *teststring = "/blah/Ui$";
1118  int list = DETECT_SM_LIST_NOTSET;
1121  AppProto alproto = ALPROTO_UNKNOWN;
1122 
1123  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1124  FAIL_IF_NOT_NULL(pd);
1125  FAIL_IF_NOT(alproto == ALPROTO_HTTP1);
1126 
1128  PASS;
1129 }
1130 
1131 /**
1132  * \test DetectPcreParseTest03 make sure we don't allow invalid opts UZi.
1133  */
1134 static int DetectPcreParseTest03 (void)
1135 {
1136  DetectPcreData *pd = NULL;
1137  const char *teststring = "/blah/UNi";
1138  int list = DETECT_SM_LIST_NOTSET;
1141  AppProto alproto = ALPROTO_UNKNOWN;
1142 
1143  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1144  FAIL_IF_NOT_NULL(pd);
1145 
1147  PASS;
1148 }
1149 
1150 /**
1151  * \test DetectPcreParseTest04 make sure we allow escaped "
1152  */
1153 static int DetectPcreParseTest04 (void)
1154 {
1155  DetectPcreData *pd = NULL;
1156  const char *teststring = "/b\\\"lah/i";
1157  int list = DETECT_SM_LIST_NOTSET;
1160  AppProto alproto = ALPROTO_UNKNOWN;
1161 
1162  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1163  FAIL_IF_NULL(pd);
1164  FAIL_IF_NOT(alproto == ALPROTO_UNKNOWN);
1165 
1166  DetectPcreFree(de_ctx, pd);
1168  PASS;
1169 }
1170 
1171 /**
1172  * \test DetectPcreParseTest05 make sure we parse pcre with no opts
1173  */
1174 static int DetectPcreParseTest05 (void)
1175 {
1176  DetectPcreData *pd = NULL;
1177  const char *teststring = "/b(l|a)h/";
1178  int list = DETECT_SM_LIST_NOTSET;
1181  AppProto alproto = ALPROTO_UNKNOWN;
1182 
1183  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1184  FAIL_IF_NULL(pd);
1185  FAIL_IF_NOT(alproto == ALPROTO_UNKNOWN);
1186 
1187  DetectPcreFree(de_ctx, pd);
1189  PASS;
1190 }
1191 
1192 /**
1193  * \test DetectPcreParseTest06 make sure we parse pcre with smi opts
1194  */
1195 static int DetectPcreParseTest06 (void)
1196 {
1197  DetectPcreData *pd = NULL;
1198  const char *teststring = "/b(l|a)h/smi";
1199  int list = DETECT_SM_LIST_NOTSET;
1202  AppProto alproto = ALPROTO_UNKNOWN;
1203 
1204  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1205  FAIL_IF_NULL(pd);
1206  FAIL_IF_NOT(alproto == ALPROTO_UNKNOWN);
1207 
1208  DetectPcreFree(de_ctx, pd);
1210  PASS;
1211 }
1212 
1213 /**
1214  * \test DetectPcreParseTest07 make sure we parse pcre with /Ui opts
1215  */
1216 static int DetectPcreParseTest07 (void)
1217 {
1218  DetectPcreData *pd = NULL;
1219  const char *teststring = "/blah/Ui";
1220  int list = DETECT_SM_LIST_NOTSET;
1223  AppProto alproto = ALPROTO_UNKNOWN;
1224 
1225  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1226  FAIL_IF_NULL(pd);
1227  FAIL_IF_NOT(alproto == ALPROTO_HTTP1);
1228 
1229  DetectPcreFree(de_ctx, pd);
1231  PASS;
1232 }
1233 
1234 /**
1235  * \test DetectPcreParseTest08 make sure we parse pcre with O opts
1236  */
1237 static int DetectPcreParseTest08 (void)
1238 {
1239  DetectPcreData *pd = NULL;
1240  const char *teststring = "/b(l|a)h/O";
1241  int list = DETECT_SM_LIST_NOTSET;
1244  AppProto alproto = ALPROTO_UNKNOWN;
1245 
1246  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1247  FAIL_IF_NULL(pd);
1248  FAIL_IF_NOT(alproto == ALPROTO_UNKNOWN);
1249 
1250  DetectPcreFree(de_ctx, pd);
1252  PASS;
1253 }
1254 
1255 /**
1256  * \test DetectPcreParseTest09 make sure we parse pcre with a content
1257  * that has slashes
1258  */
1259 static int DetectPcreParseTest09 (void)
1260 {
1261  DetectPcreData *pd = NULL;
1262  const char *teststring = "/lala\\\\/";
1263  int list = DETECT_SM_LIST_NOTSET;
1266  AppProto alproto = ALPROTO_UNKNOWN;
1267 
1268  pd = DetectPcreParse(de_ctx, teststring, &list, NULL, 0, false, &alproto);
1269  FAIL_IF_NULL(pd);
1270 
1271  DetectPcreFree(de_ctx, pd);
1273  PASS;
1274 }
1275 
1276 /**
1277  * \test Test pcre option for dce sig(yeah I'm bored of writing test titles).
1278  */
1279 static int DetectPcreParseTest10(void)
1280 {
1281  Signature *s = SigAlloc();
1282  FAIL_IF_NULL(s);
1285 
1287 
1288  FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0);
1289  FAIL_IF_NOT(DetectBufferGetFirstSigMatch(s, g_dce_stub_data_buffer_id) == NULL);
1291 
1292  SigFree(de_ctx, s);
1293 
1294  s = SigAlloc();
1295  FAIL_IF_NULL(s);
1296 
1297  /* failure since we have no preceding content/pcre/bytejump */
1298  FAIL_IF_NOT(DetectPcreSetup(de_ctx, s, "/bamboo/") == 0);
1299  FAIL_IF_NOT(DetectBufferGetFirstSigMatch(s, g_dce_stub_data_buffer_id) == NULL);
1301 
1302  SigFree(de_ctx, s);
1304 
1305  PASS;
1306 }
1307 
1308 /** \test Check a signature with pcre relative method */
1309 static int DetectPcreParseTest15(void)
1310 {
1313 
1314  de_ctx->flags |= DE_QUIET;
1316  "alert tcp any any -> any any "
1317  "(msg:\"Testing pcre relative http_method\"; "
1318  "content:\"GET\"; "
1319  "http_method; pcre:\"/abc/RM\"; sid:1;)");
1321 
1324  PASS;
1325 }
1326 
1327 
1328 /** \test Check a signature with pcre relative cookie */
1329 static int DetectPcreParseTest16(void)
1330 {
1333 
1334  de_ctx->flags |= DE_QUIET;
1336  "alert tcp any any -> any any "
1337  "(msg:\"Testing pcre relative http_cookie\"; "
1338  "content:\"test\"; "
1339  "http_cookie; pcre:\"/abc/RC\"; sid:1;)");
1341 
1344  PASS;
1345 }
1346 
1347 /** \test Check a signature with pcre relative raw header */
1348 static int DetectPcreParseTest17(void)
1349 {
1352 
1353  de_ctx->flags |= DE_QUIET;
1355  "alert tcp any any -> any any "
1356  "(msg:\"Testing pcre relative http_raw_header\"; "
1357  "flow:to_server; content:\"test\"; "
1358  "http_raw_header; pcre:\"/abc/RD\"; sid:1;)");
1360 
1363  PASS;
1364 }
1365 
1366 /** \test Check a signature with pcre relative header */
1367 static int DetectPcreParseTest18(void)
1368 {
1371 
1372  de_ctx->flags |= DE_QUIET;
1374  "alert tcp any any -> any any "
1375  "(msg:\"Testing pcre relative http_header\"; "
1376  "content:\"test\"; "
1377  "http_header; pcre:\"/abc/RH\"; sid:1;)");
1379 
1382  PASS;
1383 }
1384 
1385 /** \test Check a signature with pcre relative client-body */
1386 static int DetectPcreParseTest19(void)
1387 {
1390 
1391  de_ctx->flags |= DE_QUIET;
1393  "alert tcp any any -> any any "
1394  "(msg:\"Testing pcre relative http_client_body\"; "
1395  "content:\"test\"; "
1396  "http_client_body; pcre:\"/abc/RP\"; sid:1;)");
1398 
1401  PASS;
1402 }
1403 
1404 /** \test Check a signature with pcre relative raw uri */
1405 static int DetectPcreParseTest20(void)
1406 {
1408 
1410 
1411  de_ctx->flags |= DE_QUIET;
1413  "alert tcp any any -> any any "
1414  "(msg:\"Testing http_raw_uri\"; "
1415  "content:\"test\"; "
1416  "http_raw_uri; pcre:\"/abc/RI\"; sid:1;)");
1418 
1421  PASS;
1422 }
1423 
1424 /** \test Check a signature with pcre relative uricontent */
1425 static int DetectPcreParseTest21(void)
1426 {
1428 
1430 
1431  de_ctx->flags |= DE_QUIET;
1433  "alert tcp any any -> any any "
1434  "(msg:\"Testing pcre relative uricontent\"; "
1435  "uricontent:\"test\"; "
1436  "pcre:\"/abc/RU\"; sid:1;)");
1438 
1441  PASS;
1442 }
1443 
1444 /** \test Check a signature with pcre relative http_uri */
1445 static int DetectPcreParseTest22(void)
1446 {
1448 
1450 
1451  de_ctx->flags |= DE_QUIET;
1453  "alert tcp any any -> any any "
1454  "(msg:\"Testing pcre relative http_uri\"; "
1455  "content:\"test\"; "
1456  "http_uri; pcre:\"/abc/RU\"; sid:1;)");
1458 
1461  PASS;
1462 }
1463 
1464 /** \test Check a signature with inconsistent pcre relative */
1465 static int DetectPcreParseTest23(void)
1466 {
1468 
1470 
1471  de_ctx->flags |= DE_QUIET;
1473  "alert tcp any any -> any any "
1474  "(msg:\"Testing inconsistent pcre relative\"; "
1475  "content:\"GET\"; "
1476  "http_cookie; pcre:\"/abc/RM\"; sid:1;)");
1478 
1481  PASS;
1482 }
1483 
1484 /** \test Check a signature with inconsistent pcre modifiers */
1485 static int DetectPcreParseTest24(void)
1486 {
1488 
1490 
1491  de_ctx->flags |= DE_QUIET;
1493  "alert tcp any any -> any any "
1494  "(msg:\"Testing inconsistent pcre modifiers\"; "
1495  "pcre:\"/abc/UI\"; sid:1;)");
1497 
1500  PASS;
1501 }
1502 
1503 /** \test Check a signature with inconsistent pcre modifiers */
1504 static int DetectPcreParseTest25(void)
1505 {
1507 
1509 
1510  de_ctx->flags |= DE_QUIET;
1512  "alert tcp any any -> any any "
1513  "(msg:\"Testing inconsistent pcre modifiers\"; "
1514  "pcre:\"/abc/DH\"; sid:1;)");
1516 
1519  PASS;
1520 }
1521 
1522 /** \test Check a signature with inconsistent pcre modifiers */
1523 static int DetectPcreParseTest26(void)
1524 {
1526 
1528 
1529  de_ctx->flags |= DE_QUIET;
1531  "alert http any any -> any any "
1532  "(msg:\"Testing inconsistent pcre modifiers\"; "
1533  "pcre:\"/abc/F\"; sid:1;)");
1535 
1538  PASS;
1539 }
1540 
1541 /** \test Bug 1098 */
1542 static int DetectPcreParseTest27(void)
1543 {
1545 
1547 
1548  de_ctx->flags |= DE_QUIET;
1549  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 80 "
1550  "(content:\"baduricontent\"; http_raw_uri; "
1551  "pcre:\"/^[a-z]{5}\\.html/R\"; sid:2; rev:2;)");
1553 
1556  PASS;
1557 }
1558 
1559 /** \test Bug 1957 */
1560 static int DetectPcreParseTest28(void)
1561 {
1563 
1565 
1566  de_ctx->flags |= DE_QUIET;
1567  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any 80 "
1568  "(content:\"|2E|suricata\"; http_host; pcre:\"/\\x2Esuricata$/W\"; "
1569  "sid:2; rev:2;)");
1571 
1573  PASS;
1574 }
1575 
1576 static int DetectPcreTestSig01(void)
1577 {
1578  uint8_t *buf = (uint8_t *)"lalala lalala\\ lala\n";
1579  uint16_t buflen = strlen((char *)buf);
1580  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1581 
1582  char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ "
1583  "lalala\\\\/\"; sid:1;)";
1585 
1586  UTHFreePacket(p);
1587  PASS;
1588 }
1589 
1590 /** \test anchored pcre */
1591 static int DetectPcreTestSig02(void)
1592 {
1593  uint8_t *buf = (uint8_t *)"lalala\n";
1594  uint16_t buflen = strlen((char *)buf);
1595  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1596 
1597  char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1598  "pcre:\"/^(la)+$/\"; sid:1;)";
1600 
1601  UTHFreePacket(p);
1602  PASS;
1603 }
1604 
1605 /** \test anchored pcre */
1606 static int DetectPcreTestSig03(void)
1607 {
1608  /* test it also without ending in a newline "\n" */
1609  uint8_t *buf = (uint8_t *)"lalala";
1610  uint16_t buflen = strlen((char *)buf);
1611  Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
1612 
1613  char sig[] = "alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1614  "pcre:\"/^(la)+$/\"; sid:1;)";
1616 
1617  UTHFreePacket(p);
1618  PASS;
1619 }
1620 
1621 /** \test Test tracking of body chunks per transactions (on requests)
1622  */
1623 static int DetectPcreTxBodyChunksTest01(void)
1624 {
1625  Flow f;
1626  TcpSession ssn;
1627  Packet *p = NULL;
1628  uint8_t httpbuf1[] = "GET / HTTP/1.1\r\n";
1629  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1630  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
1631  uint8_t httpbuf4[] = "Body one!!";
1632  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1633  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1634  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1635  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1636  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
1637  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
1638  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1639  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1640  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1641  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
1643 
1644  memset(&f, 0, sizeof(f));
1645  memset(&ssn, 0, sizeof(ssn));
1646 
1647  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1648 
1649  FLOW_INITIALIZE(&f);
1650  f.protoctx = (void *)&ssn;
1651  f.proto = IPPROTO_TCP;
1652  f.flags |= FLOW_IPV4;
1653 
1654  p->flow = &f;
1658  f.alproto = ALPROTO_HTTP1;
1659 
1660  StreamTcpInitConfig(true);
1661 
1663 
1664  int r = AppLayerParserParse(
1665  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER | STREAM_START, httpbuf1, httplen1);
1666  FAIL_IF(r != 0);
1667 
1668  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1669  FAIL_IF(r != 0);
1670 
1671  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1672  FAIL_IF(r != 0);
1673 
1674  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1675  FAIL_IF(r != 0);
1676 
1677  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1678  FAIL_IF(r != 0);
1679 
1680  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1681  FAIL_IF(r != 0);
1682 
1683  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
1684  FAIL_IF(r != 0);
1685 
1686  /* Now we should have 2 transactions, each with it's own list
1687  * of request body chunks (let's test it) */
1688 
1689  HtpState *htp_state = f.alstate;
1690  FAIL_IF(htp_state == NULL);
1691 
1692  /* hardcoded check of the transactions and it's client body chunks */
1693  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
1694 
1695  htp_tx_t *t1 = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, htp_state, 0);
1696  htp_tx_t *t2 = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, htp_state, 1);
1697 
1698  HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(t1);
1699  FAIL_IF(htud == NULL);
1700 
1701  HtpBodyChunk *cur = htud->request_body.first;
1702  FAIL_IF(htud->request_body.first == NULL);
1703 
1704  FAIL_IF(StreamingBufferSegmentCompareRawData(htud->request_body.sb, &cur->sbseg, (uint8_t *)"Body one!!", 10) != 1);
1705 
1706  htud = (HtpTxUserData *) htp_tx_get_user_data(t2);
1707 
1708  cur = htud->request_body.first;
1709  FAIL_IF(htud->request_body.first == NULL);
1710 
1711  FAIL_IF(StreamingBufferSegmentCompareRawData(htud->request_body.sb, &cur->sbseg, (uint8_t *)"Body two!!", 10) != 1);
1712 
1714  StreamTcpFreeConfig(true);
1715  FLOW_DESTROY(&f);
1716  UTHFreePacket(p);
1717  PASS;
1718 }
1719 
1720 /** \test test pcre P modifier with multiple pipelined http transactions */
1721 static int DetectPcreTxBodyChunksTest02(void)
1722 {
1723  Signature *s = NULL;
1724  DetectEngineThreadCtx *det_ctx = NULL;
1725  ThreadVars th_v;
1726  Flow f;
1727  TcpSession ssn;
1728  Packet *p = NULL;
1729  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1730  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1731  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
1732  uint8_t httpbuf4[] = "Body one!!";
1733  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1734  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1735  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1736  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1737  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
1738  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
1739  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1740  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1741  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1742  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
1744 
1745  memset(&th_v, 0, sizeof(th_v));
1747  memset(&f, 0, sizeof(f));
1748  memset(&ssn, 0, sizeof(ssn));
1749 
1750  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1751 
1752  FLOW_INITIALIZE(&f);
1753  f.protoctx = (void *)&ssn;
1754  f.proto = IPPROTO_TCP;
1755  f.flags |= FLOW_IPV4;
1756 
1757  p->flow = &f;
1761  f.alproto = ALPROTO_HTTP1;
1762 
1763  StreamTcpInitConfig(true);
1764 
1766  FAIL_IF(de_ctx == NULL);
1767 
1768  de_ctx->flags |= DE_QUIET;
1769 
1770  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1771  FAIL_IF(s == NULL);
1772  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
1773  FAIL_IF(s == NULL);
1774 
1776  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1777 
1778  int r = AppLayerParserParse(
1779  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1780  FAIL_IF(r != 0);
1781 
1782  /* do detect */
1783  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1784  FAIL_IF(PacketAlertCheck(p, 1));
1785  p->alerts.cnt = 0;
1786 
1787  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1788  FAIL_IF(r != 0);
1789 
1790  /* do detect */
1791  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1792  FAIL_IF(PacketAlertCheck(p, 1));
1793  p->alerts.cnt = 0;
1794 
1795  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1796  FAIL_IF(r != 0);
1797 
1798  /* do detect */
1799  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1800  FAIL_IF(PacketAlertCheck(p, 1));
1801  p->alerts.cnt = 0;
1802 
1803  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1804  FAIL_IF(r != 0);
1805 
1806  /* do detect */
1807  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1808  FAIL_IF(!(PacketAlertCheck(p, 1)));
1809  p->alerts.cnt = 0;
1810 
1811  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1812  FAIL_IF(r != 0);
1813 
1814  /* do detect */
1815  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1816  FAIL_IF(PacketAlertCheck(p, 1));
1817  p->alerts.cnt = 0;
1818 
1819  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1820  FAIL_IF(r != 0);
1821 
1822  /* do detect */
1823  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1824  FAIL_IF((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2)));
1825  p->alerts.cnt = 0;
1826 
1827  SCLogDebug("sending data chunk 7");
1828 
1829  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
1830  FAIL_IF(r != 0);
1831 
1832  /* do detect */
1833  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1834  FAIL_IF(!(PacketAlertCheck(p, 2)));
1835  p->alerts.cnt = 0;
1836 
1837  HtpState *htp_state = f.alstate;
1838  FAIL_IF(htp_state == NULL);
1839 
1840  /* hardcoded check of the transactions and it's client body chunks */
1841  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
1842 
1843  htp_tx_t *t1 = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, htp_state, 0);
1844  htp_tx_t *t2 = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP1, htp_state, 1);
1845 
1846  HtpTxUserData *htud = (HtpTxUserData *) htp_tx_get_user_data(t1);
1847 
1848  HtpBodyChunk *cur = htud->request_body.first;
1849  FAIL_IF(htud->request_body.first == NULL);
1850 
1851  FAIL_IF(StreamingBufferSegmentCompareRawData(htud->request_body.sb, &cur->sbseg, (uint8_t *)"Body one!!", 10) != 1);
1852 
1853  htud = (HtpTxUserData *) htp_tx_get_user_data(t2);
1854 
1855  cur = htud->request_body.first;
1856  FAIL_IF(htud->request_body.first == NULL);
1857 
1858  FAIL_IF(StreamingBufferSegmentCompareRawData(htud->request_body.sb, &cur->sbseg, (uint8_t *)"Body two!!", 10) != 1);
1859 
1860  UTHFreePacket(p);
1861  FLOW_DESTROY(&f);
1863  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1865  StreamTcpFreeConfig(true);
1867  PASS;
1868 }
1869 
1870 /** \test multiple http transactions and body chunks of request handling */
1871 static int DetectPcreTxBodyChunksTest03(void)
1872 {
1873  Signature *s = NULL;
1874  DetectEngineThreadCtx *det_ctx = NULL;
1875  ThreadVars th_v;
1876  Flow f;
1877  TcpSession ssn;
1878  Packet *p = NULL;
1879  uint8_t httpbuf1[] = "POST / HTTP/1.1\r\n";
1880  uint8_t httpbuf2[] = "User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1881  uint8_t httpbuf3[] = "Cookie: dummy\r\n\r\n";
1882  uint8_t httpbuf4[] = "Body one!!";
1883  uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
1884  uint32_t httplen2 = sizeof(httpbuf2) - 1; /* minus the \0 */
1885  uint32_t httplen3 = sizeof(httpbuf3) - 1; /* minus the \0 */
1886  uint32_t httplen4 = sizeof(httpbuf4) - 1; /* minus the \0 */
1887  uint8_t httpbuf5[] = "GET /?var=val HTTP/1.1\r\n";
1888  uint8_t httpbuf6[] = "User-Agent: Firefox/1.0\r\n";
1889  uint8_t httpbuf7[] = "Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1890  uint32_t httplen5 = sizeof(httpbuf5) - 1; /* minus the \0 */
1891  uint32_t httplen6 = sizeof(httpbuf6) - 1; /* minus the \0 */
1892  uint32_t httplen7 = sizeof(httpbuf7) - 1; /* minus the \0 */
1894 
1895  memset(&th_v, 0, sizeof(th_v));
1897  memset(&f, 0, sizeof(f));
1898  memset(&ssn, 0, sizeof(ssn));
1899 
1900  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
1901 
1902  FLOW_INITIALIZE(&f);
1903  f.protoctx = (void *)&ssn;
1904  f.proto = IPPROTO_TCP;
1905  f.flags |= FLOW_IPV4;
1906 
1907  p->flow = &f;
1911  f.alproto = ALPROTO_HTTP1;
1912 
1913  StreamTcpInitConfig(true);
1914 
1916  FAIL_IF(de_ctx == NULL);
1917 
1918  de_ctx->flags |= DE_QUIET;
1919 
1920  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1921  FAIL_IF(s == NULL);
1922  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
1923  FAIL_IF(s == NULL);
1924 
1926  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1927 
1928  int r = AppLayerParserParse(
1929  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf1, httplen1);
1930  FAIL_IF(r != 0);
1931 
1932  /* do detect */
1933  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1934  FAIL_IF(PacketAlertCheck(p, 1));
1935  p->alerts.cnt = 0;
1936 
1937  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf2, httplen2);
1938  FAIL_IF(r != 0);
1939 
1940  /* do detect */
1941  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1942  FAIL_IF(PacketAlertCheck(p, 1));
1943  p->alerts.cnt = 0;
1944 
1945  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf3, httplen3);
1946  FAIL_IF(r != 0);
1947 
1948  /* do detect */
1949  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1950  FAIL_IF(PacketAlertCheck(p, 1));
1951  p->alerts.cnt = 0;
1952 
1953  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf4, httplen4);
1954  FAIL_IF(r != 0);
1955 
1956  /* do detect */
1957  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1958  FAIL_IF(!(PacketAlertCheck(p, 1)));
1959  p->alerts.cnt = 0;
1960 
1961  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf5, httplen5);
1962  FAIL_IF(r != 0);
1963 
1964  /* do detect */
1965  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1966  FAIL_IF(PacketAlertCheck(p, 1));
1967  p->alerts.cnt = 0;
1968 
1969  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf6, httplen6);
1970  FAIL_IF(r != 0);
1971 
1972  /* do detect */
1973  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1974  FAIL_IF((PacketAlertCheck(p, 1)) || (PacketAlertCheck(p, 2)));
1975  p->alerts.cnt = 0;
1976 
1977  SCLogDebug("sending data chunk 7");
1978 
1979  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, httpbuf7, httplen7);
1980  FAIL_IF(r != 0);
1981 
1982  /* do detect */
1983  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1984  FAIL_IF(!(PacketAlertCheck(p, 2)));
1985  p->alerts.cnt = 0;
1986 
1987  HtpState *htp_state = f.alstate;
1988  FAIL_IF(htp_state == NULL);
1989 
1990  FAIL_IF(AppLayerParserGetTxCnt(&f, htp_state) != 2);
1991 
1992  UTHFreePacket(p);
1993  FLOW_DESTROY(&f);
1995  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1997 
1998  StreamTcpFreeConfig(true);
2000  PASS;
2001 }
2002 
2003 /**
2004  * \brief Test parsing of pcre's with the W modifier set.
2005  */
2006 static int DetectPcreParseHttpHost(void)
2007 {
2008  AppProto alproto = ALPROTO_UNKNOWN;
2009  int list = DETECT_SM_LIST_NOTSET;
2011 
2012  FAIL_IF(de_ctx == NULL);
2013 
2014  DetectPcreData *pd = DetectPcreParse(de_ctx, "/domain\\.com/W", &list, NULL, 0, false, &alproto);
2015  FAIL_IF(pd == NULL);
2016  DetectPcreFree(de_ctx, pd);
2017 
2018  list = DETECT_SM_LIST_NOTSET;
2019  pd = DetectPcreParse(de_ctx, "/dOmain\\.com/W", &list, NULL, 0, false, &alproto);
2020  FAIL_IF(pd != NULL);
2021 
2022  /* Uppercase meta characters are valid. */
2023  list = DETECT_SM_LIST_NOTSET;
2024  pd = DetectPcreParse(de_ctx, "/domain\\D+\\.com/W", &list, NULL, 0, false, &alproto);
2025  FAIL_IF(pd == NULL);
2026  DetectPcreFree(de_ctx, pd);
2027 
2028  /* This should not parse as the first \ escapes the second \, then
2029  * we have a D. */
2030  list = DETECT_SM_LIST_NOTSET;
2031  pd = DetectPcreParse(de_ctx, "/\\\\Ddomain\\.com/W", &list, NULL, 0, false, &alproto);
2032  FAIL_IF(pd != NULL);
2033 
2035  PASS;
2036 }
2037 
2038 /**
2039  * \brief Test parsing of capture extension
2040  */
2041 static int DetectPcreParseCaptureTest(void)
2042 {
2044  FAIL_IF(de_ctx == NULL);
2045 
2046  Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
2047  "(content:\"Server: \"; http_header; pcre:\"/(.*)\\r\\n/HR, flow:somecapture\"; content:\"xyz\"; http_header; sid:1;)");
2048  FAIL_IF(s == NULL);
2049  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
2050  "(content:\"Server: \"; http_header; pcre:\"/(flow:.*)\\r\\n/HR\"; content:\"xyz\"; http_header; sid:2;)");
2051  FAIL_IF(s == NULL);
2052  s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any "
2053  "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)([0-9]+)\\r\\n/HR, flow:somecapture, pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2054  FAIL_IF(s == NULL);
2056  "alert http any any -> any any "
2057  "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)\\r\\n/HR, flow:somecapture, "
2058  "pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2059  FAIL_IF_NOT_NULL(s);
2060 
2062 
2063  uint32_t capid1 = VarNameStoreLookupByName("somecapture", VAR_TYPE_FLOW_VAR);
2064  FAIL_IF(capid1 == 0);
2065  uint32_t capid2 = VarNameStoreLookupByName("anothercap", VAR_TYPE_PKT_VAR);
2066  FAIL_IF(capid2 == 0);
2067  FAIL_IF(capid1 == capid2);
2068 
2070  PASS;
2071 }
2072 
2073 /**
2074  * \brief this function registers unit tests for DetectPcre
2075  */
2076 static void DetectPcreRegisterTests(void)
2077 {
2078  g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
2079  g_http_header_buffer_id = DetectBufferTypeGetByName("http_header");
2080  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
2081 
2082  UtRegisterTest("DetectPcreParseTest01", DetectPcreParseTest01);
2083  UtRegisterTest("DetectPcreParseTest02", DetectPcreParseTest02);
2084  UtRegisterTest("DetectPcreParseTest03", DetectPcreParseTest03);
2085  UtRegisterTest("DetectPcreParseTest04", DetectPcreParseTest04);
2086  UtRegisterTest("DetectPcreParseTest05", DetectPcreParseTest05);
2087  UtRegisterTest("DetectPcreParseTest06", DetectPcreParseTest06);
2088  UtRegisterTest("DetectPcreParseTest07", DetectPcreParseTest07);
2089  UtRegisterTest("DetectPcreParseTest08", DetectPcreParseTest08);
2090  UtRegisterTest("DetectPcreParseTest09", DetectPcreParseTest09);
2091  UtRegisterTest("DetectPcreParseTest10", DetectPcreParseTest10);
2092  UtRegisterTest("DetectPcreParseTest15", DetectPcreParseTest15);
2093  UtRegisterTest("DetectPcreParseTest16", DetectPcreParseTest16);
2094  UtRegisterTest("DetectPcreParseTest17", DetectPcreParseTest17);
2095  UtRegisterTest("DetectPcreParseTest18", DetectPcreParseTest18);
2096  UtRegisterTest("DetectPcreParseTest19", DetectPcreParseTest19);
2097  UtRegisterTest("DetectPcreParseTest20", DetectPcreParseTest20);
2098  UtRegisterTest("DetectPcreParseTest21", DetectPcreParseTest21);
2099  UtRegisterTest("DetectPcreParseTest22", DetectPcreParseTest22);
2100  UtRegisterTest("DetectPcreParseTest23", DetectPcreParseTest23);
2101  UtRegisterTest("DetectPcreParseTest24", DetectPcreParseTest24);
2102  UtRegisterTest("DetectPcreParseTest25", DetectPcreParseTest25);
2103  UtRegisterTest("DetectPcreParseTest26", DetectPcreParseTest26);
2104  UtRegisterTest("DetectPcreParseTest27", DetectPcreParseTest27);
2105  UtRegisterTest("DetectPcreParseTest28", DetectPcreParseTest28);
2106 
2107  UtRegisterTest("DetectPcreTestSig01", DetectPcreTestSig01);
2108  UtRegisterTest("DetectPcreTestSig02 -- anchored pcre", DetectPcreTestSig02);
2109  UtRegisterTest("DetectPcreTestSig03 -- anchored pcre", DetectPcreTestSig03);
2110 
2111  UtRegisterTest("DetectPcreTxBodyChunksTest01",
2112  DetectPcreTxBodyChunksTest01);
2113  UtRegisterTest("DetectPcreTxBodyChunksTest02 -- modifier P, body chunks per tx",
2114  DetectPcreTxBodyChunksTest02);
2115  UtRegisterTest("DetectPcreTxBodyChunksTest03 -- modifier P, body chunks per tx",
2116  DetectPcreTxBodyChunksTest03);
2117 
2118  UtRegisterTest("DetectPcreParseHttpHost", DetectPcreParseHttpHost);
2119  UtRegisterTest("DetectPcreParseCaptureTest", DetectPcreParseCaptureTest);
2120 }
2121 #endif /* UNITTESTS */
DETECT_PCRE_CASELESS
#define DETECT_PCRE_CASELESS
Definition: detect-pcre.h:32
SigTableElmt_::url
const char * url
Definition: detect.h:1512
SC_MATCH_LIMIT_DEFAULT
#define SC_MATCH_LIMIT_DEFAULT
Definition: detect-pcre.h:44
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition: detect-content.h:66
SigMatch_::prev
struct SigMatch_ * prev
Definition: detect.h:361
detect-content.h
DetectPcreData_::idx
uint8_t idx
Definition: detect-pcre.h:53
len
uint8_t len
Definition: app-layer-dnp3.h:2
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition: detect.h:1315
DetectFlowvarPostMatchSetup
int DetectFlowvarPostMatchSetup(DetectEngineCtx *de_ctx, Signature *s, uint32_t idx)
Setup a post-match for flowvar storage We're piggyback riding the DetectFlowvarData struct.
Definition: detect-flowvar.c:259
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:649
SigTableElmt_::desc
const char * desc
Definition: detect.h:1511
Flow_::flags
uint64_t flags
Definition: flow.h:403
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1310
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1496
flow-util.h
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition: detect-engine-buffer.c:157
DetectPcrePayloadMatch
int DetectPcrePayloadMatch(DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *payload, uint32_t payload_len)
Match a regex on a single payload.
Definition: detect-pcre.c:223
DetectParseRegex
Definition: detect-parse.h:94
SigTableElmt_::name
const char * name
Definition: detect.h:1509
stream-tcp.h
HtpBody_::sb
StreamingBuffer * sb
Definition: app-layer-htp.h:135
SigFree
void SigFree(DetectEngineCtx *, Signature *)
Definition: detect-parse.c:2131
DetectThreadCtxGetKeywordThreadCtx
void * DetectThreadCtxGetKeywordThreadCtx(DetectEngineThreadCtx *det_ctx, int id)
Retrieve thread local keyword ctx by id.
Definition: detect-engine.c:3878
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:76
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1500
DetectParseRegex::context
pcre2_match_context * context
Definition: detect-parse.h:96
Signature_::alproto
AppProto alproto
Definition: detect.h:680
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
Flow_::proto
uint8_t proto
Definition: flow.h:376
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:87
PacketAlerts_::cnt
uint16_t cnt
Definition: decode.h:288
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:144
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:368
Packet_::flags
uint32_t flags
Definition: decode.h:561
SIGMATCH_QUOTES_OPTIONAL
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect-engine-register.h:316
Flow_
Flow data structure.
Definition: flow.h:354
DetectSetupPCRE2
DetectParseRegex * DetectSetupPCRE2(const char *parse_str, int opts)
Definition: detect-parse.c:3730
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-pcre.c:67
ctx
struct Thresholds ctx
th_v
ThreadVars * th_v
Definition: fuzz_iprep.c:20
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:973
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2759
HtpTxUserData_::request_body
HtpBody request_body
Definition: app-layer-htp.h:166
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:231
util-var-name.h
MIN
#define MIN(x, y)
Definition: suricata-common.h:416
DetectParseRegex::regex
pcre2_code * regex
Definition: detect-parse.h:95
DetectPcreData_::parse_regex
DetectParseRegex parse_regex
Definition: detect-pcre.h:49
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHPacketMatchSig
int UTHPacketMatchSig(Packet *p, const char *sig)
Definition: util-unittest-helper.c:835
DetectGetLastSMByListPtr
SigMatch * DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list,...)
Returns the sm with the largest index (added last) from the list passed to us as a pointer.
Definition: detect-parse.c:625
stream-tcp-reassemble.h
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:243
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2971
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:3654
DetectContentData_
Definition: detect-content.h:93
p
Packet * p
Definition: fuzz_iprep.c:21
DetectPcreData_::flags
uint16_t flags
Definition: detect-pcre.h:52
VarNameStoreRegister
uint32_t VarNameStoreRegister(const char *name, const enum VarTypes type)
Definition: util-var-name.c:156
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:56
DETECT_PCRE_CAPTURE_MAX
#define DETECT_PCRE_CAPTURE_MAX
Definition: detect-pcre.h:38
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition: detect-parse.c:2306
DETECT_VAR_TYPE_PKT_POSTMATCH
#define DETECT_VAR_TYPE_PKT_POSTMATCH
Definition: detect.h:831
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3600
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:546
StreamingBufferSegmentCompareRawData
int StreamingBufferSegmentCompareRawData(const StreamingBuffer *sb, const StreamingBufferSegment *seg, const uint8_t *rawdata, uint32_t rawdata_len)
Definition: util-streaming-buffer.c:1794
Flow_::protoctx
void * protoctx
Definition: flow.h:433
SigMatchData_
Data needed for Match()
Definition: detect.h:365
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1491
detect-pcre.h
PARSE_CAPTURE_REGEX
#define PARSE_CAPTURE_REGEX
Definition: detect-pcre.c:66
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
Packet_::alerts
PacketAlerts alerts
Definition: decode.h:636
SIG_JSON_CONTENT_ITEM_LEN
#define SIG_JSON_CONTENT_ITEM_LEN
Definition: detect.h:1279
util-unittest.h
HtpBody_::first
HtpBodyChunk * first
Definition: app-layer-htp.h:132
HtpState_
Definition: app-layer-htp.h:183
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1383
VAR_TYPE_PKT_VAR_KV
@ VAR_TYPE_PKT_VAR_KV
Definition: util-var.h:34
detect-flowvar.h
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
DetectPcreData_::capids
uint32_t capids[DETECT_PCRE_CAPTURE_MAX]
Definition: detect-pcre.h:55
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:498
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
app-layer-htp.h
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:327
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
DETECT_PCRE_RAWBYTES
#define DETECT_PCRE_RAWBYTES
Definition: detect-pcre.h:31
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
DetectEngineThreadCtx_
Definition: detect.h:1291
DetectEngineBufferTypeGetDescriptionById
const char * DetectEngineBufferTypeGetDescriptionById(const DetectEngineCtx *de_ctx, const int id)
Definition: detect-engine.c:1491
SCConfGetInt
int SCConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:441
AppLayerHtpEnableRequestBodyCallback
void AppLayerHtpEnableRequestBodyCallback(void)
Sets a flag that informs the HTP app layer that some module in the engine needs the http request body...
Definition: app-layer-htp.c:546
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:24
SignatureInitData_::list
int list
Definition: detect.h:632
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:284
detect-engine-mpm.h
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:387
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectPcreData_::thread_ctx_id
int thread_ctx_id
Definition: detect-pcre.h:50
pkt-var.h
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3505
VarNameStoreUnregister
void VarNameStoreUnregister(const uint32_t id, const enum VarTypes type)
Definition: util-var-name.c:205
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:262
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3253
VAR_TYPE_ALERT_VAR
@ VAR_TYPE_ALERT_VAR
Definition: util-var.h:50
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:359
SC_MATCH_LIMIT_RECURSION_DEFAULT
#define SC_MATCH_LIMIT_RECURSION_DEFAULT
Definition: detect-pcre.h:45
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
stream.h
Packet_
Definition: decode.h:515
detect-engine-build.h
stream-tcp-private.h
detect-engine-alert.h
conf.h
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:104
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:754
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
SignatureInitData_::negated
bool negated
Definition: detect.h:601
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1471
PageSupportsRWX
#define PageSupportsRWX()
Definition: util-pages.h:37
util-pages.h
DetectEngineThreadCtxGetJsonContext
int DetectEngineThreadCtxGetJsonContext(DetectEngineThreadCtx *det_ctx)
Definition: detect-engine.c:5263
DETECT_PCRE_HAS_UNICODE_CLUSTER
#define DETECT_PCRE_HAS_UNICODE_CLUSTER
Definition: detect-pcre.h:36
SCLogInfo
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:232
DETECT_PCRE
@ DETECT_PCRE
Definition: detect-engine-register.h:78
DETECT_VAR_TYPE_FLOW_POSTMATCH
#define DETECT_VAR_TYPE_FLOW_POSTMATCH
Definition: detect.h:830
AppLayerParserGetTx
void * AppLayerParserGetTx(uint8_t ipproto, AppProto alproto, void *alstate, uint64_t tx_id)
Definition: app-layer-parser.c:1124
DetectPcreData_::captypes
uint8_t captypes[DETECT_PCRE_CAPTURE_MAX]
Definition: detect-pcre.h:54
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2295
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1333
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:351
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition: detect.h:144
DetectVarStoreMatchKeyValue
int DetectVarStoreMatchKeyValue(DetectEngineThreadCtx *det_ctx, uint8_t *key, uint16_t key_len, uint8_t *buffer, uint16_t len, uint16_t type)
Store flowvar in det_ctx so we can exec it post-match.
Definition: detect-flowvar.c:205
Packet_::flow
struct Flow_ * flow
Definition: decode.h:563
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectEngineCtx_::rule_file
const char * rule_file
Definition: detect.h:1071
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:866
DetectRegisterThreadCtxFuncs
int DetectRegisterThreadCtxFuncs(DetectEngineCtx *de_ctx, const char *name, void *(*InitFunc)(void *), void *data, void(*FreeFunc)(void *), int mode)
Register Thread keyword context Funcs.
Definition: detect-engine.c:3808
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1306
suricata-common.h
VarNameStoreLookupById
const char * VarNameStoreLookupById(const uint32_t id, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:307
SigMatch_::type
uint16_t type
Definition: detect.h:357
HtpBodyChunk_
Definition: app-layer-htp.h:123
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3750
detect-engine-buffer.h
FatalError
#define FatalError(...)
Definition: util-debug.h:517
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:982
HtpTxUserData_
Definition: app-layer-htp.h:153
detect-engine-sigorder.h
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
SCLogConfig
struct SCLogConfig_ SCLogConfig
Holds the config state used by the logging api.
DetectEngineThreadCtx_::pcre_match_start_offset
uint32_t pcre_match_start_offset
Definition: detect.h:1319
DetectEngineThreadCtx_::json_content
SigJsonContent * json_content
Definition: detect.h:1328
str
#define str(s)
Definition: suricata-common.h:316
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:274
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:472
Flow_::alstate
void * alstate
Definition: flow.h:479
detect-parse.h
Signature_
Signature container.
Definition: detect.h:675
SigMatch_
a single match condition for a signature
Definition: detect.h:356
payload_len
uint16_t payload_len
Definition: stream-tcp-private.h:1
VAR_TYPE_FLOW_VAR
@ VAR_TYPE_FLOW_VAR
Definition: util-var.h:39
ALPROTO_UNKNOWN
@ ALPROTO_UNKNOWN
Definition: app-layer-protos.h:29
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:233
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2720
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition: detect-pcre.h:34
app-layer-protos.h
SIGMATCH_SUPPORT_FIREWALL
#define SIGMATCH_SUPPORT_FIREWALL
Definition: detect-engine-register.h:334
DetectPcreData_
Definition: detect-pcre.h:48
DetectEngineThreadCtx_::json_content_len
uint8_t json_content_len
Definition: detect.h:1330
DetectParseFreeRegex
void DetectParseFreeRegex(DetectParseRegex *r)
Definition: detect-parse.c:3664
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:975
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
DETECT_PCRE_RELATIVE
#define DETECT_PCRE_RELATIVE
Definition: detect-pcre.h:29
SigAlloc
Signature * SigAlloc(void)
Definition: detect-parse.c:2011
DetectUnregisterThreadCtxFuncs
int DetectUnregisterThreadCtxFuncs(DetectEngineCtx *de_ctx, void *data, const char *name)
Remove Thread keyword context registration.
Definition: detect-engine.c:3860
DetectEngineCtx_::rule_line
int rule_line
Definition: detect.h:1070
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
util-pool.h
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:288
DETECT_PCRE_NEGATE
#define DETECT_PCRE_NEGATE
Definition: detect-pcre.h:35
DetectBufferGetActiveList
int DetectBufferGetActiveList(DetectEngineCtx *de_ctx, Signature *s)
Definition: detect-engine-buffer.c:109
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1429
flow-var.h
AppLayerParserGetTxCnt
uint64_t AppLayerParserGetTxCnt(const Flow *f, void *alstate)
Definition: app-layer-parser.c:1117
HtpBodyChunk_::sbseg
StreamingBufferSegment sbseg
Definition: app-layer-htp.h:126
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect-engine-register.h:324
DetectPcreRegister
void DetectPcreRegister(void)
Definition: detect-pcre.c:97
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:109
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
SigJsonContent::json_content
char json_content[SIG_JSON_CONTENT_ITEM_LEN]
Definition: detect.h:1285
SigJsonContent::id
void * id
Definition: detect.h:1284
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1306
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1498
app-layer.h
DetectVarStoreMatch
int DetectVarStoreMatch(DetectEngineThreadCtx *det_ctx, uint32_t idx, uint8_t *buffer, uint16_t len, uint16_t type)
Store flowvar in det_ctx so we can exec it post-match.
Definition: detect-flowvar.c:224