65 #define PARSE_CAPTURE_REGEX "\\(\\?P\\<([A-z]+)\\_([A-z0-9_]+)\\>"
66 #define PARSE_REGEX "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"
68 static int pcre_match_limit = 0;
69 static int pcre_match_limit_recursion = 0;
75 static int pcre2_use_jit = 1;
83 const char *
str,
const size_t strlen,
int start_offset,
int options,
84 pcre2_match_data *match)
93 static void DetectPcreRegisterTests(
void);
113 SCLogDebug(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
116 pcre_match_limit = val;
118 SCLogInfo(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
120 SCLogDebug(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
126 if (!
ConfGetInt(
"pcre.match-limit-recursion", &val)) {
128 SCLogDebug(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
131 pcre_match_limit_recursion = val;
133 SCLogInfo(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
135 SCLogDebug(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
140 if (parse_regex == NULL) {
141 FatalError(
"pcre2 compile failed for parse_regex");
147 if (parse_capture_regex == NULL) {
148 FatalError(
"pcre2 compile failed for parse_capture_regex");
151 #ifdef PCRE2_HAVE_JIT
153 SCLogConfig(
"PCRE2 won't use JIT as OS doesn't allow RWX pages");
181 const uint8_t *ptr = NULL;
183 PCRE2_SIZE capture_len = 0;
195 int start_offset = 0;
201 pcre2_match_data *match =
204 ret = DetectPcreExec(det_ctx, pe, (
char *)ptr,
len, start_offset, 0, match);
207 if (ret == PCRE2_ERROR_NOMATCH) {
215 }
else if (ret >= 0) {
227 if (ret > 1 && pe->
idx != 0) {
229 for (x = 0; x < pe->
idx; x++) {
231 const char *pcre2_str_ptr = NULL;
232 ret = pcre2_substring_get_bynumber(
233 match, x + 1, (PCRE2_UCHAR8 **)&pcre2_str_ptr, &capture_len);
235 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
239 capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
240 uint8_t *str_ptr =
SCMalloc(capture_len);
242 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
245 memcpy(str_ptr, pcre2_str_ptr, capture_len);
246 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
253 const char *pcre2_str_ptr2 = NULL;
255 uint16_t key_len = (capture_len < 0xff) ? (uint16_t)capture_len : 0xff;
256 int ret2 = pcre2_substring_get_bynumber(
257 match, x + 2, (PCRE2_UCHAR8 **)&pcre2_str_ptr2, &capture_len);
261 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
264 capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
265 uint8_t *str_ptr2 =
SCMalloc(capture_len);
268 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
271 memcpy(str_ptr2, pcre2_str_ptr2, capture_len);
272 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
275 (uint8_t *)str_ptr2, (uint16_t)capture_len,
292 PCRE2_SIZE *ov = pcre2_get_ovector_pointer(match);
307 static int DetectPcreSetList(
int list,
int set)
310 SCLogError(
"only one pcre option to specify a buffer type is allowed");
316 static int DetectPcreHasUpperCase(
const char *re)
318 size_t len = strlen(re);
319 bool is_meta =
false;
320 bool is_meta_hex =
false;
321 int meta_hex_cnt = 0;
323 for (
size_t i = 0; i <
len; i++) {
327 if (meta_hex_cnt == 2) {
331 }
else if (is_meta) {
338 else if (re[i] ==
'\\') {
341 else if (isupper((
unsigned char)re[i])) {
350 const char *regexstr,
int *sm_list,
char *capture_names,
351 size_t capture_names_size,
bool negate,
AppProto *alproto)
353 pcre2_match_data *match = NULL;
359 int ret = 0, res = 0;
360 int check_host_header = 0;
361 char op_str[64] =
"";
363 bool apply_match_limit =
false;
366 char *fcap = strstr(regexstr,
"flow:");
367 char *pcap = strstr(regexstr,
"pkt:");
370 size_t slen = strlen(regexstr) + 1;
375 cut_capture = fcap - regexstr;
376 else if (pcap && !fcap)
377 cut_capture = pcap - regexstr;
381 cut_capture =
MIN((pcap - regexstr), (fcap - regexstr));
386 if (cut_capture > 1) {
387 int offset = cut_capture - 1;
390 if (regexstr[
offset] ==
',' || regexstr[
offset] ==
' ') {
397 if (cut_capture == (
offset + 1)) {
398 SCLogDebug(
"missing separators, assume it's part of the regex");
401 strlcpy(capture_names, regexstr+cut_capture, capture_names_size);
402 if (capture_names[strlen(capture_names)-1] ==
'"')
403 capture_names[strlen(capture_names)-1] =
'\0';
410 match = pcre2_match_data_create_from_pattern(parse_regex->
regex, NULL);
415 ret = pcre2_match(parse_regex->
regex, (PCRE2_SPTR8)regexstr, slen, 0, 0, match, NULL);
421 res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)re, &slen);
423 SCLogError(
"pcre2_substring_copy_bynumber failed");
424 pcre2_match_data_free(match);
429 size_t copylen =
sizeof(op_str);
430 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)op_str, ©len);
432 SCLogError(
"pcre2_substring_copy_bynumber failed");
433 pcre2_match_data_free(match);
453 opts |= PCRE2_ANCHORED;
456 opts |= PCRE2_DOLLAR_ENDONLY;
459 opts |= PCRE2_UNGREEDY;
463 opts |= PCRE2_CASELESS;
467 opts |= PCRE2_MULTILINE;
470 opts |= PCRE2_DOTALL;
473 opts |= PCRE2_EXTENDED;
477 apply_match_limit =
true;
482 SCLogError(
"regex modifier 'B' inconsistent with chosen buffer");
495 SCLogError(
"regex modifier 'U' inconsistent with 'B'");
499 *sm_list = DetectPcreSetList(*sm_list, list);
505 SCLogError(
"regex modifier 'V' inconsistent with 'B'");
509 *sm_list = DetectPcreSetList(*sm_list, list);
515 SCLogError(
"regex modifier 'W' inconsistent with 'B'");
519 *sm_list = DetectPcreSetList(*sm_list, list);
521 check_host_header = 1;
526 SCLogError(
"regex modifier 'Z' inconsistent with 'B'");
530 *sm_list = DetectPcreSetList(*sm_list, list);
536 SCLogError(
"regex modifier 'H' inconsistent with 'B'");
540 *sm_list = DetectPcreSetList(*sm_list, list);
545 SCLogError(
"regex modifier 'I' inconsistent with 'B'");
549 *sm_list = DetectPcreSetList(*sm_list, list);
555 *sm_list = DetectPcreSetList(*sm_list, list);
561 SCLogError(
"regex modifier 'M' inconsistent with 'B'");
565 *sm_list = DetectPcreSetList(*sm_list, list);
571 SCLogError(
"regex modifier 'C' inconsistent with 'B'");
575 *sm_list = DetectPcreSetList(*sm_list, list);
582 *sm_list = DetectPcreSetList(*sm_list, list);
589 *sm_list = DetectPcreSetList(*sm_list, list);
596 *sm_list = DetectPcreSetList(*sm_list, list);
603 *sm_list = DetectPcreSetList(*sm_list, list);
608 SCLogError(
"unknown regex modifier '%c'", *op);
620 if (check_host_header) {
623 "specified along with \"i(caseless)\" modifier. "
624 "Since the hostname buffer we match against "
625 "is actually lowercase, having a "
626 "nocase is redundant.");
628 else if (DetectPcreHasUpperCase(re)) {
630 "specified has an uppercase char. "
631 "Since the hostname buffer we match against "
632 "is actually lowercase, please specify an "
633 "all lowercase based pcre.");
643 if (capture_names == NULL || strlen(capture_names) == 0)
644 opts |= PCRE2_NO_AUTO_CAPTURE;
647 pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
649 opts &= ~PCRE2_NO_AUTO_CAPTURE;
651 pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
654 PCRE2_UCHAR errbuffer[256];
655 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
656 SCLogError(
"pcre2 compile of \"%s\" failed at "
658 regexstr, (
int)eo2, errbuffer);
662 #ifdef PCRE2_HAVE_JIT
669 SCLogDebug(
"PCRE2 JIT compiler does not support: %s. "
670 "Falling back to regular PCRE2 handling (%s:%d)",
678 SCLogError(
"pcre2 could not create match context");
682 if (apply_match_limit) {
683 if (pcre_match_limit >= -1) {
686 if (pcre_match_limit_recursion >= -1) {
695 pcre2_match_data_free(match);
699 pcre2_match_data_free(match);
700 DetectPcreFree(
de_ctx, pd);
710 int ret = 0, res = 0;
711 char type_str[16] =
"";
712 const char *orig_right_edge = regexstr + strlen(regexstr);
718 pcre2_match_data *match = NULL;
720 SCLogDebug(
"regexstr %s, pd %p", regexstr, pd);
722 ret = pcre2_pattern_info(pd->
parse_regex.
regex, PCRE2_INFO_CAPTURECOUNT, &capture_cnt);
723 SCLogDebug(
"ret %d capture_cnt %d", ret, capture_cnt);
724 if (ret == 0 && capture_cnt && strlen(capture_names) > 0)
727 while ((name_array[name_idx] = strtok_r(name_idx == 0 ? capture_names : NULL,
" ,", &ptr))){
728 if (name_idx > (capture_cnt - 1)) {
730 "var capture names than capturing substrings");
733 SCLogDebug(
"name '%s'", name_array[name_idx]);
735 if (strcmp(name_array[name_idx],
"pkt:key") == 0) {
743 }
else if (key == 1 && strcmp(name_array[name_idx],
"pkt:value") == 0) {
748 }
else if (key == 0 && strcmp(name_array[name_idx],
"pkt:value") == 0) {
750 }
else if (key == 1) {
753 }
else if (strncmp(name_array[name_idx],
"flow:", 5) == 0) {
759 }
else if (strncmp(name_array[name_idx],
"pkt:", 4) == 0) {
768 "var capture names must start with 'pkt:' or 'flow:'");
780 size_t cap_buffer_len = strlen(regexstr) + 1;
781 char capture_str[cap_buffer_len];
782 memset(capture_str, 0x00, cap_buffer_len);
792 pcre2_match_data_free(match);
795 copylen =
sizeof(type_str);
796 res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)type_str, ©len);
798 SCLogError(
"pcre2_substring_copy_bynumber failed");
801 cap_buffer_len = strlen(regexstr) + 1;
802 res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)capture_str, &cap_buffer_len);
804 SCLogError(
"pcre2_substring_copy_bynumber failed");
807 if (strlen(capture_str) == 0 || strlen(type_str) == 0) {
815 SCLogError(
"rule can have maximally %d pkt/flow "
818 pcre2_match_data_free(match);
822 if (strcmp(type_str,
"pkt") == 0) {
827 }
else if (strcmp(type_str,
"flow") == 0) {
834 PCRE2_SIZE *ov = pcre2_get_ovector_pointer(match);
837 pcre2_match_data_free(match);
840 if (regexstr >= orig_right_edge)
846 pcre2_match_data_free(match);
850 static void *DetectPcreThreadInit(
void *data)
853 pcre2_match_data *match = pcre2_match_data_create_from_pattern(pd->
parse_regex.
regex, NULL);
857 static void DetectPcreThreadFree(
void *ctx)
860 pcre2_match_data *match = (pcre2_match_data *)ctx;
861 pcre2_match_data_free(match);
870 char capture_names[1024] =
"";
873 pd = DetectPcreParse(
de_ctx, regexstr, &parsed_sm_list,
878 if (DetectPcreParseCapture(regexstr,
de_ctx, pd, capture_names) < 0)
882 de_ctx,
"pcre", DetectPcreThreadInit, (
void *)pd, DetectPcreThreadFree, 0);
889 SCLogError(
"Expression seen with a sticky buffer still set; either (1) reset sticky "
890 "buffer with pkt_data or (2) use a sticky buffer providing \"%s\".",
899 switch (parsed_sm_list) {
913 sm_list = parsed_sm_list;
926 for (uint8_t x = 0; x < pd->
idx; x++) {
940 "preceding match in the same buffer");
943 }
else if (prev_pm == NULL) {
957 DetectPcreFree(
de_ctx, pd);
971 for (uint8_t i = 0; i < pd->
idx; i++) {
981 static int g_file_data_buffer_id = 0;
982 static int g_http_header_buffer_id = 0;
983 static int g_dce_stub_data_buffer_id = 0;
988 static int DetectPcreParseTest01 (
void)
992 const char *teststring =
"/blah/7";
998 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1008 static int DetectPcreParseTest02 (
void)
1012 const char *teststring =
"/blah/Ui$";
1018 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1029 static int DetectPcreParseTest03 (
void)
1033 const char *teststring =
"/blah/UNi";
1039 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1049 static int DetectPcreParseTest04 (
void)
1053 const char *teststring =
"/b\\\"lah/i";
1059 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1063 DetectPcreFree(
de_ctx, pd);
1071 static int DetectPcreParseTest05 (
void)
1075 const char *teststring =
"/b(l|a)h/";
1081 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1085 DetectPcreFree(
de_ctx, pd);
1093 static int DetectPcreParseTest06 (
void)
1097 const char *teststring =
"/b(l|a)h/smi";
1103 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1107 DetectPcreFree(
de_ctx, pd);
1115 static int DetectPcreParseTest07 (
void)
1119 const char *teststring =
"/blah/Ui";
1125 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1129 DetectPcreFree(
de_ctx, pd);
1137 static int DetectPcreParseTest08 (
void)
1141 const char *teststring =
"/b(l|a)h/O";
1147 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1151 DetectPcreFree(
de_ctx, pd);
1160 static int DetectPcreParseTest09 (
void)
1163 const char *teststring =
"/lala\\\\/";
1169 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1172 DetectPcreFree(
de_ctx, pd);
1180 static int DetectPcreParseTest10(
void)
1209 static int DetectPcreParseTest15(
void)
1217 "alert tcp any any -> any any "
1218 "(msg:\"Testing pcre relative http_method\"; "
1220 "http_method; pcre:\"/abc/RM\"; sid:1;)");
1232 static int DetectPcreParseTest16(
void)
1240 "alert tcp any any -> any any "
1241 "(msg:\"Testing pcre relative http_cookie\"; "
1242 "content:\"test\"; "
1243 "http_cookie; pcre:\"/abc/RC\"; sid:1;)");
1254 static int DetectPcreParseTest17(
void)
1262 "alert tcp any any -> any any "
1263 "(msg:\"Testing pcre relative http_raw_header\"; "
1264 "flow:to_server; content:\"test\"; "
1265 "http_raw_header; pcre:\"/abc/RD\"; sid:1;)");
1276 static int DetectPcreParseTest18(
void)
1284 "alert tcp any any -> any any "
1285 "(msg:\"Testing pcre relative http_header\"; "
1286 "content:\"test\"; "
1287 "http_header; pcre:\"/abc/RH\"; sid:1;)");
1298 static int DetectPcreParseTest19(
void)
1306 "alert tcp any any -> any any "
1307 "(msg:\"Testing pcre relative http_client_body\"; "
1308 "content:\"test\"; "
1309 "http_client_body; pcre:\"/abc/RP\"; sid:1;)");
1320 static int DetectPcreParseTest20(
void)
1328 "alert tcp any any -> any any "
1329 "(msg:\"Testing http_raw_uri\"; "
1330 "content:\"test\"; "
1331 "http_raw_uri; pcre:\"/abc/RI\"; sid:1;)");
1342 static int DetectPcreParseTest21(
void)
1350 "alert tcp any any -> any any "
1351 "(msg:\"Testing pcre relative uricontent\"; "
1352 "uricontent:\"test\"; "
1353 "pcre:\"/abc/RU\"; sid:1;)");
1364 static int DetectPcreParseTest22(
void)
1372 "alert tcp any any -> any any "
1373 "(msg:\"Testing pcre relative http_uri\"; "
1374 "content:\"test\"; "
1375 "http_uri; pcre:\"/abc/RU\"; sid:1;)");
1386 static int DetectPcreParseTest23(
void)
1394 "alert tcp any any -> any any "
1395 "(msg:\"Testing inconsistent pcre relative\"; "
1397 "http_cookie; pcre:\"/abc/RM\"; sid:1;)");
1408 static int DetectPcreParseTest24(
void)
1416 "alert tcp any any -> any any "
1417 "(msg:\"Testing inconsistent pcre modifiers\"; "
1418 "pcre:\"/abc/UI\"; sid:1;)");
1429 static int DetectPcreParseTest25(
void)
1437 "alert tcp any any -> any any "
1438 "(msg:\"Testing inconsistent pcre modifiers\"; "
1439 "pcre:\"/abc/DH\"; sid:1;)");
1450 static int DetectPcreParseTest26(
void)
1458 "alert http any any -> any any "
1459 "(msg:\"Testing inconsistent pcre modifiers\"; "
1460 "pcre:\"/abc/F\"; sid:1;)");
1471 static int DetectPcreParseTest27(
void)
1479 "(content:\"baduricontent\"; http_raw_uri; "
1480 "pcre:\"/^[a-z]{5}\\.html/R\"; sid:2; rev:2;)");
1491 static int DetectPcreParseTest28(
void)
1499 "(content:\"|2E|suricata\"; http_host; pcre:\"/\\x2Esuricata$/W\"; "
1507 static int DetectPcreTestSig01(
void)
1509 uint8_t *buf = (uint8_t *)
"lalala lalala\\ lala\n";
1510 uint16_t buflen = strlen((
char *)buf);
1514 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ "
1515 "lalala\\\\/\"; sid:1;)";
1528 static int DetectPcreTestSig02(
void)
1530 uint8_t *buf = (uint8_t *)
"lalala\n";
1531 uint16_t buflen = strlen((
char *)buf);
1534 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1535 "pcre:\"/^(la)+$/\"; sid:1;)";
1544 static int DetectPcreTestSig03(
void)
1547 uint8_t *buf = (uint8_t *)
"lalala";
1548 uint16_t buflen = strlen((
char *)buf);
1551 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1552 "pcre:\"/^(la)+$/\"; sid:1;)";
1562 static int DetectPcreTxBodyChunksTest01(
void)
1567 uint8_t httpbuf1[] =
"GET / HTTP/1.1\r\n";
1568 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1569 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1570 uint8_t httpbuf4[] =
"Body one!!";
1571 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1572 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1573 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1574 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1575 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1576 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1577 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1578 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1579 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1580 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1583 memset(&f, 0,
sizeof(f));
1584 memset(&ssn, 0,
sizeof(ssn));
1590 f.
proto = IPPROTO_TCP;
1661 static int DetectPcreTxBodyChunksTest02(
void)
1669 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1670 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1671 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1672 uint8_t httpbuf4[] =
"Body one!!";
1673 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1674 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1675 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1676 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1677 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1678 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1679 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1680 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1681 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1682 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1685 memset(&th_v, 0,
sizeof(th_v));
1686 memset(&f, 0,
sizeof(f));
1687 memset(&ssn, 0,
sizeof(ssn));
1693 f.
proto = IPPROTO_TCP;
1709 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1711 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
1801 if (det_ctx != NULL) {
1816 static int DetectPcreTxBodyChunksTest03(
void)
1824 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1825 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1826 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1827 uint8_t httpbuf4[] =
"Body one!!";
1828 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1829 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1830 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1831 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1832 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1833 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1834 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1835 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1836 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1837 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1840 memset(&th_v, 0,
sizeof(th_v));
1841 memset(&f, 0,
sizeof(f));
1842 memset(&ssn, 0,
sizeof(ssn));
1848 f.
proto = IPPROTO_TCP;
1864 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1866 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
1938 if (det_ctx != NULL) {
1955 static int DetectPcreParseHttpHost(
void)
1963 DetectPcreData *pd = DetectPcreParse(
de_ctx,
"/domain\\.com/W", &list, NULL, 0,
false, &alproto);
1965 DetectPcreFree(
de_ctx, pd);
1968 pd = DetectPcreParse(
de_ctx,
"/dOmain\\.com/W", &list, NULL, 0,
false, &alproto);
1973 pd = DetectPcreParse(
de_ctx,
"/domain\\D+\\.com/W", &list, NULL, 0,
false, &alproto);
1975 DetectPcreFree(
de_ctx, pd);
1980 pd = DetectPcreParse(
de_ctx,
"/\\\\Ddomain\\.com/W", &list, NULL, 0,
false, &alproto);
1990 static int DetectPcreParseCaptureTest(
void)
1996 "(content:\"Server: \"; http_header; pcre:\"/(.*)\\r\\n/HR, flow:somecapture\"; content:\"xyz\"; http_header; sid:1;)");
1999 "(content:\"Server: \"; http_header; pcre:\"/(flow:.*)\\r\\n/HR\"; content:\"xyz\"; http_header; sid:2;)");
2002 "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)([0-9]+)\\r\\n/HR, flow:somecapture, pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2005 "alert http any any -> any any "
2006 "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)\\r\\n/HR, flow:somecapture, "
2007 "pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2025 static void DetectPcreRegisterTests(
void)
2057 UtRegisterTest(
"DetectPcreTestSig02 -- anchored pcre", DetectPcreTestSig02);
2058 UtRegisterTest(
"DetectPcreTestSig03 -- anchored pcre", DetectPcreTestSig03);
2061 DetectPcreTxBodyChunksTest01);
2062 UtRegisterTest(
"DetectPcreTxBodyChunksTest02 -- modifier P, body chunks per tx",
2063 DetectPcreTxBodyChunksTest02);
2064 UtRegisterTest(
"DetectPcreTxBodyChunksTest03 -- modifier P, body chunks per tx",
2065 DetectPcreTxBodyChunksTest03);
2067 UtRegisterTest(
"DetectPcreParseHttpHost", DetectPcreParseHttpHost);
2068 UtRegisterTest(
"DetectPcreParseCaptureTest", DetectPcreParseCaptureTest);