/* Pattern used to pull a named capture declaration "(?P<type_name>" out of a
 * rule's pcre value: group 1 is the type and group 2 the variable name; the
 * caller compares group 1 against "pkt" / "flow".
 * NOTE(review): "[A-z]" is a range over ASCII 0x41-0x7A, so besides letters it
 * also admits '[', '\\', ']', '^', '_' and '`'. "[A-Za-z]" looks like the
 * intent -- confirm against existing rule sets before tightening. */
65 #define PARSE_CAPTURE_REGEX "\\(\\?P\\<([A-z]+)\\_([A-z0-9_]+)\\>"
/* Splits a "/regex/modifiers" keyword value: group 1 is the regex body, group 2
 * the modifier letters up to a closing double quote. The negative lookbehinds
 * keep an escaped "\/" inside the regex body from being taken as the closing
 * delimiter. */
66 #define PARSE_REGEX "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"
/* PCRE2 backtracking limits; 0 until overridden from the configuration
 * (e.g. the "pcre.match-limit-recursion" lookup below). Presumably applied to
 * the per-rule match context when >= -1 -- see the checks that follow the
 * match-context creation in the parse routine. */
68 static int pcre_match_limit = 0;
69 static int pcre_match_limit_recursion = 0;
/* Whether rule regexes are JIT-compiled (PCRE2_HAVE_JIT builds only); cleared
 * when the OS does not allow RWX pages, see the SCLogConfig message below. */
75 static int pcre2_use_jit = 1;
83 const char *
str,
const size_t strlen,
int start_offset,
int options,
84 pcre2_match_data *
match)
/* Forward declaration: the unit-test registration routine is defined at the
 * end of the file, after the tests it registers. */
93 static void DetectPcreRegisterTests(
void);
113 SCLogDebug(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
116 pcre_match_limit = val;
118 SCLogInfo(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
120 SCLogDebug(
"Using PCRE match-limit setting of: %i", pcre_match_limit);
126 if (!
ConfGetInt(
"pcre.match-limit-recursion", &val)) {
128 SCLogDebug(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
131 pcre_match_limit_recursion = val;
133 SCLogInfo(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
135 SCLogDebug(
"Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion);
140 if (parse_regex == NULL) {
141 FatalError(
"pcre2 compile failed for parse_regex");
147 if (parse_capture_regex == NULL) {
148 FatalError(
"pcre2 compile failed for parse_capture_regex");
151 #ifdef PCRE2_HAVE_JIT
153 SCLogConfig(
"PCRE2 won't use JIT as OS doesn't allow RWX pages");
181 const uint8_t *ptr = NULL;
183 PCRE2_SIZE capture_len = 0;
195 int start_offset = 0;
201 pcre2_match_data *
match =
204 ret = DetectPcreExec(det_ctx, pe, (
char *)ptr,
len, start_offset, 0,
match);
207 if (ret == PCRE2_ERROR_NOMATCH) {
215 }
else if (ret >= 0) {
227 if (ret > 1 && pe->
idx != 0) {
229 for (x = 0; x < pe->
idx; x++) {
231 const char *pcre2_str_ptr = NULL;
232 ret = pcre2_substring_get_bynumber(
233 match, x + 1, (PCRE2_UCHAR8 **)&pcre2_str_ptr, &capture_len);
235 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
239 capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
240 uint8_t *str_ptr =
SCMalloc(capture_len);
242 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
245 memcpy(str_ptr, pcre2_str_ptr, capture_len);
246 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr);
253 const char *pcre2_str_ptr2 = NULL;
255 uint16_t key_len = (capture_len < 0xff) ? (uint16_t)capture_len : 0xff;
256 int ret2 = pcre2_substring_get_bynumber(
257 match, x + 2, (PCRE2_UCHAR8 **)&pcre2_str_ptr2, &capture_len);
261 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
264 capture_len = (capture_len < 0xffff) ? (uint16_t)capture_len : 0xffff;
265 uint8_t *str_ptr2 =
SCMalloc(capture_len);
268 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
271 memcpy(str_ptr2, pcre2_str_ptr2, capture_len);
272 pcre2_substring_free((PCRE2_UCHAR8 *)pcre2_str_ptr2);
275 (uint8_t *)str_ptr2, (uint16_t)capture_len,
292 PCRE2_SIZE *ov = pcre2_get_ovector_pointer(
match);
307 static int DetectPcreSetList(
int list,
int set)
310 SCLogError(
"only one pcre option to specify a buffer type is allowed");
316 static int DetectPcreHasUpperCase(
const char *re)
318 size_t len = strlen(re);
319 bool is_meta =
false;
320 bool is_meta_hex =
false;
321 int meta_hex_cnt = 0;
323 for (
size_t i = 0; i <
len; i++) {
327 if (meta_hex_cnt == 2) {
331 }
else if (is_meta) {
338 else if (re[i] ==
'\\') {
341 else if (isupper((
unsigned char)re[i])) {
350 const char *regexstr,
int *sm_list,
char *capture_names,
351 size_t capture_names_size,
bool negate,
AppProto *alproto)
358 int ret = 0, res = 0;
359 int check_host_header = 0;
360 char op_str[64] =
"";
363 char *fcap = strstr(regexstr,
"flow:");
364 char *pcap = strstr(regexstr,
"pkt:");
367 size_t slen = strlen(regexstr) + 1;
372 cut_capture = fcap - regexstr;
373 else if (pcap && !fcap)
374 cut_capture = pcap - regexstr;
378 cut_capture =
MIN((pcap - regexstr), (fcap - regexstr));
383 if (cut_capture > 1) {
384 int offset = cut_capture - 1;
387 if (regexstr[
offset] ==
',' || regexstr[
offset] ==
' ') {
394 if (cut_capture == (
offset + 1)) {
395 SCLogDebug(
"missing separators, assume it's part of the regex");
398 strlcpy(capture_names, regexstr+cut_capture, capture_names_size);
399 if (capture_names[strlen(capture_names)-1] ==
'"')
400 capture_names[strlen(capture_names)-1] =
'\0';
407 parse_regex->
regex, (PCRE2_SPTR8)regexstr, slen, 0, 0, parse_regex->
match, NULL);
413 res = pcre2_substring_copy_bynumber(parse_regex->
match, 1, (PCRE2_UCHAR8 *)re, &slen);
415 SCLogError(
"pcre2_substring_copy_bynumber failed");
420 size_t copylen =
sizeof(op_str);
421 res = pcre2_substring_copy_bynumber(
422 parse_regex->
match, 2, (PCRE2_UCHAR8 *)op_str, ©len);
424 SCLogError(
"pcre2_substring_copy_bynumber failed");
444 opts |= PCRE2_ANCHORED;
447 opts |= PCRE2_DOLLAR_ENDONLY;
450 opts |= PCRE2_UNGREEDY;
454 opts |= PCRE2_CASELESS;
458 opts |= PCRE2_MULTILINE;
461 opts |= PCRE2_DOTALL;
464 opts |= PCRE2_EXTENDED;
473 SCLogError(
"regex modifier 'B' inconsistent with chosen buffer");
486 SCLogError(
"regex modifier 'U' inconsistent with 'B'");
490 *sm_list = DetectPcreSetList(*sm_list, list);
496 SCLogError(
"regex modifier 'V' inconsistent with 'B'");
500 *sm_list = DetectPcreSetList(*sm_list, list);
506 SCLogError(
"regex modifier 'W' inconsistent with 'B'");
510 *sm_list = DetectPcreSetList(*sm_list, list);
512 check_host_header = 1;
517 SCLogError(
"regex modifier 'Z' inconsistent with 'B'");
521 *sm_list = DetectPcreSetList(*sm_list, list);
527 SCLogError(
"regex modifier 'H' inconsistent with 'B'");
531 *sm_list = DetectPcreSetList(*sm_list, list);
536 SCLogError(
"regex modifier 'I' inconsistent with 'B'");
540 *sm_list = DetectPcreSetList(*sm_list, list);
546 *sm_list = DetectPcreSetList(*sm_list, list);
552 SCLogError(
"regex modifier 'M' inconsistent with 'B'");
556 *sm_list = DetectPcreSetList(*sm_list, list);
562 SCLogError(
"regex modifier 'C' inconsistent with 'B'");
566 *sm_list = DetectPcreSetList(*sm_list, list);
573 *sm_list = DetectPcreSetList(*sm_list, list);
580 *sm_list = DetectPcreSetList(*sm_list, list);
587 *sm_list = DetectPcreSetList(*sm_list, list);
594 *sm_list = DetectPcreSetList(*sm_list, list);
599 SCLogError(
"unknown regex modifier '%c'", *op);
611 if (check_host_header) {
614 "specified along with \"i(caseless)\" modifier. "
615 "Since the hostname buffer we match against "
616 "is actually lowercase, having a "
617 "nocase is redundant.");
619 else if (DetectPcreHasUpperCase(re)) {
621 "specified has an uppercase char. "
622 "Since the hostname buffer we match against "
623 "is actually lowercase, please specify an "
624 "all lowercase based pcre.");
634 if (capture_names == NULL || strlen(capture_names) == 0)
635 opts |= PCRE2_NO_AUTO_CAPTURE;
638 pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
640 opts &= ~PCRE2_NO_AUTO_CAPTURE;
642 pcre2_compile((PCRE2_SPTR8)re, PCRE2_ZERO_TERMINATED, opts, &en, &eo2, NULL);
645 PCRE2_UCHAR errbuffer[256];
646 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
647 SCLogError(
"pcre2 compile of \"%s\" failed at "
649 regexstr, (
int)eo2, errbuffer);
653 #ifdef PCRE2_HAVE_JIT
660 SCLogDebug(
"PCRE2 JIT compiler does not support: %s. "
661 "Falling back to regular PCRE2 handling (%s:%d)",
669 SCLogError(
"pcre2 could not create match context");
675 if (pcre_match_limit >= -1) {
678 if (pcre_match_limit_recursion >= -1) {
689 DetectPcreFree(
de_ctx, pd);
699 int ret = 0, res = 0;
700 char type_str[16] =
"";
701 const char *orig_right_edge = regexstr + strlen(regexstr);
708 SCLogDebug(
"regexstr %s, pd %p", regexstr, pd);
710 ret = pcre2_pattern_info(pd->
parse_regex.
regex, PCRE2_INFO_CAPTURECOUNT, &capture_cnt);
711 SCLogDebug(
"ret %d capture_cnt %d", ret, capture_cnt);
712 if (ret == 0 && capture_cnt && strlen(capture_names) > 0)
715 while ((name_array[name_idx] = strtok_r(name_idx == 0 ? capture_names : NULL,
" ,", &ptr))){
716 if (name_idx > (capture_cnt - 1)) {
718 "var capture names than capturing substrings");
721 SCLogDebug(
"name '%s'", name_array[name_idx]);
723 if (strcmp(name_array[name_idx],
"pkt:key") == 0) {
731 }
else if (key == 1 && strcmp(name_array[name_idx],
"pkt:value") == 0) {
736 }
else if (key == 0 && strcmp(name_array[name_idx],
"pkt:value") == 0) {
738 }
else if (key == 1) {
741 }
else if (strncmp(name_array[name_idx],
"flow:", 5) == 0) {
746 }
else if (strncmp(name_array[name_idx],
"pkt:", 4) == 0) {
754 "var capture names must start with 'pkt:' or 'flow:'");
766 size_t cap_buffer_len = strlen(regexstr) + 1;
767 char capture_str[cap_buffer_len];
768 memset(capture_str, 0x00, cap_buffer_len);
776 ret = pcre2_match(parse_capture_regex->
regex, (PCRE2_SPTR8)regexstr, strlen(regexstr), 0, 0,
777 parse_capture_regex->
match, NULL);
781 copylen =
sizeof(type_str);
782 res = pcre2_substring_copy_bynumber(
783 parse_capture_regex->
match, 1, (PCRE2_UCHAR8 *)type_str, ©len);
785 SCLogError(
"pcre2_substring_copy_bynumber failed");
788 cap_buffer_len = strlen(regexstr) + 1;
789 res = pcre2_substring_copy_bynumber(
790 parse_capture_regex->
match, 2, (PCRE2_UCHAR8 *)capture_str, &cap_buffer_len);
792 SCLogError(
"pcre2_substring_copy_bynumber failed");
795 if (strlen(capture_str) == 0 || strlen(type_str) == 0) {
803 SCLogError(
"rule can have maximally %d pkt/flow "
809 if (strcmp(type_str,
"pkt") == 0) {
814 }
else if (strcmp(type_str,
"flow") == 0) {
821 PCRE2_SIZE *ov = pcre2_get_ovector_pointer(parse_capture_regex->
match);
824 if (regexstr >= orig_right_edge)
833 static void *DetectPcreThreadInit(
void *data)
840 static void DetectPcreThreadFree(
void *ctx)
843 pcre2_match_data *
match = (pcre2_match_data *)ctx;
844 pcre2_match_data_free(
match);
854 char capture_names[1024] =
"";
857 pd = DetectPcreParse(
de_ctx, regexstr, &parsed_sm_list,
862 if (DetectPcreParseCapture(regexstr,
de_ctx, pd, capture_names) < 0)
866 de_ctx,
"pcre", DetectPcreThreadInit, (
void *)pd, DetectPcreThreadFree, 0);
873 SCLogError(
"Expression seen with a sticky buffer still set; either (1) reset sticky "
874 "buffer with pkt_data or (2) use a sticky buffer providing \"%s\".",
884 switch (parsed_sm_list) {
898 sm_list = parsed_sm_list;
910 sm->
ctx = (
void *)pd;
913 for (uint8_t x = 0; x < pd->
idx; x++) {
927 "preceding match in the same buffer");
930 }
else if (prev_pm == NULL) {
944 DetectPcreFree(
de_ctx, pd);
/* Buffer-list ids used by the unit tests below to index sm_lists_tail (file_data
 * and dce stub-data lookups in the parse tests). 0 until assigned; the
 * assignment is not in this excerpt -- presumably done in test setup. */
965 static int g_file_data_buffer_id = 0;
966 static int g_http_header_buffer_id = 0;
967 static int g_dce_stub_data_buffer_id = 0;
972 static int DetectPcreParseTest01 (
void)
976 const char *teststring =
"/blah/7";
982 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
992 static int DetectPcreParseTest02 (
void)
996 const char *teststring =
"/blah/Ui$";
1002 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1013 static int DetectPcreParseTest03 (
void)
1017 const char *teststring =
"/blah/UNi";
1023 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1033 static int DetectPcreParseTest04 (
void)
1037 const char *teststring =
"/b\\\"lah/i";
1043 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1047 DetectPcreFree(
de_ctx, pd);
1055 static int DetectPcreParseTest05 (
void)
1059 const char *teststring =
"/b(l|a)h/";
1065 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1069 DetectPcreFree(
de_ctx, pd);
1077 static int DetectPcreParseTest06 (
void)
1081 const char *teststring =
"/b(l|a)h/smi";
1087 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1091 DetectPcreFree(
de_ctx, pd);
1099 static int DetectPcreParseTest07 (
void)
1103 const char *teststring =
"/blah/Ui";
1109 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1113 DetectPcreFree(
de_ctx, pd);
1121 static int DetectPcreParseTest08 (
void)
1125 const char *teststring =
"/b(l|a)h/O";
1131 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1135 DetectPcreFree(
de_ctx, pd);
1144 static int DetectPcreParseTest09 (
void)
1147 const char *teststring =
"/lala\\\\/";
1153 pd = DetectPcreParse(
de_ctx, teststring, &list, NULL, 0,
false, &alproto);
1156 DetectPcreFree(
de_ctx, pd);
1164 static int DetectPcreParseTest10(
void)
1193 static int DetectPcreParseTest11(
void)
1204 "(msg:\"Testing bytejump_body\"; "
1205 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1207 "pcre:/bamboo/R; sid:1;)");
1210 FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
1212 data = (
DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1217 "(msg:\"Testing bytejump_body\"; "
1218 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1220 "pcre:/bamboo/R; sid:1;)");
1223 FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
1225 data = (
DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1230 "(msg:\"Testing bytejump_body\"; "
1231 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
1233 "pcre:/bamboo/RB; sid:1;)");
1236 FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL);
1238 data = (
DetectPcreData *)s->sm_lists_tail[g_dce_stub_data_buffer_id]->ctx;
1243 "(msg:\"Testing bytejump_body\"; "
1244 "content:\"one\"; pcre:/bamboo/; sid:1;)");
1247 FAIL_IF(s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL);
1260 static int DetectPcreParseTest12(
void)
1271 "(file_data; pcre:/abc/R; sid:1;)");
1275 FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL);
1279 data = (
DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
1293 static int DetectPcreParseTest13(
void)
1304 "(file_data; content:\"abc\"; pcre:/def/R; sid:1;)");
1308 FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL);
1312 data = (
DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
1326 static int DetectPcreParseTest14(
void)
1337 "(file_data; pcre:/def/; sid:1;)");
1341 FAIL_IF(s->sm_lists_tail[g_file_data_buffer_id] == NULL);
1345 data = (
DetectPcreData *)s->sm_lists_tail[g_file_data_buffer_id]->ctx;
1357 static int DetectPcreParseTest15(
void)
1365 "alert tcp any any -> any any "
1366 "(msg:\"Testing pcre relative http_method\"; "
1368 "http_method; pcre:\"/abc/RM\"; sid:1;)");
1380 static int DetectPcreParseTest16(
void)
1388 "alert tcp any any -> any any "
1389 "(msg:\"Testing pcre relative http_cookie\"; "
1390 "content:\"test\"; "
1391 "http_cookie; pcre:\"/abc/RC\"; sid:1;)");
1402 static int DetectPcreParseTest17(
void)
1410 "alert tcp any any -> any any "
1411 "(msg:\"Testing pcre relative http_raw_header\"; "
1412 "flow:to_server; content:\"test\"; "
1413 "http_raw_header; pcre:\"/abc/RD\"; sid:1;)");
1424 static int DetectPcreParseTest18(
void)
1432 "alert tcp any any -> any any "
1433 "(msg:\"Testing pcre relative http_header\"; "
1434 "content:\"test\"; "
1435 "http_header; pcre:\"/abc/RH\"; sid:1;)");
1446 static int DetectPcreParseTest19(
void)
1454 "alert tcp any any -> any any "
1455 "(msg:\"Testing pcre relative http_client_body\"; "
1456 "content:\"test\"; "
1457 "http_client_body; pcre:\"/abc/RP\"; sid:1;)");
1468 static int DetectPcreParseTest20(
void)
1476 "alert tcp any any -> any any "
1477 "(msg:\"Testing http_raw_uri\"; "
1478 "content:\"test\"; "
1479 "http_raw_uri; pcre:\"/abc/RI\"; sid:1;)");
1490 static int DetectPcreParseTest21(
void)
1498 "alert tcp any any -> any any "
1499 "(msg:\"Testing pcre relative uricontent\"; "
1500 "uricontent:\"test\"; "
1501 "pcre:\"/abc/RU\"; sid:1;)");
1512 static int DetectPcreParseTest22(
void)
1520 "alert tcp any any -> any any "
1521 "(msg:\"Testing pcre relative http_uri\"; "
1522 "content:\"test\"; "
1523 "http_uri; pcre:\"/abc/RU\"; sid:1;)");
1534 static int DetectPcreParseTest23(
void)
1542 "alert tcp any any -> any any "
1543 "(msg:\"Testing inconsistent pcre relative\"; "
1545 "http_cookie; pcre:\"/abc/RM\"; sid:1;)");
1556 static int DetectPcreParseTest24(
void)
1564 "alert tcp any any -> any any "
1565 "(msg:\"Testing inconsistent pcre modifiers\"; "
1566 "pcre:\"/abc/UI\"; sid:1;)");
1577 static int DetectPcreParseTest25(
void)
1585 "alert tcp any any -> any any "
1586 "(msg:\"Testing inconsistent pcre modifiers\"; "
1587 "pcre:\"/abc/DH\"; sid:1;)");
1598 static int DetectPcreParseTest26(
void)
1606 "alert http any any -> any any "
1607 "(msg:\"Testing inconsistent pcre modifiers\"; "
1608 "pcre:\"/abc/F\"; sid:1;)");
1619 static int DetectPcreParseTest27(
void)
1627 "(content:\"baduricontent\"; http_raw_uri; "
1628 "pcre:\"/^[a-z]{5}\\.html/R\"; sid:2; rev:2;)");
1639 static int DetectPcreParseTest28(
void)
1647 "(content:\"|2E|suricata\"; http_host; pcre:\"/\\x2Esuricata$/W\"; "
1655 static int DetectPcreTestSig01(
void)
1657 uint8_t *buf = (uint8_t *)
"lalala lalala\\ lala\n";
1658 uint16_t buflen = strlen((
char *)buf);
1662 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; pcre:\"/ "
1663 "lalala\\\\/\"; sid:1;)";
1676 static int DetectPcreTestSig02(
void)
1678 uint8_t *buf = (uint8_t *)
"lalala\n";
1679 uint16_t buflen = strlen((
char *)buf);
1682 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1683 "pcre:\"/^(la)+$/\"; sid:1;)";
1692 static int DetectPcreTestSig03(
void)
1695 uint8_t *buf = (uint8_t *)
"lalala";
1696 uint16_t buflen = strlen((
char *)buf);
1699 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with an ending slash\"; "
1700 "pcre:\"/^(la)+$/\"; sid:1;)";
1710 static int DetectPcreTxBodyChunksTest01(
void)
1715 uint8_t httpbuf1[] =
"GET / HTTP/1.1\r\n";
1716 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1717 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1718 uint8_t httpbuf4[] =
"Body one!!";
1719 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1720 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1721 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1722 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1723 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1724 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1725 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1726 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1727 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1728 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1731 memset(&f, 0,
sizeof(f));
1732 memset(&ssn, 0,
sizeof(ssn));
1738 f.
proto = IPPROTO_TCP;
1809 static int DetectPcreTxBodyChunksTest02(
void)
1817 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1818 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1819 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1820 uint8_t httpbuf4[] =
"Body one!!";
1821 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1822 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1823 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1824 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1825 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1826 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1827 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1828 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1829 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1830 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1833 memset(&th_v, 0,
sizeof(th_v));
1834 memset(&f, 0,
sizeof(f));
1835 memset(&ssn, 0,
sizeof(ssn));
1841 f.
proto = IPPROTO_TCP;
1857 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
1859 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
1949 if (det_ctx != NULL) {
1964 static int DetectPcreTxBodyChunksTest03(
void)
1972 uint8_t httpbuf1[] =
"POST / HTTP/1.1\r\n";
1973 uint8_t httpbuf2[] =
"User-Agent: Mozilla/1.0\r\nContent-Length: 10\r\n";
1974 uint8_t httpbuf3[] =
"Cookie: dummy\r\n\r\n";
1975 uint8_t httpbuf4[] =
"Body one!!";
1976 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
1977 uint32_t httplen2 =
sizeof(httpbuf2) - 1;
1978 uint32_t httplen3 =
sizeof(httpbuf3) - 1;
1979 uint32_t httplen4 =
sizeof(httpbuf4) - 1;
1980 uint8_t httpbuf5[] =
"GET /?var=val HTTP/1.1\r\n";
1981 uint8_t httpbuf6[] =
"User-Agent: Firefox/1.0\r\n";
1982 uint8_t httpbuf7[] =
"Cookie: dummy2\r\nContent-Length: 10\r\n\r\nBody two!!";
1983 uint32_t httplen5 =
sizeof(httpbuf5) - 1;
1984 uint32_t httplen6 =
sizeof(httpbuf6) - 1;
1985 uint32_t httplen7 =
sizeof(httpbuf7) - 1;
1988 memset(&th_v, 0,
sizeof(th_v));
1989 memset(&f, 0,
sizeof(f));
1990 memset(&ssn, 0,
sizeof(ssn));
1996 f.
proto = IPPROTO_TCP;
2012 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"POST\"; http_method; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; pcre:\"/one/P\"; sid:1; rev:1;)");
2014 s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; pcre:\"/two/P\"; sid:2; rev:1;)");
2086 if (det_ctx != NULL) {
2103 static int DetectPcreParseHttpHost(
void)
2111 DetectPcreData *pd = DetectPcreParse(
de_ctx,
"/domain\\.com/W", &list, NULL, 0,
false, &alproto);
2113 DetectPcreFree(
de_ctx, pd);
2116 pd = DetectPcreParse(
de_ctx,
"/dOmain\\.com/W", &list, NULL, 0,
false, &alproto);
2121 pd = DetectPcreParse(
de_ctx,
"/domain\\D+\\.com/W", &list, NULL, 0,
false, &alproto);
2123 DetectPcreFree(
de_ctx, pd);
2128 pd = DetectPcreParse(
de_ctx,
"/\\\\Ddomain\\.com/W", &list, NULL, 0,
false, &alproto);
2138 static int DetectPcreParseCaptureTest(
void)
2144 "(content:\"Server: \"; http_header; pcre:\"/(.*)\\r\\n/HR, flow:somecapture\"; content:\"xyz\"; http_header; sid:1;)");
2147 "(content:\"Server: \"; http_header; pcre:\"/(flow:.*)\\r\\n/HR\"; content:\"xyz\"; http_header; sid:2;)");
2150 "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)([0-9]+)\\r\\n/HR, flow:somecapture, pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2153 "alert http any any -> any any "
2154 "(content:\"Server: \"; http_header; pcre:\"/([a-z]+)\\r\\n/HR, flow:somecapture, "
2155 "pkt:anothercap\"; content:\"xyz\"; http_header; sid:3;)");
2172 static void DetectPcreRegisterTests(
void)
2208 UtRegisterTest(
"DetectPcreTestSig02 -- anchored pcre", DetectPcreTestSig02);
2209 UtRegisterTest(
"DetectPcreTestSig03 -- anchored pcre", DetectPcreTestSig03);
2212 DetectPcreTxBodyChunksTest01);
2213 UtRegisterTest(
"DetectPcreTxBodyChunksTest02 -- modifier P, body chunks per tx",
2214 DetectPcreTxBodyChunksTest02);
2215 UtRegisterTest(
"DetectPcreTxBodyChunksTest03 -- modifier P, body chunks per tx",
2216 DetectPcreTxBodyChunksTest03);
2218 UtRegisterTest(
"DetectPcreParseHttpHost", DetectPcreParseHttpHost);
2219 UtRegisterTest(
"DetectPcreParseCaptureTest", DetectPcreParseCaptureTest);