1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
23  *
24  * Simple uricontent match part of the detection engine.
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-content.h"
31 #include "detect-http-uri.h"
32 #include "detect-uricontent.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 #include "flow.h"
38 #include "detect-flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 #include "threads.h"
42 
43 #include "stream-tcp.h"
44 #include "stream.h"
45 #include "app-layer.h"
46 #include "app-layer-parser.h"
47 #include "app-layer-protos.h"
48 #include "app-layer-htp.h"
49 
50 #include "util-mpm.h"
51 #include "util-print.h"
52 #include "util-debug.h"
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 #include "util-spm.h"
56 #include "conf.h"
57 
58 /* prototypes */
59 static int DetectUricontentSetup (DetectEngineCtx *, Signature *, const char *);
60 #ifdef UNITTESTS
61 static void DetectUricontentRegisterTests(void);
62 #endif
63 static void DetectUricontentFree(DetectEngineCtx *de_ctx, void *);
64 
65 static int g_http_uri_buffer_id = 0;
66 
67 /**
68  * \brief Registration function for uricontent: keyword
69  */
71 {
72  sigmatch_table[DETECT_URICONTENT].name = "uricontent";
73  sigmatch_table[DETECT_URICONTENT].desc = "legacy keyword to match on the request URI buffer";
74  sigmatch_table[DETECT_URICONTENT].url = "/rules/http-keywords.html#uricontent";
76  sigmatch_table[DETECT_URICONTENT].Setup = DetectUricontentSetup;
77  sigmatch_table[DETECT_URICONTENT].Free = DetectUricontentFree;
78 #ifdef UNITTESTS
79  sigmatch_table[DETECT_URICONTENT].RegisterTests = DetectUricontentRegisterTests;
80 #endif
83 
84  g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
85 }
86 
87 /**
88  * \brief this function will Free memory associated with DetectContentData
89  *
90  * \param cd pointer to DetectUricontentData
91  */
92 void DetectUricontentFree(DetectEngineCtx *de_ctx, void *ptr)
93 {
94  SCEnter();
96 
97  if (cd == NULL)
98  SCReturn;
99 
100  SpmDestroyCtx(cd->spm_ctx);
101  SCFree(cd);
102 
103  SCReturn;
104 }
105 
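/**
 * \brief Setup function for the legacy uricontent keyword.
 *
 *        Checks the "legacy.uricontent" configuration option first. When the
 *        keyword is allowed, the pattern is set up through
 *        DetectContentSetup() and the http_uri modifier is applied through
 *        DetectHttpUriSetup().
 *
 * \param de_ctx Pointer to the detection engine context
 * \param s Pointer to the Signature currently being parsed from the rules
 * \param contentstr Pointer to the string holding the keyword value
 *
 * \retval 0 on success
 * \retval -1 on failure: keyword disabled by configuration, unrecognised
 *         configuration value, or one of the two setup calls failed
 */
int DetectUricontentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
{
    SCEnter();

    const char *legacy = NULL;
    if (ConfGet("legacy.uricontent", &legacy) == 1) {
        if (legacy == NULL) {
            /* NOTE(review): ConfGet()'s contract is not visible from this
             * file; guard so that a node without a value never reaches
             * strcasecmp() or the "%s" in the messages below. */
            SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "No value found "
                    "for legacy.uricontent. Valid values are "
                    "\"enabled\" OR \"disabled\".");
            goto error;
        }

        if (strcasecmp("disabled", legacy) == 0) {
            /* The rule is rejected; the message tells the rule writer how
             * to express the same match with content + http_uri. */
            SCLogError(SC_ERR_INVALID_SIGNATURE, "uricontent deprecated. To "
                    "use a rule with \"uricontent\", either set the "
                    "option - \"legacy.uricontent\" in the conf to "
                    "\"enabled\" OR replace uricontent with "
                    "'content:%s; http_uri;'.", contentstr);
            goto error;
        }

        if (strcasecmp("enabled", legacy) != 0) {
            /* Any value other than the two known ones rejects the rule
             * instead of silently falling back to a default. */
            SCLogError(SC_ERR_INVALID_YAML_CONF_ENTRY, "Invalid value found "
                    "for legacy.uricontent - \"%s\". Valid values are "
                    "\"enabled\" OR \"disabled\".", legacy);
            goto error;
        }
    }

    /* uricontent is handled as a content pattern ... */
    if (DetectContentSetup(de_ctx, s, contentstr) < 0)
        goto error;

    /* ... followed by the http_uri modifier, which takes no argument here. */
    if (DetectHttpUriSetup(de_ctx, s, NULL) < 0)
        goto error;

    SCReturnInt(0);
error:
    SCReturnInt(-1);
}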
150 
151 /*
152  * UNITTESTS
153  */
154 
155 #ifdef UNITTESTS
156 
157 #include "detect-isdataat.h"
158 #include "stream-tcp-reassemble.h"
159 
160 /**
161  * \test Checks if a uricontent is registered in a Signature
162  */
163 static int DetectUriSigTest01(void)
164 {
165  ThreadVars th_v;
166  Signature *s = NULL;
167 
168  memset(&th_v, 0, sizeof(th_v));
169 
172  de_ctx->flags |= DE_QUIET;
173 
174  s = DetectEngineAppendSig(de_ctx,"alert http any any -> any any (msg:"
175  "\" Test uricontent\"; content:\"me\"; uricontent:\"me\"; sid:1;)");
176  FAIL_IF_NULL(s);
177 
178  BUG_ON(s->sm_lists[g_http_uri_buffer_id] == NULL);
179  FAIL_IF_NOT(de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]->type == DETECT_CONTENT);
180 
182  PASS;
183 }
184 
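/**
 * \test Check that modifiers of content apply only to content keywords
 *       and the same for uricontent modifiers
 *
 *       The value checks use '==' so that they compare the parsed values.
 *       Written with '=', each check assigned the expected value to the
 *       field and then tested that non-zero value, so it could never fail.
 *
 *       NOTE(review): the listing this function was taken from omits some
 *       source lines; each gap is marked below and must be restored from
 *       the original file.
 */
static int DetectUriSigTest02(void)
{
    Signature *s = NULL;

    /* NOTE(review): source lines 193-194 are missing from this listing. */

    /* uricontent alone: only the http_uri list is checked */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent\"; "
                        "uricontent:\"foo\"; sid:1;)");
    FAIL_IF_NULL(s);
    FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
    /* NOTE(review): source lines 201-202 are missing from this listing. */

    /* uricontent followed by content: both lists must be populated */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent and content\"; "
                        "uricontent:\"foo\"; content:\"bar\";sid:1;)");

    FAIL_IF_NULL(s);
    FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
    FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
    /* NOTE(review): source line 211 is missing from this listing. */

    /* depth/offset placed after content must land on the content match.
     * The expected depth is 15 for "depth:10; offset: 5" -- presumably the
     * stored depth includes the offset; confirm against the depth keyword. */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent and content\"; "
                        "uricontent:\"foo\"; content:\"bar\";"
                        " depth:10; offset: 5; sid:1;)");

    FAIL_IF_NULL(s);
    FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
    FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth == 15);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset == 5);
    /* NOTE(review): source line 223 is missing from this listing. */

    /* depth/offset placed after uricontent must land on the uricontent match */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent and content\"; "
                        "content:\"foo\"; uricontent:\"bar\";"
                        " depth:10; offset: 5; sid:1;)");

    FAIL_IF_NULL(s);
    FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
    FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->depth == 15);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->offset == 5);
    /* NOTE(review): source line 235 is missing from this listing. */

    /* within on a single content is expected to be rejected by the parser */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent and content\"; "
                        "uricontent:\"foo\"; content:\"bar\";"
                        " depth:10; offset: 5; within:3; sid:1;)");

    FAIL_IF_NOT_NULL(s);

    /* distance on a single content is expected to be rejected as well */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent and content\"; "
                        "uricontent:\"foo\"; content:\"bar\";"
                        " depth:10; offset: 5; distance:3; sid:1;)");
    FAIL_IF_NOT_NULL(s);

    /* within after a second content applies to the last content match */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent and content\"; "
                        "uricontent:\"foo\"; content:\"bar\";"
                        " depth:10; offset: 5; content:"
                        "\"two_contents\"; within:30; sid:1;)");

    FAIL_IF_NULL(s);
    FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
    FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth == 15);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset == 5);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->within == 30);
    /* NOTE(review): source line 262 is missing from this listing. */

    /* within after a second uricontent applies to the last uricontent match */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent and content\"; "
                        "uricontent:\"foo\"; content:\"bar\";"
                        " depth:10; offset: 5; uricontent:"
                        "\"two_uricontents\"; within:30; sid:1;)");

    FAIL_IF_NULL(s);
    FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
    FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth == 15);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset == 5);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within == 30);
    /* NOTE(review): source line 276 is missing from this listing. */

    /* distance after a second content applies to the last content match */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent and content\"; "
                        "uricontent:\"foo\"; content:\"bar\";"
                        " depth:10; offset: 5; content:"
                        "\"two_contents\"; distance:30; sid:1;)");

    FAIL_IF_NULL(s);
    FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
    FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth == 15);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset == 5);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->distance == 30);
    /* NOTE(review): source line 290 is missing from this listing. */

    /* distance after a second uricontent applies to the last uricontent match */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent and content\"; "
                        "uricontent:\"foo\"; content:\"bar\";"
                        " depth:10; offset: 5; uricontent:"
                        "\"two_uricontents\"; distance:30; sid:1;)");

    FAIL_IF_NULL(s);
    FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
    FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth == 15);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset == 5);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance == 30);
    /* NOTE(review): source line 304 is missing from this listing. */

    /* mixed case: each distance/within pair belongs to the keyword it follows */
    s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
                        "\" Test uricontent and content\"; "
                        "uricontent:\"foo\"; content:\"bar\";"
                        " depth:10; offset: 5; uricontent:"
                        "\"two_uricontents\"; distance:30; "
                        "within:60; content:\"two_contents\";"
                        " within:70; distance:45; sid:1;)");
    FAIL_IF_NULL(s);

    FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
    FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth == 15);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset == 5);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance == 30);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within == 60);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->distance == 45);
    FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->within == 70);
    /* NOTE(review): source line 323 is missing from this listing. */

    /* NOTE(review): source line 325 is missing from this listing. */
    PASS;
}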
328 
329 /**
330  * \test Test content for dce sig.
331  */
332 static int DetectUriSigTest03(void)
333 {
336  de_ctx->flags |= DE_QUIET;
337 
338  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
339  "(msg:\"test\"; uricontent:\"\"; sid:238012;)");
340  FAIL_IF_NOT_NULL(s);
341 
343  PASS;
344 }
345 
346 /**
347  * \test Test content for dce sig.
348  */
349 static int DetectUriSigTest04(void)
350 {
353  de_ctx->flags |= DE_QUIET;
354 
355  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
356  "(msg:\"test\"; uricontent:\"; sid:238012;)");
357  FAIL_IF_NOT_NULL(s);
358 
360  PASS;
361 }
362 
363 /**
364  * \test Test content for dce sig.
365  */
366 static int DetectUriSigTest05(void)
367 {
370  de_ctx->flags |= DE_QUIET;
371 
372  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
373  "(msg:\"test\"; uricontent:\"boo; sid:238012;)");
374  FAIL_IF_NOT_NULL(s);
375 
377  PASS;
378 }
379 
380 /**
381  * \test Test content for dce sig.
382  */
383 static int DetectUriSigTest06(void)
384 {
387  de_ctx->flags |= DE_QUIET;
388 
389  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
390  "(msg:\"test\"; uricontent:boo\"; sid:238012;)");
391  FAIL_IF_NOT_NULL(s);
392 
394  PASS;
395 }
396 
397 /**
398  * \test Parsing test
399  */
400 static int DetectUriSigTest07(void)
401 {
402  DetectContentData *ud = 0;
403  Signature *s = NULL;
404 
407 
408  de_ctx->flags |= DE_QUIET;
409  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
410  "(msg:\"test\"; uricontent: !\"boo\"; sid:238012;)");
411  FAIL_IF_NULL(s);
412 
413  FAIL_IF_NULL(s->sm_lists_tail[g_http_uri_buffer_id]);
414  FAIL_IF_NULL(s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
415 
416  ud = (DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx;
417  FAIL_IF_NOT(strncmp("boo", (char *)ud->content, ud->content_len) == 0);
418 
420  PASS;
421 }
422 
423 
424 /**
425  * \test Parsing test
426  */
427 static int DetectUriContentParseTest08(void)
428 {
431  de_ctx->flags |= DE_QUIET;
432 
433  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
434  "(msg:\"test\"; uricontent:\"|\"; sid:1;)");
435  FAIL_IF_NOT_NULL(s);
436 
438  PASS;
439 }
440 
441 /**
442  * \test Parsing test
443  */
444 static int DetectUriContentParseTest09(void)
445 {
448  de_ctx->flags |= DE_QUIET;
449 
450  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
451  "(msg:\"test\"; uricontent:\"|af\"; sid:1;)");
452  FAIL_IF_NOT_NULL(s);
453 
455  PASS;
456 }
457 
458 /**
459  * \test Parsing test
460  */
461 static int DetectUriContentParseTest10(void)
462 {
465  de_ctx->flags |= DE_QUIET;
466 
467  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
468  "(msg:\"test\"; uricontent:\"af|\"; sid:1;)");
469  FAIL_IF_NOT_NULL(s);
470 
472  PASS;
473 }
474 
475 /**
476  * \test Parsing test
477  */
478 static int DetectUriContentParseTest11(void)
479 {
482  de_ctx->flags |= DE_QUIET;
483 
484  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
485  "(msg:\"test\"; uricontent:\"|af|\"; sid:1;)");
486  FAIL_IF_NULL(s);
487 
489  PASS;
490 }
491 
492 /**
493  * \test Parsing test
494  */
495 static int DetectUriContentParseTest12(void)
496 {
499  de_ctx->flags |= DE_QUIET;
500 
501  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
502  "(msg:\"test\"; uricontent:\"aast|\"; sid:1;)");
503  FAIL_IF_NOT_NULL(s);
504 
506  PASS;
507 }
508 
509 /**
510  * \test Parsing test
511  */
512 static int DetectUriContentParseTest13(void)
513 {
516  de_ctx->flags |= DE_QUIET;
517 
518  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
519  "(msg:\"test\"; uricontent:\"aast|af\"; sid:1;)");
520  FAIL_IF_NOT_NULL(s);
521 
523  PASS;
524 }
525 
526 /**
527  * \test Parsing test
528  */
529 static int DetectUriContentParseTest14(void)
530 {
533  de_ctx->flags |= DE_QUIET;
534 
535  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
536  "(msg:\"test\"; uricontent:\"aast|af|\"; sid:1;)");
537  FAIL_IF_NULL(s);
538 
540  PASS;
541 }
542 
543 /**
544  * \test Parsing test
545  */
546 static int DetectUriContentParseTest15(void)
547 {
550  de_ctx->flags |= DE_QUIET;
551 
552  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
553  "(msg:\"test\"; uricontent:\"|af|asdf\"; sid:1;)");
554  FAIL_IF_NULL(s);
555 
557  PASS;
558 }
559 
560 /**
561  * \test Parsing test
562  */
563 static int DetectUriContentParseTest16(void)
564 {
567  de_ctx->flags |= DE_QUIET;
568 
569  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
570  "(msg:\"test\"; uricontent:\"|af|af|\"; sid:1;)");
571  FAIL_IF_NOT_NULL(s);
572 
574  PASS;
575 }
576 
577 /**
578  * \test Parsing test
579  */
580 static int DetectUriContentParseTest17(void)
581 {
584  de_ctx->flags |= DE_QUIET;
585 
586  Signature *s =
587  DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
588  "(msg:\"test\"; uricontent:\"|af|af|af\"; sid:1;)");
589  FAIL_IF_NOT_NULL(s);
590 
592  PASS;
593 }
594 
595 /**
596  * \test Parsing test
597  */
598 static int DetectUriContentParseTest18(void)
599 {
602  de_ctx->flags |= DE_QUIET;
603 
604  Signature *s =
605  DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
606  "(msg:\"test\"; uricontent:\"|af|af|af|\"; sid:1;)");
607  FAIL_IF_NULL(s);
608 
610  PASS;
611 }
612 
613 /**
614  * \test Parsing test
615  */
616 static int DetectUriContentParseTest19(void)
617 {
620  de_ctx->flags |= DE_QUIET;
621 
622  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
623  "(msg:\"test\"; uricontent:\"\"; sid:1;)");
624  FAIL_IF_NOT_NULL(s);
625 
627  PASS;
628 }
629 
630 static int DetectUricontentIsdataatParseTest(void)
631 {
634  de_ctx->flags |= DE_QUIET;
635 
637  "alert tcp any any -> any any ("
638  "uricontent:\"one\"; "
639  "isdataat:!4,relative; sid:1;)");
640  FAIL_IF_NULL(s);
641 
642  SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
643  FAIL_IF_NULL(sm);
645 
650 
652  PASS;
653 }
654 
/**
 * \brief Registers the uricontent unit tests with the unittest runner.
 *
 *        The tests are kept in a table and registered in table order.
 */
static void DetectUricontentRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } uricontent_tests[] = {
        /* signature setup tests */
        { "DetectUriSigTest01", DetectUriSigTest01 },
        { "DetectUriSigTest02 - Modifiers", DetectUriSigTest02 },
        { "DetectUriSigTest03", DetectUriSigTest03 },
        { "DetectUriSigTest04", DetectUriSigTest04 },
        { "DetectUriSigTest05", DetectUriSigTest05 },
        { "DetectUriSigTest06", DetectUriSigTest06 },
        { "DetectUriSigTest07", DetectUriSigTest07 },

        /* pattern parsing tests */
        { "DetectUriContentParseTest08", DetectUriContentParseTest08 },
        { "DetectUriContentParseTest09", DetectUriContentParseTest09 },
        { "DetectUriContentParseTest10", DetectUriContentParseTest10 },
        { "DetectUriContentParseTest11", DetectUriContentParseTest11 },
        { "DetectUriContentParseTest12", DetectUriContentParseTest12 },
        { "DetectUriContentParseTest13", DetectUriContentParseTest13 },
        { "DetectUriContentParseTest14", DetectUriContentParseTest14 },
        { "DetectUriContentParseTest15", DetectUriContentParseTest15 },
        { "DetectUriContentParseTest16", DetectUriContentParseTest16 },
        { "DetectUriContentParseTest17", DetectUriContentParseTest17 },
        { "DetectUriContentParseTest18", DetectUriContentParseTest18 },
        { "DetectUriContentParseTest19", DetectUriContentParseTest19 },

        /* uricontent combined with isdataat */
        { "DetectUricontentIsdataatParseTest", DetectUricontentIsdataatParseTest },
    };
    const size_t test_count = sizeof(uricontent_tests) / sizeof(uricontent_tests[0]);

    for (size_t idx = 0; idx < test_count; idx++) {
        UtRegisterTest(uricontent_tests[idx].name, uricontent_tests[idx].fn);
    }
}
681 #endif /* UNITTESTS */