suricata
detect-uricontent.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
23  *
24  * Simple uricontent match part of the detection engine.
25  */
26 
27 #include "suricata-common.h"
28 #include "decode.h"
29 #include "detect.h"
30 #include "detect-content.h"
31 #include "detect-http-uri.h"
32 #include "detect-uricontent.h"
33 #include "detect-engine-mpm.h"
34 #include "detect-parse.h"
35 #include "detect-engine.h"
36 #include "detect-engine-state.h"
37 #include "flow.h"
38 #include "detect-flow.h"
39 #include "flow-var.h"
40 #include "flow-util.h"
41 #include "threads.h"
42 
43 #include "stream-tcp.h"
44 #include "stream.h"
45 #include "app-layer.h"
46 #include "app-layer-parser.h"
47 #include "app-layer-protos.h"
48 #include "app-layer-htp.h"
49 
50 #include "util-mpm.h"
51 #include "util-print.h"
52 #include "util-debug.h"
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 #include "util-spm.h"
56 #include "conf.h"
57 
58 /* prototypes */
59 static int DetectUricontentSetup (DetectEngineCtx *, Signature *, const char *);
60 #ifdef UNITTESTS
61 static void DetectUricontentRegisterTests(void);
62 #endif
63 static void DetectUricontentFree(DetectEngineCtx *de_ctx, void *);
64 
65 static int g_http_uri_buffer_id = 0;
66 
67 /**
68  * \brief Registration function for uricontent: keyword
69  */
70 void DetectUricontentRegister (void)
71 {
72  sigmatch_table[DETECT_URICONTENT].name = "uricontent";
73  sigmatch_table[DETECT_URICONTENT].desc = "legacy keyword to match on the request URI buffer";
74  sigmatch_table[DETECT_URICONTENT].url = "/rules/http-keywords.html#uricontent";
75  sigmatch_table[DETECT_URICONTENT].Match = NULL;
76  sigmatch_table[DETECT_URICONTENT].Setup = DetectUricontentSetup;
77  sigmatch_table[DETECT_URICONTENT].Free = DetectUricontentFree;
78 #ifdef UNITTESTS
79  sigmatch_table[DETECT_URICONTENT].RegisterTests = DetectUricontentRegisterTests;
80 #endif
81  sigmatch_table[DETECT_URICONTENT].flags = (SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION);
82  sigmatch_table[DETECT_URICONTENT].alternative = DETECT_HTTP_URI;
83 
84  g_http_uri_buffer_id = DetectBufferTypeRegister("http_uri");
85 }
86 
87 /**
88  * \brief this function will Free memory associated with DetectContentData
89  *
90  * \param cd pointer to DetectUricotentData
91  */
92 void DetectUricontentFree(DetectEngineCtx *de_ctx, void *ptr)
93 {
94  SCEnter();
95  DetectContentData *cd = (DetectContentData *)ptr;
96 
97  if (cd == NULL)
98  SCReturn;
99 
100  SpmDestroyCtx(cd->spm_ctx);
101  SCFree(cd);
102 
103  SCReturn;
104 }
105 
106 /**
107  * \brief Creates a SigMatch for the uricontent keyword being sent as argument,
108  * and appends it to the Signature(s).
109  *
110  * \param de_ctx Pointer to the detection engine context
111  * \param s Pointer to signature for the current Signature being parsed
112  * from the rules
113  * \param contentstr Pointer to the string holding the keyword value
114  *
115  * \retval 0 on success, -1 on failure
116  */
117 int DetectUricontentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
118 {
119  SCEnter();
120 
121  const char *legacy = NULL;
122  if (ConfGet("legacy.uricontent", &legacy) == 1) {
123  if (strcasecmp("disabled", legacy) == 0) {
124  SCLogError("uriconent deprecated. To "
125  "use a rule with \"uricontent\", either set the "
126  "option - \"legacy.uricontent\" in the conf to "
127  "\"enabled\" OR replace uricontent with "
128  "\'content:%s; http_uri;\'.",
129  contentstr);
130  goto error;
131  } else if (strcasecmp("enabled", legacy) == 0) {
132  ;
133  } else {
134  SCLogError("Invalid value found "
135  "for legacy.uriconent - \"%s\". Valid values are "
136  "\"enabled\" OR \"disabled\".",
137  legacy);
138  goto error;
139  }
140  }
141 
142  if (DetectContentSetup(de_ctx, s, contentstr) < 0)
143  goto error;
144 
145  if (DetectHttpUriSetup(de_ctx, s, NULL) < 0)
146  goto error;
147 
148  SCReturnInt(0);
149 error:
150  SCReturnInt(-1);
151 }
152 
153 /*
154  * UNITTTESTS
155  */
156 
157 #ifdef UNITTESTS
158 
159 #include "detect-isdataat.h"
160 #include "stream-tcp-reassemble.h"
161 
162 /**
163  * \test Checks if a uricontent is registered in a Signature
164  */
165 static int DetectUriSigTest01(void)
166 {
167  ThreadVars th_v;
168  Signature *s = NULL;
169 
170  memset(&th_v, 0, sizeof(th_v));
171 
172  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
173  FAIL_IF_NULL(de_ctx);
174  de_ctx->flags |= DE_QUIET;
175 
176  s = DetectEngineAppendSig(de_ctx,"alert http any any -> any any (msg:"
177  "\" Test uricontent\"; content:\"me\"; uricontent:\"me\"; sid:1;)");
178  FAIL_IF_NULL(s);
179 
180  BUG_ON(s->sm_lists[g_http_uri_buffer_id] == NULL);
181  FAIL_IF_NOT(de_ctx->sig_list->sm_lists[g_http_uri_buffer_id]->type == DETECT_CONTENT);
182 
183  DetectEngineCtxFree(de_ctx);
184  PASS;
185 }
186 
187 /**
188  * \test Check that modifiers of content apply only to content keywords
189  * and the same for uricontent modifiers
190  */
191 static int DetectUriSigTest02(void)
192 {
193  Signature *s = NULL;
194 
195  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
196  FAIL_IF_NULL(de_ctx);
197 
198  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
199  "\" Test uricontent\"; "
200  "uricontent:\"foo\"; sid:1;)");
201  FAIL_IF_NULL(s);
202  FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
203  FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
204  FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
205 
206  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
207  "\" Test uricontent and content\"; "
208  "uricontent:\"foo\"; content:\"bar\";sid:1;)");
209 
210  FAIL_IF_NULL(s);
211  FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
212  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
213  FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
214 
215  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
216  "\" Test uricontent and content\"; "
217  "uricontent:\"foo\"; content:\"bar\";"
218  " depth:10; offset: 5; sid:1;)");
219 
220  FAIL_IF_NULL(s);
221  FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
222  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
223  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth = 15);
224  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset = 5);
225  FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
226 
227  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
228  "\" Test uricontent and content\"; "
229  "content:\"foo\"; uricontent:\"bar\";"
230  " depth:10; offset: 5; sid:1;)");
231 
232  FAIL_IF_NULL(s);
233  FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
234  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
235  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->depth = 15);
236  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[g_http_uri_buffer_id]->ctx)->offset = 5);
237  FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
238 
239  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
240  "\" Test uricontent and content\"; "
241  "uricontent:\"foo\"; content:\"bar\";"
242  " depth:10; offset: 5; within:3; sid:1;)");
243 
244  FAIL_IF_NOT_NULL(s);
245 
246  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
247  "\" Test uricontent and content\"; "
248  "uricontent:\"foo\"; content:\"bar\";"
249  " depth:10; offset: 5; distance:3; sid:1;)");
250  FAIL_IF_NOT_NULL(s);
251 
252  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
253  "\" Test uricontent and content\"; "
254  "uricontent:\"foo\"; content:\"bar\";"
255  " depth:10; offset: 5; content:"
256  "\"two_contents\"; within:30; sid:1;)");
257 
258  FAIL_IF_NULL(s);
259  FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
260  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
261  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth = 15);
262  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset = 5);
263  FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->within = 30);
264  FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
265 
266  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
267  "\" Test uricontent and content\"; "
268  "uricontent:\"foo\"; content:\"bar\";"
269  " depth:10; offset: 5; uricontent:"
270  "\"two_uricontents\"; within:30; sid:1;)");
271 
272  FAIL_IF_NULL(s);
273  FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
274  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
275  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth = 15);
276  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset = 5);
277  FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within = 30);
278  FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
279 
280  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
281  "\" Test uricontent and content\"; "
282  "uricontent:\"foo\"; content:\"bar\";"
283  " depth:10; offset: 5; content:"
284  "\"two_contents\"; distance:30; sid:1;)");
285 
286  FAIL_IF_NULL(s);
287  FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
288  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
289  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth = 15);
290  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset = 5);
291  FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->distance = 30);
292  FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
293 
294  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
295  "\" Test uricontent and content\"; "
296  "uricontent:\"foo\"; content:\"bar\";"
297  " depth:10; offset: 5; uricontent:"
298  "\"two_uricontents\"; distance:30; sid:1;)");
299 
300  FAIL_IF_NULL(s);
301  FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
302  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
303  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth = 15);
304  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset = 5);
305  FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance = 30);
306  FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
307 
308  s = SigInit(de_ctx, "alert tcp any any -> any any (msg:"
309  "\" Test uricontent and content\"; "
310  "uricontent:\"foo\"; content:\"bar\";"
311  " depth:10; offset: 5; uricontent:"
312  "\"two_uricontents\"; distance:30; "
313  "within:60; content:\"two_contents\";"
314  " within:70; distance:45; sid:1;)");
315  FAIL_IF_NULL(s);
316 
317  FAIL_IF_NULL(s->sm_lists[g_http_uri_buffer_id]);
318  FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_PMATCH]);
319  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->depth = 15);
320  FAIL_IF_NOT(((DetectContentData *)s->sm_lists[DETECT_SM_LIST_PMATCH]->ctx)->offset = 5);
321  FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->distance = 30);
322  FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->within = 60);
323  FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->distance = 45);
324  FAIL_IF_NOT(((DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx)->within = 70);
325  FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_MATCH]);
326 
327  DetectEngineCtxFree(de_ctx);
328  PASS;
329 }
330 
331 /**
332  * \test Test content for dce sig.
333  */
334 static int DetectUriSigTest03(void)
335 {
336  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
337  FAIL_IF_NULL(de_ctx);
338  de_ctx->flags |= DE_QUIET;
339 
340  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
341  "(msg:\"test\"; uricontent:\"\"; sid:238012;)");
342  FAIL_IF_NOT_NULL(s);
343 
344  DetectEngineCtxFree(de_ctx);
345  PASS;
346 }
347 
348 /**
349  * \test Test content for dce sig.
350  */
351 static int DetectUriSigTest04(void)
352 {
353  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
354  FAIL_IF_NULL(de_ctx);
355  de_ctx->flags |= DE_QUIET;
356 
357  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
358  "(msg:\"test\"; uricontent:\"; sid:238012;)");
359  FAIL_IF_NOT_NULL(s);
360 
361  DetectEngineCtxFree(de_ctx);
362  PASS;
363 }
364 
365 /**
366  * \test Test content for dce sig.
367  */
368 static int DetectUriSigTest05(void)
369 {
370  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
371  FAIL_IF_NULL(de_ctx);
372  de_ctx->flags |= DE_QUIET;
373 
374  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
375  "(msg:\"test\"; uricontent:\"boo; sid:238012;)");
376  FAIL_IF_NOT_NULL(s);
377 
378  DetectEngineCtxFree(de_ctx);
379  PASS;
380 }
381 
382 /**
383  * \test Test content for dce sig.
384  */
385 static int DetectUriSigTest06(void)
386 {
387  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
388  FAIL_IF_NULL(de_ctx);
389  de_ctx->flags |= DE_QUIET;
390 
391  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
392  "(msg:\"test\"; uricontent:boo\"; sid:238012;)");
393  FAIL_IF_NOT_NULL(s);
394 
395  DetectEngineCtxFree(de_ctx);
396  PASS;
397 }
398 
399 /**
400  * \test Parsing test
401  */
402 static int DetectUriSigTest07(void)
403 {
404  DetectContentData *ud = 0;
405  Signature *s = NULL;
406 
407  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
408  FAIL_IF_NULL(de_ctx);
409 
410  de_ctx->flags |= DE_QUIET;
411  s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
412  "(msg:\"test\"; uricontent: !\"boo\"; sid:238012;)");
413  FAIL_IF_NULL(s);
414 
415  FAIL_IF_NULL(s->sm_lists_tail[g_http_uri_buffer_id]);
416  FAIL_IF_NULL(s->sm_lists_tail[g_http_uri_buffer_id]->ctx);
417 
418  ud = (DetectContentData *)s->sm_lists_tail[g_http_uri_buffer_id]->ctx;
419  FAIL_IF_NOT(strncmp("boo", (char *)ud->content, ud->content_len) == 0);
420 
421  DetectEngineCtxFree(de_ctx);
422  PASS;
423 }
424 
425 
426 /**
427  * \test Parsing test
428  */
429 static int DetectUriContentParseTest08(void)
430 {
431  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
432  FAIL_IF_NULL(de_ctx);
433  de_ctx->flags |= DE_QUIET;
434 
435  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
436  "(msg:\"test\"; uricontent:\"|\"; sid:1;)");
437  FAIL_IF_NOT_NULL(s);
438 
439  DetectEngineCtxFree(de_ctx);
440  PASS;
441 }
442 
443 /**
444  * \test Parsing test
445  */
446 static int DetectUriContentParseTest09(void)
447 {
448  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
449  FAIL_IF_NULL(de_ctx);
450  de_ctx->flags |= DE_QUIET;
451 
452  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
453  "(msg:\"test\"; uricontent:\"|af\"; sid:1;)");
454  FAIL_IF_NOT_NULL(s);
455 
456  DetectEngineCtxFree(de_ctx);
457  PASS;
458 }
459 
460 /**
461  * \test Parsing test
462  */
463 static int DetectUriContentParseTest10(void)
464 {
465  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
466  FAIL_IF_NULL(de_ctx);
467  de_ctx->flags |= DE_QUIET;
468 
469  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
470  "(msg:\"test\"; uricontent:\"af|\"; sid:1;)");
471  FAIL_IF_NOT_NULL(s);
472 
473  DetectEngineCtxFree(de_ctx);
474  PASS;
475 }
476 
477 /**
478  * \test Parsing test
479  */
480 static int DetectUriContentParseTest11(void)
481 {
482  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
483  FAIL_IF_NULL(de_ctx);
484  de_ctx->flags |= DE_QUIET;
485 
486  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
487  "(msg:\"test\"; uricontent:\"|af|\"; sid:1;)");
488  FAIL_IF_NULL(s);
489 
490  DetectEngineCtxFree(de_ctx);
491  PASS;
492 }
493 
494 /**
495  * \test Parsing test
496  */
497 static int DetectUriContentParseTest12(void)
498 {
499  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
500  FAIL_IF_NULL(de_ctx);
501  de_ctx->flags |= DE_QUIET;
502 
503  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
504  "(msg:\"test\"; uricontent:\"aast|\"; sid:1;)");
505  FAIL_IF_NOT_NULL(s);
506 
507  DetectEngineCtxFree(de_ctx);
508  PASS;
509 }
510 
511 /**
512  * \test Parsing test
513  */
514 static int DetectUriContentParseTest13(void)
515 {
516  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
517  FAIL_IF_NULL(de_ctx);
518  de_ctx->flags |= DE_QUIET;
519 
520  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
521  "(msg:\"test\"; uricontent:\"aast|af\"; sid:1;)");
522  FAIL_IF_NOT_NULL(s);
523 
524  DetectEngineCtxFree(de_ctx);
525  PASS;
526 }
527 
528 /**
529  * \test Parsing test
530  */
531 static int DetectUriContentParseTest14(void)
532 {
533  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
534  FAIL_IF_NULL(de_ctx);
535  de_ctx->flags |= DE_QUIET;
536 
537  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
538  "(msg:\"test\"; uricontent:\"aast|af|\"; sid:1;)");
539  FAIL_IF_NULL(s);
540 
541  DetectEngineCtxFree(de_ctx);
542  PASS;
543 }
544 
545 /**
546  * \test Parsing test
547  */
548 static int DetectUriContentParseTest15(void)
549 {
550  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
551  FAIL_IF_NULL(de_ctx);
552  de_ctx->flags |= DE_QUIET;
553 
554  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
555  "(msg:\"test\"; uricontent:\"|af|asdf\"; sid:1;)");
556  FAIL_IF_NULL(s);
557 
558  DetectEngineCtxFree(de_ctx);
559  PASS;
560 }
561 
562 /**
563  * \test Parsing test
564  */
565 static int DetectUriContentParseTest16(void)
566 {
567  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
568  FAIL_IF_NULL(de_ctx);
569  de_ctx->flags |= DE_QUIET;
570 
571  Signature *s = DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
572  "(msg:\"test\"; uricontent:\"|af|af|\"; sid:1;)");
573  FAIL_IF_NOT_NULL(s);
574 
575  DetectEngineCtxFree(de_ctx);
576  PASS;
577 }
578 
579 /**
580  * \test Parsing test
581  */
582 static int DetectUriContentParseTest17(void)
583 {
584  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
585  FAIL_IF_NULL(de_ctx);
586  de_ctx->flags |= DE_QUIET;
587 
588  Signature *s =
589  DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
590  "(msg:\"test\"; uricontent:\"|af|af|af\"; sid:1;)");
591  FAIL_IF_NOT_NULL(s);
592 
593  DetectEngineCtxFree(de_ctx);
594  PASS;
595 }
596 
597 /**
598  * \test Parsing test
599  */
600 static int DetectUriContentParseTest18(void)
601 {
602  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
603  FAIL_IF_NULL(de_ctx);
604  de_ctx->flags |= DE_QUIET;
605 
606  Signature *s =
607  DetectEngineAppendSig(de_ctx, "alert udp any any -> any any "
608  "(msg:\"test\"; uricontent:\"|af|af|af|\"; sid:1;)");
609  FAIL_IF_NULL(s);
610 
611  DetectEngineCtxFree(de_ctx);
612  PASS;
613 }
614 
615 /**
616  * \test Parsing test
617  */
618 static int DetectUriContentParseTest19(void)
619 {
620  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
621  FAIL_IF_NULL(de_ctx);
622  de_ctx->flags |= DE_QUIET;
623 
624  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
625  "(msg:\"test\"; uricontent:\"\"; sid:1;)");
626  FAIL_IF_NOT_NULL(s);
627 
628  DetectEngineCtxFree(de_ctx);
629  PASS;
630 }
631 
632 static int DetectUricontentIsdataatParseTest(void)
633 {
634  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
635  FAIL_IF_NULL(de_ctx);
636  de_ctx->flags |= DE_QUIET;
637 
638  Signature *s = DetectEngineAppendSig(de_ctx,
639  "alert tcp any any -> any any ("
640  "uricontent:\"one\"; "
641  "isdataat:!4,relative; sid:1;)");
642  FAIL_IF_NULL(s);
643 
644  SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
645  FAIL_IF_NULL(sm);
646  FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
647 
648  DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
649  FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
650  FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
651  FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
652 
653  DetectEngineCtxFree(de_ctx);
654  PASS;
655 }
656 
657 static void DetectUricontentRegisterTests(void)
658 {
659  UtRegisterTest("DetectUriSigTest01", DetectUriSigTest01);
660  UtRegisterTest("DetectUriSigTest02 - Modifiers", DetectUriSigTest02);
661  UtRegisterTest("DetectUriSigTest03", DetectUriSigTest03);
662  UtRegisterTest("DetectUriSigTest04", DetectUriSigTest04);
663  UtRegisterTest("DetectUriSigTest05", DetectUriSigTest05);
664  UtRegisterTest("DetectUriSigTest06", DetectUriSigTest06);
665  UtRegisterTest("DetectUriSigTest07", DetectUriSigTest07);
666 
667  UtRegisterTest("DetectUriContentParseTest08", DetectUriContentParseTest08);
668  UtRegisterTest("DetectUriContentParseTest09", DetectUriContentParseTest09);
669  UtRegisterTest("DetectUriContentParseTest10", DetectUriContentParseTest10);
670  UtRegisterTest("DetectUriContentParseTest11", DetectUriContentParseTest11);
671  UtRegisterTest("DetectUriContentParseTest12", DetectUriContentParseTest12);
672  UtRegisterTest("DetectUriContentParseTest13", DetectUriContentParseTest13);
673  UtRegisterTest("DetectUriContentParseTest14", DetectUriContentParseTest14);
674  UtRegisterTest("DetectUriContentParseTest15", DetectUriContentParseTest15);
675  UtRegisterTest("DetectUriContentParseTest16", DetectUriContentParseTest16);
676  UtRegisterTest("DetectUriContentParseTest17", DetectUriContentParseTest17);
677  UtRegisterTest("DetectUriContentParseTest18", DetectUriContentParseTest18);
678  UtRegisterTest("DetectUriContentParseTest19", DetectUriContentParseTest19);
679 
680  UtRegisterTest("DetectUricontentIsdataatParseTest",
681  DetectUricontentIsdataatParseTest);
682 }
683 #endif /* UNITTESTS */
SigTableElmt_::url
const char * url
Definition: detect.h:1243
detect-content.h
detect-engine.h
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:81
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SigTableElmt_::desc
const char * desc
Definition: detect.h:1242
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1230
flow-util.h
SigTableElmt_::name
const char * name
Definition: detect.h:1240
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectIsdataatData_::flags
uint8_t flags
Definition: detect-isdataat.h:37
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
detect-isdataat.h
threads.h
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1234
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:787
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2455
DE_QUIET
#define DE_QUIET
Definition: detect.h:289
stream-tcp-reassemble.h
DetectIsdataatData_
Definition: detect-isdataat.h:35
DetectContentData_
Definition: detect-content.h:93
DetectUricontentRegister
void DetectUricontentRegister(void)
Registration function for uricontent: keyword.
Definition: detect-uricontent.c:70
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2423
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1225
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectHttpUriSetup
int DetectHttpUriSetup(DetectEngineCtx *de_ctx, Signature *s, const char *str)
this function setups the http_uri modifier keyword used in the rule
Definition: detect-http-uri.c:184
ConfGet
int ConfGet(const char *name, const char **vptr)
Retrieve the value of a configuration node.
Definition: conf.c:335
SignatureInitData_::smlists_tail
struct SigMatch_ ** smlists_tail
Definition: detect.h:538
SIGMATCH_QUOTES_MANDATORY
#define SIGMATCH_QUOTES_MANDATORY
Definition: detect.h:1441
app-layer-htp.h
decode.h
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectContentSetup
int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, const char *contentstr)
Function to setup a content pattern.
Definition: detect-content.c:328
DETECT_URICONTENT
@ DETECT_URICONTENT
Definition: detect-engine-register.h:63
util-print.h
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
detect-http-uri.h
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:79
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2118
SigTableElmt_::alternative
uint16_t alternative
Definition: detect.h:1238
app-layer-parser.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:318
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:289
SCReturn
#define SCReturn
Definition: util-debug.h:273
stream.h
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition: detect-isdataat.h:27
conf.h
SIGMATCH_HANDLE_NEGATION
#define SIGMATCH_HANDLE_NEGATION
Definition: detect.h:1445
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:613
detect-engine-state.h
Data structures and function prototypes for keeping state for the detection engine.
ISDATAAT_RAWBYTES
#define ISDATAAT_RAWBYTES
Definition: detect-isdataat.h:28
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1208
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
util-mpm.h
DetectBufferTypeRegister
int DetectBufferTypeRegister(const char *name)
Definition: detect-engine.c:1025
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:316
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:76
util-spm.h
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:94
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:793
detect-flow.h
ISDATAAT_NEGATED
#define ISDATAAT_NEGATED
Definition: detect-isdataat.h:29
DetectContentData_::spm_ctx
SpmCtx * spm_ctx
Definition: detect-content.h:111
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:542
SigMatch_
a single match condition for a signature
Definition: detect.h:315
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition: detect-engine-register.h:82
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2416
app-layer-protos.h
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:95
detect-uricontent.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:788
flow.h
SpmDestroyCtx
void SpmDestroyCtx(SpmCtx *ctx)
Definition: util-spm.c:183
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
flow-var.h
DETECT_HTTP_URI
@ DETECT_HTTP_URI
Definition: detect-engine-register.h:151
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1232
app-layer.h