/*
 * Grammar accepted for the urilen option, anchored at both ends:
 *   group 1: optional operator, '<' or '>'
 *   group 2: first length, 1 to 5 decimal digits
 *   group 3: optional range separator "<>"
 *   group 4: second length, 1 to 5 decimal digits (only after "<>")
 *   group 5: optional modifier after a comma, "norm" or "raw"
 * Whitespace is tolerated between the elements and at either end.
 * NOTE(review): five digits admits values up to 99999, which is above 65535,
 * so the pattern alone does not bound the value. Confirm that the numeric
 * conversion in the parser rejects out-of-range input (not visible here).
 */
48 #define PARSE_REGEX "^(?:\\s*)(<|>)?(?:\\s*)([0-9]{1,5})(?:\\s*)(?:(<>)(?:\\s*)([0-9]{1,5}))?\\s*(?:,\\s*(norm|raw))?\\s*$"
/* Forward declaration of the file-local unit-test registration routine. */
56 static void DetectUrilenRegisterTests (
void);
/* File-scope ids, both starting at 0. Presumably they identify the normalized
 * and raw HTTP URI buffers; where they are assigned is not visible in this
 * extract -- confirm. */
58 static int g_http_uri_buffer_id = 0;
59 static int g_http_raw_uri_buffer_id = 0;
/* NOTE(review): fragment of the option-string parser. The enclosing function's
 * signature and many of its statements are missing from this extract (the
 * listing line numbers jump), so the comments below cover only what is shown. */
/* Proceed only when ret is between 3 and 6; presumably ret is the PCRE2 match
 * result for PARSE_REGEX -- confirm. */
103 if (ret < 3 || ret > 6) {
/* arg1 aliases the substring buffer currently held in str_ptr; the call that
 * fetched it is not visible. */
116 arg1 = (
char *) str_ptr;
/* Fetch capture group 2 (the first length) into str_ptr. */
119 res = pcre2_substring_get_bynumber(parse_regex.
match, 2, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
124 arg2 = (
char *) str_ptr;
/* arg3 and arg4 are taken from str_ptr the same way; their fetch calls are
 * not visible (presumably groups 3 and 4). */
133 arg3 = (
char *) str_ptr;
142 arg4 = (
char *) str_ptr;
/* Fetch capture group 5 (the norm/raw modifier). */
146 res = pcre2_substring_get_bynumber(
147 parse_regex.
match, 5, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
152 arg5 = (
char *) str_ptr;
/* Operator selection: the first character of arg1 is tested for '<' and then
 * '>'. The mode assignments themselves are on lines missing from this extract. */
162 if (arg1 != NULL && arg1[0] ==
'<')
164 else if (arg1 != NULL && arg1[0] ==
'>')
/* Range form: arg3 equals "<>". The nested test detects a non-empty arg1
 * alongside the range separator; presumably that combination is rejected --
 * the branch body is not visible. */
169 if (arg3 != NULL && strcmp(
"<>", arg3) == 0) {
170 if (arg1 != NULL && strlen(arg1) != 0) {
/* A non-empty arg4 is handled here; the visible tail of the message indicates
 * an error report when the mode is not range. */
184 if (arg4 != NULL && strlen(arg4) > 0) {
187 " but mode is not range");
/* Case-insensitive test for the "raw" modifier.
 * NOTE(review): no NULL check on arg5 is visible on this line and group 5 is
 * optional in PARSE_REGEX; confirm an enclosing guard exists. */
205 if (strcasecmp(
"raw", arg5) == 0) {
/* First release sequence for the five captured substrings (listing lines
 * 211-218); lines between them are missing from this extract. */
211 pcre2_substring_free((PCRE2_UCHAR *)arg1);
212 pcre2_substring_free((PCRE2_UCHAR *)arg2);
214 pcre2_substring_free((PCRE2_UCHAR *)arg3);
216 pcre2_substring_free((PCRE2_UCHAR *)arg4);
218 pcre2_substring_free((PCRE2_UCHAR *)arg5);
/* Second release sequence (listing lines 225-233); presumably the error exit
 * -- confirm. Both exits have to release every fetched substring, otherwise
 * each parsed rule leaks memory. */
225 pcre2_substring_free((PCRE2_UCHAR *)arg1);
227 pcre2_substring_free((PCRE2_UCHAR *)arg2);
229 pcre2_substring_free((PCRE2_UCHAR *)arg3);
231 pcre2_substring_free((PCRE2_UCHAR *)arg4);
233 pcre2_substring_free((PCRE2_UCHAR *)arg5);
/* NOTE(review): fragment of what appears to be the keyword setup routine; its
 * signature and error checks are not visible in this extract. */
/* Parse the rule's urilen argument string. */
256 urilend = DetectUrilenParse(urilenstr);
/* Store the parsed data in the signature match's ctx pointer. */
263 sm->
ctx = (
void *)urilend;
/* Release urilend through DetectUrilenFree. Presumably this is the error
 * path; confirm it cannot run after sm->ctx already points at urilend, which
 * would leave a dangling pointer. */
273 DetectUrilenFree(
de_ctx, urilend);
/* NOTE(review): fragment of a routine that adjusts content depth from urilen
 * (per the debug message below); most of its body is missing from this extract. */
/* high starts at 65535. The test on listing line 324 also uses that value as
 * "no upper bound was found", so a real bound of 65535 is treated as none. */
296 uint16_t high = 65535;
/* First walk over the sm list; loop body not visible. */
300 for ( ; sm != NULL; sm = sm->
next) {
/* Condition for having nothing to apply; the action taken is not visible. */
324 if (!found || high == 65535)
/* Second walk over the sm list; only the depth update is visible. */
330 for ( ; sm != NULL; sm = sm->
next) {
/* Set the content's depth to high. The cast changes nothing, since high is
 * already uint16_t. */
340 cd->
depth = (uint16_t)high;
341 SCLogDebug(
"updated %u, content %u to have depth %u "
342 "because of urilen.", s->
id, cd->
id, cd->
depth);
/* Third walk over the sm list; the check that leads to the error below is not
 * visible. */
350 for ( ; sm != NULL; sm = sm->
next) {
/* Error text returned to the caller through sigerror. */
360 *sigerror =
"depth or urilen smaller than content len";
/* Unit test fragment: parses the plain value "10" with no operator or
 * modifier. Only the parse call, the non-NULL check and the release are
 * visible; the assertions on the parsed fields are not. */
379 static int DetectUrilenParseTest01(
void)
384 urilend = DetectUrilenParse(
"10");
385 if (urilend != NULL) {
390 DetectUrilenFree(NULL, urilend);
/* Unit test fragment: parses " < 10 ", the less-than form with whitespace
 * around the operator and the value. Field assertions are not visible. */
396 static int DetectUrilenParseTest02(
void)
401 urilend = DetectUrilenParse(
" < 10 ");
402 if (urilend != NULL) {
407 DetectUrilenFree(NULL, urilend);
/* Unit test fragment: parses " > 10 ", the greater-than form with whitespace
 * around the operator and the value. Field assertions are not visible. */
413 static int DetectUrilenParseTest03(
void)
418 urilend = DetectUrilenParse(
" > 10 ");
419 if (urilend != NULL) {
424 DetectUrilenFree(NULL, urilend);
/* Unit test fragment: parses " 5 <> 10 ", the range form with whitespace
 * around both values. Field assertions are not visible. */
430 static int DetectUrilenParseTest04(
void)
435 urilend = DetectUrilenParse(
" 5 <> 10 ");
436 if (urilend != NULL) {
442 DetectUrilenFree(NULL, urilend);
/* Unit test fragment: parses "5<>10,norm", a range with the "norm" modifier
 * and no whitespace. Field assertions are not visible. */
448 static int DetectUrilenParseTest05(
void)
453 urilend = DetectUrilenParse(
"5<>10,norm");
454 if (urilend != NULL) {
460 DetectUrilenFree(NULL, urilend);
/* Unit test fragment: parses "5<>10,raw", a range with the "raw" modifier and
 * no whitespace. Field assertions are not visible. */
466 static int DetectUrilenParseTest06(
void)
471 urilend = DetectUrilenParse(
"5<>10,raw");
472 if (urilend != NULL) {
478 DetectUrilenFree(NULL, urilend);
/* Unit test fragment: parses ">10, norm ", greater-than with the "norm"
 * modifier and whitespace after the comma and at the end. Field assertions
 * are not visible. */
484 static int DetectUrilenParseTest07(
void)
489 urilend = DetectUrilenParse(
">10, norm ");
490 if (urilend != NULL) {
495 DetectUrilenFree(NULL, urilend);
/* Unit test fragment: parses "<10, norm ", less-than with the "norm" modifier
 * and whitespace after the comma and at the end. Field assertions are not
 * visible. */
501 static int DetectUrilenParseTest08(
void)
506 urilend = DetectUrilenParse(
"<10, norm ");
507 if (urilend != NULL) {
512 DetectUrilenFree(NULL, urilend);
/* Unit test fragment: parses ">10, raw ", greater-than with the "raw"
 * modifier and whitespace after the comma and at the end. Field assertions
 * are not visible. */
518 static int DetectUrilenParseTest09(
void)
523 urilend = DetectUrilenParse(
">10, raw ");
524 if (urilend != NULL) {
529 DetectUrilenFree(NULL, urilend);
/* Unit test fragment: parses "<10, raw ", less-than with the "raw" modifier
 * and whitespace after the comma and at the end. Field assertions are not
 * visible. */
535 static int DetectUrilenParseTest10(
void)
540 urilend = DetectUrilenParse(
"<10, raw ");
541 if (urilend != NULL) {
546 DetectUrilenFree(NULL, urilend);
/* NOTE(review): fragment of a test helper that wraps a urilen string in a
 * complete rule; its signature and the rule-loading calls are not visible. */
/* Build the rule text with a 1024-byte bound and treat a return value of 1024
 * or more as truncation.
 * NOTE(review): the declaration of fullstr is not visible; confirm it is
 * 1024 bytes. A negative snprintf return is not caught by this comparison. */
566 if (snprintf(fullstr, 1024,
"alert ip any any -> any any (msg:\"Urilen "
567 "test\"; urilen:%s; sid:1;)",
str) >= 1024) {
/* Check for an empty signature list; the branch body is not visible. */
579 if ((*de_ctx)->sig_list == NULL) {
/* Hand the head of the signature list back through sig. */
583 *sig = (*de_ctx)->sig_list;
/* Parse the same option string directly and return the result through
 * urilend. */
585 *urilend = DetectUrilenParse(
str);
/* Unit test fragment: builds engine state for the range "1 <> 2 " through
 * DetectUrilenInitTest. The checks inside the non-NULL branch are not visible. */
600 static int DetectUrilenSetpTest01(
void)
608 res = DetectUrilenInitTest(&
de_ctx, &sig, &urilend,
"1 <> 2 ");
616 if (urilend != NULL) {
/* Released with SCFree directly, whereas the parse tests in this file call
 * DetectUrilenFree(NULL, urilend).
 * NOTE(review): confirm the two are equivalent for this structure. */
623 if (urilend)
SCFree(urilend);
/* End-to-end test fragment: an HTTP request for "/suricata" (a 9-byte URI) is
 * checked against two urilen rules. Engine setup, parsing and teardown calls
 * are on lines missing from this extract. */
632 static int DetectUrilenSigTest01(
void)
/* Request bytes; the rest of the literal is not visible. */
636 uint8_t httpbuf1[] =
"POST /suricata HTTP/1.0\r\n"
637 "Host: foo.bar.tld\r\n"
/* The length excludes the string literal's terminating NUL. */
639 uint32_t httplen1 =
sizeof(httpbuf1) - 1;
/* Zero the three local state objects before use. */
647 memset(&th_v, 0,
sizeof(th_v));
648 memset(&f, 0,
sizeof(f));
649 memset(&ssn, 0,
sizeof(ssn));
655 f.
proto = IPPROTO_TCP;
/* Rule sid 1: urilen below 5; per the message further down it must not alert. */
674 "alert tcp any any -> any any "
675 "(msg:\"Testing urilen\"; "
676 "urilen: <5; sid:1;)");
/* Rule sid 2: urilen above 5; per the message further down it must alert.
 * Its msg text says http_method although the rule tests urilen. */
682 "alert tcp any any -> any any "
683 "(msg:\"Testing http_method\"; "
684 "urilen: >5; sid:2;)");
/* r is the result of feeding the request to the parser; 0 is expected. */
696 SCLogDebug(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* Guard against a missing HTTP state; the branch body is not visible. */
703 if (htp_state == NULL) {
/* Failure messages for the two expectations above. */
711 printf(
"sid 1 alerted, but should not have: \n");
715 printf(
"sid 2 did not alerted, but should have: \n");
/* Registers DetectUrilenParseTest01 through DetectUrilenParseTest10 by name
 * via UtRegisterTest. Registration of the Setp and Sig tests, and the braces
 * of this function, are not visible in this extract. */
737 void DetectUrilenRegisterTests(
void)
739 UtRegisterTest(
"DetectUrilenParseTest01", DetectUrilenParseTest01);
740 UtRegisterTest(
"DetectUrilenParseTest02", DetectUrilenParseTest02);
741 UtRegisterTest(
"DetectUrilenParseTest03", DetectUrilenParseTest03);
742 UtRegisterTest(
"DetectUrilenParseTest04", DetectUrilenParseTest04);
743 UtRegisterTest(
"DetectUrilenParseTest05", DetectUrilenParseTest05);
744 UtRegisterTest(
"DetectUrilenParseTest06", DetectUrilenParseTest06);
745 UtRegisterTest(
"DetectUrilenParseTest07", DetectUrilenParseTest07);
746 UtRegisterTest(
"DetectUrilenParseTest08", DetectUrilenParseTest08);
747 UtRegisterTest(
"DetectUrilenParseTest09", DetectUrilenParseTest09);
748 UtRegisterTest(
"DetectUrilenParseTest10", DetectUrilenParseTest10);