71 const char *
str = withinstr;
79 "preceding content option");
91 "keyword like within/distance with a absolute " 92 "relative keyword like depth/offset for the same " 98 "negated keyword set along with a fast_pattern");
103 "keyword set along with a fast_pattern:only;");
106 if (str[0] !=
'-' && isalpha((
unsigned char)str[0])) {
108 if (bed_sm == NULL) {
110 "seen in within - %s\n", str);
118 "invalid value for within: %s", str);
124 "less than the content length \"%"PRIu32
"\" which is invalid, since " 125 "this will never match. Invalidating signature", cd->
within,
137 if (prev_pm == NULL) {
145 "has a fast_pattern:only; set. Can't " 146 "have relative keywords around a fast_pattern " 169 static int DetectWithinTestPacket01 (
void)
171 uint8_t *buf = (uint8_t *)
"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0" 172 "User-Agent: Wget/1.11.4" 174 "Host: www.google.com" 175 "Connection: Keep-Alive" 176 "Date: Mon, 04 Jan 2010 17:29:39 GMT";
177 uint16_t buflen = strlen((
char *)buf);
182 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with within " 183 "modifier\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\";" 184 " content:\"HTTP\"; within:5; sid:49; rev:1;)";
193 static int DetectWithinTestPacket02 (
void)
195 uint8_t *buf = (uint8_t *)
"Zero Five Ten Fourteen";
196 uint16_t buflen = strlen((
char *)buf);
201 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with within " 202 "modifier\"; content:\"Five\"; content:\"Ten\"; within:3; distance:1; sid:1;)";
211 static int DetectWithinTestVarSetup(
void)
213 char sig[] =
"alert tcp any any -> any any ( " 214 "msg:\"test rule\"; " 217 "byte_extract:2,0,somevar,relative; " 238 UtRegisterTest(
"DetectWithinTestPacket01", DetectWithinTestPacket01);
239 UtRegisterTest(
"DetectWithinTestPacket02", DetectWithinTestPacket02);
240 UtRegisterTest(
"DetectWithinTestVarSetup", DetectWithinTestVarSetup);
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
int ByteExtractStringInt32(int32_t *res, int base, uint16_t len, const char *str)
#define DETECT_CONTENT_FAST_PATTERN
#define PASS
Pass the test.
#define DETECT_CONTENT_DEPTH
main detection engine ctx
#define DETECT_CONTENT_WITHIN_BE
SigMatch * DetectGetLastSMByListPtr(const Signature *s, SigMatch *sm_list,...)
Returns the sm with the largest index (added last) from the list passed to us as a pointer...
int UTHPacketMatchSig(Packet *p, const char *sig)
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void DetectWithinRegister(void)
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
#define DETECT_CONTENT_WITHIN_NEXT
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
#define DETECT_CONTENT_FAST_PATTERN_ONLY
#define DETECT_CONTENT_NEGATED
void DetectWithinRegisterTests(void)
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us. ...
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
#define DETECT_CONTENT_WITHIN
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
#define DETECT_PCRE_RELATIVE_NEXT
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
#define DETECT_CONTENT_OFFSET
void(* RegisterTests)(void)
a single match condition for a signature
#define FAIL_IF_NOT(expr)
Fail a test if the expression does not evaluate to true.
DetectEngineCtx * DetectEngineCtxInit(void)