suricata
Test List

Test that the http_client_body content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

multiple http transactions and body chunks of request handling

multiple http transactions and body chunks of request handling

Test that the http_client_body content matches against a http request which holds the content.

Negative test that the negated http_client_body content matches against a http request which holds hold the content.

Test that the negated http_client_body content matches against a http request which doesn't hold the content.

Test that the http_client_body content matches against a http request against a case insensitive pattern.

Test that the http_client_body content matches against a http request which holds the content, against a cross boundary present pattern.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_client_body content matches against a http request which holds the content.

Test that the http_client_body content matches against a http request which holds the content.

Test that an invalid signature containing a rawbytes along with a http_client_body is invalidated.

Test invalid signatures

Test that a signature containing an valid http_client_body entry is parsed.

Test that a signature containing a http_client_body is correctly parsed and the keyword is registered.

Test parser accepting valid rules and rejecting invalid rules

Test parser accepting valid rules and rejecting invalid rules

Test the file_data fails with flow:to_server.

Test that the http_cookie content matches against a http request which holds the content.

Check the signature working to alert when http_cookie is not present

Check the signature working to alert when http_cookie is not present

Check the signature working to alert when http_cookie is not present

Check the signature working to alert when http_cookie is not present

Check the signature working to alert when http_cookie is matched .

Checks if a http_cookie is registered in a Signature, if some parameter is specified with http_cookie in the signature

Checks if a http_cookie is registered in a Signature, if content is not specified in the signature

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

endswith (isdataat) recursion logic based on DetectEngineContentInspectionTest06

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

test insert with overlap

Test the pruning of SACK ranges.

Test the pruning of SACK ranges.

Test the insertion of SACK ranges.

Test the insertion of SACK ranges.

Test the insertion of SACK ranges.

Test the insertion of SACK ranges.

Test the insertion of SACK ranges.

Test the insertion of SACK ranges.

test insert with overlaps

test insert with overlaps

Test the pruning of SACK ranges.

App Layer reassembly.

3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge). Test if the first segment is removed from the list.

3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge). Test if the first segment is removed from the list.

3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge) with small packet overlap.

3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge)

3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly.

3 in order segments in inline reassembly

Test to make sure we detect the sequence wrap around and continue stream reassembly properly.

Test the unlimited config value of reassembly depth.

simple match with distance

mix in byte_extract

mix in byte_jump

mix in negation

extreme recursion

isdataat recursion logic

multiple independent blocks recursion logic

pcre recursion logic

simple recursion logic

simple match with pcre/R

Check the signature working to alert when http_cookie is not present

AppLayerHtpFileParseContentRangeTest04 is a test for setting up a valid range value without the size.

AppLayerHtpFileParseContentRangeTest03 is a regression test for setting up an invalid range value.

AppLayerHtpFileParseContentRangeTest02 is a regression test for setting up an invalid range value.

AppLayerHtpFileParseContentRangeTest01 is a test for setting up a valid range value.

Test the insertion of out of window condition.

Test the insertion on out of window condition.

Test the pruning of SACK ranges.

Test the pruning of SACK ranges.

Test the pruning of SACK ranges.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

invalid sig: uppercase content

Test that a http_host with nocase is parsed.

Test that an invalid signature containing a rawbytes along with a http_host is invalidated.

Test that an invalid signature containing no content but a http_host is invalidated.

Test that a signature containing a http_host is correctly parsed and the keyword is registered.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request against a case insensitive pattern.

multiple http transactions and body chunks of request handling

Test that the http_raw_host content matches against a http request which holds the content.

Negative test that the negated http_raw_host content matches against a http request which holds hold the content.

Test that the negated http_raw_host content matches against a http request which doesn't hold the content.

Test that the http_raw_host content matches against a http request against a case insensitive pattern.

Test that the http_raw_host content matches against a http request which holds the content, against a cross boundary present pattern.

Test that the http_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

multiple http transactions and body chunks of request handling

Test that the http_host content matches against a http request which holds the content.

Negative test that the negated http_host content matches against a http request which holds hold the content.

Test that the negated http_host content matches against a http request which doesn't hold the content.

Test that the http_host content matches against a http request against a case insensitive pattern.

Test that the http_host content matches against a http request which holds the content, against a cross boundary present pattern.

Test that the http_host content matches against a http request which holds the content.

Test that the http_header content matches against a http request against a case insensitive pattern.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

app-layer-event:http.host_header_ambiguous should be set

app-layer-event:http.host_header_ambiguous should be set

app-layer-event:http.host_header_ambiguous should not be set

Test that the http_header content matches against a http request which holds the content.

Negative test that the negated http_header content matches against a http request which holds hold the content.

Test that the negated http_header content matches against a http request which doesn't hold the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content, against a cross boundary present pattern.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test parser accepting valid rules and rejecting invalid rules

Test parser accepting valid rules and rejecting invalid rules

Check the signature working to alert against cookie/set-cookie

Check the signature working to alert against set-cookie

Check the signature working to alert when http_cookie is not present

Test that the http_header content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Trailing headers.

Trailing headers.

Trailing headers.

Trailing headers.

reassembly bug where headers with names of length 6 were skipped

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test to make sure that reassembly_depth is enforced.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

QuicVersionTestParse01 is a test for a valid value

Check if replace is not done when second content don't match

Check if replace is working with second content

Check if replace is working with offset and keyword inversion

Check if replace is working with offset

Check if replace is working

Test packet Matches

parsing: invalid reference.

for two valid references.

one valid reference.

QuicVersionTestParse03 is a test for an invalid value

Check if replace is not done when second content match and not first

QuicUaTestParse03 is a test for an invalid value

QuicUaTestParse01 is a test for a valid value

QuicSniTestParse03 is a test for an invalid value

QuicSniTestParse01 is a test for a valid value

DetectQuicCyuStringTest01 is a test for a valid quic packet, matching on the cyu string

DetectQuicCyuHashTest01 is a test for a valid quic packet, matching on the cyu hash

multiple http transactions and body chunks of request handling

test pcre P modifier with multiple pipelined http transactions

Test tracking of body chunks per transactions (on requests)

Parsing test

DetectRpcTestParse04 is a test for check the discarding of empty options

DetectRpcTestParse03 is a test for checking the wildcards and not specified fields

DetectRpcTestParse02 is a test for setting the established rpc opt

DetectRpcTestParse01 is a test to make sure that we return "something" when given valid rpc opt

Parsing test content and replace length differ

Parsing test content and replace length differ

Parsing test content after replace

Parsing test no content

Parsing test: non valid because of http_header on same content as replace keyword

Parsing test: non valid because of http protocol

anchored pcre

Check if replace is working with within

Check if replace is working with within

Check if replace is working with within

Check if replace is working with within

Check if replace is working with within

Check if replace is working when depth block match used

Check if replace is working when depth block match used

Check if replace is working when depth is used

Check if replace is working when nocase used

check valid negation bug 1079

DetectPcreParseTest05 make sure we parse pcre with no opts

DetectPcreParseTest04 make sure we allow escaped "

DetectPcreParseTest03 make sure we don't allow invalid opts UZi.

DetectPcreParseTest02 make sure we don't allow invalid opts Ui$.

DetectPcreParseTest01 make sure we don't allow invalid opts 7.

test tls (app layer) rule

test tls (app layer) rule

test tls (app layer) rule

mpm

mpm

DetectPcreParseTest06 make sure we parse pcre with smi opts

check that we don't allow invalid negation options

check that we don't allow invalid negation options

check that we don't allow invalid negation options

check that we don't allow invalid negation options

check that we don't allow invalid negation options

check that we don't allow invalid negation options

check that we don't allow invalid negation options

Ensure that we set a bidirectional Signature correctly and we install it with the rest of the signatures, checking also that it match with the correct addr directions

Ensure that we set a bidirectional Signature correctly and we install it with the rest of the signatures, checking also that it match with the correct addr directions

Check a signature with pcre relative raw uri

anchored pcre

Bug 1957

Bug 1098

Check a signature with inconsistent pcre modifiers

Check a signature with inconsistent pcre modifiers

Check a signature with inconsistent pcre modifiers

Check a signature with inconsistent pcre relative

Check a signature with pcre relative http_uri

Check a signature with pcre relative uricontent

DetectRpcTestParse05 is a test for check invalid values

Check a signature with pcre relative client-body

Check a signature with pcre relative header

Check a signature with pcre relative raw header

Check a signature with pcre relative cookie

Check a signature with pcre relative method

Test pcre option for dce sig(yeah I'm bored of writing test titles).

DetectPcreParseTest09 make sure we parse pcre with a content that has slashes

DetectPcreParseTest08 make sure we parse pcre with O opts

DetectPcreParseTest07 make sure we parse pcre with /Ui opts

Test drop action being set even if thresholded

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

DetectThresholdTestSig14 is a test for checking the working by_both limits by setting up the signature and later testing its working by matching received packets against the sig.

DetectThresholdTestSig13 is a test for checking the working by_rule limits by setting up the signature and later testing its working by matching received packets against the sig.

Test the Urilen keyword setup

Test drop action being set even if thresholded

Test drop action being set even if thresholded

Test drop action being set even if thresholded

Test drop action being set even if thresholded

Test drop action being set even if thresholded

DetectThresholdTestSig5 is a test for checking the working of limit keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectThresholdTestSig4 is a test for checking the working of both keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectThresholdTestSig3 is a test for checking the working of limit keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectThresholdTestSig2 is a test for checking the working of threshold keyword by setting up the signature and later testing its working by matching the received packet against the sig.

Test flow allocations when it reach memcap

Test the memcap incrementing/decrementing and memcap check

Test to make sure that we sent all the segments from the initial segments to app layer until we have detected the app layer proto.

Test to make sure that we don't return the segments until the app layer proto has been detected and after that remove the processed segments.

Test the handling of packets missed by IDS, but the end host has received it and send the acknowledgment of it. The packet is missed in the middle of the stream.

Test the handling of packets missed by IDS, but the end host has received it and send the acknowledgment of it. The packet is missed in the starting of the stream.

Test the handling of packets missed by both IDS and the end host. The packet is missed in the end of the stream.

Test the handling of packets missed by both IDS and the end host. The packet is missed in the middle of the stream.

Test the handling of packets missed by both IDS and the end host. The packet is missed in the starting of the stream.

Test flow allocations when it reach memcap

DetectThresholdTestSig1 is a test for checking the working of limit keyword by setting up the signature and later testing its working by matching the received packet against the sig.

Test flow allocations when it reach memcap

Test the setting of the per protocol free function to free the protocol specific memory.

Test the setting of the per protocol timeouts.

various options

DetectWithinTestPacket01 is a test to check matches of within, if the previous keyword is pcre (bug 145)

Check a signature with given urilen

DetectUrilenSetpTest01 is a test for setting up an valid urilen values with valid "<>" operator and include spaces arround the given values. In the test the values are setup with initializing the detection engine context and setting up the signature itself.

Test the Urilen keyword setup

DetectTagTestParse05 is a test for default opts

FlagsTestParse10 test if ACK and PUSH are not set. Must return success.

FlagsTestParse09 test if SYN and RST are not set. Must fails.

FlagsTestParse08 test if SYN or RST are set. Must return success.

FlagsTestParse07 test if SYN or RST are set. Must fails.

FlagsTestParse06 test if ACK+PUSH and more flags are set. Ignore URG and RST bits. Must return success.

FlagsTestParse05 test if ACK+PUSH and more flags are set. Ignore SYN and RST bits. Must fails.

FlagsTestParse04 check if ACK bit is set. Must fails.

FlagsTestParse03 test if ACK and PUSH are set. Must return success

FlagsTestParse02 is a test for an invalid flags value

FlagsTestParse01 is a test for a valid flags value

FlagsTestParse11 test if ACK or PUSH are set. Ignore SYN and RST. Must fails.

DetectTagTestParse04 is a test for default opts

DetectTagTestParse03 is a test for setting the stateless tag opt

DetectTagTestParse02 is a test to check that we parse tag correctly

DetectTagTestParse01 is a test to make sure that we return "something" when given valid tag opt

DetectStreamSizeParseTest04 is a test to make sure that we match the stream_size against invalid packet parameters.

DetectStreamSizeParseTest03 is a test to make sure that we match the packet correctly provided valid stream size.

DetectStreamSizeParseTest02 is a test to make sure that we detect the invalid stream_size options.

DetectStreamSizeParseTest01 is a test to make sure that we parse the user options correctly, when given valid stream_size options.

DetectRpcTestParse05 is a test to check the match function

DetectWindowTestParse03 is a test to check for a big value

backoff by_flow

ThresholdTestParse07 is a test for thresholding by_rule

ThresholdTestParse06 is a test for thresholding by_both

ThresholdTestParse05 is a test for a valid threshold options in any order

ThresholdTestParse04 is a test for an invalid threshold options in any order

ThresholdTestParse03 is a test for a valid threshold options in any order

ThresholdTestParse02 is a test for a invalid threshold options

ThresholdTestParse01 is a test for a valid threshold options

DetectWindowTestPacket01 is a test to check window with constructed packets

Test that the http_raw_host content matches against a http request which holds the content.

DetectWindowTestParse03 is a test to check for an empty value

DetectWindowTestParse02 is a test for setting the window opt negated

DetectWindowTestParse01 is a test to make sure that we set the size correctly when given valid window opt

DetectSeqSigTest02 tests seq keyword

DetectSeqSigTest01 tests parses

Negative test.

Parse 'C' and 'E' flags.

test for a valid flags value

FlagsTestParse12 check if no flags are set. Must fails.

set up a TCP session using the 4WHS: SYN, SYN, SYN/ACK, ACK, but the SYN/ACK does not have the right SEQ

Test the stream mem leaks conditions.

Test the various OS policies based on different IP addresses from configuration defined in 'dummy_conf_string1'

Test the various OS policies based on different IP addresses from configuration defined in 'dummy_conf_string1'

Test the various OS policies based on different IP addresses from configuration defined in 'dummy_conf_string1'

Test the various OS policies based on different IP addresses from configuration defined in 'dummy_conf_string1'

Test the various OS policies based on different IP addresses from configuration defined in 'dummy_conf_string1'

Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string1". To check the setting of Default os policy

Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string1"

Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string1"

set up a TCP session using the 4WHS: SYN, SYN, SYN/ACK, ACK: however the SYN/ACK and ACK are part of a normal 3WHS

Test the stream mem leaks conditions.

Test the setting up a TCP session using the 4WHS: SYN, SYN, SYN/ACK, ACK

Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string"

Test the setting up a TCP session when we are seeing asynchronous stream, while we missed the SYN and SYN/ACK packets in that stream. Later, we start to receive the packet from other end stream too.

Test the setting up a TCP session when we are seeing asynchronous stream, while we missed the SYN and SYN/ACK packets in that stream.

Test the setting up a TCP session when we are seeing asynchronous stream, while we missed the SYN packet of that stream.

Test the setting up a TCP session when we are seeing asynchronous stream, while we see all the packets in that stream from start.

Test the working of No stream reassembly flag. The stream will not reassemble the segment if the flag is set.

Test the working on PAWS. The packet will be accepted by engine as the timestamp is valid and it is in window.

Test the working on PAWS. The packet will be dropped by stream, as its timestamp is old, although the segment is in the window.

multiple different SYN/ACK, pick neither

max u32 value

Check that the expected defaults are loaded if the action-order configuration is not present.

Check that we load a valid config

Check that we load a valid config

Check that we invalidate with unknown keywords and/or more than the expected (It should default to pass, drop, reject, alert)

Check that we invalidate if any action is missing (It should default to pass, drop, reject, alert)

Check that we invalidate if any action is missing (It should default to pass, drop, reject, alert)

Check that we invalidate with unknown keywords (It should default to pass, drop, reject, alert)

Check that we invalidate duplicated actions (It should default to pass, drop, reject, alert)

multiple different SYN/ACK, over the limit

Test the setting up a TCP session when we have seen only the FIN, RST packets packet of the session. The session is setup only if midstream sessions are allowed to setup.

multiple different SYN/ACK, pick second

multiple different SYN/ACK, pick first

Test the validation of the ACK number before setting up the stream.last_ack and update the next_seq after loosing the .

Test the validation of the ACK number before setting up the stream.last_ack.

Test the processing of out of order FIN packets in tcp session.

Test the memcap incrementing/decrementing and memcap check

Test the initialization of tcp streams with congestion flags

Test the initialization of tcp streams with congestion flags

Test the initialization of tcp streams with congestion flags

DetectTtlSetupTest01 is a test for setting up an valid ttl values with valid "-" operator and include spaces arround the given values. In the test the values are setup with initializing the detection engine context setting up the signature itself.

ICMP packet shouldn't be matching port based sig Bug #611

test if the engine set flag to drop pkts of a flow that triggered a drop action on IPS mode, and it doesn't inspect any other packet of the stream

test if the engine set flag to drop pkts of a flow that triggered a drop action on IPS mode

test if the engine set flag to drop pkts of a flow that triggered a drop action on IPS mode

sigs with patterns at the limit of the pm's size limit

SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION flag is set, we don't need to inspect the packet contents.

SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION flag is set, we don't need to inspect the packet protocol header or its contents.

SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,

SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,

DetectTtlTestSig01 is a test for checking the working of ttl keyword by setting up the signature and later testing its working by matching the received packet against the sig.

almost identical patterns

DetectTtlParseTest07 is a test for setting up an valid ttl values with invalid "<>" operator and include spaces arround the given values.

DetectTtlParseTest06 is a test for setting up an valid ttl values with invalid "=" operator and include spaces arround the given values.

DetectTtlParseTest05 is a test for setting up an valid ttl values with "-" operator and include spaces arround the given values.

DetectTtlParseTest04 is a test for setting up an valid ttl value with ">" operator and include spaces arround the given values.

DetectTtlParseTest03 is a test for setting up an valid ttl values with "-" operator.

DetectTtlParseTest02 is a test for setting up an valid ttl value with "<" operator.

DetectTtlParseTest01 is a test for setting up an valid ttl value.

signature with a pcrexform value without substring capture

signature with a valid pcrexform value.

Vista Policy

Test the setting up a TCP session when we missed the initial 3WHS packet of the session. The session is setup only if midstream sessions are allowed to setup.

Test the setting up a TCP session when we missed the initial SYN/ACK packet of the session. The session is setup only if midstream sessions are allowed to setup.

Test the setting up a TCP session when we missed the initial SYN packet of the session. The session is setup only if midstream sessions are allowed to setup.

Test the deallocation of TCP session for a given packet and return the memory back to ssn_pool and corresponding segments to segment pool.

Test the allocation of TCP session for a given packet from the ssn_pool.

policy 'last'

Solaris policy

policy Linux old

Linux policy

max u32 value + 1

BSD policy

overlap, data not different

multiple overlaps

no overlap

partial overlap

partial overlap

full overlap

full overlap

bug #815

lots of gaps in block list

Check if the rate_filter rules are loaded and well parsed

Check if the threshold file is loaded and well parsed

Check if the threshold file is loaded and well parsed

Check if the threshold file is loaded and well parsed

Check if the threshold file is loaded and well parsed

Check if the threshold file is loaded and well parsed

Check if the threshold file is loaded and well parsed

lots of gaps in block list

lots of gaps in block list

lots of gaps in block list

Check if the rate_filter rules are loaded and well parsed with multilines

lots of gaps in block list

Check that all the algorithms (no case) work at any offset and any pattern length

Check that all the algorithms work at any offset and any pattern length

issue 130 (@redmine) check to ensure that the problem is not the algorithm implementation

Generic test for boyer moore nocase matching

Generic test for boyer moore matching

Generic test for Bs2Bm no case matching

Generic test for Bs2Bm matching

Generic test for BasicSearch nocase matching

Check if the suppress rule parsing handles errors correctly

Global UTHPacketMatchSig (Packet *p, const char *) Test if a packet match a signature given as string Hint: Useful for unittests with only one packet and one signature

Global UTHPacketMatchSigMpm (Packet *, char *, uint16_t) Test if a packet match a signature given as string and a mpm_type Hint: Useful for unittests with only one packet and one signature

Global UTHMatchPackets (DetectEngineCtx *, Packet **, int) UTHMatchPackets Match a packet or a array of packets against sigs of a de_ctx, but note that the return value doesn't mean that we have a match, we have to check it later with PacketAlertCheck()

Global UTHMatchPacketsWithResults (DetectEngineCtx *de_ctx, Packet **p, int num_packets, uint32_t sids[], uint32_t *results, int numsigs) UTHMatchPacketsWithResults Match a packet or a array of packets against sigs of a de_ctx, checking that each signature matches X times for certain packets

" Check if the rate_filter by_both work when similar packets going in opposite direction

Check if the rate_filter rules work with track by_both

Check if the threshold file is loaded and well parsed, and applied correctly to a rule with thresholding

Check if the threshold file is loaded and well parsed

Check if the suppress rule parsing handles errors correctly

Generic test for BasicSearch matching

Check if the suppress rules work - ip only rule

Check if the suppress rules work

Check if the suppress rules work

Check if the suppress rules work

Check if the threshold file is loaded and well parsed

Check if the rate_filter rules work

Check if the rate_filter rules work

Check if the rate_filter rules work with track by_rule

Check if the rate_filter rules work

Check that valid ipv4 addresses/netblocks are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv4 addresses that has been added to the host os radix tree.

endswith logic

Check the loading of host info from a configuration file.

Check the loading of host info from a configuration file.

Check the loading of host info from a configuration file.

Check the loading of host info from a configuration file.

Check the loading of host info from a configuration file.

Check that valid ipv4 addresses are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv4 addresses that has been added to the host os radix tree.

Check that valid ipv6 addresses/netblocks are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv6 address that has been added to the host os radix tree.

Check that valid ipv6 addresses/netblocks are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv6 address that has been added to the host os radix tree.

Check that valid ipv6 addresses are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv6 address that has been added to the host os radix tree.

pool with unlimited size

Check that valid ipv4 addresses are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv4 addresses that has been added to the host os radix tree.

Check that invalid ipv4 addresses and ipv4 netblocks are rejected by the host os info API

Check that invalid ipv4 addresses and ipv4 netblocks are rejected by the host os info API

Check if we the IPs with the right OS flavours are added to the host OS radix tree, and the IPS with invalid flavours returns an error(-1)

Check if the classtype info from the invalid classification.config file have not been loaded into the hash table, and cross verify to check that the hash table contains no classtype data.

Check if the classtype info from the classification.config file have been loaded into the hash table.

Check that only valid classtypes are loaded into the hash table from the classification.config file.

Check that invalid classtypes present in the classification config file aren't loaded.

Check that the classification file is loaded and the detection engine content class_conf_hash_table loaded with the classtype data.

Check that invalid references present in the reference.config file aren't loaded.

Check that valid address and port group vars are correctly retrieved from the configuration.

Check that Signatures with invalid address and port groups, are are invalidated by the Signature parsing API.

Check that Signatures with valid address and port groups are parsed without any errors by the Signature parsing API.

Check that invalid address and port groups are properly handled by the API.

Check that valid address and port group vars are correctly retrieved from the configuration.

Check if the reference info from the reference.config file have been loaded into the hash table.

Check if the reference info from the invalid reference.config file have not been loaded into the hash table, and cross verify to check that the hash table contains no reference data.

Check if the reference info from the reference.config file have been loaded into the hash table.

Check that only valid references are loaded into the hash table from the reference.config file.

signature with an invalid pcrexform value.

Check that the reference file is loaded and the detection engine content reference_conf_ht loaded with the reference data.

SCRadix6TestIPV6NetblockInsertion26 insert a node searching on it. Should always return true but the purposse of the test is to monitor the memory usage to detect memleaks (there was one on searching)

SCRadix6TestIPV6NetblockInsertion15 insert a node searching on it. Should always return true but the purposse of the test is to monitor the memory usage to detect memleaks (there was one on searching)

Check special combinations of netblocks and addresses on best search checking the returned userdata

Check that the best match search works for all the possible netblocks of a fixed address

SCRadix4TestIPV4NetblockInsertion26 insert a node searching on it. Should always return true but the purposse of the test is to monitor the memory usage to detect memleaks (there was one on searching)

SCRadix4TestIPV4NetblockInsertion15 insert a node searching on it. Should always return true but the purposse of the test is to monitor the memory usage to detect memleaks (there was one on searching)

Check special combinations of netblocks and addresses on best search checking the returned userdata

Check that the best match search works for all the possible netblocks of a fixed address

Test that the http_header content matches against a http request which holds the content.

Trailing headers.

Trailing headers.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test parser accepting valid rules and rejecting invalid rules

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

multiple http transactions and body chunks of request handling

Test that the http_server_body content matches against a http request which holds the content. Negated match.

Test that the http_server_body content matches against a http request which holds the content. Negated match.

Test that the http_server_body content matches against a http request which holds the content. Case insensitive.

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

Test parser accepting valid rules and rejecting invalid rules

Test parser accepting valid rules and rejecting invalid rules

Test parser accepting valid rules and rejecting invalid rules

Test that the http_header content matches against a http request which holds the content.

Negative test that the negated http_header content matches against a http request which holds hold the content.

Test that the negated http_header content matches against a http request which doesn't hold the content.

Test that the http_header content matches against a http request against a case insensitive pattern.

Test that the http_header content matches against a http request which holds the content, against a cross boundary present pattern.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Check a signature with an request method and negation of the same

Check a signature against an unparsable request

Check a signature with an unknown request method

Check a signature with an known request method

Check a signature with rawbytes (fail)

Check a signature with fast_pattern (should work)

Check a signature with parameter (fail)

Check a signature without content (fail)

Check a signature with content

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

This is a test for a valid value >1430000000.

This is a test for a valid value 1430000000 <> 1490000000.

This is a test for a invalid value 1490000000<>1430000000.

This is a test for a invalid value " ".

This is a test for a invalid value "".

This is a test for a invalid value <>1430000000.

This is a test for a invalid value 1430000000<>.

This is a test for a invalid value >1430000000<>1470000000.

This is a test for a invalid value A.

This is a test for a valid value 1430000000<>1470000000.

This is a test for a valid value <1430000000.

This is a test for a valid value > 1430000000.

This is a test for a valid value 1430000000.

Test matching for google in the subject of a certificate

Test that a signature containing a tls.cert_subject is correctly parsed and that the keyword is registered.

Test matching for serial in a certificate.

Test that a signature containing tls.cert_serial is correctly parsed and that the keyword is registered.

Test matching for google in the issuer of a certificate

Test that a signature containing a tls_cert_issuer is correctly parsed and that the keyword is registered.

Test matching for fingerprint of a certificate.

Test that a signature containing tls_cert_fingerprint is correctly parsed and that the keyword is registered.

This is a test for a valid value 2015-10-22T23:59:59.

DetectTlsVersionTestParse02 is a test to make sure that we parse the "id" option correctly when given an invalid id option it should return id_d = NULL

DetectTlsVersionTestParse01 is a test to make sure that we parse the "id" option correctly when given valid id option

Test matching on bytes in a certificate

Test that a signature containing tls.certs is correctly parsed and that the keyword is registered.

Test matching on a valid TLS certificate.

Test matching on an expired certificate.

Test matching on validity dates in a certificate.

This is a test for a valid value of 1965-10-22T23:59:59 that is lower than epoch 0, but within the range of acceptable values (1950-2049) as per RFC 5280. (https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1)

This is a test for a valid value of 1970-01-01T00:00:00 that is at epoch 0, within the range of acceptable values (1950-2049) as per RFC 5280. (https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1)

test signature parsing

This is a test for a valid value 2015-10-22T23:59.

This is a test for a valid value 2015-10-22T23.

This is a test for a valid value 2015-10-22 23:59:59.

This is a test for a valid value 2015-10-22 23:59.

This is a test for a valid value <2015-10-22 23.

This is a test for a valid value >2015-10-22.

This is a test for a valid value 2015-10.

This is a test for a valid value 1490000000.

This is a test for a valid value < 1490000000.

Check the signature working to alert when http_stat_msg is matched .

Test that the http_user_agent content matches against a http request which holds the content.

Test that the http_user_agent content matches against a http request which holds the content.

Test that the http_user_agent content matches against a http request which holds the content.

Test that a http_user_agent with nocase is parsed.

Test that an invalid signature containing a rawbytes along with a http_user_agent is invalidated.

Test that an invalid signature containing no content but a http_user_agent is invalidated.

Test that a signature containing an valid http_user_agent entry is parsed.

Test that a signature containing a http_user_agent is correctly parsed and the keyword is registered.

Check the signature working to alert when http_stat_msg is used with negated content .

Check the signature working to alert when http_stat_msg is not matched .

Test that the http_user_agent content matches against a http request which holds the content, against a cross boundary present pattern.

Check the signature working to alert when http_stat_code is matched for for negation or not

Check the signature working to alert when http_stat_code is matched for for nocase or not

Check the signature working to alert when http_stat_code is not matched .

Check the signature working to alert when http_stat_code is matched .

multiple http transactions and body chunks of request handling

Test that the http_server_body content matches against a http request which holds the content. Negated match.

Test that the http_server_body content matches against a http request which holds the content. Negated match.

Test that the http_server_body content matches against a http request which holds the content. Case insensitive.

Test that the http_server_body content matches against a http request which holds the content.

signature with a valid http2.settings value.

test keyword parsing

DetectSslVersionTestParse03 is a test to make sure that we parse the "ssl_version" options correctly when given valid ssl_version options

DetectSslVersionTestParse02 is a test to make sure that we parse the "ssl_version" option correctly when given an invalid ssl_version option it should return ssl = NULL

DetectSslVersionTestParse01 is a test to make sure that we parse the "ssl_version" option correctly when given valid ssl_version option

Test parsing of negated states.

DetectParseTestNoOpt is a regression test to make sure that we reject any signature where a NOOPT rule option is given a value. This can hide rule errors which make other options disappear, eg: foo: bar: baz; where "foo" is the NOOPT option, we will end up with a signature which is missing "bar".

DetectParseTest01 is a regression test against a memory leak in the case of multiple signatures with different revisions Leak happened in function DetectEngineSignatureIsDuplicate

signature with a valid icmpv6.mtu value.

signature with a valid http2.size_update value.

Ensure that we set a bidirectional Signature correctly

signature with a valid http2.window value.

signature with a valid http2.priority value.

signature with a valid http2.errorcode value.

signature with a valid http2.frametype value.

multiple http transactions and body chunks of request handling

Test that the http_user_agent content matches against a http request which holds the content.

Negative test that the negated http_user_agent content matches against a http request which holds hold the content.

Test that the negated http_user_agent content matches against a http request which doesn't hold the content.

Test that the http_user_agent content matches against a http request against a case insensitive pattern.

Test dce option.

DetectBytetestTestParse02 is a test for setting the required opts

DetectBytetestTestParse01 is a test to make sure that we return "something" when given valid bytetest opt

check matches of with from_end

check matches of with from_beginning (bug 626/627)

check matches of with from_beginning (bug 626/627)

check matches of with from_beginning (bug 626/627)

check matches of with from_beginning (bug 626/627)

DetectByteJumpTestPacket02 is a test to check matches of byte_jump and byte_jump relative works if the previous keyword is byte_jump (bug 165)

DetectByteJumpTestPacket01 is a test to check matches of byte_jump and byte_jump relative works if the previous keyword is pcre (bug 142)

Test file_data

DetectBytetestTestParse03 is a test for setting the relative flag

Test dce option.

Test dce option.

DetectBytejumpTestParse08 is a test for offset too big

DetectBytejumpTestParse07 is a test for too many string bytes to extract

DetectBytejumpTestParse06 is a test for too many bytes to extract

DetectBytejumpTestParse05 is a test for setting base without string

DetectBytejumpTestParse04 is a test for setting the optional flags with parameters

DetectBytejumpTestParse03 is a test for setting the optional flags

DetectBytejumpTestParse02 is a test for setting the required opts

DetectBytetestTestParse13 is a test for too many bytes to extract

Test bitmask option.

Test file_data

Test dce option.

Test dce option.

Test dce option.

Test dce option.

Test dce option.

DetectBytetestTestParse16 is a test for offset too big

DetectBytetestTestParse15 is a test for too many bytes to extract (string)

DetectBytetestTestParse14 is a test for large string extraction

DetectBytejumpTestParse01 is a test to make sure that we return "something" when given valid bytejump opt

DetectBytetestTestParse12 is a test for hex w/o string

DetectBytetestTestParse11 is a test for whitespace

DetectBytetestTestParse10 is a test for whitespace

DetectBytetestTestParse09 is a test for neg operator only

DetectBytetestTestParse08 is a test for setting the little flag

DetectBytetestTestParse07 is a test for setting the big flag

DetectBytetestTestParse06 is a test for setting the string/hex flags

DetectBytetestTestParse05 is a test for setting the string/dec flags

DetectBytetestTestParse04 is a test for setting the string/oct flags

IPV4 with SID option.

IPV4 defrag and flow retrieval test.

Don't send IPv4 fragments to the upper layer decoder and and packet recursion level test.

IPV4 defrag and packet recursion level test

IPV4 with RTRALT option (len invalid.

IPV4 with RTRALT option.

IPV4 with SSRR option (ptr not in 4 byte increment).

IPV4 with SSRR option (ptr too large).

IPV4 with SSRR option (len too large).

IPV4 with SSRR option.

IPV4 with SID option (len invalid.

fragment decoding

IPV4 with CIPSO option.

IPV4 with LSRR option (ptr not in 4 byte increment).

IPV4 with LSRR option (ptr too large).

IPV4 with LSRR option (len too large).

IPV4 with LSRR option.

IPV4 with ESEC option (invalid length).

IPV4 with ESEC option.

IPV4 with SEC option (invalid length).

IPV4 with SEC option.

DecodeVNTagt02 test if vntag header has unknown type.

Test that the list can be changed to post-detection lists after the base64 keyword.

DetectAsn1TestReal04 like the real test 02, but modified the relative offset to check negative offset values, in this case start decoding from -7 bytes respect the content match "John"

DetectAsn1TestReal03 Ensure that all works together

DetectAsn1TestReal02 Ensure that all works together

DetectAsn1TestReal01 Ensure that all works together

Test a report Linux overlap issue that doesn't appear to be covered by the Sturges/Novak tests above.

DecodeVXLANtest02 tests default port disabled by the config.

DecodeVXLANTest01 test a good vxlan header. Contains a DNS request packet.

DecodeVNTagTest03 test a good vntag header.

Test all options

DecodeVNTagTest01 test if vntag header is too small.

DecodeVLANTest02 test a good vlan header.

DecodeVLANTest02 test if vlan header has unknown type.

DecodeVLANTest01 test if vlan header is too small.

Get the wscale, but it's missing, so see if return 0 properly

Get the wscale of 15, so see if return 0 properly

Get the wscale of 2

HOP header decode

routing header decode

A negative test that uses a combination of content string with negated content string, with we receiving a failure for 'onee' itself.

A positive test that checks the combined use of 2 contents in the presence of within

A negative test that checks the use of negated content along with the presence of depth

A positive test that checks the combined use of content and negated content, in the presence of within

A negative test that checks the combined use of content and negated content, in the presence of within

A negative test that checks the combined use of content and negated content, with the content not being present

A negative test that checks the combined use of content and negated content with the use of distance

A positive test that checks the combined use of content and negated content with the use of distance

A negative test that checks the combined use of content and negated content with the use of within

A positive test that checks that we don't have a negated content within the specified length from the previous content match.

A negative test that uses a combination of content string with negated content string, with we receiving a failure of first content's offset condition

A negative test that checks the combined use of content and negated content, in the presence of within

A positive test that uses a combination of content string with negated content string

A negative test that checks that the content string doesn't contain the negated content after the specified offset and within the specified depth.

A negative test that checks that the content string doesn't contain the negated content within the specified depth, and also after the specified offset. Since the content is there, the match fails.

A positive test that checks that the content string doesn't contain the negated content within the specified depth

crash condition: as packet has no direction, it defaults to toclient in stream ctx inspection of packet. There a null ptr deref happens We don't care about the match/nomatch here.

A positive test that checks that the content string doesn't contain the negated content

Parsing test to check for unescaped quote within content section

Parsing test

Parsing test

DetectDetectionfilterTestParse03 is a test for a valid detection_filter options in any order

multi tx google.(com|net) query matching

simple google.com query matching

DetectDistanceTestPacket01 is a test to check matches of distance works, if the previous keyword is byte_jump and content (bug 163)

drops

DetectDetectionFilterTestSig2 is a test for checking the working of detection_filter keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectDetectionFilterTestParse06 is a test for an invalid value in detection_filter

DetectDetectionFilterTestParse05 is a test for a valid detection_filter options in any order

DetectDetectionFilterTestParse04 is a test for an invalid detection_filter options in any order

Parsing test

DetectDetectionFilterTestParse02 is a test for a invalid detection_filter options

DetectDetectionFilterTestParse01 is a test for a valid detection_filter options

Test a valid dce_stub_data with just a request frag.

Test a valid dce_stub_data entry with bind, bind_ack, request frags.

within and distance

Test negation in combination with within and depth

Test negation in combination with within and depth

A negative test that checks the combined use of content and negated content, in the presence of distance

A positive test that checks the combined use of content and negated content, in the presence of distance

DetectContentParseTest06 test a binary content

Check if we match contents that are in the payload but not in the same order as specified in the signature

Check that we match packets with multiple chunks and not chunks Here we should specify contents that fit and contents that must be splitted Each of them with their modifier values

Check that we match packets with multiple chunks and not chunks Here we should specify only contents that fit in 32 bytes Each of them with their modifier values

Check if we match multiple content (not splitted)

Check that we don't match the signature if one of the splitted chunks doesn't match the packet

Check if we match a splitted pattern

Check if we match a normal pattern (not splitted)

Test packet Matches

DetectContentParseTest08 test an empty content

DetectContentParseTest07 test an empty content

Check if we match contents that are in the payload but not in the same order as specified in the signature

DetectContentParseTest05 test illegal escape

DetectContentParseTest04 this is a test to make sure we can deal with escaped backslashes

DetectContentParseTest03 this is a test to make sure we can deal with escaped double-quotes

DetectContentParseTest02 this is a test to make sure we can deal with escaped semi-colons

DetectContentParseTest01 this is a test to make sure we can deal with escaped colons

test propagation of depth/offset/distance/within

Check that the signatures are assigned priority based on classtype they are given.

Check that both valid and invalid classtypes in a rule are handled properly, with rules containing invalid classtypes being rejected and the ones containing valid classtypes parsed and returned.

undefined classtype

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

IPV4 with TS option (ptr not valid).

Parsing test

Parsing test

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test cases where if within specified is < content length we invalidate the sig.

Check if we match two contents of length 1

Check if we match two consecutive simple contents

Check if we match contents that are in the payload but not in the same order as specified in the signature

Test %2f decoding in profile IDS with double-decode-* options

Test really long request (same as HTPParserTest14), now with config update to allow it

Test really long request, this should result in HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG

BG crash

BG box crash – chunks are messed up. Observed for real.

Test 'proxy' URI normalization. Ticket 1008

Test 'proxy' URI normalization. Ticket 1008

Test + char in query. Bug 1035

Test + char in query. Bug 1035

Test \ char in query profile IDS. Bug 739

Test http:// in query profile IDS

Test unusual delims in request line HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG

Test %2f decoding in profile IDS

Test %2f decoding in profile Apache_2_2

Test traffic is handled by the correct htp config

Test config builds radix correctly

Test basic config

Host:www.google.com0dName: Value0d0a <- missing space between name:value (rfc violation)

double encoding in query

double encoding in path

Host:www.google.com <- missing space between name:value (rfc violation)

Send Modbus Force Listen Only Mode request.

Send Modbus Mask Write register request/response.

Send Modbus invalid PDU Length.

Send Modbus exceed Length request.

Modbus fragmentation - 2 ADU in 1 TCP packet.

Modbus fragmentation - 1 ADU over 2 TCP packets.

Send Modbus Read Coils request and error response with Exception code invalid.

Send Modbus invalid Length request.

Send Modbus unsolicited response.

Send Modbus invalid Protocol version in request.

Abort

Send Modbus Read/Write Multiple registers request/response with mismatch value.

Send Modbus Write Multiple registers request/response.

Send Modbus Read Coils request/response.

multi transactions and cleanup

Test response not HTTP

Test response not HTTP

Test response not HTTP

Test response not HTTP

Test response not HTTP

Test the link layer length calculation.

Test the parsing of a request PDU.

Test multiple DNP3 frames in one TCP read.

Test parsing of partial frames.

Test flood state.

Test an unsolicited response from an outstation.

Test a basic request/response.

Test the probing parser.

Test removal of CRCs from user data.

Test the validation of the link header CRC.

The conversion of length with CRCs to the length without CRCs.

Test the decode of a DNP3 fragment with a single 70:3 object.

Test validation of all CRCs in user data.

Test CRC checking on partial and full blocks.

test if the engine detect the proto and doesn't match because the packet has another proto (ex ftp)

test if the engine detect the proto and doesn't match because the sig expects another proto (ex ftp)

test if the engine detect the proto on a non standar port and match with it

test if the engine detect the proto and match with it

What about if we add some sigs only for udp calling it for UDP? It should detect ALPROTO_HTTP1 (over udp). This is just a check to ensure that TCP/UDP differences work correctly.

What about if we add some sigs only for udp but call for tcp? It should not detect any proto

AlpProtoSignature test

Test folding in 1 read case

Abort

Test proper chunked encoded response body

Test both sides of a http stream mixed up to see if the HTP parser properly parsed them and also keeps them separated.

Test case where invalid data is sent and check the response of the parser from HTP library.

Test case where method is invalid and data is sent in smaller chunks and check the response of the parser from HTP library.

See how it deals with an incomplete request.

Test case where chunks are sent in smaller chunks and check the response of the parser from HTP library.

Test folding in 1byte per read case

Send Modbus Write single register request/response.

Test case where chunks are sent in smaller chunks and check the response of the parser from HTP library.

filedata cut in two pieces

empty entries

invalid header: Somereallylongheaderstr: has no value

POST, but not multipart

first multipart part contains file but doesn't end in first chunk

Supply STOR without a filename

Supply RETR without a filename

Send a get request in one chunk.

DecodeGeneveTest04 tests default port disabled by the config.

icmpv6 message type: echo reply, valid packet

icmpv6 message type: echo request, valid packet

icmpv6 message type: destination unreach, valid packet

icmpv6 message type: time exceed, valid packet

icmpv6 message type: packet too big, valid packet

icmpv6 message type: parameter problem, valid packet

DecodeGRETest03 is a test for valid gre packet

DecodeGRETest02 is a test for wrong gre version

DecodeGRETest01 is a test for small gre packet

DecodeGeneveTest05 tests if Geneve header has inconsistent option len values.

icmpv6 message type: parameter problem, invalid packet

DecodeGeneveTest03 tests a good Geneve header with 16-bytes of options. Contains a IPv4 DNS request packet with a VLAN tag after the Ethernet frame. In practice, this probably won't be used but it should be support either way.

DecodeGeneveTest02 tests a good Geneve header with 16-bytes of options. Contains a IPv4 DNS request packet.

DecodeGeneveTest01 tests a good Geneve header with 16-bytes of options. Contains a Ethernet+IPv6 DHCP request packet.

Failure decoding, no data

Failure decoding, not enough data

Successful decoding, with payload data

Successful decoding

RUBBISH(TC - PM and PP DONE) -> RUBBISH(TS - PM and PP NOT DONE) -> RUBBISH(TS - PM and PP DONE)

RUBBISH(TC - PM and PP DONE) -> RUBBISH(TS - PM and PP DONE)

IPV4 with NOP option.

IPV4 with TS option (ptr too large).

IPV4 with TS option (ptr too small).

IPV4 with TS option.

IPV4 with QS option (len too small)

IPV4 with QS option.

IPV4 with RR option (ptr not in 4 byte increment).

IPV4 with RR option (ptr too large).

IPV4 with RR option (len too large).

IPV4 with RR option.

RUBBISH(TC - PM and PP NOT DONE) -> RUBBISH(TC - PM and PP DONE) -> RUBBISH(TS - PM and PP DONE)

IPV4 with EOL option.

IPV4 with no options.

Test for valid ICMPv6 checksum when the FCS is still attached.

icmpv6 packet decoding and setting up of payload_len and payload buffer

icmpv6 message type: echo reply, invalid packet

icmpv6 message type: echo request, invalid packet

icmpv6 message type: destination unreach, invalid packet

icmpv6 message type: time exceed, invalid packet

icmpv6 message type: packet too big, invalid packet

Send a version string in one chunk (client version str).

Send a banner and 2 records record in four chunks.

Send a banner and 2 records record in four chunks.

Send a banner and record in three chunks.

Send a version banner in three chunks.

Send a version banner in three chunks.

Send a invalid version string in one chunk (server version str)

Send a version string in one chunk (server version str)

Send a version string in one chunk (server version str).

Send a invalid version string in one chunk but multiple lines and comments. (client version str)

Send a version string in one chunk but multiple lines and comments. (client version str)

Send a banner and 2 records record in four chunks.

Test DATA command w/MIME message.

Test multiple DATA commands(full mail transactions).

Testing parsing pipelined commands.

Test multiple DATA commands(full mail transactions).

multi transactions and cleanup

Send Modbus invalid function.

Checks if stream_depth is correct

Send invalid Modbus Mask Write register request.

Send invalid Modbus Mask Write register request.

Send a version string in one chunk (client version str).

SMB -> HTTP/1.1

GET -> DCERPC

HTTP/1.1 -> GET

RUBBISH -> HTTP/1.1

GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).

GET -> RUBBISH(PM AND PP DONE IN ONE GO)

GE -> T -> HTTP/1.1

GET -> HTTP/1.1

Send a malformed banner

simple google.com query matching (TCP)

Send a version string in one chunk (client version str).

Fragmented banner handling: chunk has final part of bannel plus a record.

Fragmented banner handling: chunk has final part of bannel plus a record.

Really long banner handling: banner exactly 255, followed by malformed record

Really long banner handling: bannel exactly 255

2 directional test

Send toserver a banner and 2 records record in four chunks.

Send toserver a banner and record in three chunks.

Send a banner and 2 records record in four chunks.

DetectICodeParseTest03 is a test for setting a valid icode value with "<" operator

DetectIdTestParse03 is a test to make sure that we parse the "id" option correctly when given an invalid id option it should return id_d = NULL

DetectIdTestParse02 is a test to make sure that we parse the "id" option correctly when given an invalid id option it should return id_d = NULL

DetectIdTestParse01 is a test to make sure that we parse the "id" option correctly when given valid id option

DetectICodeMatchTest01 is a test for checking the working of icode keyword by creating 5 rules and matching a crafted packet against them. 4 out of 5 rules shall trigger.

DetectICodeParseTest09 is a test for setting an invalid icode value with "<<" operator

DetectICodeParseTest08 is a test for setting an invalid icode value

DetectICodeParseTest07 is a test for setting a valid icode value with "<>" operator and spaces all around

DetectICodeParseTest06 is a test for setting a valid icode value with ">" operator and spaces all around

DetectICodeParseTest05 is a test for setting a valid icode value with spaces all around

DetectICodeParseTest04 is a test for setting a valid icode value with "<>" operator

DetectIdTestParse04 is a test to make sure that we parse the "id" option correctly when given valid id option but wrapped with "'s

DetectICodeParseTest02 is a test for setting a valid icode value with ">" operator

DetectICodeParseTest01 is a test for setting a valid icode value

DetectIcmpSeqParseTest03 is a test for setting an invalid icmp_seq value

DetectIcmpSeqParseTest02 is a test for setting a valid icmp_seq value with spaces all around

DetectIcmpSeqParseTest01 is a test for setting a valid icmp_seq value

DetectIcmpIdMatchTest02 is a test for checking the working of icmp_id keyword by creating 1 rule and matching a crafted packet against them. The packet is an ICMP packet with no "id" field, therefore the rule should not trigger.

DetectIcmpIdMatchTest01 is a test for checking the working of icmp_id keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.

DetectIcmpIdParseTest05 is a test for setting an invalid icmp_id value with missing quotation marks

DetectIcmpIdParseTest04 is a test for setting a valid icmp_id value with quotation marks and spaces all around

DetectIPProtoTestSetup01 is a test for a protocol number

Negative test.

Negative test.

Negative test.

Negative test.

Negative test.

Negative test.

DetectIPProtoTestSetup05 is a test for a ! operator

DetectIPProtoTestSetup04 is a test for a > operator

DetectIPProtoTestSetup03 is a test for a < operator

DetectIPProtoTestSetup02 is a test for a protocol name

DetectIcmpIdParseTest03 is a test for setting a valid icmp_id value with quotation marks

DetectIPProtoTestParse02 is a test for an invalid proto name

DetectIPProtoTestParse01 is a test for an invalid proto number

IpOptsTestParse05 tests the NULL and empty string

IpOptsTestParse04 test the match function on a packet that needs to not match

IpOptsTestParse03 test the match function on a packet that needs to match

IpOptsTestParse02 is a test for an invalid ipopts value

IpOptsTestParse01 is a test for a valid ipopts value

IKEChosenSaParserTest is a test for valid values

DetectIdTestSig01

DetectFlowintTestParseVal06 is a test to make sure that we set the DetectFlowint correctly for checking if greater than a valid target value

DetectFlowintTestPacket01Real

DetectFlowintTestParseInvalidSyntaxis01 is a test to make sure that we dont set the DetectFlowint for a invalid input option

DetectFlowintTestParseVar09 is a test to make sure that handle the isset keyword correctly

DetectFlowintTestParseVar09 is a test to make sure that we set the DetectFlowint correctly for checking if lower than a valid target variable

DetectFlowintTestParseVal09 is a test to make sure that we set the DetectFlowint correctly for checking if lower than a valid target value

DetectFlowintTestParseVar08 is a test to make sure that we set the DetectFlowint correctly for checking if lower or equal than a valid target variable

DetectFlowintTestParseVal08 is a test to make sure that we set the DetectFlowint correctly for checking if lower or equal than a valid target value

DetectFlowintTestParseVar07 is a test to make sure that we set the DetectFlowint correctly for checking if greater or equal than a valid target variable

DetectFlowintTestParseVal07 is a test to make sure that we set the DetectFlowint correctly for checking if greater or equal than a valid target value

DetectFlowintTestParseVar06 is a test to make sure that we set the DetectFlowint correctly for checking if greater than a valid target variable

DetectFlowintTestPacket02Real

DetectFlowintTestParseVar05 is a test to make sure that we set the DetectFlowint correctly for checking if not equal to a valid target variable

DetectFlowintTestParseVal05 is a test to make sure that we set the DetectFlowint correctly for checking if not equal to a valid target value

DetectFlowintTestParseVar04 is a test to make sure that we set the DetectFlowint correctly for checking if equal to a valid target variable

DetectFlowintTestParseVal04 is a test to make sure that we set the DetectFlowint correctly for checking if equal to a valid target value

DetectFlowintTestParseVar03 is a test to make sure that we set the DetectFlowint correctly for substract a valid target variable

DetectFlowintTestParseVal03 is a test to make sure that we set the DetectFlowint correctly for substract a valid target value

DetectFlowintTestParseVar02 is a test to make sure that we set the DetectFlowint correctly for adding a valid target variable

DetectFlowintTestParseVal02 is a test to make sure that we set the DetectFlowint correctly for adding a valid target value

DetectFlowintTestParseVar01 is a test to make sure that we set the DetectFlowint correctly for setting a valid target variable

GidTestParse01 is a test for a valid gid value

DetectIcmpIdParseTest02 is a test for setting a valid icmp_id value with spaces all around

DetectIcmpIdParseTest01 is a test for setting a valid icmp_id value

Test that a signature containing a http_response_line is correctly parsed and the keyword is registered.

Test that a signature containing a http_request_line is correctly parsed and the keyword is registered.

HostBitsTestSig03 is a test check idx value

various options

HostBitsTestSig01 is a test for a valid noalert flowbits option

Test a gid consisting of a single quote.

GidTestParse02 is a test for an invalid gid value

Negative test.

DetectFragOffsetMatchTest01 is a test for checking the working of fragoffset keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.

DetectFragOffsetParseTest03 is a test for setting an invalid fragoffset value

DetectFragOffsetParseTest02 is a test for setting a valid fragoffset value with spaces all around

DetectFragOffsetParseTest01 is a test for setting a valid fragoffset value

FragBitsTestParse04 test if DONT FRAG is not set. Must fails.

FragBitsTestParse03 test if DONT FRAG is set. Must return success

FragBitsTestParse02 is a test for an invalid fragbits value

FragBitsTestParse01 is a test for a valid fragbits value

DetectFlowintTestPacket03Real

This is a test for a valid value 1490000000.

packet/stream sig

file_data with rawbytes

Parsing sig with trailing space(s) as reported by Morgan Cox on oisf-users.

Parsing duplicate sigs.

Parsing duplicate sigs.

Parsing duplicate sigs.

Parsing duplicate sigs.

Parsing bug debugging at 2010-03-18

Port validation

SigParseTest03 test for invalid direction operator in rule

packet/stream sig

This is a test for a valid value < 1490000000.

This is a test for a valid value > 1430000000.

This is a test for a valid value 1430000000 <> 1490000000.

This is a test for a invalid value 1490000000<>1430000000.

This is a test for a invalid value " ".

This is a test for a invalid value "".

This is a test for a invalid value <>1430000000.

This is a test for a invalid value 1430000000<>.

This is a test for a invalid value >1430000000<>1470000000.

Direction operator validation (invalid)

Ensure that we don't set bidirectional in a normal (one direction) Signature

Direction operator validation (valid)

Direction operator validation (valid)

Direction operator validation (invalid)

Direction operator validation (invalid)

Direction operator validation (invalid)

Direction operator validation (invalid)

Direction operator validation (invalid)

Direction operator validation (invalid)

This is a test for a invalid value A.

rule ending in carriage return

address parsing

address parsing

rev value too large. Related to bug #779

gid value too large. Related to bug #779

sid value too large. Bug #779

packet/stream sig

packet/stream sig

packet/stream sig

DetectITypeParseTest02 is a test for setting a valid itype value with ">" operator

DetectL3protoTestSig02 is a test for checking the working of l3proto keyword by setting up the signature and later testing its working by matching the received IPv6 packet against the sig.

DetectL3protoTestSig01 is a test for checking the working of ttl keyword by setting up the signature and later testing its working by matching the received packet against the sig.

description of the test

description of the test

DetectITypeParseTest08 is a test for setting an invalid itype value

DetectITypeParseTest07 is a test for setting a valid itype value with "<>" operator and spaces all around

DetectITypeParseTest06 is a test for setting a valid itype value with ">" operator and spaces all around

DetectITypeParseTest05 is a test for setting a valid itype value with spaces all around

DetectITypeParseTest04 is a test for setting a valid itype value with "<>" operator

DetectITypeParseTest03 is a test for setting a valid itype value with "<" operator

DetectL3protoTestSig03 is a test for checking the working of l3proto keyword in conjunction with ip_proto keyword.

DetectITypeParseTest01 is a test for setting a valid itype value

DetectIsdataatTestPacket03 is a test to check matches of isdataat, and isdataat relative works if the previous keyword is byte_jump (bug 146)

DetectIsdataatTestPacket02 is a test to check matches of isdataat, and isdataat relative works if the previous keyword is pcre (bug 144)

DetectIsdataatTestPacket01 is a test to check matches of isdataat, and isdataat relative

Test isdataat option for dce sig.

DetectIsdataatTestParse03 is a test to make sure that we return a correct IsdataatData structure when given valid isdataat opt

DetectIsdataatTestParse02 is a test to make sure that we return a correct IsdataatData structure when given valid isdataat opt

DetectIsdataatTestParse01 is a test to make sure that we return a correct IsdataatData structure when given valid isdataat opt

Negative test.

http buffer, flowints

This is a test for a valid value 1430000000<>1470000000.

This is a test for a valid value <1430000000.

This is a test for a valid value >1430000000.

This is a test for a valid value 1430000000.

MarkTestParse04 is a test for a invalid mark value

MarkTestParse03 is a test for a valid mark value

MarkTestParse02 is a test for an invalid mark value

MarkTestParse01 is a test for a valid mark value

http buffer, flowints

DetectFlowintTestParseVal01 is a test to make sure that we set the DetectFlowint correctly for setting a valid target value

http buffer, flowints

http buffer, flowints

http buffer, flowints

http buffer, flowints

packet buffer

packet buffer

payload buffer

payload buffer

http buffer

Test invalid sig.

Check if two ports are properly allocated in the DetectPort group

Check if a DetectPort is properly allocated

Test byte_extract.

Test byte_test.

Test byte_jump.

Test pcre recursive matching - bug #529

normal & negated matching, both absolute and relative

Used to check the working of recursion_limit counter.

Test invalid sig.

Test invalid sig.

Check if two port ranges are properly allocated in the DetectPort group

Test pcre recursive matching.

Test multiple relative matches with negative matches and show the need for det_ctx->discontinue_matching.

Test multiple relative matches.

Test multiple relative matches.

Test multiple relative matches.

Test multiple relative matches.

Negative distance matching

Nocase matching

Not the first but the second occurrence of "abc" should be used for the 2nd match

Test merging port groups

DetectIPProtoTestSetup01 is a test for a protocol setting up in signature.

make sure that we properly parse tcp-stream

make sure that we properly parse tcp-pkt

ProtoTestParse05 is a test to make sure that we do not parse the protocol, when given an invalid proto option.

ProtoTestParse04 is a test to make sure that we do not parse the protocol, when given an invalid proto option.

ProtoTestParse03 is a test to make sure that we parse the protocol correctly, when given "ip" as proto option.

ProtoTestParse02 is a test to make sure that we parse the protocol correctly, when given "tcp" as proto option.

ProtoTestParse01 is a test to make sure that we parse the protocol correctly, when given valid proto option.

Test merging negated port groups

build IP-only tree

Test first port of range being too big

Test second port of range being just right

Test second port of range being too big

Test we don't allow a port that is too big

Check if we autocomplete correctly an open range

Check if we dont allow invalid port range specification

Check if a negated port range is properly fragmented in the allowed real groups

Check if a negated port range is properly fragmented in the allowed real groups, ex !80:81 should allow 0:79 and 82:65535

Check if a negated port range is properly allocated in the DetectPort

test for a valid dsize value 12

Test the working of byte_test endianness.

Test the working of byte_test endianness.

recursion limit

that address range sets proper start address

DetectDsizeIcmpv6Test01 is a test for checking the working of dsize keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.

this is a test for negative ! dsize matching

this is a test for positive ! dsize matching

this is a test for invalid dsize values A, >10<>10, <>10, 1<>, "", " ", 2<>1, 1!

this is a test for a valid dsize value ! 1

this is a test for a valid dsize value !1

Test the working of byte_test endianness.

test for a valid dsize value < 12

this is test for a valid dsize value > 2

this is a test for a valid dsize value 1 <> 3

this is a test for a valid dsize value 1<>3

this is a test for a valid dsize value <100

this is a test for a valid dsize value >10

this is a test for a valid dsize value 1

multi tx google.(com|net) query matching + app layer event

simple google.com query matching, pcre

check that we set a Signature as IPOnly because it has no rule option appending a SigMatch and no port is fixed

Test a set of ip only signatures making use a lot of addresses for src and dst (none should match) with ipv4 and ipv6 mixed

Test a set of ip only signatures making use a lot of addresses for src and dst (none should match)

Test a set of ip only signatures making use a lot of addresses for src and dst (all should match)

Test a set of ip only signatures making use a lot of addresses for src and dst (none should match)

Test a set of ip only signatures making use a lot of addresses for src and dst (none should match)

Test a set of ip only signatures making use a lot of addresses for src and dst (all should match)

check that we set don't set a Signature as IPOnly because it has rule options appending a SigMatch like content, and pcre

check that we don't set a Signature as IPOnly because it has no rule option appending a SigMatch but a port is fixed

DetectProtoTestSetup02 is a test for a icmpv4 and icmpv6 protocol setting up in signature.

EngineEventTestParse06 is a test for match function with valid decode-event value

EngineEventTestParse05 is a test for an invalid char into the decode-event value

EngineEventTestParse04 is a test for an invalid upper case decode-event value

EngineEventTestParse03 is a test for a valid upper case decode-event value

EngineEventTestParse02 is a test for a valid upper + lower case decode-event value

EngineEventTestParse01 is a test for a valid decode-event value

Test the working of byte_jump endianness.

Test the working of byte_jump endianness.

Test the working of byte_jump endianness.

DetectFlowTestParseNocase08 is a test for setting the established,to_client flow opts

DetectFlowTestParse18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)

DetectFlowTestParse16 is a test for an invalid combo of options to_client,from_server flowbit flags are the same

DetectFlowTestParse16 is a test for an invalid combo of options to_client,to_server

DetectFlowTestParse15 is a test for an invalid combo of options established,stateless

DetectFlowTestParse14 is a test for a empty option

DetectFlowTestParse13 is a test for an invalid option

DetectFlowTestParse12 is a test for setting an invalid separator :

DetectFlowTestParseNocase11 is a test for setting the from_server,stateless flow opts with spaces all around

DetectFlowTestParseNocase10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)

DetectFlowTestParseNocase09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)

DetectFlowTestParseNocase18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)

DetectFlowTestParseNocase07 is a test for setting the from_client flow opt

DetectFlowTestParseNocase06 is a test for setting the from_server flow opt

DetectFlowTestParseNocase05 is a test for setting the to_server flow opt

DetectFlowTestParseNocase04 is a test for setting the to_client flow opt

DetectFlowTestParseNocase03 is a test for setting the stateless flow opt

DetectFlowTestParseNocase02 is a test for setting the established flow opt

DetectFlowTestParseNocase01 is a test to make sure that we return "something" when given valid flow opt

DetectFlowTestParse11 is a test for setting the from_server,stateless flow opts with spaces all around

DetectFlowTestParse10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)

Test no_frag matching.

FlowBitsTestSig08 is a test toggle flowbits option

FlowBitsTestSig07 is a test unset flowbits option

FlowBitsTestSig06 is a test set flowbits option

FlowBitsTestSig05 is a test check noalert flag

FlowBitsTestSig04 is a test check idx value

FlowBitsTestSig03 is a test for a invalid flowbits option

FlowBitsTestSig02 is a test for a valid isset,set,isnotset,unset,toggle flowbits options

FlowBitsTestSig01 is a test for a valid noalert flowbits option

Test only_frag matching.

DetectFlowTestParse09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)

Test that parsing of only_frag and no_frag together fails.

Test parsing of the "only_frag" flow argument.

Test parsing of the "no_frag" flow argument.

Test parsing of the not_established keyword.

DetectFlowTestParse22 is a test for setting the established,not_established flow opts both

DetectFlowTestParse21 is a test for an invalid opt between to valid opts

DetectFlowTestParse20 is a test for setting from_server, established, no_stream

DetectFlowTestParse20 is a test for setting from_server, established, no_stream

DetectFlowTestParse19 is a test for one to many options passed to DetectFlowParse

Order with a different Action priority (as specified from config)

session tagging: seconds

session tagging: packets

host tagging: bytes

host tagging: seconds

host tagging: packets

multiple files in a tx. Both files should match. No other matches.

multiple files in a tx. Both files should match

multiple files in a tx

multiple pipelined http transactions

Bug 1061

session tagging: bytes

Order with a different Action priority (as specified from config)

Order with a different Action priority (as specified from config)

ICMP(?) sig grouping bug.

Check if SigGroupHeadBuildMatchArray(), correctly updates the match array with the sids.

Check if SigGroupHeadCopySigs(), correctly copies the sig_array from the source to the destination SigGroupHead.

Check if a SigGroupHeadAppendSig(), correctly appends a sid to a SigGroupHead() and SigGroupHeadContainsSigId(), correctly indicates the presence of a sid and SigGroupHeadClearSigs(), correctly clears the SigGroupHead->sig_array and SigGroupHead->sig_cnt.

Check if a SigGroupHeadAppendSig() correctly appends a sid to a SigGroupHead() and SigGroupHeadContainsSigId() correctly indicates the presence of a sid.

Check if a SigGroupHead hash table is properly allocated and deallocated when calling SigGroupHeadHashInit() and SigGroupHeadHashFree() respectively.

signature parsing with tcp-pkt and tcp-stream

Test the Filesize keyword setup

DetectFlowTestParse08 is a test for setting the established,to_client flow opts

DetectFlowTestParse07 is a test for setting the from_client flow opt

DetectFlowTestParse06 is a test for setting the from_server flow opt

DetectFlowTestParse05 is a test for setting the to_server flow opt

DetectFlowTestParse04 is a test for setting the to_client flow opt

DetectFlowTestParse03 is a test for setting the stateless flow opt

DetectFlowTestParse02 is a test for setting the established flow opt

DetectFlowTestParse01 is a test to make sure that we return "something" when given valid flow opt

DetectFilesizeSetpTest01 is a test for setting up an valid filesize values with valid "<>" operator and include spaces arround the given values. In the test the values are setup with initializing the detection engine context and setting up the signature itself.

Why we still get http for connect... obviously because we also match on the reply, duh

Test the Filesize keyword setup

Test the Filesize keyword setup

Test the Filesize keyword setup

Test the Filesize keyword setup

Test parser accepting valid rules and rejecting invalid rules

Checks to make sure that other sigs work that should when fast_pattern is inspecting on the same payload

Checks if a fast_pattern is registered in a Signature

bug 892 bad values

session tagging: bytes, where a 2nd match makes us tag more