suricata
Test List

Test that the http_cookie content matches against a http request which holds the content.

Checks if a http_cookie is registered in a Signature, when fast_pattern is also specified in the signature (now it should)

Checks if a http_cookie is registered in a Signature

Checks if a http_cookie is registered in a Signature, if some parameter is specified with http_cookie in the signature

Checks if a http_cookie is registered in a Signature, if content is not specified in the signature

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Checks if a http_cookie is registered in a Signature, when rawbytes is also specified in the signature

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

Test that the http_cookie content matches against a http request which holds the content.

multiple http transactions and body chunks of request handling

multiple http transactions and body chunks of request handling

Test parser accepting valid rules and rejecting invalid rules

app-layer-event:http.host_header_ambiguous should not be set

Test that the http_header content matches against a http request which holds the content.

Negative test that the negated http_header content matches against a http request which holds hold the content.

Test that the negated http_header content matches against a http request which doesn't hold the content.

Test that the http_header content matches against a http request against a case insensitive pattern.

Test that the http_header content matches against a http request which holds the content, against a cross boundary present pattern.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that a signature containting a http_header is correctly parsed and the keyword is registered.

Test parser accepting valid rules and rejecting invalid rules

Test that the http_client_body content matches against a http request which holds the content.

Check the signature working to alert against cookie/set-cookie

Check the signature working to alert against set-cookie

Check the signature working to alert when http_cookie is not present

Check the signature working to alert when http_cookie is not present

Check the signature working to alert when http_cookie is not present

Check the signature working to alert when http_cookie is not present

Check the signature working to alert when http_cookie is not present

Check the signature working to alert when http_cookie is not present

Check the signature working to alert when http_cookie is matched .

Checks if a http_cookie is registered in a Signature, when rawbytes is also specified in the signature

Test the pruning of SACK ranges.

simple recursion logic

simple match with pcre/R

simple match with distance

AppLayerHtpFileParseContentRangeTest04 is a test for setting up a valid range value without the size.

AppLayerHtpFileParseContentRangeTest03 is a regression test for setting up an invalid range value.

AppLayerHtpFileParseContentRangeTest02 is a regression test for setting up an invalid range value.

AppLayerHtpFileParseContentRangeTest01 is a test for setting up a valid range value.

Test the insertion of out of window condition.

Test the insertion on out of window condition.

Test the pruning of SACK ranges.

Test the pruning of SACK ranges.

pcre recursion logic

Test the pruning of SACK ranges.

Test the pruning of SACK ranges.

Test the pruning of SACK ranges.

Test the insertion of SACK ranges.

Test the insertion of SACK ranges.

Test the insertion of SACK ranges.

Test the insertion of SACK ranges.

Test the insertion of SACK ranges.

Test the insertion of SACK ranges.

test insert with overlaps

test insert with overlaps

Test that a signature containting a http_client_body is correctly parsed and the keyword is registered.

Negative test that the negated http_client_body content matches against a http request which holds hold the content.

Test that the negated http_client_body content matches against a http request which doesn't hold the content.

Test that the http_client_body content matches against a http request against a case insensitive pattern.

Test that the http_client_body content matches against a http request which holds the content, against a cross boundary present pattern.

Test that the http_client_body content matches against a http request which holds the content.

Test that the http_client_body content matches against a http request which holds the content.

Test that the http_client_body content matches against a http request which holds the content.

Test that an invalid signature containing a rawbytes along with a http_client_body is invalidated.

Test that an invalid signature containing a rawbytes along with a http_client_body is invalidated.

Test that an invalid signature containing no content but a http_client_body is invalidated.

Test that a signature containing an valid http_client_body entry is parsed.

app-layer-event:http.host_header_ambiguous should be set

Test parser accepting valid rules and rejecting invalid rules

Test parser accepting valid rules and rejecting invalid rules

Test the file_data fails with flow:to_server.

endswith (isdataat) recursion logic based on DetectEngineContentInspectionTest06

mix in byte_extract

mix in byte_jump

mix in negation

extreme recursion

isdataat recursion logic

multiple independent blocks recursion logic

Test that an invalid signature containing no content but a http_raw_host is invalidated.

multiple http transactions and body chunks of request handling

Test that the http_raw_host content matches against a http request which holds the content.

Negative test that the negated http_raw_host content matches against a http request which holds hold the content.

Test that the negated http_raw_host content matches against a http request which doesn't hold the content.

Test that the http_raw_host content matches against a http request against a case insensitive pattern.

Test that the http_raw_host content matches against a http request which holds the content, against a cross boundary present pattern.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that a http_raw_host with nocase is parsed.

Test that an invalid signature containing a rawbytes along with a http_raw_host is invalidated.

Test that the http_raw_host content matches against a http request against a case insensitive pattern.

Test that a signature containing an valid http_raw_host entry is parsed.

Test that a signature containting a http_raw_host is correctly parsed and the keyword is registered.

multiple http transactions and body chunks of request handling

Test that the http_host content matches against a http request which holds the content.

Negative test that the negated http_host content matches against a http request which holds hold the content.

Test that the negated http_host content matches against a http request which doesn't hold the content.

Test that the http_host content matches against a http request against a case insensitive pattern.

Test that the http_host content matches against a http request which holds the content, against a cross boundary present pattern.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

invalid sig: uppercase content

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host header content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_raw_host content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Trailing headers.

Trailing headers.

Trailing headers.

reassembly bug where headers with names of length 6 were skipped

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Trailing headers.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

app-layer-event:http.host_header_ambiguous should be set

Test that the http_host header content matches against a http request which holds the content.

Test that a http_host with nocase is parsed.

Test that an invalid signature containing a rawbytes along with a http_host is invalidated.

Test that an invalid signature containing no content but a http_host is invalidated.

Test that a signature containing an valid http_host entry is parsed.

Test that a signature containting a http_host is correctly parsed and the keyword is registered.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

test insert with overlap

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host header content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

Test that the http_host content matches against a http request which holds the content.

RfbSecresultTestParse01 is a test for a valid secresult value

Send a get request in three chunks + more data.

DetectSshVersionTestParse03 is a test to make sure that we don't return a ssh_data with an invalid value specified

DetectSshVersionTestParse02 is a test to make sure that we parse the proto version (compatible with proto version 2) correctly

DetectSshVersionTestParse01 is a test to make sure that we parse a proto version correctly

DetectRpcTestParse05 is a test to check the match function

DetectRpcTestParse05 is a test for check invalid values

DetectRpcTestParse04 is a test for check the discarding of empty options

DetectRpcTestParse03 is a test for checking the wildcards and not specified fields

DetectRpcTestParse02 is a test for setting the established rpc opt

DetectRpcTestParse01 is a test to make sure that we return "something" when given valid rpc opt

RfbSecresultTestParse02 is a test for an invalid secresult value

Send a get request in three chunks + more data.

Parsing test content and replace length differ

Parsing test content and replace length differ

Parsing test content after replace

Parsing test no content

Parsing test: non valid because of http_header on same content as replace keyword

Parsing test: non valid because of http protocol

Parsing test

Check if replace is working with within

Check if replace is working with within

Check if replace is working with within

Check if replace is working with within

DetectStreamSizeParseTest04 is a test to make sure that we match the stream_size against invalid packet parameters.

FlagsTestParse06 test if ACK+PUSH and more flags are set. Ignore URG and RST bits. Must return success.

FlagsTestParse05 test if ACK+PUSH and more flags are set. Ignore SYN and RST bits. Must fails.

FlagsTestParse04 check if ACK bit is set. Must fails.

FlagsTestParse03 test if ACK and PUSH are set. Must return success

FlagsTestParse02 is a test for an invalid flags value

FlagsTestParse01 is a test for a valid flags value

DetectTagTestParse05 is a test for default opts

DetectTagTestParse04 is a test for default opts

DetectTagTestParse03 is a test for setting the stateless tag opt

DetectTagTestParse02 is a test to check that we parse tag correctly

DetectTagTestParse01 is a test to make sure that we return "something" when given valid tag opt

Check if replace is working with within

DetectStreamSizeParseTest03 is a test to make sure that we match the packet correctly provided valid stream size.

DetectStreamSizeParseTest02 is a test to make sure that we detect the invalid stream_size options.

DetectStreamSizeParseTest01 is a test to make sure that we parse the user options correctly, when given valid stream_size options.

Send a get request in three chunks + more data.

Send a get request in three chunks + more data.

Send a get request in three chunks + more data.

DetectSshSoftwareVersionTestParse03 is a test to make sure that we don't return a ssh_data with an empty value specified

DetectSshSoftwareVersionTestParse02 is a test to make sure that we parse the software version correctly

DetectSshSoftwareVersionTestParse01 is a test to make sure that we parse a software version correctly

Send a get request in three chunks + more data.

Check a signature with pcre relative uricontent

test pcre P modifier with multiple pipelined http transactions

Test tracking of body chunks per transactions (on requests)

anchored pcre

anchored pcre

Bug 1957

Bug 1098

Check a signature with inconsistent pcre modifiers

Check a signature with inconsistent pcre modifiers

Check a signature with inconsistent pcre modifiers

Check a signature with inconsistent pcre relative

Check a signature with pcre relative http_uri

multiple http transactions and body chunks of request handling

Check a signature with pcre relative raw uri

Check a signature with pcre relative client-body

Check a signature with pcre relative header

Check a signature with pcre relative raw header

Check a signature with pcre relative cookie

Check a signature with pcre relative method

Test pcre option with file data.

Test pcre option with file data.

Test pcre option with file data. pcre is relative to file_data, so relative flag should be unset.

Test pcre option for dce sig.

parsing: invalid reference.

Check if replace is working when depth block match used

Check if replace is working when depth block match used

Check if replace is working when depth is used

Check if replace is working when nocase used

Check if replace is not done when second content match and not first

Check if replace is not done when second content don't match

Check if replace is working with second content

Check if replace is working with offset and keyword inversion

Check if replace is working with offset

Check if replace is working

Test packet Matches

FlagsTestParse07 test if SYN or RST are set. Must fails.

for two valid references.

one valid reference.

QuicVersionTestParse03 is a test for an invalid value

QuicVersionTestParse01 is a test for a valid value

QuicUaTestParse03 is a test for an invalid value

QuicUaTestParse01 is a test for a valid value

QuicSniTestParse03 is a test for an invalid value

QuicSniTestParse01 is a test for a valid value

DetectQuicCyuStringTest01 is a test for a valid quic packet, matching on the cyu string

DetectQuicCyuHashTest01 is a test for a valid quic packet, matching on the cyu hash

Test the Urilen keyword setup

various options

DetectWithinTestPacket01 is a test to check matches of within, if the previous keyword is pcre (bug 145)

Check a signature with gievn urilen

DetectUrilenSetpTest01 is a test for setting up an valid urilen values with valid "<>" operator and include spaces arround the given values. In the test the values are setup with initializing the detection engine context and setting up the signature itself.

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the setting of the per protocol timeouts.

Test the Urilen keyword setup

Test the Urilen keyword setup

Test the Urilen keyword setup

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Test to make sure that we sent all the segments from the initial segments to app layer until we have detected the app layer proto.

App Layer reassembly.

3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge). Test if the first segment is removed from the list.

3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge). Test if the first segment is removed from the list.

3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge) with small packet overlap.

3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge)

3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly.

3 in order segments in inline reassembly

Test to make sure we detect the sequence wrap around and continue stream reassembly properly.

Test the unlimited config value of reassembly depth.

Test to make sure that reassembly_depth is enforced.

Test the memcap incrementing/decrementing and memcap check

Parsing test

Test to make sure that we don't return the segments until the app layer proto has been detected and after that remove the processed segments.

Test the handling of packets missed by IDS, but the end host has received it and send the acknowledgment of it. The packet is missed in the middle of the stream.

Test the handling of packets missed by IDS, but the end host has received it and send the acknowledgment of it. The packet is missed in the starting of the stream.

Test the handling of packets missed by both IDS and the end host. The packet is missed in the end of the stream.

Test the handling of packets missed by both IDS and the end host. The packet is missed in the middle of the stream.

Test the handling of packets missed by both IDS and the end host. The packet is missed in the starting of the stream.

Test flow allocations when it reach memcap

Test flow allocations when it reach memcap

Test flow allocations when it reach memcap

Test the setting of the per protocol free function to free the protocol specific memory.

DetectWindowTestParse01 is a test to make sure that we set the size correctly when given valid window opt

ThresholdTestParse07 is a test for thresholding by_rule

ThresholdTestParse06 is a test for thresholding by_both

ThresholdTestParse05 is a test for a valid threshold options in any order

ThresholdTestParse04 is a test for an invalid threshold options in any order

ThresholdTestParse03 is a test for a valid threshold options in any order

ThresholdTestParse02 is a test for a invalid threshold options

ThresholdTestParse01 is a test for a valid threshold options

DetectWindowTestPacket01 is a test to check window with constructed packets

DetectWindowTestParse03 is a test to check for a big value

DetectWindowTestParse03 is a test to check for an empty value

DetectWindowTestParse02 is a test for setting the window opt negated

DetectThresholdTestSig1 is a test for checking the working of limit keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectSeqSigTest02 tests seq keyword

DetectSeqSigTest01 tests parses

Negative test.

Parse 'C' and 'E' flags.

test for a valid flags value

FlagsTestParse12 check if no flags are set. Must fails.

FlagsTestParse11 test if ACK or PUSH are set. Ignore SYN and RST. Must fails.

FlagsTestParse10 test if ACK and PUSH are not set. Must return success.

FlagsTestParse09 test if SYN and RST are not set. Must fails.

FlagsTestParse08 test if SYN or RST are set. Must return success.

DetectThresholdTestSig13 is a test for checking the working by_rule limits by setting up the signature and later testing its working by matching received packets against the sig.

Parsing test

Parsing test

Parsing test

Parsing test

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Check that modifiers of content apply only to content keywords and the same for uricontent modifiers

Checks if a uricontent is registered in a Signature

DetectThresholdTestSig14 is a test for checking the working by_both limits by setting up the signature and later testing its working by matching received packets against the sig.

Test that the http_method content matches against a http request which holds the content.

Test drop action being set even if thresholded

Test drop action being set even if thresholded

Test drop action being set even if thresholded

Test drop action being set even if thresholded

Test drop action being set even if thresholded

Test drop action being set even if thresholded

DetectThresholdTestSig5 is a test for checking the working of limit keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectThresholdTestSig4 is a test for checking the working of both keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectThresholdTestSig3 is a test for checking the working of limit keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectThresholdTestSig2 is a test for checking the working of threshold keyword by setting up the signature and later testing its working by matching the received packet against the sig.

Test the setting up a TCP session when we missed the intial 3WHS packet of the session. The session is setup only if midstream sessions are allowed to setup.

set up a TCP session using the 4WHS: SYN, SYN, SYN/ACK, ACK, but the SYN/ACK does not have the right SEQ

Test the setting up a TCP session using the 4WHS: SYN, SYN, SYN/ACK, ACK

Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string"

Test the setting up a TCP session when we are seeing asynchronous stream, while we missed the SYN and SYN/ACK packets in that stream. Later, we start to receive the packet from other end stream too.

Test the setting up a TCP session when we are seeing asynchronous stream, while we missed the SYN and SYN/ACK packets in that stream.

Test the setting up a TCP session when we are seeing asynchronous stream, while we missed the SYN packet of that stream.

Test the setting up a TCP session when we are seeing asynchronous stream, while we see all the packets in that stream from start.

Test the working of No stream reassembly flag. The stream will not reassemble the segment if the flag is set.

Test the working on PAWS. The packet will be accpeted by engine as the timestamp is valid and it is in window.

Test the working on PAWS. The packet will be dropped by stream, as its timestamp is old, although the segment is in the window.

Test the setting up a TCP session when we have seen only the FIN, RST packets packet of the session. The session is setup only if midstream sessions are allowed to setup.

set up a TCP session using the 4WHS: SYN, SYN, SYN/ACK, ACK: however the SYN/ACK and ACK are part of a normal 3WHS

Test the setting up a TCP session when we missed the intial SYN/ACK packet of the session. The session is setup only if midstream sessions are allowed to setup.

Test the setting up a TCP session when we missed the intial SYN packet of the session. The session is setup only if midstream sessions are allowed to setup.

Test the deallocation of TCP session for a given packet and return the memory back to ssn_pool and corresponding segments to segment pool.

Test the allocation of TCP session for a given packet from the ssn_pool.

policy 'last'

Solaris policy

policy Linux old

Linux policy

Vista Policy

BSD policy

overlap, data not different

Test the initialization of tcp streams with congestion flags

Check that we invalidate duplicated actions (It should default to pass, drop, reject, alert)

multiple different SYN/ACK, over the limit

multiple different SYN/ACK, pick neither

multiple different SYN/ACK, pick second

multiple different SYN/ACK, pick first

Test the validation of the ACK number before setting up the stream.last_ack and update the next_seq after loosing the .

Test the validation of the ACK number before setting up the stream.last_ack.

Test the processing of out of order FIN packets in tcp session.

Test the memcap incrementing/decrementing and memcap check

Test the initialization of tcp streams with congestion flags

Test the initialization of tcp streams with congestion flags

multiple overlaps

Test the stream mem leaks conditions.

Test the stream mem leaks conditions.

Test the various OS policies based on different IP addresses from confuguration defined in 'dummy_conf_string1'

Test the various OS policies based on different IP addresses from confuguration defined in 'dummy_conf_string1'

Test the various OS policies based on different IP addresses from confuguration defined in 'dummy_conf_string1'

Test the various OS policies based on different IP addresses from confuguration defined in 'dummy_conf_string1'

Test the various OS policies based on different IP addresses from confuguration defined in 'dummy_conf_string1'

Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string1". To check the setting of Default os policy

Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string1"

Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string1"

Test that a signature containing tls.certs is correctly parsed and that the keyword is registred.

DetectTtlParseTest03 is a test for setting up an valid ttl values with "-" operator.

DetectTtlParseTest02 is a test for setting up an valid ttl value with "<" operator.

DetectTtlParseTest01 is a test for setting up an valid ttl value.

signature with a valid xor value.

signature with an invalid xor value.

signature with a pcrexform value without substring capture

signature with a valid pcrexform value.

signature with an invalid pcrexform value.

DetectTlsVersionTestParse02 is a test to make sure that we parse the "id" option correctly when given an invalid id option it should return id_d = NULL

DetectTlsVersionTestParse01 is a test to make sure that we parse the "id" option correctly when given valid id option

Test matching on bytes in a certificate

DetectTtlParseTest04 is a test for setting up an valid ttl value with ">" operator and include spaces arround the given values.

Test matching on a valid TLS certificate.

Test matching on an expired certificate.

Test matching on validity dates in a certificate.

This is a test for a valid value 2015-10-22T23:59:59.

This is a test for a valid value 2015-10-22T23:59.

This is a test for a valid value 2015-10-22T23.

This is a test for a valid value 2015-10-22 23:59:59.

This is a test for a valid value 2015-10-22 23:59.

This is a test for a valid value <2015-10-22 23.

This is a test for a valid value >2015-10-22.

test if the engine set flag to drop pkts of a flow that triggered a drop action on IPS mode

no overlap

partial overlap

partial overlap

full overlap

full overlap

bug #815

almost identical patterns

ICMP packet shouldn't be matching port based sig Bug #611

test if the engine set flag to drop pkts of a flow that triggered a drop action on IDS mode, but continue the inspection as usual (instead of on IPS mode)

test if the engine set flag to drop pkts of a flow that triggered a drop action on IPS mode, and it doesn't inspect any other packet of the stream

test if the engine set flag to drop pkts of a flow that triggered a drop action on IPS mode

Check that we invalidate with unknown keywords (It should default to pass, drop, reject, alert)

sigs with patterns at the limit of the pm's size limit

SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION flasg is set, we don't need to inspect the packet contents.

SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION flag is set, we don't need to inspect the packet protocol header or its contents.

SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,

SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,

DetectTtlTestSig01 is a test for checking the working of ttl keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectTtlSetupTest01 is a test for setting up an valid ttl values with valid "-" operator and include spaces arround the given values. In the test the values are setup with initializing the detection engine context setting up the signature itself.

DetectTtlParseTest07 is a test for setting up an valid ttl values with invalid "<>" operator and include spaces arround the given values.

DetectTtlParseTest06 is a test for setting up an valid ttl values with invalid "=" operator and include spaces arround the given values.

DetectTtlParseTest05 is a test for setting up an valid ttl values with "-" operator and include spaces arround the given values.

issue 130 (@redmine) check to ensure that the problem is not the algorithm implementation

Check if the threshold file is loaded and well parsed

Check if the threshold file is loaded and well parsed

Check if the threshold file is loaded and well parsed

Check if the threshold file is loaded and well parsed

lots of gaps in block list

lots of gaps in block list

lots of gaps in block list

lots of gaps in block list

lots of gaps in block list

Check that all the algorithms (no case) work at any offset and any pattern length

Check that all the algorithms work at any offset and any pattern length

Check if the threshold file is loaded and well parsed

Generic test for boyer moore nocase matching

Generic test for boyer moore matching

Generic test for Bs2Bm no case matching

Generic test for Bs2Bm matching

Generic test for BasicSearch nocase matching

Generic test for BasicSearch matching

Check that valid address and port group vars are correctly retrieved from the configuration.

Check that Signatures with invalid address and port groups, are are invalidated by the Singature parsing API.

Check that Signatures with valid address and port groups are parsed without any errors by the Signature parsing API.

Check that invalid address and port groups are properly handled by the API.

Check that valid address and port group vars are correctly retrieved from the configuration.

Check if the suppress rules work

Global UTHPacketMatchSig (Packet *p, const char *) Test if a packet match a signature given as string Hint: Useful for unittests with only one packet and one signature

Global UTHPacketMatchSigMpm (Packet *, char *, uint16_t) Test if a packet match a signature given as string and a mpm_type Hint: Useful for unittests with only one packet and one signature

Global UTHMatchPackets (DetectEngineCtx *, Packet **, int) UTHMatchPackets Match a packet or a array of packets against sigs of a de_ctx, but note that the return value doesn't mean that we have a match, we have to check it later with PacketAlertCheck()

Global UTHMatchPacketsWithResults (DetectEngineCtx *de_ctx, Packet **p, int num_packets, uint32_t sids[], uint32_t *results, int numsigs) UTHMatchPacketsWithResults Match a packet or a array of packets against sigs of a de_ctx, checking that each signature match match X times for certain packets

" Check if the rate_filter by_both work when similar packets going in opposite direction

Check if the rate_filter rules work with track by_both

Check if the threshold file is loaded and well parsed, and applied correctly to a rule with thresholding

Check if the threshold file is loaded and well parsed

Check if the suppress rule parsing handles errors correctly

Check if the suppress rule parsing handles errors correctly

Check if the suppress rules work - ip only rule

Check if the reference info from the reference.config file have been loaded into the hash table.

Check if the suppress rules work

Check if the suppress rules work

Check if the threshold file is loaded and well parsed

Check if the rate_filter rules work

Check if the rate_filter rules work

Check if the rate_filter rules work with track by_rule

Check if the rate_filter rules work

Check if the rate_filter rules are loaded and well parsed with multilines

Check if the rate_filter rules are loaded and well parsed

Check if the threshold file is loaded and well parsed

Check that only valid classtypes are loaded into the hash table from the classfication.config file.

Check that valid ipv4 addresses are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv4 addresses that has been added to the host os radix tree.

Check that valid ipv6 addresses/netblocks are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv6 address that has been added to the host os radix tree.

Check that valid ipv6 addresses/netblocks are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv6 address that has been added to the host os radix tree.

Check that valid ipv6 addresses are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv6 address that has been added to the host os radix tree.

Check that valid ipv4 addresses/netblocks are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv4 addresses that has been added to the host os radix tree.

Check that valid ipv4 addresses are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv4 addresses that has been added to the host os radix tree.

Check that invalid ipv4 addresses and ipv4 netblocks are rejected by the host os info API

Check that invalid ipv4 addresses and ipv4 netblocks are rejected by the host os info API

Check if we the IPs with the right OS flavours are added to the host OS radix tree, and the IPS with invalid flavours returns an error(-1)

Check if the classtype info from the invalid classification.config file have not been loaded into the hash table, and cross verify to check that the hash table contains no classtype data.

Check if the classtype info from the classification.config file have been loaded into the hash table.

Check the loading of host info from a configuration file.

Check that invalid classtypes present in the classification config file aren't loaded.

Check that the classification file is loaded and the detection engine content class_conf_hash_table loaded with the classtype data.

max u32 value + 1

max u32 value

Check that the expected defaults are loaded if the action-order configuration is not present.

Check that we load a valid config

Check that we load a valid config

Check that we invalidate with unknown keywords and/or more than the expected (It should default to pass, drop, reject, alert)

Check that we invalidate if any action is missing (It should default to pass, drop, reject, alert)

Check that we invalidate if any action is missing (It should default to pass, drop, reject, alert)

Check that the best match search works for all the possible netblocks of a fixed address

Check if the reference info from the invalid reference.config file have not been loaded into the hash table, and cross verify to check that the hash table contains no reference data.

Check if the reference info from the reference.config file have been loaded into the hash table.

Check that only valid references are loaded into the hash table from the reference.config file.

Check that invalid references present in the reference.config file aren't loaded.

Check that the reference file is loaded and the detection engine content reference_conf_ht loaded with the reference data.

SCRadixTestIPV4NetblockInsertion26 insert a node searching on it. Should always return true but the purposse of the test is to monitor the memory usage to detect memleaks (there was one on searching)

SCRadixTestIPV4NetblockInsertion15 insert a node searching on it. Should always return true but the purposse of the test is to monitor the memory usage to detect memleaks (there was one on searching)

Check special combinations of netblocks and addresses on best search checking the returned userdata

Check that the best match search works for all the possible netblocks of a fixed address

Check that the best match search works for all the possible netblocks of a fixed address

Check that the best match search works for all the possible netblocks of a fixed address

This is a test for a valid value 2015-10.

Check special combinations of netblocks and addresses on best search checking the returned userdata

Check that the best match search works for all the possible netblocks of a fixed address

Check that the best match search works for all the possible netblocks of a fixed address

Check that the best match search works for all the possible netblocks of a fixed address

Check that the best match search works for all the possible netblocks of a fixed address

pool with unlimited size

Check the loading of host info from a configuration file.

Check the loading of host info from a configuration file.

Check the loading of host info from a configuration file.

Check the loading of host info from a configuration file.

Test that the http_header content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

Test that an invalid signature containing a rawbytes along with a http_server_body is invalidated.

Test that an invalid signature containing a rawbytes along with a http_server_body is invalidated.

Test that an invalid signature containing no content but a http_server_body is invalidated.

Test that a signature containing an valid http_server_body entry is parsed.

Test that a signature containting a http_server_body is correctly parsed and the keyword is registered.

Test parser accepting valid rules and rejecting invalid rules

Test parser accepting valid rules and rejecting invalid rules

Test that the http_server_body content matches against a http request which holds the content. Case insensitve.

Negative test that the negated http_header content matches against a http request which holds hold the content.

Test that the negated http_header content matches against a http request which doesn't hold the content.

Test that the http_header content matches against a http request against a case insensitive pattern.

Test that the http_header content matches against a http request which holds the content, against a cross boundary present pattern.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that an invalid signature containing a rawbytes along with a http_header is invalidated.

Test that an invalid signature containing a rawbytes along with a http_header is invalidated.

Test that an invalid signature containing no content but a http_header is invalidated.

Test that a signature containing an valid http_header entry is parsed.

Test that the http_server_body content matches against a http request which holds the content. Negated match.

Check the signature working to alert when http_stat_msg is not matched .

Check the signature working to alert when http_stat_msg is matched .

Checks if a http_stat_msg is registered in a Signature and also checks the nocase

Checks if a http_stat_msg is registered in a Signature, if content is not specified in the signature or rawbyes is specified or fast_pattern is provided in the signature.

Check the signature working to alert when http_stat_code is matched for for negatoin or not

Check the signature working to alert when http_stat_code is matched for for nocase or not

Check the signature working to alert when http_stat_code is not matched .

Check the signature working to alert when http_stat_code is matched .

Checks if a http_stat_code is registered in a Signature and also checks the nocase

Checks if a http_stat_code is registered in a Signature, if content is not specified in the signature or rawbyes is specified or fast_pattern is provided in the signature.

multiple http transactions and body chunks of request handling

Test that a signature containting a http_header is correctly parsed and the keyword is registered.

Test that the http_server_body content matches against a http request which holds the content. Negated match.

Test that the http_server_body content matches against a http request which holds the content. Case insensitve.

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

Test that the http_server_body content matches against a http request which holds the content.

invalid combination for content: distance, depth, http_server_body

multiple http transactions and body chunks of request handling

Test that the http_server_body content matches against a http request which holds the content. Negated match.

Test that the http_server_body content matches against a http request which holds the content. Negated match.

Test that the http_method content matches against a http request which holds the content.

Check a signature with an unknown request method

Check a signature with an known request method

Check a signature with method + within and pcre with /M (should work)

Check a signature with method + within and pcre without /M (should fail)

Check a signature with method + within and pcre with /M (should work)

setting the nocase flag

Check a signature with rawbytes (fail)

Check a signature with fast_pattern (should work)

Check a signature with parameter (fail)

Check a signature without content (fail)

Check a signature with content

Check a signature against an unparsable request

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_method content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Trailing headers.

Trailing headers.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Check the signature working to alert when http_stat_msg is used with negated content .

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test that the http_header content matches against a http request which holds the content.

Test parser accepting valid rules and rejecting invalid rules

Test parser accepting valid rules and rejecting invalid rules

Check a signature with an request method and negation of the same

signature with a valid icmpv6.mtu value.

test signature parsing

test keyword parsing

DetectSslVersionTestParse03 is a test to make sure that we parse the "ssl_version" options correctly when given valid ssl_version options

DetectSslVersionTestParse02 is a test to make sure that we parse the "ssl_version" option correctly when given an invalid ssl_version option it should return ssl = NULL

DetectSslVersionTestParse01 is a test to make sure that we parse the "ssl_version" option correctly when given valid ssl_version option

Test parsing of negated states.

This is a test for a valid value >2.

This is a test for a valid value 2.

This is a test for a valid value 2.

DetectParseTestNoOpt is a regression test to make sure that we reject any signature where a NOOPT rule option is given a value. This can hide rule errors which make other options disappear, eg: foo: bar: baz; where "foo" is the NOOPT option, we will end up with a signature which is missing "bar".

DetectParseTest01 is a regression test against a memory leak in the case of multiple signatures with different revisions Leak happened in function DetectEngineSignatureIsDuplicate

Test that a signature containing tls_cert_fingerprint is correctly parsed and that the keyword is registered.

signature with a valid http2.size_update value.

signature with a valid http2.settings value.

signature with a valid http2.window value.

signature with a valid http2.priority value.

signature with a valid http2.errorcode value.

signature with a valid http2.frametype value.

multiple http transactions and body chunks of request handling

Test that the http_user_agent content matches against a http request which holds the content.

Negative test that the negated http_user_agent content matches against a http request which holds hold the content.

Test that the negated http_user_agent content matches against a http request which doesn't hold the content.

Test that the http_user_agent content matches against a http request against a case insensitive pattern.

This is a test for a valid value 1430000000<>1470000000.

This is a test for a valid value 1490000000.

This is a test for a valid value < 1490000000.

This is a test for a valid value > 1430000000.

This is a test for a valid value 1430000000 <> 1490000000.

This is a test for a invalid value 1490000000<>1430000000.

This is a test for a invalid value " ".

This is a test for a invalid value "".

This is a test for a invalid value <>1430000000.

This is a test for a invalid value 1430000000<>.

This is a test for a invalid value >1430000000<>1470000000.

This is a test for a invalid value A.

Test that the http_user_agent content matches against a http request which holds the content, against a cross boundary present pattern.

This is a test for a valid value <1430000000.

This is a test for a valid value >1430000000.

This is a test for a valid value 1430000000.

Test matching for google in the subject of a certificate

Test that a signature containing a tls.cert_subject is correctly parsed and that the keyword is registered.

Test matching for serial in a certificate.

Test that a signature containing tls.cert_serial is correctly parsed and that the keyword is registered.

Test matching for google in the issuer of a certificate

Test that a signature containing a tls_cert_issuer is correctly parsed and that the keyword is registered.

Test matching for fingerprint of a certificate.

Test uricontent, urilen

Test multiple relative contents with a negated content.

Test multiple relative contents with a negated content.

Test relative pcre.

Test multiple relative contents with a negated content.

Test multiple relative contents with offset

Test multiple relative contents

Test multiple relative contents

Test multiple relative contents

Test pcre /U with anchored regex (bug 155)

Test pcre /U with anchored regex (bug 155)

Test uricontent, pcre /U

Test normalized uricontents.

Test uricontent, urilen, pcre /U options

Test the pcre /U option in combination with urilen

Test the pcre /U option in combination with urilen

Test the pcre /U option in combination with urilen

Test the pcre /U option

Test the urilen option

Test the urilen option

Test the pcre /U option

Test the pcre /U option

Test a simple uricontent option

Checks if a http_raw_uri is registered in a Signature, when rawbytes is also specified in the signature.

Test that the http_user_agent content matches against a http request which holds the content.

Test that the http_user_agent content matches against a http request which holds the content.

Test that the http_user_agent content matches against a http request which holds the content.

Test that a http_user_agent with nocase is parsed.

Test that an invalid signature containing a rawbytes along with a http_user_agent is invalidated.

Test that an invalid signature containing no content but a http_user_agent is invalidated.

Test that a signature containing an valid http_user_agent entry is parsed.

Test that a signature containting a http_user_agent is correctly parsed and the keyword is registered.

Test multiple relative contents with a negated content.

Test multiple relative contents with a negated content.

Checks if a http_raw_uri is successfully converted to a rawuricontent.

Test pcre option for dce sig(yeah I'm bored of writing test titles).

Checks if a http_raw_uri is registered in a Signature.

Checks if a http_raw_uri is registered in a Signature, if some parameter is specified with http_raw_uri in the signature.

Checks if a http_raw_uri is registered in a Signature, if content is not specified in the signature.

Checks if a http_uri is successfully converted to a uricontent

Checks if a http_uri is registered in a Signature, when rawbytes is also specified in the signature

Checks if a http_uri is registered in a Signature

Checks if a http_uri is registered in a Signature, if some parameter is specified with http_uri in the signature

Checks if a http_uri is registered in a Signature, if content is not specified in the signature

Test multiple relative contents with a negated content.

Test multiple relative contents with a negated content.

DetectBytetestTestParse14 is a test for large string extraction

Test CIP Command parameter parsing

Test all options

Test bitmask option.

Test file_data

Test dce option.

Test dce option.

Test dce option.

Test dce option.

Test dce option.

DetectBytetestTestParse16 is a test for offset too big

DetectBytetestTestParse15 is a test for too many bytes to extract (string)

Test CIP Service signature

DetectBytetestTestParse13 is a test for too many bytes to extract

DetectBytetestTestParse12 is a test for hex w/o string

DetectBytetestTestParse11 is a test for whitespace

DetectBytetestTestParse10 is a test for whitespace

DetectBytetestTestParse09 is a test for neg operator only

DetectBytetestTestParse08 is a test for setting the little flag

DetectBytetestTestParse07 is a test for setting the big flag

DetectBytetestTestParse06 is a test for setting the string/hex flags

DetectBytetestTestParse05 is a test for setting the string/dec flags

DetectBytetestTestParse04 is a test for setting the string/oct flags

DetectBytetestTestParse03 is a test for setting the relative flag

DetectCotentParseTest05 test illegal escape

Check if we match contents that are in the payload but not in the same order as specified in the signature

Check that we match packets with multiple chunks and not chunks Here we should specify contents that fit and contents that must be splitted Each of them with their modifier values

Check that we match packets with multiple chunks and not chunks Here we should specify only contents that fit in 32 bytes Each of them with their modifier values

Check if we match multiple content (not splitted)

Check that we don't match the signature if one of the splitted chunks doesn't match the packet

Check if we match a splitted pattern

Check if we match a normal pattern (not splitted)

Test packet Matches

DetectCotentParseTest08 test an empty content

DetectCotentParseTest07 test an empty content

DetectCotentParseTest06 test a binary content

DetectBytetestTestParse02 is a test for setting the required opts

DetectCotentParseTest04 this is a test to make sure we can deal with escaped backslashes

DetectCotentParseTest03 this is a test to make sure we can deal with escaped double-quotes

DetectCotentParseTest02 this is a test to make sure we can deal with escaped semi-colons

DetectCotentParseTest01 this is a test to make sure we can deal with escaped colons

test propagation of depth/offset/distance/within

Check that the signatures are assigned priority based on classtype they are given.

Check that both valid and invalid classtypes in a rule are handled properly, with rules containing invalid classtypes being rejected and the ones containing valid classtypes parsed and returned.

undefined classtype

ENIP Command signature test

ENIP parameter test

DecodeVLANTest01 test if vlan header is too small.

DetectAsn1TestReal03 Ensure that all works together

DetectAsn1TestReal02 Ensure that all works together

DetectAsn1TestReal01 Ensure that all works together

Test a report Linux overlap issue that doesn't appear to be covered by the Sturges/Novak tests above.

DecodeVXLANtest02 tests default port disabled by the config.

DecodeVXLANTest01 test a good vxlan header. Contains a DNS request packet.

DecodeVNTagTest03 test a good vntag header.

DecodeVNTagt02 test if vntag header has unknown type.

DecodeVNTagTest01 test if vntag header is too small.

DecodeVLANTest02 test a good vlan header.

DecodeVLANTest02 test if vlan header has unknown type.

DetectAsn1TestReal04 like the real test 02, but modified the relative offset to check negative offset values, in this case start decoding from -7 bytes respect the content match "John"

Get the wscale, but it's missing, so see if return 0 properly

Get the wscale of 15, so see if return 0 properly

Get the wscale of 2

HOP header decode

routing header decode

fragment decoding

IPV4 defrag and flow retrieval test.

Don't send IPv4 fragments to the upper layer decoder and and packet recursion level test.

IPV4 defrag and packet recursion level test

IPV4 with RTRALT option (len invalid.

Test dce option.

DetectBytetestTestParse01 is a test to make sure that we return "something" when given valid bytetest opt

check matches of with from_end

check matches of with from_beginning (bug 626/627)

check matches of with from_beginning (bug 626/627)

check matches of with from_beginning (bug 626/627)

check matches of with from_beginning (bug 626/627)

DetectByteJumpTestPacket02 is a test to check matches of byte_jump and byte_jump relative works if the previous keyword is byte_jump (bug 165)

DetectByteJumpTestPacket01 is a test to check matches of byte_jump and byte_jump relative works if the previous keyword is pcre (bug 142)

Test file_data

Test dce option.

Test dce option.

Check if we match contents that are in the payload but not in the same order as specified in the signature

DetectBytejumpTestParse08 is a test for offset too big

DetectBytejumpTestParse07 is a test for too many string bytes to extract

DetectBytejumpTestParse06 is a test for too many bytes to extract

DetectBytejumpTestParse05 is a test for setting base without string

DetectBytejumpTestParse04 is a test for setting the optional flags with parameters

DetectBytejumpTestParse03 is a test for setting the optional flags

DetectBytejumpTestParse02 is a test for setting the required opts

DetectBytejumpTestParse01 is a test to make sure that we return "something" when given valid bytejump opt

Test that the list can be changed to post-detection lists after the base64 keyword.

Test that the rule fails to load if the detection list is changed after base64_data.

DetectDetectionFilterTestParse05 is a test for a valid detection_filter options in any order

this is a test for a valid dsize value 1

multi tx google.(com|net) query matching + app layer event

simple google.com query matching, pcre

simple google.com query matching (TCP)

multi tx google.(com|net) query matching

simple google.com query matching

DetectDistanceTestPacket01 is a test to check matches of distance works, if the previous keyword is byte_jump and content (bug 163)

drops

DetectDetectionFilterTestSig2 is a test for checking the working of detection_filter keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter keyword by setting up the signature and later testing its working by matching the received packet against the sig.

DetectDetectionFilterTestParse06 is a test for an invalid value in detection_filter

this is a test for a valid dsize value >10

DetectDetectionFilterTestParse04 is a test for an invalid detection_filter options in any order

DetectDetectionfilterTestParse03 is a test for a valid detection_filter options in any order

DetectDetectionFilterTestParse02 is a test for a invalid detection_filter options

DetectDetectionFilterTestParse01 is a test for a valid detection_filter options

Test a valid dce_stub_data with just a request frag.

Test a valid dce_stub_data entry with bind, bind_ack, request frags.

within and distance

Test negation in combination with within and depth

Test negation in combination with within and depth

A negative test that checks the combined use of content and negated content, in the presence of distance

A positive test that checks the combined use of content and negated content, in the presence of distance

this is a test for negative ! dsize matching

Test content for dce sig.

Test content for dce sig.

Test the working of byte_jump endianness.

Test the working of byte_jump endianness.

Test the working of byte_jump endianness.

Test the working of byte_test endianness.

Test the working of byte_test endianness.

Test the working of byte_test endianness.

recursion limit

that address range sets proper start address

DetectDsizeIcmpv6Test01 is a test for checking the working of dsize keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.

A negative test that checks the combined use of content and negated content, in the presence of within

this is a test for positive ! dsize matching

this is a test for invalid dsize values A, >10<>10, <>10, 1<>, "", " ", 2<>1, 1!

this is a test for a valid dsize value ! 1

this is a test for a valid dsize value !1

test for a valid dsize value 12

test for a valid dsize value < 12

this is test for a valid dsize value > 2

this is a test for a valid dsize value 1 <> 3

this is a test for a valid dsize value 1<>3

this is a test for a valid dsize value <100

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test

Parsing test: file_data

Parsing test

Parsing test

Parsing test

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test cases where if within specified is < content length we invalidate the sig.

Check if we match two contents of length 1

Check if we match two consecutive simple contents

Check if we match contents that are in the payload but not in the same order as specified in the signature

A positive test that uses a combination of content string with negated content string

A positive test that checks the combined use of 2 contents in the presence of within

A negative test that checks the use of negated content along with the presence of depth

A positive test that checks the combined use of content and negated content, in the presence of within

A negative test that checks the combined use of content and negated content, in the presence of within

A negative test that checks the combined use of content and negated content, with the content not being present

A negative test that checks the combined use of content and negated content with the use of distance

A positive test that checks the combined use of content and negated content with the use of distance

A negative test that checks the combined use of content and negated content with the use of within

A positive test that checks that we don't have a negated content within the specified length from the previous content match.

A negative test that uses a combination of content string with negated content string, with we receiving a failure of first content's offset condition

A negative test that uses a combination of content string with negated content string, with we receiving a failure for 'onee' itself.

IPV4 with RTRALT option.

A negative test that checks that the content string doesn't contain the negated content after the specified offset and within the specified depth.

A negative test that checks that the content string doesn't contain the negated content within the specified depth, and also after the specified offset. Since the content is there, the match fails.

A positive test that checks that the content string doesn't contain the negated content within the specified depth

crash condition: as packet has no direction, it defaults to toclient in stream ctx inspection of packet. There a null ptr deref happens We don't care about the match/nomatch here.

A positive test that checks that the content string doesn't contain the negated content

Parsing test to check for unescaped quote within content section

Parsing test: file_data, distance relative to file_data

Parsing test: file_data, within relative to file_data

Parsing test: file_data

Parsing test: file_data

Test + char in query. Bug 1035

Test response not HTTP

Test response not HTTP

Test response not HTTP

Test unusual delims in request line HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG

Test really long request (same as HTPParserTest14), now with config update to allow it

Test really long request, this should result in HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG

BG crash

BG box crash – chunks are messed up. Observed for real.

Test 'proxy' URI normalization. Ticket 1008

Test 'proxy' URI normalization. Ticket 1008

Test + char in query. Bug 1035

Test response not HTTP

Test \ char in query profile IDS. Bug 739

Test http:// in query profile IDS

Test %2f decoding in profile IDS with double-decode-* options

Test %2f decoding in profile IDS

Test %2f decoding in profile Apache_2_2

Test traffic is handled by the correct htp config

Test config builds radix correctly

Test basic config

Host:www.google.com0dName: Value0d0a <- missing space between name:value (rfc violation)

double encoding in query

double encoding in path

Modbus fragmentation - 1 ADU over 2 TCP packets.

Test the deallocation of app layer parser memory on occurance of error in the parsing process for UDP.

Test the deallocation of app layer parser memory on occurance of error in the parsing process.

Send Modbus invalid function.

Checks if stream_depth is correct

Send invalid Modbus Mask Write register request.

Send invalid Modbus Mask Write register request.

Send Modbus Write single register request/response.

Send Modbus Mask Write register request/response.

Send Modbus invalid PDU Length.

Send Modbus exceed Length request.

Modbus fragmentation - 2 ADU in 1 TCP packet.

Host:www.google.com <- missing space between name:value (rfc violation)

Send Modbus Read Coils request and error response with Exception code invalid.

Send Modbus invalid Length request.

Send Modbus unsolicited response.

Send Modbus invalid Protocol version in request.

Send Modbus Force Listen Only Mode request.

Send Modbus Read/Write Multiple registers request/response with mismatch value.

Send Modbus Write Multiple registers request/response.

Send Modbus Read Coils request/response.

multi transactions and cleanup

Test response not HTTP

The conversion of length with CRCs to the length without CRCs.

Send a get request in one chunk.

Test the decode of a DNP3 fragment with a single 70:3 object.

Test the parsing of a request PDU.

Test multiple DNP3 frames in one TCP read.

Test parsing of partial frames.

Test flood state.

Test an unsolicited response from an outstation.

Test a basic request/response.

Test the probing parser.

Test removal of CRCs from user data.

Test the validation of the link header CRC.

Send a split get request.

Test the link layer length calculation.

Test validation of all CRCs in user data.

Test CRC checking on partial and full blocks.

test if the engine detect the proto and doesn't match because the packet has another proto (ex ftp)

test if the engine detect the proto and doesn't match because the sig expects another proto (ex ftp)

test if the engine detect the proto on a non standar port and match with it

test if the engine detect the proto and match with it

What about if we add some sigs only for udp calling it for UDP? It should detect ALPROTO_HTTP1 (over udp). This is just a check to ensure that TCP/UDP differences work correctly.

What about if we add some sigs only for udp but call for tcp? It should not detect any proto

AlpProtoSignature test

Test case where chunks are sent in smaller chunks and check the response of the parser from HTP library.

Abort

Abort

Test proper chunked encoded response body

Test both sides of a http stream mixed up to see if the HTP parser properly parsed them and also keeps them separated.

Test case where invalid data is sent and check the response of the parser from HTP library.

Test case where method is invalid and data is sent in smaller chunks and check the response of the parser from HTP library.

See how it deals with an incomplete request.

Test case where chunks are sent in smaller chunks and check the response of the parser from HTP library.

Test folding in 1byte per read case

Test folding in 1 read case

multi transactions and cleanup

filedata cut in two pieces

empty entries

invalid header: Somereallylongheaderstr: has no value

POST, but not multipart

first multipart part contains file but doesn't end in first chunk

Supply STOR without a filename

Supply RETR without a filename

Test case where chunks are smaller than the delim length and the last chunk is supposed to match the delim.

See how it deals with an incomplete request in multiple chunks.

See how it deals with an incomplete request.

icmpv6 message type: packet too big, invalid packet

IPV4 with RR option (len too large).

IPV4 with RR option.

IPV4 with NOP option.

IPV4 with EOL option.

IPV4 with no options.

Test for valid ICMPv6 checksum when the FCS is still attached.

icmpv6 packet decoding and setting up of payload_len and payload buufer

icmpv6 message type: echo reply, invalid packet

icmpv6 message type: echo request, invalid packet

icmpv6 message type: destination unreach, invalid packet

icmpv6 message type: time exceed, invalid packet

IPV4 with RR option (ptr too large).

icmpv6 message type: parameter problem, invalid packet

icmpv6 message type: echo reply, valid packet

icmpv6 message type: echo request, valid packet

icmpv6 message type: destination unreach, valid packet

icmpv6 message type: time exceed, valid packet

icmpv6 message type: packet too big, valid packet

icmpv6 message type: parameter problem, valid packet

DecodeGRETest03 is a test for valid gre packet

DecodeGRETest02 is a test for wrong gre version

DecodeGRETest01 is a test for small gre packet

DecodeGeneveTest05 tests if Geneve header has inconsistent option len values.

IPV4 with ESEC option (invalid length).

IPV4 with SSRR option (ptr not in 4 byte increment).

IPV4 with SSRR option (ptr too large).

IPV4 with SSRR option (len too large).

IPV4 with SSRR option.

IPV4 with SID option (len invalid.

IPV4 with SID option.

IPV4 with CIPSO option.

IPV4 with LSRR option (ptr not in 4 byte increment).

IPV4 with LSRR option (ptr too large).

IPV4 with LSRR option (len too large).

IPV4 with LSRR option.

DecodeGeneveTest04 tests default port disabled by the config.

IPV4 with ESEC option.

IPV4 with SEC option (invalid length).

IPV4 with SEC option.

IPV4 with TS option (ptr not valid).

IPV4 with TS option (ptr too large).

IPV4 with TS option (ptr too small).

IPV4 with TS option.

IPV4 with QS option (len too small)

IPV4 with QS option.

IPV4 with RR option (ptr not in 4 byte increment).

Send a version banner in three chunks.

Really long banner handling: banner exactly 255, followed by malformed record

Really long banner handling: bannel exactly 255

2 directional test

Send toserver a banner and 2 records record in four chunks.

Send toserver a banner and record in three chunks.

Send a banner and 2 records record in four chunks.

Send a banner and 2 records record in four chunks.

Send a banner and 2 records record in four chunks.

Send a banner and 2 records record in four chunks.

Send a banner and record in three chunks.

Send a version banner in three chunks.

Fragmented banner handling: chunk has final part of bannel plus a record.

Send a invalid version string in one chunk (server version str)

Send a version string in one chunk (server version str)

Send a version string in one chunk (server version str).

Send a invalid version string in one chunk but multiple lines and comments. (client version str)

Send a version string in one chunk but multiple lines and comments. (client version str)

Send a version string in one chunk (client version str).

Test DATA command w/MIME message.

Test multiple DATA commands(full mail transactions).

Testing parsing pipelined commands.

Test multiple DATA commands(full mail transactions).

GET -> DCERPC

DecodeGeneveTest03 tests a good Geneve header with 16-bytes of options. Contains a IPv4 DNS request packet with a VLAN tag after the Ethernet frame. In practice, this probably won't be used but it should be support either way.

DecodeGeneveTest02 tests a good Geneve header with 16-bytes of options. Contains a IPv4 DNS request packet.

DecodeGeneveTest01 tests a good Geneve header with 16-bytes of options. Contains a Ethernet+IPv6 DHCP request packet.

Failure decoding, no data

Failure decoding, not enough data

Successful decoding, with payload data

Successful decoding

RUBBISH(TC - PM and PP DONE) -> RUBBISH(TS - PM and PP NOT DONE) -> RUBBISH(TS - PM and PP DONE)

RUBBISH(TC - PM and PP DONE) -> RUBBISH(TS - PM and PP DONE)

RUBBISH(TC - PM and PP NOT DONE) -> RUBBISH(TC - PM and PP DONE) -> RUBBISH(TS - PM and PP DONE)

SMB -> HTTP/1.1

Test content for dce sig.

HTTP/1.1 -> GET

RUBBISH -> HTTP/1.1

GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).

GET -> RUBBISH(PM AND PP DONE IN ONE GO)

GE -> T -> HTTP/1.1

GET -> HTTP/1.1

Send a malformed banner

Send a version string in one chunk (client version str).

Send a version string in one chunk (client version str).

Fragmented banner handling: chunk has final part of bannel plus a record.

Negative test.

DetectIsdataatTestPacket02 is a test to check matches of isdataat, and isdataat relative works if the previous keyword is pcre (bug 144)

DetectIsdataatTestPacket01 is a test to check matches of isdataat, and isdataat relative

Test isdataat option for dce sig.

Test isdataat option for dce sig.

DetectIsdataatTestParse03 is a test to make sure that we return a correct IsdataatData structure when given valid isdataat opt

DetectIsdataatTestParse02 is a test to make sure that we return a correct IsdataatData structure when given valid isdataat opt

DetectIsdataatTestParse01 is a test to make sure that we return a correct IsdataatData structure when given valid isdataat opt

Negative test.

Negative test.

Negative test.

Negative test.

DetectIsdataatTestPacket03 is a test to check matches of isdataat, and isdataat relative works if the previous keyword is byte_jump (bug 146)

Negative test.

Negative test.

Negative test.

DetectIPProtoTestSetup05 is a test for a ! operator

DetectIPProtoTestSetup04 is a test for a > operator

DetectIPProtoTestSetup03 is a test for a < operator

DetectIPProtoTestSetup02 is a test for a protocol name

DetectIPProtoTestSetup01 is a test for a protocol number

DetectIPProtoTestParse02 is a test for an invalid proto name

DetectIPProtoTestParse01 is a test for an invalid proto number

IpOptsTestParse04 test the match function on a packet that needs to not match

DetectL3protoTestSig01 is a test for checking the working of ttl keyword by setting up the signature and later testing its working by matching the received packet against the sig.

MQTTConnectFlagsTestParse01 is a test for a valid value

MQTTConnackSessionPresentTestParse04 is a test for an invalid value

MQTTConnackSessionPresentTestParse03 is a test for an invalid value

MQTTConnackSessionPresentTestParse02 is a test for an invalid value

MQTTConnackSessionPresentTestParse01 is a test for a valid value

MarkTestParse04 is a test for a invalid mark value

MarkTestParse03 is a test for a valid mark value

MarkTestParse02 is a test for an invalid mark value

MarkTestParse01 is a test for a valid mark value

DetectL3protoTestSig03 is a test for checking the working of l3proto keyword in conjonction with ip_proto keyword.

DetectL3protoTestSig02 is a test for checking the working of l3proto keyword by setting up the signature and later testing its working by matching the received IPv6 packet against the sig.

IpOptsTestParse03 test the match function on a packet that needs to match

description of the test

description of the test

DetectITypeParseTest08 is a test for setting an invalid itype value

DetectITypeParseTest07 is a test for setting a valid itype value with "<>" operator and spaces all around

DetectITypeParseTest06 is a test for setting a valid itype value with ">" operator and spaces all around

DetectITypeParseTest05 is a test for setting a valid itype value with spaces all around

DetectITypeParseTest04 is a test for setting a valid itype value with "<>" operator

DetectITypeParseTest03 is a test for setting a valid itype value with "<" operator

DetectITypeParseTest02 is a test for setting a valid itype value with ">" operator

DetectITypeParseTest01 is a test for setting a valid itype value

GidTestParse02 is a test for an invalid gid value

DetectIcmpIdParseTest05 is a test for setting an invalid icmp_id value with missing quotation marks

DetectIcmpIdParseTest04 is a test for setting a valid icmp_id value with quotation marks and spaces all around

DetectIcmpIdParseTest03 is a test for setting a valid icmp_id value with quotation marks

DetectIcmpIdParseTest02 is a test for setting a valid icmp_id value with spaces all around

DetectIcmpIdParseTest01 is a test for setting a valid icmp_id value

Test that a signature containting a http_response_line is correctly parsed and the keyword is registered.

Test that a signature containting a http_request_line is correctly parsed and the keyword is registered.

HostBitsTestSig03 is a test check idx value

various options

HostBitsTestSig01 is a test for a valid noalert flowbits option

Test a gid consisting of a single quote.

DetectIcmpIdMatchTest01 is a test for checking the working of icmp_id keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.

GidTestParse01 is a test for a valid gid value

Check the ftpbounce match

Check the ftpbounce match, send a get request in three chunks

  • more data.

DetectFtpbounceTestSetup01 is a test for the Setup ftpbounce

DetectFragOffsetMatchTest01 is a test for checking the working of fragoffset keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.

DetectFragOffsetParseTest03 is a test for setting an invalid fragoffset value

DetectFragOffsetParseTest02 is a test for setting a valid fragoffset value with spaces all around

DetectFragOffsetParseTest01 is a test for setting a valid fragoffset value

FragBitsTestParse04 test if DONT FRAG is not set. Must fails.

FragBitsTestParse03 test if DONT FRAG is set. Must return success

DetectICodeParseTest07 is a test for setting a valid icode value with "<>" operator and spaces all around

IpOptsTestParse02 is a test for an invalid ipopts value

IpOptsTestParse01 is a test for a valid ipopts value

IKEChosenSaParserTest is a test for valid values

DetectIdTestSig01

DetectIdTestParse04 is a test to make sure that we parse the "id" option correctly when given valid id option but wrapped with "'s <p> \anchor _test000599 DetectIdTestParse03 is a test to make sure that we parse the "id" option correctly when given an invalid id option it should return id_d = NULL

DetectIdTestParse02 is a test to make sure that we parse the "id" option correctly when given an invalid id option it should return id_d = NULL

DetectIdTestParse01 is a test to make sure that we parse the "id" option correctly when given valid id option

DetectICodeMatchTest01 is a test for checking the working of icode keyword by creating 5 rules and matching a crafted packet against them. 4 out of 5 rules shall trigger.

DetectICodeParseTest09 is a test for setting an invalid icode value with "<<" operator

DetectICodeParseTest08 is a test for setting an invalid icode value

MQTTConnectFlagsTestParse02 is a test for an invalid value

DetectICodeParseTest06 is a test for setting a valid icode value with ">" operator and spaces all around

DetectICodeParseTest05 is a test for setting a valid icode value with spaces all around

DetectICodeParseTest04 is a test for setting a valid icode value with "<>" operator

DetectICodeParseTest03 is a test for setting a valid icode value with "<" operator

DetectICodeParseTest02 is a test for setting a valid icode value with ">" operator

DetectICodeParseTest01 is a test for setting a valid icode value

DetectIcmpSeqParseTest03 is a test for setting an invalid icmp_seq value

DetectIcmpSeqParseTest02 is a test for setting a valid icmp_seq value with spaces all around

DetectIcmpSeqParseTest01 is a test for setting a valid icmp_seq value

DetectIcmpIdMatchTest02 is a test for checking the working of icmp_id keyword by creating 1 rule and matching a crafted packet against them. The packet is an ICMP packet with no "id" field, therefore the rule should not trigger.

Direction operator validation (invalid)

Ensure that we set a bidirectional Signature correctly and we install it with the rest of the signatures, checking also that it match with the correct addr directions

Ensure that we set a bidirectional Signature correctly

Ensure that we don't set bidirectional in a normal (one direction) Signature

Direction operator validation (valid)

Direction operator validation (valid)

Direction operator validation (invalid)

Direction operator validation (invalid)

Direction operator validation (invalid)

Direction operator validation (invalid)

Direction operator validation (invalid)

Direction operator validation (invalid)

Ensure that we set a bidirectional Signature correctly and we install it with the rest of the signatures, checking also that it match with the correct addr directions

rule ending in carriage return

address parsing

address parsing

rev value too large. Related to bug #779

gid value too large. Related to bug #779

sid value too large. Bug #779

packet/stream sig

packet/stream sig

packet/stream sig

packet/stream sig

packet/stream sig

test tls (app layer) rule

DetectPcreParseTest09 make sure we parse pcre with a content that has slashes

DetectPcreParseTest08 make sure we parse pcre with O opts

DetectPcreParseTest07 make sure we parse pcre with /Ui opts

DetectPcreParseTest06 make sure we parse pcre with smi opts

DetectPcreParseTest05 make sure we parse pcre with no opts

DetectPcreParseTest04 make sure we allow escaped "

DetectPcreParseTest03 make sure we don't allow invalid opts UZi.

DetectPcreParseTest02 make sure we don't allow invalid opts Ui$.

DetectPcreParseTest01 make sure we don't allow invalid opts 7.

test tls (app layer) rule

test tls (app layer) rule

file_data with rawbytes

mpm

mpm

check valid negation bug 1079

check that we don't allow invalid negation options

check that we don't allow invalid negation options

check that we don't allow invalid negation options

check that we don't allow invalid negation options

check that we don't allow invalid negation options

check that we don't allow invalid negation options

check that we don't allow invalid negation options

MQTTProtocolVersionTestParse03 is a test for an invalid value

MQTTTypeTestParse03 is a test for an invalid value

MQTTTypeTestParse02 is a test for a valid value

MQTTTypeTestParse01 is a test for a valid value

MQTTReasonCodeTestParse04 is a test for an invalid value

MQTTReasonCodeTestParse03 is a test for an invalid value

MQTTReasonCodeTestParse02 is a test for an invalid value

MQTTReasonCodeTestParse01 is a test for a valid value

MQTTQosTestParse04 is a test for an invalid value

MQTTQosTestParse02 is a test for an invalid value

MQTTQosTestParse01 is a test for a valid value

MQTTProtocolVersionTestParse04 is a test for an invalid value

This is a test for a valid value 1430000000.

MQTTProtocolVersionTestParse02 is a test for a valid value

MQTTProtocolVersionTestParse01 is a test for a valid value

MQTTFlagsTestParse05 is a test for an invalid value

MQTTFlagsTestParse04 is a test for an invalid value

MQTTFlagsTestParse03 is a test for an invalid value

MQTTFlagsTestParse02 is a test for a valid value

MQTTFlagsTestParse01 is a test for a valid value

MQTTConnectFlagsTestParse05 is a test for an invalid value

MQTTConnectFlagsTestParse04 is a test for an invalid value

MQTTConnectFlagsTestParse03 is a test for an invalid value

This is a test for a valid value 1430000000 <> 1490000000.

Parsing sig with trailing space(s) as reported by Morgan Cox on oisf-users.

Parsing duplicate sigs.

Parsing duplicate sigs.

Parsing duplicate sigs.

Parsing duplicate sigs.

Parsing bug debugging at 2010-03-18

Port validation

SigParseTest03 test for invalid direction operator in rule

This is a test for a valid value 1490000000.

This is a test for a valid value < 1490000000.

This is a test for a valid value > 1430000000.

FragBitsTestParse02 is a test for an invalid fragbits value

This is a test for a invalid value 1490000000<>1430000000.

This is a test for a invalid value " ".

This is a test for a invalid value "".

This is a test for a invalid value <>1430000000.

This is a test for a invalid value 1430000000<>.

This is a test for a invalid value >1430000000<>1470000000.

This is a test for a invalid value A.

This is a test for a valid value 1430000000<>1470000000.

This is a test for a valid value <1430000000.

This is a test for a valid value >1430000000.

Check if a negated port range is properly fragmented in the allowed real groups

ProtoTestParse03 is a test to make sure that we parse the protocol correctly, when given "ip" as proto option.

ProtoTestParse02 is a test to make sure that we parse the protocol correctly, when given "tcp" as proto option.

ProtoTestParse01 is a test to make sure that we parse the protocol correctly, when given valid proto option.

Test merging negated port groups

Test merging port groups

Test first port of range being too big

Test second port of range being just right

Test second port of range being too big

Test we don't allow a port that is too big

Check if we autocomplete correctly an open range

Check if we dont allow invalid port range specification

ProtoTestParse04 is a test to make sure that we do not parse the protocol, when given an invalid proto option.

Check if a negated port range is properly fragmented in the allowed real groups, ex !80:81 should allow 0:79 and 82:65535

Check if a negated port range is properly allocated in the DetectPort

Check if two port ranges are properly allocated in the DetectPort group

Check if two ports are properly allocated in the DetectPort group

Check if a DetectPort is properly allocated

Test byte_extract.

Test byte_test.

Test byte_jump.

Test pcre recursive matching - bug #529

normal & negated matching, both absolute and relative

Used to check the working of recursion_limit counter.

Check if SigGroupHeadBuildMatchArray(), correctly updates the match array with the sids.

host tagging: seconds

host tagging: packets

multiple files in a tx. Both files should match. No other matches.

multiple files in a tx. Both files should match

multiple files in a tx

multiple pipelined http transactions

Bug 1061

Order with a different Action priority (as specified from config)

Order with a different Action priority (as specified from config)

Order with a different Action priority (as specified from config)

ICMP(?) sig grouping bug.

Test invalid sig.

Check if SigGroupHeadCopySigs(), correctly copies the sig_array from the source to the destination SigGroupHead.

Check if a SigGroupHeadAppendSig(), correctly appends a sid to a SigGroupHead() and SigGroupHeadContainsSigId(), correctly indicates the presence of a sid and SigGroupHeadClearSigs(), correctly clears the SigGroupHead->sig_array and SigGroupHead->sig_cnt.

Check if a SigGroupHeadAppendSig() correctly appends a sid to a SigGroupHead() and SigGroupHeadContainsSigId() correctly indicates the presence of a sid.

Check if a SigGroupHead hash table is properly allocated and deallocated when calling SigGroupHeadHashInit() and SigGroupHeadHashFree() respectively.

signature parsing with tcp-pkt and tcp-stream

DetectrotoTestSetup02 is a test for a icmpv4 and icmpv6 protocol setting up in signature.

DetectIPProtoTestSetup01 is a test for a protocol setting up in signature.

make sure that we properly parse tcp-stream

make sure that we properly parse tcp-pkt

ProtoTestParse05 is a test to make sure that we do not parse the protocol, when given an invalid proto option.

Test content for dce sig.

EngineEventTestParse05 is a test for an invalid char into the decode-event value

EngineEventTestParse04 is a test for an invalid upper case decode-event value

EngineEventTestParse03 is a test for a valid upper case decode-event value

EngineEventTestParse02 is a test for a valid upper + lower case decode-event value

EngineEventTestParse01 is a test for a valid decode-event value

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

EngineEventTestParse06 is a test for match function with valid decode-event value

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

Test content for dce sig.

build IP-only tree

Test invalid sig.

Test invalid sig.

Test pcre recursive matching.

Test multiple relative matches with negative matches and show the need for det_ctx->discontinue_matching.

Test multiple relative matches.

Test multiple relative matches.

Test multiple relative matches.

Test multiple relative matches.

Negative distance matching

Nocase matching

Not the first but the second occurence of "abc" should be used for the 2nd match

host tagging: bytes

Test a set of ip only signatures making use a lot of addresses for src and dst (none should match) with ipv4 and ipv6 mixed

Test a set of ip only signatures making use a lot of addresses for src and dst (none should match)

Test a set of ip only signatures making use a lot of addresses for src and dst (all should match)

Test a set of ip only signatures making use a lot of addresses for src and dst (none should match)

Test a set of ip only signatures making use a lot of addresses for src and dst (none should match)

Test a set of ip only signatures making use a lot of addresses for src and dst (all should match)

check that we set don't set a Signature as IPOnly because it has rule options appending a SigMatch like content, and pcre

check that we don't set a Signature as IPOnly because it has no rule option appending a SigMatch but a port is fixed

check that we set a Signature as IPOnly because it has no rule option appending a SigMatch and no port is fixed

Test that parsing of only_frag and no_frag together fails.

DetectFlowintTestParseVal01 is a test to make sure that we set the DetectFlowint correctly for setting a valid target value

FlowBitsTestSig08 is a test toogle flowbits option

FlowBitsTestSig07 is a test unset flowbits option

FlowBitsTestSig06 is a test set flowbits option

FlowBitsTestSig05 is a test check noalert flag

FlowBitsTestSig04 is a test check idx value

FlowBitsTestSig03 is a test for a invalid flowbits option

FlowBitsTestSig02 is a test for a valid isset,set,isnotset,unset,toggle flowbits options

FlowBitsTestSig01 is a test for a valid noalert flowbits option

Test only_frag matching.

Test no_frag matching.

DetectFlowintTestParseVar01 is a test to make sure that we set the DetectFlowint correctly for setting a valid target variable

Test parsing of the "only_frag" flow argument.

Test parsing of the "no_frag" flow argument.

Test parsing of the not_established keyword.

DetectFlowTestParse21 is a test for an invalid opt between to valid opts

DetectFlowTestParse20 is a test for setting from_server, established, no_stream

DetectFlowTestParse20 is a test for setting from_server, established, no_stream

DetectFlowTestParse19 is a test for one to many options passed to DetectFlowParse

DetectFlowTestParseNocase18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)

DetectFlowTestParse18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)

DetectFlowTestParse16 is a test for an invalid combo of options to_client,from_server flowbit flags are the same

DetectFlowTestParse16 is a test for an invalid combo of options to_client,to_server

DetectFlowintTestParseVal07 is a test to make sure that we set the DetectFlowint correctly for cheking if greater or equal than a valid target value

FragBitsTestParse01 is a test for a valid fragbits value

DetectFlowintTestPacket03Real

DetectFlowintTestPacket02Real

DetectFlowintTestPacket01Real

DetectFlowintTestParseInvalidSyntaxis01 is a test to make sure that we dont set the DetectFlowint for a invalid input option

DetectFlowintTestParseVar09 is a test to make sure that handle the isset keyword correctly

DetectFlowintTestParseVar09 is a test to make sure that we set the DetectFlowint correctly for checking if lower than a valid target variable

DetectFlowintTestParseVal09 is a test to make sure that we set the DetectFlowint correctly for cheking if lower than a valid target value

DetectFlowintTestParseVar08 is a test to make sure that we set the DetectFlowint correctly for checking if lower or equal than a valid target variable

DetectFlowintTestParseVal08 is a test to make sure that we set the DetectFlowint correctly for cheking if lower or equal than a valid target value

DetectFlowintTestParseVar07 is a test to make sure that we set the DetectFlowint correctly for checking if greater or equal than a valid target variable

DetectFlowTestParse15 is a test for an invalid combo of options established,stateless

DetectFlowintTestParseVar06 is a test to make sure that we set the DetectFlowint correctly for checking if greater than a valid target variable

DetectFlowintTestParseVal06 is a test to make sure that we set the DetectFlowint correctly for cheking if greater than a valid target value

DetectFlowintTestParseVar05 is a test to make sure that we set the DetectFlowint correctly for checking if not equal to a valid target variable

DetectFlowintTestParseVal05 is a test to make sure that we set the DetectFlowint correctly for cheking if not equal to a valid target value

DetectFlowintTestParseVar04 is a test to make sure that we set the DetectFlowint correctly for checking if equal to a valid target variable

DetectFlowintTestParseVal04 is a test to make sure that we set the DetectFlowint correctly for checking if equal to a valid target value

DetectFlowintTestParseVar03 is a test to make sure that we set the DetectFlowint correctly for substract a valid target variable

DetectFlowintTestParseVal03 is a test to make sure that we set the DetectFlowint correctly for substract a valid target value

DetectFlowintTestParseVar02 is a test to make sure that we set the DetectFlowint correctly for adding a valid target variable

DetectFlowintTestParseVal02 is a test to make sure that we set the DetectFlowint correctly for adding a valid target value

Test parser accepting valid rules and rejecting invalid rules

DetectFlowTestParse02 is a test for setting the established flow opt

DetectFlowTestParse01 is a test to make sure that we return "something" when given valid flow opt

DetectFilesizeSetpTest01 is a test for setting up an valid filesize values with valid "<>" operator and include spaces arround the given values. In the test the values are setup with initializing the detection engine context and setting up the signature itself.

Test the Filesize keyword setup

Test the Filesize keyword setup

Test the Filesize keyword setup

Test the Filesize keyword setup

Test the Filesize keyword setup

DetectFilenameTestParse03

DetectFilenameTestParse02

DetectFilenameTestParse01

DetectFlowTestParse03 is a test for setting the stateless flow opt

DetectFileextTestParse03

DetectFileextTestParse02

DetectFileextTestParse01

Checks to make sure that other sigs work that should when fast_pattern is inspecting on the same payload

Checks if a fast_pattern is registered in a Signature

bug 892 bad values

session tagging: bytes, where a 2nd match makes us tag more

session tagging: bytes

session tagging: seconds

session tagging: packets

DetectFlowTestParseNocase03 is a test for setting the stateless flow opt

DetectFlowTestParse14 is a test for a empty option

DetectFlowTestParse13 is a test for an invalid option

DetectFlowTestParse12 is a test for setting an invalid seperator :

DetectFlowTestParseNocase11 is a test for setting the from_server,stateless flow opts with spaces all around

DetectFlowTestParseNocase10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)

DetectFlowTestParseNocase09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)

DetectFlowTestParseNocase08 is a test for setting the established,to_client flow opts

DetectFlowTestParseNocase07 is a test for setting the from_client flow opt

DetectFlowTestParseNocase06 is a test for setting the from_server flow opt

DetectFlowTestParseNocase05 is a test for setting the to_server flow opt

DetectFlowTestParseNocase04 is a test for setting the to_client flow opt

Why we still get http for connect... obviously because we also match on the reply, duh

DetectFlowTestParseNocase02 is a test for setting the established flow opt

DetectFlowTestParseNocase01 is a test to make sure that we return "something" when given valid flow opt

DetectFlowTestParse11 is a test for setting the from_server,stateless flow opts with spaces all around

DetectFlowTestParse10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)

DetectFlowTestParse09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)

DetectFlowTestParse08 is a test for setting the established,to_client flow opts

DetectFlowTestParse07 is a test for setting the from_client flow opt

DetectFlowTestParse06 is a test for setting the from_server flow opt

DetectFlowTestParse05 is a test for setting the to_server flow opt

DetectFlowTestParse04 is a test for setting the to_client flow opt