suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #ifdef UNITTESTS
19 
20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../detect-engine-build.h"
25 #include "../pkt-var.h"
26 #include "../flow-util.h"
27 #include "../stream-tcp-reassemble.h"
28 #include "../util-unittest.h"
29 #include "../util-var-name.h"
30 #include "../util-unittest-helper.h"
31 
32 static const char *dummy_conf_string =
33  "%YAML 1.1\n"
34  "---\n"
35  "\n"
36  "default-log-dir: /var/log/suricata\n"
37  "\n"
38  "logging:\n"
39  "\n"
40  " default-log-level: debug\n"
41  "\n"
42  " default-format: \"<%t> - <%l>\"\n"
43  "\n"
44  " default-startup-message: Your IDS has started.\n"
45  "\n"
46  " default-output-filter:\n"
47  "\n"
48  " output:\n"
49  "\n"
50  " - interface: console\n"
51  " log-level: info\n"
52  "\n"
53  " - interface: file\n"
54  " filename: /var/log/suricata.log\n"
55  "\n"
56  " - interface: syslog\n"
57  " facility: local5\n"
58  " format: \"%l\"\n"
59  "\n"
60  "pfring:\n"
61  "\n"
62  " interface: eth0\n"
63  "\n"
64  " clusterid: 99\n"
65  "\n"
66  "vars:\n"
67  "\n"
68  " address-groups:\n"
69  "\n"
70  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
71  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
72  "\n"
73  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
74  "\n"
75  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
76  "\n"
77  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
78  "\n"
79  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
80  "\n"
81  " DNS_SERVERS: any\n"
82  "\n"
83  " TELNET_SERVERS: any\n"
84  "\n"
85  " AIM_SERVERS: any\n"
86  "\n"
87  " port-groups:\n"
88  "\n"
89  " HTTP_PORTS: \"80:81,88\"\n"
90  "\n"
91  " SHELLCODE_PORTS: 80\n"
92  "\n"
93  " ORACLE_PORTS: 1521\n"
94  "\n"
95  " SSH_PORTS: 22\n"
96  "\n";
97 
98 static int SigTest01 (void)
99 {
100  uint8_t *buf = (uint8_t *)
101  "GET /one/ HTTP/1.1\r\n"
102  "Host: one.example.org\r\n"
103  "\r\n\r\n"
104  "GET /two/ HTTP/1.1\r\n"
105  "Host: two.example.org\r\n"
106  "\r\n\r\n";
107  uint16_t buflen = strlen((char *)buf);
108  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
109  int result = 0;
110 
111  char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
112  if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
113  result = 0;
114  goto end;
115  }
116 #if 0
117  //printf("URI0 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[0], p.http_uri.raw_size[0]);
118  //printf("URI1 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[1], p.http_uri.raw_size[1]);
119 
120  if (p->http_uri.raw_size[0] == 5 &&
121  memcmp(p->http_uri.raw[0], "/one/", 5) == 0 &&
122  p->http_uri.raw_size[1] == 5 &&
123  memcmp(p->http_uri.raw[1], "/two/", 5) == 0)
124  {
125  result = 1;
126  }
127 
128 #endif
129  result = 1;
130 end:
131  if (p != NULL)
132  UTHFreePacket(p);
133  return result;
134 }
135 
136 static int SigTest02 (void)
137 {
138  uint8_t *buf = (uint8_t *)
139  "GET /one/ HTTP/1.1\r\n"
140  "Host: one.example.org\r\n"
141  "\r\n\r\n"
142  "GET /two/ HTTP/1.1\r\n"
143  "Host: two.example.org\r\n"
144  "\r\n\r\n";
145  uint16_t buflen = strlen((char *)buf);
146  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
147  char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
148  int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
149  UTHFreePacket(p);
150  return ret;
151 }
152 
153 static int SigTest03 (void)
154 {
155  uint8_t *buf = (uint8_t *)
156  "GET /one/ HTTP/1.1\r\n"
157  "Host: one.example.org\r\n"
158  "\r\n\r\n"
159  "GET /two/ HTTP/1.1\r\n"
160  "Host: two.example.org\r\n"
161  "\r\n\r\n";
162  uint16_t buflen = strlen((char *)buf);
163  Packet *p = NULL;
164  ThreadVars th_v;
165  DetectEngineThreadCtx *det_ctx = NULL;
166  int result = 0;
167 
168  memset(&th_v, 0, sizeof(th_v));
169 
170  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
171 
173  if (de_ctx == NULL) {
174  goto end;
175  }
176 
177  de_ctx->flags |= DE_QUIET;
178 
179  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
180  if (de_ctx->sig_list == NULL) {
181  result = 0;
182  goto end;
183  }
184 
186  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
187 
188  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
189  if (PacketAlertCheck(p, 1))
190  result = 1;
191 
194 
195  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
197 end:
198  UTHFreePackets(&p, 1);
199  return result;
200 }
201 
202 static int SigTest04 (void)
203 {
204  uint8_t *buf = (uint8_t *)
205  "GET /one/ HTTP/1.1\r\n" /* 20*/
206  "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
207  "\r\n\r\n" /* 4 */
208  "GET /two/ HTTP/1.1\r\n" /* 20 */
209  "Host: two.example.org\r\n" /* 23 */
210  "\r\n\r\n"; /* 4 */
211  uint16_t buflen = strlen((char *)buf);
212 
213  Packet *p = NULL;
214  ThreadVars th_v;
215  DetectEngineThreadCtx *det_ctx = NULL;
216  int result = 0;
217 
218  memset(&th_v, 0, sizeof(th_v));
219 
220  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
221 
223  if (de_ctx == NULL) {
224  goto end;
225  }
226 
227  de_ctx->flags |= DE_QUIET;
228 
229  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
230  if (de_ctx->sig_list == NULL) {
231  result = 0;
232  goto end;
233  }
234 
236  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
237 
238  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
239  if (PacketAlertCheck(p, 1))
240  result = 1;
241 
244 
245  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
247 end:
248  UTHFreePackets(&p, 1);
249  return result;
250 }
251 
252 static int SigTest05 (void)
253 {
254  uint8_t *buf = (uint8_t *)
255  "GET /one/ HTTP/1.1\r\n" /* 20 */
256  "Host: one.example.org\r\n" /* 23, 43 */
257  "\r\n\r\n" /* 4, 47 */
258  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
259  "Host: two.example.org\r\n" /* 23, 90 */
260  "\r\n\r\n"; /* 4, 94 */
261  uint16_t buflen = strlen((char *)buf);
262  Packet *p = NULL;
263  ThreadVars th_v;
264  DetectEngineThreadCtx *det_ctx = NULL;
265  int result = 0;
266 
267  memset(&th_v, 0, sizeof(th_v));
268 
269  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
270 
272  if (de_ctx == NULL) {
273  goto end;
274  }
275 
276  de_ctx->flags |= DE_QUIET;
277 
278  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
279  if (de_ctx->sig_list == NULL) {
280  printf("sig parse failed: ");
281  goto end;
282  }
283 
285  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
286 
287  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
288  if (!PacketAlertCheck(p, 1)) {
289  result = 1;
290  } else {
291  printf("sig matched but shouldn't have: ");
292  }
293 
296 
297  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
299 end:
300  UTHFreePackets(&p, 1);
301  return result;
302 }
303 
304 static int SigTest06 (void)
305 {
306  uint8_t *buf = (uint8_t *)
307  "GET /one/ HTTP/1.1\r\n" /* 20 */
308  "Host: one.example.org\r\n" /* 23, 43 */
309  "\r\n\r\n" /* 4, 47 */
310  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
311  "Host: two.example.org\r\n" /* 23, 90 */
312  "\r\n\r\n"; /* 4, 94 */
313  uint16_t buflen = strlen((char *)buf);
314  Packet *p = NULL;
315  ThreadVars th_v;
316  DetectEngineThreadCtx *det_ctx = NULL;
317  Flow f;
318  TcpSession ssn;
321 
322  memset(&th_v, 0, sizeof(th_v));
323  memset(&f, 0, sizeof(f));
324  memset(&ssn, 0, sizeof(ssn));
325 
326  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
327  FAIL_IF_NULL(p);
328 
329  FLOW_INITIALIZE(&f);
330  f.protoctx = (void *)&ssn;
331  f.flags |= FLOW_IPV4;
332  f.proto = IPPROTO_TCP;
333  p->flow = &f;
338 
339  StreamTcpInitConfig(true);
340 
343  de_ctx->flags |= DE_QUIET;
344 
345  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
346  FAIL_IF_NULL(s);
347 
348  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
349  FAIL_IF_NULL(s);
350 
352  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
353  FAIL_IF_NULL(det_ctx);
354 
355  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
356  FAIL_IF(r != 0);
357 
358  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
361 
362  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
365  UTHFreePackets(&p, 1);
366  StreamTcpFreeConfig(true);
367  FLOW_DESTROY(&f);
368  PASS;
369 }
370 
371 static int SigTest07 (void)
372 {
373  uint8_t *buf = (uint8_t *)
374  "GET /one/ HTTP/1.1\r\n" /* 20 */
375  "Host: one.example.org\r\n" /* 23, 43 */
376  "\r\n\r\n" /* 4, 47 */
377  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
378  "Host: two.example.org\r\n" /* 23, 90 */
379  "\r\n\r\n"; /* 4, 94 */
380  uint16_t buflen = strlen((char *)buf);
381  Packet *p = NULL;
382  ThreadVars th_v;
383  DetectEngineThreadCtx *det_ctx = NULL;
384  Flow f;
385  TcpSession ssn;
386  int result = 0;
388 
389  memset(&th_v, 0, sizeof(th_v));
390  memset(&f, 0, sizeof(f));
391  memset(&ssn, 0, sizeof(ssn));
392 
393  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
394 
395  FLOW_INITIALIZE(&f);
396  f.protoctx = (void *)&ssn;
397  f.flags |= FLOW_IPV4;
398  f.proto = IPPROTO_TCP;
399  p->flow = &f;
404 
405  StreamTcpInitConfig(true);
406 
408  if (de_ctx == NULL) {
409  goto end;
410  }
411 
412  de_ctx->flags |= DE_QUIET;
413 
414  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
415  if (de_ctx->sig_list == NULL) {
416  result = 0;
417  goto end;
418  }
419  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
420  if (de_ctx->sig_list->next == NULL) {
421  result = 0;
422  goto end;
423  }
424 
426  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
427 
428  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
429  if (r != 0) {
430  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
431  result = 0;
432  goto end;
433  }
434 
435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
436  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
437  result = 0;
438  else
439  result = 1;
440 
441 end:
442  if (alp_tctx != NULL)
444  UTHFreePackets(&p, 1);
445  StreamTcpFreeConfig(true);
447  FLOW_DESTROY(&f);
450 
451  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
453 
454  return result;
455 }
456 
457 static int SigTest08 (void)
458 {
459  uint8_t *buf = (uint8_t *)
460  "GET /one/ HTTP/1.0\r\n" /* 20 */
461  "Host: one.example.org\r\n" /* 23, 43 */
462  "\r\n\r\n" /* 4, 47 */
463  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
464  "Host: two.example.org\r\n" /* 23, 90 */
465  "\r\n\r\n"; /* 4, 94 */
466  uint16_t buflen = strlen((char *)buf);
467  Packet *p = NULL;
468  ThreadVars th_v;
469  DetectEngineThreadCtx *det_ctx = NULL;
470  Flow f;
471  TcpSession ssn;
472  int result = 0;
474 
475  memset(&f, 0, sizeof(Flow));
476  memset(&th_v, 0, sizeof(th_v));
477  memset(&ssn, 0, sizeof(ssn));
478 
479  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
480 
481  FLOW_INITIALIZE(&f);
482  f.protoctx = (void *)&ssn;
483  f.flags |= FLOW_IPV4;
484  f.proto = IPPROTO_TCP;
485  p->flow = &f;
490 
491  StreamTcpInitConfig(true);
492 
494  if (de_ctx == NULL) {
495  goto end;
496  }
497 
498  de_ctx->flags |= DE_QUIET;
499 
500  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
501  if (de_ctx->sig_list == NULL) {
502  result = 0;
503  goto end;
504  }
505  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
506  if (de_ctx->sig_list->next == NULL) {
507  result = 0;
508  goto end;
509  }
510 
512  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
513 
514  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
515  if (r != 0) {
516  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
517  result = 0;
518  goto end;
519  }
520 
521  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
522  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
523  result = 1;
524  else
525  printf("sid:1 %s, sid:2 %s: ",
526  PacketAlertCheck(p, 1) ? "OK" : "FAIL",
527  PacketAlertCheck(p, 2) ? "OK" : "FAIL");
528 
529 end:
533 
534  if (det_ctx)
535  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
537  if (alp_tctx != NULL)
539  UTHFreePackets(&p, 1);
540  StreamTcpFreeConfig(true);
541  FLOW_DESTROY(&f);
542  return result;
543 }
544 
545 static int SigTest09 (void)
546 {
547  uint8_t *buf = (uint8_t *)
548  "GET /one/ HTTP/1.0\r\n" /* 20 */
549  "Host: one.example.org\r\n" /* 23, 43 */
550  "\r\n\r\n" /* 4, 47 */
551  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
552  "Host: two.example.org\r\n" /* 23, 90 */
553  "\r\n\r\n"; /* 4, 94 */
554  uint16_t buflen = strlen((char *)buf);
555  Packet *p = NULL;
556  ThreadVars th_v;
557  DetectEngineThreadCtx *det_ctx = NULL;
558  Flow f;
559  TcpSession ssn;
561  int result = 0;
562 
563  memset(&th_v, 0, sizeof(th_v));
564  memset(&f, 0, sizeof(f));
565  memset(&ssn, 0, sizeof(ssn));
566 
567  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
568 
569  FLOW_INITIALIZE(&f);
570  f.protoctx = (void *)&ssn;
571  f.flags |= FLOW_IPV4;
572  f.proto = IPPROTO_TCP;
573  p->flow = &f;
578 
579  StreamTcpInitConfig(true);
580 
582  if (de_ctx == NULL) {
583  goto end;
584  }
585 
586  de_ctx->flags |= DE_QUIET;
587 
588  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
589  if (de_ctx->sig_list == NULL) {
590  result = 0;
591  goto end;
592  }
593  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
594  if (de_ctx->sig_list->next == NULL) {
595  result = 0;
596  goto end;
597  }
598 
600  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
601 
602  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
603  if (r != 0) {
604  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
605  result = 0;
606  goto end;
607  }
608 
609  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
610  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
611  result = 1;
612  else
613  result = 0;
614 
615 end:
619  if (det_ctx)
620  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
622  if (alp_tctx != NULL)
624  UTHFreePackets(&p, 1);
625  StreamTcpFreeConfig(true);
626  FLOW_DESTROY(&f);
627  return result;
628 }
629 
630 static int SigTest10 (void)
631 {
632  uint8_t *buf = (uint8_t *)
633  "ABC";
634  uint16_t buflen = strlen((char *)buf);
635  Packet *p = NULL;
636  ThreadVars th_v;
637  DetectEngineThreadCtx *det_ctx = NULL;
638  Flow f;
639  TcpSession ssn;
640  int result = 0;
642 
643  memset(&th_v, 0, sizeof(th_v));
644  memset(&f, 0, sizeof(f));
645  memset(&ssn, 0, sizeof(ssn));
646 
647  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
648 
649  FLOW_INITIALIZE(&f);
650  f.protoctx = (void *)&ssn;
651  f.proto = IPPROTO_TCP;
652  f.flags |= FLOW_IPV4;
653  p->flow = &f;
658 
659  StreamTcpInitConfig(true);
660 
662  if (de_ctx == NULL) {
663  goto end;
664  }
665 
666  de_ctx->flags |= DE_QUIET;
667 
668  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
669  if (de_ctx->sig_list == NULL) {
670  result = 0;
671  goto end;
672  }
673  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)");
674  if (de_ctx->sig_list->next == NULL) {
675  result = 0;
676  goto end;
677  }
678 
680  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
681 
682  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
683  if (r != 0) {
684  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
685  result = 0;
686  goto end;
687  }
688 
689  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
690  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
691  result = 0;
692  else
693  result = 1;
694 
695  end:
699  if (det_ctx)
700  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
702  if (alp_tctx != NULL)
704  UTHFreePackets(&p, 1);
705  StreamTcpFreeConfig(true);
706  FLOW_DESTROY(&f);
707  return result;
708 }
709 
710 static int SigTest11 (void)
711 {
712  uint8_t *buf = (uint8_t *)
713  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
714  uint16_t buflen = strlen((char *)buf);
715  Packet *p = NULL;
716  ThreadVars th_v;
717  DetectEngineThreadCtx *det_ctx = NULL;
718  Flow f;
719  TcpSession ssn;
720  int result = 0;
721 
722  memset(&th_v, 0, sizeof(th_v));
723  memset(&f, 0, sizeof(f));
724  memset(&ssn, 0, sizeof(ssn));
725 
726  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
727 
728  FLOW_INITIALIZE(&f);
729  f.protoctx = (void *)&ssn;
730  f.proto = IPPROTO_TCP;
731  f.flags |= FLOW_IPV4;
732  p->flow = &f;
736 
737  StreamTcpInitConfig(true);
738 
740  if (de_ctx == NULL) {
741  goto end;
742  }
743 
744  de_ctx->flags |= DE_QUIET;
745 
746  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
747  if (de_ctx->sig_list == NULL) {
748  goto end;
749  }
750  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
751  if (de_ctx->sig_list->next == NULL) {
752  goto end;
753  }
754 
756  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
757 
758  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
759  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
760  result = 1;
761 
762  end:
765  if (det_ctx)
766  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
768  UTHFreePackets(&p, 1);
769  StreamTcpFreeConfig(true);
770  FLOW_DESTROY(&f);
771  return result;
772 }
773 
774 static int SigTest12 (void)
775 {
776  uint8_t *buf = (uint8_t *)
777  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
778  uint16_t buflen = strlen((char *)buf);
779  Packet *p = NULL;
780  ThreadVars th_v;
781  DetectEngineThreadCtx *det_ctx = NULL;
782  int result = 0;
783 
784  memset(&th_v, 0, sizeof(th_v));
785  Flow f;
786  memset(&f, 0, sizeof(Flow));
787 
788  FLOW_INITIALIZE(&f);
789 
790  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
791  p->flow = &f;
793 
795  if (de_ctx == NULL) {
796  goto end;
797  }
798 
799  de_ctx->flags |= DE_QUIET;
800 
801  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
802  if (de_ctx->sig_list == NULL) {
803  result = 0;
804  goto end;
805  }
806 
808  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
809 
810  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
811  if (PacketAlertCheck(p, 1))
812  result = 1;
813  else
814  result = 0;
815 
816  if (det_ctx != NULL)
817  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
818 end:
819  UTHFreePackets(&p, 1);
820  if (de_ctx != NULL) {
824  }
825  FLOW_DESTROY(&f);
826  return result;
827 }
828 
829 static int SigTest13 (void)
830 {
831  uint8_t *buf = (uint8_t *)
832  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
833  uint16_t buflen = strlen((char *)buf);
834  Packet *p = NULL;
835  ThreadVars th_v;
836  DetectEngineThreadCtx *det_ctx = NULL;
837  int result = 0;
838 
839  memset(&th_v, 0, sizeof(th_v));
840  Flow f;
841  memset(&f, 0, sizeof(Flow));
842 
843  FLOW_INITIALIZE(&f);
844 
845  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
846  p->flow = &f;
848 
850  if (de_ctx == NULL) {
851  goto end;
852  }
853 
854  de_ctx->flags |= DE_QUIET;
855 
856  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
857  if (de_ctx->sig_list == NULL) {
858  result = 0;
859  goto end;
860  }
861 
863  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
864 
865  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
866  if (PacketAlertCheck(p, 1))
867  result = 1;
868  else
869  result = 0;
870 
873  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
875 end:
876  UTHFreePackets(&p, 1);
877  FLOW_DESTROY(&f);
878  return result;
879 }
880 
881 static int SigTest14 (void)
882 {
883  uint8_t *buf = (uint8_t *)
884  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
885  uint16_t buflen = strlen((char *)buf);
886  Packet *p = NULL;
887  ThreadVars th_v;
888  DetectEngineThreadCtx *det_ctx = NULL;
889  int result = 0;
890 
891  memset(&th_v, 0, sizeof(th_v));
892 
893  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
894 
896  if (de_ctx == NULL) {
897  goto end;
898  }
899 
900  de_ctx->flags |= DE_QUIET;
901 
902  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
903  if (de_ctx->sig_list == NULL) {
904  result = 0;
905  goto end;
906  }
907 
909  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
910 
911  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
912  if (PacketAlertCheck(p, 1))
913  result = 0;
914  else
915  result = 1;
916 
919  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
921 end:
922  UTHFreePackets(&p, 1);
923  return result;
924 }
925 
926 static int SigTest15 (void)
927 {
928  uint8_t *buf = (uint8_t *)
929  "CONNECT 213.92.8.7:31204 HTTP/1.1";
930  uint16_t buflen = strlen((char *)buf);
931  Packet *p = PacketGetFromAlloc();
932  if (unlikely(p == NULL))
933  return 0;
934  ThreadVars th_v;
935  DetectEngineThreadCtx *det_ctx = NULL;
936  int result = 0;
937 
938  memset(&th_v, 0, sizeof(th_v));
939  p->src.family = AF_INET;
940  p->dst.family = AF_INET;
941  p->payload = buf;
942  p->payload_len = buflen;
943  p->proto = IPPROTO_TCP;
944  p->dp = 80;
945 
947  ConfInit();
948  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
949 
951  if (de_ctx == NULL) {
952  goto end;
953  }
954 
955  de_ctx->flags |= DE_QUIET;
956 
957  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
958  if (de_ctx->sig_list == NULL) {
959  result = 0;
960  goto end;
961  }
962 
964  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
965 
966  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
967  if (PacketAlertCheck(p, 2008284))
968  result = 0;
969  else
970  result = 1;
971 
974  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
976 end:
977  ConfDeInit();
979  SCFree(p);
980  return result;
981 }
982 
983 static int SigTest16 (void)
984 {
985  uint8_t *buf = (uint8_t *)
986  "CONNECT 213.92.8.7:31204 HTTP/1.1";
987  uint16_t buflen = strlen((char *)buf);
988  Packet *p = NULL;
989  ThreadVars th_v;
990  DetectEngineThreadCtx *det_ctx = NULL;
991  int result = 0;
992 
993  memset(&th_v, 0, sizeof(th_v));
994  memset(&p, 0, sizeof(p));
995 
996  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
997 
999  ConfInit();
1000  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1001 
1003  if (de_ctx == NULL) {
1004  goto end;
1005  }
1006 
1007  de_ctx->flags |= DE_QUIET;
1008 
1009  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
1010  if (de_ctx->sig_list == NULL) {
1011  goto end;
1012  }
1013 
1015  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1016 
1017  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1018  if (PacketAlertCheck(p, 2008284))
1019  result = 1;
1020  else
1021  printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
1022 
1024  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1026 end:
1027  ConfDeInit();
1029  UTHFreePackets(&p, 1);
1030  return result;
1031 }
1032 
1033 static int SigTest17 (void)
1034 {
1035  uint8_t *buf = (uint8_t *)
1036  "GET /one/ HTTP/1.1\r\n" /* 20 */
1037  "Host: one.example.org\r\n" /* 23, 43 */
1038  "\r\n\r\n" /* 4, 47 */
1039  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
1040  "Host: two.example.org\r\n" /* 23, 90 */
1041  "\r\n\r\n"; /* 4, 94 */
1042  uint16_t buflen = strlen((char *)buf);
1043  Packet *p = NULL;
1044  ThreadVars th_v;
1045  DetectEngineThreadCtx *det_ctx = NULL;
1046  memset(&th_v, 0, sizeof(th_v));
1047 
1048  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
1049  FAIL_IF_NULL(p);
1050 
1052  ConfInit();
1053  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1054 
1057  de_ctx->flags |= DE_QUIET;
1058 
1059  Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
1060  FAIL_IF_NULL(s);
1061 
1063  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1064  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1065 
1066  uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
1067  PktVar *pv_hn = PktVarGet(p, capid);
1068  FAIL_IF_NULL(pv_hn);
1069  FAIL_IF(pv_hn->value_len != 15);
1070  FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
1071 
1072  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1074  ConfDeInit();
1076  UTHFreePackets(&p, 1);
1077 
1078  PASS;
1079 }
1080 
1081 static int SigTest18 (void)
1082 {
1083  uint8_t *buf = (uint8_t *)
1084  "220 (vsFTPd 2.0.5)\r\n";
1085  uint16_t buflen = strlen((char *)buf);
1086  Packet *p = PacketGetFromAlloc();
1087  if (unlikely(p == NULL))
1088  return 0;
1089  ThreadVars th_v;
1090  DetectEngineThreadCtx *det_ctx = NULL;
1091  int result = 0;
1092 
1093  memset(&th_v, 0, sizeof(th_v));
1094  p->src.family = AF_INET;
1095  p->dst.family = AF_INET;
1096  p->payload = buf;
1097  p->payload_len = buflen;
1098  p->proto = IPPROTO_TCP;
1099  p->dp = 34260;
1100  p->sp = 21;
1101 
1103  if (de_ctx == NULL) {
1104  goto end;
1105  }
1106 
1107  de_ctx->flags |= DE_QUIET;
1108 
1109  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
1110  if (de_ctx->sig_list == NULL) {
1111  result = 0;
1112  goto end;
1113  }
1114 
1116  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1117 
1118  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1119  if (!PacketAlertCheck(p, 2003055))
1120  result = 1;
1121  else
1122  printf("signature shouldn't match, but did: ");
1123 
1126  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1128 end:
1129  SCFree(p);
1130  return result;
1131 }
1132 
1133 static int SigTest19 (void)
1134 {
1135  uint8_t *buf = (uint8_t *)
1136  "220 (vsFTPd 2.0.5)\r\n";
1137  uint16_t buflen = strlen((char *)buf);
1138  Packet *p = PacketGetFromAlloc();
1139  if (unlikely(p == NULL))
1140  return 0;
1141  ThreadVars th_v;
1142  DetectEngineThreadCtx *det_ctx = NULL;
1143  int result = 0;
1144 
1145  memset(&th_v, 0, sizeof(th_v));
1146  p->src.family = AF_INET;
1147  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1148  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1149  p->dst.family = AF_INET;
1150  p->payload = buf;
1151  p->payload_len = buflen;
1152  p->proto = IPPROTO_TCP;
1153  p->dp = 34260;
1154  p->sp = 21;
1156 
1158  ConfInit();
1159  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1160 
1162  if (de_ctx == NULL) {
1163  goto end;
1164  }
1165 
1166  de_ctx->flags |= DE_QUIET;
1167 
1168  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1169  if (de_ctx->sig_list == NULL) {
1170  result = 0;
1171  goto end;
1172  }
1173 
1175  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1176 
1177  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1178  if (PacketAlertCheck(p, 999))
1179  result = 1;
1180  else
1181  printf("signature didn't match, but should have: ");
1182 
1184  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1186 end:
1187  ConfDeInit();
1189  SCFree(p);
1190  return result;
1191 }
1192 
1193 static int SigTest20 (void)
1194 {
1195  uint8_t *buf = (uint8_t *)
1196  "220 (vsFTPd 2.0.5)\r\n";
1197  uint16_t buflen = strlen((char *)buf);
1198  Packet *p = PacketGetFromAlloc();
1199  if (unlikely(p == NULL))
1200  return 0;
1201  ThreadVars th_v;
1202  DetectEngineThreadCtx *det_ctx = NULL;
1203  int result = 0;
1204 
1205  memset(&th_v, 0, sizeof(th_v));
1206  p->src.family = AF_INET;
1207  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1208  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1209  p->dst.family = AF_INET;
1210  p->payload = buf;
1211  p->payload_len = buflen;
1212  p->proto = IPPROTO_TCP;
1213  p->dp = 34260;
1214  p->sp = 21;
1216 
1218  ConfInit();
1219  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1220 
1222  if (de_ctx == NULL) {
1223  goto end;
1224  }
1225 
1226  de_ctx->flags |= DE_QUIET;
1227 
1228  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1229  if (de_ctx->sig_list == NULL) {
1230  result = 0;
1231  goto end;
1232  }
1233 
1235  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1236 
1237  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1238  if (PacketAlertCheck(p, 999))
1239  result = 1;
1240  else
1241  printf("signature didn't match, but should have: ");
1242 
1245  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1247 end:
1248  ConfDeInit();
1250  SCFree(p);
1251  return result;
1252 }
1253 
1254 static int SigTest21 (void)
1255 {
1256  ThreadVars th_v;
1257  memset(&th_v, 0, sizeof(th_v));
1258  DetectEngineThreadCtx *det_ctx = NULL;
1259  int result = 0;
1260 
1261  Flow f;
1262  memset(&f, 0, sizeof(f));
1263  FLOW_INITIALIZE(&f);
1264 
1265  /* packet 1 */
1266  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1267  "\r\n\r\n";
1268  uint16_t buf1len = strlen((char *)buf1);
1269  Packet *p1 = NULL;
1270  /* packet 2 */
1271  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1272  "\r\n\r\n";
1273  uint16_t buf2len = strlen((char *)buf2);
1274  Packet *p2 = NULL;
1275 
1276  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1277  p1->flow = &f;
1279  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1280  p2->flow = &f;
1282 
1284  if (de_ctx == NULL) {
1285  goto end;
1286  }
1287 
1288  de_ctx->flags |= DE_QUIET;
1289 
1290  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1291  if (de_ctx->sig_list == NULL) {
1292  result = 0;
1293  goto end;
1294  }
1295  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1296  if (de_ctx->sig_list == NULL) {
1297  result = 0;
1298  goto end;
1299  }
1300 
1302  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1303 
1304  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1305  if (PacketAlertCheck(p1, 1)) {
1306  printf("sid 1 alerted, but shouldn't: ");
1307  goto end;
1308  }
1309  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1310  if (!(PacketAlertCheck(p2, 2))) {
1311  printf("sid 2 didn't alert, but should have: ");
1312  goto end;
1313  }
1314 
1315  result = 1;
1316 end:
1317  if (de_ctx != NULL) {
1320 
1321  if (det_ctx != NULL) {
1322  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1323  }
1324  }
1326  UTHFreePackets(&p1, 1);
1327  UTHFreePackets(&p2, 1);
1328  FLOW_DESTROY(&f);
1329  return result;
1330 }
1331 
1332 static int SigTest22 (void)
1333 {
1334  ThreadVars th_v;
1335  memset(&th_v, 0, sizeof(th_v));
1336  DetectEngineThreadCtx *det_ctx = NULL;
1337  int result = 0;
1338 
1339  Flow f;
1340  memset(&f, 0, sizeof(f));
1341  FLOW_INITIALIZE(&f);
1342 
1343  /* packet 1 */
1344  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1345  "\r\n\r\n";
1346  uint16_t buf1len = strlen((char *)buf1);
1347  Packet *p1 = NULL;
1348 
1349  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1350  p1->flow = &f;
1352 
1353  /* packet 2 */
1354  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1355  "\r\n\r\n";
1356  uint16_t buf2len = strlen((char *)buf2);
1357  Packet *p2 = NULL;
1358 
1359  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1360  p2->flow = &f;
1362 
1364  if (de_ctx == NULL) {
1365  goto end;
1366  }
1367 
1368  de_ctx->flags |= DE_QUIET;
1369 
1370  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1371  if (de_ctx->sig_list == NULL) {
1372  result = 0;
1373  goto end;
1374  }
1375  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1376  if (de_ctx->sig_list == NULL) {
1377  result = 0;
1378  goto end;
1379  }
1380 
1382  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1383 
1384  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1385  if (PacketAlertCheck(p1, 1)) {
1386  printf("sid 1 alerted, but shouldn't: ");
1387  goto end;
1388  }
1389  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1390  if (!(PacketAlertCheck(p2, 2)))
1391  result = 1;
1392  else
1393  printf("sid 2 alerted, but shouldn't: ");
1394 
1397 
1398  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1400 end:
1401  UTHFreePackets(&p1, 1);
1402  UTHFreePackets(&p2, 1);
1403  FLOW_DESTROY(&f);
1404  return result;
1405 }
1406 
1407 static int SigTest23 (void)
1408 {
1409  ThreadVars th_v;
1410  memset(&th_v, 0, sizeof(th_v));
1411  DetectEngineThreadCtx *det_ctx = NULL;
1412  int result = 0;
1413 
1414  Flow f;
1415  memset(&f, 0, sizeof(f));
1416  FLOW_INITIALIZE(&f);
1417 
1418  /* packet 1 */
1419  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1420  "\r\n\r\n";
1421  uint16_t buf1len = strlen((char *)buf1);
1422  Packet *p1 = NULL;
1423 
1424  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1425  p1->flow = &f;
1427 
1428  /* packet 2 */
1429  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1430  "\r\n\r\n";
1431  uint16_t buf2len = strlen((char *)buf2);
1432  Packet *p2 = NULL;
1433 
1434  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1435  p2->flow = &f;
1437 
1439  if (de_ctx == NULL) {
1440  goto end;
1441  }
1442 
1443  de_ctx->flags |= DE_QUIET;
1444 
1445  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1446  if (de_ctx->sig_list == NULL) {
1447  result = 0;
1448  goto end;
1449  }
1450  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1451  if (de_ctx->sig_list == NULL) {
1452  result = 0;
1453  goto end;
1454  }
1455 
1457  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1458 
1459  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1460  if (PacketAlertCheck(p1, 1)) {
1461  printf("sid 1 alerted, but shouldn't: ");
1462  goto end;
1463  }
1464  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1465  if (PacketAlertCheck(p2, 2))
1466  result = 1;
1467  else
1468  printf("sid 2 didn't alert, but should have: ");
1469 
1472 
1473  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1475 end:
1476  UTHFreePackets(&p1, 1);
1477  UTHFreePackets(&p2, 1);
1478  FLOW_DESTROY(&f);
1479  return result;
1480 }
1481 
1482 static int SigTest24IPV4Keyword(void)
1483 {
1484  uint8_t valid_raw_ipv4[] = {
1485  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1486  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1487  0xc0, 0xa8, 0x01, 0x03};
1488 
1489  uint8_t invalid_raw_ipv4[] = {
1490  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1491  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1492  0xc0, 0xa8, 0x01, 0x06};
1493 
1494  Packet *p1 = PacketGetFromAlloc();
1495  if (unlikely(p1 == NULL))
1496  return 0;
1497  Packet *p2 = PacketGetFromAlloc();
1498  if (unlikely(p2 == NULL)) {
1499  SCFree(p1);
1500  return 0;
1501  }
1502  ThreadVars th_v;
1503  DetectEngineThreadCtx *det_ctx = NULL;
1504  int result = 0;
1505 
1506  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1507  "\r\n\r\n";
1508  uint16_t buflen = strlen((char *)buf);
1509 
1510  memset(&th_v, 0, sizeof(ThreadVars));
1513 
1514  p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1515 
1516  p1->src.family = AF_INET;
1517  p1->dst.family = AF_INET;
1518  p1->payload = buf;
1519  p1->payload_len = buflen;
1520  p1->proto = IPPROTO_TCP;
1521 
1522  p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1523 
1524  p2->src.family = AF_INET;
1525  p2->dst.family = AF_INET;
1526  p2->payload = buf;
1527  p2->payload_len = buflen;
1528  p2->proto = IPPROTO_TCP;
1529 
1531  if (de_ctx == NULL) {
1532  goto end;
1533  }
1534 
1535  de_ctx->flags |= DE_QUIET;
1536 
1538  "alert ip any any -> any any "
1539  "(content:\"/one/\"; ipv4-csum:valid; "
1540  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1541  if (de_ctx->sig_list == NULL) {
1542  printf("sig 1 parse: ");
1543  goto end;
1544  }
1545 
1547  "alert ip any any -> any any "
1548  "(content:\"/one/\"; ipv4-csum:invalid; "
1549  "msg:\"ipv4-csum keyword check(1)\"; "
1550  "sid:2;)");
1551  if (de_ctx->sig_list->next == NULL) {
1552  printf("sig 2 parse: ");
1553  goto end;
1554  }
1555 
1557  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1558 
1559  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1560  if (!(PacketAlertCheck(p1, 1))) {
1561  printf("signature 1 didn't match, but should have: ");
1562  goto end;
1563  }
1564 
1565  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1566  if (!((PacketAlertCheck(p2, 2)))) {
1567  printf("signature 2 didn't match, but should have: ");
1568  goto end;
1569  }
1570 
1571  result = 1;
1572 end:
1573  if (det_ctx != NULL) {
1576  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1578  }
1579  SCFree(p1);
1580  SCFree(p2);
1581  return result;
1582 }
1583 
1584 static int SigTest25NegativeIPV4Keyword(void)
1585 {
1586  uint8_t valid_raw_ipv4[] = {
1587  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1588  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1589  0xc0, 0xa8, 0x01, 0x03};
1590 
1591  uint8_t invalid_raw_ipv4[] = {
1592  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1593  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1594  0xc0, 0xa8, 0x01, 0x06};
1595 
1596  Packet *p1 = PacketGetFromAlloc();
1597  if (unlikely(p1 == NULL))
1598  return 0;
1599  Packet *p2 = PacketGetFromAlloc();
1600  if (unlikely(p2 == NULL)) {
1601  SCFree(p1);
1602  return 0;
1603  }
1604  ThreadVars th_v;
1605  DetectEngineThreadCtx *det_ctx = NULL;
1606  int result = 1;
1607 
1608  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1609  "\r\n\r\n";
1610  uint16_t buflen = strlen((char *)buf);
1611 
1612  memset(&th_v, 0, sizeof(ThreadVars));
1615 
1616  p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1617 
1618  p1->src.family = AF_INET;
1619  p1->dst.family = AF_INET;
1620  p1->payload = buf;
1621  p1->payload_len = buflen;
1622  p1->proto = IPPROTO_TCP;
1623 
1624  p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1625 
1626  p2->src.family = AF_INET;
1627  p2->dst.family = AF_INET;
1628  p2->payload = buf;
1629  p2->payload_len = buflen;
1630  p2->proto = IPPROTO_TCP;
1631 
1633  if (de_ctx == NULL) {
1634  goto end;
1635  }
1636 
1637  de_ctx->flags |= DE_QUIET;
1638 
1640  "alert ip any any -> any any "
1641  "(content:\"/one/\"; ipv4-csum:invalid; "
1642  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1643  if (de_ctx->sig_list == NULL) {
1644  result &= 0;
1645  goto end;
1646  }
1647 
1649  "alert ip any any -> any any "
1650  "(content:\"/one/\"; ipv4-csum:valid; "
1651  "msg:\"ipv4-csum keyword check(1)\"; "
1652  "sid:2;)");
1653  if (de_ctx->sig_list->next == NULL) {
1654  result &= 0;
1655  goto end;
1656  }
1657 
1659  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1660 
1661  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1662  if (PacketAlertCheck(p1, 1))
1663  result &= 0;
1664  else
1665  result &= 1;
1666 
1667  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1668  if (PacketAlertCheck(p2, 2))
1669  result &= 0;
1670  else
1671  result &= 1;
1672 
1675  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1677 end:
1678  SCFree(p1);
1679  SCFree(p2);
1680  return result;
1681 }
1682 
1683 static int SigTest26TCPV4Keyword(void)
1684 {
1685  uint8_t raw_ipv4[] = {
1686  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1687  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1688  0xc0, 0xa8, 0x01, 0x03};
1689 
1690  uint8_t valid_raw_tcp[] = {
1691  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1692  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1693  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1694  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1695  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1696 
1697  uint8_t invalid_raw_tcp[] = {
1698  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1699  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1700  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1701  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1702  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1703 
1704  Packet *p1 = PacketGetFromAlloc();
1705  if (unlikely(p1 == NULL))
1706  return 0;
1707 
1708  Packet *p2 = PacketGetFromAlloc();
1709  if (unlikely(p2 == NULL)) {
1710  SCFree(p1);
1711  return 0;
1712  }
1713 
1714  ThreadVars th_v;
1715  DetectEngineThreadCtx *det_ctx = NULL;
1716 
1717  memset(&th_v, 0, sizeof(ThreadVars));
1718 
1719  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1720  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1721 
1722  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1723  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1724 
1726  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1727  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1728  p1->src.family = AF_INET;
1729  p1->dst.family = AF_INET;
1730  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1731  p1->payload_len = 20;
1732  p1->proto = IPPROTO_TCP;
1733 
1735  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1736  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1737  p2->src.family = AF_INET;
1738  p2->dst.family = AF_INET;
1739  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1740  p2->payload_len = 20;
1741  p2->proto = IPPROTO_TCP;
1742 
1745 
1746  de_ctx->flags |= DE_QUIET;
1747 
1749  "alert ip any any -> any any "
1750  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1751  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1753 
1755  "alert ip any any -> any any "
1756  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1757  "msg:\"tcpv4-csum keyword check(1)\"; "
1758  "sid:2;)");
1760 
1762  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1763 
1764  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1765  FAIL_IF(!(PacketAlertCheck(p1, 1)));
1766 
1767  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1768  FAIL_IF(!(PacketAlertCheck(p2, 2)));
1769 
1772  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1774  SCFree(p1);
1775  SCFree(p2);
1776  PASS;
1777 }
1778 
1779 /* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
1780 static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1781 {
1782  uint8_t raw_ipv4[] = {
1783  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1784  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1785  0xc0, 0xa8, 0x01, 0x03};
1786 
1787  uint8_t valid_raw_tcp[] = {
1788  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1789  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1790  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1791  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1792  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1793 
1794  uint8_t invalid_raw_tcp[] = {
1795  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1796  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1797  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1798  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1799  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1800 
1801  Packet *p1 = PacketGetFromAlloc();
1802  if (unlikely(p1 == NULL))
1803  return 0;
1804 
1805  Packet *p2 = PacketGetFromAlloc();
1806  if (unlikely(p2 == NULL)) {
1807  SCFree(p1);
1808  return 0;
1809  }
1810 
1811  ThreadVars th_v;
1812  DetectEngineThreadCtx *det_ctx = NULL;
1813  int result = 0;
1814 
1815  memset(&th_v, 0, sizeof(ThreadVars));
1816 
1817  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1818  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1819 
1820  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1821  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1822 
1824  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1825  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1826  p1->src.family = AF_INET;
1827  p1->dst.family = AF_INET;
1828  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1829  p1->payload_len = 20;
1830  p1->proto = IPPROTO_TCP;
1831 
1833  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1834  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1835  p2->src.family = AF_INET;
1836  p2->dst.family = AF_INET;
1837  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1838  p2->payload_len = 20;
1839  p2->proto = IPPROTO_TCP;
1840 
1842  if (de_ctx == NULL) {
1843  goto end;
1844  }
1845 
1846  de_ctx->flags |= DE_QUIET;
1847 
1849  "alert ip any any -> any any "
1850  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1851  "ipv4-csum:invalid; "
1852  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1853  if (de_ctx->sig_list == NULL) {
1854  goto end;
1855  }
1856 
1858  "alert ip any any -> any any "
1859  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1860  "ipv4-csum:invalid; "
1861  "msg:\"tcpv4-csum keyword check(1)\"; "
1862  "sid:2;)");
1863  if (de_ctx->sig_list->next == NULL) {
1864  goto end;
1865  }
1866 
1868  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1869 
1870  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1871  if (!(PacketAlertCheck(p1, 1))) {
1872  printf("sig 1 didn't match: ");
1873  goto end;
1874  }
1875 
1876  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1877  if (!(PacketAlertCheck(p2, 2))) {
1878  printf("sig 2 didn't match: ");
1879  goto end;
1880  }
1881 
1882  result = 1;
1883 end:
1886  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1888  SCFree(p1);
1889  SCFree(p2);
1890  return result;
1891 }
1892 
1893 /* Similar to SigTest26, but with different packet */
1894 static int SigTest26TCPV4AndIPV4Keyword(void)
1895 {
1896  /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1897  * TTL: 64 Flags: Don't Fragment
1898  */
1899  uint8_t raw_ipv4[] = {
1900  0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1901  0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1902  0xc0, 0xa8, 0xb0, 0x74};
1903 
1904  /* TCP: sport: 49517 dport: 445 Flags: SYN
1905  * Window size: 65535, checksum: 0x2009,
1906  * MTU: 1460, Window scale: 4, TSACK permitted,
1907  * 24 bytes of options, no payload.
1908  */
1909  uint8_t valid_raw_tcp[] = {
1910  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1911  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1912  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1913  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1914  0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1915  0x04, 0x02, 0x00, 0x00};
1916 
1917  uint8_t invalid_raw_tcp[] = {
1918  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1919  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1920  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1921  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1922  0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1923  0x04, 0x02, 0x00, 0x00};
1924 
1925  Packet *p1 = PacketGetFromAlloc();
1926  if (unlikely(p1 == NULL))
1927  return 0;
1928 
1929  Packet *p2 = PacketGetFromAlloc();
1930  if (unlikely(p2 == NULL)) {
1931  SCFree(p1);
1932  return 0;
1933  }
1934 
1935  ThreadVars th_v;
1936  DetectEngineThreadCtx *det_ctx = NULL;
1937  int result = 0;
1938 
1939  memset(&th_v, 0, sizeof(ThreadVars));
1940 
1941  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1942  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1943 
1944  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1945  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1946 
1948  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1949  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1950  p1->src.family = AF_INET;
1951  p1->dst.family = AF_INET;
1952  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1953  p1->payload_len = 0;
1954  p1->proto = IPPROTO_TCP;
1955 
1957  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1958  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1959  p2->src.family = AF_INET;
1960  p2->dst.family = AF_INET;
1961  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1962  p2->payload_len = 0;
1963  p2->proto = IPPROTO_TCP;
1964 
1966  if (de_ctx == NULL) {
1967  goto end;
1968  }
1969 
1970  de_ctx->flags |= DE_QUIET;
1971 
1973  "alert ip any any -> any any "
1974  "(tcpv4-csum:valid; "
1975  "ipv4-csum:valid; "
1976  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1977  if (de_ctx->sig_list == NULL) {
1978  goto end;
1979  }
1980 
1982  "alert ip any any -> any any "
1983  "(tcpv4-csum:invalid; "
1984  "ipv4-csum:valid; "
1985  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1986  "sid:2;)");
1987  if (de_ctx->sig_list->next == NULL) {
1988  goto end;
1989  }
1990 
1992  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1993 
1994  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1995  if (!(PacketAlertCheck(p1, 1))) {
1996  printf("sig 1 didn't match: ");
1997  goto end;
1998  }
1999 
2000  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2001  if (!(PacketAlertCheck(p2, 2))) {
2002  printf("sig 2 didn't match: ");
2003  goto end;
2004  }
2005 
2006  result = 1;
2007 end:
2010  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2012  SCFree(p1);
2013  SCFree(p2);
2014  return result;
2015 }
2016 
2017 static int SigTest27NegativeTCPV4Keyword(void)
2018 {
2019  uint8_t raw_ipv4[] = {
2020  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2021  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2022  0xc0, 0xa8, 0x01, 0x03};
2023 
2024  uint8_t valid_raw_tcp[] = {
2025  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2026  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2027  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2028  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2029  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
2030 
2031  uint8_t invalid_raw_tcp[] = {
2032  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2033  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2034  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2035  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2036  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2037 
2038  Packet *p1 = PacketGetFromAlloc();
2039  if (unlikely(p1 == NULL))
2040  return 0;
2041  Packet *p2 = PacketGetFromAlloc();
2042  if (unlikely(p2 == NULL)) {
2043  SCFree(p1);
2044  return 0;
2045  }
2046  ThreadVars th_v;
2047  DetectEngineThreadCtx *det_ctx = NULL;
2048  int result = 0;
2049 
2050  memset(&th_v, 0, sizeof(ThreadVars));
2051 
2052  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
2053  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
2054 
2055  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
2056  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
2057 
2059  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
2060  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
2061  p1->src.family = AF_INET;
2062  p1->dst.family = AF_INET;
2063  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
2064  p1->payload_len = 20;
2065  p1->proto = IPPROTO_TCP;
2066 
2068  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
2069  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
2070  p2->src.family = AF_INET;
2071  p2->dst.family = AF_INET;
2072  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
2073  p2->payload_len = 20;
2074  p2->proto = IPPROTO_TCP;
2075 
2077  if (de_ctx == NULL) {
2078  goto end;
2079  }
2080 
2081  de_ctx->flags |= DE_QUIET;
2082 
2084  "alert tcp any any -> any any "
2085  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2086  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2087  if (de_ctx->sig_list == NULL) {
2088  goto end;
2089  }
2090 
2092  "alert tcp any any -> any any "
2093  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2094  "msg:\"tcpv4-csum keyword check(2)\"; "
2095  "sid:2;)");
2096  if (de_ctx->sig_list->next == NULL) {
2097  goto end;
2098  }
2099 
2101  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2102 
2103  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2104  if (!PacketAlertCheck(p1, 1)) {
2105  printf("sig 1 didn't match on p1: ");
2106  goto end;
2107  }
2108 
2109  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2110  if (PacketAlertCheck(p2, 2)) {
2111  printf("sig 2 matched on p2: ");
2112  goto end;
2113  }
2114 
2115  result = 1;
2116 end:
2119  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2121  SCFree(p1);
2122  SCFree(p2);
2123  return result;
2124 }
2125 
2126 static int SigTest28TCPV6Keyword(void)
2127 {
2128  static uint8_t valid_raw_ipv6[] = {
2129  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2130  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2131 
2132  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2133  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2134  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2135  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2136  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2137 
2138  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2139  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2140  0xf2, 0xf1, 0x00, 0x00,
2141 
2142  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2143  0x00, 0x01, 0x69, 0x27};
2144 
2145  static uint8_t invalid_raw_ipv6[] = {
2146  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2147  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2148 
2149  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2150  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2151  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2152  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2153  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2154 
2155  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2156  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2157  0xc2, 0xf1, 0x00, 0x00,
2158 
2159  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2160  0x00, 0x01, 0x69, 0x28};
2161 
2162  Packet *p1 = PacketGetFromAlloc();
2163  if (unlikely(p1 == NULL))
2164  return 0;
2165  Packet *p2 = PacketGetFromAlloc();
2166  if (unlikely(p2 == NULL)) {
2167  SCFree(p1);
2168  return 0;
2169  }
2170  ThreadVars th_v;
2171  DetectEngineThreadCtx *det_ctx = NULL;
2172  int result = 0;
2173 
2174  memset(&th_v, 0, sizeof(ThreadVars));
2175 
2177  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2178  p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2179  p1->src.family = AF_INET;
2180  p1->dst.family = AF_INET;
2181  p1->payload = valid_raw_ipv6 + 54 + 20;
2182  p1->payload_len = 12;
2183  p1->proto = IPPROTO_TCP;
2184 
2185  if (TCP_GET_HLEN(p1) != 20) {
2186  BUG_ON(1);
2187  }
2188 
2190  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2191  p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2192  p2->src.family = AF_INET;
2193  p2->dst.family = AF_INET;
2194  p2->payload = invalid_raw_ipv6 + 54 + 20;
2195  p2->payload_len = 12;
2196  p2->proto = IPPROTO_TCP;
2197 
2198  if (TCP_GET_HLEN(p2) != 20) {
2199  BUG_ON(1);
2200  }
2201 
2203  if (de_ctx == NULL) {
2204  goto end;
2205  }
2206 
2207  de_ctx->flags |= DE_QUIET;
2208 
2210  "alert tcp any any -> any any "
2211  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2212  "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2213  if (de_ctx->sig_list == NULL) {
2214  goto end;
2215  }
2216 
2218  "alert tcp any any -> any any "
2219  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2220  "msg:\"tcpv6-csum keyword check(1)\"; "
2221  "sid:2;)");
2222  if (de_ctx->sig_list->next == NULL) {
2223  goto end;
2224  }
2225 
2227  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2228 
2229  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2230  if (!(PacketAlertCheck(p1, 1))) {
2231  printf("sid 1 didn't match on p1: ");
2232  goto end;
2233  }
2234 
2235  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2236  if (!(PacketAlertCheck(p2, 2))) {
2237  printf("sid 2 didn't match on p2: ");
2238  goto end;
2239  }
2240 
2241  result = 1;
2242 end:
2245  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2247  SCFree(p1);
2248  SCFree(p2);
2249  return result;
2250 }
2251 
2252 static int SigTest29NegativeTCPV6Keyword(void)
2253 {
2254  static uint8_t valid_raw_ipv6[] = {
2255  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2256  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2257 
2258  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2259  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2260  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2261  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2262  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2263 
2264  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2265  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2266  0xf2, 0xf1, 0x00, 0x00,
2267 
2268  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2269  0x00, 0x01, 0x69, 0x27};
2270 
2271  static uint8_t invalid_raw_ipv6[] = {
2272  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2273  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2274 
2275  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2276  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2277  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2278  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2279  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2280 
2281  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2282  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2283  0xc2, 0xf1, 0x00, 0x00,
2284 
2285  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2286  0x00, 0x01, 0x69, 0x28};
2287 
2288  Packet *p1 = PacketGetFromAlloc();
2289  if (unlikely(p1 == NULL))
2290  return 0;
2291  Packet *p2 = PacketGetFromAlloc();
2292  if (unlikely(p2 == NULL)) {
2293  SCFree(p1);
2294  return 0;
2295  }
2296  ThreadVars th_v;
2297  DetectEngineThreadCtx *det_ctx = NULL;
2298  int result = 0;
2299 
2300  memset(&th_v, 0, sizeof(ThreadVars));
2301 
2303  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2304  p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2305  p1->src.family = AF_INET;
2306  p1->dst.family = AF_INET;
2307  p1->payload = valid_raw_ipv6 + 54 + 20;
2308  p1->payload_len = 12;
2309  p1->proto = IPPROTO_TCP;
2310 
2311  if (TCP_GET_HLEN(p1) != 20) {
2312  BUG_ON(1);
2313  }
2314 
2316  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2317  p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2318  p2->src.family = AF_INET;
2319  p2->dst.family = AF_INET;
2320  p2->payload = invalid_raw_ipv6 + 54 + 20;
2321  p2->payload_len = 12;
2322  p2->proto = IPPROTO_TCP;
2323 
2324  if (TCP_GET_HLEN(p2) != 20) {
2325  BUG_ON(1);
2326  }
2327 
2329  if (de_ctx == NULL) {
2330  goto end;
2331  }
2332 
2333  de_ctx->flags |= DE_QUIET;
2334 
2336  "alert tcp any any -> any any "
2337  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2338  "msg:\"tcpv6-csum keyword check(1)\"; "
2339  "sid:1;)");
2340  if (de_ctx->sig_list == NULL) {
2341  goto end;
2342  }
2343 
2345  "alert tcp any any -> any any "
2346  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2347  "msg:\"tcpv6-csum keyword check(1)\"; "
2348  "sid:2;)");
2349  if (de_ctx->sig_list->next == NULL) {
2350  goto end;
2351  }
2352 
2354  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2355 
2356  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2357  if (PacketAlertCheck(p1, 1))
2358  goto end;
2359 
2360  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2361  if (PacketAlertCheck(p2, 2))
2362  goto end;
2363 
2364  result = 1;
2365 end:
2368  if (det_ctx != NULL)
2369  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2371  SCFree(p1);
2372  SCFree(p2);
2373  return result;
2374 }
2375 
2376 static int SigTest30UDPV4Keyword(void)
2377 {
2378  uint8_t raw_ipv4[] = {
2379  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2380  0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2381  0xc0, 0xa8, 0x01, 0x03};
2382 
2383  uint8_t valid_raw_udp[] = {
2384  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2385  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2386  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2387  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2388  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2389  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2390  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2391  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2392  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2393  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2394  0x67, 0x6c, 0x65, 0xc0, 0x26};
2395 
2396  uint8_t invalid_raw_udp[] = {
2397  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2398  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2399  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2400  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2401  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2402  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2403  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2404  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2405  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2406  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2407  0x67, 0x6c, 0x65, 0xc0, 0x27};
2408 
2409  Packet *p1 = PacketGetFromAlloc();
2410  FAIL_IF_NULL(p1);
2411  Packet *p2 = PacketGetFromAlloc();
2412  FAIL_IF_NULL(p2);
2413 
2414  ThreadVars th_v;
2415  DetectEngineThreadCtx *det_ctx = NULL;
2416 
2417  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2418  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2419 
2420  memset(&th_v, 0, sizeof(ThreadVars));
2421 
2423  p1->ip4h = (IPV4Hdr *)raw_ipv4;
2424  p1->udph = (UDPHdr *)valid_raw_udp;
2425  p1->src.family = AF_INET;
2426  p1->dst.family = AF_INET;
2427  p1->payload = buf;
2428  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2429  p1->proto = IPPROTO_UDP;
2430 
2432  p2->ip4h = (IPV4Hdr *)raw_ipv4;
2433  p2->udph = (UDPHdr *)invalid_raw_udp;
2434  p2->src.family = AF_INET;
2435  p2->dst.family = AF_INET;
2436  p2->payload = buf;
2437  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2438  p2->proto = IPPROTO_UDP;
2439 
2442 
2443  de_ctx->flags |= DE_QUIET;
2444 
2446  "alert udp any any -> any any "
2447  "(content:\"/one/\"; udpv4-csum:valid; "
2448  "msg:\"udpv4-csum keyword check(1)\"; "
2449  "sid:1;)");
2451 
2453  "alert udp any any -> any any "
2454  "(content:\"/one/\"; udpv4-csum:invalid; "
2455  "msg:\"udpv4-csum keyword check(1)\"; "
2456  "sid:2;)");
2458 
2460  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2461 
2462  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2463  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2464 
2465  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2466  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2467 
2470  if (det_ctx != NULL)
2471  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2473  SCFree(p1);
2474  SCFree(p2);
2475  PASS;
2476 }
2477 
2478 static int SigTest31NegativeUDPV4Keyword(void)
2479 {
2480  uint8_t raw_ipv4[] = {
2481  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2482  0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2483  0xc0, 0xa8, 0x01, 0x03};
2484 
2485  uint8_t valid_raw_udp[] = {
2486  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2487  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2488  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2489  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2490  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2491  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2492  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2493  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2494  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2495  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2496  0x67, 0x6c, 0x65, 0xc0, 0x26};
2497 
2498  uint8_t invalid_raw_udp[] = {
2499  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2500  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2501  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2502  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2503  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2504  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2505  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2506  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2507  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2508  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2509  0x67, 0x6c, 0x65, 0xc0, 0x27};
2510 
2511  Packet *p1 = PacketGetFromAlloc();
2512  if (unlikely(p1 == NULL))
2513  return 0;
2514  Packet *p2 = PacketGetFromAlloc();
2515  if (unlikely(p2 == NULL)) {
2516  SCFree(p1);
2517  return 0;
2518  }
2519  ThreadVars th_v;
2520  DetectEngineThreadCtx *det_ctx = NULL;
2521  int result = 1;
2522 
2523  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2524  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2525 
2526  memset(&th_v, 0, sizeof(ThreadVars));
2527 
2529  p1->ip4h = (IPV4Hdr *)raw_ipv4;
2530  p1->udph = (UDPHdr *)valid_raw_udp;
2531  p1->src.family = AF_INET;
2532  p1->dst.family = AF_INET;
2533  p1->payload = buf;
2534  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2535  p1->proto = IPPROTO_UDP;
2536 
2538  p2->ip4h = (IPV4Hdr *)raw_ipv4;
2539  p2->udph = (UDPHdr *)invalid_raw_udp;
2540  p2->src.family = AF_INET;
2541  p2->dst.family = AF_INET;
2542  p2->payload = buf;
2543  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2544  p2->proto = IPPROTO_UDP;
2545 
2547  if (de_ctx == NULL) {
2548  goto end;
2549  }
2550 
2551  de_ctx->flags |= DE_QUIET;
2552 
2554  "alert udp any any -> any any "
2555  "(content:\"/one/\"; udpv4-csum:invalid; "
2556  "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2557  if (de_ctx->sig_list == NULL) {
2558  result &= 0;
2559  goto end;
2560  }
2561 
2563  "alert udp any any -> any any "
2564  "(content:\"/one/\"; udpv4-csum:valid; "
2565  "msg:\"udpv4-csum keyword check(1)\"; "
2566  "sid:2;)");
2567  if (de_ctx->sig_list->next == NULL) {
2568  result &= 0;
2569  goto end;
2570  }
2571 
2573  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2574 
2575  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2576  if (PacketAlertCheck(p1, 1))
2577  result &= 0;
2578  else
2579  result &= 1;
2580 
2581  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2582  if (PacketAlertCheck(p2, 2)) {
2583  result &= 0;
2584  }
2585  else
2586  result &= 1;
2587 
2590  if (det_ctx != NULL)
2591  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2593 end:
2594  SCFree(p1);
2595  SCFree(p2);
2596  return result;
2597 }
2598 
2599 
2600 static int SigTest32UDPV6Keyword(void)
2601 {
2602  static uint8_t valid_raw_ipv6[] = {
2603  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2604  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2605  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2606  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2607  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2608  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2609  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2610  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2611  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2612  0x09, 0x00};
2613 
2614  static uint8_t invalid_raw_ipv6[] = {
2615  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2616  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2617  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2618  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2619  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2620  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2621  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2622  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2623  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2624  0x09, 0x01};
2625 
2626  Packet *p1 = PacketGetFromAlloc();
2627  FAIL_IF_NULL(p1);
2628  Packet *p2 = PacketGetFromAlloc();
2629  FAIL_IF_NULL(p2);
2630 
2631  ThreadVars th_v;
2632  DetectEngineThreadCtx *det_ctx = NULL;
2633 
2634  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2635  "\r\n\r\n";
2636 
2637  memset(&th_v, 0, sizeof(ThreadVars));
2638 
2640  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2641  p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2642  p1->src.family = AF_INET;
2643  p1->dst.family = AF_INET;
2644  p1->payload = buf;
2646  p1->proto = IPPROTO_UDP;
2647 
2649  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2650  p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2651  p2->src.family = AF_INET;
2652  p2->dst.family = AF_INET;
2653  p2->payload = buf;
2655  p2->proto = IPPROTO_UDP;
2656 
2659 
2660  de_ctx->flags |= DE_QUIET;
2661 
2663  "alert udp any any -> any any "
2664  "(content:\"/one/\"; udpv6-csum:valid; "
2665  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2667 
2669  "alert udp any any -> any any "
2670  "(content:\"/one/\"; udpv6-csum:invalid; "
2671  "msg:\"udpv6-csum keyword check(1)\"; "
2672  "sid:2;)");
2674 
2676  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2677 
2678  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2679  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2680 
2681  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2682  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2683 
2686  if (det_ctx != NULL)
2687  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2689 
2690  SCFree(p1);
2691  SCFree(p2);
2692  PASS;
2693 }
2694 
2695 static int SigTest33NegativeUDPV6Keyword(void)
2696 {
2697  static uint8_t valid_raw_ipv6[] = {
2698  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2699  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2700  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2701  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2702  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2703  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2704  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2705  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2706  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2707  0x09, 0x00};
2708 
2709  static uint8_t invalid_raw_ipv6[] = {
2710  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2711  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2712  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2713  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2714  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2715  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2716  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2717  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2718  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2719  0x09, 0x01};
2720 
2721  Packet *p1 = PacketGetFromAlloc();
2722  if (unlikely(p1 == NULL))
2723  return 0;
2724  Packet *p2 = PacketGetFromAlloc();
2725  if (unlikely(p2 == NULL)) {
2726  SCFree(p1);
2727  return 0;
2728  }
2729  ThreadVars th_v;
2730  DetectEngineThreadCtx *det_ctx = NULL;
2731  int result = 1;
2732 
2733  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2734  "\r\n\r\n";
2735 
2736  memset(&th_v, 0, sizeof(ThreadVars));
2737 
2739  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2740  p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2741  p1->src.family = AF_INET;
2742  p1->dst.family = AF_INET;
2743  p1->payload = buf;
2745  p1->proto = IPPROTO_UDP;
2746 
2748  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2749  p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2750  p2->src.family = AF_INET;
2751  p2->dst.family = AF_INET;
2752  p2->payload = buf;
2754  p2->proto = IPPROTO_UDP;
2755 
2757  if (de_ctx == NULL) {
2758  goto end;
2759  }
2760 
2761  de_ctx->flags |= DE_QUIET;
2762 
2764  "alert udp any any -> any any "
2765  "(content:\"/one/\"; udpv6-csum:invalid; "
2766  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2767  if (de_ctx->sig_list == NULL) {
2768  result &= 0;
2769  goto end;
2770  }
2771 
2773  "alert udp any any -> any any "
2774  "(content:\"/one/\"; udpv6-csum:valid; "
2775  "msg:\"udpv6-csum keyword check(1)\"; "
2776  "sid:2;)");
2777  if (de_ctx->sig_list->next == NULL) {
2778  result &= 0;
2779  goto end;
2780  }
2781 
2783  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2784 
2785  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2786  if (PacketAlertCheck(p1, 1))
2787  result &= 0;
2788  else
2789  result &= 1;
2790 
2791  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2792  if (PacketAlertCheck(p2, 2))
2793  result &= 0;
2794  else
2795  result &= 1;
2796 
2799  if (det_ctx != NULL)
2800  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2802 end:
2803  SCFree(p1);
2804  SCFree(p2);
2805  return result;
2806 }
2807 
2808 static int SigTest34ICMPV4Keyword(void)
2809 {
2810  uint8_t valid_raw_ipv4[] = {
2811  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2812  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2813  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2814  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2815  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2816  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2817  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2818  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2819  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2820  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2821  0x34, 0x35, 0x36, 0x37};
2822 
2823  uint8_t invalid_raw_ipv4[] = {
2824  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2825  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2826  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2827  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2828  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2829  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2830  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2831  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2832  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2833  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2834  0x34, 0x35, 0x36, 0x38};
2835 
2836  Packet *p1 = PacketGetFromAlloc();
2837  if (unlikely(p1 == NULL))
2838  return 0;
2839  Packet *p2 = PacketGetFromAlloc();
2840  if (unlikely(p2 == NULL)) {
2841  SCFree(p1);
2842  return 0;
2843  }
2844  ThreadVars th_v;
2845  DetectEngineThreadCtx *det_ctx = NULL;
2846  int result = 1;
2847 
2848  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2849  "\r\n\r\n";
2850  uint16_t buflen = strlen((char *)buf);
2851 
2852  memset(&th_v, 0, sizeof(ThreadVars));
2853 
2855  p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
2856  p1->ip4h->ip_verhl = 69;
2857  p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
2858  p1->src.family = AF_INET;
2859  p1->dst.family = AF_INET;
2860  p1->payload = buf;
2861  p1->payload_len = buflen;
2862  p1->proto = IPPROTO_ICMP;
2863 
2865  p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
2866  p2->ip4h->ip_verhl = 69;
2867  p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
2868  p2->src.family = AF_INET;
2869  p2->dst.family = AF_INET;
2870  p2->payload = buf;
2871  p2->payload_len = buflen;
2872  p2->proto = IPPROTO_ICMP;
2873 
2875  if (de_ctx == NULL) {
2876  goto end;
2877  }
2878 
2879  de_ctx->flags |= DE_QUIET;
2880 
2882  "alert icmp any any -> any any "
2883  "(content:\"/one/\"; icmpv4-csum:valid; "
2884  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2885  if (de_ctx->sig_list == NULL) {
2886  result &= 0;
2887  goto end;
2888  }
2889 
2891  "alert icmp any any -> any any "
2892  "(content:\"/one/\"; icmpv4-csum:invalid; "
2893  "msg:\"icmpv4-csum keyword check(1)\"; "
2894  "sid:2;)");
2895  if (de_ctx->sig_list->next == NULL) {
2896  result = 0;
2897  goto end;
2898  }
2899 
2901  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2902 
2903  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2904  if (PacketAlertCheck(p1, 1))
2905  result &= 1;
2906  else
2907  result &= 0;
2908 
2909  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2910  if (PacketAlertCheck(p2, 2))
2911  result &= 1;
2912  else
2913  result &= 0;
2914 
2917  if (det_ctx != NULL)
2918  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2920 end:
2921  SCFree(p1);
2922  SCFree(p2);
2923  return result;
2924 }
2925 
2926 static int SigTest35NegativeICMPV4Keyword(void)
2927 {
2928  uint8_t valid_raw_ipv4[] = {
2929  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2930  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2931  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2932  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2933  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2934  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2935  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2936  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2937  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2938  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2939  0x34, 0x35, 0x36, 0x37};
2940 
2941  uint8_t invalid_raw_ipv4[] = {
2942  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2943  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2944  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2945  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2946  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2947  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2948  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2949  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2950  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2951  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2952  0x34, 0x35, 0x36, 0x38};
2953 
2954  Packet *p1 = PacketGetFromAlloc();
2955  if (unlikely(p1 == NULL))
2956  return 0;
2957  Packet *p2 = PacketGetFromAlloc();
2958  if (unlikely(p2 == NULL)) {
2959  SCFree(p1);
2960  return 0;
2961  }
2962  ThreadVars th_v;
2963  DetectEngineThreadCtx *det_ctx = NULL;
2964  int result = 1;
2965 
2966  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2967  "\r\n\r\n";
2968  uint16_t buflen = strlen((char *)buf);
2969 
2970  memset(&th_v, 0, sizeof(ThreadVars));
2971 
2973  p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
2974  p1->ip4h->ip_verhl = 69;
2975  p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
2976  p1->src.family = AF_INET;
2977  p1->dst.family = AF_INET;
2978  p1->payload = buf;
2979  p1->payload_len = buflen;
2980  p1->proto = IPPROTO_ICMP;
2981 
2983  p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
2984  p2->ip4h->ip_verhl = 69;
2985  p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
2986  p2->src.family = AF_INET;
2987  p2->dst.family = AF_INET;
2988  p2->payload = buf;
2989  p2->payload_len = buflen;
2990  p2->proto = IPPROTO_ICMP;
2991 
2993  if (de_ctx == NULL) {
2994  goto end;
2995  }
2996 
2997  de_ctx->flags |= DE_QUIET;
2998 
3000  "alert icmp any any -> any any "
3001  "(content:\"/one/\"; icmpv4-csum:invalid; "
3002  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
3003  if (de_ctx->sig_list == NULL) {
3004  result &= 0;
3005  goto end;
3006  }
3007 
3009  "alert icmp any any -> any any "
3010  "(content:\"/one/\"; icmpv4-csum:valid; "
3011  "msg:\"icmpv4-csum keyword check(1)\"; "
3012  "sid:2;)");
3013  if (de_ctx->sig_list->next == NULL) {
3014  result &= 0;
3015  goto end;
3016  }
3017 
3019  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3020 
3021  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3022  if (PacketAlertCheck(p1, 1))
3023  result &= 0;
3024  else
3025  result &= 1;
3026 
3027  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3028  if (PacketAlertCheck(p2, 2))
3029  result &= 0;
3030  else {
3031  result &= 1;
3032  }
3033 
3036  if (det_ctx != NULL)
3037  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3039 end:
3040  SCFree(p1);
3041  SCFree(p2);
3042  return result;
3043 }
3044 
3045 static int SigTest38(void)
3046 {
3047  Packet *p1 = PacketGetFromAlloc();
3048  if (unlikely(p1 == NULL))
3049  return 0;
3050  ThreadVars th_v;
3051  DetectEngineThreadCtx *det_ctx = NULL;
3052  int result = 1;
3053  uint8_t raw_eth[] = {
3054  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3055  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3056  0x08, 0x00
3057  };
3058  uint8_t raw_ipv4[] = {
3059  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3060  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3061  0x7f, 0x00, 0x00, 0x01
3062  };
3063  uint8_t raw_tcp[] = {
3064  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3065  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3066  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3067  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3068  0x00, 0x22, 0xaa, 0x10
3069  };
3070  uint8_t buf[] = {
3071  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3072  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3073  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
3074  0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
3075  0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3076  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3077  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3078  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3079  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3080  0x0a
3081  };
3082  uint16_t ethlen = sizeof(raw_eth);
3083  uint16_t ipv4len = sizeof(raw_ipv4);
3084  uint16_t tcplen = sizeof(raw_tcp);
3085  uint16_t buflen = sizeof(buf);
3086 
3087  memset(&th_v, 0, sizeof(ThreadVars));
3088 
3089  /* Copy raw data into packet */
3090  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3091  SCFree(p1);
3092  return 1;
3093  }
3094  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3095  SCFree(p1);
3096  return 1;
3097  }
3098  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3099  SCFree(p1);
3100  return 1;
3101  }
3102  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3103  SCFree(p1);
3104  return 1;
3105  }
3106  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3107 
3109  p1->ethh = (EthernetHdr *)raw_eth;
3110  p1->ip4h = (IPV4Hdr *)raw_ipv4;
3111  p1->tcph = (TCPHdr *)raw_tcp;
3112  p1->src.family = AF_INET;
3113  p1->dst.family = AF_INET;
3114  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3115  p1->payload_len = buflen;
3116  p1->proto = IPPROTO_TCP;
3117 
3119  if (de_ctx == NULL) {
3120  goto end;
3121  }
3122  de_ctx->flags |= DE_QUIET;
3123 
3125  "alert tcp any any -> any any "
3126  "(content:\"LEN1|20|\"; "
3127  "byte_test:4,=,8,0; "
3128  "msg:\"byte_test keyword check(1)\"; sid:1;)");
3129  if (de_ctx->sig_list == NULL) {
3130  result &= 0;
3131  goto end;
3132  }
3134  "alert tcp any any -> any any "
3135  "(content:\"LEN1|20|\"; "
3136  "byte_test:4,=,8,5,relative,string,dec; "
3137  "msg:\"byte_test keyword check(2)\"; sid:2;)");
3138  if (de_ctx->sig_list->next == NULL) {
3139  result &= 0;
3140  goto end;
3141  }
3142 
3144  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3145 
3146  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3147  if (PacketAlertCheck(p1, 1)) {
3148  result = 1;
3149  } else {
3150  result = 0;
3151  printf("sid 1 didn't alert, but should have: ");
3152  goto cleanup;
3153  }
3154  if (PacketAlertCheck(p1, 2)) {
3155  result = 1;
3156  } else {
3157  result = 0;
3158  printf("sid 2 didn't alert, but should have: ");
3159  goto cleanup;
3160  }
3161 
3162 cleanup:
3165 
3166  if (det_ctx != NULL)
3167  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3169 
3170 end:
3171  SCFree(p1);
3172  return result;
3173 }
3174 
3175 static int SigTest39(void)
3176 {
3177  ThreadVars th_v;
3178  DetectEngineThreadCtx *det_ctx = NULL;
3179  uint8_t raw_eth[] = {
3180  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3181  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3182  0x08, 0x00
3183  };
3184  uint8_t raw_ipv4[] = {
3185  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3186  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3187  0x7f, 0x00, 0x00, 0x01
3188  };
3189  uint8_t raw_tcp[] = {
3190  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3191  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3192  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3193  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3194  0x00, 0x22, 0xaa, 0x10
3195  };
3196  uint8_t buf[] = {
3197  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3198  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3199  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3200  0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3201  0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3202  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3203  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3204  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3205  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3206  0x0a
3207  };
3208  uint16_t ethlen = sizeof(raw_eth);
3209  uint16_t ipv4len = sizeof(raw_ipv4);
3210  uint16_t tcplen = sizeof(raw_tcp);
3211  uint16_t buflen = sizeof(buf);
3212 
3213  memset(&th_v, 0, sizeof(ThreadVars));
3214 
3215  Packet *p1 = PacketGetFromAlloc();
3216  FAIL_IF_NULL(p1);
3217  /* Copy raw data into packet */
3218  FAIL_IF(PacketCopyData(p1, raw_eth, ethlen) == -1);
3219  FAIL_IF(PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1);
3220  FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1);
3221  FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1);
3222  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3223 
3225  p1->ethh = (EthernetHdr *)raw_eth;
3226  p1->ip4h = (IPV4Hdr *)raw_ipv4;
3227  p1->tcph = (TCPHdr *)raw_tcp;
3228  p1->src.family = AF_INET;
3229  p1->dst.family = AF_INET;
3230  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3231  p1->payload_len = buflen;
3232  p1->proto = IPPROTO_TCP;
3233 
3236  de_ctx->flags |= DE_QUIET;
3237 
3238  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3239  "(content:\"LEN1|20|\"; "
3240  "byte_test:4,=,8,0; "
3241  "byte_jump:4,0; "
3242  "byte_test:6,=,0x4c454e312038,0,relative; "
3243  "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3244  FAIL_IF_NULL(s);
3245  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3246  "(content:\"LEN1|20|\"; "
3247  "byte_test:4,=,8,4,relative,string,dec; "
3248  "byte_jump:4,4,relative,string,dec,post_offset 2; "
3249  "byte_test:4,=,0x4c454e32,0,relative; "
3250  "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3251  FAIL_IF_NULL(s);
3253  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3254 
3255  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3256 
3257  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
3258  FAIL_IF_NOT(PacketAlertCheck(p1, 2));
3259 
3260  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3262 
3263  SCFree(p1);
3264  PASS;
3265 }
3266 
3267 /**
3268  * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3269  * \brief expecting to match a size
3270  */
3271 
3272 static int SigTest36ContentAndIsdataatKeywords01 (void)
3273 {
3274  int result = 0;
3275 
3276  // Build and decode the packet
3277 
3278  uint8_t raw_eth [] = {
3279  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3280  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3281  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3282  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3283  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3284  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3285  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3286  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3287  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3288  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3289  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3290  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3291  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3292  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3293  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3294  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3295  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3296  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3297  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3298  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3299  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3300  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3301  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3302  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3303  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3304  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3305  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3306  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3307  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3308  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3309 
3310  Packet *p = PacketGetFromAlloc();
3311  if (unlikely(p == NULL))
3312  return 0;
3314 
3315  ThreadVars th_v;
3316  DetectEngineThreadCtx *det_ctx = NULL;
3317 
3318  memset(&dtv, 0, sizeof(DecodeThreadVars));
3319  memset(&th_v, 0, sizeof(th_v));
3320 
3322  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3323 
3324 
3326  if (de_ctx == NULL) {
3327  goto end;
3328  }
3329 
3330  de_ctx->flags |= DE_QUIET;
3331 
3332  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3333  if (de_ctx->sig_list == NULL) {
3334  result = 0;
3335  goto end;
3336  }
3337 
3339  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3340 
3341  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3342  if (PacketAlertCheck(p, 101) == 0) {
3343  result = 0;
3344  goto end;
3345  } else {
3346  result=1;
3347  }
3348 
3351 
3352  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3354  PacketRecycle(p);
3355  FlowShutdown();
3356 
3357  SCFree(p);
3358  return result;
3359 
3360 end:
3361  if(de_ctx)
3362  {
3365  }
3366 
3367  if(det_ctx)
3368  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3369 
3370  //PatternMatchDestroy(mpm_ctx);
3371 
3372  if(de_ctx)
3374 
3375  if (p != NULL)
3376  PacketRecycle(p);
3377 
3378  FlowShutdown();
3379 
3380  SCFree(p);
3381  return result;
3382 }
3383 
3384 
3385 /**
3386  * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3387  * \brief not expecting to match a size
3388  */
3389 
3390 static int SigTest37ContentAndIsdataatKeywords02 (void)
3391 {
3392  int result = 0;
3393 
3394  // Build and decode the packet
3395 
3396  uint8_t raw_eth [] = {
3397  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3398  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3399  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3400  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3401  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3402  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3403  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3404  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3405  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3406  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3407  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3408  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3409  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3410  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3411  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3412  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3413  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3414  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3415  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3416  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3417  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3418  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3419  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3420  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3421  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3422  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3423  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3424  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3425  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3426  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3427 
3428  Packet *p = PacketGetFromAlloc();
3429  if (unlikely(p == NULL))
3430  return 0;
3432 
3433  ThreadVars th_v;
3434  DetectEngineThreadCtx *det_ctx = NULL;
3435 
3436  memset(&dtv, 0, sizeof(DecodeThreadVars));
3437  memset(&th_v, 0, sizeof(th_v));
3438 
3440  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3441 
3442 
3444  if (de_ctx == NULL) {
3445  goto end;
3446  }
3447 
3448  de_ctx->flags |= DE_QUIET;
3449 
3450  Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3451  if (de_ctx->sig_list == NULL) {
3452  printf("sig parse failed: ");
3453  result = 0;
3454  goto end;
3455  }
3456 
3458  printf("type not content: ");
3459  goto end;
3460  }
3462  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3463 
3464  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3465  if (PacketAlertCheck(p, 101) == 0) {
3466  result = 1;
3467  goto end;
3468  } else {
3469  printf("sig matched, but should not have: ");
3470  result=0;
3471  }
3472 
3475 
3476  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3478 
3479  PacketRecycle(p);
3480  FlowShutdown();
3481 
3482  SCFree(p);
3483  return result;
3484 
3485 end:
3486  if(de_ctx)
3487  {
3490  }
3491 
3492  if(det_ctx)
3493  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3494 
3495  if(de_ctx)
3497 
3498  if (p != NULL)
3499  PacketRecycle(p);
3500 
3501  FlowShutdown();
3502 
3503  SCFree(p);
3504  return result;
3505 }
3506 
3507 /**
3508  * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3509  * flag is set, we don't need to inspect the packet protocol header or its contents.
3510  */
3511 
3512 static int SigTest40NoPacketInspection01(void)
3513 {
3514 
3515  uint8_t *buf = (uint8_t *)
3516  "220 (vsFTPd 2.0.5)\r\n";
3517  uint16_t buflen = strlen((char *)buf);
3518  Packet *p = PacketGetFromAlloc();
3519  TCPHdr tcphdr;
3520  if (unlikely(p == NULL))
3521  return 0;
3522  ThreadVars th_v;
3523  DetectEngineThreadCtx *det_ctx = NULL;
3524  PacketQueue pq;
3525  Flow f;
3526  int result = 0;
3527 
3528  memset(&th_v, 0, sizeof(th_v));
3529  memset(&pq, 0, sizeof(pq));
3530  memset(&f, 0, sizeof(f));
3531  memset(&tcphdr, 0, sizeof(tcphdr));
3532 
3533  p->src.family = AF_INET;
3534  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3535  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3536  p->dst.family = AF_INET;
3537  p->payload = buf;
3538  p->payload_len = buflen;
3539  p->proto = IPPROTO_TCP;
3540  p->dp = 34260;
3541  p->sp = 21;
3544  p->tcph = &tcphdr;
3545  p->flow = &f;
3546 
3547  FLOW_INITIALIZE(&f);
3548 
3550  if (de_ctx == NULL) {
3551  goto end;
3552  }
3553 
3554  de_ctx->flags |= DE_QUIET;
3555 
3556  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3557  if (de_ctx->sig_list == NULL) {
3558  result = 0;
3559  goto end;
3560  }
3561 
3563  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3564  det_ctx->de_ctx = de_ctx;
3565 
3566  Detect(&th_v, p, det_ctx);
3567  if (PacketAlertCheck(p, 2))
3568  result = 0;
3569  else
3570  result = 1;
3571 
3574  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3575  //PatternMatchDestroy(mpm_ctx);
3577 end:
3578  SCFree(p);
3579  return result;
3580 }
3581 
3582 /**
3583  * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3584  * flag is set, we don't need to inspect the packet contents.
3585  */
3586 
3587 static int SigTest40NoPayloadInspection02(void)
3588 {
3589 
3590  uint8_t *buf = (uint8_t *)
3591  "220 (vsFTPd 2.0.5)\r\n";
3592  uint16_t buflen = strlen((char *)buf);
3593  ThreadVars th_v;
3594  memset(&th_v, 0, sizeof(th_v));
3595 
3596  Packet *p = PacketGetFromAlloc();
3597  FAIL_IF_NULL(p);
3598 
3599  p->src.family = AF_INET;
3600  p->dst.family = AF_INET;
3601  p->payload = buf;
3602  p->payload_len = buflen;
3603  p->proto = IPPROTO_TCP;
3605 
3606  DetectEngineThreadCtx *det_ctx = NULL;
3609  de_ctx->flags |= DE_QUIET;
3610 
3612  "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3613  FAIL_IF_NULL(s);
3614 
3616  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3617 
3618  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3619 
3620  FAIL_IF(PacketAlertCheck(p, 1));
3621 
3622  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3624  SCFree(p);
3625  PASS;
3626 }
3627 
3628 static int SigTestMemory01 (void)
3629 {
3630  uint8_t *buf = (uint8_t *)
3631  "GET /one/ HTTP/1.1\r\n"
3632  "Host: one.example.org\r\n"
3633  "\r\n\r\n"
3634  "GET /two/ HTTP/1.1\r\n"
3635  "Host: two.example.org\r\n"
3636  "\r\n\r\n";
3637  uint16_t buflen = strlen((char *)buf);
3638  Packet *p = PacketGetFromAlloc();
3639  if (unlikely(p == NULL))
3640  return 0;
3641  ThreadVars th_v;
3642  DetectEngineThreadCtx *det_ctx = NULL;
3643  int result = 0;
3644 
3645  memset(&th_v, 0, sizeof(th_v));
3646  p->src.family = AF_INET;
3647  p->dst.family = AF_INET;
3648  p->payload = buf;
3649  p->payload_len = buflen;
3650  p->proto = IPPROTO_TCP;
3651 
3653  if (de_ctx == NULL) {
3654  goto end;
3655  }
3656 
3657  de_ctx->flags |= DE_QUIET;
3658 
3659  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3660  if (de_ctx->sig_list == NULL) {
3661  result = 0;
3662  goto end;
3663  }
3664 
3666  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3667 
3669  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3671 
3672  result = 1;
3673 end:
3674  SCFree(p);
3675  return result;
3676 }
3677 
3678 static int SigTestMemory02 (void)
3679 {
3680  ThreadVars th_v;
3681  int result = 0;
3682 
3683  memset(&th_v, 0, sizeof(th_v));
3684 
3686  if (de_ctx == NULL) {
3687  goto end;
3688  }
3689  de_ctx->flags |= DE_QUIET;
3690 
3691  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3692  if (de_ctx->sig_list == NULL) {
3693  result = 0;
3694  goto end;
3695  }
3696  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3697  if (de_ctx->sig_list->next == NULL) {
3698  result = 0;
3699  goto end;
3700  }
3701 
3703 
3706 
3707  result = 1;
3708 end:
3709  return result;
3710 }
3711 
3712 static int SigTestMemory03 (void)
3713 {
3714  ThreadVars th_v;
3715  int result = 0;
3716 
3717  memset(&th_v, 0, sizeof(th_v));
3718 
3720  if (de_ctx == NULL) {
3721  goto end;
3722  }
3723  de_ctx->flags |= DE_QUIET;
3724 
3725  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3726  if (de_ctx->sig_list == NULL) {
3727  result = 0;
3728  goto end;
3729  }
3730  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3731  if (de_ctx->sig_list->next == NULL) {
3732  result = 0;
3733  goto end;
3734  }
3735  de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3736  if (de_ctx->sig_list->next->next == NULL) {
3737  result = 0;
3738  goto end;
3739  }
3740 
3742 
3745 
3746  result = 1;
3747 end:
3748  return result;
3749 }
3750 
3751 static int SigTestContent01 (void)
3752 {
3753  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3754  uint16_t buflen = strlen((char *)buf);
3755  ThreadVars th_v;
3756  DetectEngineThreadCtx *det_ctx = NULL;
3757  int result = 0;
3758 
3759  memset(&th_v, 0, sizeof(th_v));
3760 
3761  Packet *p = NULL;
3762  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3763 
3765  if (de_ctx == NULL) {
3766  goto end;
3767  }
3768  de_ctx->flags |= DE_QUIET;
3769 
3770  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3771  if (de_ctx->sig_list == NULL) {
3772  result = 0;
3773  goto end;
3774  }
3775 
3777  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3778 
3779  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3780  if (PacketAlertCheck(p, 1))
3781  result = 1;
3782  else
3783  printf("sig 1 didn't match: ");
3784 
3787 
3788  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3790 end:
3791  UTHFreePackets(&p, 1);
3792  return result;
3793 }
3794 
3795 static int SigTestContent02 (void)
3796 {
3797  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3798  uint16_t buflen = strlen((char *)buf);
3799  ThreadVars th_v;
3800  DetectEngineThreadCtx *det_ctx = NULL;
3801  int result = 0;
3802 
3803  memset(&th_v, 0, sizeof(th_v));
3804  Packet *p = NULL;
3805  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3806 
3808  if (de_ctx == NULL) {
3809  goto end;
3810  }
3811  de_ctx->flags |= DE_QUIET;
3812 
3813  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3814  if (de_ctx->sig_list == NULL) {
3815  result = 0;
3816  goto end;
3817  }
3818 
3819  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3820  if (de_ctx->sig_list->next == NULL) {
3821  result = 0;
3822  goto end;
3823  }
3824 
3826  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3827 
3828  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3829  if (PacketAlertCheck(p, 1)) {
3830  if (PacketAlertCheck(p, 2)) {
3831  result = 1;
3832  } else
3833  printf("sig 2 didn't match: ");
3834  }
3835  else
3836  printf("sig 1 didn't match: ");
3837 
3840 
3841  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3843 end:
3844  UTHFreePackets(&p, 1);
3845  return result;
3846 }
3847 
3848 static int SigTestContent03 (void)
3849 {
3850  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3851  uint16_t buflen = strlen((char *)buf);
3852  ThreadVars th_v;
3853  DetectEngineThreadCtx *det_ctx = NULL;
3854  int result = 0;
3855 
3856  memset(&th_v, 0, sizeof(th_v));
3857  Packet *p = NULL;
3858  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3859 
3861  if (de_ctx == NULL) {
3862  goto end;
3863  }
3864 
3865  de_ctx->flags |= DE_QUIET;
3866 
3867  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3868  if (de_ctx->sig_list == NULL) {
3869  result = 0;
3870  goto end;
3871  }
3872 
3874  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3875 
3876  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3877  if (PacketAlertCheck(p, 1))
3878  result = 1;
3879  else
3880  printf("sig 1 didn't match: ");
3881 
3884 
3885  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3887 end:
3888  UTHFreePackets(&p, 1);
3889  return result;
3890 }
3891 
3892 static int SigTestContent04 (void)
3893 {
3894  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3895  uint16_t buflen = strlen((char *)buf);
3896  ThreadVars th_v;
3897  DetectEngineThreadCtx *det_ctx = NULL;
3898  int result = 0;
3899 
3900  memset(&th_v, 0, sizeof(th_v));
3901 
3902  Packet *p = NULL;
3903  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3904 
3906  if (de_ctx == NULL) {
3907  goto end;
3908  }
3909 
3910  de_ctx->flags |= DE_QUIET;
3911 
3912  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3913  if (de_ctx->sig_list == NULL) {
3914  result = 0;
3915  goto end;
3916  }
3917 
3919  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3920 
3921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3922  if (PacketAlertCheck(p, 1))
3923  result = 1;
3924  else
3925  printf("sig 1 didn't match: ");
3926 
3929 
3930  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3932 end:
3933  UTHFreePackets(&p, 1);
3934  return result;
3935 }
3936 
3937 /** \test sigs with patterns at the limit of the pm's size limit */
3938 static int SigTestContent05 (void)
3939 {
3940  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3941  uint16_t buflen = strlen((char *)buf);
3942  ThreadVars th_v;
3943  DetectEngineThreadCtx *det_ctx = NULL;
3944  int result = 0;
3945 
3946  memset(&th_v, 0, sizeof(th_v));
3947  Packet *p = NULL;
3948  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3949 
3951  if (de_ctx == NULL) {
3952  printf("de_ctx == NULL: ");
3953  goto end;
3954  }
3955 
3956  de_ctx->flags |= DE_QUIET;
3957 
3958  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3959  if (de_ctx->sig_list == NULL) {
3960  printf("sig1 parse failed: ");
3961  goto end;
3962  }
3963  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
3964  if (de_ctx->sig_list->next == NULL) {
3965  printf("sig2 parse failed: ");
3966  goto end;
3967  }
3968 
3970  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3971 
3972  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3973 
3974  if (PacketAlertCheck(p, 1)) {
3975  printf("sig 1 matched but shouldn't: ");
3976  goto end;
3977  }
3978 
3979  if (PacketAlertCheck(p, 2)) {
3980  printf("sig 2 matched but shouldn't: ");
3981  goto end;
3982  }
3983 
3984  result = 1;
3985 end:
3986  UTHFreePackets(&p, 1);
3989 
3990  if (det_ctx != NULL) {
3991  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3992  }
3993  if (de_ctx != NULL) {
3995  }
3996  return result;
3997 }
3998 
3999 static int SigTestContent06 (void)
4000 {
4001  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4002  uint16_t buflen = strlen((char *)buf);
4003  ThreadVars th_v;
4004  DetectEngineThreadCtx *det_ctx = NULL;
4005  int result = 0;
4006 
4007  memset(&th_v, 0, sizeof(th_v));
4008  Packet *p = NULL;
4009  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4010 
4012  if (de_ctx == NULL) {
4013  goto end;
4014  }
4015 
4016  de_ctx->flags |= DE_QUIET;
4017 
4018  de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4019  if (de_ctx->sig_list == NULL) {
4020  result = 0;
4021  goto end;
4022  }
4023  de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
4024  if (de_ctx->sig_list->next == NULL) {
4025  result = 0;
4026  goto end;
4027  }
4028 
4030  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4031 
4032  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4033  if (PacketAlertCheck(p, 1)){
4034  //printf("sig 1 matched :");
4035  }else{
4036  printf("sig 1 didn't match: ");
4037  goto end;
4038  }
4039 
4040  if (PacketAlertCheck(p, 2)){
4041  result = 1;
4042  }else{
4043  printf("sig 2 didn't match: ");
4044  goto end;
4045  }
4046 
4049 
4050  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4052 end:
4053  UTHFreePackets(&p, 1);
4054  return result;
4055 }
4056 
4057 static int SigTestWithin01 (void)
4058 {
4060  ThreadVars th_v;
4061  int result = 0;
4062  Packet *p1 = NULL;
4063  Packet *p2 = NULL;
4064  Packet *p3 = NULL;
4065  Packet *p4 = NULL;
4066 
4067  uint8_t rawpkt1[] = {
4068  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4069  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4070  0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4071  0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4072  0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4073  0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4074  0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4075  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4076  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4077  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4078  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4079  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4080  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4081  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4082  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4083  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4084  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4085  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4086  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4087  0x00,0x00 }; /* end rawpkt1 */
4088 
4089  uint8_t rawpkt2[] = {
4090  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4091  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4092  0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4093  0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4094  0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4095  0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4096  0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4097  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4098  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4099  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4100  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4101  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4102  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4103  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4104  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4105  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4106  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4107  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4108  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4109  0x00,0x00 }; /* end rawpkt2 */
4110 
4111  uint8_t rawpkt3[] = {
4112  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4113  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4114  0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4115  0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4116  0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4117  0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4118  0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4119  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4120  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4121  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4122  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4123  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4124  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4125  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4126  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4127  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4128  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4129  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4130  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4131  0x00,0x00 }; /* end rawpkt3 */
4132 
4133  uint8_t rawpkt4[] = {
4134  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4135  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4136  0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4137  0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4138  0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4139  0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4140  0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4141  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4142  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4143  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4144  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4145  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4146  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4147  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4148  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4149  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4150  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4151  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4152  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4153  0x00,0x00 }; /* end rawpkt4 */
4154 
4155  memset(&dtv, 0, sizeof(DecodeThreadVars));
4156  memset(&th_v, 0, sizeof(th_v));
4157 
4158  DetectEngineThreadCtx *det_ctx = NULL;
4159 
4161 
4163  if (de_ctx == NULL) {
4164  goto end;
4165  }
4166 
4167  de_ctx->flags |= DE_QUIET;
4168 
4169  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4170  if (de_ctx->sig_list == NULL) {
4171  result = 0;
4172  goto end;
4173  }
4174 
4176  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4177 
4178  /* packet 1 */
4179  p1 = PacketGetFromAlloc();
4180  if (unlikely(p1 == NULL))
4181  return 0;
4182  DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1));
4183  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4184  if (!(PacketAlertCheck(p1, 556))) {
4185  printf("failed to match on packet 1: ");
4186  goto end;
4187  }
4188 
4189  /* packet 2 */
4190  p2 = PacketGetFromAlloc();
4191  if (unlikely(p2 == NULL))
4192  return 0;
4193  DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2));
4194  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4195  if (!(PacketAlertCheck(p2, 556))) {
4196  printf("failed to match on packet 2: ");
4197  goto end;
4198  }
4199 
4200  /* packet 3 */
4201  p3 = PacketGetFromAlloc();
4202  if (unlikely(p3 == NULL))
4203  return 0;
4204  DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3));
4205  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4206  if (!(PacketAlertCheck(p3, 556))) {
4207  printf("failed to match on packet 3: ");
4208  goto end;
4209  }
4210 
4211  /* packet 4 */
4212  p4 = PacketGetFromAlloc();
4213  if (unlikely(p4 == NULL))
4214  return 0;
4215  DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4));
4216  SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
4217  if (!(PacketAlertCheck(p4, 556))) {
4218  printf("failed to match on packet 4: ");
4219  goto end;
4220  }
4221 
4222  /* packet 5 */
4223  uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
4224  uint16_t p5buflen = strlen((char *)p5buf);
4225  Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
4226  SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
4227  if (!(PacketAlertCheck(p5, 556))) {
4228  printf("failed to match on packet 5: ");
4229  goto end;
4230  }
4231  UTHFreePackets(&p5, 1);
4232 
4233  result = 1;
4234 end:
4235  if (de_ctx != NULL) {
4238  }
4239 
4240  if (det_ctx != NULL)
4241  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4242 
4243  if (de_ctx != NULL)
4245 
4246  if (p1 != NULL) {
4247  PacketRecycle(p1);
4248  SCFree(p1);
4249  }
4250  if (p2 != NULL) {
4251  PacketRecycle(p2);
4252  SCFree(p2);
4253  }
4254  if (p3 != NULL) {
4255  PacketRecycle(p3);
4256  SCFree(p3);
4257  }
4258  if (p4 != NULL) {
4259  PacketRecycle(p4);
4260  SCFree(p4);
4261  }
4262  FlowShutdown();
4263  return result;
4264 }
4265 
4266 static int SigTestDepthOffset01 (void)
4267 {
4268  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4269  uint16_t buflen = strlen((char *)buf);
4270  Packet *p = NULL;
4271  ThreadVars th_v;
4272  DetectEngineThreadCtx *det_ctx = NULL;
4273  int result = 0;
4274 
4275  memset(&th_v, 0, sizeof(th_v));
4276 
4277  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
4278 
4280  if (de_ctx == NULL) {
4281  goto end;
4282  }
4283 
4284  de_ctx->flags |= DE_QUIET;
4285 
4286  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4287  if (de_ctx->sig_list == NULL) {
4288  result = 0;
4289  goto end;
4290  }
4291 
4293  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4294 
4295  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4296  if (PacketAlertCheck(p, 1))
4297  result = 1;
4298 
4301 
4302  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4304 end:
4305  UTHFreePackets(&p, 1);
4306  return result;
4307 }
4308 
4309 static int SigTestDetectAlertCounter(void)
4310 {
4311  Packet *p = NULL;
4312  ThreadVars tv;
4313  DetectEngineThreadCtx *det_ctx = NULL;
4314  memset(&tv, 0, sizeof(tv));
4315 
4318  de_ctx->flags |= DE_QUIET;
4319 
4320  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
4321  "content:\"boo\"; sid:1;)");
4322  FAIL_IF(de_ctx->sig_list == NULL);
4323 
4325  strlcpy(tv.name, "detect_test", sizeof(tv.name));
4326  DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4327  /* init counters */
4329 
4330  p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4331  Detect(&tv, p, det_ctx);
4333 
4334  Detect(&tv, p, det_ctx);
4336  UTHFreePackets(&p, 1);
4337 
4338  p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4339  Detect(&tv, p, det_ctx);
4341  UTHFreePackets(&p, 1);
4342 
4343  p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4344  Detect(&tv, p, det_ctx);
4346  UTHFreePackets(&p, 1);
4347 
4348  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4350  PASS;
4351 }
4352 
4353 /** \test test if the engine set flag to drop pkts of a flow that
4354  * triggered a drop action on IPS mode */
4355 static int SigTestDropFlow01(void)
4356 {
4357  Flow f;
4358  HtpState *http_state = NULL;
4359  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4360  "User-Agent: Mozilla/1.0\r\n"
4361  "Cookie: hellocatch\r\n\r\n";
4362  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4363  TcpSession ssn;
4364  Packet *p = NULL;
4365  Signature *s = NULL;
4366  ThreadVars tv;
4367  DetectEngineThreadCtx *det_ctx = NULL;
4369 
4370  memset(&tv, 0, sizeof(ThreadVars));
4371  memset(&f, 0, sizeof(Flow));
4372  memset(&ssn, 0, sizeof(TcpSession));
4373 
4374  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4375 
4376  FLOW_INITIALIZE(&f);
4377  f.protoctx = (void *)&ssn;
4378  f.proto = IPPROTO_TCP;
4379  f.flags |= FLOW_IPV4;
4380 
4381  p->flow = &f;
4385  f.alproto = ALPROTO_HTTP1;
4386 
4387  StreamTcpInitConfig(true);
4388 
4391  de_ctx->flags |= DE_QUIET;
4392 
4393  s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4394  "(msg:\"Test proto match\"; "
4395  "sid:1;)");
4396  FAIL_IF_NULL(s);
4397 
4399  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4400 
4401  int r = AppLayerParserParse(
4402  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4403  FAIL_IF_NOT(r == 0);
4404 
4405  http_state = f.alstate;
4406  FAIL_IF_NULL(http_state);
4407 
4408  /* do detect */
4409  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4410 
4412 
4414 
4416  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4418 
4419  StreamTcpFreeConfig(true);
4420  FLOW_DESTROY(&f);
4421 
4422  UTHFreePackets(&p, 1);
4423  PASS;
4424 }
4425 
4426 /** \test test if the engine set flag to drop pkts of a flow that
4427  * triggered a drop action on IPS mode */
4428 static int SigTestDropFlow02(void)
4429 {
4430  int result = 0;
4431  Flow f;
4432  HtpState *http_state = NULL;
4433  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4434  "User-Agent: Mozilla/1.0\r\n"
4435  "Cookie: hellocatch\r\n\r\n";
4436  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4437  TcpSession ssn;
4438  Packet *p = NULL;
4439  Signature *s = NULL;
4440  ThreadVars tv;
4441  DetectEngineThreadCtx *det_ctx = NULL;
4443 
4444  memset(&tv, 0, sizeof(ThreadVars));
4445  memset(&f, 0, sizeof(Flow));
4446  memset(&ssn, 0, sizeof(TcpSession));
4447 
4448  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4449 
4450  FLOW_INITIALIZE(&f);
4451  f.protoctx = (void *)&ssn;
4452  f.proto = IPPROTO_TCP;
4453  f.flags |= FLOW_IPV4;
4454 
4455  p->flow = &f;
4459  f.alproto = ALPROTO_HTTP1;
4460 
4461  StreamTcpInitConfig(true);
4462 
4464  if (de_ctx == NULL) {
4465  goto end;
4466  }
4467  de_ctx->flags |= DE_QUIET;
4468 
4469  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4470  "(msg:\"Test proto match\"; uricontent:\"one\";"
4471  "sid:1;)");
4472  if (s == NULL) {
4473  goto end;
4474  }
4475 
4477  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4478 
4479  int r = AppLayerParserParse(
4480  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4481  if (r != 0) {
4482  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4483  goto end;
4484  }
4485 
4486  http_state = f.alstate;
4487  if (http_state == NULL) {
4488  printf("no http state: ");
4489  goto end;
4490  }
4491 
4492  /* do detect */
4493  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4494 
4495  if (!PacketAlertCheck(p, 1)) {
4496  printf("sig 1 didn't alert, but it should: ");
4497  goto end;
4498  }
4499 
4500  if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4501  printf("sig 1 alerted but flow was not flagged correctly: ");
4502  goto end;
4503  }
4504 
4505  /* Ok, now we know that the flag is set for app layer sigs
4506  * (ex: inspecting uricontent) */
4507 
4508  result = 1;
4509 
4510 end:
4511  if (alp_tctx != NULL)
4513  if (det_ctx != NULL)
4514  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4515  if (de_ctx != NULL)
4517  if (de_ctx != NULL)
4519 
4520  StreamTcpFreeConfig(true);
4521  FLOW_DESTROY(&f);
4522 
4523  UTHFreePackets(&p, 1);
4524  return result;
4525 }
4526 
4527 /** \test test if the engine set flag to drop pkts of a flow that
4528  * triggered a drop action on IPS mode, and it doesn't inspect
4529  * any other packet of the stream */
4530 static int SigTestDropFlow03(void)
4531 {
4532  int result = 0;
4533  Flow f;
4534  HtpState *http_state = NULL;
4535  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4536  "User-Agent: Mozilla/1.0\r\n"
4537  "Cookie: hellocatch\r\n\r\n";
4538  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4539 
4540  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4541  "User-Agent: Mozilla/1.0\r\n"
4542  "Cookie: hellocatch\r\n\r\n";
4543  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4544 
4545  /* Set the engine mode to IPS */
4546  EngineModeSetIPS();
4547 
4548  TcpSession ssn;
4549  Packet *p1 = NULL;
4550  Packet *p2 = NULL;
4551  Signature *s = NULL;
4552  ThreadVars tv;
4553  DetectEngineThreadCtx *det_ctx = NULL;
4555 
4556  memset(&tv, 0, sizeof(ThreadVars));
4557  memset(&f, 0, sizeof(Flow));
4558  memset(&ssn, 0, sizeof(TcpSession));
4559 
4560  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4561  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4562 
4563  FLOW_INITIALIZE(&f);
4564  f.protoctx = (void *)&ssn;
4565  f.proto = IPPROTO_TCP;
4566  f.flags |= FLOW_IPV4;
4567 
4568  p1->flow = &f;
4572 
4573  p2->flow = &f;
4577  f.alproto = ALPROTO_HTTP1;
4578 
4579  StreamTcpInitConfig(true);
4580 
4582  if (de_ctx == NULL) {
4583  goto end;
4584  }
4585 
4586  de_ctx->flags |= DE_QUIET;
4587 
4588  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4589  "(msg:\"Test proto match\"; uricontent:\"one\";"
4590  "sid:1;)");
4591  if (s == NULL) {
4592  goto end;
4593  }
4594 
4595  /* the no inspection flag should be set after the first sig gets triggered,
4596  * so the second packet should not match the next sig (because of no inspection) */
4597  s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4598  "(msg:\"Test proto match\"; uricontent:\"two\";"
4599  "sid:2;)");
4600  if (s == NULL) {
4601  goto end;
4602  }
4603 
4605  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4606 
4607  int r = AppLayerParserParse(
4608  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4609  if (r != 0) {
4610  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4611  goto end;
4612  }
4613 
4614  http_state = f.alstate;
4615  if (http_state == NULL) {
4616  printf("no http state: ");
4617  goto end;
4618  }
4619 
4620  /* do detect */
4621  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4622 
4623  if (!PacketAlertCheck(p1, 1)) {
4624  printf("sig 1 didn't alert on p1, but it should: ");
4625  goto end;
4626  }
4627 
4628  if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4629  printf("sig 1 alerted but flow was not flagged correctly: ");
4630  goto end;
4631  }
4632 
4633  /* Second part.. Let's feed with another packet */
4634  if (StreamTcpCheckFlowDrops(p2) == 1) {
4635  SCLogDebug("This flow/stream triggered a drop rule");
4636  FlowSetNoPacketInspectionFlag(p2->flow);
4637  DecodeSetNoPacketInspectionFlag(p2);
4639  p2->action |= ACTION_DROP;
4640  /* return the segments to the pool */
4642  }
4643 
4644 
4645  if ( !(p2->flags & PKT_NOPACKET_INSPECTION)) {
4646  printf("The packet was not flagged with no-inspection: ");
4647  goto end;
4648  }
4649 
4650  r = AppLayerParserParse(
4651  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4652  if (r != 0) {
4653  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4654  goto end;
4655  }
4656 
4657  /* do detect */
4658  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4659 
4660  if (PacketAlertCheck(p2, 1)) {
4661  printf("sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4662  goto end;
4663  }
4664 
4665  if (PacketAlertCheck(p2, 2)) {
4666  printf("sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4667  goto end;
4668  }
4669 
4670  if (!(PacketTestAction(p2, ACTION_DROP))) {
4671  printf("A \"drop\" action should be set from the flow to the packet: ");
4672  goto end;
4673  }
4674 
4675  result = 1;
4676 
4677 end:
4678  if (alp_tctx != NULL)
4680  if (det_ctx != NULL)
4681  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4682  if (de_ctx != NULL)
4684  if (de_ctx != NULL)
4686 
4687  StreamTcpFreeConfig(true);
4688  FLOW_DESTROY(&f);
4689 
4690  UTHFreePackets(&p1, 1);
4691  UTHFreePackets(&p2, 1);
4692 
4693  /* Restore mode to IDS */
4694  EngineModeSetIDS();
4695  return result;
4696 }
4697 
4698 /** \test ICMP packet shouldn't be matching port based sig
4699  * Bug #611 */
4700 static int SigTestPorts01(void)
4701 {
4702  int result = 0;
4703  Packet *p1 = NULL;
4704  Signature *s = NULL;
4705  ThreadVars tv;
4706  DetectEngineThreadCtx *det_ctx = NULL;
4707  uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
4708 
4709  memset(&tv, 0, sizeof(ThreadVars));
4710 
4711  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
4712 
4714  if (de_ctx == NULL) {
4715  goto end;
4716  }
4717  de_ctx->flags |= DE_QUIET;
4718 
4719  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
4720  "(content:\"AAA\"; sid:1;)");
4721  if (s == NULL) {
4722  goto end;
4723  }
4724 
4726  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4727 
4728  /* do detect */
4729  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4730 
4731  if (PacketAlertCheck(p1, 1)) {
4732  printf("sig 1 alerted on p1, but it should not: ");
4733  goto end;
4734  }
4735 
4736  result = 1;
4737 end:
4738  if (det_ctx != NULL)
4739  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4740  if (de_ctx != NULL)
4742  if (de_ctx != NULL)
4744 
4745  UTHFreePackets(&p1, 1);
4746  return result;
4747 }
4748 
4749 /** \test almost identical patterns */
4750 static int SigTestBug01(void)
4751 {
4752  int result = 0;
4753  Packet *p1 = NULL;
4754  Signature *s = NULL;
4755  ThreadVars tv;
4756  DetectEngineThreadCtx *det_ctx = NULL;
4757  uint8_t payload[] = "!mymy";
4758 
4759  memset(&tv, 0, sizeof(ThreadVars));
4760 
4761  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
4762 
4764  if (de_ctx == NULL) {
4765  goto end;
4766  }
4767  de_ctx->flags |= DE_QUIET;
4768 
4769  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4770  "(content:\"Omymy\"; nocase; sid:1;)");
4771  if (s == NULL) {
4772  goto end;
4773  }
4774  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4775  "(content:\"!mymy\"; nocase; sid:2;)");
4776  if (s == NULL) {
4777  goto end;
4778  }
4779 
4781  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4782 
4783  /* do detect */
4784  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4785 
4786  if (PacketAlertCheck(p1, 1)) {
4787  printf("sig 1 alerted on p1, but it should not: ");
4788  goto end;
4789  }
4790  if (!(PacketAlertCheck(p1, 2))) {
4791  printf("sig 2 did not p1, but it should have: ");
4792  goto end;
4793  }
4794 
4795  result = 1;
4796 end:
4797  if (det_ctx != NULL)
4798  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4799  if (de_ctx != NULL)
4801  if (de_ctx != NULL)
4803 
4804  UTHFreePackets(&p1, 1);
4805  return result;
4806 }
4807 
4808 static const char *dummy_conf_string2 =
4809  "%YAML 1.1\n"
4810  "---\n"
4811  "vars:\n"
4812  "\n"
4813  " address-groups:\n"
4814  "\n"
4815  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4816  "\n"
4817  " EXTERNAL_NET: \"any\"\n"
4818  "\n"
4819  " port-groups:\n"
4820  "\n"
4821  " HTTP_PORTS: \"80:81,88\"\n"
4822  "\n";
4823 
4824 static int DetectAddressYamlParsing01 (void)
4825 {
4826  int result = 0;
4827 
4829  ConfInit();
4830  ConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
4831 
4833  if (de_ctx == NULL) {
4834  goto end;
4835  }
4836 
4837  de_ctx->flags |= DE_QUIET;
4838 
4839  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4840  goto end;
4841  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4842  goto end;
4843  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4844  goto end;
4845 
4846  result = 1;
4847 
4849 end:
4850  ConfDeInit();
4852  return result;
4853 }
4854 
4855 static const char *dummy_conf_string3 =
4856  "%YAML 1.1\n"
4857  "---\n"
4858  "vars:\n"
4859  "\n"
4860  " address-groups:\n"
4861  "\n"
4862  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4863  "\n"
4864  " EXTERNAL_NET: \"any\"\n"
4865  "\n"
4866  " port-groups:\n"
4867  "\n"
4868  " HTTP_PORTS: \"80:81,88\"\n"
4869  "\n";
4870 
4871 static int DetectAddressYamlParsing02 (void)
4872 {
4873  int result = 0;
4874 
4876  ConfInit();
4877  ConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
4878 
4880  if (de_ctx == NULL) {
4881  goto end;
4882  }
4883 
4884  de_ctx->flags |= DE_QUIET;
4885 
4886  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4887  goto end;
4888  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4889  goto end;
4890  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4891  goto end;
4892 
4893  result = 1;
4894 
4896 end:
4897  ConfDeInit();
4899  return result;
4900 }
4901 
4902 static const char *dummy_conf_string4 =
4903  "%YAML 1.1\n"
4904  "---\n"
4905  "vars:\n"
4906  "\n"
4907  " address-groups:\n"
4908  "\n"
4909  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4910  "\n"
4911  " EXTERNAL_NET: \"any\"\n"
4912  "\n"
4913  " port-groups:\n"
4914  "\n"
4915  " HTTP_PORTS: \"80:81,88\"\n"
4916  "\n";
4917 
4918 static int DetectAddressYamlParsing03 (void)
4919 {
4920  int result = 0;
4921 
4923  ConfInit();
4924  ConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
4925 
4927  if (de_ctx == NULL) {
4928  goto end;
4929  }
4930 
4931  de_ctx->flags |= DE_QUIET;
4932 
4933  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4934  goto end;
4935  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4936  goto end;
4937  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4938  goto end;
4939 
4940  result = 1;
4941 
4943 end:
4944  ConfDeInit();
4946  return result;
4947 }
4948 
4949 static const char *dummy_conf_string5 =
4950  "%YAML 1.1\n"
4951  "---\n"
4952  "vars:\n"
4953  "\n"
4954  " address-groups:\n"
4955  "\n"
4956  " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
4957  "\n"
4958  " EXTERNAL_NET: \"any\"\n"
4959  "\n"
4960  " port-groups:\n"
4961  "\n"
4962  " HTTP_PORTS: \"80:81,88\"\n"
4963  "\n";
4964 
4965 /** \test bug #815 */
4966 static int DetectAddressYamlParsing04 (void)
4967 {
4968  int result = 0;
4969 
4971  ConfInit();
4972  ConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
4973 
4975  if (de_ctx == NULL) {
4976  goto end;
4977  }
4978 
4979  de_ctx->flags |= DE_QUIET;
4980 
4981  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4982  goto end;
4983  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4984  goto end;
4985  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4986  goto end;
4987 
4988  result = 1;
4989 
4991 end:
4992  ConfDeInit();
4994  return result;
4995 }
4996 
4998 {
5001 
5002  UtRegisterTest("SigTest01", SigTest01);
5003  UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
5004  UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
5005  UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
5006  UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
5007  UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
5008  UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
5009  SigTest07);
5010  UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
5011  UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
5012  SigTest09);
5013  UtRegisterTest("SigTest10 -- long content match, longer than pkt",
5014  SigTest10);
5015  UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
5016  UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
5017  UtRegisterTest("SigTest13 -- content order matching, diff order",
5018  SigTest13);
5019  UtRegisterTest("SigTest14 -- content order matching, distance 0",
5020  SigTest14);
5021  UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
5022  UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
5023  UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
5024  UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
5025  UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
5026  UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
5027  UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
5028  UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
5029  UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
5030 
5031  UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
5032  UtRegisterTest("SigTest25NegativeIPV4Keyword",
5033  SigTest25NegativeIPV4Keyword);
5034 
5035  UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
5036  UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
5037  SigTest26TCPV4AndNegativeIPV4Keyword);
5038  UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
5039  SigTest26TCPV4AndIPV4Keyword);
5040  UtRegisterTest("SigTest27NegativeTCPV4Keyword",
5041  SigTest27NegativeTCPV4Keyword);
5042 
5043  UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
5044  UtRegisterTest("SigTest29NegativeTCPV6Keyword",
5045  SigTest29NegativeTCPV6Keyword);
5046 
5047  UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
5048  UtRegisterTest("SigTest31NegativeUDPV4Keyword",
5049  SigTest31NegativeUDPV4Keyword);
5050 
5051  UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
5052  UtRegisterTest("SigTest33NegativeUDPV6Keyword",
5053  SigTest33NegativeUDPV6Keyword);
5054 
5055  UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5056  UtRegisterTest("SigTest35NegativeICMPV4Keyword",
5057  SigTest35NegativeICMPV4Keyword);
5058  UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
5059  SigTest36ContentAndIsdataatKeywords01);
5060  UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
5061  SigTest37ContentAndIsdataatKeywords02);
5062 
5063  UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
5064 
5065  UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
5066 
5067  UtRegisterTest("SigTest40NoPacketInspection01",
5068  SigTest40NoPacketInspection01);
5069  UtRegisterTest("SigTest40NoPayloadInspection02",
5070  SigTest40NoPayloadInspection02);
5071 
5072  UtRegisterTest("SigTestMemory01", SigTestMemory01);
5073  UtRegisterTest("SigTestMemory02", SigTestMemory02);
5074  UtRegisterTest("SigTestMemory03", SigTestMemory03);
5075 
5076  UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
5077  UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5078  UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
5079  SigTestContent03);
5080  UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5081  SigTestContent04);
5082  UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
5083  UtRegisterTest("SigTestContent06 -- distance/within ip only",
5084  SigTestContent06);
5085 
5086  UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
5087  UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
5088 
5089  UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5090 
5091  UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
5092  UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
5093  UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
5094 
5095  UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5096  UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5097  UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5098  UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
5099 
5100  UtRegisterTest("SigTestPorts01", SigTestPorts01);
5101  UtRegisterTest("SigTestBug01", SigTestBug01);
5102 
5104 }
5105 #endif /* UNITTESTS */
IPOnlyRegisterTests
void IPOnlyRegisterTests(void)
Definition: detect-engine-iponly.c:2496
Packet_::proto
uint8_t proto
Definition: decode.h:459
PktVarGet
PktVar * PktVarGet(Packet *p, uint32_t id)
Definition: pkt-var.c:40
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:151
StreamTcpSessionPktFree
void StreamTcpSessionPktFree(Packet *p)
Function to return the stream segments back to the pool.
Definition: stream-tcp.c:382
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:113
DetectEngineContentInspectionRegisterTests
void DetectEngineContentInspectionRegisterTests(void)
Definition: detect-engine-content-inspection.c:317
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:578
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1021
PACKET_RESET_CHECKSUMS
#define PACKET_RESET_CHECKSUMS(p)
reset these to -1(indicates that the packet is fresh from the queue)
Definition: decode.h:784
ThreadVars_::name
char name[16]
Definition: threadvars.h:64
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:348
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition: packet-queue.h:49
Flow_::proto
uint8_t proto
Definition: flow.h:373
Packet_::payload
uint8_t * payload
Definition: decode.h:587
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:170
Packet_::action
uint8_t action
Definition: decode.h:591
SigRegisterTests
void SigRegisterTests(void)
Definition: detect.c:4997
Flow_
Flow data structure.
Definition: flow.h:351
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:134
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:771
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2580
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:306
StatsSetupPrivate
int StatsSetupPrivate(ThreadVars *tv)
Definition: counters.c:1224
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
DE_QUIET
#define DE_QUIET
Definition: detect.h:321
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:67
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1884
UTHBuildPacketSrcDstPorts
Packet * UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, uint16_t sport, uint16_t dport)
UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying src and dst ports and defaulting...
Definition: util-unittest-helper.c:457
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1010
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:1805
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:54
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
Flow_::protoctx
void * protoctx
Definition: flow.h:441
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:588
HtpState_
Definition: app-layer-htp.h:244
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
IPV6_GET_PLEN
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:88
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
Signature_::next
struct Signature_ * next
Definition: detect.h:665
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:554
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:225
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
find name for id+type at packet time.
Definition: util-var-name.c:322
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition: detect-parse.c:4469
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:251
PktVar_::value
uint8_t * value
Definition: decode.h:321
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:221
Packet_::ethh
EthernetHdr * ethh
Definition: decode.h:538
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
Packet_::sp
Port sp
Definition: decode.h:444
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:96
MPM_AC
@ MPM_AC
Definition: util-mpm.h:36
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:246
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:511
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2218
StatsGetLocalCounterValue
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1270
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:437
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:220
ICMPV4Hdr_
Definition: decode-icmpv4.h:165
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:545
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:662
ConfCreateContextBackup
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:670
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
IPV4Hdr_
Definition: decode-ipv4.h:72
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3291
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1303
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:451
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3501
SigMatch_::type
uint16_t type
Definition: detect.h:348
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:567
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:702
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
ConfRestoreContextBackup
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:682
UDPHdr_
Definition: decode-udp.h:42
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:844
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:575
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:229
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1142
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:686
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:488
Flow_::alstate
void * alstate
Definition: flow.h:476
Flow_::flags
uint32_t flags
Definition: flow.h:421
Signature_
Signature container.
Definition: detect.h:593
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2541
PktVar_::value_len
uint16_t value_len
Definition: decode.h:319
TCP_GET_HLEN
#define TCP_GET_HLEN(p)
Definition: decode-tcp.h:111
Packet_::udph
UDPHdr * udph
Definition: decode.h:569
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1216
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
Address_::family
char family
Definition: decode.h:117
Packet_::dst
Address dst
Definition: decode.h:442
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:42
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1006
ConfDeInit
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:693
PktVar_
Definition: decode.h:313
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:838
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:547
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
Packet_::dp
Port dp
Definition: decode.h:452
IPV4Hdr_::ip_verhl
uint8_t ip_verhl
Definition: decode-ipv4.h:73
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
TCPHdr_
Definition: decode-tcp.h:142
Packet_::src
Address src
Definition: decode.h:441
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:32
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1018
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:471