20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../detect-engine-build.h"
25 #include "../pkt-var.h"
26 #include "../flow-util.h"
27 #include "../stream-tcp-reassemble.h"
28 #include "../util-unittest.h"
29 #include "../util-var-name.h"
30 #include "../util-unittest-helper.h"
/*
 * Embedded YAML configuration used as a fixture by the tests in this file.
 * The visible part sets logging defaults and the address/port groups that
 * rules reference as variables ($HOME_NET, $HTTP_PORTS, ...).
 *
 * HTTP_PORTS is "80:81,88" here, so a rule written against !$HTTP_PORTS
 * (see SigTest15/SigTest16) covers every port outside that set.
 *
 * NOTE(review): the listing omits lines of this literal, and the code that
 * loads it is not visible here - confirm which tests depend on it.
 */
32 static const char *dummy_conf_string =
36 "default-log-dir: /var/log/suricata\n"
40 " default-log-level: debug\n"
42 " default-format: \"<%t> - <%l>\"\n"
44 " default-startup-message: Your IDS has started.\n"
46 " default-output-filter:\n"
50 " - interface: console\n"
53 " - interface: file\n"
54 " filename: /var/log/suricata.log\n"
56 " - interface: syslog\n"
70 " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
71 "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
73 " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
75 " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
77 " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
79 " SQL_SERVERS: \"!192.168.0.0/16\"\n"
83 " TELNET_SERVERS: any\n"
89 " HTTP_PORTS: \"80:81,88\"\n"
91 " SHELLCODE_PORTS: 80\n"
93 " ORACLE_PORTS: 1521\n"
/*
 * SigTest01: URI capture over two pipelined HTTP/1.1 requests held in a
 * single payload buffer.
 *
 * The rule anchors on content:"GET " with depth:4, then runs a pcre with the
 * named group pkt_http_uri. The condition visible below requires
 * p->http_uri.raw[0] and raw[1] to be the 5-byte strings "/one/" and "/two/"
 * - presumably filled from that capture; confirm against the omitted lines.
 *
 * NOTE(review): buflen narrows strlen()'s size_t to uint16_t. That is safe
 * for these short literals but would silently truncate a fixture longer than
 * 65535 bytes. The (uint8_t *) cast also drops const from a string literal,
 * so the buffer must only ever be read.
 */
98 static int SigTest01 (
void)
100 uint8_t *buf = (uint8_t *)
101 "GET /one/ HTTP/1.1\r\n"
102 "Host: one.example.org\r\n"
104 "GET /two/ HTTP/1.1\r\n"
105 "Host: two.example.org\r\n"
107 uint16_t buflen = strlen((
char *)buf);
111 char sig[] =
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
/* Both captures are length-checked before memcmp, so the compare never reads
 * past a shorter capture. */
120 if (p->http_uri.raw_size[0] == 5 &&
121 memcmp(p->http_uri.raw[0],
"/one/", 5) == 0 &&
122 p->http_uri.raw_size[1] == 5 &&
123 memcmp(p->http_uri.raw[1],
"/two/", 5) == 0)
/*
 * SigTest02: content match constrained by offset and depth.
 *
 * The rule looks for "Host: one.example.org" (21 bytes) with offset:20;
 * depth:41. The first request line shown, "GET /one/ HTTP/1.1\r\n", is 20
 * bytes long, so the Host header starts exactly at the offset.
 *
 * NOTE(review): how the rule is run and what result is expected are not
 * visible in this listing.
 */
136 static int SigTest02 (
void)
138 uint8_t *buf = (uint8_t *)
139 "GET /one/ HTTP/1.1\r\n"
140 "Host: one.example.org\r\n"
142 "GET /two/ HTTP/1.1\r\n"
143 "Host: two.example.org\r\n"
145 uint16_t buflen = strlen((
char *)buf);
147 char sig[] =
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
/*
 * SigTest03: same payload and content string as SigTest02, but with
 * depth:39 instead of depth:41, and the rule is installed directly with
 * SigInit() on de_ctx->sig_list.
 *
 * The content string is 21 bytes and starts 20 bytes into the buffer, so
 * this variant probes the boundary where the depth window is two bytes
 * tighter. NOTE(review): the expected verdict is not visible here - confirm
 * against the assertion lines before relying on this as a positive or
 * negative case.
 */
153 static int SigTest03 (
void)
155 uint8_t *buf = (uint8_t *)
156 "GET /one/ HTTP/1.1\r\n"
157 "Host: one.example.org\r\n"
159 "GET /two/ HTTP/1.1\r\n"
160 "Host: two.example.org\r\n"
162 uint16_t buflen = strlen((
char *)buf);
/* Zero the thread context so no stale state leaks into the detection run. */
168 memset(&th_v, 0,
sizeof(th_v));
179 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
/*
 * SigTest04: two chained content:"Host:" matches.
 *
 * The first is absolute (offset:20; depth:25); the second is relative to it
 * (distance:42; within:47), which targets the Host header of the second
 * pipelined request in the buffer.
 *
 * NOTE(review): the expected verdict is not visible in this listing.
 */
202 static int SigTest04 (
void)
204 uint8_t *buf = (uint8_t *)
205 "GET /one/ HTTP/1.1\r\n"
206 "Host: one.example.org\r\n"
208 "GET /two/ HTTP/1.1\r\n"
209 "Host: two.example.org\r\n"
211 uint16_t buflen = strlen((
char *)buf);
218 memset(&th_v, 0,
sizeof(th_v));
229 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
/*
 * SigTest05: negative counterpart of SigTest04.
 *
 * Same payload and same first content match, but the relative window is
 * moved to distance:48; within:52. The failure message below ("sig matched
 * but shouldn't have") shows the rule is expected NOT to alert, i.e. the
 * test guards against the engine matching outside the relative window.
 */
252 static int SigTest05 (
void)
254 uint8_t *buf = (uint8_t *)
255 "GET /one/ HTTP/1.1\r\n"
256 "Host: one.example.org\r\n"
258 "GET /two/ HTTP/1.1\r\n"
259 "Host: two.example.org\r\n"
261 uint16_t buflen = strlen((
char *)buf);
267 memset(&th_v, 0,
sizeof(th_v));
278 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
/* Rule parse failure is reported separately from an unexpected match. */
280 printf(
"sig parse failed: ");
291 printf(
"sig matched but shouldn't have: ");
/*
 * SigTest06: the SigTest01 URI-capture rule exercised with flow state.
 *
 * The thread context, a flow (f) and a TCP session (ssn) are zeroed before
 * use and the flow is marked as TCP. The rule is added with
 * DetectEngineAppendSig().
 *
 * NOTE(review): how f and ssn are attached to the packet, and the expected
 * verdict, are not visible in this listing.
 */
304 static int SigTest06 (
void)
306 uint8_t *buf = (uint8_t *)
307 "GET /one/ HTTP/1.1\r\n"
308 "Host: one.example.org\r\n"
310 "GET /two/ HTTP/1.1\r\n"
311 "Host: two.example.org\r\n"
313 uint16_t buflen = strlen((
char *)buf);
/* Zeroing these structures keeps the test from reading indeterminate stack
 * contents as flow or session state. */
322 memset(&th_v, 0,
sizeof(th_v));
323 memset(&f, 0,
sizeof(f));
324 memset(&ssn, 0,
sizeof(ssn));
332 f.
proto = IPPROTO_TCP;
345 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/*
 * SigTest07: same payload and URI-capture rule as SigTest06, but the rule is
 * installed with SigInit() on de_ctx->sig_list.
 *
 * The diagnostic below reports a return code r that is expected to be 0
 * after a "toserver chunk" is processed; the call that produces r is not
 * visible in this listing.
 */
371 static int SigTest07 (
void)
373 uint8_t *buf = (uint8_t *)
374 "GET /one/ HTTP/1.1\r\n"
375 "Host: one.example.org\r\n"
377 "GET /two/ HTTP/1.1\r\n"
378 "Host: two.example.org\r\n"
380 uint16_t buflen = strlen((
char *)buf);
389 memset(&th_v, 0,
sizeof(th_v));
390 memset(&f, 0,
sizeof(f));
391 memset(&ssn, 0,
sizeof(ssn));
398 f.
proto = IPPROTO_TCP;
414 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/* PRId32 keeps the format specifier matched to a 32-bit r on every platform. */
430 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/*
 * SigTest08: URI capture against HTTP/1.0 requests.
 *
 * Unlike SigTest06/07, the pcre here pins the version literally
 * (HTTP\/1\.0) instead of using \d\.\d, and the payload uses HTTP/1.0
 * request lines to match.
 *
 * The last diagnostic reports on sid:1 and sid:2; only the sid:1 rule is
 * visible in this listing.
 */
457 static int SigTest08 (
void)
459 uint8_t *buf = (uint8_t *)
460 "GET /one/ HTTP/1.0\r\n"
461 "Host: one.example.org\r\n"
463 "GET /two/ HTTP/1.0\r\n"
464 "Host: two.example.org\r\n"
466 uint16_t buflen = strlen((
char *)buf);
/* NOTE(review): f is cleared with sizeof(Flow) while th_v and ssn use
 * sizeof(object); equivalent only if f is declared as a Flow - its
 * declaration is not visible here. */
475 memset(&f, 0,
sizeof(
Flow));
476 memset(&th_v, 0,
sizeof(th_v));
477 memset(&ssn, 0,
sizeof(ssn));
484 f.
proto = IPPROTO_TCP;
500 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
516 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
525 printf(
"sid:1 %s, sid:2 %s: ",
/*
 * SigTest09: same HTTP/1.0 payload and sid:1 rule text as SigTest08.
 *
 * NOTE(review): whatever distinguishes this test from SigTest08 (additional
 * rules, engine settings, expected verdict) lies in lines this listing does
 * not show.
 */
545 static int SigTest09 (
void)
547 uint8_t *buf = (uint8_t *)
548 "GET /one/ HTTP/1.0\r\n"
549 "Host: one.example.org\r\n"
551 "GET /two/ HTTP/1.0\r\n"
552 "Host: two.example.org\r\n"
554 uint16_t buflen = strlen((
char *)buf);
563 memset(&th_v, 0,
sizeof(th_v));
564 memset(&f, 0,
sizeof(f));
565 memset(&ssn, 0,
sizeof(ssn));
572 f.
proto = IPPROTO_TCP;
588 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
604 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/*
 * SigTest10: "Long content test (1)" - content:"ABCD" limited to the first
 * four payload bytes by depth:4.
 *
 * NOTE(review): the payload literal assigned to buf is not visible in this
 * listing, so neither its length nor the expected verdict can be stated
 * from here.
 */
630 static int SigTest10 (
void)
632 uint8_t *buf = (uint8_t *)
634 uint16_t buflen = strlen((
char *)buf);
643 memset(&th_v, 0,
sizeof(th_v));
644 memset(&f, 0,
sizeof(f));
645 memset(&ssn, 0,
sizeof(ssn));
651 f.
proto = IPPROTO_TCP;
668 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
684 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/*
 * SigTest11: three unconstrained content matches in one rule.
 *
 * The payload is upper-case alphabet, lower-case alphabet, digits, then
 * punctuation. The rule lists "ABCDEFGHIJ", "klmnop" and "1234" in the same
 * order they occur in the payload, with no offset/depth/distance modifiers.
 *
 * NOTE(review): the expected verdict is not visible in this listing.
 */
710 static int SigTest11 (
void)
712 uint8_t *buf = (uint8_t *)
713 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
714 uint16_t buflen = strlen((
char *)buf);
722 memset(&th_v, 0,
sizeof(th_v));
723 memset(&f, 0,
sizeof(f));
724 memset(&ssn, 0,
sizeof(ssn));
730 f.
proto = IPPROTO_TCP;
746 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
/*
 * SigTest12: "Content order test" with the three content strings listed in
 * payload order ("ABCDEFGHIJ", "klmnop", "1234").
 *
 * This is the baseline for SigTest13/SigTest14, which reorder the last two
 * contents. NOTE(review): the expected verdict is not visible here.
 */
774 static int SigTest12 (
void)
776 uint8_t *buf = (uint8_t *)
777 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
778 uint16_t buflen = strlen((
char *)buf);
784 memset(&th_v, 0,
sizeof(th_v));
786 memset(&f, 0,
sizeof(
Flow));
801 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
/*
 * SigTest13: "Content order test" with the contents listed out of payload
 * order: "1234" is named before "klmnop", although "klmnop" occurs earlier
 * in the payload.
 *
 * None of the contents carries a relative modifier, so rule order alone is
 * what is being probed. NOTE(review): the expected verdict is not visible in
 * this listing.
 */
829 static int SigTest13 (
void)
831 uint8_t *buf = (uint8_t *)
832 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
833 uint16_t buflen = strlen((
char *)buf);
839 memset(&th_v, 0,
sizeof(th_v));
841 memset(&f, 0,
sizeof(
Flow));
856 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
/*
 * SigTest14: SigTest13's rule with distance:0 added to the final content.
 *
 * distance makes "klmnop" relative to the preceding "1234" match. In the
 * payload "klmnop" occurs before "1234", so a match starting after "1234"
 * cannot be satisfied - presumably the test expects no alert; confirm
 * against the assertion lines, which this listing does not show.
 */
881 static int SigTest14 (
void)
883 uint8_t *buf = (uint8_t *)
884 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
885 uint16_t buflen = strlen((
char *)buf);
891 memset(&th_v, 0,
sizeof(th_v));
902 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
/*
 * SigTest15: policy rule for an HTTP CONNECT request on a non-HTTP port.
 *
 * The destination port is the negated variable !$HTTP_PORTS, so the verdict
 * depends on both the configured port group and the packet's destination
 * port; neither the config load nor the port assignment is visible in this
 * listing.
 *
 * The second content uses within:1000, far larger than the 33-byte payload,
 * so the test also exercises a relative window that extends past the end of
 * the data.
 */
926 static int SigTest15 (
void)
928 uint8_t *buf = (uint8_t *)
929 "CONNECT 213.92.8.7:31204 HTTP/1.1";
930 uint16_t buflen = strlen((
char *)buf);
938 memset(&th_v, 0,
sizeof(th_v));
943 p->
proto = IPPROTO_TCP;
957 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
/*
 * SigTest16: same payload and CONNECT-on-off-port rule as SigTest15.
 *
 * NOTE(review): the difference from SigTest15 (most likely the packet's
 * ports, given the !$HTTP_PORTS destination) is in lines this listing does
 * not show.
 */
983 static int SigTest16 (
void)
985 uint8_t *buf = (uint8_t *)
986 "CONNECT 213.92.8.7:31204 HTTP/1.1";
987 uint16_t buflen = strlen((
char *)buf);
993 memset(&th_v, 0,
sizeof(th_v));
/* NOTE(review): this zeroes the object named p. If p is declared as a
 * pointer in this function (declaration not visible), only the pointer is
 * cleared, not a packet - confirm the intent. */
994 memset(&p, 0,
sizeof(p));
1009 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
/*
 * SigTest17: Host header capture with a silent rule.
 *
 * The rule targets $HTTP_PORTS, requires content:"Host:", and captures the
 * header value into the named group pkt_http_host with a multi-line pcre
 * (/m, so ^ anchors at a line start). It carries noalert, so a successful
 * match is not expected to raise an alert by itself.
 *
 * NOTE(review): how the captured value is verified is not visible in this
 * listing.
 */
1033 static int SigTest17 (
void)
1035 uint8_t *buf = (uint8_t *)
1036 "GET /one/ HTTP/1.1\r\n"
1037 "Host: one.example.org\r\n"
1039 "GET /two/ HTTP/1.1\r\n"
1040 "Host: two.example.org\r\n"
1042 uint16_t buflen = strlen((
char *)buf);
1046 memset(&th_v, 0,
sizeof(th_v));
1059 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
/*
 * SigTest18: negative test for a "220 banner on unexpected port" rule.
 *
 * The payload is an FTP-style 220 greeting. The rule only applies when the
 * source port is outside 21:902 (!21:902) and then checks content:"220"
 * within the first four bytes plus a pcre for "220" followed by '-' or ' '.
 *
 * The failure message shows the rule is expected NOT to match; presumably
 * the packet's source port falls inside the excluded range - the port
 * assignment is not visible in this listing.
 */
1084 static int SigTest18 (
void)
1086 uint8_t *buf = (uint8_t *)
1087 "220 (vsFTPd 2.0.5)\r\n";
1088 uint16_t buflen = strlen((
char *)buf);
1096 memset(&th_v, 0,
sizeof(th_v));
1101 p->
proto = IPPROTO_TCP;
1112 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
1125 printf(
"signature shouldn't match, but did: ");
/*
 * SigTest19: positive test on the same 220 greeting payload used by
 * SigTest18; the failure message shows a match is expected.
 *
 * NOTE(review): the rule text and the packet's addresses/ports are not
 * visible in this listing.
 */
1136 static int SigTest19 (
void)
1138 uint8_t *buf = (uint8_t *)
1139 "220 (vsFTPd 2.0.5)\r\n";
1140 uint16_t buflen = strlen((
char *)buf);
1148 memset(&th_v, 0,
sizeof(th_v));
1155 p->
proto = IPPROTO_TCP;
1184 printf(
"signature didn't match, but should have: ");
/*
 * SigTest20: "IP-ONLY test (2)" - a rule with no payload keywords.
 *
 * The source is the $HOME_NET variable and the destination is a mixed list
 * of single hosts and CIDR blocks, so the verdict depends on address
 * matching alone. The failure message shows a match is expected.
 *
 * NOTE(review): the packet's source/destination addresses and the config
 * that defines $HOME_NET are set in lines this listing does not show.
 */
1196 static int SigTest20 (
void)
1198 uint8_t *buf = (uint8_t *)
1199 "220 (vsFTPd 2.0.5)\r\n";
1200 uint16_t buflen = strlen((
char *)buf);
1208 memset(&th_v, 0,
sizeof(th_v));
1215 p->
proto = IPPROTO_TCP;
1231 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1244 printf(
"signature didn't match, but should have: ");
/*
 * SigTest21: flowbits carried between two packets of one flow.
 *
 * sid:1 matches "/one/" in the first request, sets the flowbit TEST.one and
 * is silenced with flowbits:noalert. The diagnostics show the expectation:
 * sid 1 must not alert, sid 2 must alert (the sid:2 rule, presumably a
 * check of TEST.one against the second request, is not visible here).
 *
 * This is the state-tracking pattern multi-stage detections rely on: the
 * first stage records state silently, a later stage alerts on it.
 */
1257 static int SigTest21 (
void)
1260 memset(&th_v, 0,
sizeof(th_v));
/* The flow starts zeroed, so no flowbit is set before the first packet. */
1265 memset(&f, 0,
sizeof(f));
1269 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1271 uint16_t buf1len = strlen((
char *)buf1);
1274 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1276 uint16_t buf2len = strlen((
char *)buf2);
1293 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1309 printf(
"sid 1 alerted, but shouldn't: ");
1314 printf(
"sid 2 didn't alert, but should have: ");
1324 if (det_ctx != NULL) {
/*
 * SigTest22: negative flowbits test.
 *
 * sid:1 is the same silent "set TEST.one" rule as in SigTest21, but here the
 * diagnostics show that neither sid 1 nor sid 2 may alert. The sid:2 rule is
 * not visible in this listing; presumably it checks a flowbit that sid:1
 * never sets - confirm.
 */
1335 static int SigTest22 (
void)
1338 memset(&th_v, 0,
sizeof(th_v));
1343 memset(&f, 0,
sizeof(f));
1347 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1349 uint16_t buf1len = strlen((
char *)buf1);
1357 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1359 uint16_t buf2len = strlen((
char *)buf2);
1373 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1389 printf(
"sid 1 alerted, but shouldn't: ");
1396 printf(
"sid 2 alerted, but shouldn't: ");
/*
 * SigTest23: flowbits:toggle variant of SigTest21.
 *
 * sid:1 toggles TEST.one instead of setting it and stays silent via
 * flowbits:noalert. Starting from a zeroed flow, one toggle leaves the bit
 * set; the diagnostics show sid 2 is then expected to alert (the sid:2 rule
 * is not visible in this listing).
 */
1410 static int SigTest23 (
void)
1413 memset(&th_v, 0,
sizeof(th_v));
1418 memset(&f, 0,
sizeof(f));
1422 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1424 uint16_t buf1len = strlen((
char *)buf1);
1432 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1434 uint16_t buf2len = strlen((
char *)buf2);
1448 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1464 printf(
"sid 1 alerted, but shouldn't: ");
1471 printf(
"sid 2 didn't alert, but should have: ");
/*
 * SigTest24IPV4Keyword: ipv4-csum:valid and ipv4-csum:invalid.
 *
 * Two 20-byte IPv4 headers carry the same checksum field (0xb7 0x52) and
 * differ only in the last destination-address byte (0x03 vs 0x06), so the
 * stored checksum is correct for the first header only. Both diagnostics
 * say "should have" matched: sid 1 (valid) on one packet, sid 2 (invalid)
 * on the other.
 *
 * Why it matters: an end host discards a packet whose checksum is wrong, so
 * a sensor must be able to tell such packets apart rather than treat their
 * payload as data the destination received.
 *
 * NOTE(review): the header's protocol byte is 0x01 while p1/p2->proto is set
 * to IPPROTO_TCP; that does not affect a header checksum, but keep it in
 * mind before reusing the fixture elsewhere.
 */
1485 static int SigTest24IPV4Keyword(
void)
1487 uint8_t valid_raw_ipv4[] = {
1488 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1489 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1490 0xc0, 0xa8, 0x01, 0x03};
1492 uint8_t invalid_raw_ipv4[] = {
1493 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1494 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1495 0xc0, 0xa8, 0x01, 0x06};
1509 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1511 uint16_t buflen = strlen((
char *)buf);
1523 p1->
proto = IPPROTO_TCP;
1531 p2->
proto = IPPROTO_TCP;
1541 "alert ip any any -> any any "
1542 "(content:\"/one/\"; ipv4-csum:valid; "
1543 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1545 printf(
"sig 1 parse: ");
1550 "alert ip any any -> any any "
1551 "(content:\"/one/\"; ipv4-csum:invalid; "
1552 "msg:\"ipv4-csum keyword check(1)\"; "
1555 printf(
"sig 2 parse: ");
1564 printf(
"signature 1 didn't match, but should have: ");
1570 printf(
"signature 2 didn't match, but should have: ");
1576 if (det_ctx != NULL) {
/*
 * SigTest25NegativeIPV4Keyword: SigTest24's fixtures with the keywords
 * swapped - sid:1 now uses ipv4-csum:invalid and the second rule uses
 * ipv4-csum:valid.
 *
 * NOTE(review): by its name this is the negative case (rules should not
 * fire on the packet whose checksum state is the opposite), but the
 * assertions are not visible in this listing - confirm.
 */
1587 static int SigTest25NegativeIPV4Keyword(
void)
1589 uint8_t valid_raw_ipv4[] = {
1590 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1591 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1592 0xc0, 0xa8, 0x01, 0x03};
1594 uint8_t invalid_raw_ipv4[] = {
1595 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1596 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1597 0xc0, 0xa8, 0x01, 0x06};
1611 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1613 uint16_t buflen = strlen((
char *)buf);
1625 p1->
proto = IPPROTO_TCP;
1633 p2->
proto = IPPROTO_TCP;
1643 "alert ip any any -> any any "
1644 "(content:\"/one/\"; ipv4-csum:invalid; "
1645 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1652 "alert ip any any -> any any "
1653 "(content:\"/one/\"; ipv4-csum:valid; "
1654 "msg:\"ipv4-csum keyword check(1)\"; "
/*
 * SigTest26TCPV4Keyword: tcpv4-csum:valid and tcpv4-csum:invalid.
 *
 * raw_ipv4 is zero apart from its last 8 bytes (the source and destination
 * addresses). The two 40-byte TCP segments differ in the checksum field
 * (0x4A 0x04 vs 0xfa 0x03) and in the final option byte (0x02 vs 0x03).
 * Both rules anchor on the bytes |DE 01 03|, which appear near the end of
 * each segment.
 *
 * NOTE(review): which array backs p1 and p2, and the expected verdicts, are
 * set in lines this listing does not show.
 */
1686 static int SigTest26TCPV4Keyword(
void)
1688 uint8_t raw_ipv4[] = {
1689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1690 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1691 0xc0, 0xa8, 0x01, 0x03};
1693 uint8_t valid_raw_tcp[] = {
1694 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1695 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1696 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1697 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1698 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1700 uint8_t invalid_raw_tcp[] = {
1701 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1702 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1703 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1704 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1705 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1735 p1->
proto = IPPROTO_TCP;
1744 p2->
proto = IPPROTO_TCP;
1752 "alert ip any any -> any any "
1753 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1754 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1758 "alert ip any any -> any any "
1759 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1760 "msg:\"tcpv4-csum keyword check(1)\"; "
/*
 * SigTest26TCPV4AndNegativeIPV4Keyword: TCP and IPv4 checksum keywords
 * combined in one rule.
 *
 * Uses the same fixtures as SigTest26TCPV4Keyword. sid:1 requires
 * tcpv4-csum:valid together with ipv4-csum:invalid; the second rule requires
 * both checksums to be invalid. The diagnostics show both rules are expected
 * to match.
 *
 * raw_ipv4 has a zero checksum field and zero version/length bytes, so it
 * is not a well-formed IPv4 header; presumably that is what makes
 * ipv4-csum:invalid hold for both packets - confirm.
 */
1783 static int SigTest26TCPV4AndNegativeIPV4Keyword(
void)
1785 uint8_t raw_ipv4[] = {
1786 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1787 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1788 0xc0, 0xa8, 0x01, 0x03};
1790 uint8_t valid_raw_tcp[] = {
1791 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1792 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1793 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1794 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1795 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1797 uint8_t invalid_raw_tcp[] = {
1798 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1799 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1800 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1801 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1802 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1833 p1->
proto = IPPROTO_TCP;
1842 p2->
proto = IPPROTO_TCP;
1852 "alert ip any any -> any any "
1853 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1854 "ipv4-csum:invalid; "
1855 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1861 "alert ip any any -> any any "
1862 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1863 "ipv4-csum:invalid; "
1864 "msg:\"tcpv4-csum keyword check(1)\"; "
1875 printf(
"sig 1 didn't match: ");
1881 printf(
"sig 2 didn't match: ");
/*
 * SigTest26TCPV4AndIPV4Keyword: TCP checksum keywords against a well-formed
 * IPv4 header.
 *
 * Unlike the sibling SigTest26* fixtures, raw_ipv4 here is a complete header
 * (version/IHL 0x45, protocol 0x06 = TCP, checksum 0xbd 0x0a). The two
 * 44-byte TCP segments share the checksum field (0x20 0x09) and differ only
 * in two option bytes (0x00 0x00 vs 0xFF 0xAA), so the stored checksum is
 * correct for the first segment only.
 *
 * The diagnostics show both rules are expected to match. NOTE(review): each
 * rule has a keyword line between the tcpv4-csum keyword and msg that this
 * listing does not show.
 */
1897 static int SigTest26TCPV4AndIPV4Keyword(
void)
1902 uint8_t raw_ipv4[] = {
1903 0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1904 0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1905 0xc0, 0xa8, 0xb0, 0x74};
1912 uint8_t valid_raw_tcp[] = {
1913 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1914 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1915 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1916 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1917 0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1918 0x04, 0x02, 0x00, 0x00};
1920 uint8_t invalid_raw_tcp[] = {
1921 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1922 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1923 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1924 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1925 0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1926 0x04, 0x02, 0x00, 0x00};
1957 p1->
proto = IPPROTO_TCP;
1966 p2->
proto = IPPROTO_TCP;
1976 "alert ip any any -> any any "
1977 "(tcpv4-csum:valid; "
1979 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1985 "alert ip any any -> any any "
1986 "(tcpv4-csum:invalid; "
1988 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1999 printf(
"sig 1 didn't match: ");
2005 printf(
"sig 2 didn't match: ");
/*
 * SigTest27NegativeTCPV4Keyword: tcpv4-csum with two segments that both
 * carry a bad checksum.
 *
 * NOTE(review): valid_raw_tcp is misleadingly named here. Its checksum
 * field is 0xfa 0x03 - the value SigTest26TCPV4Keyword uses in its
 * *invalid* fixture - and it differs from invalid_raw_tcp only in the last
 * byte. That agrees with the diagnostics: sid 1 (tcpv4-csum:invalid) is
 * expected to match on p1, and sid 2 (tcpv4-csum:valid) must not match on
 * p2. Which array backs p1/p2 is not visible in this listing.
 */
2020 static int SigTest27NegativeTCPV4Keyword(
void)
2022 uint8_t raw_ipv4[] = {
2023 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2024 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2025 0xc0, 0xa8, 0x01, 0x03};
2027 uint8_t valid_raw_tcp[] = {
2028 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2029 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2030 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2031 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2032 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
2034 uint8_t invalid_raw_tcp[] = {
2035 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2036 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2037 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2038 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2039 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2068 p1->
proto = IPPROTO_TCP;
2077 p2->
proto = IPPROTO_TCP;
2087 "alert tcp any any -> any any "
2088 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2089 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2095 "alert tcp any any -> any any "
2096 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2097 "msg:\"tcpv4-csum keyword check(2)\"; "
2108 printf(
"sig 1 didn't match on p1: ");
2114 printf(
"sig 2 matched on p2: ");
/*
 * SigTest28TCPV6Keyword: tcpv6-csum:valid and tcpv6-csum:invalid.
 *
 * Each fixture is a whole frame: 14 bytes of Ethernet header (ending in the
 * IPv6 ethertype 0x86 0xdd), a 40-byte IPv6 header, a 20-byte TCP header
 * and 12 bytes of payload. That layout is where the fixed offsets below
 * come from: the TCP header sits at +54 and the payload at +54+20, and
 * dsize:12 matches the trailing 12 bytes.
 *
 * The frames differ in the TCP checksum field (0xf2 0xf1 vs 0xc2 0xf1) and
 * in the last payload byte (0x27 vs 0x28). The diagnostics show sid 1 is
 * expected on p1 and sid 2 on p2.
 *
 * NOTE(review): the header pointers are produced by casting into a uint8_t
 * array at hard-coded offsets; nothing here checks the array length or
 * alignment, so changing a fixture's size requires revisiting the offsets.
 */
2129 static int SigTest28TCPV6Keyword(
void)
2131 static uint8_t valid_raw_ipv6[] = {
2132 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2133 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2135 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2136 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2137 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2138 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2139 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2141 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2142 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2143 0xf2, 0xf1, 0x00, 0x00,
2145 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2146 0x00, 0x01, 0x69, 0x27};
2148 static uint8_t invalid_raw_ipv6[] = {
2149 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2150 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2152 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2153 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2154 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2155 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2156 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2158 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2159 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2160 0xc2, 0xf1, 0x00, 0x00,
2162 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2163 0x00, 0x01, 0x69, 0x28};
2181 p1->
tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2184 p1->
payload = valid_raw_ipv6 + 54 + 20;
2186 p1->
proto = IPPROTO_TCP;
2194 p2->
tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2197 p2->
payload = invalid_raw_ipv6 + 54 + 20;
2199 p2->
proto = IPPROTO_TCP;
2213 "alert tcp any any -> any any "
2214 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2215 "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2221 "alert tcp any any -> any any "
2222 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2223 "msg:\"tcpv6-csum keyword check(1)\"; "
2234 printf(
"sid 1 didn't match on p1: ");
2240 printf(
"sid 2 didn't match on p2: ");
/*
 * SigTest29NegativeTCPV6Keyword: SigTest28TCPV6Keyword's frames with the
 * keywords swapped - the first rule uses tcpv6-csum:invalid, the second
 * tcpv6-csum:valid.
 *
 * Frame layout is unchanged: Ethernet (14) + IPv6 (40) puts the TCP header
 * at +54 and the 12-byte payload at +54+20.
 *
 * NOTE(review): by its name this is the negative case, but the assertions
 * are not visible in this listing - confirm the expected verdicts.
 */
2255 static int SigTest29NegativeTCPV6Keyword(
void)
2257 static uint8_t valid_raw_ipv6[] = {
2258 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2259 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2261 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2262 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2263 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2264 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2265 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2267 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2268 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2269 0xf2, 0xf1, 0x00, 0x00,
2271 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2272 0x00, 0x01, 0x69, 0x27};
2274 static uint8_t invalid_raw_ipv6[] = {
2275 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2276 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2278 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2279 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2280 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2281 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2282 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2284 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2285 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2286 0xc2, 0xf1, 0x00, 0x00,
2288 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2289 0x00, 0x01, 0x69, 0x28};
2307 p1->
tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2310 p1->
payload = valid_raw_ipv6 + 54 + 20;
2312 p1->
proto = IPPROTO_TCP;
2320 p2->
tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2323 p2->
payload = invalid_raw_ipv6 + 54 + 20;
2325 p2->
proto = IPPROTO_TCP;
2339 "alert tcp any any -> any any "
2340 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2341 "msg:\"tcpv6-csum keyword check(1)\"; "
2348 "alert tcp any any -> any any "
2349 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2350 "msg:\"tcpv6-csum keyword check(1)\"; "
2371 if (det_ctx != NULL)
/*
 * SigTest30UDPV4Keyword: udpv4-csum:valid and udpv4-csum:invalid.
 *
 * raw_ipv4 is zero apart from the protocol byte (0x11 = UDP) and the two
 * addresses. Each 85-byte UDP datagram declares length 0x0055 and checksum
 * 0x6c 0xe0; the two differ only in their final byte (0x26 vs 0x27), so the
 * stored checksum can be correct for at most one of them.
 *
 * NOTE(review): the rules match content:"/one/", which occurs in buf and
 * not in the UDP arrays; presumably buf is attached as the packet payload
 * while udph points at the array - confirm against the omitted lines.
 */
2379 static int SigTest30UDPV4Keyword(
void)
2381 uint8_t raw_ipv4[] = {
2382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2383 0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2384 0xc0, 0xa8, 0x01, 0x03};
2386 uint8_t valid_raw_udp[] = {
2387 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2388 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2389 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2390 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2391 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2392 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2393 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2394 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2395 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2396 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2397 0x67, 0x6c, 0x65, 0xc0, 0x26};
2399 uint8_t invalid_raw_udp[] = {
2400 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2401 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2402 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2403 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2404 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2405 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2406 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2407 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2408 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2409 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2410 0x67, 0x6c, 0x65, 0xc0, 0x27};
2420 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2421 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2427 p1->
udph = (UDPHdr *)valid_raw_udp;
2432 p1->
proto = IPPROTO_UDP;
2436 p2->
udph = (UDPHdr *)invalid_raw_udp;
2441 p2->
proto = IPPROTO_UDP;
2449 "alert udp any any -> any any "
2450 "(content:\"/one/\"; udpv4-csum:valid; "
2451 "msg:\"udpv4-csum keyword check(1)\"; "
2456 "alert udp any any -> any any "
2457 "(content:\"/one/\"; udpv4-csum:invalid; "
2458 "msg:\"udpv4-csum keyword check(1)\"; "
2473 if (det_ctx != NULL)
/*
 * SigTest31NegativeUDPV4Keyword: SigTest30UDPV4Keyword's datagrams with the
 * keywords swapped - sid:1 uses udpv4-csum:invalid, the second rule
 * udpv4-csum:valid.
 *
 * NOTE(review): raw_ipv4 differs from the SigTest30 fixture: the protocol
 * byte is 0x00 here instead of 0x11. If the checksum routine takes the
 * protocol from this header, the computed value changes with it; whether
 * the difference is intentional cannot be told from this listing. The
 * assertions are not visible either - confirm the expected verdicts.
 */
2481 static int SigTest31NegativeUDPV4Keyword(
void)
2483 uint8_t raw_ipv4[] = {
2484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2485 0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2486 0xc0, 0xa8, 0x01, 0x03};
2488 uint8_t valid_raw_udp[] = {
2489 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2490 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2491 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2492 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2493 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2494 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2495 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2496 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2497 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2498 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2499 0x67, 0x6c, 0x65, 0xc0, 0x26};
2501 uint8_t invalid_raw_udp[] = {
2502 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2503 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2504 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2505 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2506 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2507 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2508 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2509 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2510 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2511 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2512 0x67, 0x6c, 0x65, 0xc0, 0x27};
2526 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2527 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2533 p1->
udph = (UDPHdr *)valid_raw_udp;
2538 p1->
proto = IPPROTO_UDP;
2542 p2->
udph = (UDPHdr *)invalid_raw_udp;
2547 p2->
proto = IPPROTO_UDP;
2557 "alert udp any any -> any any "
2558 "(content:\"/one/\"; udpv4-csum:invalid; "
2559 "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2566 "alert udp any any -> any any "
2567 "(content:\"/one/\"; udpv4-csum:valid; "
2568 "msg:\"udpv4-csum keyword check(1)\"; "
2593 if (det_ctx != NULL)
/*
 * SigTest32UDPV6Keyword: udpv6-csum:valid and udpv6-csum:invalid.
 *
 * Each fixture is a whole frame: 14 bytes of Ethernet header (ethertype
 * 0x86 0xdd) followed by a 40-byte IPv6 header with next-header 0x11 (UDP),
 * which is why the UDP header pointer is taken at +54.
 *
 * NOTE(review): the rows of the two arrays visible in this listing are
 * identical; the bytes that make one checksum invalid are in rows the
 * listing does not show. The cast at +54 is not bounds-checked, so the
 * offset must be revisited if a fixture's size changes.
 */
2603 static int SigTest32UDPV6Keyword(
void)
2605 static uint8_t valid_raw_ipv6[] = {
2606 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2607 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2608 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2609 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2610 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2611 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2612 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2613 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2614 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2617 static uint8_t invalid_raw_ipv6[] = {
2618 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2619 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2620 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2621 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2622 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2623 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2624 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2625 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2626 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2637 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP\r\n"
2644 p1->
udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2649 p1->
proto = IPPROTO_UDP;
2653 p2->
udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2658 p2->
proto = IPPROTO_UDP;
2666 "alert udp any any -> any any "
2667 "(content:\"/one/\"; udpv6-csum:valid; "
2668 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2672 "alert udp any any -> any any "
2673 "(content:\"/one/\"; udpv6-csum:invalid; "
2674 "msg:\"udpv6-csum keyword check(1)\"; "
2689 if (det_ctx != NULL)
/*
 * SigTest33NegativeUDPV6Keyword: SigTest32UDPV6Keyword's frames with the
 * keywords swapped - sid:1 uses udpv6-csum:invalid, the second rule
 * udpv6-csum:valid.
 *
 * The UDP header is again taken at +54 (14-byte Ethernet header plus
 * 40-byte IPv6 header).
 *
 * NOTE(review): the bytes that distinguish the two frames and the
 * assertions are in lines this listing does not show - confirm the expected
 * verdicts.
 */
2698 static int SigTest33NegativeUDPV6Keyword(
void)
2700 static uint8_t valid_raw_ipv6[] = {
2701 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2702 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2703 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2704 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2705 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2706 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2707 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2708 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2709 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2712 static uint8_t invalid_raw_ipv6[] = {
2713 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2714 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2715 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2716 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2717 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2718 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2719 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2720 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2721 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2736 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP\r\n"
2743 p1->
udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2748 p1->
proto = IPPROTO_UDP;
2752 p2->
udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2757 p2->
proto = IPPROTO_UDP;
2767 "alert udp any any -> any any "
2768 "(content:\"/one/\"; udpv6-csum:invalid; "
2769 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2776 "alert udp any any -> any any "
2777 "(content:\"/one/\"; udpv6-csum:valid; "
2778 "msg:\"udpv6-csum keyword check(1)\"; "
2802 if (det_ctx != NULL)
/*
 * SigTest34ICMPV4Keyword: icmpv4-csum:valid and icmpv4-csum:invalid.
 *
 * Each 84-byte fixture is a 20-byte IPv4 header (protocol 0x01 = ICMP,
 * loopback addresses) followed by an ICMP message of type 0x08 (echo
 * request) whose checksum field is 0xc3 0x01. The fixtures differ only in
 * the final data byte (0x37 vs 0x38), so the stored checksum can be correct
 * for at most one of them.
 *
 * NOTE(review): the rules match content:"/one/", which occurs in buf and
 * not in the raw arrays; how buf and the arrays are attached to p1/p2, and
 * the expected verdicts, are in lines this listing does not show.
 */
2811 static int SigTest34ICMPV4Keyword(
void)
2813 uint8_t valid_raw_ipv4[] = {
2814 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2815 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2816 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2817 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2818 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2819 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2820 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2821 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2822 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2823 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2824 0x34, 0x35, 0x36, 0x37};
2826 uint8_t invalid_raw_ipv4[] = {
2827 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2828 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2829 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2830 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2831 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2832 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2833 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2834 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2835 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2836 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2837 0x34, 0x35, 0x36, 0x38};
2851 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
2853 uint16_t buflen = strlen((
char *)buf);
2865 p1->
proto = IPPROTO_ICMP;
2875 p2->
proto = IPPROTO_ICMP;
2885 "alert icmp any any -> any any "
2886 "(content:\"/one/\"; icmpv4-csum:valid; "
2887 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2894 "alert icmp any any -> any any "
2895 "(content:\"/one/\"; icmpv4-csum:invalid; "
2896 "msg:\"icmpv4-csum keyword check(1)\"; "
2920 if (det_ctx != NULL)
/*
 * Negative counterpart of the icmpv4-csum keyword test.
 *
 * The packet bytes are the same pair used by SigTest34ICMPV4Keyword (the two
 * arrays differ only in the last byte), but the rules are swapped: the first
 * rule asks for icmpv4-csum:invalid and the second for icmpv4-csum:valid.
 *
 * NOTE(review): the assertions are not visible in this listing; presumably
 * the test passes when neither rule alerts - confirm against the full file.
 */
2929 static int SigTest35NegativeICMPV4Keyword(
void)
2931 uint8_t valid_raw_ipv4[] = {
/* IPv4 header with protocol byte 0x01 (ICMP); ICMP header at byte 20 with
 * type 0x08, code 0x00 and checksum bytes 0xc3 0x01. */
2932 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2933 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2934 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2935 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2936 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2937 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2938 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2939 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2940 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2941 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2942 0x34, 0x35, 0x36, 0x37};
/* Identical to valid_raw_ipv4 up to the last byte, which is 0x38 here. */
2944 uint8_t invalid_raw_ipv4[] = {
2945 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2946 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2947 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2948 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2949 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2950 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2951 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2952 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2953 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2954 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2955 0x34, 0x35, 0x36, 0x38};
2969 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
2971 uint16_t buflen = strlen((
char *)buf);
2983 p1->
proto = IPPROTO_ICMP;
2993 p2->
proto = IPPROTO_ICMP;
3003 "alert icmp any any -> any any "
3004 "(content:\"/one/\"; icmpv4-csum:invalid; "
3005 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
3012 "alert icmp any any -> any any "
3013 "(content:\"/one/\"; icmpv4-csum:valid; "
3014 "msg:\"icmpv4-csum keyword check(1)\"; "
3039 if (det_ctx != NULL)
/*
 * Unit test for the byte_test keyword against a hand-built TCP packet.
 *
 * Rule sid:1 reads a 4-byte binary value at absolute offset 0 and expects 8.
 * Rule sid:2 reads a 4-character decimal string located 5 bytes after the
 * end of the content match "LEN1 " and expects 8 as well.
 * Both rules are expected to alert (see the two failure messages below).
 */
3048 static int SigTest38(
void)
3056 uint8_t raw_eth[] = {
3057 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3058 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3061 uint8_t raw_ipv4[] = {
3062 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3063 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3064 0x7f, 0x00, 0x00, 0x01
3066 uint8_t raw_tcp[] = {
3067 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3068 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3069 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3070 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3071 0x00, 0x22, 0xaa, 0x10
/* Payload bytes; the declaration line is not shown in this listing, but
 * sizeof(buf) below suggests this is buf. Decoded: 00 00 00 08, then
 * "booeek\r\nLEN1 8\r\nfo0008\r\nLEN2 999...". The leading 00 00 00 08 is
 * what sid:1 reads; the "0008" five bytes after "LEN1 " is what sid:2 reads. */
3074 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3075 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3076 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30,
3077 0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3078 0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3079 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3080 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3081 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3082 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
/* Lengths come from sizeof on the arrays, so they track the literals above. */
3085 uint16_t ethlen =
sizeof(raw_eth);
3086 uint16_t ipv4len =
sizeof(raw_ipv4);
3087 uint16_t tcplen =
sizeof(raw_tcp);
3088 uint16_t buflen =
sizeof(buf);
/* Packet length is the sum of the four layers declared above. */
3109 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
/* Header pointers are aimed directly at the local arrays. */
3112 p1->
ethh = (EthernetHdr *)raw_eth;
3114 p1->
tcph = (TCPHdr *)raw_tcp;
3119 p1->
proto = IPPROTO_TCP;
3128 "alert tcp any any -> any any "
3129 "(content:\"LEN1|20|\"; "
3130 "byte_test:4,=,8,0; "
3131 "msg:\"byte_test keyword check(1)\"; sid:1;)");
3137 "alert tcp any any -> any any "
3138 "(content:\"LEN1|20|\"; "
3139 "byte_test:4,=,8,5,relative,string,dec; "
3140 "msg:\"byte_test keyword check(2)\"; sid:2;)");
3154 printf(
"sid 1 didn't alert, but should have: ");
3161 printf(
"sid 2 didn't alert, but should have: ");
3169 if (det_ctx != NULL)
/*
 * Unit test for the byte_jump keyword (combined with byte_test) against a
 * hand-built TCP packet.
 *
 * Rule sid:1 checks the 4-byte binary value at offset 0 and finishes with a
 * relative 6-byte byte_test for 0x4c454e312038, the bytes of "LEN1 8".
 * Rule sid:2 reads a decimal string after "LEN1 ", jumps by that value plus
 * a post_offset of 2, and then expects 0x4c454e32, the bytes of "LEN2".
 * Both rules are expected to alert (see the two failure messages below).
 *
 * NOTE(review): one option line of rule sid:1 (listing line 3261, between
 * the two byte_test options) is not shown here; presumably it is the
 * byte_jump that positions the relative byte_test - confirm.
 */
3178 static int SigTest39(
void)
3186 uint8_t raw_eth[] = {
3187 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3188 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3191 uint8_t raw_ipv4[] = {
3192 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3193 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3194 0x7f, 0x00, 0x00, 0x01
3196 uint8_t raw_tcp[] = {
3197 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3198 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3199 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3200 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3201 0x00, 0x22, 0xaa, 0x10
/* Payload bytes; the declaration line is not shown in this listing, but
 * sizeof(buf) below suggests this is buf. Decoded: 00 00 00 08, then
 * "booeek\r\nLEN1 8\r\nf0008r\r\nLEN2 99LEN2999...". */
3204 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3205 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3206 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3207 0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3208 0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3209 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3210 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3211 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3212 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
/* Lengths come from sizeof on the arrays, so they track the literals above. */
3215 uint16_t ethlen =
sizeof(raw_eth);
3216 uint16_t ipv4len =
sizeof(raw_ipv4);
3217 uint16_t tcplen =
sizeof(raw_tcp);
3218 uint16_t buflen =
sizeof(buf);
/* Packet length is the sum of the four layers declared above. */
3239 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
/* Header pointers are aimed directly at the local arrays. */
3242 p1->
ethh = (EthernetHdr *)raw_eth;
3244 p1->
tcph = (TCPHdr *)raw_tcp;
3249 p1->
proto = IPPROTO_TCP;
3258 "alert tcp any any -> any any "
3259 "(content:\"LEN1|20|\"; "
3260 "byte_test:4,=,8,0; "
3262 "byte_test:6,=,0x4c454e312038,0,relative; "
3263 "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3270 "alert tcp any any -> any any "
3271 "(content:\"LEN1|20|\"; "
3272 "byte_test:4,=,8,4,relative,string,dec; "
3273 "byte_jump:4,4,relative,string,dec,post_offset 2; "
3274 "byte_test:4,=,0x4c454e32,0,relative; "
3275 "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3289 printf(
"sid 1 didn't alert, but should have: ");
3296 printf(
"sid 2 didn't alert, but should have: ");
3303 if (det_ctx != NULL)
/*
 * Unit test combining content with a relative isdataat check.
 *
 * The rule matches content "HTTP" and then requires isdataat:404,relative.
 * Despite its name, raw_eth holds a complete Ethernet/IPv4/TCP frame whose
 * payload is an "HTTP/1.1 302 Found" response.
 *
 * NOTE(review): going by the IP total-length field (0x01cc) and the TCP data
 * offset byte (0x80), the payload appears to be 408 bytes, i.e. exactly 404
 * bytes follow the leading "HTTP" - a boundary case for isdataat. The
 * assertion itself is not visible in this listing; confirm the expected
 * result against the full file.
 */
3317 static int SigTest36ContentAndIsdataatKeywords01 (
void)
3323 uint8_t raw_eth [] = {
3324 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3325 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3326 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3327 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3328 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3329 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3330 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3331 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3332 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3333 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3334 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3335 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3336 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3337 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3338 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3339 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3340 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3341 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3342 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3343 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3344 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3345 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3346 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3347 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3348 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3349 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3350 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3351 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3352 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3353 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
/* Zero the thread context before it is handed to the engine. */
3364 memset(&th_v, 0,
sizeof(th_v));
3377 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
/*
 * Unit test combining content with a relative isdataat check that must fail.
 *
 * Same frame as SigTest36ContentAndIsdataatKeywords01, but the rule requires
 * isdataat:500,relative after the content "HTTP". The failure message
 * "sig matched, but should not have" shows that no match is expected, i.e.
 * the frame does not carry 500 bytes after the match.
 *
 * NOTE(review): the rule's msg text reads "SigTest37ContentAndIsdataatKeywords01"
 * although this function is ...Keywords02; the text is only a label, but it
 * makes an alert harder to trace back to this test.
 */
3435 static int SigTest37ContentAndIsdataatKeywords02 (
void)
3441 uint8_t raw_eth [] = {
3442 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3443 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3444 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3445 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3446 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3447 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3448 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3449 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3450 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3451 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3452 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3453 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3454 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3455 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3456 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3457 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3458 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3459 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3460 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3461 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3462 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3463 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3464 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3465 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3466 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3467 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3468 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3469 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3470 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3471 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
/* Zero the thread context before it is handed to the engine. */
3482 memset(&th_v, 0,
sizeof(th_v));
/* The parsed signature is kept in s as well as installed as the list head. */
3495 Signature *s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3497 printf(
"sig parse failed: ");
3503 printf(
"type not content: ");
3514 printf(
"sig matched, but should not have: ");
/*
 * Unit test around the "no packet inspection" state.
 *
 * A TCP packet carrying an FTP banner is run through Detect() against a rule
 * that has no payload options at all (only flow:to_server and a destination
 * address of 1.2.3.4).
 *
 * NOTE(review): the lines that set the packet/flow flags and the final
 * assertion are not visible in this listing; presumably the packet is marked
 * no-inspection and the rule must not alert - confirm against the full file.
 */
3557 static int SigTest40NoPacketInspection01(
void)
3560 uint8_t *buf = (uint8_t *)
3561 "220 (vsFTPd 2.0.5)\r\n";
3562 uint16_t buflen = strlen((
char *)buf);
/* All stack-allocated engine structures start out zeroed. */
3573 memset(&th_v, 0,
sizeof(th_v));
3574 memset(&pq, 0,
sizeof(pq));
3575 memset(&f, 0,
sizeof(f));
3576 memset(&tcphdr, 0,
sizeof(tcphdr));
3584 p->
proto = IPPROTO_TCP;
3601 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
/* Detect() is called directly here rather than through a helper. */
3611 Detect(&th_v, p, det_ctx);
/*
 * Unit test around the "no payload inspection" state.
 *
 * The rule's content option is the exact FTP banner text carried in buf, so
 * with normal inspection it would match.
 *
 * NOTE(review): the flag setup and the assertion are not visible in this
 * listing; presumably the packet is marked no-payload-inspection and the
 * test passes when the rule does not alert - confirm against the full file.
 */
3632 static int SigTest40NoPayloadInspection02(
void)
3635 uint8_t *buf = (uint8_t *)
3636 "220 (vsFTPd 2.0.5)\r\n";
3637 uint16_t buflen = strlen((
char *)buf);
3639 memset(&th_v, 0,
sizeof(th_v));
3648 p->
proto = IPPROTO_TCP;
3657 "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
/*
 * Memory-handling unit test with a single signature.
 *
 * One rule with a content option and a pcre that captures the request URI
 * into the named group pkt_http_uri is loaded for a packet holding two HTTP
 * requests.
 *
 * NOTE(review): the build/teardown calls are not visible in this listing;
 * presumably the test exercises setup and cleanup of the detection engine
 * rather than a match result - confirm against the full file.
 */
3673 static int SigTestMemory01 (
void)
3675 uint8_t *buf = (uint8_t *)
3676 "GET /one/ HTTP/1.1\r\n"
3677 "Host: one.example.org\r\n"
3679 "GET /two/ HTTP/1.1\r\n"
3680 "Host: two.example.org\r\n"
3682 uint16_t buflen = strlen((
char *)buf);
3690 memset(&th_v, 0,
sizeof(th_v));
3695 p->
proto = IPPROTO_TCP;
3704 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/*
 * Memory-handling unit test with two signatures on overlapping ports.
 *
 * The rules differ only in destination port (456 versus the range 1:1000,
 * which contains 456) and in sid.
 *
 * NOTE(review): the NULL checks on the SigInit() results and the
 * build/teardown calls are not visible in this listing. The second
 * assignment dereferences de_ctx->sig_list, so it relies on the first
 * SigInit() having succeeded - confirm a check sits between them.
 */
3723 static int SigTestMemory02 (
void)
3728 memset(&th_v, 0,
sizeof(th_v));
3736 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3741 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
/*
 * Memory-handling unit test with three signatures on overlapping
 * destination addresses and ports.
 *
 * sid:1 targets the single host 1.2.3.4 port 456, sid:2 the address range
 * 1.2.3.3-1.2.3.6 ports 1:1000, and sid:3 the negated host !1.2.3.5 ports
 * 1:990, so the three destinations overlap one another.
 *
 * NOTE(review): each ->next assignment dereferences the result of the
 * previous SigInit(); the NULL checks and the build/teardown calls are not
 * visible in this listing - confirm against the full file.
 */
3757 static int SigTestMemory03 (
void)
3762 memset(&th_v, 0,
sizeof(th_v));
3770 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3775 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3780 de_ctx->
sig_list->
next->
next =
SigInit(
de_ctx,
"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
/*
 * Content-match unit test with a 32-byte pattern.
 *
 * The payload and the rule's content option are the same 32-character digit
 * string, so the pattern spans the whole payload; the test expects sid:1 to
 * match (see the failure message below).
 */
3796 static int SigTestContent01 (
void)
3798 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901";
3799 uint16_t buflen = strlen((
char *)buf);
3804 memset(&th_v, 0,
sizeof(th_v));
3815 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3828 printf(
"sig 1 didn't match: ");
/*
 * Content-match unit test with two signatures against a 32-byte payload.
 *
 * The first rule is the same 32-byte pattern as in SigTestContent01. The
 * failure messages show that both sig 1 and sig 2 are expected to match.
 *
 * NOTE(review): the second rule is not visible in this listing - confirm
 * its pattern against the full file.
 */
3840 static int SigTestContent02 (
void)
3842 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901";
3843 uint16_t buflen = strlen((
char *)buf);
3848 memset(&th_v, 0,
sizeof(th_v));
3858 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3878 printf(
"sig 2 didn't match: ");
3881 printf(
"sig 1 didn't match: ");
/*
 * Content-match unit test with two chained 32-byte patterns.
 *
 * The payload is 32 digits immediately followed by the lower- and upper-case
 * alphabet. The rule looks for the 32 digits and then, with distance:0, for
 * the 32 bytes "abcdefghijklmnopqrstuvwxyzABCDEF" anywhere after the first
 * match. The test expects sid:1 to match (see the failure message below).
 */
3893 static int SigTestContent03 (
void)
3895 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3896 uint16_t buflen = strlen((
char *)buf);
3901 memset(&th_v, 0,
sizeof(th_v));
3912 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3925 printf(
"sig 1 didn't match: ");
/*
 * Content-match unit test with two chained 32-byte patterns and a window.
 *
 * Same payload and patterns as SigTestContent03, with within:32 added: the
 * second 32-byte pattern has to fit entirely in the 32 bytes that follow the
 * first match, which it does because it starts directly after the digits.
 * The test expects sid:1 to match (see the failure message below).
 */
3937 static int SigTestContent04 (
void)
3939 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3940 uint16_t buflen = strlen((
char *)buf);
3945 memset(&th_v, 0,
sizeof(th_v));
3957 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3970 printf(
"sig 1 didn't match: ");
/*
 * Negative distance/within unit test.
 *
 * The payload has the three bytes "PAD" between the 32 digits and the
 * alphabet, so the second 32-byte pattern starts 3 bytes after the first
 * match and cannot fit inside a within:32 window. Neither sid:1
 * (distance:0; within:32) nor sid:2 (distance:1; within:32) may match; the
 * failure messages below confirm both are expected not to alert.
 */
3983 static int SigTestContent05 (
void)
3985 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3986 uint16_t buflen = strlen((
char *)buf);
3991 memset(&th_v, 0,
sizeof(th_v));
3997 printf(
"de_ctx == NULL: ");
4003 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4005 printf(
"sig1 parse failed: ");
4008 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
4010 printf(
"sig2 parse failed: ");
4020 printf(
"sig 1 matched but shouldn't: ");
4025 printf(
"sig 2 matched but shouldn't: ");
4035 if (det_ctx != NULL) {
/*
 * Content-match unit test with two "alert ip" signatures sharing a pattern.
 *
 * sid:1 chains two 32-byte patterns with distance:0; within:32. sid:2 uses
 * the same first pattern plus the short pattern "abcdefg" with no relative
 * modifiers. Both are expected to match the payload (see the failure
 * messages below).
 */
4044 static int SigTestContent06 (
void)
4046 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4047 uint16_t buflen = strlen((
char *)buf);
4052 memset(&th_v, 0,
sizeof(th_v));
4063 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4068 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
4081 printf(
"sig 1 didn't match: ");
4088 printf(
"sig 2 didn't match: ");
4102 static int SigTestWithin01 (
void)
4112 uint8_t rawpkt1[] = {
4113 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4114 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4115 0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4116 0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4117 0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4118 0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4119 0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4120 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4121 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4122 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4123 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4124 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4125 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4126 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4127 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4128 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4129 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4130 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4131 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4134 uint8_t rawpkt2[] = {
4135 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4136 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4137 0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4138 0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4139 0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4140 0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4141 0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4142 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4143 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4144 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4145 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4146 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4147 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4148 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4149 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4150 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4151 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4152 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4153 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4156 uint8_t rawpkt3[] = {
4157 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4158 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4159 0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4160 0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4161 0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4162 0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4163 0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4164 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4165 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4166 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4167 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4168 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4169 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4170 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4171 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4172 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4173 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4174 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4175 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4178 uint8_t rawpkt4[] = {
4179 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4180 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4181 0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4182 0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4183 0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4184 0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4185 0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4186 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4187 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4188 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4189 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4190 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4191 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4192 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4193 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4194 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4195 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4196 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4197 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4201 memset(&th_v, 0,
sizeof(th_v));
4214 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4230 printf(
"failed to match on packet 1: ");
4241 printf(
"failed to match on packet 2: ");
4252 printf(
"failed to match on packet 3: ");
4263 printf(
"failed to match on packet 4: ");
4268 uint8_t *p5buf = (uint8_t *)
"Hi, this is a big test to check content matches";
4269 uint16_t p5buflen = strlen((
char *)p5buf);
4273 printf(
"failed to match on packet 5: ");
4285 if (det_ctx != NULL)
/*
 * Unit test for a content option limited by offset and depth.
 *
 * The rule searches for "456" with offset:4 and depth:3, i.e. in a 3-byte
 * window starting at byte 4. In the payload "0123456789..." the bytes at
 * positions 4..6 are "456", so the pattern fills that window exactly.
 *
 * NOTE(review): the assertion is not visible in this listing; presumably a
 * match is expected - confirm against the full file.
 */
4311 static int SigTestDepthOffset01 (
void)
4313 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4314 uint16_t buflen = strlen((
char *)buf);
4320 memset(&th_v, 0,
sizeof(th_v));
4331 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"depth offset\"; content:\"boo\"; offset:4; depth:3; sid:1;)");
/*
 * Unit test for the detection alert counter.
 *
 * Three TCP packets are built in turn with the payloads "boo", "roo" and
 * "laboosa" and run against a rule with content:"boo"; the first and third
 * payloads contain the pattern, the second does not.
 *
 * NOTE(review): the counter reads and the expected values are not visible in
 * this listing - confirm against the full file.
 */
4354 static int SigTestDetectAlertCounter(
void)
4359 memset(&
tv, 0,
sizeof(
tv));
4366 "content:\"boo\"; sid:1;)");
/* Payload equal to the pattern. */
4375 p =
UTHBuildPacket((uint8_t *)
"boo", strlen(
"boo"), IPPROTO_TCP);
/* Payload that does not contain the pattern. */
4383 p =
UTHBuildPacket((uint8_t *)
"roo", strlen(
"roo"), IPPROTO_TCP);
/* Payload with the pattern in the middle. */
4388 p =
UTHBuildPacket((uint8_t *)
"laboosa", strlen(
"laboosa"), IPPROTO_TCP);
/*
 * First of the drop-flow unit tests.
 *
 * An HTTP POST request is prepared as application-layer input on a TCP flow.
 *
 * NOTE(review): the rule action, the parser call and the assertions are not
 * visible in this listing; judging by the sibling tests, this presumably
 * checks that a matching drop rule flags the flow - confirm.
 */
4400 static int SigTestDropFlow01(
void)
4404 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4405 "User-Agent: Mozilla/1.0\r\n"
4406 "Cookie: hellocatch\r\n\r\n";
/* sizeof includes the terminating NUL of the literal, hence the -1. */
4407 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4416 memset(&f, 0,
sizeof(
Flow));
4423 f.
proto = IPPROTO_TCP;
4439 "(msg:\"Test proto match\"; "
/*
 * Drop-flow unit test with a uricontent rule.
 *
 * An HTTP POST for /one is fed to the application-layer parser and the rule
 * matches on uricontent:"one". The failure messages show the checks made:
 * the parser call returns 0, an HTTP state exists, sid 1 alerts, and the
 * flow ends up flagged as a result of that alert.
 *
 * NOTE(review): the rule action and the exact flag tested are not visible in
 * this listing - confirm against the full file.
 */
4473 static int SigTestDropFlow02(
void)
4478 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4479 "User-Agent: Mozilla/1.0\r\n"
4480 "Cookie: hellocatch\r\n\r\n";
/* sizeof includes the terminating NUL of the literal, hence the -1. */
4481 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4490 memset(&f, 0,
sizeof(
Flow));
4497 f.
proto = IPPROTO_TCP;
4515 "(msg:\"Test proto match\"; uricontent:\"one\";"
4527 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4532 if (http_state == NULL) {
4533 printf(
"no http state: ");
4541 printf(
"sig 1 didn't alert, but it should: ");
4546 printf(
"sig 1 alerted but flow was not flagged correctly: ");
4558 if (det_ctx != NULL)
/*
 * Drop-flow unit test covering a second packet on an already-dropped flow.
 *
 * Two HTTP POST requests (/one and /two) are sent on the same flow, with one
 * rule on uricontent:"one" and one on uricontent:"two". The failure messages
 * show the expected sequence: sid 1 alerts on p1 and the flow is flagged;
 * p2 is then flagged no-inspection, neither sid 1 nor sid 2 alerts on it,
 * and the "drop" action is carried from the flow over to the packet.
 *
 * In other words, once a drop rule has fired, later packets of the flow are
 * dropped without being inspected again.
 */
4575 static int SigTestDropFlow03(
void)
4580 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4581 "User-Agent: Mozilla/1.0\r\n"
4582 "Cookie: hellocatch\r\n\r\n";
4583 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4585 uint8_t http_buf2[] =
"POST /two HTTP/1.0\r\n"
4586 "User-Agent: Mozilla/1.0\r\n"
4587 "Cookie: hellocatch\r\n\r\n";
/* NOTE(review): this length is taken from http_buf1, not http_buf2. The two
 * literals have the same length, so the value is right today, but it will
 * silently go wrong if either request is edited; sizeof(http_buf2) - 1 is
 * what is meant. */
4588 uint32_t http_buf2_len =
sizeof(http_buf1) - 1;
4602 memset(&f, 0,
sizeof(
Flow));
4610 f.
proto = IPPROTO_TCP;
4634 "(msg:\"Test proto match\"; uricontent:\"one\";"
4643 "(msg:\"Test proto match\"; uricontent:\"two\";"
4655 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4660 if (http_state == NULL) {
4661 printf(
"no http state: ");
4669 printf(
"sig 1 didn't alert on p1, but it should: ");
4674 printf(
"sig 1 alerted but flow was not flagged correctly: ");
/* The test sets the no-inspection flags on the flow and on p2 itself when
 * StreamTcpCheckFlowDrops() reports that the flow triggered a drop rule. */
4679 if (StreamTcpCheckFlowDrops(p2) == 1) {
4680 SCLogDebug(
"This flow/stream triggered a drop rule");
4681 FlowSetNoPacketInspectionFlag(p2->
flow);
4682 DecodeSetNoPacketInspectionFlag(p2);
4691 printf(
"The packet was not flagged with no-inspection: ");
4698 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
4706 printf(
"sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4711 printf(
"sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4716 printf(
"A \"drop\" action should be set from the flow to the packet: ");
4725 if (det_ctx != NULL)
/*
 * Drop-flow unit test with two HTTP requests and two uricontent rules.
 *
 * The inputs are the same /one and /two POST requests used by
 * SigTestDropFlow03, with one rule on uricontent:"one" and one on
 * uricontent:"two".
 *
 * NOTE(review): the rule actions and the assertions are not visible in this
 * listing - confirm against the full file what distinguishes this case.
 */
4746 static int SigTestDropFlow04(
void)
4750 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4751 "User-Agent: Mozilla/1.0\r\n"
4752 "Cookie: hellocatch\r\n\r\n";
4753 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4755 uint8_t http_buf2[] =
"POST /two HTTP/1.0\r\n"
4756 "User-Agent: Mozilla/1.0\r\n"
4757 "Cookie: hellocatch\r\n\r\n";
/* NOTE(review): this length is taken from http_buf1, not http_buf2. The two
 * literals have the same length, so the value is right today, but
 * sizeof(http_buf2) - 1 is what is meant. */
4758 uint32_t http_buf2_len =
sizeof(http_buf1) - 1;
4769 memset(&f, 0,
sizeof(
Flow));
4777 f.
proto = IPPROTO_TCP;
4798 "(msg:\"Test proto match\"; uricontent:\"one\";"
4805 "(msg:\"Test proto match\"; uricontent:\"two\";"
/*
 * Negative unit test for rule port handling.
 *
 * The payload is a run of 'A' bytes and the rule's content:"AAA" would match
 * it, yet the failure message shows that sid 1 must NOT alert on p1.
 *
 * NOTE(review): the rule header and the packet setup are not visible in this
 * listing; presumably the non-match comes from the rule's port/protocol
 * header - confirm against the full file.
 */
4856 static int SigTestPorts01(
void)
4863 uint8_t payload[] =
"AAAAAAAAAAAAAAAAAA";
4876 "(content:\"AAA\"; sid:1;)");
4888 printf(
"sig 1 alerted on p1, but it should not: ");
4894 if (det_ctx != NULL)
/*
 * Regression test for case-insensitive matching of a pattern that starts
 * with '!'.
 *
 * The payload is "!mymy". Rule 1 (content:"Omymy"; nocase) must not alert;
 * rule 2 (content:"!mymy"; nocase) must alert. In rule 2 the '!' sits inside
 * the quotes, so it is a literal pattern byte, not a negation (a negated
 * content is written with the '!' before the opening quote).
 *
 * NOTE(review): the second failure message reads "sig 2 did not p1" - the
 * word "alert on" is missing from the string.
 */
4906 static int SigTestBug01(
void)
4913 uint8_t payload[] =
"!mymy";
4926 "(content:\"Omymy\"; nocase; sid:1;)");
4931 "(content:\"!mymy\"; nocase; sid:2;)");
4943 printf(
"sig 1 alerted on p1, but it should not: ");
4947 printf(
"sig 2 did not p1, but it should have: ");
4953 if (det_ctx != NULL)
/*
 * YAML configuration fragment for the address-parsing tests.
 * HOME_NET is a /24 with one host excluded by negation; here the negated
 * address is written without a prefix length (compare dummy_conf_string3,
 * which writes it as /32).
 * Only part of the string is shown in this listing.
 */
4964 static const char *dummy_conf_string2 =
4969 " address-groups:\n"
4971 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4973 " EXTERNAL_NET: \"any\"\n"
4977 " HTTP_PORTS: \"80:81,88\"\n"
4980 static int DetectAddressYamlParsing01 (
void)
/*
 * YAML configuration fragment for the address-parsing tests.
 * HOME_NET is a /24 with one host excluded by negation, the negated address
 * being written with an explicit /32 prefix.
 * Only part of the string is shown in this listing.
 */
5011 static const char *dummy_conf_string3 =
5016 " address-groups:\n"
5018 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5020 " EXTERNAL_NET: \"any\"\n"
5024 " HTTP_PORTS: \"80:81,88\"\n"
5027 static int DetectAddressYamlParsing02 (
void)
/*
 * YAML configuration fragment for the address-parsing tests.
 * The lines shown here are identical to those of dummy_conf_string3 (a /24
 * HOME_NET with a negated /32 host); any difference between the two strings
 * lies in lines that are not shown in this listing.
 */
5058 static const char *dummy_conf_string4 =
5063 " address-groups:\n"
5065 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5067 " EXTERNAL_NET: \"any\"\n"
5071 " HTTP_PORTS: \"80:81,88\"\n"
5074 static int DetectAddressYamlParsing03 (
void)
/*
 * YAML configuration fragment for the address-parsing tests.
 * HOME_NET is 10.196.0.0/24 with the single host 10.196.0.15 excluded by
 * negation, written without a prefix length.
 * Only part of the string is shown in this listing.
 */
5105 static const char *dummy_conf_string5 =
5110 " address-groups:\n"
5112 " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
5114 " EXTERNAL_NET: \"any\"\n"
5118 " HTTP_PORTS: \"80:81,88\"\n"
5122 static int DetectAddressYamlParsing04 (
void)
5162 UtRegisterTest(
"SigTest05 -- distance/within mismatch", SigTest05);
5163 UtRegisterTest(
"SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
5166 UtRegisterTest(
"SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
5169 UtRegisterTest(
"SigTest10 -- long content match, longer than pkt",
5172 UtRegisterTest(
"SigTest12 -- content order matching, normal", SigTest12);
5173 UtRegisterTest(
"SigTest13 -- content order matching, diff order",
5175 UtRegisterTest(
"SigTest14 -- content order matching, distance 0",
5177 UtRegisterTest(
"SigTest15 -- port negation sig (no match)", SigTest15);
5178 UtRegisterTest(
"SigTest16 -- port negation sig (match)", SigTest16);
5179 UtRegisterTest(
"SigTest17 -- HTTP Host Pkt var capture", SigTest17);
5189 SigTest25NegativeIPV4Keyword);
5193 SigTest26TCPV4AndNegativeIPV4Keyword);
5195 SigTest26TCPV4AndIPV4Keyword);
5197 SigTest27NegativeTCPV4Keyword);
5201 SigTest29NegativeTCPV6Keyword);
5205 SigTest31NegativeUDPV4Keyword);
5209 SigTest33NegativeUDPV6Keyword);
5211 UtRegisterTest(
"SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5213 SigTest35NegativeICMPV4Keyword);
5215 SigTest36ContentAndIsdataatKeywords01);
5217 SigTest37ContentAndIsdataatKeywords02);
5224 SigTest40NoPacketInspection01);
5226 SigTest40NoPayloadInspection02);
5232 UtRegisterTest(
"SigTestContent01 -- 32 byte pattern", SigTestContent01);
5233 UtRegisterTest(
"SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5234 UtRegisterTest(
"SigTestContent03 -- 32 byte pattern, x2 + distance",
5236 UtRegisterTest(
"SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5238 UtRegisterTest(
"SigTestContent05 -- distance/within", SigTestContent05);
5245 UtRegisterTest(
"SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5252 UtRegisterTest(
"DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5253 UtRegisterTest(
"DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5254 UtRegisterTest(
"DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5255 UtRegisterTest(
"DetectAddressYamlParsing04", DetectAddressYamlParsing04);