suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #ifdef UNITTESTS
19 
20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../detect-engine-build.h"
25 #include "../pkt-var.h"
26 #include "../flow-util.h"
27 #include "../stream-tcp-reassemble.h"
28 #include "../util-unittest.h"
29 #include "../util-var-name.h"
30 #include "../util-unittest-helper.h"
31 
32 static const char *dummy_conf_string =
33  "%YAML 1.1\n"
34  "---\n"
35  "\n"
36  "default-log-dir: /var/log/suricata\n"
37  "\n"
38  "logging:\n"
39  "\n"
40  " default-log-level: debug\n"
41  "\n"
42  " default-format: \"<%t> - <%l>\"\n"
43  "\n"
44  " default-startup-message: Your IDS has started.\n"
45  "\n"
46  " default-output-filter:\n"
47  "\n"
48  " output:\n"
49  "\n"
50  " - interface: console\n"
51  " log-level: info\n"
52  "\n"
53  " - interface: file\n"
54  " filename: /var/log/suricata.log\n"
55  "\n"
56  " - interface: syslog\n"
57  " facility: local5\n"
58  " format: \"%l\"\n"
59  "\n"
60  "pfring:\n"
61  "\n"
62  " interface: eth0\n"
63  "\n"
64  " clusterid: 99\n"
65  "\n"
66  "vars:\n"
67  "\n"
68  " address-groups:\n"
69  "\n"
70  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
71  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
72  "\n"
73  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
74  "\n"
75  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
76  "\n"
77  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
78  "\n"
79  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
80  "\n"
81  " DNS_SERVERS: any\n"
82  "\n"
83  " TELNET_SERVERS: any\n"
84  "\n"
85  " AIM_SERVERS: any\n"
86  "\n"
87  " port-groups:\n"
88  "\n"
89  " HTTP_PORTS: \"80:81,88\"\n"
90  "\n"
91  " SHELLCODE_PORTS: 80\n"
92  "\n"
93  " ORACLE_PORTS: 1521\n"
94  "\n"
95  " SSH_PORTS: 22\n"
96  "\n";
97 
98 static int SigTest01 (void)
99 {
100  uint8_t *buf = (uint8_t *)
101  "GET /one/ HTTP/1.1\r\n"
102  "Host: one.example.org\r\n"
103  "\r\n\r\n"
104  "GET /two/ HTTP/1.1\r\n"
105  "Host: two.example.org\r\n"
106  "\r\n\r\n";
107  uint16_t buflen = strlen((char *)buf);
108  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
109  FAIL_IF_NULL(p);
110 
111  char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
112  FAIL_IF(UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0);
113 
114  UTHFreePacket(p);
115  PASS;
116 }
117 
118 static int SigTest02 (void)
119 {
120  uint8_t *buf = (uint8_t *)
121  "GET /one/ HTTP/1.1\r\n"
122  "Host: one.example.org\r\n"
123  "\r\n\r\n"
124  "GET /two/ HTTP/1.1\r\n"
125  "Host: two.example.org\r\n"
126  "\r\n\r\n";
127  uint16_t buflen = strlen((char *)buf);
128  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
129  char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
130  int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
131  UTHFreePacket(p);
132  return ret;
133 }
134 
135 static int SigTest03 (void)
136 {
137  uint8_t *buf = (uint8_t *)
138  "GET /one/ HTTP/1.1\r\n"
139  "Host: one.example.org\r\n"
140  "\r\n\r\n"
141  "GET /two/ HTTP/1.1\r\n"
142  "Host: two.example.org\r\n"
143  "\r\n\r\n";
144  uint16_t buflen = strlen((char *)buf);
145  ThreadVars th_v;
146  memset(&th_v, 0, sizeof(th_v));
147  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
148  FAIL_IF_NULL(p);
151  de_ctx->flags |= DE_QUIET;
153  "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: "
154  "one.example.org\"; offset:20; depth:39; sid:1;)");
155  FAIL_IF_NULL(s);
157  DetectEngineThreadCtx *det_ctx = NULL;
158  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
159  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
161  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
163  UTHFreePackets(&p, 1);
164  StatsThreadCleanup(&th_v);
165  PASS;
166 }
167 
168 static int SigTest04 (void)
169 {
170  uint8_t *buf = (uint8_t *)
171  "GET /one/ HTTP/1.1\r\n" /* 20*/
172  "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
173  "\r\n\r\n" /* 4 */
174  "GET /two/ HTTP/1.1\r\n" /* 20 */
175  "Host: two.example.org\r\n" /* 23 */
176  "\r\n\r\n"; /* 4 */
177  uint16_t buflen = strlen((char *)buf);
178  ThreadVars th_v;
179  memset(&th_v, 0, sizeof(th_v));
180  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
181  FAIL_IF_NULL(p);
184  de_ctx->flags |= DE_QUIET;
186  "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; "
187  "offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
188  FAIL_IF_NULL(s);
190  DetectEngineThreadCtx *det_ctx = NULL;
191  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
192  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
194  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
196  UTHFreePackets(&p, 1);
197  StatsThreadCleanup(&th_v);
198  PASS;
199 }
200 
201 static int SigTest05 (void)
202 {
203  uint8_t *buf = (uint8_t *)
204  "GET /one/ HTTP/1.1\r\n" /* 20 */
205  "Host: one.example.org\r\n" /* 23, 43 */
206  "\r\n\r\n" /* 4, 47 */
207  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
208  "Host: two.example.org\r\n" /* 23, 90 */
209  "\r\n\r\n"; /* 4, 94 */
210  uint16_t buflen = strlen((char *)buf);
211  ThreadVars th_v;
212  memset(&th_v, 0, sizeof(th_v));
213  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
214  FAIL_IF_NULL(p);
217  de_ctx->flags |= DE_QUIET;
219  "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; "
220  "offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
221  FAIL_IF_NULL(s);
223  DetectEngineThreadCtx *det_ctx = NULL;
224  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
225  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
226  FAIL_IF(PacketAlertCheck(p, 1));
227  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
229  UTHFreePackets(&p, 1);
230  StatsThreadCleanup(&th_v);
231  PASS;
232 }
233 
234 static int SigTest06 (void)
235 {
236  uint8_t *buf = (uint8_t *)
237  "GET /one/ HTTP/1.1\r\n" /* 20 */
238  "Host: one.example.org\r\n" /* 23, 43 */
239  "\r\n\r\n" /* 4, 47 */
240  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
241  "Host: two.example.org\r\n" /* 23, 90 */
242  "\r\n\r\n"; /* 4, 94 */
243  uint16_t buflen = strlen((char *)buf);
244  Packet *p = NULL;
245  ThreadVars th_v;
246  DetectEngineThreadCtx *det_ctx = NULL;
247  Flow f;
248  TcpSession ssn;
251 
252  memset(&th_v, 0, sizeof(th_v));
253  memset(&f, 0, sizeof(f));
254  memset(&ssn, 0, sizeof(ssn));
255 
256  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
257  FAIL_IF_NULL(p);
258 
259  FLOW_INITIALIZE(&f);
260  f.protoctx = (void *)&ssn;
261  f.flags |= FLOW_IPV4;
262  f.proto = IPPROTO_TCP;
263  p->flow = &f;
268 
269  StreamTcpInitConfig(true);
270 
273  de_ctx->flags |= DE_QUIET;
274 
275  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
276  FAIL_IF_NULL(s);
277 
278  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
279  FAIL_IF_NULL(s);
280 
282  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
283  FAIL_IF_NULL(det_ctx);
284 
285  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
286  FAIL_IF(r != 0);
287 
288  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
291 
292  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
295  UTHFreePackets(&p, 1);
296  StreamTcpFreeConfig(true);
297  FLOW_DESTROY(&f);
298  StatsThreadCleanup(&th_v);
299  PASS;
300 }
301 
302 static int SigTest07 (void)
303 {
304  uint8_t *buf = (uint8_t *)
305  "GET /one/ HTTP/1.1\r\n" /* 20 */
306  "Host: one.example.org\r\n" /* 23, 43 */
307  "\r\n\r\n" /* 4, 47 */
308  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
309  "Host: two.example.org\r\n" /* 23, 90 */
310  "\r\n\r\n"; /* 4, 94 */
311  uint16_t buflen = strlen((char *)buf);
312  Packet *p = NULL;
313  ThreadVars th_v;
314  DetectEngineThreadCtx *det_ctx = NULL;
315  Flow f;
316  TcpSession ssn;
318 
319  memset(&th_v, 0, sizeof(th_v));
320  memset(&f, 0, sizeof(f));
321  memset(&ssn, 0, sizeof(ssn));
322  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
323  FAIL_IF_NULL(p);
324  FLOW_INITIALIZE(&f);
325  f.protoctx = (void *)&ssn;
326  f.flags |= FLOW_IPV4;
327  f.proto = IPPROTO_TCP;
328  p->flow = &f;
333 
334  StreamTcpInitConfig(true);
335 
338  de_ctx->flags |= DE_QUIET;
339 
341  "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; "
342  "pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
343  FAIL_IF_NULL(s);
345  "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
346  FAIL_IF_NULL(s);
347 
349  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
350 
351  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
352  FAIL_IF(r != 0);
353  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
355  FAIL_IF(PacketAlertCheck(p, 2));
356 
358  UTHFreePackets(&p, 1);
359  StreamTcpFreeConfig(true);
361  FLOW_DESTROY(&f);
362 
363  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
365  StatsThreadCleanup(&th_v);
366  PASS;
367 }
368 
369 static int SigTest08 (void)
370 {
371  uint8_t *buf = (uint8_t *)
372  "GET /one/ HTTP/1.0\r\n" /* 20 */
373  "Host: one.example.org\r\n" /* 23, 43 */
374  "\r\n\r\n" /* 4, 47 */
375  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
376  "Host: two.example.org\r\n" /* 23, 90 */
377  "\r\n\r\n"; /* 4, 94 */
378  uint16_t buflen = strlen((char *)buf);
379  ThreadVars th_v;
380  DetectEngineThreadCtx *det_ctx = NULL;
381  Flow f;
382  TcpSession ssn;
384 
385  memset(&f, 0, sizeof(Flow));
386  memset(&th_v, 0, sizeof(th_v));
387  memset(&ssn, 0, sizeof(ssn));
388 
389  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
390  FAIL_IF_NULL(p);
391 
392  FLOW_INITIALIZE(&f);
393  f.protoctx = (void *)&ssn;
394  f.flags |= FLOW_IPV4;
395  f.proto = IPPROTO_TCP;
396  p->flow = &f;
401 
402  StreamTcpInitConfig(true);
403 
406  de_ctx->flags |= DE_QUIET;
407 
409  "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; "
410  "depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
411  FAIL_IF_NULL(s);
413  "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
414  FAIL_IF_NULL(s);
415 
417  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
418 
419  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
420  FAIL_IF(r != 0);
421 
422  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
425 
426  FLOW_DESTROY(&f);
427  UTHFreePackets(&p, 1);
428 
429  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
432  StreamTcpFreeConfig(true);
433  StatsThreadCleanup(&th_v);
434  PASS;
435 }
436 
437 static int SigTest09 (void)
438 {
439  uint8_t *buf = (uint8_t *)
440  "GET /one/ HTTP/1.0\r\n" /* 20 */
441  "Host: one.example.org\r\n" /* 23, 43 */
442  "\r\n\r\n" /* 4, 47 */
443  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
444  "Host: two.example.org\r\n" /* 23, 90 */
445  "\r\n\r\n"; /* 4, 94 */
446  uint16_t buflen = strlen((char *)buf);
447  ThreadVars th_v;
448  DetectEngineThreadCtx *det_ctx = NULL;
449  Flow f;
450  TcpSession ssn;
452 
453  memset(&th_v, 0, sizeof(th_v));
454  memset(&f, 0, sizeof(f));
455  memset(&ssn, 0, sizeof(ssn));
456 
457  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
458  FAIL_IF_NULL(p);
459 
460  FLOW_INITIALIZE(&f);
461  f.protoctx = (void *)&ssn;
462  f.flags |= FLOW_IPV4;
463  f.proto = IPPROTO_TCP;
464  p->flow = &f;
469 
470  StreamTcpInitConfig(true);
471 
474  de_ctx->flags |= DE_QUIET;
475 
477  "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; "
478  "depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
479  FAIL_IF_NULL(s);
481  "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
482  FAIL_IF_NULL(s);
483 
485  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
486 
487  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
488  FAIL_IF(r != 0);
489 
490  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
493 
495  FLOW_DESTROY(&f);
496  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
499  UTHFreePackets(&p, 1);
500  StreamTcpFreeConfig(true);
501  StatsThreadCleanup(&th_v);
502  PASS;
503 }
504 
505 static int SigTest10 (void)
506 {
507  uint8_t *buf = (uint8_t *)"ABC";
508  uint16_t buflen = strlen((char *)buf);
509  ThreadVars th_v;
510  DetectEngineThreadCtx *det_ctx = NULL;
511  Flow f;
512  TcpSession ssn;
514 
515  memset(&th_v, 0, sizeof(th_v));
516  memset(&f, 0, sizeof(f));
517  memset(&ssn, 0, sizeof(ssn));
518 
519  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
520  FAIL_IF_NULL(p);
521 
522  FLOW_INITIALIZE(&f);
523  f.protoctx = (void *)&ssn;
524  f.proto = IPPROTO_TCP;
525  f.flags |= FLOW_IPV4;
526  p->flow = &f;
530 
531  StreamTcpInitConfig(true);
532 
535  de_ctx->flags |= DE_QUIET;
536 
537  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"Long content "
538  "test (1)\"; content:\"ABCD\"; depth:4; sid:1;");
539  FAIL_IF_NULL(s);
540  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"Long content test "
541  "(2)\"; content:\"VWXYZ\"; sid:2;");
542  FAIL_IF_NULL(s);
543 
545  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
546 
547  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
548  FAIL_IF(r != 0);
549  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
550  FAIL_IF(PacketAlertCheck(p, 1));
551  FAIL_IF(PacketAlertCheck(p, 2));
552 
554  FLOW_DESTROY(&f);
555  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
558  UTHFreePackets(&p, 1);
559  StreamTcpFreeConfig(true);
560  StatsThreadCleanup(&th_v);
561  PASS;
562 }
563 
564 static int SigTest11 (void)
565 {
566  uint8_t *buf = (uint8_t *)
567  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
568  uint16_t buflen = strlen((char *)buf);
569  Packet *p = NULL;
570  ThreadVars th_v;
571  DetectEngineThreadCtx *det_ctx = NULL;
572  Flow f;
573  TcpSession ssn;
574  int result = 0;
575 
576  memset(&th_v, 0, sizeof(th_v));
577  memset(&f, 0, sizeof(f));
578  memset(&ssn, 0, sizeof(ssn));
579 
580  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
581 
582  FLOW_INITIALIZE(&f);
583  f.protoctx = (void *)&ssn;
584  f.proto = IPPROTO_TCP;
585  f.flags |= FLOW_IPV4;
586  p->flow = &f;
590 
591  StreamTcpInitConfig(true);
592 
594  if (de_ctx == NULL) {
595  goto end;
596  }
597 
598  de_ctx->flags |= DE_QUIET;
599 
600  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
601  if (de_ctx->sig_list == NULL) {
602  goto end;
603  }
604  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
605  if (de_ctx->sig_list->next == NULL) {
606  goto end;
607  }
608 
610  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
611 
612  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
613  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
614  result = 1;
615 
616  end:
618  if (det_ctx)
619  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
621  UTHFreePackets(&p, 1);
622  StreamTcpFreeConfig(true);
623  FLOW_DESTROY(&f);
624  StatsThreadCleanup(&th_v);
625  return result;
626 }
627 
628 static int SigTest12 (void)
629 {
630  uint8_t *buf = (uint8_t *)
631  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
632  uint16_t buflen = strlen((char *)buf);
633  Packet *p = NULL;
634  ThreadVars th_v;
635  DetectEngineThreadCtx *det_ctx = NULL;
636  int result = 0;
637 
638  memset(&th_v, 0, sizeof(th_v));
639  Flow f;
640  memset(&f, 0, sizeof(Flow));
641 
642  FLOW_INITIALIZE(&f);
643 
644  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
645  p->flow = &f;
647 
649  if (de_ctx == NULL) {
650  goto end;
651  }
652 
653  de_ctx->flags |= DE_QUIET;
654 
655  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
656  if (de_ctx->sig_list == NULL) {
657  result = 0;
658  goto end;
659  }
660 
662  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
663 
664  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
665  if (PacketAlertCheck(p, 1))
666  result = 1;
667  else
668  result = 0;
669 
670  if (det_ctx != NULL)
671  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
672 end:
673  UTHFreePackets(&p, 1);
674  if (de_ctx != NULL) {
676  }
677  FLOW_DESTROY(&f);
678  StatsThreadCleanup(&th_v);
679  return result;
680 }
681 
682 static int SigTest13 (void)
683 {
684  uint8_t *buf = (uint8_t *)
685  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
686  uint16_t buflen = strlen((char *)buf);
687  Packet *p = NULL;
688  ThreadVars th_v;
689  DetectEngineThreadCtx *det_ctx = NULL;
690  int result = 0;
691 
692  memset(&th_v, 0, sizeof(th_v));
693  Flow f;
694  memset(&f, 0, sizeof(Flow));
695 
696  FLOW_INITIALIZE(&f);
697 
698  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
699  p->flow = &f;
701 
703  if (de_ctx == NULL) {
704  goto end;
705  }
706 
707  de_ctx->flags |= DE_QUIET;
708 
709  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
710  if (de_ctx->sig_list == NULL) {
711  result = 0;
712  goto end;
713  }
714 
716  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
717 
718  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
719  if (PacketAlertCheck(p, 1))
720  result = 1;
721  else
722  result = 0;
723 
724  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
726 end:
727  UTHFreePackets(&p, 1);
728  FLOW_DESTROY(&f);
729  StatsThreadCleanup(&th_v);
730  return result;
731 }
732 
733 static int SigTest14 (void)
734 {
735  uint8_t *buf = (uint8_t *)
736  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
737  uint16_t buflen = strlen((char *)buf);
738  Packet *p = NULL;
739  ThreadVars th_v;
740  DetectEngineThreadCtx *det_ctx = NULL;
741  int result = 0;
742 
743  memset(&th_v, 0, sizeof(th_v));
744 
745  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
746 
748  if (de_ctx == NULL) {
749  goto end;
750  }
751 
752  de_ctx->flags |= DE_QUIET;
753 
754  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
755  if (de_ctx->sig_list == NULL) {
756  result = 0;
757  goto end;
758  }
759 
761  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
762 
763  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
764  if (PacketAlertCheck(p, 1))
765  result = 0;
766  else
767  result = 1;
768 
769  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
771 end:
772  UTHFreePackets(&p, 1);
773  StatsThreadCleanup(&th_v);
774  return result;
775 }
776 
777 static int SigTest15 (void)
778 {
779  uint8_t *buf = (uint8_t *)
780  "CONNECT 213.92.8.7:31204 HTTP/1.1";
781  uint16_t buflen = strlen((char *)buf);
782  Packet *p = PacketGetFromAlloc();
783  if (unlikely(p == NULL))
784  return 0;
785  ThreadVars th_v;
786  DetectEngineThreadCtx *det_ctx = NULL;
787  int result = 0;
788 
789  memset(&th_v, 0, sizeof(th_v));
790  p->src.family = AF_INET;
791  p->dst.family = AF_INET;
792  p->payload = buf;
793  p->payload_len = buflen;
794  p->proto = IPPROTO_TCP;
795  p->dp = 80;
796 
798  SCConfInit();
799  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
800 
802  if (de_ctx == NULL) {
803  goto end;
804  }
805 
806  de_ctx->flags |= DE_QUIET;
807 
808  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
809  if (de_ctx->sig_list == NULL) {
810  result = 0;
811  goto end;
812  }
813 
815  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
816 
817  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
818  if (PacketAlertCheck(p, 2008284))
819  result = 0;
820  else
821  result = 1;
822 
823  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
825 end:
826  SCConfDeInit();
828  PacketFree(p);
829  StatsThreadCleanup(&th_v);
830  return result;
831 }
832 
833 static int SigTest16 (void)
834 {
835  uint8_t *buf = (uint8_t *)
836  "CONNECT 213.92.8.7:31204 HTTP/1.1";
837  uint16_t buflen = strlen((char *)buf);
838  Packet *p = NULL;
839  ThreadVars th_v;
840  DetectEngineThreadCtx *det_ctx = NULL;
841  int result = 0;
842 
843  memset(&th_v, 0, sizeof(th_v));
844  memset(&p, 0, sizeof(p));
845 
846  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
847 
849  SCConfInit();
850  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
851 
853  if (de_ctx == NULL) {
854  goto end;
855  }
856 
857  de_ctx->flags |= DE_QUIET;
858 
859  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
860  if (de_ctx->sig_list == NULL) {
861  goto end;
862  }
863 
865  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
866 
867  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
868  if (PacketAlertCheck(p, 2008284))
869  result = 1;
870  else
871  printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
872 
873  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
875 end:
876  SCConfDeInit();
878  UTHFreePackets(&p, 1);
879  StatsThreadCleanup(&th_v);
880  return result;
881 }
882 
883 static int SigTest17 (void)
884 {
885  uint8_t *buf = (uint8_t *)
886  "GET /one/ HTTP/1.1\r\n" /* 20 */
887  "Host: one.example.org\r\n" /* 23, 43 */
888  "\r\n\r\n" /* 4, 47 */
889  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
890  "Host: two.example.org\r\n" /* 23, 90 */
891  "\r\n\r\n"; /* 4, 94 */
892  uint16_t buflen = strlen((char *)buf);
893  Packet *p = NULL;
894  ThreadVars th_v;
895  DetectEngineThreadCtx *det_ctx = NULL;
896  memset(&th_v, 0, sizeof(th_v));
897 
898  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
899  FAIL_IF_NULL(p);
900 
902  SCConfInit();
903  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
904 
907  de_ctx->flags |= DE_QUIET;
908 
909  Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
910  FAIL_IF_NULL(s);
911 
913  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
914  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
915 
916  uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
917  PktVar *pv_hn = PktVarGet(p, capid);
918  FAIL_IF_NULL(pv_hn);
919  FAIL_IF(pv_hn->value_len != 15);
920  FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
921 
922  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
924  SCConfDeInit();
926  UTHFreePackets(&p, 1);
927  StatsThreadCleanup(&th_v);
928 
929  PASS;
930 }
931 
932 static int SigTest18 (void)
933 {
934  uint8_t *buf = (uint8_t *)
935  "220 (vsFTPd 2.0.5)\r\n";
936  uint16_t buflen = strlen((char *)buf);
937  Packet *p = PacketGetFromAlloc();
938  if (unlikely(p == NULL))
939  return 0;
940  ThreadVars th_v;
941  DetectEngineThreadCtx *det_ctx = NULL;
942  int result = 0;
943 
944  memset(&th_v, 0, sizeof(th_v));
945  p->src.family = AF_INET;
946  p->dst.family = AF_INET;
947  p->payload = buf;
948  p->payload_len = buflen;
949  p->proto = IPPROTO_TCP;
950  p->dp = 34260;
951  p->sp = 21;
952 
954  if (de_ctx == NULL) {
955  goto end;
956  }
957 
958  de_ctx->flags |= DE_QUIET;
959 
960  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
961  if (de_ctx->sig_list == NULL) {
962  result = 0;
963  goto end;
964  }
965 
967  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
968 
969  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
970  if (!PacketAlertCheck(p, 2003055))
971  result = 1;
972  else
973  printf("signature shouldn't match, but did: ");
974 
975  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
977 end:
978  PacketFree(p);
979  StatsThreadCleanup(&th_v);
980  return result;
981 }
982 
983 static int SigTest19 (void)
984 {
985  uint8_t *buf = (uint8_t *)
986  "220 (vsFTPd 2.0.5)\r\n";
987  uint16_t buflen = strlen((char *)buf);
988  Packet *p = PacketGetFromAlloc();
989  if (unlikely(p == NULL))
990  return 0;
991  ThreadVars th_v;
992  DetectEngineThreadCtx *det_ctx = NULL;
993  int result = 0;
994 
995  memset(&th_v, 0, sizeof(th_v));
996  p->src.family = AF_INET;
997  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
998  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
999  p->dst.family = AF_INET;
1000  p->payload = buf;
1001  p->payload_len = buflen;
1002  p->proto = IPPROTO_TCP;
1003  p->dp = 34260;
1004  p->sp = 21;
1006 
1008  SCConfInit();
1009  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1010 
1012  if (de_ctx == NULL) {
1013  goto end;
1014  }
1015 
1016  de_ctx->flags |= DE_QUIET;
1017 
1018  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1019  if (de_ctx->sig_list == NULL) {
1020  result = 0;
1021  goto end;
1022  }
1023 
1025  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1026 
1027  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1028  if (PacketAlertCheck(p, 999))
1029  result = 1;
1030  else
1031  printf("signature didn't match, but should have: ");
1032 
1033  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1035 end:
1036  SCConfDeInit();
1038  PacketFree(p);
1039  StatsThreadCleanup(&th_v);
1040  return result;
1041 }
1042 
1043 static int SigTest20 (void)
1044 {
1045  uint8_t *buf = (uint8_t *)
1046  "220 (vsFTPd 2.0.5)\r\n";
1047  uint16_t buflen = strlen((char *)buf);
1048  Packet *p = PacketGetFromAlloc();
1049  if (unlikely(p == NULL))
1050  return 0;
1051  ThreadVars th_v;
1052  DetectEngineThreadCtx *det_ctx = NULL;
1053  int result = 0;
1054 
1055  memset(&th_v, 0, sizeof(th_v));
1056  p->src.family = AF_INET;
1057  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1058  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1059  p->dst.family = AF_INET;
1060  p->payload = buf;
1061  p->payload_len = buflen;
1062  p->proto = IPPROTO_TCP;
1063  p->dp = 34260;
1064  p->sp = 21;
1066 
1068  SCConfInit();
1069  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1070 
1072  if (de_ctx == NULL) {
1073  goto end;
1074  }
1075 
1076  de_ctx->flags |= DE_QUIET;
1077 
1078  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1079  if (de_ctx->sig_list == NULL) {
1080  result = 0;
1081  goto end;
1082  }
1083 
1085  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1086 
1087  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1088  if (PacketAlertCheck(p, 999))
1089  result = 1;
1090  else
1091  printf("signature didn't match, but should have: ");
1092 
1093  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1095 end:
1096  SCConfDeInit();
1098  PacketFree(p);
1099  StatsThreadCleanup(&th_v);
1100  return result;
1101 }
1102 
1103 static int SigTest21 (void)
1104 {
1105  ThreadVars th_v;
1106  memset(&th_v, 0, sizeof(th_v));
1107  DetectEngineThreadCtx *det_ctx = NULL;
1108  int result = 0;
1109 
1110  Flow f;
1111  memset(&f, 0, sizeof(f));
1112  FLOW_INITIALIZE(&f);
1113 
1114  /* packet 1 */
1115  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1116  "\r\n\r\n";
1117  uint16_t buf1len = strlen((char *)buf1);
1118  Packet *p1 = NULL;
1119  /* packet 2 */
1120  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1121  "\r\n\r\n";
1122  uint16_t buf2len = strlen((char *)buf2);
1123  Packet *p2 = NULL;
1124 
1125  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1126  p1->flow = &f;
1128  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1129  p2->flow = &f;
1131 
1133  if (de_ctx == NULL) {
1134  goto end;
1135  }
1136 
1137  de_ctx->flags |= DE_QUIET;
1138 
1139  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1140  if (de_ctx->sig_list == NULL) {
1141  result = 0;
1142  goto end;
1143  }
1144  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1145  if (de_ctx->sig_list == NULL) {
1146  result = 0;
1147  goto end;
1148  }
1149 
1151  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1152 
1153  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1154  if (PacketAlertCheck(p1, 1)) {
1155  printf("sid 1 alerted, but shouldn't: ");
1156  goto end;
1157  }
1158  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1159  if (!(PacketAlertCheck(p2, 2))) {
1160  printf("sid 2 didn't alert, but should have: ");
1161  goto end;
1162  }
1163 
1164  result = 1;
1165 end:
1166  if (de_ctx != NULL) {
1167  if (det_ctx != NULL) {
1168  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1169  }
1170  }
1172  UTHFreePackets(&p1, 1);
1173  UTHFreePackets(&p2, 1);
1174  FLOW_DESTROY(&f);
1175  StatsThreadCleanup(&th_v);
1176  return result;
1177 }
1178 
1179 static int SigTest22 (void)
1180 {
1181  ThreadVars th_v;
1182  memset(&th_v, 0, sizeof(th_v));
1183  DetectEngineThreadCtx *det_ctx = NULL;
1184  int result = 0;
1185 
1186  Flow f;
1187  memset(&f, 0, sizeof(f));
1188  FLOW_INITIALIZE(&f);
1189 
1190  /* packet 1 */
1191  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1192  "\r\n\r\n";
1193  uint16_t buf1len = strlen((char *)buf1);
1194  Packet *p1 = NULL;
1195 
1196  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1197  p1->flow = &f;
1199 
1200  /* packet 2 */
1201  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1202  "\r\n\r\n";
1203  uint16_t buf2len = strlen((char *)buf2);
1204  Packet *p2 = NULL;
1205 
1206  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1207  p2->flow = &f;
1209 
1211  if (de_ctx == NULL) {
1212  goto end;
1213  }
1214 
1215  de_ctx->flags |= DE_QUIET;
1216 
1217  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1218  if (de_ctx->sig_list == NULL) {
1219  result = 0;
1220  goto end;
1221  }
1222  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1223  if (de_ctx->sig_list == NULL) {
1224  result = 0;
1225  goto end;
1226  }
1227 
1229  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1230 
1231  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1232  if (PacketAlertCheck(p1, 1)) {
1233  printf("sid 1 alerted, but shouldn't: ");
1234  goto end;
1235  }
1236  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1237  if (!(PacketAlertCheck(p2, 2)))
1238  result = 1;
1239  else
1240  printf("sid 2 alerted, but shouldn't: ");
1241 
1242  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1244 end:
1245  UTHFreePackets(&p1, 1);
1246  UTHFreePackets(&p2, 1);
1247  FLOW_DESTROY(&f);
1248  StatsThreadCleanup(&th_v);
1249  return result;
1250 }
1251 
1252 static int SigTest23 (void)
1253 {
1254  ThreadVars th_v;
1255  memset(&th_v, 0, sizeof(th_v));
1256  DetectEngineThreadCtx *det_ctx = NULL;
1257  int result = 0;
1258 
1259  Flow f;
1260  memset(&f, 0, sizeof(f));
1261  FLOW_INITIALIZE(&f);
1262 
1263  /* packet 1 */
1264  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1265  "\r\n\r\n";
1266  uint16_t buf1len = strlen((char *)buf1);
1267  Packet *p1 = NULL;
1268 
1269  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1270  p1->flow = &f;
1272 
1273  /* packet 2 */
1274  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1275  "\r\n\r\n";
1276  uint16_t buf2len = strlen((char *)buf2);
1277  Packet *p2 = NULL;
1278 
1279  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1280  p2->flow = &f;
1282 
1284  if (de_ctx == NULL) {
1285  goto end;
1286  }
1287 
1288  de_ctx->flags |= DE_QUIET;
1289 
1290  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1291  if (de_ctx->sig_list == NULL) {
1292  result = 0;
1293  goto end;
1294  }
1295  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1296  if (de_ctx->sig_list == NULL) {
1297  result = 0;
1298  goto end;
1299  }
1300 
1302  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1303 
1304  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1305  if (PacketAlertCheck(p1, 1)) {
1306  printf("sid 1 alerted, but shouldn't: ");
1307  goto end;
1308  }
1309  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1310  if (PacketAlertCheck(p2, 2))
1311  result = 1;
1312  else
1313  printf("sid 2 didn't alert, but should have: ");
1314 
1315  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1317 end:
1318  UTHFreePackets(&p1, 1);
1319  UTHFreePackets(&p2, 1);
1320  FLOW_DESTROY(&f);
1321  StatsThreadCleanup(&th_v);
1322  return result;
1323 }
1324 
1325 static int SigTest24IPV4Keyword(void)
1326 {
1327  uint8_t valid_raw_ipv4[] = {
1328  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1329  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1330  0xc0, 0xa8, 0x01, 0x03};
1331 
1332  uint8_t invalid_raw_ipv4[] = {
1333  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1334  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1335  0xc0, 0xa8, 0x01, 0x06};
1336 
1337  Packet *p1 = PacketGetFromAlloc();
1338  if (unlikely(p1 == NULL))
1339  return 0;
1340  Packet *p2 = PacketGetFromAlloc();
1341  if (unlikely(p2 == NULL)) {
1342  SCFree(p1);
1343  return 0;
1344  }
1345  ThreadVars th_v;
1346  DetectEngineThreadCtx *det_ctx = NULL;
1347  int result = 0;
1348 
1349  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1350  "\r\n\r\n";
1351  uint16_t buflen = strlen((char *)buf);
1352 
1353  memset(&th_v, 0, sizeof(ThreadVars));
1354 
1355  PacketSetIPV4(p1, valid_raw_ipv4);
1356  p1->src.family = AF_INET;
1357  p1->dst.family = AF_INET;
1358  p1->payload = buf;
1359  p1->payload_len = buflen;
1360  p1->proto = IPPROTO_TCP;
1361 
1362  PacketSetIPV4(p2, invalid_raw_ipv4);
1363  p2->src.family = AF_INET;
1364  p2->dst.family = AF_INET;
1365  p2->payload = buf;
1366  p2->payload_len = buflen;
1367  p2->proto = IPPROTO_TCP;
1368 
1370  if (de_ctx == NULL) {
1371  goto end;
1372  }
1373 
1374  de_ctx->flags |= DE_QUIET;
1375 
1377  "alert ip any any -> any any "
1378  "(content:\"/one/\"; ipv4-csum:valid; "
1379  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1380  if (de_ctx->sig_list == NULL) {
1381  printf("sig 1 parse: ");
1382  goto end;
1383  }
1384 
1386  "alert ip any any -> any any "
1387  "(content:\"/one/\"; ipv4-csum:invalid; "
1388  "msg:\"ipv4-csum keyword check(1)\"; "
1389  "sid:2;)");
1390  if (de_ctx->sig_list->next == NULL) {
1391  printf("sig 2 parse: ");
1392  goto end;
1393  }
1394 
1396  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1397 
1398  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1399  if (!(PacketAlertCheck(p1, 1))) {
1400  printf("signature 1 didn't match, but should have: ");
1401  goto end;
1402  }
1403 
1404  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1405  if (!((PacketAlertCheck(p2, 2)))) {
1406  printf("signature 2 didn't match, but should have: ");
1407  goto end;
1408  }
1409 
1410  result = 1;
1411 end:
1412  if (det_ctx != NULL) {
1413  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1415  }
1416  PacketFree(p1);
1417  PacketFree(p2);
1418  StatsThreadCleanup(&th_v);
1419  return result;
1420 }
1421 
1422 static int SigTest25NegativeIPV4Keyword(void)
1423 {
1424  uint8_t valid_raw_ipv4[] = {
1425  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1426  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1427  0xc0, 0xa8, 0x01, 0x03};
1428 
1429  uint8_t invalid_raw_ipv4[] = {
1430  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1431  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1432  0xc0, 0xa8, 0x01, 0x06};
1433 
1434  Packet *p1 = PacketGetFromAlloc();
1435  if (unlikely(p1 == NULL))
1436  return 0;
1437  Packet *p2 = PacketGetFromAlloc();
1438  if (unlikely(p2 == NULL)) {
1439  SCFree(p1);
1440  return 0;
1441  }
1442  ThreadVars th_v;
1443  DetectEngineThreadCtx *det_ctx = NULL;
1444  int result = 1;
1445 
1446  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1447  "\r\n\r\n";
1448  uint16_t buflen = strlen((char *)buf);
1449 
1450  memset(&th_v, 0, sizeof(ThreadVars));
1451 
1452  PacketSetIPV4(p1, valid_raw_ipv4);
1453  p1->src.family = AF_INET;
1454  p1->dst.family = AF_INET;
1455  p1->payload = buf;
1456  p1->payload_len = buflen;
1457  p1->proto = IPPROTO_TCP;
1458 
1459  PacketSetIPV4(p2, invalid_raw_ipv4);
1460  p2->src.family = AF_INET;
1461  p2->dst.family = AF_INET;
1462  p2->payload = buf;
1463  p2->payload_len = buflen;
1464  p2->proto = IPPROTO_TCP;
1465 
1467  if (de_ctx == NULL) {
1468  goto end;
1469  }
1470 
1471  de_ctx->flags |= DE_QUIET;
1472 
1474  "alert ip any any -> any any "
1475  "(content:\"/one/\"; ipv4-csum:invalid; "
1476  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1477  if (de_ctx->sig_list == NULL) {
1478  result &= 0;
1479  goto end;
1480  }
1481 
1483  "alert ip any any -> any any "
1484  "(content:\"/one/\"; ipv4-csum:valid; "
1485  "msg:\"ipv4-csum keyword check(1)\"; "
1486  "sid:2;)");
1487  if (de_ctx->sig_list->next == NULL) {
1488  result &= 0;
1489  goto end;
1490  }
1491 
1493  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1494 
1495  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1496  if (PacketAlertCheck(p1, 1))
1497  result &= 0;
1498  else
1499  result &= 1;
1500 
1501  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1502  if (PacketAlertCheck(p2, 2))
1503  result &= 0;
1504  else
1505  result &= 1;
1506 
1507  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1509 end:
1510  PacketFree(p1);
1511  PacketFree(p2);
1512  StatsThreadCleanup(&th_v);
1513  return result;
1514 }
1515 
1516 static int SigTest26TCPV4Keyword(void)
1517 {
1518  uint8_t raw_ipv4[] = {
1519  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1520  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1521  0xc0, 0xa8, 0x01, 0x03};
1522 
1523  uint8_t valid_raw_tcp[] = {
1524  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1525  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1526  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1527  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1528  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1529 
1530  uint8_t invalid_raw_tcp[] = {
1531  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1532  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1533  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1534  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1535  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1536 
1537  Packet *p1 = PacketGetFromAlloc();
1538  if (unlikely(p1 == NULL))
1539  return 0;
1540 
1541  Packet *p2 = PacketGetFromAlloc();
1542  if (unlikely(p2 == NULL)) {
1543  SCFree(p1);
1544  return 0;
1545  }
1546 
1547  ThreadVars th_v;
1548  DetectEngineThreadCtx *det_ctx = NULL;
1549 
1550  memset(&th_v, 0, sizeof(ThreadVars));
1551 
1552  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1553  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1554 
1555  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1556  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1557 
1558  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1559  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1560  p1->src.family = AF_INET;
1561  p1->dst.family = AF_INET;
1562  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1563  p1->payload_len = 20;
1564  p1->proto = IPPROTO_TCP;
1565 
1566  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1567  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1568  p2->src.family = AF_INET;
1569  p2->dst.family = AF_INET;
1570  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1571  p2->payload_len = 20;
1572  p2->proto = IPPROTO_TCP;
1573 
1576 
1577  de_ctx->flags |= DE_QUIET;
1578 
1580  "alert ip any any -> any any "
1581  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1582  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1584 
1586  "alert ip any any -> any any "
1587  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1588  "msg:\"tcpv4-csum keyword check(1)\"; "
1589  "sid:2;)");
1591 
1593  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1594 
1595  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1596  FAIL_IF(!(PacketAlertCheck(p1, 1)));
1597 
1598  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1599  FAIL_IF(!(PacketAlertCheck(p2, 2)));
1600 
1601  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1603  PacketFree(p1);
1604  PacketFree(p2);
1605  StatsThreadCleanup(&th_v);
1606  PASS;
1607 }
1608 
1609 /* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
1610 static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1611 {
1612  uint8_t raw_ipv4[] = {
1613  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1614  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1615  0xc0, 0xa8, 0x01, 0x03};
1616 
1617  uint8_t valid_raw_tcp[] = {
1618  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1619  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1620  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1621  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1622  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1623 
1624  uint8_t invalid_raw_tcp[] = {
1625  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1626  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1627  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1628  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1629  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1630 
1631  Packet *p1 = PacketGetFromAlloc();
1632  if (unlikely(p1 == NULL))
1633  return 0;
1634 
1635  Packet *p2 = PacketGetFromAlloc();
1636  if (unlikely(p2 == NULL)) {
1637  SCFree(p1);
1638  return 0;
1639  }
1640 
1641  ThreadVars th_v;
1642  DetectEngineThreadCtx *det_ctx = NULL;
1643  int result = 0;
1644 
1645  memset(&th_v, 0, sizeof(ThreadVars));
1646 
1647  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1648  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1649 
1650  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1651  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1652 
1653  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1654  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1655  p1->src.family = AF_INET;
1656  p1->dst.family = AF_INET;
1657  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1658  p1->payload_len = 20;
1659  p1->proto = IPPROTO_TCP;
1660 
1661  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1662  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1663  p2->src.family = AF_INET;
1664  p2->dst.family = AF_INET;
1665  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1666  p2->payload_len = 20;
1667  p2->proto = IPPROTO_TCP;
1668 
1670  if (de_ctx == NULL) {
1671  goto end;
1672  }
1673 
1674  de_ctx->flags |= DE_QUIET;
1675 
1677  "alert ip any any -> any any "
1678  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1679  "ipv4-csum:invalid; "
1680  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1681  if (de_ctx->sig_list == NULL) {
1682  goto end;
1683  }
1684 
1686  "alert ip any any -> any any "
1687  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1688  "ipv4-csum:invalid; "
1689  "msg:\"tcpv4-csum keyword check(1)\"; "
1690  "sid:2;)");
1691  if (de_ctx->sig_list->next == NULL) {
1692  goto end;
1693  }
1694 
1696  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1697 
1698  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1699  if (!(PacketAlertCheck(p1, 1))) {
1700  printf("sig 1 didn't match: ");
1701  goto end;
1702  }
1703 
1704  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1705  if (!(PacketAlertCheck(p2, 2))) {
1706  printf("sig 2 didn't match: ");
1707  goto end;
1708  }
1709 
1710  result = 1;
1711 end:
1712  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1714  PacketFree(p1);
1715  PacketFree(p2);
1716  StatsThreadCleanup(&th_v);
1717  return result;
1718 }
1719 
1720 /* Similar to SigTest26, but with different packet */
1721 static int SigTest26TCPV4AndIPV4Keyword(void)
1722 {
1723  /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1724  * TTL: 64 Flags: Don't Fragment
1725  */
1726  uint8_t raw_ipv4[] = {
1727  0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1728  0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1729  0xc0, 0xa8, 0xb0, 0x74};
1730 
1731  /* TCP: sport: 49517 dport: 445 Flags: SYN
1732  * Window size: 65535, checksum: 0x2009,
1733  * MTU: 1460, Window scale: 4, TSACK permitted,
1734  * 24 bytes of options, no payload.
1735  */
1736  uint8_t valid_raw_tcp[] = {
1737  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1738  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1739  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1740  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1741  0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1742  0x04, 0x02, 0x00, 0x00};
1743 
1744  uint8_t invalid_raw_tcp[] = {
1745  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1746  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1747  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1748  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1749  0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1750  0x04, 0x02, 0x00, 0x00};
1751 
1752  Packet *p1 = PacketGetFromAlloc();
1753  if (unlikely(p1 == NULL))
1754  return 0;
1755 
1756  Packet *p2 = PacketGetFromAlloc();
1757  if (unlikely(p2 == NULL)) {
1758  SCFree(p1);
1759  return 0;
1760  }
1761 
1762  ThreadVars th_v;
1763  DetectEngineThreadCtx *det_ctx = NULL;
1764  int result = 0;
1765 
1766  memset(&th_v, 0, sizeof(ThreadVars));
1767 
1768  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1769  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1770 
1771  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1772  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1773 
1774  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1775  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1776  p1->src.family = AF_INET;
1777  p1->dst.family = AF_INET;
1778  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1779  p1->payload_len = 0;
1780  p1->proto = IPPROTO_TCP;
1781 
1782  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1783  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1784  p2->src.family = AF_INET;
1785  p2->dst.family = AF_INET;
1786  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1787  p2->payload_len = 0;
1788  p2->proto = IPPROTO_TCP;
1789 
1791  if (de_ctx == NULL) {
1792  goto end;
1793  }
1794 
1795  de_ctx->flags |= DE_QUIET;
1796 
1798  "alert ip any any -> any any "
1799  "(tcpv4-csum:valid; "
1800  "ipv4-csum:valid; "
1801  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1802  if (de_ctx->sig_list == NULL) {
1803  goto end;
1804  }
1805 
1807  "alert ip any any -> any any "
1808  "(tcpv4-csum:invalid; "
1809  "ipv4-csum:valid; "
1810  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1811  "sid:2;)");
1812  if (de_ctx->sig_list->next == NULL) {
1813  goto end;
1814  }
1815 
1817  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1818 
1819  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1820  if (!(PacketAlertCheck(p1, 1))) {
1821  printf("sig 1 didn't match: ");
1822  goto end;
1823  }
1824 
1825  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1826  if (!(PacketAlertCheck(p2, 2))) {
1827  printf("sig 2 didn't match: ");
1828  goto end;
1829  }
1830 
1831  result = 1;
1832 end:
1833  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1835  PacketFree(p1);
1836  PacketFree(p2);
1837  StatsThreadCleanup(&th_v);
1838  return result;
1839 }
1840 
1841 static int SigTest27NegativeTCPV4Keyword(void)
1842 {
1843  uint8_t raw_ipv4[] = {
1844  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1845  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1846  0xc0, 0xa8, 0x01, 0x03};
1847 
1848  uint8_t valid_raw_tcp[] = {
1849  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1850  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1851  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1852  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1853  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1854 
1855  uint8_t invalid_raw_tcp[] = {
1856  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1857  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1858  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1859  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1860  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1861 
1862  Packet *p1 = PacketGetFromAlloc();
1863  if (unlikely(p1 == NULL))
1864  return 0;
1865  Packet *p2 = PacketGetFromAlloc();
1866  if (unlikely(p2 == NULL)) {
1867  SCFree(p1);
1868  return 0;
1869  }
1870  ThreadVars th_v;
1871  DetectEngineThreadCtx *det_ctx = NULL;
1872  int result = 0;
1873 
1874  memset(&th_v, 0, sizeof(ThreadVars));
1875 
1876  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1877  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1878 
1879  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1880  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1881 
1882  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1883  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1884  p1->src.family = AF_INET;
1885  p1->dst.family = AF_INET;
1886  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1887  p1->payload_len = 20;
1888  p1->proto = IPPROTO_TCP;
1889 
1890  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1891  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1892  p2->src.family = AF_INET;
1893  p2->dst.family = AF_INET;
1894  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1895  p2->payload_len = 20;
1896  p2->proto = IPPROTO_TCP;
1897 
1899  if (de_ctx == NULL) {
1900  goto end;
1901  }
1902 
1903  de_ctx->flags |= DE_QUIET;
1904 
1906  "alert tcp any any -> any any "
1907  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
1908  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1909  if (de_ctx->sig_list == NULL) {
1910  goto end;
1911  }
1912 
1914  "alert tcp any any -> any any "
1915  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1916  "msg:\"tcpv4-csum keyword check(2)\"; "
1917  "sid:2;)");
1918  if (de_ctx->sig_list->next == NULL) {
1919  goto end;
1920  }
1921 
1923  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1924 
1925  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1926  if (!PacketAlertCheck(p1, 1)) {
1927  printf("sig 1 didn't match on p1: ");
1928  goto end;
1929  }
1930 
1931  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1932  if (PacketAlertCheck(p2, 2)) {
1933  printf("sig 2 matched on p2: ");
1934  goto end;
1935  }
1936 
1937  result = 1;
1938 end:
1939  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1941  PacketFree(p1);
1942  PacketFree(p2);
1943  StatsThreadCleanup(&th_v);
1944  return result;
1945 }
1946 
1947 static int SigTest28TCPV6Keyword(void)
1948 {
1949  static uint8_t valid_raw_ipv6[] = {
1950  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
1951  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
1952 
1953  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
1954  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
1955  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
1956  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
1957  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
1958 
1959  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
1960  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
1961  0xf2, 0xf1, 0x00, 0x00,
1962 
1963  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
1964  0x00, 0x01, 0x69, 0x27};
1965 
1966  static uint8_t invalid_raw_ipv6[] = {
1967  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
1968  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
1969 
1970  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
1971  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
1972  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
1973  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
1974  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
1975 
1976  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
1977  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
1978  0xc2, 0xf1, 0x00, 0x00,
1979 
1980  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
1981  0x00, 0x01, 0x69, 0x28};
1982 
1983  Packet *p1 = PacketGetFromAlloc();
1984  if (unlikely(p1 == NULL))
1985  return 0;
1986  Packet *p2 = PacketGetFromAlloc();
1987  if (unlikely(p2 == NULL)) {
1988  SCFree(p1);
1989  return 0;
1990  }
1991  ThreadVars th_v;
1992  DetectEngineThreadCtx *det_ctx = NULL;
1993  int result = 0;
1994 
1995  memset(&th_v, 0, sizeof(ThreadVars));
1996 
1997  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
1998  PacketSetTCP(p1, (valid_raw_ipv6 + 54));
1999  p1->src.family = AF_INET;
2000  p1->dst.family = AF_INET;
2001  p1->payload = valid_raw_ipv6 + 54 + 20;
2002  p1->payload_len = 12;
2003  p1->proto = IPPROTO_TCP;
2004 
2005  if (TCP_GET_RAW_HLEN(PacketGetTCP(p1)) != 20) {
2006  BUG_ON(1);
2007  }
2008 
2009  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2010  PacketSetTCP(p2, (invalid_raw_ipv6 + 54));
2011  p2->src.family = AF_INET;
2012  p2->dst.family = AF_INET;
2013  p2->payload = invalid_raw_ipv6 + 54 + 20;
2014  p2->payload_len = 12;
2015  p2->proto = IPPROTO_TCP;
2016 
2017  if (TCP_GET_RAW_HLEN(PacketGetTCP(p2)) != 20) {
2018  BUG_ON(1);
2019  }
2020 
2022  if (de_ctx == NULL) {
2023  goto end;
2024  }
2025 
2026  de_ctx->flags |= DE_QUIET;
2027 
2029  "alert tcp any any -> any any "
2030  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2031  "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2032  if (de_ctx->sig_list == NULL) {
2033  goto end;
2034  }
2035 
2037  "alert tcp any any -> any any "
2038  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2039  "msg:\"tcpv6-csum keyword check(1)\"; "
2040  "sid:2;)");
2041  if (de_ctx->sig_list->next == NULL) {
2042  goto end;
2043  }
2044 
2046  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2047 
2048  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2049  if (!(PacketAlertCheck(p1, 1))) {
2050  printf("sid 1 didn't match on p1: ");
2051  goto end;
2052  }
2053 
2054  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2055  if (!(PacketAlertCheck(p2, 2))) {
2056  printf("sid 2 didn't match on p2: ");
2057  goto end;
2058  }
2059 
2060  result = 1;
2061 end:
2062  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2064  PacketFree(p1);
2065  PacketFree(p2);
2066  StatsThreadCleanup(&th_v);
2067  return result;
2068 }
2069 
2070 static int SigTest29NegativeTCPV6Keyword(void)
2071 {
2072  static uint8_t valid_raw_ipv6[] = {
2073  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2074  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2075 
2076  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2077  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2078  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2079  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2080  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2081 
2082  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2083  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2084  0xf2, 0xf1, 0x00, 0x00,
2085 
2086  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2087  0x00, 0x01, 0x69, 0x27};
2088 
2089  static uint8_t invalid_raw_ipv6[] = {
2090  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2091  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2092 
2093  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2094  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2095  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2096  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2097  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2098 
2099  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2100  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2101  0xc2, 0xf1, 0x00, 0x00,
2102 
2103  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2104  0x00, 0x01, 0x69, 0x28};
2105 
2106  Packet *p1 = PacketGetFromAlloc();
2107  if (unlikely(p1 == NULL))
2108  return 0;
2109  Packet *p2 = PacketGetFromAlloc();
2110  if (unlikely(p2 == NULL)) {
2111  SCFree(p1);
2112  return 0;
2113  }
2114  ThreadVars th_v;
2115  DetectEngineThreadCtx *det_ctx = NULL;
2116  int result = 0;
2117 
2118  memset(&th_v, 0, sizeof(ThreadVars));
2119 
2120  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2121  PacketSetTCP(p1, valid_raw_ipv6 + 54);
2122  p1->src.family = AF_INET;
2123  p1->dst.family = AF_INET;
2124  p1->payload = valid_raw_ipv6 + 54 + 20;
2125  p1->payload_len = 12;
2126  p1->proto = IPPROTO_TCP;
2127 
2128  if (TCP_GET_RAW_HLEN(PacketGetTCP(p1)) != 20) {
2129  BUG_ON(1);
2130  }
2131 
2132  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2133  PacketSetTCP(p2, invalid_raw_ipv6 + 54);
2134  p2->src.family = AF_INET;
2135  p2->dst.family = AF_INET;
2136  p2->payload = invalid_raw_ipv6 + 54 + 20;
2137  p2->payload_len = 12;
2138  p2->proto = IPPROTO_TCP;
2139 
2140  FAIL_IF(TCP_GET_RAW_HLEN(PacketGetTCP(p2)) != 20);
2141 
2143  if (de_ctx == NULL) {
2144  goto end;
2145  }
2146 
2147  de_ctx->flags |= DE_QUIET;
2148 
2150  "alert tcp any any -> any any "
2151  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2152  "msg:\"tcpv6-csum keyword check(1)\"; "
2153  "sid:1;)");
2154  if (de_ctx->sig_list == NULL) {
2155  goto end;
2156  }
2157 
2159  "alert tcp any any -> any any "
2160  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2161  "msg:\"tcpv6-csum keyword check(1)\"; "
2162  "sid:2;)");
2163  if (de_ctx->sig_list->next == NULL) {
2164  goto end;
2165  }
2166 
2168  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2169 
2170  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2171  if (PacketAlertCheck(p1, 1))
2172  goto end;
2173 
2174  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2175  if (PacketAlertCheck(p2, 2))
2176  goto end;
2177 
2178  result = 1;
2179 end:
2180  if (det_ctx != NULL)
2181  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2183  PacketFree(p1);
2184  PacketFree(p2);
2185  StatsThreadCleanup(&th_v);
2186  return result;
2187 }
2188 
2189 static int SigTest30UDPV4Keyword(void)
2190 {
2191  uint8_t raw_ipv4[] = {
2192  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2193  0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2194  0xc0, 0xa8, 0x01, 0x03};
2195 
2196  uint8_t valid_raw_udp[] = {
2197  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2198  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2199  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2200  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2201  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2202  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2203  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2204  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2205  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2206  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2207  0x67, 0x6c, 0x65, 0xc0, 0x26};
2208 
2209  uint8_t invalid_raw_udp[] = {
2210  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2211  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2212  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2213  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2214  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2215  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2216  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2217  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2218  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2219  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2220  0x67, 0x6c, 0x65, 0xc0, 0x27};
2221 
2222  Packet *p1 = PacketGetFromAlloc();
2223  FAIL_IF_NULL(p1);
2224  Packet *p2 = PacketGetFromAlloc();
2225  FAIL_IF_NULL(p2);
2226 
2227  ThreadVars th_v;
2228  DetectEngineThreadCtx *det_ctx = NULL;
2229 
2230  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2231  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2232 
2233  memset(&th_v, 0, sizeof(ThreadVars));
2234 
2235  PacketSetIPV4(p1, raw_ipv4);
2236  PacketSetUDP(p1, valid_raw_udp);
2237  p1->src.family = AF_INET;
2238  p1->dst.family = AF_INET;
2239  p1->payload = buf;
2240  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2241  p1->proto = IPPROTO_UDP;
2242 
2243  PacketSetIPV4(p2, raw_ipv4);
2244  PacketSetUDP(p2, invalid_raw_udp);
2245  p2->src.family = AF_INET;
2246  p2->dst.family = AF_INET;
2247  p2->payload = buf;
2248  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2249  p2->proto = IPPROTO_UDP;
2250 
2253 
2254  de_ctx->flags |= DE_QUIET;
2255 
2257  "alert udp any any -> any any "
2258  "(content:\"/one/\"; udpv4-csum:valid; "
2259  "msg:\"udpv4-csum keyword check(1)\"; "
2260  "sid:1;)");
2262 
2264  "alert udp any any -> any any "
2265  "(content:\"/one/\"; udpv4-csum:invalid; "
2266  "msg:\"udpv4-csum keyword check(1)\"; "
2267  "sid:2;)");
2269 
2271  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2272 
2273  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2274  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2275 
2276  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2277  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2278 
2279  if (det_ctx != NULL)
2280  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2282  PacketFree(p1);
2283  PacketFree(p2);
2284  StatsThreadCleanup(&th_v);
2285  PASS;
2286 }
2287 
2288 static int SigTest31NegativeUDPV4Keyword(void)
2289 {
2290  uint8_t raw_ipv4[] = {
2291  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2292  0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2293  0xc0, 0xa8, 0x01, 0x03};
2294 
2295  uint8_t valid_raw_udp[] = {
2296  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2297  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2298  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2299  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2300  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2301  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2302  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2303  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2304  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2305  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2306  0x67, 0x6c, 0x65, 0xc0, 0x26};
2307 
2308  uint8_t invalid_raw_udp[] = {
2309  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2310  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2311  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2312  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2313  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2314  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2315  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2316  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2317  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2318  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2319  0x67, 0x6c, 0x65, 0xc0, 0x27};
2320 
2321  Packet *p1 = PacketGetFromAlloc();
2322  if (unlikely(p1 == NULL))
2323  return 0;
2324  Packet *p2 = PacketGetFromAlloc();
2325  if (unlikely(p2 == NULL)) {
2326  SCFree(p1);
2327  return 0;
2328  }
2329  ThreadVars th_v;
2330  DetectEngineThreadCtx *det_ctx = NULL;
2331  int result = 1;
2332 
2333  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2334  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2335 
2336  memset(&th_v, 0, sizeof(ThreadVars));
2337 
2338  PacketSetIPV4(p1, raw_ipv4);
2339  PacketSetUDP(p1, valid_raw_udp);
2340  p1->src.family = AF_INET;
2341  p1->dst.family = AF_INET;
2342  p1->payload = buf;
2343  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2344  p1->proto = IPPROTO_UDP;
2345 
2346  PacketSetIPV4(p2, raw_ipv4);
2347  PacketSetUDP(p2, invalid_raw_udp);
2348  p2->src.family = AF_INET;
2349  p2->dst.family = AF_INET;
2350  p2->payload = buf;
2351  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2352  p2->proto = IPPROTO_UDP;
2353 
2355  if (de_ctx == NULL) {
2356  goto end;
2357  }
2358 
2359  de_ctx->flags |= DE_QUIET;
2360 
2362  "alert udp any any -> any any "
2363  "(content:\"/one/\"; udpv4-csum:invalid; "
2364  "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2365  if (de_ctx->sig_list == NULL) {
2366  result &= 0;
2367  goto end;
2368  }
2369 
2371  "alert udp any any -> any any "
2372  "(content:\"/one/\"; udpv4-csum:valid; "
2373  "msg:\"udpv4-csum keyword check(1)\"; "
2374  "sid:2;)");
2375  if (de_ctx->sig_list->next == NULL) {
2376  result &= 0;
2377  goto end;
2378  }
2379 
2381  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2382 
2383  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2384  if (PacketAlertCheck(p1, 1))
2385  result &= 0;
2386  else
2387  result &= 1;
2388 
2389  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2390  if (PacketAlertCheck(p2, 2)) {
2391  result &= 0;
2392  }
2393  else
2394  result &= 1;
2395 
2396  if (det_ctx != NULL)
2397  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2399 end:
2400  PacketFree(p1);
2401  PacketFree(p2);
2402  StatsThreadCleanup(&th_v);
2403  return result;
2404 }
2405 
2406 
2407 static int SigTest32UDPV6Keyword(void)
2408 {
2409  static uint8_t valid_raw_ipv6[] = {
2410  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2411  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2412  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2413  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2414  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2415  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2416  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2417  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2418  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2419  0x09, 0x00};
2420 
2421  static uint8_t invalid_raw_ipv6[] = {
2422  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2423  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2424  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2425  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2426  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2427  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2428  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2429  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2430  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2431  0x09, 0x01};
2432 
2433  Packet *p1 = PacketGetFromAlloc();
2434  FAIL_IF_NULL(p1);
2435  Packet *p2 = PacketGetFromAlloc();
2436  FAIL_IF_NULL(p2);
2437 
2438  ThreadVars th_v;
2439  DetectEngineThreadCtx *det_ctx = NULL;
2440 
2441  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2442  "\r\n\r\n";
2443 
2444  memset(&th_v, 0, sizeof(ThreadVars));
2445 
2446  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2447  PacketSetUDP(p1, valid_raw_ipv6 + 54);
2448  p1->src.family = AF_INET;
2449  p1->dst.family = AF_INET;
2450  p1->payload = buf;
2451  p1->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p1)) - UDP_HEADER_LEN;
2452  p1->proto = IPPROTO_UDP;
2453 
2454  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2455  PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2456  p2->src.family = AF_INET;
2457  p2->dst.family = AF_INET;
2458  p2->payload = buf;
2459  p2->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p2)) - UDP_HEADER_LEN;
2460  p2->proto = IPPROTO_UDP;
2461 
2464 
2465  de_ctx->flags |= DE_QUIET;
2466 
2468  "alert udp any any -> any any "
2469  "(content:\"/one/\"; udpv6-csum:valid; "
2470  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2472 
2474  "alert udp any any -> any any "
2475  "(content:\"/one/\"; udpv6-csum:invalid; "
2476  "msg:\"udpv6-csum keyword check(1)\"; "
2477  "sid:2;)");
2479 
2481  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2482 
2483  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2484  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2485 
2486  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2487  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2488 
2489  if (det_ctx != NULL)
2490  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2492 
2493  PacketFree(p1);
2494  PacketFree(p2);
2495  StatsThreadCleanup(&th_v);
2496  PASS;
2497 }
2498 
2499 static int SigTest33NegativeUDPV6Keyword(void)
2500 {
2501  static uint8_t valid_raw_ipv6[] = {
2502  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2503  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2504  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2505  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2506  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2507  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2508  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2509  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2510  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2511  0x09, 0x00};
2512 
2513  static uint8_t invalid_raw_ipv6[] = {
2514  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2515  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2516  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2517  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2518  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2519  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2520  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2521  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2522  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2523  0x09, 0x01};
2524 
2525  Packet *p1 = PacketGetFromAlloc();
2526  if (unlikely(p1 == NULL))
2527  return 0;
2528  Packet *p2 = PacketGetFromAlloc();
2529  if (unlikely(p2 == NULL)) {
2530  SCFree(p1);
2531  return 0;
2532  }
2533  ThreadVars th_v;
2534  DetectEngineThreadCtx *det_ctx = NULL;
2535  int result = 1;
2536 
2537  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2538  "\r\n\r\n";
2539 
2540  memset(&th_v, 0, sizeof(ThreadVars));
2541 
2542  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2543  PacketSetUDP(p1, valid_raw_ipv6 + 54);
2544  p1->src.family = AF_INET;
2545  p1->dst.family = AF_INET;
2546  p1->payload = buf;
2547  p1->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p1)) - UDP_HEADER_LEN;
2548  p1->proto = IPPROTO_UDP;
2549 
2550  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2551  PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2552  p2->src.family = AF_INET;
2553  p2->dst.family = AF_INET;
2554  p2->payload = buf;
2555  p2->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p2)) - UDP_HEADER_LEN;
2556  p2->proto = IPPROTO_UDP;
2557 
2559  if (de_ctx == NULL) {
2560  goto end;
2561  }
2562 
2563  de_ctx->flags |= DE_QUIET;
2564 
2566  "alert udp any any -> any any "
2567  "(content:\"/one/\"; udpv6-csum:invalid; "
2568  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2569  if (de_ctx->sig_list == NULL) {
2570  result &= 0;
2571  goto end;
2572  }
2573 
2575  "alert udp any any -> any any "
2576  "(content:\"/one/\"; udpv6-csum:valid; "
2577  "msg:\"udpv6-csum keyword check(1)\"; "
2578  "sid:2;)");
2579  if (de_ctx->sig_list->next == NULL) {
2580  result &= 0;
2581  goto end;
2582  }
2583 
2585  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2586 
2587  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2588  if (PacketAlertCheck(p1, 1))
2589  result &= 0;
2590  else
2591  result &= 1;
2592 
2593  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2594  if (PacketAlertCheck(p2, 2))
2595  result &= 0;
2596  else
2597  result &= 1;
2598 
2599  if (det_ctx != NULL)
2600  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2602 end:
2603  PacketFree(p1);
2604  PacketFree(p2);
2605  StatsThreadCleanup(&th_v);
2606  return result;
2607 }
2608 
2609 static int SigTest34ICMPV4Keyword(void)
2610 {
2611  uint8_t valid_raw_ipv4[] = {
2612  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2613  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2614  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2615  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2616  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2617  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2618  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2619  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2620  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2621  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2622  0x34, 0x35, 0x36, 0x37};
2623 
2624  uint8_t invalid_raw_ipv4[] = {
2625  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2626  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2627  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2628  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2629  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2630  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2631  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2632  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2633  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2634  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2635  0x34, 0x35, 0x36, 0x38};
2636 
2637  Packet *p1 = PacketGetFromAlloc();
2638  if (unlikely(p1 == NULL))
2639  return 0;
2640  Packet *p2 = PacketGetFromAlloc();
2641  if (unlikely(p2 == NULL)) {
2642  SCFree(p1);
2643  return 0;
2644  }
2645  ThreadVars th_v;
2646  DetectEngineThreadCtx *det_ctx = NULL;
2647  int result = 1;
2648 
2649  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2650  "\r\n\r\n";
2651  uint16_t buflen = strlen((char *)buf);
2652 
2653  memset(&th_v, 0, sizeof(ThreadVars));
2654 
2655  IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2656  ip4h->ip_verhl = 69;
2657  (void)PacketSetICMPv4(p1, valid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2658  p1->src.family = AF_INET;
2659  p1->dst.family = AF_INET;
2660  p1->payload = buf;
2661  p1->payload_len = buflen;
2662  p1->proto = IPPROTO_ICMP;
2663 
2664  ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2665  ip4h->ip_verhl = 69;
2666  (void)PacketSetICMPv4(p2, invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2667  p2->src.family = AF_INET;
2668  p2->dst.family = AF_INET;
2669  p2->payload = buf;
2670  p2->payload_len = buflen;
2671  p2->proto = IPPROTO_ICMP;
2672 
2674  if (de_ctx == NULL) {
2675  goto end;
2676  }
2677 
2678  de_ctx->flags |= DE_QUIET;
2679 
2681  "alert icmp any any -> any any "
2682  "(content:\"/one/\"; icmpv4-csum:valid; "
2683  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2684  if (de_ctx->sig_list == NULL) {
2685  result &= 0;
2686  goto end;
2687  }
2688 
2690  "alert icmp any any -> any any "
2691  "(content:\"/one/\"; icmpv4-csum:invalid; "
2692  "msg:\"icmpv4-csum keyword check(1)\"; "
2693  "sid:2;)");
2694  if (de_ctx->sig_list->next == NULL) {
2695  result = 0;
2696  goto end;
2697  }
2698 
2700  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2701 
2702  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2703  if (PacketAlertCheck(p1, 1))
2704  result &= 1;
2705  else
2706  result &= 0;
2707 
2708  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2709  if (PacketAlertCheck(p2, 2))
2710  result &= 1;
2711  else
2712  result &= 0;
2713 
2714  if (det_ctx != NULL)
2715  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2717 end:
2718  PacketFree(p1);
2719  PacketFree(p2);
2720  StatsThreadCleanup(&th_v);
2721  return result;
2722 }
2723 
2724 static int SigTest35NegativeICMPV4Keyword(void)
2725 {
2726  uint8_t valid_raw_ipv4[] = {
2727  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2728  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2729  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2730  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2731  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2732  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2733  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2734  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2735  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2736  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2737  0x34, 0x35, 0x36, 0x37};
2738 
2739  uint8_t invalid_raw_ipv4[] = {
2740  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2741  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2742  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2743  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2744  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2745  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2746  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2747  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2748  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2749  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2750  0x34, 0x35, 0x36, 0x38};
2751 
2752  Packet *p1 = PacketGetFromAlloc();
2753  if (unlikely(p1 == NULL))
2754  return 0;
2755  Packet *p2 = PacketGetFromAlloc();
2756  if (unlikely(p2 == NULL)) {
2757  SCFree(p1);
2758  return 0;
2759  }
2760  ThreadVars th_v;
2761  DetectEngineThreadCtx *det_ctx = NULL;
2762  int result = 1;
2763 
2764  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2765  "\r\n\r\n";
2766  uint16_t buflen = strlen((char *)buf);
2767 
2768  memset(&th_v, 0, sizeof(ThreadVars));
2769 
2770  IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2771  ip4h->ip_verhl = 69;
2772  (void)PacketSetICMPv4(p1, valid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2773  p1->src.family = AF_INET;
2774  p1->dst.family = AF_INET;
2775  p1->payload = buf;
2776  p1->payload_len = buflen;
2777  p1->proto = IPPROTO_ICMP;
2778 
2779  ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2780  ip4h->ip_verhl = 69;
2781  (void)PacketSetICMPv4(p2, invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2782  p2->src.family = AF_INET;
2783  p2->dst.family = AF_INET;
2784  p2->payload = buf;
2785  p2->payload_len = buflen;
2786  p2->proto = IPPROTO_ICMP;
2787 
2789  if (de_ctx == NULL) {
2790  goto end;
2791  }
2792 
2793  de_ctx->flags |= DE_QUIET;
2794 
2796  "alert icmp any any -> any any "
2797  "(content:\"/one/\"; icmpv4-csum:invalid; "
2798  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2799  if (de_ctx->sig_list == NULL) {
2800  result &= 0;
2801  goto end;
2802  }
2803 
2805  "alert icmp any any -> any any "
2806  "(content:\"/one/\"; icmpv4-csum:valid; "
2807  "msg:\"icmpv4-csum keyword check(1)\"; "
2808  "sid:2;)");
2809  if (de_ctx->sig_list->next == NULL) {
2810  result &= 0;
2811  goto end;
2812  }
2813 
2815  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2816 
2817  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2818  if (PacketAlertCheck(p1, 1))
2819  result &= 0;
2820  else
2821  result &= 1;
2822 
2823  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2824  if (PacketAlertCheck(p2, 2))
2825  result &= 0;
2826  else {
2827  result &= 1;
2828  }
2829 
2830  if (det_ctx != NULL)
2831  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2833 end:
2834  PacketFree(p1);
2835  PacketFree(p2);
2836  StatsThreadCleanup(&th_v);
2837  return result;
2838 }
2839 
2840 static int SigTest38(void)
2841 {
2842  Packet *p1 = PacketGetFromAlloc();
2843  if (unlikely(p1 == NULL))
2844  return 0;
2845  ThreadVars th_v;
2846  DetectEngineThreadCtx *det_ctx = NULL;
2847  int result = 1;
2848  uint8_t raw_eth[] = {
2849  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
2850  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2851  0x08, 0x00
2852  };
2853  uint8_t raw_ipv4[] = {
2854  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
2855  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
2856  0x7f, 0x00, 0x00, 0x01
2857  };
2858  uint8_t raw_tcp[] = {
2859  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
2860  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
2861  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
2862  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
2863  0x00, 0x22, 0xaa, 0x10
2864  };
2865  uint8_t buf[] = {
2866  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
2867  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
2868  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
2869  0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
2870  0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2871  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2872  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2873  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
2874  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
2875  0x0a
2876  };
2877  uint16_t ethlen = sizeof(raw_eth);
2878  uint16_t ipv4len = sizeof(raw_ipv4);
2879  uint16_t tcplen = sizeof(raw_tcp);
2880  uint16_t buflen = sizeof(buf);
2881 
2882  memset(&th_v, 0, sizeof(ThreadVars));
2883 
2884  /* Copy raw data into packet */
2885  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
2886  SCFree(p1);
2887  return 1;
2888  }
2889  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
2890  SCFree(p1);
2891  return 1;
2892  }
2893  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
2894  SCFree(p1);
2895  return 1;
2896  }
2897  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
2898  SCFree(p1);
2899  return 1;
2900  }
2901  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
2902 
2903  PacketSetEthernet(p1, raw_eth);
2904  PacketSetIPV4(p1, raw_ipv4);
2905  PacketSetTCP(p1, raw_tcp);
2906  p1->src.family = AF_INET;
2907  p1->dst.family = AF_INET;
2908  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
2909  p1->payload_len = buflen;
2910  p1->proto = IPPROTO_TCP;
2911 
2913  if (de_ctx == NULL) {
2914  goto end;
2915  }
2916  de_ctx->flags |= DE_QUIET;
2917 
2919  "alert tcp any any -> any any "
2920  "(content:\"LEN1|20|\"; "
2921  "byte_test:4,=,8,0; "
2922  "msg:\"byte_test keyword check(1)\"; sid:1;)");
2923  if (de_ctx->sig_list == NULL) {
2924  result &= 0;
2925  goto end;
2926  }
2928  "alert tcp any any -> any any "
2929  "(content:\"LEN1|20|\"; "
2930  "byte_test:4,=,8,5,relative,string,dec; "
2931  "msg:\"byte_test keyword check(2)\"; sid:2;)");
2932  if (de_ctx->sig_list->next == NULL) {
2933  result &= 0;
2934  goto end;
2935  }
2936 
2938  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2939 
2940  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2941  if (PacketAlertCheck(p1, 1)) {
2942  result = 1;
2943  } else {
2944  result = 0;
2945  printf("sid 1 didn't alert, but should have: ");
2946  goto cleanup;
2947  }
2948  if (PacketAlertCheck(p1, 2)) {
2949  result = 1;
2950  } else {
2951  result = 0;
2952  printf("sid 2 didn't alert, but should have: ");
2953  goto cleanup;
2954  }
2955 
2956 cleanup:
2957  if (det_ctx != NULL)
2958  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2960 
2961 end:
2962  PacketFree(p1);
2963  StatsThreadCleanup(&th_v);
2964  return result;
2965 }
2966 
2967 static int SigTest39(void)
2968 {
2969  ThreadVars th_v;
2970  DetectEngineThreadCtx *det_ctx = NULL;
2971  uint8_t raw_eth[] = {
2972  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
2973  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2974  0x08, 0x00
2975  };
2976  uint8_t raw_ipv4[] = {
2977  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
2978  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
2979  0x7f, 0x00, 0x00, 0x01
2980  };
2981  uint8_t raw_tcp[] = {
2982  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
2983  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
2984  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
2985  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
2986  0x00, 0x22, 0xaa, 0x10
2987  };
2988  uint8_t buf[] = {
2989  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
2990  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
2991  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
2992  0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
2993  0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
2994  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2995  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2996  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
2997  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
2998  0x0a
2999  };
3000  uint16_t ethlen = sizeof(raw_eth);
3001  uint16_t ipv4len = sizeof(raw_ipv4);
3002  uint16_t tcplen = sizeof(raw_tcp);
3003  uint16_t buflen = sizeof(buf);
3004 
3005  memset(&th_v, 0, sizeof(ThreadVars));
3006 
3007  Packet *p1 = PacketGetFromAlloc();
3008  FAIL_IF_NULL(p1);
3009  /* Copy raw data into packet */
3010  FAIL_IF(PacketCopyData(p1, raw_eth, ethlen) == -1);
3011  FAIL_IF(PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1);
3012  FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1);
3013  FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1);
3014  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3015 
3016  PacketSetEthernet(p1, raw_eth);
3017  PacketSetIPV4(p1, raw_ipv4);
3018  PacketSetTCP(p1, raw_tcp);
3019  p1->src.family = AF_INET;
3020  p1->dst.family = AF_INET;
3021  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3022  p1->payload_len = buflen;
3023  p1->proto = IPPROTO_TCP;
3024 
3027  de_ctx->flags |= DE_QUIET;
3028 
3029  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3030  "(content:\"LEN1|20|\"; "
3031  "byte_test:4,=,8,0; "
3032  "byte_jump:4,0; "
3033  "byte_test:6,=,0x4c454e312038,0,relative; "
3034  "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3035  FAIL_IF_NULL(s);
3036  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3037  "(content:\"LEN1|20|\"; "
3038  "byte_test:4,=,8,4,relative,string,dec; "
3039  "byte_jump:4,4,relative,string,dec,post_offset 2; "
3040  "byte_test:4,=,0x4c454e32,0,relative; "
3041  "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3042  FAIL_IF_NULL(s);
3044  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3045 
3046  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3047 
3048  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
3049  FAIL_IF_NOT(PacketAlertCheck(p1, 2));
3050 
3051  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3053 
3054  PacketFree(p1);
3055  StatsThreadCleanup(&th_v);
3056  PASS;
3057 }
3058 
3059 /**
3060  * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3061  * \brief expecting to match a size
3062  */
3063 
3064 static int SigTest36ContentAndIsdataatKeywords01 (void)
3065 {
3066  // Build and decode the packet
3067  uint8_t raw_eth [] = {
3068  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3069  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3070  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3071  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3072  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3073  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3074  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3075  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3076  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3077  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3078  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3079  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3080  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3081  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3082  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3083  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3084  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3085  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3086  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3087  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3088  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3089  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3090  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3091  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3092  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3093  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3094  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3095  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3096  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3097  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3098 
3099  Packet *p = PacketGetFromAlloc();
3100  FAIL_IF_NULL(p);
3102 
3103  ThreadVars th_v;
3104  DetectEngineThreadCtx *det_ctx = NULL;
3105 
3106  memset(&dtv, 0, sizeof(DecodeThreadVars));
3107  memset(&th_v, 0, sizeof(th_v));
3108 
3110  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3111 
3114  de_ctx->flags |= DE_QUIET;
3115 
3117  "alert tcp any any -> any any (content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3118  FAIL_IF_NULL(s);
3119 
3121  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3122 
3123  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3124  FAIL_IF_NOT(PacketAlertCheck(p, 101));
3125 
3126  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3128  PacketFree(p);
3129  FlowShutdown();
3130 
3131  StatsThreadCleanup(&th_v);
3132  PASS;
3133 }
3134 
3135 /**
3136  * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3137  * \brief not expecting to match a size
3138  */
3139 
3140 static int SigTest37ContentAndIsdataatKeywords02 (void)
3141 {
3142  int result = 0;
3143 
3144  // Build and decode the packet
3145 
3146  uint8_t raw_eth [] = {
3147  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3148  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3149  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3150  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3151  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3152  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3153  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3154  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3155  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3156  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3157  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3158  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3159  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3160  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3161  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3162  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3163  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3164  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3165  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3166  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3167  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3168  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3169  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3170  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3171  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3172  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3173  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3174  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3175  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3176  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3177 
3178  Packet *p = PacketGetFromAlloc();
3179  if (unlikely(p == NULL))
3180  return 0;
3182 
3183  ThreadVars th_v;
3184  DetectEngineThreadCtx *det_ctx = NULL;
3185 
3186  memset(&dtv, 0, sizeof(DecodeThreadVars));
3187  memset(&th_v, 0, sizeof(th_v));
3188 
3190  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3191 
3192 
3194  if (de_ctx == NULL) {
3195  goto end;
3196  }
3197 
3198  de_ctx->flags |= DE_QUIET;
3199 
3200  Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3201  if (de_ctx->sig_list == NULL) {
3202  printf("sig parse failed: ");
3203  result = 0;
3204  goto end;
3205  }
3206 
3208  printf("type not content: ");
3209  goto end;
3210  }
3212  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3213 
3214  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3215  if (PacketAlertCheck(p, 101) == 0) {
3216  result = 1;
3217  goto end;
3218  } else {
3219  printf("sig matched, but should not have: ");
3220  result=0;
3221  }
3222 
3223  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3225 
3226  PacketRecycle(p);
3227  FlowShutdown();
3228 
3229  SCFree(p);
3230  return result;
3231 
3232 end:
3233  if(det_ctx)
3234  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3235 
3236  if(de_ctx)
3238 
3239  if (p != NULL)
3240  PacketRecycle(p);
3241 
3242  FlowShutdown();
3243 
3244  PacketFree(p);
3245  StatsThreadCleanup(&th_v);
3246  return result;
3247 }
3248 
3249 /**
3250  * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3251  * flag is set, we don't need to inspect the packet protocol header or its contents.
3252  */
3253 
3254 static int SigTest40NoPacketInspection01(void)
3255 {
3256 
3257  uint8_t *buf = (uint8_t *)
3258  "220 (vsFTPd 2.0.5)\r\n";
3259  uint16_t buflen = strlen((char *)buf);
3260  Packet *p = PacketGetFromAlloc();
3261  TCPHdr tcphdr;
3262  if (unlikely(p == NULL))
3263  return 0;
3264  ThreadVars th_v;
3265  DetectEngineThreadCtx *det_ctx = NULL;
3266  PacketQueue pq;
3267  Flow f;
3268  int result = 0;
3269 
3270  memset(&th_v, 0, sizeof(th_v));
3271  memset(&pq, 0, sizeof(pq));
3272  memset(&f, 0, sizeof(f));
3273  memset(&tcphdr, 0, sizeof(tcphdr));
3274 
3275  p->src.family = AF_INET;
3276  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3277  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3278  p->dst.family = AF_INET;
3279  p->payload = buf;
3280  p->payload_len = buflen;
3281  p->proto = IPPROTO_TCP;
3282  p->dp = 34260;
3283  p->sp = 21;
3286  PacketSetTCP(p, (uint8_t *)&tcphdr);
3287  p->flow = &f;
3288 
3289  FLOW_INITIALIZE(&f);
3290 
3292  if (de_ctx == NULL) {
3293  goto end;
3294  }
3295 
3296  de_ctx->flags |= DE_QUIET;
3297 
3298  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3299  if (de_ctx->sig_list == NULL) {
3300  result = 0;
3301  goto end;
3302  }
3303 
3305  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3306  det_ctx->de_ctx = de_ctx;
3307 
3308  Detect(&th_v, p, det_ctx);
3309  if (PacketAlertCheck(p, 2))
3310  result = 0;
3311  else
3312  result = 1;
3313 
3314  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3316 end:
3317  PacketFree(p);
3318  StatsThreadCleanup(&th_v);
3319  return result;
3320 }
3321 
3322 /**
3323  * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3324  * flag is set, we don't need to inspect the packet contents.
3325  */
3326 
3327 static int SigTest40NoPayloadInspection02(void)
3328 {
3329 
3330  uint8_t *buf = (uint8_t *)
3331  "220 (vsFTPd 2.0.5)\r\n";
3332  uint16_t buflen = strlen((char *)buf);
3333  ThreadVars th_v;
3334  memset(&th_v, 0, sizeof(th_v));
3335 
3336  Packet *p = PacketGetFromAlloc();
3337  FAIL_IF_NULL(p);
3338 
3339  p->src.family = AF_INET;
3340  p->dst.family = AF_INET;
3341  p->payload = buf;
3342  p->payload_len = buflen;
3343  p->proto = IPPROTO_TCP;
3345 
3346  DetectEngineThreadCtx *det_ctx = NULL;
3349  de_ctx->flags |= DE_QUIET;
3350 
3352  "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3353  FAIL_IF_NULL(s);
3354 
3356  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3357 
3358  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3359 
3360  FAIL_IF(PacketAlertCheck(p, 1));
3361 
3362  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3364  PacketFree(p);
3365  StatsThreadCleanup(&th_v);
3366  PASS;
3367 }
3368 
3369 static int SigTestMemory01 (void)
3370 {
3371  uint8_t *buf = (uint8_t *)
3372  "GET /one/ HTTP/1.1\r\n"
3373  "Host: one.example.org\r\n"
3374  "\r\n\r\n"
3375  "GET /two/ HTTP/1.1\r\n"
3376  "Host: two.example.org\r\n"
3377  "\r\n\r\n";
3378  uint16_t buflen = strlen((char *)buf);
3379  Packet *p = PacketGetFromAlloc();
3380  if (unlikely(p == NULL))
3381  return 0;
3382  ThreadVars th_v;
3383  DetectEngineThreadCtx *det_ctx = NULL;
3384  int result = 0;
3385 
3386  memset(&th_v, 0, sizeof(th_v));
3387  p->src.family = AF_INET;
3388  p->dst.family = AF_INET;
3389  p->payload = buf;
3390  p->payload_len = buflen;
3391  p->proto = IPPROTO_TCP;
3392 
3394  if (de_ctx == NULL) {
3395  goto end;
3396  }
3397 
3398  de_ctx->flags |= DE_QUIET;
3399 
3400  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3401  if (de_ctx->sig_list == NULL) {
3402  result = 0;
3403  goto end;
3404  }
3405 
3407  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3408 
3409  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3411 
3412  result = 1;
3413 end:
3414  PacketFree(p);
3415  StatsThreadCleanup(&th_v);
3416  return result;
3417 }
3418 
3419 static int SigTestMemory02 (void)
3420 {
3421  ThreadVars th_v;
3422  int result = 0;
3423 
3424  memset(&th_v, 0, sizeof(th_v));
3425 
3427  if (de_ctx == NULL) {
3428  goto end;
3429  }
3430  de_ctx->flags |= DE_QUIET;
3431 
3432  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3433  if (de_ctx->sig_list == NULL) {
3434  result = 0;
3435  goto end;
3436  }
3437  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3438  if (de_ctx->sig_list->next == NULL) {
3439  result = 0;
3440  goto end;
3441  }
3442 
3444 
3446 
3447  result = 1;
3448 end:
3449  StatsThreadCleanup(&th_v);
3450  return result;
3451 }
3452 
3453 static int SigTestMemory03 (void)
3454 {
3455  ThreadVars th_v;
3456  int result = 0;
3457 
3458  memset(&th_v, 0, sizeof(th_v));
3459 
3461  if (de_ctx == NULL) {
3462  goto end;
3463  }
3464  de_ctx->flags |= DE_QUIET;
3465 
3466  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3467  if (de_ctx->sig_list == NULL) {
3468  result = 0;
3469  goto end;
3470  }
3471  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3472  if (de_ctx->sig_list->next == NULL) {
3473  result = 0;
3474  goto end;
3475  }
3476  de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3477  if (de_ctx->sig_list->next->next == NULL) {
3478  result = 0;
3479  goto end;
3480  }
3481 
3483 
3485 
3486  result = 1;
3487 end:
3488  StatsThreadCleanup(&th_v);
3489  return result;
3490 }
3491 
3492 static int SigTestContent01 (void)
3493 {
3494  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3495  uint16_t buflen = strlen((char *)buf);
3496  ThreadVars th_v;
3497  DetectEngineThreadCtx *det_ctx = NULL;
3498  int result = 0;
3499 
3500  memset(&th_v, 0, sizeof(th_v));
3501 
3502  Packet *p = NULL;
3503  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3504 
3506  if (de_ctx == NULL) {
3507  goto end;
3508  }
3509  de_ctx->flags |= DE_QUIET;
3510 
3511  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3512  if (de_ctx->sig_list == NULL) {
3513  result = 0;
3514  goto end;
3515  }
3516 
3518  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3519 
3520  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3521  if (PacketAlertCheck(p, 1))
3522  result = 1;
3523  else
3524  printf("sig 1 didn't match: ");
3525 
3526  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3528 end:
3529  UTHFreePackets(&p, 1);
3530  StatsThreadCleanup(&th_v);
3531  return result;
3532 }
3533 
3534 static int SigTestContent02 (void)
3535 {
3536  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3537  uint16_t buflen = strlen((char *)buf);
3538  ThreadVars th_v;
3539  DetectEngineThreadCtx *det_ctx = NULL;
3540  int result = 0;
3541 
3542  memset(&th_v, 0, sizeof(th_v));
3543  Packet *p = NULL;
3544  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3545 
3547  if (de_ctx == NULL) {
3548  goto end;
3549  }
3550  de_ctx->flags |= DE_QUIET;
3551 
3552  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3553  if (de_ctx->sig_list == NULL) {
3554  result = 0;
3555  goto end;
3556  }
3557 
3558  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3559  if (de_ctx->sig_list->next == NULL) {
3560  result = 0;
3561  goto end;
3562  }
3563 
3565  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3566 
3567  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3568  if (PacketAlertCheck(p, 1)) {
3569  if (PacketAlertCheck(p, 2)) {
3570  result = 1;
3571  } else
3572  printf("sig 2 didn't match: ");
3573  }
3574  else
3575  printf("sig 1 didn't match: ");
3576 
3577  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3579 end:
3580  UTHFreePackets(&p, 1);
3581  StatsThreadCleanup(&th_v);
3582  return result;
3583 }
3584 
3585 static int SigTestContent03 (void)
3586 {
3587  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3588  uint16_t buflen = strlen((char *)buf);
3589  ThreadVars th_v;
3590  DetectEngineThreadCtx *det_ctx = NULL;
3591  int result = 0;
3592 
3593  memset(&th_v, 0, sizeof(th_v));
3594  Packet *p = NULL;
3595  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3596 
3598  if (de_ctx == NULL) {
3599  goto end;
3600  }
3601 
3602  de_ctx->flags |= DE_QUIET;
3603 
3604  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3605  if (de_ctx->sig_list == NULL) {
3606  result = 0;
3607  goto end;
3608  }
3609 
3611  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3612 
3613  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3614  if (PacketAlertCheck(p, 1))
3615  result = 1;
3616  else
3617  printf("sig 1 didn't match: ");
3618 
3619  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3621 end:
3622  UTHFreePackets(&p, 1);
3623  StatsThreadCleanup(&th_v);
3624  return result;
3625 }
3626 
3627 static int SigTestContent04 (void)
3628 {
3629  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3630  uint16_t buflen = strlen((char *)buf);
3631  ThreadVars th_v;
3632  DetectEngineThreadCtx *det_ctx = NULL;
3633  int result = 0;
3634 
3635  memset(&th_v, 0, sizeof(th_v));
3636 
3637  Packet *p = NULL;
3638  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3639 
3641  if (de_ctx == NULL) {
3642  goto end;
3643  }
3644 
3645  de_ctx->flags |= DE_QUIET;
3646 
3647  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3648  if (de_ctx->sig_list == NULL) {
3649  result = 0;
3650  goto end;
3651  }
3652 
3654  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3655 
3656  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3657  if (PacketAlertCheck(p, 1))
3658  result = 1;
3659  else
3660  printf("sig 1 didn't match: ");
3661 
3662  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3664 end:
3665  UTHFreePackets(&p, 1);
3666  StatsThreadCleanup(&th_v);
3667  return result;
3668 }
3669 
3670 /** \test sigs with patterns at the limit of the pm's size limit */
3671 static int SigTestContent05 (void)
3672 {
3673  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3674  uint16_t buflen = strlen((char *)buf);
3675  ThreadVars th_v;
3676  DetectEngineThreadCtx *det_ctx = NULL;
3677  int result = 0;
3678 
3679  memset(&th_v, 0, sizeof(th_v));
3680  Packet *p = NULL;
3681  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3682 
3684  if (de_ctx == NULL) {
3685  printf("de_ctx == NULL: ");
3686  goto end;
3687  }
3688 
3689  de_ctx->flags |= DE_QUIET;
3690 
3691  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3692  if (de_ctx->sig_list == NULL) {
3693  printf("sig1 parse failed: ");
3694  goto end;
3695  }
3696  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
3697  if (de_ctx->sig_list->next == NULL) {
3698  printf("sig2 parse failed: ");
3699  goto end;
3700  }
3701 
3703  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3704 
3705  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3706 
3707  if (PacketAlertCheck(p, 1)) {
3708  printf("sig 1 matched but shouldn't: ");
3709  goto end;
3710  }
3711 
3712  if (PacketAlertCheck(p, 2)) {
3713  printf("sig 2 matched but shouldn't: ");
3714  goto end;
3715  }
3716 
3717  result = 1;
3718 end:
3719  UTHFreePackets(&p, 1);
3720  if (det_ctx != NULL) {
3721  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3722  }
3723  if (de_ctx != NULL) {
3725  }
3726  StatsThreadCleanup(&th_v);
3727  return result;
3728 }
3729 
3730 static int SigTestContent06 (void)
3731 {
3732  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3733  uint16_t buflen = strlen((char *)buf);
3734  ThreadVars th_v;
3735  DetectEngineThreadCtx *det_ctx = NULL;
3736  int result = 0;
3737 
3738  memset(&th_v, 0, sizeof(th_v));
3739  Packet *p = NULL;
3740  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3741 
3743  if (de_ctx == NULL) {
3744  goto end;
3745  }
3746 
3747  de_ctx->flags |= DE_QUIET;
3748 
3749  de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3750  if (de_ctx->sig_list == NULL) {
3751  result = 0;
3752  goto end;
3753  }
3754  de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
3755  if (de_ctx->sig_list->next == NULL) {
3756  result = 0;
3757  goto end;
3758  }
3759 
3761  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3762 
3763  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3764  if (PacketAlertCheck(p, 1)){
3765  //printf("sig 1 matched :");
3766  }else{
3767  printf("sig 1 didn't match: ");
3768  goto end;
3769  }
3770 
3771  if (PacketAlertCheck(p, 2)){
3772  result = 1;
3773  }else{
3774  printf("sig 2 didn't match: ");
3775  goto end;
3776  }
3777 
3778  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3780 end:
3781  UTHFreePackets(&p, 1);
3782  StatsThreadCleanup(&th_v);
3783  return result;
3784 }
3785 
3786 static int SigTestWithin01 (void)
3787 {
3789  ThreadVars th_v;
3790  uint8_t rawpkt1[] = {
3791  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3792  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3793  0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
3794  0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3795  0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
3796  0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
3797  0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
3798  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3799  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3800  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3801  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3802  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3803  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3804  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3805  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3806  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3807  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3808  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3809  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3810  0x00,0x00 }; /* end rawpkt1 */
3811 
3812  uint8_t rawpkt2[] = {
3813  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3814  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3815  0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
3816  0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3817  0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
3818  0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
3819  0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
3820  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3821  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3822  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3823  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3824  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3825  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3826  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3827  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3828  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3829  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3830  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3831  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3832  0x00,0x00 }; /* end rawpkt2 */
3833 
3834  uint8_t rawpkt3[] = {
3835  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3836  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3837  0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
3838  0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3839  0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
3840  0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
3841  0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
3842  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3843  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3844  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3845  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3846  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3847  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3848  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3849  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3850  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3851  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3852  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3853  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3854  0x00,0x00 }; /* end rawpkt3 */
3855 
3856  uint8_t rawpkt4[] = {
3857  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3858  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3859  0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
3860  0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3861  0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
3862  0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
3863  0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
3864  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3865  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3866  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3867  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3868  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3869  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3870  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3871  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3872  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3873  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3874  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3875  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3876  0x00,0x00 }; /* end rawpkt4 */
3877 
3878  memset(&dtv, 0, sizeof(DecodeThreadVars));
3879  memset(&th_v, 0, sizeof(th_v));
3880 
3881  DetectEngineThreadCtx *det_ctx = NULL;
3882 
3884 
3887  de_ctx->flags |= DE_QUIET;
3888 
3890  "alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test "
3891  "to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
3892  FAIL_IF_NULL(s);
3893 
3895  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3896 
3897  /* packet 1 */
3898  Packet *p1 = PacketGetFromAlloc();
3899  FAIL_IF_NULL(p1);
3900  DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1));
3901  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3902  FAIL_IF(!(PacketAlertCheck(p1, 556)));
3903 
3904  /* packet 2 */
3905  Packet *p2 = PacketGetFromAlloc();
3906  FAIL_IF_NULL(p2);
3907  DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2));
3908  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3909  FAIL_IF(!(PacketAlertCheck(p2, 556)));
3910 
3911  /* packet 3 */
3912  Packet *p3 = PacketGetFromAlloc();
3913  FAIL_IF_NULL(p3);
3914  DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3));
3915  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
3916  FAIL_IF(!(PacketAlertCheck(p3, 556)));
3917 
3918  /* packet 4 */
3919  Packet *p4 = PacketGetFromAlloc();
3920  FAIL_IF_NULL(p4);
3921  DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4));
3922  SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
3923  FAIL_IF(!(PacketAlertCheck(p4, 556)));
3924 
3925  /* packet 5 */
3926  uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
3927  uint16_t p5buflen = strlen((char *)p5buf);
3928  Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
3929  FAIL_IF_NULL(p5);
3930  SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
3931  FAIL_IF(!(PacketAlertCheck(p5, 556)));
3932  UTHFreePackets(&p5, 1);
3933 
3934  PacketFree(p1);
3935  PacketFree(p2);
3936  PacketFree(p3);
3937  PacketFree(p4);
3938  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3940 
3941  FlowShutdown();
3942  StatsThreadCleanup(&th_v);
3943  PASS;
3944 }
3945 
3946 static int SigTestDepthOffset01 (void)
3947 {
3948  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3949  uint16_t buflen = strlen((char *)buf);
3950  Packet *p = NULL;
3951  ThreadVars th_v;
3952  DetectEngineThreadCtx *det_ctx = NULL;
3953  int result = 0;
3954 
3955  memset(&th_v, 0, sizeof(th_v));
3956 
3957  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
3958 
3960  if (de_ctx == NULL) {
3961  goto end;
3962  }
3963 
3964  de_ctx->flags |= DE_QUIET;
3965 
3966  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
3967  if (de_ctx->sig_list == NULL) {
3968  result = 0;
3969  goto end;
3970  }
3971 
3973  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3974 
3975  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3976  if (PacketAlertCheck(p, 1))
3977  result = 1;
3978 
3979  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3981 end:
3982  UTHFreePackets(&p, 1);
3983  StatsThreadCleanup(&th_v);
3984  return result;
3985 }
3986 
3987 static int SigTestDetectAlertCounter(void)
3988 {
3989  Packet *p = NULL;
3990  ThreadVars tv;
3991  DetectEngineThreadCtx *det_ctx = NULL;
3992  memset(&tv, 0, sizeof(tv));
3993 
3996  de_ctx->flags |= DE_QUIET;
3997 
3998  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
3999  "content:\"boo\"; sid:1;)");
4000  FAIL_IF(de_ctx->sig_list == NULL);
4001 
4003  strlcpy(tv.name, "detect_test", sizeof(tv.name));
4004  DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4005  /* init counters */
4007 
4008  p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4009  Detect(&tv, p, det_ctx);
4011 
4012  Detect(&tv, p, det_ctx);
4014  UTHFreePackets(&p, 1);
4015 
4016  p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4017  Detect(&tv, p, det_ctx);
4019  UTHFreePackets(&p, 1);
4020 
4021  p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4022  Detect(&tv, p, det_ctx);
4024  UTHFreePackets(&p, 1);
4025 
4026  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4029  PASS;
4030 }
4031 
4032 /** \test test if the engine set flag to drop pkts of a flow that
4033  * triggered a drop action on IPS mode */
4034 static int SigTestDropFlow01(void)
4035 {
4036  Flow f;
4037  HtpState *http_state = NULL;
4038  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4039  "User-Agent: Mozilla/1.0\r\n"
4040  "Cookie: hellocatch\r\n\r\n";
4041  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4042  TcpSession ssn;
4043  Packet *p = NULL;
4044  Signature *s = NULL;
4045  ThreadVars tv;
4046  DetectEngineThreadCtx *det_ctx = NULL;
4048 
4049  memset(&tv, 0, sizeof(ThreadVars));
4050  memset(&f, 0, sizeof(Flow));
4051  memset(&ssn, 0, sizeof(TcpSession));
4052 
4053  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4054 
4055  FLOW_INITIALIZE(&f);
4056  f.protoctx = (void *)&ssn;
4057  f.proto = IPPROTO_TCP;
4058  f.flags |= FLOW_IPV4;
4059 
4060  p->flow = &f;
4064  f.alproto = ALPROTO_HTTP1;
4065 
4066  StreamTcpInitConfig(true);
4067 
4070  de_ctx->flags |= DE_QUIET;
4071 
4072  s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4073  "(msg:\"Test proto match\"; "
4074  "sid:1;)");
4075  FAIL_IF_NULL(s);
4076 
4078  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4079 
4080  int r = AppLayerParserParse(
4081  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4082  FAIL_IF_NOT(r == 0);
4083 
4084  http_state = f.alstate;
4085  FAIL_IF_NULL(http_state);
4086 
4087  /* do detect */
4088  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4089 
4091 
4093 
4095  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4097 
4098  StreamTcpFreeConfig(true);
4099  FLOW_DESTROY(&f);
4100 
4101  UTHFreePackets(&p, 1);
4103  PASS;
4104 }
4105 
4106 /** \test test if the engine set flag to drop pkts of a flow that
4107  * triggered a drop action on IPS mode */
4108 static int SigTestDropFlow02(void)
4109 {
4110  int result = 0;
4111  Flow f;
4112  HtpState *http_state = NULL;
4113  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4114  "User-Agent: Mozilla/1.0\r\n"
4115  "Cookie: hellocatch\r\n\r\n";
4116  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4117  TcpSession ssn;
4118  Packet *p = NULL;
4119  Signature *s = NULL;
4120  ThreadVars tv;
4121  DetectEngineThreadCtx *det_ctx = NULL;
4123 
4124  memset(&tv, 0, sizeof(ThreadVars));
4125  memset(&f, 0, sizeof(Flow));
4126  memset(&ssn, 0, sizeof(TcpSession));
4127 
4128  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4129 
4130  FLOW_INITIALIZE(&f);
4131  f.protoctx = (void *)&ssn;
4132  f.proto = IPPROTO_TCP;
4133  f.flags |= FLOW_IPV4;
4134 
4135  p->flow = &f;
4139  f.alproto = ALPROTO_HTTP1;
4140 
4141  StreamTcpInitConfig(true);
4142 
4144  if (de_ctx == NULL) {
4145  goto end;
4146  }
4147  de_ctx->flags |= DE_QUIET;
4148 
4149  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4150  "(msg:\"Test proto match\"; uricontent:\"one\";"
4151  "sid:1;)");
4152  if (s == NULL) {
4153  goto end;
4154  }
4155 
4157  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4158 
4159  int r = AppLayerParserParse(
4160  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4161  if (r != 0) {
4162  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4163  goto end;
4164  }
4165 
4166  http_state = f.alstate;
4167  if (http_state == NULL) {
4168  printf("no http state: ");
4169  goto end;
4170  }
4171 
4172  /* do detect */
4173  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4174 
4175  if (!PacketAlertCheck(p, 1)) {
4176  printf("sig 1 didn't alert, but it should: ");
4177  goto end;
4178  }
4179 
4180  if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4181  printf("sig 1 alerted but flow was not flagged correctly: ");
4182  goto end;
4183  }
4184 
4185  /* Ok, now we know that the flag is set for app layer sigs
4186  * (ex: inspecting uricontent) */
4187 
4188  result = 1;
4189 
4190 end:
4191  if (alp_tctx != NULL)
4193  if (det_ctx != NULL)
4194  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4195  if (de_ctx != NULL)
4197 
4198  StreamTcpFreeConfig(true);
4199  FLOW_DESTROY(&f);
4200 
4201  UTHFreePackets(&p, 1);
4203  return result;
4204 }
4205 
4206 /** \test test if the engine set flag to drop pkts of a flow that
4207  * triggered a drop action on IPS mode, and it doesn't inspect
4208  * any other packet of the stream */
4209 static int SigTestDropFlow03(void)
4210 {
4211  int result = 0;
4212  Flow f;
4213  HtpState *http_state = NULL;
4214  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4215  "User-Agent: Mozilla/1.0\r\n"
4216  "Cookie: hellocatch\r\n\r\n";
4217  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4218 
4219  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4220  "User-Agent: Mozilla/1.0\r\n"
4221  "Cookie: hellocatch\r\n\r\n";
4222  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4223 
4224  /* Set the engine mode to IPS */
4225  EngineModeSetIPS();
4226 
4227  TcpSession ssn;
4228  Packet *p1 = NULL;
4229  Packet *p2 = NULL;
4230  Signature *s = NULL;
4231  ThreadVars tv;
4232  DetectEngineThreadCtx *det_ctx = NULL;
4234 
4235  memset(&tv, 0, sizeof(ThreadVars));
4236  memset(&f, 0, sizeof(Flow));
4237  memset(&ssn, 0, sizeof(TcpSession));
4238 
4239  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4240  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4241 
4242  FLOW_INITIALIZE(&f);
4243  f.protoctx = (void *)&ssn;
4244  f.proto = IPPROTO_TCP;
4245  f.flags |= FLOW_IPV4;
4246 
4247  p1->flow = &f;
4251 
4252  p2->flow = &f;
4256  f.alproto = ALPROTO_HTTP1;
4257 
4258  StreamTcpInitConfig(true);
4259 
4261  if (de_ctx == NULL) {
4262  goto end;
4263  }
4264 
4265  de_ctx->flags |= DE_QUIET;
4266 
4267  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4268  "(msg:\"Test proto match\"; uricontent:\"one\";"
4269  "sid:1;)");
4270  if (s == NULL) {
4271  goto end;
4272  }
4273 
4274  /* the no inspection flag should be set after the first sig gets triggered,
4275  * so the second packet should not match the next sig (because of no inspection) */
4276  s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4277  "(msg:\"Test proto match\"; uricontent:\"two\";"
4278  "sid:2;)");
4279  if (s == NULL) {
4280  goto end;
4281  }
4282 
4284  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4285 
4286  int r = AppLayerParserParse(
4287  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4288  if (r != 0) {
4289  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4290  goto end;
4291  }
4292 
4293  http_state = f.alstate;
4294  if (http_state == NULL) {
4295  printf("no http state: ");
4296  goto end;
4297  }
4298 
4299  /* do detect */
4300  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4301 
4302  if (!PacketAlertCheck(p1, 1)) {
4303  printf("sig 1 didn't alert on p1, but it should: ");
4304  goto end;
4305  }
4306 
4307  if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4308  printf("sig 1 alerted but flow was not flagged correctly: ");
4309  goto end;
4310  }
4311 
4312  /* Second part.. Let's feed with another packet */
4313  if (StreamTcpCheckFlowDrops(p2) == 1) {
4314  SCLogDebug("This flow/stream triggered a drop rule");
4315  DecodeSetNoPacketInspectionFlag(p2);
4317  p2->action |= ACTION_DROP;
4318  /* return the segments to the pool */
4320  }
4321 
4322 
4323  if ( !(p2->flags & PKT_NOPACKET_INSPECTION)) {
4324  printf("The packet was not flagged with no-inspection: ");
4325  goto end;
4326  }
4327 
4328  r = AppLayerParserParse(
4329  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4330  if (r != 0) {
4331  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4332  goto end;
4333  }
4334 
4335  /* do detect */
4336  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4337 
4338  if (PacketAlertCheck(p2, 1)) {
4339  printf("sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4340  goto end;
4341  }
4342 
4343  if (PacketAlertCheck(p2, 2)) {
4344  printf("sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4345  goto end;
4346  }
4347 
4348  if (!(PacketTestAction(p2, ACTION_DROP))) {
4349  printf("A \"drop\" action should be set from the flow to the packet: ");
4350  goto end;
4351  }
4352 
4353  result = 1;
4354 
4355 end:
4356  if (alp_tctx != NULL)
4358  if (det_ctx != NULL)
4359  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4360  if (de_ctx != NULL)
4362 
4363  StreamTcpFreeConfig(true);
4364  FLOW_DESTROY(&f);
4365 
4366  UTHFreePackets(&p1, 1);
4367  UTHFreePackets(&p2, 1);
4368 
4369  /* Restore mode to IDS */
4370  EngineModeSetIDS();
4372  return result;
4373 }
4374 
4375 /** \test ICMP packet shouldn't be matching port based sig
4376  * Bug #611 */
4377 static int SigTestPorts01(void)
4378 {
4379  int result = 0;
4380  Packet *p1 = NULL;
4381  Signature *s = NULL;
4382  ThreadVars tv;
4383  DetectEngineThreadCtx *det_ctx = NULL;
4384  uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
4385 
4386  memset(&tv, 0, sizeof(ThreadVars));
4387 
4388  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
4389 
4391  if (de_ctx == NULL) {
4392  goto end;
4393  }
4394  de_ctx->flags |= DE_QUIET;
4395 
4396  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
4397  "(content:\"AAA\"; sid:1;)");
4398  if (s == NULL) {
4399  goto end;
4400  }
4401 
4403  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4404 
4405  /* do detect */
4406  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4407 
4408  if (PacketAlertCheck(p1, 1)) {
4409  printf("sig 1 alerted on p1, but it should not: ");
4410  goto end;
4411  }
4412 
4413  result = 1;
4414 end:
4415  if (det_ctx != NULL)
4416  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4417  if (de_ctx != NULL)
4419 
4420  UTHFreePackets(&p1, 1);
4422  return result;
4423 }
4424 
4425 /** \test almost identical patterns */
4426 static int SigTestBug01(void)
4427 {
4428  ThreadVars tv;
4429  DetectEngineThreadCtx *det_ctx = NULL;
4430  uint8_t payload[] = "!mymy";
4431  memset(&tv, 0, sizeof(ThreadVars));
4432 
4433  Packet *p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
4434  FAIL_IF_NULL(p1);
4437  de_ctx->flags |= DE_QUIET;
4438  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4439  "(content:\"Omymy\"; nocase; sid:1;)");
4440  FAIL_IF_NULL(s);
4441  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4442  "(content:\"!mymy\"; nocase; sid:2;)");
4443  FAIL_IF_NULL(s);
4445  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4446  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4447  FAIL_IF(PacketAlertCheck(p1, 1));
4448  FAIL_IF(!(PacketAlertCheck(p1, 2)));
4449  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4451  UTHFreePackets(&p1, 1);
4453  PASS;
4454 }
4455 
4456 static const char *dummy_conf_string2 =
4457  "%YAML 1.1\n"
4458  "---\n"
4459  "vars:\n"
4460  "\n"
4461  " address-groups:\n"
4462  "\n"
4463  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4464  "\n"
4465  " EXTERNAL_NET: \"any\"\n"
4466  "\n"
4467  " port-groups:\n"
4468  "\n"
4469  " HTTP_PORTS: \"80:81,88\"\n"
4470  "\n";
4471 
4472 static int DetectAddressYamlParsing01 (void)
4473 {
4474  int result = 0;
4475 
4477  SCConfInit();
4478  SCConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
4479 
4481  if (de_ctx == NULL) {
4482  goto end;
4483  }
4484 
4485  de_ctx->flags |= DE_QUIET;
4486 
4487  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4488  goto end;
4489  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4490  goto end;
4491  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4492  goto end;
4493 
4494  result = 1;
4495 
4497 end:
4498  SCConfDeInit();
4500  return result;
4501 }
4502 
4503 static const char *dummy_conf_string3 =
4504  "%YAML 1.1\n"
4505  "---\n"
4506  "vars:\n"
4507  "\n"
4508  " address-groups:\n"
4509  "\n"
4510  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4511  "\n"
4512  " EXTERNAL_NET: \"any\"\n"
4513  "\n"
4514  " port-groups:\n"
4515  "\n"
4516  " HTTP_PORTS: \"80:81,88\"\n"
4517  "\n";
4518 
4519 static int DetectAddressYamlParsing02 (void)
4520 {
4521  int result = 0;
4522 
4524  SCConfInit();
4525  SCConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
4526 
4528  if (de_ctx == NULL) {
4529  goto end;
4530  }
4531 
4532  de_ctx->flags |= DE_QUIET;
4533 
4534  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4535  goto end;
4536  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4537  goto end;
4538  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4539  goto end;
4540 
4541  result = 1;
4542 
4544 end:
4545  SCConfDeInit();
4547  return result;
4548 }
4549 
4550 static const char *dummy_conf_string4 =
4551  "%YAML 1.1\n"
4552  "---\n"
4553  "vars:\n"
4554  "\n"
4555  " address-groups:\n"
4556  "\n"
4557  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4558  "\n"
4559  " EXTERNAL_NET: \"any\"\n"
4560  "\n"
4561  " port-groups:\n"
4562  "\n"
4563  " HTTP_PORTS: \"80:81,88\"\n"
4564  "\n";
4565 
4566 static int DetectAddressYamlParsing03 (void)
4567 {
4569  SCConfInit();
4570  SCConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
4573  de_ctx->flags |= DE_QUIET;
4574  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL);
4575  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL);
4576  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) ==
4577  NULL);
4579  SCConfDeInit();
4581  PASS;
4582 }
4583 
4584 static const char *dummy_conf_string5 =
4585  "%YAML 1.1\n"
4586  "---\n"
4587  "vars:\n"
4588  "\n"
4589  " address-groups:\n"
4590  "\n"
4591  " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
4592  "\n"
4593  " EXTERNAL_NET: \"any\"\n"
4594  "\n"
4595  " port-groups:\n"
4596  "\n"
4597  " HTTP_PORTS: \"80:81,88\"\n"
4598  "\n";
4599 
4600 /** \test bug #815 */
4601 static int DetectAddressYamlParsing04 (void)
4602 {
4604  SCConfInit();
4605  SCConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
4608  de_ctx->flags |= DE_QUIET;
4609  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL);
4610  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL);
4611  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) ==
4612  NULL);
4614  SCConfDeInit();
4616  PASS;
4617 }
4618 
4620 {
4623 
4624  UtRegisterTest("SigTest01", SigTest01);
4625  UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
4626  UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
4627  UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
4628  UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
4629  UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
4630  UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
4631  SigTest07);
4632  UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
4633  UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
4634  SigTest09);
4635  UtRegisterTest("SigTest10 -- long content match, longer than pkt",
4636  SigTest10);
4637  UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
4638  UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
4639  UtRegisterTest("SigTest13 -- content order matching, diff order",
4640  SigTest13);
4641  UtRegisterTest("SigTest14 -- content order matching, distance 0",
4642  SigTest14);
4643  UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
4644  UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
4645  UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
4646  UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
4647  UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
4648  UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
4649  UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
4650  UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
4651  UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
4652 
4653  UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
4654  UtRegisterTest("SigTest25NegativeIPV4Keyword",
4655  SigTest25NegativeIPV4Keyword);
4656 
4657  UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
4658  UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
4659  SigTest26TCPV4AndNegativeIPV4Keyword);
4660  UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
4661  SigTest26TCPV4AndIPV4Keyword);
4662  UtRegisterTest("SigTest27NegativeTCPV4Keyword",
4663  SigTest27NegativeTCPV4Keyword);
4664 
4665  UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
4666  UtRegisterTest("SigTest29NegativeTCPV6Keyword",
4667  SigTest29NegativeTCPV6Keyword);
4668 
4669  UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
4670  UtRegisterTest("SigTest31NegativeUDPV4Keyword",
4671  SigTest31NegativeUDPV4Keyword);
4672 
4673  UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
4674  UtRegisterTest("SigTest33NegativeUDPV6Keyword",
4675  SigTest33NegativeUDPV6Keyword);
4676 
4677  UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
4678  UtRegisterTest("SigTest35NegativeICMPV4Keyword",
4679  SigTest35NegativeICMPV4Keyword);
4680  UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
4681  SigTest36ContentAndIsdataatKeywords01);
4682  UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
4683  SigTest37ContentAndIsdataatKeywords02);
4684 
4685  UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
4686 
4687  UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
4688 
4689  UtRegisterTest("SigTest40NoPacketInspection01",
4690  SigTest40NoPacketInspection01);
4691  UtRegisterTest("SigTest40NoPayloadInspection02",
4692  SigTest40NoPayloadInspection02);
4693 
4694  UtRegisterTest("SigTestMemory01", SigTestMemory01);
4695  UtRegisterTest("SigTestMemory02", SigTestMemory02);
4696  UtRegisterTest("SigTestMemory03", SigTestMemory03);
4697 
4698  UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
4699  UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
4700  UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
4701  SigTestContent03);
4702  UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
4703  SigTestContent04);
4704  UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
4705  UtRegisterTest("SigTestContent06 -- distance/within ip only",
4706  SigTestContent06);
4707 
4708  UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
4709  UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
4710 
4711  UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
4712 
4713  UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
4714  UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
4715  UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
4716 
4717  UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
4718  UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
4719  UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
4720  UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
4721 
4722  UtRegisterTest("SigTestPorts01", SigTestPorts01);
4723  UtRegisterTest("SigTestBug01", SigTestBug01);
4724 
4726 }
4727 #endif /* UNITTESTS */
IPOnlyRegisterTests
void IPOnlyRegisterTests(void)
Definition: detect-engine-iponly.c:2352
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:523
Packet_::proto
uint8_t proto
Definition: decode.h:523
PktVarGet
PktVar * PktVarGet(Packet *p, uint32_t id)
Definition: pkt-var.c:40
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:140
StreamTcpSessionPktFree
void StreamTcpSessionPktFree(Packet *p)
Function to return the stream segments back to the pool.
Definition: stream-tcp.c:380
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
DetectEngineContentInspectionRegisterTests
void DetectEngineContentInspectionRegisterTests(void)
Definition: detect-engine-content-inspection.c:318
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:642
MPM_AC
@ MPM_AC
Definition: util-mpm.h:38
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:377
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition: packet-queue.h:49
Flow_::proto
uint8_t proto
Definition: flow.h:370
Packet_::payload
uint8_t * payload
Definition: decode.h:605
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:151
Packet_::action
uint8_t action
Definition: decode.h:609
SigRegisterTests
void SigRegisterTests(void)
Definition: detect.c:4619
Flow_
Flow data structure.
Definition: flow.h:348
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:148
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:767
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:335
TCP_GET_RAW_HLEN
#define TCP_GET_RAW_HLEN(tcph)
Definition: decode-tcp.h:72
StatsSetupPrivate
int StatsSetupPrivate(ThreadVars *tv)
Definition: counters.c:1225
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:70
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
UTHBuildPacketSrcDstPorts
Packet * UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, uint16_t sport, uint16_t dport)
UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying src and dst ports and defaulting...
Definition: util-unittest-helper.c:442
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1254
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:2337
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:606
HtpState_
Definition: app-layer-htp.h:181
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
Signature_::next
struct Signature_ * next
Definition: detect.h:750
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:547
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:213
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:319
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition: detect-parse.c:5423
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:264
PktVar_::value
uint8_t * value
Definition: decode.h:319
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:209
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
Packet_::sp
Port sp
Definition: decode.h:508
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:96
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:219
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:259
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3097
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:317
StatsGetLocalCounterValue
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1271
Packet_
Definition: decode.h:501
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
SCConfCreateContextBackup
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:684
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
IPV4Hdr_
Definition: decode-ipv4.h:72
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:447
SigMatch_::type
uint16_t type
Definition: detect.h:357
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:691
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3596
SCConfDeInit
void SCConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:703
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:941
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:258
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1289
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:963
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
SCConfRestoreContextBackup
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:694
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
PktVar_::value_len
uint16_t value_len
Definition: decode.h:317
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1362
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
Address_::family
char family
Definition: decode.h:113
Packet_::dst
Address dst
Definition: decode.h:506
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1249
PktVar_
Definition: decode.h:311
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
Packet_::dp
Port dp
Definition: decode.h:516
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
IPV4Hdr_::ip_verhl
uint8_t ip_verhl
Definition: decode-ipv4.h:73
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
TCPHdr_
Definition: decode-tcp.h:149
Packet_::src
Address src
Definition: decode.h:505
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456