suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #ifdef UNITTESTS
19 
20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../detect-engine-build.h"
25 #include "../pkt-var.h"
26 #include "../flow-util.h"
27 #include "../stream-tcp-reassemble.h"
28 #include "../util-unittest.h"
29 #include "../util-var-name.h"
30 #include "../util-unittest-helper.h"
31 
32 static const char *dummy_conf_string =
33  "%YAML 1.1\n"
34  "---\n"
35  "\n"
36  "default-log-dir: /var/log/suricata\n"
37  "\n"
38  "logging:\n"
39  "\n"
40  " default-log-level: debug\n"
41  "\n"
42  " default-format: \"<%t> - <%l>\"\n"
43  "\n"
44  " default-startup-message: Your IDS has started.\n"
45  "\n"
46  " default-output-filter:\n"
47  "\n"
48  " output:\n"
49  "\n"
50  " - interface: console\n"
51  " log-level: info\n"
52  "\n"
53  " - interface: file\n"
54  " filename: /var/log/suricata.log\n"
55  "\n"
56  " - interface: syslog\n"
57  " facility: local5\n"
58  " format: \"%l\"\n"
59  "\n"
60  "pfring:\n"
61  "\n"
62  " interface: eth0\n"
63  "\n"
64  " clusterid: 99\n"
65  "\n"
66  "vars:\n"
67  "\n"
68  " address-groups:\n"
69  "\n"
70  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
71  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
72  "\n"
73  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
74  "\n"
75  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
76  "\n"
77  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
78  "\n"
79  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
80  "\n"
81  " DNS_SERVERS: any\n"
82  "\n"
83  " TELNET_SERVERS: any\n"
84  "\n"
85  " AIM_SERVERS: any\n"
86  "\n"
87  " port-groups:\n"
88  "\n"
89  " HTTP_PORTS: \"80:81,88\"\n"
90  "\n"
91  " SHELLCODE_PORTS: 80\n"
92  "\n"
93  " ORACLE_PORTS: 1521\n"
94  "\n"
95  " SSH_PORTS: 22\n"
96  "\n";
97 
98 static int SigTest01 (void)
99 {
100  uint8_t *buf = (uint8_t *)
101  "GET /one/ HTTP/1.1\r\n"
102  "Host: one.example.org\r\n"
103  "\r\n\r\n"
104  "GET /two/ HTTP/1.1\r\n"
105  "Host: two.example.org\r\n"
106  "\r\n\r\n";
107  uint16_t buflen = strlen((char *)buf);
108  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
109  int result = 0;
110 
111  char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
112  if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
113  result = 0;
114  goto end;
115  }
116 #if 0
117  //printf("URI0 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[0], p.http_uri.raw_size[0]);
118  //printf("URI1 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[1], p.http_uri.raw_size[1]);
119 
120  if (p->http_uri.raw_size[0] == 5 &&
121  memcmp(p->http_uri.raw[0], "/one/", 5) == 0 &&
122  p->http_uri.raw_size[1] == 5 &&
123  memcmp(p->http_uri.raw[1], "/two/", 5) == 0)
124  {
125  result = 1;
126  }
127 
128 #endif
129  result = 1;
130 end:
131  if (p != NULL)
132  UTHFreePacket(p);
133  return result;
134 }
135 
136 static int SigTest02 (void)
137 {
138  uint8_t *buf = (uint8_t *)
139  "GET /one/ HTTP/1.1\r\n"
140  "Host: one.example.org\r\n"
141  "\r\n\r\n"
142  "GET /two/ HTTP/1.1\r\n"
143  "Host: two.example.org\r\n"
144  "\r\n\r\n";
145  uint16_t buflen = strlen((char *)buf);
146  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
147  char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
148  int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
149  UTHFreePacket(p);
150  return ret;
151 }
152 
153 static int SigTest03 (void)
154 {
155  uint8_t *buf = (uint8_t *)
156  "GET /one/ HTTP/1.1\r\n"
157  "Host: one.example.org\r\n"
158  "\r\n\r\n"
159  "GET /two/ HTTP/1.1\r\n"
160  "Host: two.example.org\r\n"
161  "\r\n\r\n";
162  uint16_t buflen = strlen((char *)buf);
163  Packet *p = NULL;
164  ThreadVars th_v;
165  DetectEngineThreadCtx *det_ctx = NULL;
166  int result = 0;
167 
168  memset(&th_v, 0, sizeof(th_v));
169 
170  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
171 
173  if (de_ctx == NULL) {
174  goto end;
175  }
176 
177  de_ctx->flags |= DE_QUIET;
178 
179  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
180  if (de_ctx->sig_list == NULL) {
181  result = 0;
182  goto end;
183  }
184 
186  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
187 
188  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
189  if (PacketAlertCheck(p, 1))
190  result = 1;
191 
194 
195  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
197 end:
198  UTHFreePackets(&p, 1);
199  return result;
200 }
201 
202 static int SigTest04 (void)
203 {
204  uint8_t *buf = (uint8_t *)
205  "GET /one/ HTTP/1.1\r\n" /* 20*/
206  "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
207  "\r\n\r\n" /* 4 */
208  "GET /two/ HTTP/1.1\r\n" /* 20 */
209  "Host: two.example.org\r\n" /* 23 */
210  "\r\n\r\n"; /* 4 */
211  uint16_t buflen = strlen((char *)buf);
212 
213  Packet *p = NULL;
214  ThreadVars th_v;
215  DetectEngineThreadCtx *det_ctx = NULL;
216  int result = 0;
217 
218  memset(&th_v, 0, sizeof(th_v));
219 
220  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
221 
223  if (de_ctx == NULL) {
224  goto end;
225  }
226 
227  de_ctx->flags |= DE_QUIET;
228 
229  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
230  if (de_ctx->sig_list == NULL) {
231  result = 0;
232  goto end;
233  }
234 
236  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
237 
238  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
239  if (PacketAlertCheck(p, 1))
240  result = 1;
241 
244 
245  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
247 end:
248  UTHFreePackets(&p, 1);
249  return result;
250 }
251 
252 static int SigTest05 (void)
253 {
254  uint8_t *buf = (uint8_t *)
255  "GET /one/ HTTP/1.1\r\n" /* 20 */
256  "Host: one.example.org\r\n" /* 23, 43 */
257  "\r\n\r\n" /* 4, 47 */
258  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
259  "Host: two.example.org\r\n" /* 23, 90 */
260  "\r\n\r\n"; /* 4, 94 */
261  uint16_t buflen = strlen((char *)buf);
262  Packet *p = NULL;
263  ThreadVars th_v;
264  DetectEngineThreadCtx *det_ctx = NULL;
265  int result = 0;
266 
267  memset(&th_v, 0, sizeof(th_v));
268 
269  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
270 
272  if (de_ctx == NULL) {
273  goto end;
274  }
275 
276  de_ctx->flags |= DE_QUIET;
277 
278  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
279  if (de_ctx->sig_list == NULL) {
280  printf("sig parse failed: ");
281  goto end;
282  }
283 
285  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
286 
287  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
288  if (!PacketAlertCheck(p, 1)) {
289  result = 1;
290  } else {
291  printf("sig matched but shouldn't have: ");
292  }
293 
296 
297  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
299 end:
300  UTHFreePackets(&p, 1);
301  return result;
302 }
303 
304 static int SigTest06 (void)
305 {
306  uint8_t *buf = (uint8_t *)
307  "GET /one/ HTTP/1.1\r\n" /* 20 */
308  "Host: one.example.org\r\n" /* 23, 43 */
309  "\r\n\r\n" /* 4, 47 */
310  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
311  "Host: two.example.org\r\n" /* 23, 90 */
312  "\r\n\r\n"; /* 4, 94 */
313  uint16_t buflen = strlen((char *)buf);
314  Packet *p = NULL;
315  ThreadVars th_v;
316  DetectEngineThreadCtx *det_ctx = NULL;
317  Flow f;
318  TcpSession ssn;
321 
322  memset(&th_v, 0, sizeof(th_v));
323  memset(&f, 0, sizeof(f));
324  memset(&ssn, 0, sizeof(ssn));
325 
326  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
327  FAIL_IF_NULL(p);
328 
329  FLOW_INITIALIZE(&f);
330  f.protoctx = (void *)&ssn;
331  f.flags |= FLOW_IPV4;
332  f.proto = IPPROTO_TCP;
333  p->flow = &f;
338 
339  StreamTcpInitConfig(true);
340 
343  de_ctx->flags |= DE_QUIET;
344 
345  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
346  FAIL_IF_NULL(s);
347 
348  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
349  FAIL_IF_NULL(s);
350 
352  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
353  FAIL_IF_NULL(det_ctx);
354 
355  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
356  FAIL_IF(r != 0);
357 
358  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
361 
362  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
365  UTHFreePackets(&p, 1);
366  StreamTcpFreeConfig(true);
367  FLOW_DESTROY(&f);
368  PASS;
369 }
370 
371 static int SigTest07 (void)
372 {
373  uint8_t *buf = (uint8_t *)
374  "GET /one/ HTTP/1.1\r\n" /* 20 */
375  "Host: one.example.org\r\n" /* 23, 43 */
376  "\r\n\r\n" /* 4, 47 */
377  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
378  "Host: two.example.org\r\n" /* 23, 90 */
379  "\r\n\r\n"; /* 4, 94 */
380  uint16_t buflen = strlen((char *)buf);
381  Packet *p = NULL;
382  ThreadVars th_v;
383  DetectEngineThreadCtx *det_ctx = NULL;
384  Flow f;
385  TcpSession ssn;
386  int result = 0;
388 
389  memset(&th_v, 0, sizeof(th_v));
390  memset(&f, 0, sizeof(f));
391  memset(&ssn, 0, sizeof(ssn));
392 
393  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
394 
395  FLOW_INITIALIZE(&f);
396  f.protoctx = (void *)&ssn;
397  f.flags |= FLOW_IPV4;
398  f.proto = IPPROTO_TCP;
399  p->flow = &f;
404 
405  StreamTcpInitConfig(true);
406 
408  if (de_ctx == NULL) {
409  goto end;
410  }
411 
412  de_ctx->flags |= DE_QUIET;
413 
414  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
415  if (de_ctx->sig_list == NULL) {
416  result = 0;
417  goto end;
418  }
419  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
420  if (de_ctx->sig_list->next == NULL) {
421  result = 0;
422  goto end;
423  }
424 
426  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
427 
428  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
429  if (r != 0) {
430  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
431  result = 0;
432  goto end;
433  }
434 
435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
436  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
437  result = 0;
438  else
439  result = 1;
440 
441 end:
442  if (alp_tctx != NULL)
444  UTHFreePackets(&p, 1);
445  StreamTcpFreeConfig(true);
447  FLOW_DESTROY(&f);
450 
451  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
453 
454  return result;
455 }
456 
457 static int SigTest08 (void)
458 {
459  uint8_t *buf = (uint8_t *)
460  "GET /one/ HTTP/1.0\r\n" /* 20 */
461  "Host: one.example.org\r\n" /* 23, 43 */
462  "\r\n\r\n" /* 4, 47 */
463  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
464  "Host: two.example.org\r\n" /* 23, 90 */
465  "\r\n\r\n"; /* 4, 94 */
466  uint16_t buflen = strlen((char *)buf);
467  Packet *p = NULL;
468  ThreadVars th_v;
469  DetectEngineThreadCtx *det_ctx = NULL;
470  Flow f;
471  TcpSession ssn;
472  int result = 0;
474 
475  memset(&f, 0, sizeof(Flow));
476  memset(&th_v, 0, sizeof(th_v));
477  memset(&ssn, 0, sizeof(ssn));
478 
479  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
480 
481  FLOW_INITIALIZE(&f);
482  f.protoctx = (void *)&ssn;
483  f.flags |= FLOW_IPV4;
484  f.proto = IPPROTO_TCP;
485  p->flow = &f;
490 
491  StreamTcpInitConfig(true);
492 
494  if (de_ctx == NULL) {
495  goto end;
496  }
497 
498  de_ctx->flags |= DE_QUIET;
499 
500  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
501  if (de_ctx->sig_list == NULL) {
502  result = 0;
503  goto end;
504  }
505  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
506  if (de_ctx->sig_list->next == NULL) {
507  result = 0;
508  goto end;
509  }
510 
512  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
513 
514  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
515  if (r != 0) {
516  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
517  result = 0;
518  goto end;
519  }
520 
521  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
522  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
523  result = 1;
524  else
525  printf("sid:1 %s, sid:2 %s: ",
526  PacketAlertCheck(p, 1) ? "OK" : "FAIL",
527  PacketAlertCheck(p, 2) ? "OK" : "FAIL");
528 
529 end:
533 
534  if (det_ctx)
535  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
537  if (alp_tctx != NULL)
539  UTHFreePackets(&p, 1);
540  StreamTcpFreeConfig(true);
541  FLOW_DESTROY(&f);
542  return result;
543 }
544 
545 static int SigTest09 (void)
546 {
547  uint8_t *buf = (uint8_t *)
548  "GET /one/ HTTP/1.0\r\n" /* 20 */
549  "Host: one.example.org\r\n" /* 23, 43 */
550  "\r\n\r\n" /* 4, 47 */
551  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
552  "Host: two.example.org\r\n" /* 23, 90 */
553  "\r\n\r\n"; /* 4, 94 */
554  uint16_t buflen = strlen((char *)buf);
555  Packet *p = NULL;
556  ThreadVars th_v;
557  DetectEngineThreadCtx *det_ctx = NULL;
558  Flow f;
559  TcpSession ssn;
561  int result = 0;
562 
563  memset(&th_v, 0, sizeof(th_v));
564  memset(&f, 0, sizeof(f));
565  memset(&ssn, 0, sizeof(ssn));
566 
567  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
568 
569  FLOW_INITIALIZE(&f);
570  f.protoctx = (void *)&ssn;
571  f.flags |= FLOW_IPV4;
572  f.proto = IPPROTO_TCP;
573  p->flow = &f;
578 
579  StreamTcpInitConfig(true);
580 
582  if (de_ctx == NULL) {
583  goto end;
584  }
585 
586  de_ctx->flags |= DE_QUIET;
587 
588  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
589  if (de_ctx->sig_list == NULL) {
590  result = 0;
591  goto end;
592  }
593  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
594  if (de_ctx->sig_list->next == NULL) {
595  result = 0;
596  goto end;
597  }
598 
600  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
601 
602  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
603  if (r != 0) {
604  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
605  result = 0;
606  goto end;
607  }
608 
609  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
610  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
611  result = 1;
612  else
613  result = 0;
614 
615 end:
619  if (det_ctx)
620  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
622  if (alp_tctx != NULL)
624  UTHFreePackets(&p, 1);
625  StreamTcpFreeConfig(true);
626  FLOW_DESTROY(&f);
627  return result;
628 }
629 
630 static int SigTest10 (void)
631 {
632  uint8_t *buf = (uint8_t *)
633  "ABC";
634  uint16_t buflen = strlen((char *)buf);
635  Packet *p = NULL;
636  ThreadVars th_v;
637  DetectEngineThreadCtx *det_ctx = NULL;
638  Flow f;
639  TcpSession ssn;
640  int result = 0;
642 
643  memset(&th_v, 0, sizeof(th_v));
644  memset(&f, 0, sizeof(f));
645  memset(&ssn, 0, sizeof(ssn));
646 
647  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
648 
649  FLOW_INITIALIZE(&f);
650  f.protoctx = (void *)&ssn;
651  f.proto = IPPROTO_TCP;
652  f.flags |= FLOW_IPV4;
653  p->flow = &f;
658 
659  StreamTcpInitConfig(true);
660 
662  if (de_ctx == NULL) {
663  goto end;
664  }
665 
666  de_ctx->flags |= DE_QUIET;
667 
668  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
669  if (de_ctx->sig_list == NULL) {
670  result = 0;
671  goto end;
672  }
673  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)");
674  if (de_ctx->sig_list->next == NULL) {
675  result = 0;
676  goto end;
677  }
678 
680  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
681 
682  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
683  if (r != 0) {
684  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
685  result = 0;
686  goto end;
687  }
688 
689  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
690  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
691  result = 0;
692  else
693  result = 1;
694 
695  end:
699  if (det_ctx)
700  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
702  if (alp_tctx != NULL)
704  UTHFreePackets(&p, 1);
705  StreamTcpFreeConfig(true);
706  FLOW_DESTROY(&f);
707  return result;
708 }
709 
710 static int SigTest11 (void)
711 {
712  uint8_t *buf = (uint8_t *)
713  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
714  uint16_t buflen = strlen((char *)buf);
715  Packet *p = NULL;
716  ThreadVars th_v;
717  DetectEngineThreadCtx *det_ctx = NULL;
718  Flow f;
719  TcpSession ssn;
720  int result = 0;
721 
722  memset(&th_v, 0, sizeof(th_v));
723  memset(&f, 0, sizeof(f));
724  memset(&ssn, 0, sizeof(ssn));
725 
726  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
727 
728  FLOW_INITIALIZE(&f);
729  f.protoctx = (void *)&ssn;
730  f.proto = IPPROTO_TCP;
731  f.flags |= FLOW_IPV4;
732  p->flow = &f;
736 
737  StreamTcpInitConfig(true);
738 
740  if (de_ctx == NULL) {
741  goto end;
742  }
743 
744  de_ctx->flags |= DE_QUIET;
745 
746  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
747  if (de_ctx->sig_list == NULL) {
748  goto end;
749  }
750  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
751  if (de_ctx->sig_list->next == NULL) {
752  goto end;
753  }
754 
756  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
757 
758  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
759  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
760  result = 1;
761 
762  end:
765  if (det_ctx)
766  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
768  UTHFreePackets(&p, 1);
769  StreamTcpFreeConfig(true);
770  FLOW_DESTROY(&f);
771  return result;
772 }
773 
774 static int SigTest12 (void)
775 {
776  uint8_t *buf = (uint8_t *)
777  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
778  uint16_t buflen = strlen((char *)buf);
779  Packet *p = NULL;
780  ThreadVars th_v;
781  DetectEngineThreadCtx *det_ctx = NULL;
782  int result = 0;
783 
784  memset(&th_v, 0, sizeof(th_v));
785  Flow f;
786  memset(&f, 0, sizeof(Flow));
787 
788  FLOW_INITIALIZE(&f);
789 
790  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
791  p->flow = &f;
793 
795  if (de_ctx == NULL) {
796  goto end;
797  }
798 
799  de_ctx->flags |= DE_QUIET;
800 
801  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
802  if (de_ctx->sig_list == NULL) {
803  result = 0;
804  goto end;
805  }
806 
808  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
809 
810  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
811  if (PacketAlertCheck(p, 1))
812  result = 1;
813  else
814  result = 0;
815 
816  if (det_ctx != NULL)
817  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
818 end:
819  UTHFreePackets(&p, 1);
820  if (de_ctx != NULL) {
824  }
825  FLOW_DESTROY(&f);
826  return result;
827 }
828 
829 static int SigTest13 (void)
830 {
831  uint8_t *buf = (uint8_t *)
832  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
833  uint16_t buflen = strlen((char *)buf);
834  Packet *p = NULL;
835  ThreadVars th_v;
836  DetectEngineThreadCtx *det_ctx = NULL;
837  int result = 0;
838 
839  memset(&th_v, 0, sizeof(th_v));
840  Flow f;
841  memset(&f, 0, sizeof(Flow));
842 
843  FLOW_INITIALIZE(&f);
844 
845  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
846  p->flow = &f;
848 
850  if (de_ctx == NULL) {
851  goto end;
852  }
853 
854  de_ctx->flags |= DE_QUIET;
855 
856  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
857  if (de_ctx->sig_list == NULL) {
858  result = 0;
859  goto end;
860  }
861 
863  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
864 
865  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
866  if (PacketAlertCheck(p, 1))
867  result = 1;
868  else
869  result = 0;
870 
873  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
875 end:
876  UTHFreePackets(&p, 1);
877  FLOW_DESTROY(&f);
878  return result;
879 }
880 
881 static int SigTest14 (void)
882 {
883  uint8_t *buf = (uint8_t *)
884  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
885  uint16_t buflen = strlen((char *)buf);
886  Packet *p = NULL;
887  ThreadVars th_v;
888  DetectEngineThreadCtx *det_ctx = NULL;
889  int result = 0;
890 
891  memset(&th_v, 0, sizeof(th_v));
892 
893  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
894 
896  if (de_ctx == NULL) {
897  goto end;
898  }
899 
900  de_ctx->flags |= DE_QUIET;
901 
902  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
903  if (de_ctx->sig_list == NULL) {
904  result = 0;
905  goto end;
906  }
907 
909  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
910 
911  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
912  if (PacketAlertCheck(p, 1))
913  result = 0;
914  else
915  result = 1;
916 
919  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
921 end:
922  UTHFreePackets(&p, 1);
923  return result;
924 }
925 
926 static int SigTest15 (void)
927 {
928  uint8_t *buf = (uint8_t *)
929  "CONNECT 213.92.8.7:31204 HTTP/1.1";
930  uint16_t buflen = strlen((char *)buf);
931  Packet *p = PacketGetFromAlloc();
932  if (unlikely(p == NULL))
933  return 0;
934  ThreadVars th_v;
935  DetectEngineThreadCtx *det_ctx = NULL;
936  int result = 0;
937 
938  memset(&th_v, 0, sizeof(th_v));
939  p->src.family = AF_INET;
940  p->dst.family = AF_INET;
941  p->payload = buf;
942  p->payload_len = buflen;
943  p->proto = IPPROTO_TCP;
944  p->dp = 80;
945 
947  ConfInit();
948  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
949 
951  if (de_ctx == NULL) {
952  goto end;
953  }
954 
955  de_ctx->flags |= DE_QUIET;
956 
957  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
958  if (de_ctx->sig_list == NULL) {
959  result = 0;
960  goto end;
961  }
962 
964  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
965 
966  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
967  if (PacketAlertCheck(p, 2008284))
968  result = 0;
969  else
970  result = 1;
971 
974  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
976 end:
977  ConfDeInit();
979  SCFree(p);
980  return result;
981 }
982 
983 static int SigTest16 (void)
984 {
985  uint8_t *buf = (uint8_t *)
986  "CONNECT 213.92.8.7:31204 HTTP/1.1";
987  uint16_t buflen = strlen((char *)buf);
988  Packet *p = NULL;
989  ThreadVars th_v;
990  DetectEngineThreadCtx *det_ctx = NULL;
991  int result = 0;
992 
993  memset(&th_v, 0, sizeof(th_v));
994  memset(&p, 0, sizeof(p));
995 
996  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
997 
999  ConfInit();
1000  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1001 
1003  if (de_ctx == NULL) {
1004  goto end;
1005  }
1006 
1007  de_ctx->flags |= DE_QUIET;
1008 
1009  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
1010  if (de_ctx->sig_list == NULL) {
1011  goto end;
1012  }
1013 
1015  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1016 
1017  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1018  if (PacketAlertCheck(p, 2008284))
1019  result = 1;
1020  else
1021  printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
1022 
1024  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1026 end:
1027  ConfDeInit();
1029  UTHFreePackets(&p, 1);
1030  return result;
1031 }
1032 
1033 static int SigTest17 (void)
1034 {
1035  uint8_t *buf = (uint8_t *)
1036  "GET /one/ HTTP/1.1\r\n" /* 20 */
1037  "Host: one.example.org\r\n" /* 23, 43 */
1038  "\r\n\r\n" /* 4, 47 */
1039  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
1040  "Host: two.example.org\r\n" /* 23, 90 */
1041  "\r\n\r\n"; /* 4, 94 */
1042  uint16_t buflen = strlen((char *)buf);
1043  Packet *p = NULL;
1044  ThreadVars th_v;
1045  DetectEngineThreadCtx *det_ctx = NULL;
1046  memset(&th_v, 0, sizeof(th_v));
1047 
1048  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
1049  FAIL_IF_NULL(p);
1050 
1052  ConfInit();
1053  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1054 
1057  de_ctx->flags |= DE_QUIET;
1058 
1059  Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
1060  FAIL_IF_NULL(s);
1061 
1063  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1064  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1065 
1066  uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
1067 
1068  PktVar *pv_hn = PktVarGet(p, capid);
1069  FAIL_IF_NULL(pv_hn);
1070 
1071  FAIL_IF(pv_hn->value_len != 15);
1072  FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
1073 
1074  PktVarFree(pv_hn);
1075  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1077  ConfDeInit();
1079  UTHFreePackets(&p, 1);
1080 
1081  PASS;
1082 }
1083 
1084 static int SigTest18 (void)
1085 {
1086  uint8_t *buf = (uint8_t *)
1087  "220 (vsFTPd 2.0.5)\r\n";
1088  uint16_t buflen = strlen((char *)buf);
1089  Packet *p = PacketGetFromAlloc();
1090  if (unlikely(p == NULL))
1091  return 0;
1092  ThreadVars th_v;
1093  DetectEngineThreadCtx *det_ctx = NULL;
1094  int result = 0;
1095 
1096  memset(&th_v, 0, sizeof(th_v));
1097  p->src.family = AF_INET;
1098  p->dst.family = AF_INET;
1099  p->payload = buf;
1100  p->payload_len = buflen;
1101  p->proto = IPPROTO_TCP;
1102  p->dp = 34260;
1103  p->sp = 21;
1104 
1106  if (de_ctx == NULL) {
1107  goto end;
1108  }
1109 
1110  de_ctx->flags |= DE_QUIET;
1111 
1112  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
1113  if (de_ctx->sig_list == NULL) {
1114  result = 0;
1115  goto end;
1116  }
1117 
1119  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1120 
1121  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1122  if (!PacketAlertCheck(p, 2003055))
1123  result = 1;
1124  else
1125  printf("signature shouldn't match, but did: ");
1126 
1129  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1131 end:
1132  SCFree(p);
1133  return result;
1134 }
1135 
1136 static int SigTest19 (void)
1137 {
1138  uint8_t *buf = (uint8_t *)
1139  "220 (vsFTPd 2.0.5)\r\n";
1140  uint16_t buflen = strlen((char *)buf);
1141  Packet *p = PacketGetFromAlloc();
1142  if (unlikely(p == NULL))
1143  return 0;
1144  ThreadVars th_v;
1145  DetectEngineThreadCtx *det_ctx = NULL;
1146  int result = 0;
1147 
1148  memset(&th_v, 0, sizeof(th_v));
1149  p->src.family = AF_INET;
1150  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1151  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1152  p->dst.family = AF_INET;
1153  p->payload = buf;
1154  p->payload_len = buflen;
1155  p->proto = IPPROTO_TCP;
1156  p->dp = 34260;
1157  p->sp = 21;
1159 
1161  ConfInit();
1162  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1163 
1165  if (de_ctx == NULL) {
1166  goto end;
1167  }
1168 
1169  de_ctx->flags |= DE_QUIET;
1170 
1171  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1172  if (de_ctx->sig_list == NULL) {
1173  result = 0;
1174  goto end;
1175  }
1176 
1178  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1179 
1180  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1181  if (PacketAlertCheck(p, 999))
1182  result = 1;
1183  else
1184  printf("signature didn't match, but should have: ");
1185 
1187  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1189 end:
1190  ConfDeInit();
1192  SCFree(p);
1193  return result;
1194 }
1195 
1196 static int SigTest20 (void)
1197 {
1198  uint8_t *buf = (uint8_t *)
1199  "220 (vsFTPd 2.0.5)\r\n";
1200  uint16_t buflen = strlen((char *)buf);
1201  Packet *p = PacketGetFromAlloc();
1202  if (unlikely(p == NULL))
1203  return 0;
1204  ThreadVars th_v;
1205  DetectEngineThreadCtx *det_ctx = NULL;
1206  int result = 0;
1207 
1208  memset(&th_v, 0, sizeof(th_v));
1209  p->src.family = AF_INET;
1210  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1211  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1212  p->dst.family = AF_INET;
1213  p->payload = buf;
1214  p->payload_len = buflen;
1215  p->proto = IPPROTO_TCP;
1216  p->dp = 34260;
1217  p->sp = 21;
1219 
1221  ConfInit();
1222  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1223 
1225  if (de_ctx == NULL) {
1226  goto end;
1227  }
1228 
1229  de_ctx->flags |= DE_QUIET;
1230 
1231  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1232  if (de_ctx->sig_list == NULL) {
1233  result = 0;
1234  goto end;
1235  }
1236 
1238  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1239 
1240  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1241  if (PacketAlertCheck(p, 999))
1242  result = 1;
1243  else
1244  printf("signature didn't match, but should have: ");
1245 
1248  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1250 end:
1251  ConfDeInit();
1253  SCFree(p);
1254  return result;
1255 }
1256 
1257 static int SigTest21 (void)
1258 {
1259  ThreadVars th_v;
1260  memset(&th_v, 0, sizeof(th_v));
1261  DetectEngineThreadCtx *det_ctx = NULL;
1262  int result = 0;
1263 
1264  Flow f;
1265  memset(&f, 0, sizeof(f));
1266  FLOW_INITIALIZE(&f);
1267 
1268  /* packet 1 */
1269  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1270  "\r\n\r\n";
1271  uint16_t buf1len = strlen((char *)buf1);
1272  Packet *p1 = NULL;
1273  /* packet 2 */
1274  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1275  "\r\n\r\n";
1276  uint16_t buf2len = strlen((char *)buf2);
1277  Packet *p2 = NULL;
1278 
1279  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1280  p1->flow = &f;
1282  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1283  p2->flow = &f;
1285 
1287  if (de_ctx == NULL) {
1288  goto end;
1289  }
1290 
1291  de_ctx->flags |= DE_QUIET;
1292 
1293  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1294  if (de_ctx->sig_list == NULL) {
1295  result = 0;
1296  goto end;
1297  }
1298  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1299  if (de_ctx->sig_list == NULL) {
1300  result = 0;
1301  goto end;
1302  }
1303 
1305  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1306 
1307  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1308  if (PacketAlertCheck(p1, 1)) {
1309  printf("sid 1 alerted, but shouldn't: ");
1310  goto end;
1311  }
1312  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1313  if (!(PacketAlertCheck(p2, 2))) {
1314  printf("sid 2 didn't alert, but should have: ");
1315  goto end;
1316  }
1317 
1318  result = 1;
1319 end:
1320  if (de_ctx != NULL) {
1323 
1324  if (det_ctx != NULL) {
1325  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1326  }
1327  }
1329  UTHFreePackets(&p1, 1);
1330  UTHFreePackets(&p2, 1);
1331  FLOW_DESTROY(&f);
1332  return result;
1333 }
1334 
1335 static int SigTest22 (void)
1336 {
1337  ThreadVars th_v;
1338  memset(&th_v, 0, sizeof(th_v));
1339  DetectEngineThreadCtx *det_ctx = NULL;
1340  int result = 0;
1341 
1342  Flow f;
1343  memset(&f, 0, sizeof(f));
1344  FLOW_INITIALIZE(&f);
1345 
1346  /* packet 1 */
1347  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1348  "\r\n\r\n";
1349  uint16_t buf1len = strlen((char *)buf1);
1350  Packet *p1 = NULL;
1351 
1352  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1353  p1->flow = &f;
1355 
1356  /* packet 2 */
1357  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1358  "\r\n\r\n";
1359  uint16_t buf2len = strlen((char *)buf2);
1360  Packet *p2 = NULL;
1361 
1362  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1363  p2->flow = &f;
1365 
1367  if (de_ctx == NULL) {
1368  goto end;
1369  }
1370 
1371  de_ctx->flags |= DE_QUIET;
1372 
1373  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1374  if (de_ctx->sig_list == NULL) {
1375  result = 0;
1376  goto end;
1377  }
1378  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1379  if (de_ctx->sig_list == NULL) {
1380  result = 0;
1381  goto end;
1382  }
1383 
1385  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1386 
1387  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1388  if (PacketAlertCheck(p1, 1)) {
1389  printf("sid 1 alerted, but shouldn't: ");
1390  goto end;
1391  }
1392  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1393  if (!(PacketAlertCheck(p2, 2)))
1394  result = 1;
1395  else
1396  printf("sid 2 alerted, but shouldn't: ");
1397 
1400 
1401  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1403 end:
1404  UTHFreePackets(&p1, 1);
1405  UTHFreePackets(&p2, 1);
1406  FLOW_DESTROY(&f);
1407  return result;
1408 }
1409 
1410 static int SigTest23 (void)
1411 {
1412  ThreadVars th_v;
1413  memset(&th_v, 0, sizeof(th_v));
1414  DetectEngineThreadCtx *det_ctx = NULL;
1415  int result = 0;
1416 
1417  Flow f;
1418  memset(&f, 0, sizeof(f));
1419  FLOW_INITIALIZE(&f);
1420 
1421  /* packet 1 */
1422  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1423  "\r\n\r\n";
1424  uint16_t buf1len = strlen((char *)buf1);
1425  Packet *p1 = NULL;
1426 
1427  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1428  p1->flow = &f;
1430 
1431  /* packet 2 */
1432  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1433  "\r\n\r\n";
1434  uint16_t buf2len = strlen((char *)buf2);
1435  Packet *p2 = NULL;
1436 
1437  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1438  p2->flow = &f;
1440 
1442  if (de_ctx == NULL) {
1443  goto end;
1444  }
1445 
1446  de_ctx->flags |= DE_QUIET;
1447 
1448  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1449  if (de_ctx->sig_list == NULL) {
1450  result = 0;
1451  goto end;
1452  }
1453  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1454  if (de_ctx->sig_list == NULL) {
1455  result = 0;
1456  goto end;
1457  }
1458 
1460  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1461 
1462  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1463  if (PacketAlertCheck(p1, 1)) {
1464  printf("sid 1 alerted, but shouldn't: ");
1465  goto end;
1466  }
1467  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1468  if (PacketAlertCheck(p2, 2))
1469  result = 1;
1470  else
1471  printf("sid 2 didn't alert, but should have: ");
1472 
1475 
1476  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1478 end:
1479  UTHFreePackets(&p1, 1);
1480  UTHFreePackets(&p2, 1);
1481  FLOW_DESTROY(&f);
1482  return result;
1483 }
1484 
1485 static int SigTest24IPV4Keyword(void)
1486 {
1487  uint8_t valid_raw_ipv4[] = {
1488  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1489  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1490  0xc0, 0xa8, 0x01, 0x03};
1491 
1492  uint8_t invalid_raw_ipv4[] = {
1493  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1494  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1495  0xc0, 0xa8, 0x01, 0x06};
1496 
1497  Packet *p1 = PacketGetFromAlloc();
1498  if (unlikely(p1 == NULL))
1499  return 0;
1500  Packet *p2 = PacketGetFromAlloc();
1501  if (unlikely(p2 == NULL)) {
1502  SCFree(p1);
1503  return 0;
1504  }
1505  ThreadVars th_v;
1506  DetectEngineThreadCtx *det_ctx = NULL;
1507  int result = 0;
1508 
1509  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1510  "\r\n\r\n";
1511  uint16_t buflen = strlen((char *)buf);
1512 
1513  memset(&th_v, 0, sizeof(ThreadVars));
1516 
1517  p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1518 
1519  p1->src.family = AF_INET;
1520  p1->dst.family = AF_INET;
1521  p1->payload = buf;
1522  p1->payload_len = buflen;
1523  p1->proto = IPPROTO_TCP;
1524 
1525  p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1526 
1527  p2->src.family = AF_INET;
1528  p2->dst.family = AF_INET;
1529  p2->payload = buf;
1530  p2->payload_len = buflen;
1531  p2->proto = IPPROTO_TCP;
1532 
1534  if (de_ctx == NULL) {
1535  goto end;
1536  }
1537 
1538  de_ctx->flags |= DE_QUIET;
1539 
1541  "alert ip any any -> any any "
1542  "(content:\"/one/\"; ipv4-csum:valid; "
1543  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1544  if (de_ctx->sig_list == NULL) {
1545  printf("sig 1 parse: ");
1546  goto end;
1547  }
1548 
1550  "alert ip any any -> any any "
1551  "(content:\"/one/\"; ipv4-csum:invalid; "
1552  "msg:\"ipv4-csum keyword check(1)\"; "
1553  "sid:2;)");
1554  if (de_ctx->sig_list->next == NULL) {
1555  printf("sig 2 parse: ");
1556  goto end;
1557  }
1558 
1560  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1561 
1562  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1563  if (!(PacketAlertCheck(p1, 1))) {
1564  printf("signature 1 didn't match, but should have: ");
1565  goto end;
1566  }
1567 
1568  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1569  if (!((PacketAlertCheck(p2, 2)))) {
1570  printf("signature 2 didn't match, but should have: ");
1571  goto end;
1572  }
1573 
1574  result = 1;
1575 end:
1576  if (det_ctx != NULL) {
1579  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1581  }
1582  SCFree(p1);
1583  SCFree(p2);
1584  return result;
1585 }
1586 
1587 static int SigTest25NegativeIPV4Keyword(void)
1588 {
1589  uint8_t valid_raw_ipv4[] = {
1590  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1591  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1592  0xc0, 0xa8, 0x01, 0x03};
1593 
1594  uint8_t invalid_raw_ipv4[] = {
1595  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1596  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1597  0xc0, 0xa8, 0x01, 0x06};
1598 
1599  Packet *p1 = PacketGetFromAlloc();
1600  if (unlikely(p1 == NULL))
1601  return 0;
1602  Packet *p2 = PacketGetFromAlloc();
1603  if (unlikely(p2 == NULL)) {
1604  SCFree(p1);
1605  return 0;
1606  }
1607  ThreadVars th_v;
1608  DetectEngineThreadCtx *det_ctx = NULL;
1609  int result = 1;
1610 
1611  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1612  "\r\n\r\n";
1613  uint16_t buflen = strlen((char *)buf);
1614 
1615  memset(&th_v, 0, sizeof(ThreadVars));
1618 
1619  p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1620 
1621  p1->src.family = AF_INET;
1622  p1->dst.family = AF_INET;
1623  p1->payload = buf;
1624  p1->payload_len = buflen;
1625  p1->proto = IPPROTO_TCP;
1626 
1627  p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1628 
1629  p2->src.family = AF_INET;
1630  p2->dst.family = AF_INET;
1631  p2->payload = buf;
1632  p2->payload_len = buflen;
1633  p2->proto = IPPROTO_TCP;
1634 
1636  if (de_ctx == NULL) {
1637  goto end;
1638  }
1639 
1640  de_ctx->flags |= DE_QUIET;
1641 
1643  "alert ip any any -> any any "
1644  "(content:\"/one/\"; ipv4-csum:invalid; "
1645  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1646  if (de_ctx->sig_list == NULL) {
1647  result &= 0;
1648  goto end;
1649  }
1650 
1652  "alert ip any any -> any any "
1653  "(content:\"/one/\"; ipv4-csum:valid; "
1654  "msg:\"ipv4-csum keyword check(1)\"; "
1655  "sid:2;)");
1656  if (de_ctx->sig_list->next == NULL) {
1657  result &= 0;
1658  goto end;
1659  }
1660 
1662  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1663 
1664  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1665  if (PacketAlertCheck(p1, 1))
1666  result &= 0;
1667  else
1668  result &= 1;
1669 
1670  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1671  if (PacketAlertCheck(p2, 2))
1672  result &= 0;
1673  else
1674  result &= 1;
1675 
1678  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1680 end:
1681  SCFree(p1);
1682  SCFree(p2);
1683  return result;
1684 }
1685 
1686 static int SigTest26TCPV4Keyword(void)
1687 {
1688  uint8_t raw_ipv4[] = {
1689  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1690  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1691  0xc0, 0xa8, 0x01, 0x03};
1692 
1693  uint8_t valid_raw_tcp[] = {
1694  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1695  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1696  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1697  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1698  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1699 
1700  uint8_t invalid_raw_tcp[] = {
1701  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1702  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1703  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1704  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1705  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1706 
1707  Packet *p1 = PacketGetFromAlloc();
1708  if (unlikely(p1 == NULL))
1709  return 0;
1710 
1711  Packet *p2 = PacketGetFromAlloc();
1712  if (unlikely(p2 == NULL)) {
1713  SCFree(p1);
1714  return 0;
1715  }
1716 
1717  ThreadVars th_v;
1718  DetectEngineThreadCtx *det_ctx = NULL;
1719 
1720  memset(&th_v, 0, sizeof(ThreadVars));
1721 
1722  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1723  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1724 
1725  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1726  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1727 
1729  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1730  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1731  p1->src.family = AF_INET;
1732  p1->dst.family = AF_INET;
1733  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1734  p1->payload_len = 20;
1735  p1->proto = IPPROTO_TCP;
1736 
1738  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1739  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1740  p2->src.family = AF_INET;
1741  p2->dst.family = AF_INET;
1742  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1743  p2->payload_len = 20;
1744  p2->proto = IPPROTO_TCP;
1745 
1748 
1749  de_ctx->flags |= DE_QUIET;
1750 
1752  "alert ip any any -> any any "
1753  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1754  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1756 
1758  "alert ip any any -> any any "
1759  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1760  "msg:\"tcpv4-csum keyword check(1)\"; "
1761  "sid:2;)");
1763 
1765  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1766 
1767  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1768  FAIL_IF(!(PacketAlertCheck(p1, 1)));
1769 
1770  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1771  FAIL_IF(!(PacketAlertCheck(p2, 2)));
1772 
1775  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1777  SCFree(p1);
1778  SCFree(p2);
1779  PASS;
1780 }
1781 
1782 /* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
1783 static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1784 {
1785  uint8_t raw_ipv4[] = {
1786  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1787  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1788  0xc0, 0xa8, 0x01, 0x03};
1789 
1790  uint8_t valid_raw_tcp[] = {
1791  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1792  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1793  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1794  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1795  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1796 
1797  uint8_t invalid_raw_tcp[] = {
1798  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1799  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1800  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1801  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1802  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1803 
1804  Packet *p1 = PacketGetFromAlloc();
1805  if (unlikely(p1 == NULL))
1806  return 0;
1807 
1808  Packet *p2 = PacketGetFromAlloc();
1809  if (unlikely(p2 == NULL)) {
1810  SCFree(p1);
1811  return 0;
1812  }
1813 
1814  ThreadVars th_v;
1815  DetectEngineThreadCtx *det_ctx = NULL;
1816  int result = 0;
1817 
1818  memset(&th_v, 0, sizeof(ThreadVars));
1819 
1820  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1821  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1822 
1823  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1824  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1825 
1827  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1828  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1829  p1->src.family = AF_INET;
1830  p1->dst.family = AF_INET;
1831  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1832  p1->payload_len = 20;
1833  p1->proto = IPPROTO_TCP;
1834 
1836  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1837  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1838  p2->src.family = AF_INET;
1839  p2->dst.family = AF_INET;
1840  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1841  p2->payload_len = 20;
1842  p2->proto = IPPROTO_TCP;
1843 
1845  if (de_ctx == NULL) {
1846  goto end;
1847  }
1848 
1849  de_ctx->flags |= DE_QUIET;
1850 
1852  "alert ip any any -> any any "
1853  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1854  "ipv4-csum:invalid; "
1855  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1856  if (de_ctx->sig_list == NULL) {
1857  goto end;
1858  }
1859 
1861  "alert ip any any -> any any "
1862  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1863  "ipv4-csum:invalid; "
1864  "msg:\"tcpv4-csum keyword check(1)\"; "
1865  "sid:2;)");
1866  if (de_ctx->sig_list->next == NULL) {
1867  goto end;
1868  }
1869 
1871  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1872 
1873  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1874  if (!(PacketAlertCheck(p1, 1))) {
1875  printf("sig 1 didn't match: ");
1876  goto end;
1877  }
1878 
1879  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1880  if (!(PacketAlertCheck(p2, 2))) {
1881  printf("sig 2 didn't match: ");
1882  goto end;
1883  }
1884 
1885  result = 1;
1886 end:
1889  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1891  SCFree(p1);
1892  SCFree(p2);
1893  return result;
1894 }
1895 
1896 /* Similar to SigTest26, but with different packet */
1897 static int SigTest26TCPV4AndIPV4Keyword(void)
1898 {
1899  /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1900  * TTL: 64 Flags: Don't Fragment
1901  */
1902  uint8_t raw_ipv4[] = {
1903  0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1904  0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1905  0xc0, 0xa8, 0xb0, 0x74};
1906 
1907  /* TCP: sport: 49517 dport: 445 Flags: SYN
1908  * Window size: 65535, checksum: 0x2009,
1909  * MTU: 1460, Window scale: 4, TSACK permitted,
1910  * 24 bytes of options, no payload.
1911  */
1912  uint8_t valid_raw_tcp[] = {
1913  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1914  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1915  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1916  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1917  0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1918  0x04, 0x02, 0x00, 0x00};
1919 
1920  uint8_t invalid_raw_tcp[] = {
1921  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1922  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1923  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1924  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1925  0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1926  0x04, 0x02, 0x00, 0x00};
1927 
1928  Packet *p1 = PacketGetFromAlloc();
1929  if (unlikely(p1 == NULL))
1930  return 0;
1931 
1932  Packet *p2 = PacketGetFromAlloc();
1933  if (unlikely(p2 == NULL)) {
1934  SCFree(p1);
1935  return 0;
1936  }
1937 
1938  ThreadVars th_v;
1939  DetectEngineThreadCtx *det_ctx = NULL;
1940  int result = 0;
1941 
1942  memset(&th_v, 0, sizeof(ThreadVars));
1943 
1944  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1945  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1946 
1947  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1948  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1949 
1951  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1952  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1953  p1->src.family = AF_INET;
1954  p1->dst.family = AF_INET;
1955  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1956  p1->payload_len = 0;
1957  p1->proto = IPPROTO_TCP;
1958 
1960  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1961  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1962  p2->src.family = AF_INET;
1963  p2->dst.family = AF_INET;
1964  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1965  p2->payload_len = 0;
1966  p2->proto = IPPROTO_TCP;
1967 
1969  if (de_ctx == NULL) {
1970  goto end;
1971  }
1972 
1973  de_ctx->flags |= DE_QUIET;
1974 
1976  "alert ip any any -> any any "
1977  "(tcpv4-csum:valid; "
1978  "ipv4-csum:valid; "
1979  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1980  if (de_ctx->sig_list == NULL) {
1981  goto end;
1982  }
1983 
1985  "alert ip any any -> any any "
1986  "(tcpv4-csum:invalid; "
1987  "ipv4-csum:valid; "
1988  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1989  "sid:2;)");
1990  if (de_ctx->sig_list->next == NULL) {
1991  goto end;
1992  }
1993 
1995  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1996 
1997  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1998  if (!(PacketAlertCheck(p1, 1))) {
1999  printf("sig 1 didn't match: ");
2000  goto end;
2001  }
2002 
2003  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2004  if (!(PacketAlertCheck(p2, 2))) {
2005  printf("sig 2 didn't match: ");
2006  goto end;
2007  }
2008 
2009  result = 1;
2010 end:
2013  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2015  SCFree(p1);
2016  SCFree(p2);
2017  return result;
2018 }
2019 
2020 static int SigTest27NegativeTCPV4Keyword(void)
2021 {
2022  uint8_t raw_ipv4[] = {
2023  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2024  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2025  0xc0, 0xa8, 0x01, 0x03};
2026 
2027  uint8_t valid_raw_tcp[] = {
2028  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2029  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2030  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2031  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2032  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
2033 
2034  uint8_t invalid_raw_tcp[] = {
2035  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2036  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2037  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2038  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2039  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2040 
2041  Packet *p1 = PacketGetFromAlloc();
2042  if (unlikely(p1 == NULL))
2043  return 0;
2044  Packet *p2 = PacketGetFromAlloc();
2045  if (unlikely(p2 == NULL)) {
2046  SCFree(p1);
2047  return 0;
2048  }
2049  ThreadVars th_v;
2050  DetectEngineThreadCtx *det_ctx = NULL;
2051  int result = 0;
2052 
2053  memset(&th_v, 0, sizeof(ThreadVars));
2054 
2055  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
2056  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
2057 
2058  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
2059  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
2060 
2062  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
2063  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
2064  p1->src.family = AF_INET;
2065  p1->dst.family = AF_INET;
2066  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
2067  p1->payload_len = 20;
2068  p1->proto = IPPROTO_TCP;
2069 
2071  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
2072  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
2073  p2->src.family = AF_INET;
2074  p2->dst.family = AF_INET;
2075  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
2076  p2->payload_len = 20;
2077  p2->proto = IPPROTO_TCP;
2078 
2080  if (de_ctx == NULL) {
2081  goto end;
2082  }
2083 
2084  de_ctx->flags |= DE_QUIET;
2085 
2087  "alert tcp any any -> any any "
2088  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2089  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2090  if (de_ctx->sig_list == NULL) {
2091  goto end;
2092  }
2093 
2095  "alert tcp any any -> any any "
2096  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2097  "msg:\"tcpv4-csum keyword check(2)\"; "
2098  "sid:2;)");
2099  if (de_ctx->sig_list->next == NULL) {
2100  goto end;
2101  }
2102 
2104  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2105 
2106  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2107  if (!PacketAlertCheck(p1, 1)) {
2108  printf("sig 1 didn't match on p1: ");
2109  goto end;
2110  }
2111 
2112  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2113  if (PacketAlertCheck(p2, 2)) {
2114  printf("sig 2 matched on p2: ");
2115  goto end;
2116  }
2117 
2118  result = 1;
2119 end:
2122  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2124  SCFree(p1);
2125  SCFree(p2);
2126  return result;
2127 }
2128 
2129 static int SigTest28TCPV6Keyword(void)
2130 {
2131  static uint8_t valid_raw_ipv6[] = {
2132  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2133  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2134 
2135  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2136  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2137  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2138  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2139  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2140 
2141  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2142  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2143  0xf2, 0xf1, 0x00, 0x00,
2144 
2145  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2146  0x00, 0x01, 0x69, 0x27};
2147 
2148  static uint8_t invalid_raw_ipv6[] = {
2149  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2150  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2151 
2152  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2153  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2154  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2155  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2156  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2157 
2158  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2159  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2160  0xc2, 0xf1, 0x00, 0x00,
2161 
2162  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2163  0x00, 0x01, 0x69, 0x28};
2164 
2165  Packet *p1 = PacketGetFromAlloc();
2166  if (unlikely(p1 == NULL))
2167  return 0;
2168  Packet *p2 = PacketGetFromAlloc();
2169  if (unlikely(p2 == NULL)) {
2170  SCFree(p1);
2171  return 0;
2172  }
2173  ThreadVars th_v;
2174  DetectEngineThreadCtx *det_ctx = NULL;
2175  int result = 0;
2176 
2177  memset(&th_v, 0, sizeof(ThreadVars));
2178 
2180  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2181  p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2182  p1->src.family = AF_INET;
2183  p1->dst.family = AF_INET;
2184  p1->payload = valid_raw_ipv6 + 54 + 20;
2185  p1->payload_len = 12;
2186  p1->proto = IPPROTO_TCP;
2187 
2188  if (TCP_GET_HLEN(p1) != 20) {
2189  BUG_ON(1);
2190  }
2191 
2193  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2194  p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2195  p2->src.family = AF_INET;
2196  p2->dst.family = AF_INET;
2197  p2->payload = invalid_raw_ipv6 + 54 + 20;
2198  p2->payload_len = 12;
2199  p2->proto = IPPROTO_TCP;
2200 
2201  if (TCP_GET_HLEN(p2) != 20) {
2202  BUG_ON(1);
2203  }
2204 
2206  if (de_ctx == NULL) {
2207  goto end;
2208  }
2209 
2210  de_ctx->flags |= DE_QUIET;
2211 
2213  "alert tcp any any -> any any "
2214  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2215  "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2216  if (de_ctx->sig_list == NULL) {
2217  goto end;
2218  }
2219 
2221  "alert tcp any any -> any any "
2222  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2223  "msg:\"tcpv6-csum keyword check(1)\"; "
2224  "sid:2;)");
2225  if (de_ctx->sig_list->next == NULL) {
2226  goto end;
2227  }
2228 
2230  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2231 
2232  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2233  if (!(PacketAlertCheck(p1, 1))) {
2234  printf("sid 1 didn't match on p1: ");
2235  goto end;
2236  }
2237 
2238  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2239  if (!(PacketAlertCheck(p2, 2))) {
2240  printf("sid 2 didn't match on p2: ");
2241  goto end;
2242  }
2243 
2244  result = 1;
2245 end:
2248  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2250  SCFree(p1);
2251  SCFree(p2);
2252  return result;
2253 }
2254 
2255 static int SigTest29NegativeTCPV6Keyword(void)
2256 {
2257  static uint8_t valid_raw_ipv6[] = {
2258  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2259  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2260 
2261  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2262  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2263  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2264  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2265  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2266 
2267  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2268  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2269  0xf2, 0xf1, 0x00, 0x00,
2270 
2271  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2272  0x00, 0x01, 0x69, 0x27};
2273 
2274  static uint8_t invalid_raw_ipv6[] = {
2275  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2276  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2277 
2278  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2279  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2280  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2281  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2282  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2283 
2284  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2285  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2286  0xc2, 0xf1, 0x00, 0x00,
2287 
2288  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2289  0x00, 0x01, 0x69, 0x28};
2290 
2291  Packet *p1 = PacketGetFromAlloc();
2292  if (unlikely(p1 == NULL))
2293  return 0;
2294  Packet *p2 = PacketGetFromAlloc();
2295  if (unlikely(p2 == NULL)) {
2296  SCFree(p1);
2297  return 0;
2298  }
2299  ThreadVars th_v;
2300  DetectEngineThreadCtx *det_ctx = NULL;
2301  int result = 0;
2302 
2303  memset(&th_v, 0, sizeof(ThreadVars));
2304 
2306  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2307  p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2308  p1->src.family = AF_INET;
2309  p1->dst.family = AF_INET;
2310  p1->payload = valid_raw_ipv6 + 54 + 20;
2311  p1->payload_len = 12;
2312  p1->proto = IPPROTO_TCP;
2313 
2314  if (TCP_GET_HLEN(p1) != 20) {
2315  BUG_ON(1);
2316  }
2317 
2319  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2320  p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2321  p2->src.family = AF_INET;
2322  p2->dst.family = AF_INET;
2323  p2->payload = invalid_raw_ipv6 + 54 + 20;
2324  p2->payload_len = 12;
2325  p2->proto = IPPROTO_TCP;
2326 
2327  if (TCP_GET_HLEN(p2) != 20) {
2328  BUG_ON(1);
2329  }
2330 
2332  if (de_ctx == NULL) {
2333  goto end;
2334  }
2335 
2336  de_ctx->flags |= DE_QUIET;
2337 
2339  "alert tcp any any -> any any "
2340  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2341  "msg:\"tcpv6-csum keyword check(1)\"; "
2342  "sid:1;)");
2343  if (de_ctx->sig_list == NULL) {
2344  goto end;
2345  }
2346 
2348  "alert tcp any any -> any any "
2349  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2350  "msg:\"tcpv6-csum keyword check(1)\"; "
2351  "sid:2;)");
2352  if (de_ctx->sig_list->next == NULL) {
2353  goto end;
2354  }
2355 
2357  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2358 
2359  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2360  if (PacketAlertCheck(p1, 1))
2361  goto end;
2362 
2363  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2364  if (PacketAlertCheck(p2, 2))
2365  goto end;
2366 
2367  result = 1;
2368 end:
2371  if (det_ctx != NULL)
2372  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2374  SCFree(p1);
2375  SCFree(p2);
2376  return result;
2377 }
2378 
2379 static int SigTest30UDPV4Keyword(void)
2380 {
2381  uint8_t raw_ipv4[] = {
2382  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2383  0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2384  0xc0, 0xa8, 0x01, 0x03};
2385 
2386  uint8_t valid_raw_udp[] = {
2387  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2388  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2389  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2390  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2391  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2392  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2393  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2394  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2395  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2396  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2397  0x67, 0x6c, 0x65, 0xc0, 0x26};
2398 
2399  uint8_t invalid_raw_udp[] = {
2400  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2401  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2402  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2403  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2404  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2405  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2406  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2407  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2408  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2409  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2410  0x67, 0x6c, 0x65, 0xc0, 0x27};
2411 
2412  Packet *p1 = PacketGetFromAlloc();
2413  FAIL_IF_NULL(p1);
2414  Packet *p2 = PacketGetFromAlloc();
2415  FAIL_IF_NULL(p2);
2416 
2417  ThreadVars th_v;
2418  DetectEngineThreadCtx *det_ctx = NULL;
2419 
2420  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2421  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2422 
2423  memset(&th_v, 0, sizeof(ThreadVars));
2424 
2426  p1->ip4h = (IPV4Hdr *)raw_ipv4;
2427  p1->udph = (UDPHdr *)valid_raw_udp;
2428  p1->src.family = AF_INET;
2429  p1->dst.family = AF_INET;
2430  p1->payload = buf;
2431  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2432  p1->proto = IPPROTO_UDP;
2433 
2435  p2->ip4h = (IPV4Hdr *)raw_ipv4;
2436  p2->udph = (UDPHdr *)invalid_raw_udp;
2437  p2->src.family = AF_INET;
2438  p2->dst.family = AF_INET;
2439  p2->payload = buf;
2440  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2441  p2->proto = IPPROTO_UDP;
2442 
2445 
2446  de_ctx->flags |= DE_QUIET;
2447 
2449  "alert udp any any -> any any "
2450  "(content:\"/one/\"; udpv4-csum:valid; "
2451  "msg:\"udpv4-csum keyword check(1)\"; "
2452  "sid:1;)");
2454 
2456  "alert udp any any -> any any "
2457  "(content:\"/one/\"; udpv4-csum:invalid; "
2458  "msg:\"udpv4-csum keyword check(1)\"; "
2459  "sid:2;)");
2461 
2463  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2464 
2465  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2466  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2467 
2468  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2469  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2470 
2473  if (det_ctx != NULL)
2474  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2476  SCFree(p1);
2477  SCFree(p2);
2478  PASS;
2479 }
2480 
2481 static int SigTest31NegativeUDPV4Keyword(void)
2482 {
2483  uint8_t raw_ipv4[] = {
2484  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2485  0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2486  0xc0, 0xa8, 0x01, 0x03};
2487 
2488  uint8_t valid_raw_udp[] = {
2489  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2490  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2491  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2492  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2493  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2494  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2495  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2496  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2497  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2498  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2499  0x67, 0x6c, 0x65, 0xc0, 0x26};
2500 
2501  uint8_t invalid_raw_udp[] = {
2502  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2503  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2504  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2505  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2506  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2507  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2508  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2509  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2510  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2511  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2512  0x67, 0x6c, 0x65, 0xc0, 0x27};
2513 
2514  Packet *p1 = PacketGetFromAlloc();
2515  if (unlikely(p1 == NULL))
2516  return 0;
2517  Packet *p2 = PacketGetFromAlloc();
2518  if (unlikely(p2 == NULL)) {
2519  SCFree(p1);
2520  return 0;
2521  }
2522  ThreadVars th_v;
2523  DetectEngineThreadCtx *det_ctx = NULL;
2524  int result = 1;
2525 
2526  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2527  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2528 
2529  memset(&th_v, 0, sizeof(ThreadVars));
2530 
2532  p1->ip4h = (IPV4Hdr *)raw_ipv4;
2533  p1->udph = (UDPHdr *)valid_raw_udp;
2534  p1->src.family = AF_INET;
2535  p1->dst.family = AF_INET;
2536  p1->payload = buf;
2537  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2538  p1->proto = IPPROTO_UDP;
2539 
2541  p2->ip4h = (IPV4Hdr *)raw_ipv4;
2542  p2->udph = (UDPHdr *)invalid_raw_udp;
2543  p2->src.family = AF_INET;
2544  p2->dst.family = AF_INET;
2545  p2->payload = buf;
2546  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2547  p2->proto = IPPROTO_UDP;
2548 
2550  if (de_ctx == NULL) {
2551  goto end;
2552  }
2553 
2554  de_ctx->flags |= DE_QUIET;
2555 
2557  "alert udp any any -> any any "
2558  "(content:\"/one/\"; udpv4-csum:invalid; "
2559  "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2560  if (de_ctx->sig_list == NULL) {
2561  result &= 0;
2562  goto end;
2563  }
2564 
2566  "alert udp any any -> any any "
2567  "(content:\"/one/\"; udpv4-csum:valid; "
2568  "msg:\"udpv4-csum keyword check(1)\"; "
2569  "sid:2;)");
2570  if (de_ctx->sig_list->next == NULL) {
2571  result &= 0;
2572  goto end;
2573  }
2574 
2576  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2577 
2578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2579  if (PacketAlertCheck(p1, 1))
2580  result &= 0;
2581  else
2582  result &= 1;
2583 
2584  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2585  if (PacketAlertCheck(p2, 2)) {
2586  result &= 0;
2587  }
2588  else
2589  result &= 1;
2590 
2593  if (det_ctx != NULL)
2594  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2596 end:
2597  SCFree(p1);
2598  SCFree(p2);
2599  return result;
2600 }
2601 
2602 
2603 static int SigTest32UDPV6Keyword(void)
2604 {
2605  static uint8_t valid_raw_ipv6[] = {
2606  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2607  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2608  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2609  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2610  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2611  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2612  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2613  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2614  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2615  0x09, 0x00};
2616 
2617  static uint8_t invalid_raw_ipv6[] = {
2618  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2619  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2620  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2621  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2622  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2623  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2624  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2625  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2626  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2627  0x09, 0x01};
2628 
2629  Packet *p1 = PacketGetFromAlloc();
2630  FAIL_IF_NULL(p1);
2631  Packet *p2 = PacketGetFromAlloc();
2632  FAIL_IF_NULL(p2);
2633 
2634  ThreadVars th_v;
2635  DetectEngineThreadCtx *det_ctx = NULL;
2636 
2637  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2638  "\r\n\r\n";
2639 
2640  memset(&th_v, 0, sizeof(ThreadVars));
2641 
2643  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2644  p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2645  p1->src.family = AF_INET;
2646  p1->dst.family = AF_INET;
2647  p1->payload = buf;
2649  p1->proto = IPPROTO_UDP;
2650 
2652  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2653  p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2654  p2->src.family = AF_INET;
2655  p2->dst.family = AF_INET;
2656  p2->payload = buf;
2658  p2->proto = IPPROTO_UDP;
2659 
2662 
2663  de_ctx->flags |= DE_QUIET;
2664 
2666  "alert udp any any -> any any "
2667  "(content:\"/one/\"; udpv6-csum:valid; "
2668  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2670 
2672  "alert udp any any -> any any "
2673  "(content:\"/one/\"; udpv6-csum:invalid; "
2674  "msg:\"udpv6-csum keyword check(1)\"; "
2675  "sid:2;)");
2677 
2679  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2680 
2681  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2682  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2683 
2684  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2685  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2686 
2689  if (det_ctx != NULL)
2690  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2692 
2693  SCFree(p1);
2694  SCFree(p2);
2695  PASS;
2696 }
2697 
2698 static int SigTest33NegativeUDPV6Keyword(void)
2699 {
2700  static uint8_t valid_raw_ipv6[] = {
2701  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2702  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2703  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2704  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2705  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2706  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2707  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2708  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2709  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2710  0x09, 0x00};
2711 
2712  static uint8_t invalid_raw_ipv6[] = {
2713  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2714  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2715  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2716  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2717  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2718  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2719  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2720  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2721  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2722  0x09, 0x01};
2723 
2724  Packet *p1 = PacketGetFromAlloc();
2725  if (unlikely(p1 == NULL))
2726  return 0;
2727  Packet *p2 = PacketGetFromAlloc();
2728  if (unlikely(p2 == NULL)) {
2729  SCFree(p1);
2730  return 0;
2731  }
2732  ThreadVars th_v;
2733  DetectEngineThreadCtx *det_ctx = NULL;
2734  int result = 1;
2735 
2736  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2737  "\r\n\r\n";
2738 
2739  memset(&th_v, 0, sizeof(ThreadVars));
2740 
2742  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2743  p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2744  p1->src.family = AF_INET;
2745  p1->dst.family = AF_INET;
2746  p1->payload = buf;
2748  p1->proto = IPPROTO_UDP;
2749 
2751  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2752  p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2753  p2->src.family = AF_INET;
2754  p2->dst.family = AF_INET;
2755  p2->payload = buf;
2757  p2->proto = IPPROTO_UDP;
2758 
2760  if (de_ctx == NULL) {
2761  goto end;
2762  }
2763 
2764  de_ctx->flags |= DE_QUIET;
2765 
2767  "alert udp any any -> any any "
2768  "(content:\"/one/\"; udpv6-csum:invalid; "
2769  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2770  if (de_ctx->sig_list == NULL) {
2771  result &= 0;
2772  goto end;
2773  }
2774 
2776  "alert udp any any -> any any "
2777  "(content:\"/one/\"; udpv6-csum:valid; "
2778  "msg:\"udpv6-csum keyword check(1)\"; "
2779  "sid:2;)");
2780  if (de_ctx->sig_list->next == NULL) {
2781  result &= 0;
2782  goto end;
2783  }
2784 
2786  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2787 
2788  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2789  if (PacketAlertCheck(p1, 1))
2790  result &= 0;
2791  else
2792  result &= 1;
2793 
2794  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2795  if (PacketAlertCheck(p2, 2))
2796  result &= 0;
2797  else
2798  result &= 1;
2799 
2802  if (det_ctx != NULL)
2803  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2805 end:
2806  SCFree(p1);
2807  SCFree(p2);
2808  return result;
2809 }
2810 
2811 static int SigTest34ICMPV4Keyword(void)
2812 {
2813  uint8_t valid_raw_ipv4[] = {
2814  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2815  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2816  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2817  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2818  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2819  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2820  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2821  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2822  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2823  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2824  0x34, 0x35, 0x36, 0x37};
2825 
2826  uint8_t invalid_raw_ipv4[] = {
2827  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2828  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2829  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2830  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2831  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2832  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2833  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2834  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2835  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2836  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2837  0x34, 0x35, 0x36, 0x38};
2838 
2839  Packet *p1 = PacketGetFromAlloc();
2840  if (unlikely(p1 == NULL))
2841  return 0;
2842  Packet *p2 = PacketGetFromAlloc();
2843  if (unlikely(p2 == NULL)) {
2844  SCFree(p1);
2845  return 0;
2846  }
2847  ThreadVars th_v;
2848  DetectEngineThreadCtx *det_ctx = NULL;
2849  int result = 1;
2850 
2851  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2852  "\r\n\r\n";
2853  uint16_t buflen = strlen((char *)buf);
2854 
2855  memset(&th_v, 0, sizeof(ThreadVars));
2856 
2858  p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
2859  p1->ip4h->ip_verhl = 69;
2860  p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
2861  p1->src.family = AF_INET;
2862  p1->dst.family = AF_INET;
2863  p1->payload = buf;
2864  p1->payload_len = buflen;
2865  p1->proto = IPPROTO_ICMP;
2866 
2868  p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
2869  p2->ip4h->ip_verhl = 69;
2870  p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
2871  p2->src.family = AF_INET;
2872  p2->dst.family = AF_INET;
2873  p2->payload = buf;
2874  p2->payload_len = buflen;
2875  p2->proto = IPPROTO_ICMP;
2876 
2878  if (de_ctx == NULL) {
2879  goto end;
2880  }
2881 
2882  de_ctx->flags |= DE_QUIET;
2883 
2885  "alert icmp any any -> any any "
2886  "(content:\"/one/\"; icmpv4-csum:valid; "
2887  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2888  if (de_ctx->sig_list == NULL) {
2889  result &= 0;
2890  goto end;
2891  }
2892 
2894  "alert icmp any any -> any any "
2895  "(content:\"/one/\"; icmpv4-csum:invalid; "
2896  "msg:\"icmpv4-csum keyword check(1)\"; "
2897  "sid:2;)");
2898  if (de_ctx->sig_list->next == NULL) {
2899  result = 0;
2900  goto end;
2901  }
2902 
2904  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2905 
2906  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2907  if (PacketAlertCheck(p1, 1))
2908  result &= 1;
2909  else
2910  result &= 0;
2911 
2912  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2913  if (PacketAlertCheck(p2, 2))
2914  result &= 1;
2915  else
2916  result &= 0;
2917 
2920  if (det_ctx != NULL)
2921  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2923 end:
2924  SCFree(p1);
2925  SCFree(p2);
2926  return result;
2927 }
2928 
2929 static int SigTest35NegativeICMPV4Keyword(void)
2930 {
2931  uint8_t valid_raw_ipv4[] = {
2932  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2933  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2934  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2935  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2936  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2937  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2938  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2939  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2940  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2941  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2942  0x34, 0x35, 0x36, 0x37};
2943 
2944  uint8_t invalid_raw_ipv4[] = {
2945  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2946  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2947  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2948  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2949  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2950  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2951  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2952  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2953  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2954  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2955  0x34, 0x35, 0x36, 0x38};
2956 
2957  Packet *p1 = PacketGetFromAlloc();
2958  if (unlikely(p1 == NULL))
2959  return 0;
2960  Packet *p2 = PacketGetFromAlloc();
2961  if (unlikely(p2 == NULL)) {
2962  SCFree(p1);
2963  return 0;
2964  }
2965  ThreadVars th_v;
2966  DetectEngineThreadCtx *det_ctx = NULL;
2967  int result = 1;
2968 
2969  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2970  "\r\n\r\n";
2971  uint16_t buflen = strlen((char *)buf);
2972 
2973  memset(&th_v, 0, sizeof(ThreadVars));
2974 
2976  p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
2977  p1->ip4h->ip_verhl = 69;
2978  p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
2979  p1->src.family = AF_INET;
2980  p1->dst.family = AF_INET;
2981  p1->payload = buf;
2982  p1->payload_len = buflen;
2983  p1->proto = IPPROTO_ICMP;
2984 
2986  p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
2987  p2->ip4h->ip_verhl = 69;
2988  p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
2989  p2->src.family = AF_INET;
2990  p2->dst.family = AF_INET;
2991  p2->payload = buf;
2992  p2->payload_len = buflen;
2993  p2->proto = IPPROTO_ICMP;
2994 
2996  if (de_ctx == NULL) {
2997  goto end;
2998  }
2999 
3000  de_ctx->flags |= DE_QUIET;
3001 
3003  "alert icmp any any -> any any "
3004  "(content:\"/one/\"; icmpv4-csum:invalid; "
3005  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
3006  if (de_ctx->sig_list == NULL) {
3007  result &= 0;
3008  goto end;
3009  }
3010 
3012  "alert icmp any any -> any any "
3013  "(content:\"/one/\"; icmpv4-csum:valid; "
3014  "msg:\"icmpv4-csum keyword check(1)\"; "
3015  "sid:2;)");
3016  if (de_ctx->sig_list->next == NULL) {
3017  result &= 0;
3018  goto end;
3019  }
3020 
3022  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3023 
3024  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3025  if (PacketAlertCheck(p1, 1))
3026  result &= 0;
3027  else
3028  result &= 1;
3029 
3030  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3031  if (PacketAlertCheck(p2, 2))
3032  result &= 0;
3033  else {
3034  result &= 1;
3035  }
3036 
3039  if (det_ctx != NULL)
3040  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3042 end:
3043  SCFree(p1);
3044  SCFree(p2);
3045  return result;
3046 }
3047 
3048 static int SigTest38(void)
3049 {
3050  Packet *p1 = PacketGetFromAlloc();
3051  if (unlikely(p1 == NULL))
3052  return 0;
3053  ThreadVars th_v;
3054  DetectEngineThreadCtx *det_ctx = NULL;
3055  int result = 1;
3056  uint8_t raw_eth[] = {
3057  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3058  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3059  0x08, 0x00
3060  };
3061  uint8_t raw_ipv4[] = {
3062  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3063  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3064  0x7f, 0x00, 0x00, 0x01
3065  };
3066  uint8_t raw_tcp[] = {
3067  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3068  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3069  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3070  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3071  0x00, 0x22, 0xaa, 0x10
3072  };
3073  uint8_t buf[] = {
3074  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3075  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3076  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
3077  0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
3078  0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3079  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3080  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3081  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3082  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3083  0x0a
3084  };
3085  uint16_t ethlen = sizeof(raw_eth);
3086  uint16_t ipv4len = sizeof(raw_ipv4);
3087  uint16_t tcplen = sizeof(raw_tcp);
3088  uint16_t buflen = sizeof(buf);
3089 
3090  memset(&th_v, 0, sizeof(ThreadVars));
3091 
3092  /* Copy raw data into packet */
3093  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3094  SCFree(p1);
3095  return 1;
3096  }
3097  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3098  SCFree(p1);
3099  return 1;
3100  }
3101  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3102  SCFree(p1);
3103  return 1;
3104  }
3105  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3106  SCFree(p1);
3107  return 1;
3108  }
3109  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3110 
3112  p1->ethh = (EthernetHdr *)raw_eth;
3113  p1->ip4h = (IPV4Hdr *)raw_ipv4;
3114  p1->tcph = (TCPHdr *)raw_tcp;
3115  p1->src.family = AF_INET;
3116  p1->dst.family = AF_INET;
3117  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3118  p1->payload_len = buflen;
3119  p1->proto = IPPROTO_TCP;
3120 
3122  if (de_ctx == NULL) {
3123  goto end;
3124  }
3125  de_ctx->flags |= DE_QUIET;
3126 
3128  "alert tcp any any -> any any "
3129  "(content:\"LEN1|20|\"; "
3130  "byte_test:4,=,8,0; "
3131  "msg:\"byte_test keyword check(1)\"; sid:1;)");
3132  if (de_ctx->sig_list == NULL) {
3133  result &= 0;
3134  goto end;
3135  }
3137  "alert tcp any any -> any any "
3138  "(content:\"LEN1|20|\"; "
3139  "byte_test:4,=,8,5,relative,string,dec; "
3140  "msg:\"byte_test keyword check(2)\"; sid:2;)");
3141  if (de_ctx->sig_list->next == NULL) {
3142  result &= 0;
3143  goto end;
3144  }
3145 
3147  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3148 
3149  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3150  if (PacketAlertCheck(p1, 1)) {
3151  result = 1;
3152  } else {
3153  result = 0;
3154  printf("sid 1 didn't alert, but should have: ");
3155  goto cleanup;
3156  }
3157  if (PacketAlertCheck(p1, 2)) {
3158  result = 1;
3159  } else {
3160  result = 0;
3161  printf("sid 2 didn't alert, but should have: ");
3162  goto cleanup;
3163  }
3164 
3165 cleanup:
3168 
3169  if (det_ctx != NULL)
3170  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3172 
3173 end:
3174  SCFree(p1);
3175  return result;
3176 }
3177 
3178 static int SigTest39(void)
3179 {
3180  Packet *p1 = PacketGetFromAlloc();
3181  if (unlikely(p1 == NULL))
3182  return 0;
3183  ThreadVars th_v;
3184  DetectEngineThreadCtx *det_ctx = NULL;
3185  int result = 1;
3186  uint8_t raw_eth[] = {
3187  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3188  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3189  0x08, 0x00
3190  };
3191  uint8_t raw_ipv4[] = {
3192  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3193  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3194  0x7f, 0x00, 0x00, 0x01
3195  };
3196  uint8_t raw_tcp[] = {
3197  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3198  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3199  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3200  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3201  0x00, 0x22, 0xaa, 0x10
3202  };
3203  uint8_t buf[] = {
3204  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3205  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3206  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3207  0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3208  0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3209  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3210  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3211  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3212  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3213  0x0a
3214  };
3215  uint16_t ethlen = sizeof(raw_eth);
3216  uint16_t ipv4len = sizeof(raw_ipv4);
3217  uint16_t tcplen = sizeof(raw_tcp);
3218  uint16_t buflen = sizeof(buf);
3219 
3220  memset(&th_v, 0, sizeof(ThreadVars));
3221 
3222  /* Copy raw data into packet */
3223  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3224  SCFree(p1);
3225  return 1;
3226  }
3227  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3228  SCFree(p1);
3229  return 1;
3230  }
3231  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3232  SCFree(p1);
3233  return 1;
3234  }
3235  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3236  SCFree(p1);
3237  return 1;
3238  }
3239  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3240 
3242  p1->ethh = (EthernetHdr *)raw_eth;
3243  p1->ip4h = (IPV4Hdr *)raw_ipv4;
3244  p1->tcph = (TCPHdr *)raw_tcp;
3245  p1->src.family = AF_INET;
3246  p1->dst.family = AF_INET;
3247  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3248  p1->payload_len = buflen;
3249  p1->proto = IPPROTO_TCP;
3250 
3252  if (de_ctx == NULL) {
3253  goto end;
3254  }
3255  de_ctx->flags |= DE_QUIET;
3256 
3258  "alert tcp any any -> any any "
3259  "(content:\"LEN1|20|\"; "
3260  "byte_test:4,=,8,0; "
3261  "byte_jump:4,0; "
3262  "byte_test:6,=,0x4c454e312038,0,relative; "
3263  "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3264  if (de_ctx->sig_list == NULL) {
3265  result &= 0;
3266  goto end;
3267  }
3268  // XXX TODO
3270  "alert tcp any any -> any any "
3271  "(content:\"LEN1|20|\"; "
3272  "byte_test:4,=,8,4,relative,string,dec; "
3273  "byte_jump:4,4,relative,string,dec,post_offset 2; "
3274  "byte_test:4,=,0x4c454e32,0,relative; "
3275  "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3276  if (de_ctx->sig_list->next == NULL) {
3277  result &= 0;
3278  goto end;
3279  }
3280 
3282  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3283 
3284  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3285  if (PacketAlertCheck(p1, 1)) {
3286  result = 1;
3287  } else {
3288  result = 0;
3289  printf("sid 1 didn't alert, but should have: ");
3290  goto cleanup;
3291  }
3292  if (PacketAlertCheck(p1, 2)) {
3293  result = 1;
3294  } else {
3295  result = 0;
3296  printf("sid 2 didn't alert, but should have: ");
3297  goto cleanup;
3298  }
3299 
3300 cleanup:
3303  if (det_ctx != NULL)
3304  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3306 
3307 end:
3308  SCFree(p1);
3309  return result;
3310 }
3311 
3312 /**
3313  * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3314  * \brief expecting to match a size
3315  */
3316 
3317 static int SigTest36ContentAndIsdataatKeywords01 (void)
3318 {
3319  int result = 0;
3320 
3321  // Buid and decode the packet
3322 
3323  uint8_t raw_eth [] = {
3324  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3325  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3326  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3327  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3328  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3329  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3330  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3331  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3332  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3333  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3334  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3335  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3336  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3337  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3338  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3339  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3340  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3341  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3342  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3343  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3344  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3345  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3346  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3347  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3348  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3349  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3350  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3351  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3352  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3353  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3354 
3355  Packet *p = PacketGetFromAlloc();
3356  if (unlikely(p == NULL))
3357  return 0;
3359 
3360  ThreadVars th_v;
3361  DetectEngineThreadCtx *det_ctx = NULL;
3362 
3363  memset(&dtv, 0, sizeof(DecodeThreadVars));
3364  memset(&th_v, 0, sizeof(th_v));
3365 
3367  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3368 
3369 
3371  if (de_ctx == NULL) {
3372  goto end;
3373  }
3374 
3375  de_ctx->flags |= DE_QUIET;
3376 
3377  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3378  if (de_ctx->sig_list == NULL) {
3379  result = 0;
3380  goto end;
3381  }
3382 
3384  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3385 
3386  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3387  if (PacketAlertCheck(p, 101) == 0) {
3388  result = 0;
3389  goto end;
3390  } else {
3391  result=1;
3392  }
3393 
3396 
3397  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3399  PacketRecycle(p);
3400  FlowShutdown();
3401 
3402  SCFree(p);
3403  return result;
3404 
3405 end:
3406  if(de_ctx)
3407  {
3410  }
3411 
3412  if(det_ctx)
3413  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3414 
3415  //PatternMatchDestroy(mpm_ctx);
3416 
3417  if(de_ctx)
3419 
3420  if (p != NULL)
3421  PacketRecycle(p);
3422 
3423  FlowShutdown();
3424 
3425  SCFree(p);
3426  return result;
3427 }
3428 
3429 
3430 /**
3431  * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3432  * \brief not expecting to match a size
3433  */
3434 
3435 static int SigTest37ContentAndIsdataatKeywords02 (void)
3436 {
3437  int result = 0;
3438 
3439  // Buid and decode the packet
3440 
3441  uint8_t raw_eth [] = {
3442  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3443  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3444  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3445  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3446  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3447  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3448  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3449  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3450  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3451  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3452  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3453  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3454  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3455  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3456  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3457  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3458  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3459  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3460  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3461  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3462  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3463  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3464  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3465  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3466  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3467  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3468  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3469  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3470  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3471  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3472 
3473  Packet *p = PacketGetFromAlloc();
3474  if (unlikely(p == NULL))
3475  return 0;
3477 
3478  ThreadVars th_v;
3479  DetectEngineThreadCtx *det_ctx = NULL;
3480 
3481  memset(&dtv, 0, sizeof(DecodeThreadVars));
3482  memset(&th_v, 0, sizeof(th_v));
3483 
3485  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3486 
3487 
3489  if (de_ctx == NULL) {
3490  goto end;
3491  }
3492 
3493  de_ctx->flags |= DE_QUIET;
3494 
3495  Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3496  if (de_ctx->sig_list == NULL) {
3497  printf("sig parse failed: ");
3498  result = 0;
3499  goto end;
3500  }
3501 
3502  if (s->sm_lists[DETECT_SM_LIST_PMATCH]->type != DETECT_CONTENT) {
3503  printf("type not content: ");
3504  goto end;
3505  }
3507  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3508 
3509  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3510  if (PacketAlertCheck(p, 101) == 0) {
3511  result = 1;
3512  goto end;
3513  } else {
3514  printf("sig matched, but should not have: ");
3515  result=0;
3516  }
3517 
3520 
3521  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3523 
3524  PacketRecycle(p);
3525  FlowShutdown();
3526 
3527  SCFree(p);
3528  return result;
3529 
3530 end:
3531  if(de_ctx)
3532  {
3535  }
3536 
3537  if(det_ctx)
3538  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3539 
3540  if(de_ctx)
3542 
3543  if (p != NULL)
3544  PacketRecycle(p);
3545 
3546  FlowShutdown();
3547 
3548  SCFree(p);
3549  return result;
3550 }
3551 
3552 /**
3553  * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3554  * flag is set, we don't need to inspect the packet protocol header or its contents.
3555  */
3556 
3557 static int SigTest40NoPacketInspection01(void)
3558 {
3559 
3560  uint8_t *buf = (uint8_t *)
3561  "220 (vsFTPd 2.0.5)\r\n";
3562  uint16_t buflen = strlen((char *)buf);
3563  Packet *p = PacketGetFromAlloc();
3564  TCPHdr tcphdr;
3565  if (unlikely(p == NULL))
3566  return 0;
3567  ThreadVars th_v;
3568  DetectEngineThreadCtx *det_ctx = NULL;
3569  PacketQueue pq;
3570  Flow f;
3571  int result = 0;
3572 
3573  memset(&th_v, 0, sizeof(th_v));
3574  memset(&pq, 0, sizeof(pq));
3575  memset(&f, 0, sizeof(f));
3576  memset(&tcphdr, 0, sizeof(tcphdr));
3577 
3578  p->src.family = AF_INET;
3579  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3580  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3581  p->dst.family = AF_INET;
3582  p->payload = buf;
3583  p->payload_len = buflen;
3584  p->proto = IPPROTO_TCP;
3585  p->dp = 34260;
3586  p->sp = 21;
3589  p->tcph = &tcphdr;
3590  p->flow = &f;
3591 
3592  FLOW_INITIALIZE(&f);
3593 
3595  if (de_ctx == NULL) {
3596  goto end;
3597  }
3598 
3599  de_ctx->flags |= DE_QUIET;
3600 
3601  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3602  if (de_ctx->sig_list == NULL) {
3603  result = 0;
3604  goto end;
3605  }
3606 
3608  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3609  det_ctx->de_ctx = de_ctx;
3610 
3611  Detect(&th_v, p, det_ctx);
3612  if (PacketAlertCheck(p, 2))
3613  result = 0;
3614  else
3615  result = 1;
3616 
3619  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3620  //PatternMatchDestroy(mpm_ctx);
3622 end:
3623  SCFree(p);
3624  return result;
3625 }
3626 
3627 /**
3628  * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3629  * flasg is set, we don't need to inspect the packet contents.
3630  */
3631 
3632 static int SigTest40NoPayloadInspection02(void)
3633 {
3634 
3635  uint8_t *buf = (uint8_t *)
3636  "220 (vsFTPd 2.0.5)\r\n";
3637  uint16_t buflen = strlen((char *)buf);
3638  ThreadVars th_v;
3639  memset(&th_v, 0, sizeof(th_v));
3640 
3641  Packet *p = PacketGetFromAlloc();
3642  FAIL_IF_NULL(p);
3643 
3644  p->src.family = AF_INET;
3645  p->dst.family = AF_INET;
3646  p->payload = buf;
3647  p->payload_len = buflen;
3648  p->proto = IPPROTO_TCP;
3650 
3651  DetectEngineThreadCtx *det_ctx = NULL;
3654  de_ctx->flags |= DE_QUIET;
3655 
3657  "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3658  FAIL_IF_NULL(s);
3659 
3661  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3662 
3663  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3664 
3665  FAIL_IF(PacketAlertCheck(p, 1));
3666 
3667  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3669  SCFree(p);
3670  PASS;
3671 }
3672 
3673 static int SigTestMemory01 (void)
3674 {
3675  uint8_t *buf = (uint8_t *)
3676  "GET /one/ HTTP/1.1\r\n"
3677  "Host: one.example.org\r\n"
3678  "\r\n\r\n"
3679  "GET /two/ HTTP/1.1\r\n"
3680  "Host: two.example.org\r\n"
3681  "\r\n\r\n";
3682  uint16_t buflen = strlen((char *)buf);
3683  Packet *p = PacketGetFromAlloc();
3684  if (unlikely(p == NULL))
3685  return 0;
3686  ThreadVars th_v;
3687  DetectEngineThreadCtx *det_ctx = NULL;
3688  int result = 0;
3689 
3690  memset(&th_v, 0, sizeof(th_v));
3691  p->src.family = AF_INET;
3692  p->dst.family = AF_INET;
3693  p->payload = buf;
3694  p->payload_len = buflen;
3695  p->proto = IPPROTO_TCP;
3696 
3698  if (de_ctx == NULL) {
3699  goto end;
3700  }
3701 
3702  de_ctx->flags |= DE_QUIET;
3703 
3704  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3705  if (de_ctx->sig_list == NULL) {
3706  result = 0;
3707  goto end;
3708  }
3709 
3711  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3712 
3714  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3716 
3717  result = 1;
3718 end:
3719  SCFree(p);
3720  return result;
3721 }
3722 
3723 static int SigTestMemory02 (void)
3724 {
3725  ThreadVars th_v;
3726  int result = 0;
3727 
3728  memset(&th_v, 0, sizeof(th_v));
3729 
3731  if (de_ctx == NULL) {
3732  goto end;
3733  }
3734  de_ctx->flags |= DE_QUIET;
3735 
3736  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3737  if (de_ctx->sig_list == NULL) {
3738  result = 0;
3739  goto end;
3740  }
3741  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3742  if (de_ctx->sig_list->next == NULL) {
3743  result = 0;
3744  goto end;
3745  }
3746 
3748 
3751 
3752  result = 1;
3753 end:
3754  return result;
3755 }
3756 
3757 static int SigTestMemory03 (void)
3758 {
3759  ThreadVars th_v;
3760  int result = 0;
3761 
3762  memset(&th_v, 0, sizeof(th_v));
3763 
3765  if (de_ctx == NULL) {
3766  goto end;
3767  }
3768  de_ctx->flags |= DE_QUIET;
3769 
3770  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3771  if (de_ctx->sig_list == NULL) {
3772  result = 0;
3773  goto end;
3774  }
3775  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3776  if (de_ctx->sig_list->next == NULL) {
3777  result = 0;
3778  goto end;
3779  }
3780  de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3781  if (de_ctx->sig_list->next->next == NULL) {
3782  result = 0;
3783  goto end;
3784  }
3785 
3787 
3790 
3791  result = 1;
3792 end:
3793  return result;
3794 }
3795 
3796 static int SigTestContent01 (void)
3797 {
3798  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3799  uint16_t buflen = strlen((char *)buf);
3800  ThreadVars th_v;
3801  DetectEngineThreadCtx *det_ctx = NULL;
3802  int result = 0;
3803 
3804  memset(&th_v, 0, sizeof(th_v));
3805 
3806  Packet *p = NULL;
3807  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3808 
3810  if (de_ctx == NULL) {
3811  goto end;
3812  }
3813  de_ctx->flags |= DE_QUIET;
3814 
3815  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3816  if (de_ctx->sig_list == NULL) {
3817  result = 0;
3818  goto end;
3819  }
3820 
3822  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3823 
3824  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3825  if (PacketAlertCheck(p, 1))
3826  result = 1;
3827  else
3828  printf("sig 1 didn't match: ");
3829 
3832 
3833  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3835 end:
3836  UTHFreePackets(&p, 1);
3837  return result;
3838 }
3839 
3840 static int SigTestContent02 (void)
3841 {
3842  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3843  uint16_t buflen = strlen((char *)buf);
3844  ThreadVars th_v;
3845  DetectEngineThreadCtx *det_ctx = NULL;
3846  int result = 0;
3847 
3848  memset(&th_v, 0, sizeof(th_v));
3849  Packet *p = NULL;
3850  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3851 
3853  if (de_ctx == NULL) {
3854  goto end;
3855  }
3856  de_ctx->flags |= DE_QUIET;
3857 
3858  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3859  if (de_ctx->sig_list == NULL) {
3860  result = 0;
3861  goto end;
3862  }
3863 
3864  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3865  if (de_ctx->sig_list->next == NULL) {
3866  result = 0;
3867  goto end;
3868  }
3869 
3871  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3872 
3873  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3874  if (PacketAlertCheck(p, 1)) {
3875  if (PacketAlertCheck(p, 2)) {
3876  result = 1;
3877  } else
3878  printf("sig 2 didn't match: ");
3879  }
3880  else
3881  printf("sig 1 didn't match: ");
3882 
3885 
3886  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3888 end:
3889  UTHFreePackets(&p, 1);
3890  return result;
3891 }
3892 
3893 static int SigTestContent03 (void)
3894 {
3895  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3896  uint16_t buflen = strlen((char *)buf);
3897  ThreadVars th_v;
3898  DetectEngineThreadCtx *det_ctx = NULL;
3899  int result = 0;
3900 
3901  memset(&th_v, 0, sizeof(th_v));
3902  Packet *p = NULL;
3903  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3904 
3906  if (de_ctx == NULL) {
3907  goto end;
3908  }
3909 
3910  de_ctx->flags |= DE_QUIET;
3911 
3912  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3913  if (de_ctx->sig_list == NULL) {
3914  result = 0;
3915  goto end;
3916  }
3917 
3919  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3920 
3921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3922  if (PacketAlertCheck(p, 1))
3923  result = 1;
3924  else
3925  printf("sig 1 didn't match: ");
3926 
3929 
3930  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3932 end:
3933  UTHFreePackets(&p, 1);
3934  return result;
3935 }
3936 
3937 static int SigTestContent04 (void)
3938 {
3939  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3940  uint16_t buflen = strlen((char *)buf);
3941  ThreadVars th_v;
3942  DetectEngineThreadCtx *det_ctx = NULL;
3943  int result = 0;
3944 
3945  memset(&th_v, 0, sizeof(th_v));
3946 
3947  Packet *p = NULL;
3948  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3949 
3951  if (de_ctx == NULL) {
3952  goto end;
3953  }
3954 
3955  de_ctx->flags |= DE_QUIET;
3956 
3957  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3958  if (de_ctx->sig_list == NULL) {
3959  result = 0;
3960  goto end;
3961  }
3962 
3964  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3965 
3966  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3967  if (PacketAlertCheck(p, 1))
3968  result = 1;
3969  else
3970  printf("sig 1 didn't match: ");
3971 
3974 
3975  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3977 end:
3978  UTHFreePackets(&p, 1);
3979  return result;
3980 }
3981 
3982 /** \test sigs with patterns at the limit of the pm's size limit */
3983 static int SigTestContent05 (void)
3984 {
3985  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3986  uint16_t buflen = strlen((char *)buf);
3987  ThreadVars th_v;
3988  DetectEngineThreadCtx *det_ctx = NULL;
3989  int result = 0;
3990 
3991  memset(&th_v, 0, sizeof(th_v));
3992  Packet *p = NULL;
3993  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3994 
3996  if (de_ctx == NULL) {
3997  printf("de_ctx == NULL: ");
3998  goto end;
3999  }
4000 
4001  de_ctx->flags |= DE_QUIET;
4002 
4003  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4004  if (de_ctx->sig_list == NULL) {
4005  printf("sig1 parse failed: ");
4006  goto end;
4007  }
4008  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
4009  if (de_ctx->sig_list->next == NULL) {
4010  printf("sig2 parse failed: ");
4011  goto end;
4012  }
4013 
4015  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4016 
4017  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4018 
4019  if (PacketAlertCheck(p, 1)) {
4020  printf("sig 1 matched but shouldn't: ");
4021  goto end;
4022  }
4023 
4024  if (PacketAlertCheck(p, 2)) {
4025  printf("sig 2 matched but shouldn't: ");
4026  goto end;
4027  }
4028 
4029  result = 1;
4030 end:
4031  UTHFreePackets(&p, 1);
4034 
4035  if (det_ctx != NULL) {
4036  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4037  }
4038  if (de_ctx != NULL) {
4040  }
4041  return result;
4042 }
4043 
4044 static int SigTestContent06 (void)
4045 {
4046  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4047  uint16_t buflen = strlen((char *)buf);
4048  ThreadVars th_v;
4049  DetectEngineThreadCtx *det_ctx = NULL;
4050  int result = 0;
4051 
4052  memset(&th_v, 0, sizeof(th_v));
4053  Packet *p = NULL;
4054  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4055 
4057  if (de_ctx == NULL) {
4058  goto end;
4059  }
4060 
4061  de_ctx->flags |= DE_QUIET;
4062 
4063  de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4064  if (de_ctx->sig_list == NULL) {
4065  result = 0;
4066  goto end;
4067  }
4068  de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
4069  if (de_ctx->sig_list->next == NULL) {
4070  result = 0;
4071  goto end;
4072  }
4073 
4075  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4076 
4077  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4078  if (PacketAlertCheck(p, 1)){
4079  //printf("sig 1 matched :");
4080  }else{
4081  printf("sig 1 didn't match: ");
4082  goto end;
4083  }
4084 
4085  if (PacketAlertCheck(p, 2)){
4086  result = 1;
4087  }else{
4088  printf("sig 2 didn't match: ");
4089  goto end;
4090  }
4091 
4094 
4095  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4097 end:
4098  UTHFreePackets(&p, 1);
4099  return result;
4100 }
4101 
4102 static int SigTestWithin01 (void)
4103 {
4105  ThreadVars th_v;
4106  int result = 0;
4107  Packet *p1 = NULL;
4108  Packet *p2 = NULL;
4109  Packet *p3 = NULL;
4110  Packet *p4 = NULL;
4111 
4112  uint8_t rawpkt1[] = {
4113  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4114  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4115  0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4116  0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4117  0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4118  0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4119  0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4120  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4121  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4122  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4123  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4124  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4125  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4126  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4127  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4128  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4129  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4130  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4131  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4132  0x00,0x00 }; /* end rawpkt1 */
4133 
4134  uint8_t rawpkt2[] = {
4135  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4136  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4137  0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4138  0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4139  0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4140  0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4141  0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4142  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4143  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4144  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4145  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4146  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4147  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4148  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4149  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4150  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4151  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4152  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4153  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4154  0x00,0x00 }; /* end rawpkt2 */
4155 
4156  uint8_t rawpkt3[] = {
4157  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4158  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4159  0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4160  0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4161  0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4162  0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4163  0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4164  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4165  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4166  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4167  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4168  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4169  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4170  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4171  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4172  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4173  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4174  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4175  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4176  0x00,0x00 }; /* end rawpkt3 */
4177 
4178  uint8_t rawpkt4[] = {
4179  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4180  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4181  0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4182  0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4183  0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4184  0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4185  0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4186  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4187  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4188  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4189  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4190  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4191  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4192  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4193  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4194  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4195  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4196  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4197  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4198  0x00,0x00 }; /* end rawpkt4 */
4199 
4200  memset(&dtv, 0, sizeof(DecodeThreadVars));
4201  memset(&th_v, 0, sizeof(th_v));
4202 
4203  DetectEngineThreadCtx *det_ctx = NULL;
4204 
4206 
4208  if (de_ctx == NULL) {
4209  goto end;
4210  }
4211 
4212  de_ctx->flags |= DE_QUIET;
4213 
4214  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4215  if (de_ctx->sig_list == NULL) {
4216  result = 0;
4217  goto end;
4218  }
4219 
4221  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4222 
4223  /* packet 1 */
4224  p1 = PacketGetFromAlloc();
4225  if (unlikely(p1 == NULL))
4226  return 0;
4227  DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1));
4228  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4229  if (!(PacketAlertCheck(p1, 556))) {
4230  printf("failed to match on packet 1: ");
4231  goto end;
4232  }
4233 
4234  /* packet 2 */
4235  p2 = PacketGetFromAlloc();
4236  if (unlikely(p2 == NULL))
4237  return 0;
4238  DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2));
4239  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4240  if (!(PacketAlertCheck(p2, 556))) {
4241  printf("failed to match on packet 2: ");
4242  goto end;
4243  }
4244 
4245  /* packet 3 */
4246  p3 = PacketGetFromAlloc();
4247  if (unlikely(p3 == NULL))
4248  return 0;
4249  DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3));
4250  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4251  if (!(PacketAlertCheck(p3, 556))) {
4252  printf("failed to match on packet 3: ");
4253  goto end;
4254  }
4255 
4256  /* packet 4 */
4257  p4 = PacketGetFromAlloc();
4258  if (unlikely(p4 == NULL))
4259  return 0;
4260  DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4));
4261  SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
4262  if (!(PacketAlertCheck(p4, 556))) {
4263  printf("failed to match on packet 4: ");
4264  goto end;
4265  }
4266 
4267  /* packet 5 */
4268  uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
4269  uint16_t p5buflen = strlen((char *)p5buf);
4270  Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
4271  SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
4272  if (!(PacketAlertCheck(p5, 556))) {
4273  printf("failed to match on packet 5: ");
4274  goto end;
4275  }
4276  UTHFreePackets(&p5, 1);
4277 
4278  result = 1;
4279 end:
4280  if (de_ctx != NULL) {
4283  }
4284 
4285  if (det_ctx != NULL)
4286  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4287 
4288  if (de_ctx != NULL)
4290 
4291  if (p1 != NULL) {
4292  PacketRecycle(p1);
4293  SCFree(p1);
4294  }
4295  if (p2 != NULL) {
4296  PacketRecycle(p2);
4297  SCFree(p2);
4298  }
4299  if (p3 != NULL) {
4300  PacketRecycle(p3);
4301  SCFree(p3);
4302  }
4303  if (p4 != NULL) {
4304  PacketRecycle(p4);
4305  SCFree(p4);
4306  }
4307  FlowShutdown();
4308  return result;
4309 }
4310 
4311 static int SigTestDepthOffset01 (void)
4312 {
4313  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4314  uint16_t buflen = strlen((char *)buf);
4315  Packet *p = NULL;
4316  ThreadVars th_v;
4317  DetectEngineThreadCtx *det_ctx = NULL;
4318  int result = 0;
4319 
4320  memset(&th_v, 0, sizeof(th_v));
4321 
4322  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
4323 
4325  if (de_ctx == NULL) {
4326  goto end;
4327  }
4328 
4329  de_ctx->flags |= DE_QUIET;
4330 
4331  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4332  if (de_ctx->sig_list == NULL) {
4333  result = 0;
4334  goto end;
4335  }
4336 
4338  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4339 
4340  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4341  if (PacketAlertCheck(p, 1))
4342  result = 1;
4343 
4346 
4347  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4349 end:
4350  UTHFreePackets(&p, 1);
4351  return result;
4352 }
4353 
4354 static int SigTestDetectAlertCounter(void)
4355 {
4356  Packet *p = NULL;
4357  ThreadVars tv;
4358  DetectEngineThreadCtx *det_ctx = NULL;
4359  memset(&tv, 0, sizeof(tv));
4360 
4363  de_ctx->flags |= DE_QUIET;
4364 
4365  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
4366  "content:\"boo\"; sid:1;)");
4367  FAIL_IF(de_ctx->sig_list == NULL);
4368 
4370  strlcpy(tv.name, "detect_test", sizeof(tv.name));
4371  DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4372  /* init counters */
4374 
4375  p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4376  Detect(&tv, p, det_ctx);
4378 
4379  Detect(&tv, p, det_ctx);
4381  UTHFreePackets(&p, 1);
4382 
4383  p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4384  Detect(&tv, p, det_ctx);
4386  UTHFreePackets(&p, 1);
4387 
4388  p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4389  Detect(&tv, p, det_ctx);
4391  UTHFreePackets(&p, 1);
4392 
4393  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4395  PASS;
4396 }
4397 
4398 /** \test test if the engine set flag to drop pkts of a flow that
4399  * triggered a drop action on IPS mode */
4400 static int SigTestDropFlow01(void)
4401 {
4402  Flow f;
4403  HtpState *http_state = NULL;
4404  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4405  "User-Agent: Mozilla/1.0\r\n"
4406  "Cookie: hellocatch\r\n\r\n";
4407  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4408  TcpSession ssn;
4409  Packet *p = NULL;
4410  Signature *s = NULL;
4411  ThreadVars tv;
4412  DetectEngineThreadCtx *det_ctx = NULL;
4414 
4415  memset(&tv, 0, sizeof(ThreadVars));
4416  memset(&f, 0, sizeof(Flow));
4417  memset(&ssn, 0, sizeof(TcpSession));
4418 
4419  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4420 
4421  FLOW_INITIALIZE(&f);
4422  f.protoctx = (void *)&ssn;
4423  f.proto = IPPROTO_TCP;
4424  f.flags |= FLOW_IPV4;
4425 
4426  p->flow = &f;
4430  f.alproto = ALPROTO_HTTP1;
4431 
4432  StreamTcpInitConfig(true);
4433 
4436  de_ctx->flags |= DE_QUIET;
4437 
4438  s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4439  "(msg:\"Test proto match\"; "
4440  "sid:1;)");
4441  FAIL_IF_NULL(s);
4442 
4444  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4445 
4446  int r = AppLayerParserParse(
4447  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4448  FAIL_IF_NOT(r == 0);
4449 
4450  http_state = f.alstate;
4451  FAIL_IF_NULL(http_state);
4452 
4453  /* do detect */
4454  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4455 
4457 
4459 
4461  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4463 
4464  StreamTcpFreeConfig(true);
4465  FLOW_DESTROY(&f);
4466 
4467  UTHFreePackets(&p, 1);
4468  PASS;
4469 }
4470 
4471 /** \test test if the engine set flag to drop pkts of a flow that
4472  * triggered a drop action on IPS mode */
4473 static int SigTestDropFlow02(void)
4474 {
4475  int result = 0;
4476  Flow f;
4477  HtpState *http_state = NULL;
4478  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4479  "User-Agent: Mozilla/1.0\r\n"
4480  "Cookie: hellocatch\r\n\r\n";
4481  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4482  TcpSession ssn;
4483  Packet *p = NULL;
4484  Signature *s = NULL;
4485  ThreadVars tv;
4486  DetectEngineThreadCtx *det_ctx = NULL;
4488 
4489  memset(&tv, 0, sizeof(ThreadVars));
4490  memset(&f, 0, sizeof(Flow));
4491  memset(&ssn, 0, sizeof(TcpSession));
4492 
4493  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4494 
4495  FLOW_INITIALIZE(&f);
4496  f.protoctx = (void *)&ssn;
4497  f.proto = IPPROTO_TCP;
4498  f.flags |= FLOW_IPV4;
4499 
4500  p->flow = &f;
4504  f.alproto = ALPROTO_HTTP1;
4505 
4506  StreamTcpInitConfig(true);
4507 
4509  if (de_ctx == NULL) {
4510  goto end;
4511  }
4512  de_ctx->flags |= DE_QUIET;
4513 
4514  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4515  "(msg:\"Test proto match\"; uricontent:\"one\";"
4516  "sid:1;)");
4517  if (s == NULL) {
4518  goto end;
4519  }
4520 
4522  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4523 
4524  int r = AppLayerParserParse(
4525  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4526  if (r != 0) {
4527  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4528  goto end;
4529  }
4530 
4531  http_state = f.alstate;
4532  if (http_state == NULL) {
4533  printf("no http state: ");
4534  goto end;
4535  }
4536 
4537  /* do detect */
4538  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4539 
4540  if (!PacketAlertCheck(p, 1)) {
4541  printf("sig 1 didn't alert, but it should: ");
4542  goto end;
4543  }
4544 
4545  if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4546  printf("sig 1 alerted but flow was not flagged correctly: ");
4547  goto end;
4548  }
4549 
4550  /* Ok, now we know that the flag is set for app layer sigs
4551  * (ex: inspecting uricontent) */
4552 
4553  result = 1;
4554 
4555 end:
4556  if (alp_tctx != NULL)
4558  if (det_ctx != NULL)
4559  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4560  if (de_ctx != NULL)
4562  if (de_ctx != NULL)
4564 
4565  StreamTcpFreeConfig(true);
4566  FLOW_DESTROY(&f);
4567 
4568  UTHFreePackets(&p, 1);
4569  return result;
4570 }
4571 
4572 /** \test test if the engine set flag to drop pkts of a flow that
4573  * triggered a drop action on IPS mode, and it doesn't inspect
4574  * any other packet of the stream */
4575 static int SigTestDropFlow03(void)
4576 {
4577  int result = 0;
4578  Flow f;
4579  HtpState *http_state = NULL;
4580  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4581  "User-Agent: Mozilla/1.0\r\n"
4582  "Cookie: hellocatch\r\n\r\n";
4583  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4584 
4585  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4586  "User-Agent: Mozilla/1.0\r\n"
4587  "Cookie: hellocatch\r\n\r\n";
4588  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4589 
4590  /* Set the engine mode to IPS */
4591  EngineModeSetIPS();
4592 
4593  TcpSession ssn;
4594  Packet *p1 = NULL;
4595  Packet *p2 = NULL;
4596  Signature *s = NULL;
4597  ThreadVars tv;
4598  DetectEngineThreadCtx *det_ctx = NULL;
4600 
4601  memset(&tv, 0, sizeof(ThreadVars));
4602  memset(&f, 0, sizeof(Flow));
4603  memset(&ssn, 0, sizeof(TcpSession));
4604 
4605  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4606  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4607 
4608  FLOW_INITIALIZE(&f);
4609  f.protoctx = (void *)&ssn;
4610  f.proto = IPPROTO_TCP;
4611  f.flags |= FLOW_IPV4;
4612 
4613  p1->flow = &f;
4617 
4618  p2->flow = &f;
4622  f.alproto = ALPROTO_HTTP1;
4623 
4624  StreamTcpInitConfig(true);
4625 
4627  if (de_ctx == NULL) {
4628  goto end;
4629  }
4630 
4631  de_ctx->flags |= DE_QUIET;
4632 
4633  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4634  "(msg:\"Test proto match\"; uricontent:\"one\";"
4635  "sid:1;)");
4636  if (s == NULL) {
4637  goto end;
4638  }
4639 
4640  /* the no inspection flag should be set after the first sig gets triggered,
4641  * so the second packet should not match the next sig (because of no inspection) */
4642  s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4643  "(msg:\"Test proto match\"; uricontent:\"two\";"
4644  "sid:2;)");
4645  if (s == NULL) {
4646  goto end;
4647  }
4648 
4650  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4651 
4652  int r = AppLayerParserParse(
4653  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4654  if (r != 0) {
4655  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4656  goto end;
4657  }
4658 
4659  http_state = f.alstate;
4660  if (http_state == NULL) {
4661  printf("no http state: ");
4662  goto end;
4663  }
4664 
4665  /* do detect */
4666  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4667 
4668  if (!PacketAlertCheck(p1, 1)) {
4669  printf("sig 1 didn't alert on p1, but it should: ");
4670  goto end;
4671  }
4672 
4673  if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4674  printf("sig 1 alerted but flow was not flagged correctly: ");
4675  goto end;
4676  }
4677 
4678  /* Second part.. Let's feed with another packet */
4679  if (StreamTcpCheckFlowDrops(p2) == 1) {
4680  SCLogDebug("This flow/stream triggered a drop rule");
4681  FlowSetNoPacketInspectionFlag(p2->flow);
4682  DecodeSetNoPacketInspectionFlag(p2);
4684  p2->action |= ACTION_DROP;
4685  /* return the segments to the pool */
4687  }
4688 
4689 
4690  if ( !(p2->flags & PKT_NOPACKET_INSPECTION)) {
4691  printf("The packet was not flagged with no-inspection: ");
4692  goto end;
4693  }
4694 
4695  r = AppLayerParserParse(
4696  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4697  if (r != 0) {
4698  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4699  goto end;
4700  }
4701 
4702  /* do detect */
4703  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4704 
4705  if (PacketAlertCheck(p2, 1)) {
4706  printf("sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4707  goto end;
4708  }
4709 
4710  if (PacketAlertCheck(p2, 2)) {
4711  printf("sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4712  goto end;
4713  }
4714 
4715  if (!(PacketTestAction(p2, ACTION_DROP))) {
4716  printf("A \"drop\" action should be set from the flow to the packet: ");
4717  goto end;
4718  }
4719 
4720  result = 1;
4721 
4722 end:
4723  if (alp_tctx != NULL)
4725  if (det_ctx != NULL)
4726  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4727  if (de_ctx != NULL)
4729  if (de_ctx != NULL)
4731 
4732  StreamTcpFreeConfig(true);
4733  FLOW_DESTROY(&f);
4734 
4735  UTHFreePackets(&p1, 1);
4736  UTHFreePackets(&p2, 1);
4737 
4738  /* Restore mode to IDS */
4739  EngineModeSetIDS();
4740  return result;
4741 }
4742 
4743 /** \test test if the engine set flag to drop pkts of a flow that
4744  * triggered a drop action on IDS mode, but continue the inspection
4745  * as usual (instead of on IPS mode) */
4746 static int SigTestDropFlow04(void)
4747 {
4748  Flow f;
4749  HtpState *http_state = NULL;
4750  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4751  "User-Agent: Mozilla/1.0\r\n"
4752  "Cookie: hellocatch\r\n\r\n";
4753  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4754 
4755  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4756  "User-Agent: Mozilla/1.0\r\n"
4757  "Cookie: hellocatch\r\n\r\n";
4758  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4759 
4760  TcpSession ssn;
4761  Packet *p1 = NULL;
4762  Packet *p2 = NULL;
4763  Signature *s = NULL;
4764  ThreadVars tv;
4765  DetectEngineThreadCtx *det_ctx = NULL;
4767 
4768  memset(&tv, 0, sizeof(ThreadVars));
4769  memset(&f, 0, sizeof(Flow));
4770  memset(&ssn, 0, sizeof(TcpSession));
4771 
4772  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4773  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4774 
4775  FLOW_INITIALIZE(&f);
4776  f.protoctx = (void *)&ssn;
4777  f.proto = IPPROTO_TCP;
4778  f.flags |= FLOW_IPV4;
4779 
4780  p1->flow = &f;
4784 
4785  p2->flow = &f;
4789  f.alproto = ALPROTO_HTTP1;
4790 
4791  StreamTcpInitConfig(true);
4792 
4795  de_ctx->flags |= DE_QUIET;
4796 
4797  s = DetectEngineAppendSig(de_ctx, "drop tcp any any -> any 80 "
4798  "(msg:\"Test proto match\"; uricontent:\"one\";"
4799  "sid:1;)");
4800  FAIL_IF_NULL(s);
4801 
4802  /* the no inspection flag should be set after the first sig gets triggered,
4803  * so the second packet should not match the next sig (because of no inspection) */
4804  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any 80 "
4805  "(msg:\"Test proto match\"; uricontent:\"two\";"
4806  "sid:2;)");
4807  FAIL_IF_NULL(s);
4808 
4810  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4811 
4812  int r = AppLayerParserParse(
4813  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4814  FAIL_IF_NOT(r == 0);
4815 
4816  http_state = f.alstate;
4817  FAIL_IF_NULL(http_state);
4818 
4819  /* do detect */
4820  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4821 
4822  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
4823  FAIL_IF(PacketAlertCheck(p1, 2));
4824 
4826  FAIL_IF_NOT(PacketTestAction(p1, ACTION_DROP));
4827 
4829 
4830  r = AppLayerParserParse(
4831  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4832  FAIL_IF_NOT(r == 0);
4833 
4834  /* do detect */
4835  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4836 
4837  FAIL_IF(PacketAlertCheck(p2, 1));
4838  FAIL_IF(PacketAlertCheck(p2, 2));
4839  FAIL_IF_NOT(PacketTestAction(p2, ACTION_DROP));
4840 
4842  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4844 
4845  StreamTcpFreeConfig(true);
4846  FLOW_DESTROY(&f);
4847 
4848  UTHFreePackets(&p1, 1);
4849  UTHFreePackets(&p2, 1);
4850 
4851  PASS;
4852 }
4853 
4854 /** \test ICMP packet shouldn't be matching port based sig
4855  * Bug #611 */
4856 static int SigTestPorts01(void)
4857 {
4858  int result = 0;
4859  Packet *p1 = NULL;
4860  Signature *s = NULL;
4861  ThreadVars tv;
4862  DetectEngineThreadCtx *det_ctx = NULL;
4863  uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
4864 
4865  memset(&tv, 0, sizeof(ThreadVars));
4866 
4867  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
4868 
4870  if (de_ctx == NULL) {
4871  goto end;
4872  }
4873  de_ctx->flags |= DE_QUIET;
4874 
4875  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
4876  "(content:\"AAA\"; sid:1;)");
4877  if (s == NULL) {
4878  goto end;
4879  }
4880 
4882  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4883 
4884  /* do detect */
4885  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4886 
4887  if (PacketAlertCheck(p1, 1)) {
4888  printf("sig 1 alerted on p1, but it should not: ");
4889  goto end;
4890  }
4891 
4892  result = 1;
4893 end:
4894  if (det_ctx != NULL)
4895  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4896  if (de_ctx != NULL)
4898  if (de_ctx != NULL)
4900 
4901  UTHFreePackets(&p1, 1);
4902  return result;
4903 }
4904 
4905 /** \test almost identical patterns */
4906 static int SigTestBug01(void)
4907 {
4908  int result = 0;
4909  Packet *p1 = NULL;
4910  Signature *s = NULL;
4911  ThreadVars tv;
4912  DetectEngineThreadCtx *det_ctx = NULL;
4913  uint8_t payload[] = "!mymy";
4914 
4915  memset(&tv, 0, sizeof(ThreadVars));
4916 
4917  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
4918 
4920  if (de_ctx == NULL) {
4921  goto end;
4922  }
4923  de_ctx->flags |= DE_QUIET;
4924 
4925  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4926  "(content:\"Omymy\"; nocase; sid:1;)");
4927  if (s == NULL) {
4928  goto end;
4929  }
4930  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4931  "(content:\"!mymy\"; nocase; sid:2;)");
4932  if (s == NULL) {
4933  goto end;
4934  }
4935 
4937  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4938 
4939  /* do detect */
4940  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4941 
4942  if (PacketAlertCheck(p1, 1)) {
4943  printf("sig 1 alerted on p1, but it should not: ");
4944  goto end;
4945  }
4946  if (!(PacketAlertCheck(p1, 2))) {
4947  printf("sig 2 did not p1, but it should have: ");
4948  goto end;
4949  }
4950 
4951  result = 1;
4952 end:
4953  if (det_ctx != NULL)
4954  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4955  if (de_ctx != NULL)
4957  if (de_ctx != NULL)
4959 
4960  UTHFreePackets(&p1, 1);
4961  return result;
4962 }
4963 
4964 static const char *dummy_conf_string2 =
4965  "%YAML 1.1\n"
4966  "---\n"
4967  "vars:\n"
4968  "\n"
4969  " address-groups:\n"
4970  "\n"
4971  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4972  "\n"
4973  " EXTERNAL_NET: \"any\"\n"
4974  "\n"
4975  " port-groups:\n"
4976  "\n"
4977  " HTTP_PORTS: \"80:81,88\"\n"
4978  "\n";
4979 
4980 static int DetectAddressYamlParsing01 (void)
4981 {
4982  int result = 0;
4983 
4985  ConfInit();
4986  ConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
4987 
4989  if (de_ctx == NULL) {
4990  goto end;
4991  }
4992 
4993  de_ctx->flags |= DE_QUIET;
4994 
4995  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4996  goto end;
4997  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4998  goto end;
4999  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5000  goto end;
5001 
5002  result = 1;
5003 
5005 end:
5006  ConfDeInit();
5008  return result;
5009 }
5010 
5011 static const char *dummy_conf_string3 =
5012  "%YAML 1.1\n"
5013  "---\n"
5014  "vars:\n"
5015  "\n"
5016  " address-groups:\n"
5017  "\n"
5018  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5019  "\n"
5020  " EXTERNAL_NET: \"any\"\n"
5021  "\n"
5022  " port-groups:\n"
5023  "\n"
5024  " HTTP_PORTS: \"80:81,88\"\n"
5025  "\n";
5026 
5027 static int DetectAddressYamlParsing02 (void)
5028 {
5029  int result = 0;
5030 
5032  ConfInit();
5033  ConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
5034 
5036  if (de_ctx == NULL) {
5037  goto end;
5038  }
5039 
5040  de_ctx->flags |= DE_QUIET;
5041 
5042  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5043  goto end;
5044  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5045  goto end;
5046  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5047  goto end;
5048 
5049  result = 1;
5050 
5052 end:
5053  ConfDeInit();
5055  return result;
5056 }
5057 
5058 static const char *dummy_conf_string4 =
5059  "%YAML 1.1\n"
5060  "---\n"
5061  "vars:\n"
5062  "\n"
5063  " address-groups:\n"
5064  "\n"
5065  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5066  "\n"
5067  " EXTERNAL_NET: \"any\"\n"
5068  "\n"
5069  " port-groups:\n"
5070  "\n"
5071  " HTTP_PORTS: \"80:81,88\"\n"
5072  "\n";
5073 
5074 static int DetectAddressYamlParsing03 (void)
5075 {
5076  int result = 0;
5077 
5079  ConfInit();
5080  ConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
5081 
5083  if (de_ctx == NULL) {
5084  goto end;
5085  }
5086 
5087  de_ctx->flags |= DE_QUIET;
5088 
5089  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5090  goto end;
5091  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5092  goto end;
5093  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5094  goto end;
5095 
5096  result = 1;
5097 
5099 end:
5100  ConfDeInit();
5102  return result;
5103 }
5104 
5105 static const char *dummy_conf_string5 =
5106  "%YAML 1.1\n"
5107  "---\n"
5108  "vars:\n"
5109  "\n"
5110  " address-groups:\n"
5111  "\n"
5112  " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
5113  "\n"
5114  " EXTERNAL_NET: \"any\"\n"
5115  "\n"
5116  " port-groups:\n"
5117  "\n"
5118  " HTTP_PORTS: \"80:81,88\"\n"
5119  "\n";
5120 
5121 /** \test bug #815 */
5122 static int DetectAddressYamlParsing04 (void)
5123 {
5124  int result = 0;
5125 
5127  ConfInit();
5128  ConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
5129 
5131  if (de_ctx == NULL) {
5132  goto end;
5133  }
5134 
5135  de_ctx->flags |= DE_QUIET;
5136 
5137  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5138  goto end;
5139  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5140  goto end;
5141  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5142  goto end;
5143 
5144  result = 1;
5145 
5147 end:
5148  ConfDeInit();
5150  return result;
5151 }
5152 
5154 {
5157 
5158  UtRegisterTest("SigTest01", SigTest01);
5159  UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
5160  UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
5161  UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
5162  UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
5163  UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
5164  UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
5165  SigTest07);
5166  UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
5167  UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
5168  SigTest09);
5169  UtRegisterTest("SigTest10 -- long content match, longer than pkt",
5170  SigTest10);
5171  UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
5172  UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
5173  UtRegisterTest("SigTest13 -- content order matching, diff order",
5174  SigTest13);
5175  UtRegisterTest("SigTest14 -- content order matching, distance 0",
5176  SigTest14);
5177  UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
5178  UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
5179  UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
5180  UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
5181  UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
5182  UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
5183  UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
5184  UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
5185  UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
5186 
5187  UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
5188  UtRegisterTest("SigTest25NegativeIPV4Keyword",
5189  SigTest25NegativeIPV4Keyword);
5190 
5191  UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
5192  UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
5193  SigTest26TCPV4AndNegativeIPV4Keyword);
5194  UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
5195  SigTest26TCPV4AndIPV4Keyword);
5196  UtRegisterTest("SigTest27NegativeTCPV4Keyword",
5197  SigTest27NegativeTCPV4Keyword);
5198 
5199  UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
5200  UtRegisterTest("SigTest29NegativeTCPV6Keyword",
5201  SigTest29NegativeTCPV6Keyword);
5202 
5203  UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
5204  UtRegisterTest("SigTest31NegativeUDPV4Keyword",
5205  SigTest31NegativeUDPV4Keyword);
5206 
5207  UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
5208  UtRegisterTest("SigTest33NegativeUDPV6Keyword",
5209  SigTest33NegativeUDPV6Keyword);
5210 
5211  UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5212  UtRegisterTest("SigTest35NegativeICMPV4Keyword",
5213  SigTest35NegativeICMPV4Keyword);
5214  UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
5215  SigTest36ContentAndIsdataatKeywords01);
5216  UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
5217  SigTest37ContentAndIsdataatKeywords02);
5218 
5219  UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
5220 
5221  UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
5222 
5223  UtRegisterTest("SigTest40NoPacketInspection01",
5224  SigTest40NoPacketInspection01);
5225  UtRegisterTest("SigTest40NoPayloadInspection02",
5226  SigTest40NoPayloadInspection02);
5227 
5228  UtRegisterTest("SigTestMemory01", SigTestMemory01);
5229  UtRegisterTest("SigTestMemory02", SigTestMemory02);
5230  UtRegisterTest("SigTestMemory03", SigTestMemory03);
5231 
5232  UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
5233  UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5234  UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
5235  SigTestContent03);
5236  UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5237  SigTestContent04);
5238  UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
5239  UtRegisterTest("SigTestContent06 -- distance/within ip only",
5240  SigTestContent06);
5241 
5242  UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
5243  UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
5244 
5245  UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5246 
5247  UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
5248  UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
5249  UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
5250  UtRegisterTest("SigTestDropFlow04", SigTestDropFlow04);
5251 
5252  UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5253  UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5254  UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5255  UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
5256 
5257  UtRegisterTest("SigTestPorts01", SigTestPorts01);
5258  UtRegisterTest("SigTestBug01", SigTestBug01);
5259 
5261 }
5262 #endif /* UNITTESTS */
IPOnlyRegisterTests
void IPOnlyRegisterTests(void)
Definition: detect-engine-iponly.c:2422
Packet_::proto
uint8_t proto
Definition: decode.h:450
PktVarGet
PktVar * PktVarGet(Packet *p, uint32_t id)
Definition: pkt-var.c:40
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:143
StreamTcpSessionPktFree
void StreamTcpSessionPktFree(Packet *p)
Function to return the stream segments back to the pool.
Definition: stream-tcp.c:274
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:79
DetectEngineContentInspectionRegisterTests
void DetectEngineContentInspectionRegisterTests(void)
Definition: detect-engine-content-inspection.c:274
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1003
PACKET_RESET_CHECKSUMS
#define PACKET_RESET_CHECKSUMS(p)
reset these to -1(indicates that the packet is fresh from the queue)
Definition: decode.h:767
ThreadVars_::name
char name[16]
Definition: threadvars.h:64
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:292
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:62
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition: packet-queue.h:49
Flow_::proto
uint8_t proto
Definition: flow.h:379
Packet_::payload
uint8_t * payload
Definition: decode.h:573
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:463
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:167
Packet_::action
uint8_t action
Definition: decode.h:577
SigRegisterTests
void SigRegisterTests(void)
Definition: detect.c:5153
Flow_
Flow data structure.
Definition: flow.h:357
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:134
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:790
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2442
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:250
MPM_AC
@ MPM_AC
Definition: util-mpm.h:35
StatsSetupPrivate
int StatsSetupPrivate(ThreadVars *tv)
Definition: counters.c:1210
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:314
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:227
DE_QUIET
#define DE_QUIET
Definition: detect.h:287
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:67
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1809
UTHBuildPacketSrcDstPorts
Packet * UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, uint16_t sport, uint16_t dport)
UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying src and dst ports and defaulting...
Definition: util-unittest-helper.c:454
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:992
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:1741
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:46
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2434
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:459
Flow_::protoctx
void * protoctx
Definition: flow.h:447
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:574
HtpState_
Definition: app-layer-htp.h:244
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
IPV6_GET_PLEN
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:88
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
Signature_::next
struct Signature_ * next
Definition: detect.h:614
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:543
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:223
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:356
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:40
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
Definition: util-var-name.c:309
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition: detect-parse.c:4284
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1025
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:226
PktVar_::value
uint8_t * value
Definition: decode.h:320
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:219
Packet_::ethh
EthernetHdr * ethh
Definition: decode.h:524
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
Packet_::sp
Port sp
Definition: decode.h:435
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:96
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:221
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:491
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2129
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:289
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2019
StatsGetLocalCounterValue
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1256
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:428
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:218
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:531
ConfCreateContextBackup
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:664
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1951
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:293
IPV4Hdr_
Definition: decode-ipv4.h:72
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3153
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:668
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1323
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:445
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3367
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:553
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:689
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
ConfRestoreContextBackup
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:676
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:561
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1061
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:664
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:482
Flow_::flags
uint32_t flags
Definition: flow.h:427
PktVarFree
void PktVarFree(PktVar *pv)
Definition: pkt-var.c:111
Signature_
Signature container.
Definition: detect.h:540
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:229
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2403
PktVar_::value_len
uint16_t value_len
Definition: decode.h:318
TCP_GET_HLEN
#define TCP_GET_HLEN(p)
Definition: decode-tcp.h:111
Packet_::udph
UDPHdr * udph
Definition: decode.h:555
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1159
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
Address_::family
char family
Definition: decode.h:115
Packet_::dst
Address dst
Definition: decode.h:433
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:41
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:988
ConfDeInit
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:687
PktVar_
Definition: decode.h:312
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:786
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:66
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:533
TcpSession_
Definition: stream-tcp-private.h:272
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:456
Packet_::dp
Port dp
Definition: decode.h:443
IPV4Hdr_::ip_verhl
uint8_t ip_verhl
Definition: decode-ipv4.h:73
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:129
Packet_::src
Address src
Definition: decode.h:432
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:32
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1000
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468