20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../pkt-var.h"
25 #include "../flow-util.h"
26 #include "../stream-tcp-reassemble.h"
27 #include "../util-unittest.h"
28 #include "../util-unittest-helper.h"
/* Embedded YAML configuration text for the tests; only part of it is visible
 * in this listing. The address and port variables defined here are the ones
 * that rules in this file reference as $HOME_NET and $HTTP_PORTS.
 * NOTE(review): where this string is loaded is not shown here -- confirm
 * against the test setup code. */
30 static const char *dummy_conf_string =
34 "default-log-dir: /var/log/suricata\n"
38 " default-log-level: debug\n"
40 " default-format: \"<%t> - <%l>\"\n"
42 " default-startup-message: Your IDS has started.\n"
44 " default-output-filter:\n"
48 " - interface: console\n"
51 " - interface: file\n"
52 " filename: /var/log/suricata.log\n"
54 " - interface: syslog\n"
/* HOME_NET is written as two adjacent string literals; the compiler joins
 * them into one bracketed list of IPv4 and IPv6 networks. */
68 " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
69 "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
/* A leading '!' negates the address or network that follows it. */
71 " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
73 " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
75 " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
77 " SQL_SERVERS: \"!192.168.0.0/16\"\n"
81 " TELNET_SERVERS: any\n"
/* Port variables: "80:81,88" combines a range (80 through 81) with a single
 * port. */
87 " HTTP_PORTS: \"80:81,88\"\n"
89 " SHELLCODE_PORTS: 80\n"
91 " ORACLE_PORTS: 1521\n"
/* SigTest01: the payload holds two GET requests and the rule's pcre has a
 * named group, pkt_http_uri. The visible check expects two captured URIs,
 * "/one/" and "/two/", of 5 bytes each. Most of the body is not shown in this
 * listing. */
96 static int SigTest01 (
void)
98 uint8_t *buf = (uint8_t *)
99 "GET /one/ HTTP/1.1\r\n"
100 "Host: one.example.org\r\n"
102 "GET /two/ HTTP/1.1\r\n"
103 "Host: two.example.org\r\n"
/* strlen() returns size_t; assigning it to uint16_t narrows silently. Safe
 * for this short literal, but a buffer longer than 65535 bytes would be
 * truncated. */
105 uint16_t buflen = strlen((
char *)buf);
/* Rule under test: "GET " must lie in the first 4 payload bytes (depth:4);
 * the pcre then captures the text between "GET " and " HTTP/<d>.<d>\r\n". */
109 char sig[] =
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
/* Both the stored size and the bytes are compared for each capture, so a
 * capture of a different length fails the check. */
118 if (p->http_uri.raw_size[0] == 5 &&
119 memcmp(p->http_uri.raw[0],
"/one/", 5) == 0 &&
120 p->http_uri.raw_size[1] == 5 &&
121 memcmp(p->http_uri.raw[1],
"/two/", 5) == 0)
/* SigTest02: content match for "Host: one.example.org" restricted by offset
 * and depth. The first request line, "GET /one/ HTTP/1.1\r\n", is 20 bytes
 * and the content string is 21 bytes, so the string sits at payload bytes
 * 20..40. The expected result is not visible in this listing. */
134 static int SigTest02 (
void)
136 uint8_t *buf = (uint8_t *)
137 "GET /one/ HTTP/1.1\r\n"
138 "Host: one.example.org\r\n"
140 "GET /two/ HTTP/1.1\r\n"
141 "Host: two.example.org\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
143 uint16_t buflen = strlen((
char *)buf);
145 char sig[] =
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
/* SigTest03: same payload and content string as the offset:20/depth:41 test,
 * but with depth:39. The content string occupies payload bytes 20..40.
 * NOTE(review): whether depth:39 still covers the whole string depends on
 * whether depth is counted from the payload start or from the offset; the
 * expected result is not visible here -- confirm. */
151 static int SigTest03 (
void)
153 uint8_t *buf = (uint8_t *)
154 "GET /one/ HTTP/1.1\r\n"
155 "Host: one.example.org\r\n"
157 "GET /two/ HTTP/1.1\r\n"
158 "Host: two.example.org\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
160 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v so no field is read uninitialised. */
166 memset(&th_v, 0,
sizeof(th_v));
/* The parsed rule becomes the detection engine's signature list. */
177 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
/* SigTest04: two "Host:" content matches in one rule. The first is limited by
 * offset/depth; the second carries distance/within, which position it
 * relative to the previous content match. The expected result is not visible
 * in this listing. */
200 static int SigTest04 (
void)
202 uint8_t *buf = (uint8_t *)
203 "GET /one/ HTTP/1.1\r\n"
204 "Host: one.example.org\r\n"
206 "GET /two/ HTTP/1.1\r\n"
207 "Host: two.example.org\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
209 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v so no field is read uninitialised. */
216 memset(&th_v, 0,
sizeof(th_v));
227 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
/* SigTest05: negative counterpart of the two-"Host:" rule, using
 * distance:48/within:52 for the second content. The visible failure message
 * ("sig matched but shouldn't have") shows the signature is expected NOT to
 * match this payload. */
250 static int SigTest05 (
void)
252 uint8_t *buf = (uint8_t *)
253 "GET /one/ HTTP/1.1\r\n"
254 "Host: one.example.org\r\n"
256 "GET /two/ HTTP/1.1\r\n"
257 "Host: two.example.org\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
259 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v so no field is read uninitialised. */
265 memset(&th_v, 0,
sizeof(th_v));
276 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
/* Reported when the rule text itself is rejected, which is a different
 * failure from an unexpected match. */
278 printf(
"sig parse failed: ");
289 printf(
"sig matched but shouldn't have: ");
/* SigTest06: the pkt_http_uri pcre capture rule, added with
 * DetectEngineAppendSig, in a test that also sets up a flow (f) and a session
 * object (ssn). The checks on the result are not visible in this listing. */
302 static int SigTest06 (
void)
304 uint8_t *buf = (uint8_t *)
305 "GET /one/ HTTP/1.1\r\n"
306 "Host: one.example.org\r\n"
308 "GET /two/ HTTP/1.1\r\n"
309 "Host: two.example.org\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
311 uint16_t buflen = strlen((
char *)buf);
/* Zero all three objects so no field is read uninitialised. */
320 memset(&th_v, 0,
sizeof(th_v));
321 memset(&f, 0,
sizeof(f));
322 memset(&ssn, 0,
sizeof(ssn));
/* Mark the flow as TCP, matching the "alert tcp" rule below. */
330 f.
proto = IPPROTO_TCP;
343 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/* SigTest07: the pkt_http_uri pcre capture rule loaded with SigInit, with a
 * flow and session object set up. The visible message reports the return
 * value r of a "toserver chunk 1" step, for which 0 is the expected value;
 * the call that produces r is not shown in this listing. */
369 static int SigTest07 (
void)
371 uint8_t *buf = (uint8_t *)
372 "GET /one/ HTTP/1.1\r\n"
373 "Host: one.example.org\r\n"
375 "GET /two/ HTTP/1.1\r\n"
376 "Host: two.example.org\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
378 uint16_t buflen = strlen((
char *)buf);
/* Zero all three objects so no field is read uninitialised. */
387 memset(&th_v, 0,
sizeof(th_v));
388 memset(&f, 0,
sizeof(f));
389 memset(&ssn, 0,
sizeof(ssn));
/* Mark the flow as TCP, matching the "alert tcp" rule below. */
396 f.
proto = IPPROTO_TCP;
412 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/* PRId32 is the <inttypes.h> format macro for int32_t; it has to agree with
 * the declared type of r (declaration not shown). */
429 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* SigTest08: HTTP/1.0 variant of the URI capture test. The payload uses
 * "HTTP/1.0" and the pcre requires that literal version instead of any
 * digit.digit pair. The last visible message reports on two signature ids;
 * only the rule for sid:1 is visible in this listing. */
458 static int SigTest08 (
void)
460 uint8_t *buf = (uint8_t *)
461 "GET /one/ HTTP/1.0\r\n"
462 "Host: one.example.org\r\n"
464 "GET /two/ HTTP/1.0\r\n"
465 "Host: two.example.org\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
467 uint16_t buflen = strlen((
char *)buf);
/* NOTE(review): f is sized by type name here while th_v and ssn use
 * sizeof(object); the two agree only as long as f is declared as a Flow
 * (declaration not shown). */
476 memset(&f, 0,
sizeof(
Flow));
477 memset(&th_v, 0,
sizeof(th_v));
478 memset(&ssn, 0,
sizeof(ssn));
/* Mark the flow as TCP, matching the "alert tcp" rule below. */
485 f.
proto = IPPROTO_TCP;
501 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
/* PRId32 has to agree with the declared type of r (declaration not shown). */
518 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
529 printf(
"sid:1 %s, sid:2 %s: ",
/* SigTest09: HTTP/1.0 payload with the pcre that requires the literal
 * "HTTP/1.0" version string, loaded with SigInit on a TCP flow. The checks on
 * the result are not visible in this listing. */
549 static int SigTest09 (
void)
551 uint8_t *buf = (uint8_t *)
552 "GET /one/ HTTP/1.0\r\n"
553 "Host: one.example.org\r\n"
555 "GET /two/ HTTP/1.0\r\n"
556 "Host: two.example.org\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
558 uint16_t buflen = strlen((
char *)buf);
/* Zero all three objects so no field is read uninitialised. */
567 memset(&th_v, 0,
sizeof(th_v));
568 memset(&f, 0,
sizeof(f));
569 memset(&ssn, 0,
sizeof(ssn));
/* Mark the flow as TCP, matching the "alert tcp" rule below. */
576 f.
proto = IPPROTO_TCP;
592 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
/* PRId32 has to agree with the declared type of r (declaration not shown). */
609 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* SigTest10: "Long content test (1)" -- the rule looks for "ABCD" within the
 * first 4 payload bytes (depth:4). The payload literal itself is not visible
 * in this listing. */
637 static int SigTest10 (
void)
639 uint8_t *buf = (uint8_t *)
/* NOTE(review): strlen()'s size_t result is narrowed to uint16_t; the length
 * of the literal is not visible here, so confirm it stays below 65536. */
641 uint16_t buflen = strlen((
char *)buf);
/* Zero all three objects so no field is read uninitialised. */
650 memset(&th_v, 0,
sizeof(th_v));
651 memset(&f, 0,
sizeof(f));
652 memset(&ssn, 0,
sizeof(ssn));
/* Mark the flow as TCP, matching the "alert tcp" rule below. */
658 f.
proto = IPPROTO_TCP;
675 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
/* PRId32 has to agree with the declared type of r (declaration not shown). */
692 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* SigTest11: a rule with three content strings and no position modifiers.
 * All three ("ABCDEFGHIJ", "klmnop", "1234") occur in the payload, in that
 * order. The expected result is not visible in this listing. */
720 static int SigTest11 (
void)
722 uint8_t *buf = (uint8_t *)
723 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
/* size_t result narrowed to uint16_t; fine for this short literal. */
724 uint16_t buflen = strlen((
char *)buf);
/* Zero all three objects so no field is read uninitialised. */
732 memset(&th_v, 0,
sizeof(th_v));
733 memset(&f, 0,
sizeof(f));
734 memset(&ssn, 0,
sizeof(ssn));
/* Mark the flow as TCP, matching the "alert tcp" rule below. */
740 f.
proto = IPPROTO_TCP;
756 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
/* SigTest12: "Content order test" with the three content strings listed in
 * the same order in which they occur in the payload. The expected result is
 * not visible in this listing. */
784 static int SigTest12 (
void)
786 uint8_t *buf = (uint8_t *)
787 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
/* size_t result narrowed to uint16_t; fine for this short literal. */
788 uint16_t buflen = strlen((
char *)buf);
794 memset(&th_v, 0,
sizeof(th_v));
/* NOTE(review): sized by type name rather than sizeof(f); correct only as
 * long as f is declared as a Flow (declaration not shown). */
796 memset(&f, 0,
sizeof(
Flow));
811 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
/* SigTest13: "Content order test" with "1234" listed before "klmnop" in the
 * rule, although "klmnop" comes first in the payload. None of the contents
 * carries a relative modifier (distance/within).
 * NOTE(review): presumably this checks that rule order alone does not
 * constrain match positions; the expected result is not visible -- confirm. */
839 static int SigTest13 (
void)
841 uint8_t *buf = (uint8_t *)
842 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
/* size_t result narrowed to uint16_t; fine for this short literal. */
843 uint16_t buflen = strlen((
char *)buf);
849 memset(&th_v, 0,
sizeof(th_v));
/* NOTE(review): sized by type name rather than sizeof(f); correct only as
 * long as f is declared as a Flow (declaration not shown). */
851 memset(&f, 0,
sizeof(
Flow));
866 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
/* SigTest14: "Content order test" where the last content, "klmnop", carries
 * distance:0, which ties it to the preceding "1234" match. In the payload
 * "klmnop" occurs before "1234".
 * NOTE(review): presumably the rule is expected not to match for that reason;
 * the expected result is not visible in this listing -- confirm. */
891 static int SigTest14 (
void)
893 uint8_t *buf = (uint8_t *)
894 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
/* size_t result narrowed to uint16_t; fine for this short literal. */
895 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v so no field is read uninitialised. */
901 memset(&th_v, 0,
sizeof(th_v));
912 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
/* SigTest15: policy rule for an HTTP CONNECT request sent to a port outside
 * $HTTP_PORTS. The destination port in the rule is negated, so the outcome
 * depends on the packet's destination port, which is set on lines not shown
 * in this listing. */
936 static int SigTest15 (
void)
938 uint8_t *buf = (uint8_t *)
939 "CONNECT 213.92.8.7:31204 HTTP/1.1";
/* size_t result narrowed to uint16_t; fine for this short literal. */
940 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v so no field is read uninitialised. */
948 memset(&th_v, 0,
sizeof(th_v));
/* Mark the packet as TCP, matching the "alert tcp" rule below. */
953 p->
proto = IPPROTO_TCP;
/* "CONNECT " must lie in the first 8 bytes (depth:8, case-insensitive);
 * " HTTP/1." must follow within 1000 bytes of that match. */
967 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
/* SigTest16: the same HTTP CONNECT off-port policy rule and payload as the
 * preceding CONNECT test. The packet's ports and the expected result are set
 * on lines not shown in this listing. */
993 static int SigTest16 (
void)
995 uint8_t *buf = (uint8_t *)
996 "CONNECT 213.92.8.7:31204 HTTP/1.1";
/* size_t result narrowed to uint16_t; fine for this short literal. */
997 uint16_t buflen = strlen((
char *)buf);
1003 memset(&th_v, 0,
sizeof(th_v));
/* NOTE(review): this clears the whole packet only if p is a packet object; if
 * p is a pointer here, sizeof(p) is the pointer size and only the pointer is
 * zeroed. The declaration of p is not visible -- confirm. */
1004 memset(&p, 0,
sizeof(p));
1019 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
/* SigTest17: captures the Host header value into the named group
 * pkt_http_host for traffic to $HTTP_PORTS. The rule carries noalert, so it
 * is not meant to raise an alert itself.
 * NOTE(review): presumably the test inspects the captured variable rather
 * than an alert; that check is not visible in this listing -- confirm. */
1043 static int SigTest17 (
void)
1045 uint8_t *buf = (uint8_t *)
1046 "GET /one/ HTTP/1.1\r\n"
1047 "Host: one.example.org\r\n"
1049 "GET /two/ HTTP/1.1\r\n"
1050 "Host: two.example.org\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
1052 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v so no field is read uninitialised. */
1056 memset(&th_v, 0,
sizeof(th_v));
1069 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
/* SigTest18: negative test for a "220 banner" rule whose source port is the
 * negated range !21:902. The payload is a 220 greeting, so the content and
 * pcre parts can match; the visible failure message shows the signature is
 * nevertheless expected NOT to match. The packet's ports are set on lines not
 * shown in this listing. */
1094 static int SigTest18 (
void)
1096 uint8_t *buf = (uint8_t *)
1097 "220 (vsFTPd 2.0.5)\r\n";
/* size_t result narrowed to uint16_t; fine for this short literal. */
1098 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v so no field is read uninitialised. */
1106 memset(&th_v, 0,
sizeof(th_v));
/* Mark the packet as TCP, matching the "alert tcp" rule below. */
1111 p->
proto = IPPROTO_TCP;
1122 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
1135 printf(
"signature shouldn't match, but did: ");
/* SigTest19: positive test on a TCP packet carrying a 220 greeting. The rule
 * is on lines not shown in this listing; the visible failure message shows
 * the signature is expected to match. */
1146 static int SigTest19 (
void)
1148 uint8_t *buf = (uint8_t *)
1149 "220 (vsFTPd 2.0.5)\r\n";
/* size_t result narrowed to uint16_t; fine for this short literal. */
1150 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v so no field is read uninitialised. */
1158 memset(&th_v, 0,
sizeof(th_v));
1165 p->
proto = IPPROTO_TCP;
1194 printf(
"signature didn't match, but should have: ");
/* SigTest20: "IP-ONLY test (2)" -- the rule has no payload keywords, only a
 * $HOME_NET source and a bracketed list of destination hosts and networks.
 * The visible failure message shows the signature is expected to match. The
 * packet's addresses are set on lines not shown in this listing. */
1206 static int SigTest20 (
void)
1208 uint8_t *buf = (uint8_t *)
1209 "220 (vsFTPd 2.0.5)\r\n";
/* size_t result narrowed to uint16_t; fine for this short literal. */
1210 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v so no field is read uninitialised. */
1218 memset(&th_v, 0,
sizeof(th_v));
1225 p->
proto = IPPROTO_TCP;
1241 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1254 printf(
"signature didn't match, but should have: ");
/* SigTest21: flowbits across two payloads on one flow. sid 1 sets the flowbit
 * TEST.one when it sees "/one/" and is marked noalert. The visible messages
 * show the expectations: sid 1 must not alert, sid 2 must alert. The rule for
 * sid 2 is on lines not shown in this listing. */
1267 static int SigTest21 (
void)
/* Zero th_v and the flow so no field is read uninitialised. */
1270 memset(&th_v, 0,
sizeof(th_v));
1275 memset(&f, 0,
sizeof(f));
/* First payload: contains "/one/", the trigger for sid 1. */
1279 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
1281 uint16_t buf1len = strlen((
char *)buf1);
/* Second payload: contains "/two/" and not "/one/". */
1284 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1286 uint16_t buf2len = strlen((
char *)buf2);
1303 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1319 printf(
"sid 1 alerted, but shouldn't: ");
1324 printf(
"sid 2 didn't alert, but should have: ");
/* Guard so a context that was never created is not touched. */
1334 if (det_ctx != NULL) {
/* SigTest22: flowbits negative case. sid 1 is the same noalert "set TEST.one"
 * rule; the visible messages show that neither sid 1 nor sid 2 is expected to
 * alert. The rule for sid 2 is on lines not shown in this listing. */
1345 static int SigTest22 (
void)
/* Zero th_v and the flow so no field is read uninitialised. */
1348 memset(&th_v, 0,
sizeof(th_v));
1353 memset(&f, 0,
sizeof(f));
1357 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
1359 uint16_t buf1len = strlen((
char *)buf1);
1367 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1369 uint16_t buf2len = strlen((
char *)buf2);
1383 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1399 printf(
"sid 1 alerted, but shouldn't: ");
1406 printf(
"sid 2 alerted, but shouldn't: ");
/* SigTest23: flowbits toggle case. sid 1 toggles TEST.one when it sees
 * "/one/" and is marked noalert. The visible messages show the expectations:
 * sid 1 must not alert, sid 2 must alert. The rule for sid 2 is on lines not
 * shown in this listing. */
1420 static int SigTest23 (
void)
/* Zero th_v and the flow so no field is read uninitialised. */
1423 memset(&th_v, 0,
sizeof(th_v));
1428 memset(&f, 0,
sizeof(f));
1432 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
1434 uint16_t buf1len = strlen((
char *)buf1);
1442 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1444 uint16_t buf2len = strlen((
char *)buf2);
1458 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1474 printf(
"sid 1 alerted, but shouldn't: ");
1481 printf(
"sid 2 didn't alert, but should have: ");
/* SigTest24IPV4Keyword: exercises the ipv4-csum keyword with one rule per
 * state (valid, invalid). The visible messages show that both signatures are
 * expected to match. How the two headers are attached to packets p1 and p2 is
 * on lines not shown in this listing. */
1495 static int SigTest24IPV4Keyword(
void)
/* 20-byte IPv4 header. The checksum field (bytes 10..11) holds 0xb7 0x52,
 * which is the correct header checksum for these bytes. */
1497 uint8_t valid_raw_ipv4[] = {
1498 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1499 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1500 0xc0, 0xa8, 0x01, 0x03};
/* Same header with only the final byte changed (0x03 -> 0x06); the stored
 * checksum is left untouched, so it no longer matches the header. */
1502 uint8_t invalid_raw_ipv4[] = {
1503 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1504 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1505 0xc0, 0xa8, 0x01, 0x06};
1519 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
1521 uint16_t buflen = strlen((
char *)buf);
1533 p1->
proto = IPPROTO_TCP;
1541 p2->
proto = IPPROTO_TCP;
/* Rule 1: payload content plus a valid IPv4 header checksum. */
1551 "alert ip any any -> any any "
1552 "(content:\"/one/\"; ipv4-csum:valid; "
1553 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1555 printf(
"sig 1 parse: ");
/* Rule 2: same content, but requires an invalid IPv4 header checksum. */
1560 "alert ip any any -> any any "
1561 "(content:\"/one/\"; ipv4-csum:invalid; "
1562 "msg:\"ipv4-csum keyword check(1)\"; "
1565 printf(
"sig 2 parse: ");
1574 printf(
"signature 1 didn't match, but should have: ");
1580 printf(
"signature 2 didn't match, but should have: ");
/* Guard so a context that was never created is not touched. */
1586 if (det_ctx != NULL) {
/* SigTest25NegativeIPV4Keyword: same two headers as the positive ipv4-csum
 * test, with the keyword values swapped between the rules (first rule
 * requires invalid, second requires valid).
 * NOTE(review): presumably neither rule is expected to match its packet; the
 * result checks are not visible in this listing -- confirm. */
1597 static int SigTest25NegativeIPV4Keyword(
void)
/* 20-byte IPv4 header whose checksum field (bytes 10..11, 0xb7 0x52) is
 * correct for these bytes. */
1599 uint8_t valid_raw_ipv4[] = {
1600 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1601 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1602 0xc0, 0xa8, 0x01, 0x03};
/* Same header with only the final byte changed (0x03 -> 0x06), so the stored
 * checksum no longer matches. */
1604 uint8_t invalid_raw_ipv4[] = {
1605 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1606 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1607 0xc0, 0xa8, 0x01, 0x06};
1621 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
/* size_t result narrowed to uint16_t; fine for this short literal. */
1623 uint16_t buflen = strlen((
char *)buf);
1635 p1->
proto = IPPROTO_TCP;
1643 p2->
proto = IPPROTO_TCP;
1653 "alert ip any any -> any any "
1654 "(content:\"/one/\"; ipv4-csum:invalid; "
1655 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1662 "alert ip any any -> any any "
1663 "(content:\"/one/\"; ipv4-csum:valid; "
1664 "msg:\"ipv4-csum keyword check(1)\"; "
1696 static int SigTest26TCPV4Keyword(
void)
1698 uint8_t raw_ipv4[] = {
1699 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1700 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1701 0xc0, 0xa8, 0x01, 0x03};
1703 uint8_t valid_raw_tcp[] = {
1704 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1705 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1706 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1707 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1708 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1710 uint8_t invalid_raw_tcp[] = {
1711 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1712 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1713 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1714 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1715 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1745 p1->
proto = IPPROTO_TCP;
1754 p2->
proto = IPPROTO_TCP;
1762 "alert ip any any -> any any "
1763 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1764 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1768 "alert ip any any -> any any "
1769 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1770 "msg:\"tcpv4-csum keyword check(1)\"; "
1793 static int SigTest26TCPV4AndNegativeIPV4Keyword(
void)
1795 uint8_t raw_ipv4[] = {
1796 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1797 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1798 0xc0, 0xa8, 0x01, 0x03};
1800 uint8_t valid_raw_tcp[] = {
1801 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1802 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1803 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1804 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1805 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1807 uint8_t invalid_raw_tcp[] = {
1808 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1809 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1810 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1811 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1812 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1843 p1->
proto = IPPROTO_TCP;
1852 p2->
proto = IPPROTO_TCP;
1862 "alert ip any any -> any any "
1863 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1864 "ipv4-csum:invalid; "
1865 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1871 "alert ip any any -> any any "
1872 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1873 "ipv4-csum:invalid; "
1874 "msg:\"tcpv4-csum keyword check(1)\"; "
1885 printf(
"sig 1 didn't match: ");
1891 printf(
"sig 2 didn't match: ");
1907 static int SigTest26TCPV4AndIPV4Keyword(
void)
1912 uint8_t raw_ipv4[] = {
1913 0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1914 0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1915 0xc0, 0xa8, 0xb0, 0x74};
1922 uint8_t valid_raw_tcp[] = {
1923 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1924 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1925 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1926 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1927 0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1928 0x04, 0x02, 0x00, 0x00};
1930 uint8_t invalid_raw_tcp[] = {
1931 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1932 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1933 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1934 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1935 0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1936 0x04, 0x02, 0x00, 0x00};
1967 p1->
proto = IPPROTO_TCP;
1976 p2->
proto = IPPROTO_TCP;
1986 "alert ip any any -> any any "
1987 "(tcpv4-csum:valid; "
1989 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1995 "alert ip any any -> any any "
1996 "(tcpv4-csum:invalid; "
1998 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
2009 printf(
"sig 1 didn't match: ");
2015 printf(
"sig 2 didn't match: ");
/* SigTest27NegativeTCPV4Keyword: exercises tcpv4-csum with a rule that
 * requires an invalid checksum (sid 1) and one that requires a valid checksum
 * (second rule). The visible messages show the expectations: sig 1 must match
 * on p1 and sig 2 must not match on p2. Which array backs which packet is set
 * on lines not shown in this listing. */
2030 static int SigTest27NegativeTCPV4Keyword(
void)
2032 uint8_t raw_ipv4[] = {
2033 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2034 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2035 0xc0, 0xa8, 0x01, 0x03};
/* NOTE(review): despite its name this array carries checksum bytes 0xfa 0x03
 * (TCP header bytes 16..17), whereas the otherwise byte-identical
 * valid_raw_tcp in SigTest26TCPV4Keyword carries 0x4A 0x04. Presumably the
 * wrong checksum is deliberate for this negative test -- confirm. */
2037 uint8_t valid_raw_tcp[] = {
2038 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2039 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2040 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2041 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2042 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
/* Differs from valid_raw_tcp only in the final byte (0x02 -> 0x03); the
 * checksum bytes are the same in both arrays. */
2044 uint8_t invalid_raw_tcp[] = {
2045 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2046 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2047 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2048 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2049 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2078 p1->
proto = IPPROTO_TCP;
2087 p2->
proto = IPPROTO_TCP;
/* The content bytes DE 01 03 occur in the last row of both arrays; dsize:20
 * additionally requires a 20-byte payload. */
2097 "alert tcp any any -> any any "
2098 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2099 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2105 "alert tcp any any -> any any "
2106 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2107 "msg:\"tcpv4-csum keyword check(2)\"; "
2118 printf(
"sig 1 didn't match on p1: ");
2124 printf(
"sig 2 matched on p2: ");
/* SigTest28TCPV6Keyword: exercises tcpv6-csum with one rule per state (valid
 * for sid 1, invalid for the second rule). The visible messages show that
 * sid 1 is expected to match on p1 and sid 2 on p2. Each frame is laid out as
 * 14 bytes of link header ending in 0x86 0xdd, 40 bytes of IPv6 header, a
 * 20-byte TCP header at offset 54 and 12 bytes of payload at offset 74. */
2139 static int SigTest28TCPV6Keyword(
void)
2141 static uint8_t valid_raw_ipv6[] = {
2142 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2143 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2145 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2146 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2147 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2148 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2149 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2151 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2152 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2153 0xf2, 0xf1, 0x00, 0x00,
2155 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2156 0x00, 0x01, 0x69, 0x27};
/* Differs from the valid frame in two places: the first TCP checksum byte
 * (0xf2 -> 0xc2) and the final payload byte (0x27 -> 0x28). */
2158 static uint8_t invalid_raw_ipv6[] = {
2159 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2160 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2162 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2163 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2164 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2165 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2166 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2168 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2169 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2170 0xc2, 0xf1, 0x00, 0x00,
2172 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2173 0x00, 0x01, 0x69, 0x28};
/* NOTE(review): a uint8_t array gives no alignment guarantee for a TCPHdr at
 * offset 54; whether that matters depends on TCPHdr's definition and the
 * target platform, neither of which is visible here -- confirm. */
2191 p1->
tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
/* Payload starts right after the 20-byte TCP header. */
2194 p1->
payload = valid_raw_ipv6 + 54 + 20;
2196 p1->
proto = IPPROTO_TCP;
2204 p2->
tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
/* NOTE(review): the second ';' is an empty statement; harmless, but likely a
 * typo. */
2207 p2->
payload = invalid_raw_ipv6 + 54 + 20;;
2209 p2->
proto = IPPROTO_TCP;
/* The content bytes 00 01 69 occur in the last row of both frames; dsize:12
 * equals the number of bytes that follow offset 74. */
2223 "alert tcp any any -> any any "
2224 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2225 "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2231 "alert tcp any any -> any any "
2232 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2233 "msg:\"tcpv6-csum keyword check(1)\"; "
2244 printf(
"sid 1 didn't match on p1: ");
2250 printf(
"sid 2 didn't match on p2: ");
2265 static int SigTest29NegativeTCPV6Keyword(
void)
2267 static uint8_t valid_raw_ipv6[] = {
2268 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2269 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2271 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2272 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2273 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2274 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2275 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2277 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2278 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2279 0xf2, 0xf1, 0x00, 0x00,
2281 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2282 0x00, 0x01, 0x69, 0x27};
2284 static uint8_t invalid_raw_ipv6[] = {
2285 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2286 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2288 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2289 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2290 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2291 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2292 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2294 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2295 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2296 0xc2, 0xf1, 0x00, 0x00,
2298 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2299 0x00, 0x01, 0x69, 0x28};
2317 p1->
tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2320 p1->
payload = valid_raw_ipv6 + 54 + 20;
2322 p1->
proto = IPPROTO_TCP;
2330 p2->
tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2333 p2->
payload = invalid_raw_ipv6 + 54 + 20;;
2335 p2->
proto = IPPROTO_TCP;
2349 "alert tcp any any -> any any "
2350 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2351 "msg:\"tcpv6-csum keyword check(1)\"; "
2358 "alert tcp any any -> any any "
2359 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2360 "msg:\"tcpv6-csum keyword check(1)\"; "
2381 if (det_ctx != NULL)
2389 static int SigTest30UDPV4Keyword(
void)
2391 uint8_t raw_ipv4[] = {
2392 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2393 0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2394 0xc0, 0xa8, 0x01, 0x03};
2396 uint8_t valid_raw_udp[] = {
2397 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2398 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2399 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2400 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2401 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2402 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2403 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2404 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2405 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2406 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2407 0x67, 0x6c, 0x65, 0xc0, 0x26};
2409 uint8_t invalid_raw_udp[] = {
2410 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2411 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2412 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2413 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2414 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2415 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2416 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2417 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2418 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2419 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2420 0x67, 0x6c, 0x65, 0xc0, 0x27};
2430 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2431 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2437 p1->
udph = (UDPHdr *)valid_raw_udp;
2442 p1->
proto = IPPROTO_UDP;
2446 p2->
udph = (UDPHdr *)invalid_raw_udp;
2451 p2->
proto = IPPROTO_UDP;
2459 "alert udp any any -> any any "
2460 "(content:\"/one/\"; udpv4-csum:valid; "
2461 "msg:\"udpv4-csum keyword check(1)\"; "
2466 "alert udp any any -> any any "
2467 "(content:\"/one/\"; udpv4-csum:invalid; "
2468 "msg:\"udpv4-csum keyword check(1)\"; "
2483 if (det_ctx != NULL)
2491 static int SigTest31NegativeUDPV4Keyword(
void)
2493 uint8_t raw_ipv4[] = {
2494 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2495 0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2496 0xc0, 0xa8, 0x01, 0x03};
2498 uint8_t valid_raw_udp[] = {
2499 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2500 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2501 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2502 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2503 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2504 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2505 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2506 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2507 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2508 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2509 0x67, 0x6c, 0x65, 0xc0, 0x26};
2511 uint8_t invalid_raw_udp[] = {
2512 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2513 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2514 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2515 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2516 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2517 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2518 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2519 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2520 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2521 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2522 0x67, 0x6c, 0x65, 0xc0, 0x27};
2536 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2537 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2543 p1->
udph = (UDPHdr *)valid_raw_udp;
2548 p1->
proto = IPPROTO_UDP;
2552 p2->
udph = (UDPHdr *)invalid_raw_udp;
2557 p2->
proto = IPPROTO_UDP;
2567 "alert udp any any -> any any "
2568 "(content:\"/one/\"; udpv4-csum:invalid; "
2569 "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2576 "alert udp any any -> any any "
2577 "(content:\"/one/\"; udpv4-csum:valid; "
2578 "msg:\"udpv4-csum keyword check(1)\"; "
2603 if (det_ctx != NULL)
2613 static int SigTest32UDPV6Keyword(
void)
2615 static uint8_t valid_raw_ipv6[] = {
2616 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2617 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2618 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2619 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2620 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2621 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2622 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2623 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2624 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2627 static uint8_t invalid_raw_ipv6[] = {
2628 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2629 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2630 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2631 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2632 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2633 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2634 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2635 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2636 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2647 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP\r\n"
2654 p1->
udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2659 p1->
proto = IPPROTO_UDP;
2663 p2->
udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2668 p2->
proto = IPPROTO_UDP;
2676 "alert udp any any -> any any "
2677 "(content:\"/one/\"; udpv6-csum:valid; "
2678 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2682 "alert udp any any -> any any "
2683 "(content:\"/one/\"; udpv6-csum:invalid; "
2684 "msg:\"udpv6-csum keyword check(1)\"; "
2699 if (det_ctx != NULL)
2708 static int SigTest33NegativeUDPV6Keyword(
void)
2710 static uint8_t valid_raw_ipv6[] = {
2711 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2712 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2713 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2714 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2715 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2716 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2717 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2718 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2719 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2722 static uint8_t invalid_raw_ipv6[] = {
2723 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2724 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2725 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2726 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2727 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2728 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2729 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2730 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2731 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2746 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP\r\n"
2753 p1->
udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2758 p1->
proto = IPPROTO_UDP;
2762 p2->
udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2767 p2->
proto = IPPROTO_UDP;
2777 "alert udp any any -> any any "
2778 "(content:\"/one/\"; udpv6-csum:invalid; "
2779 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2786 "alert udp any any -> any any "
2787 "(content:\"/one/\"; udpv6-csum:valid; "
2788 "msg:\"udpv6-csum keyword check(1)\"; "
2812 if (det_ctx != NULL)
2821 static int SigTest34ICMPV4Keyword(
void)
2823 uint8_t valid_raw_ipv4[] = {
2824 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2825 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2826 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2827 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2828 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2829 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2830 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2831 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2832 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2833 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2834 0x34, 0x35, 0x36, 0x37};
2836 uint8_t invalid_raw_ipv4[] = {
2837 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2838 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2839 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2840 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2841 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2842 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2843 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2844 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2845 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2846 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2847 0x34, 0x35, 0x36, 0x38};
2861 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
2863 uint16_t buflen = strlen((
char *)buf);
2875 p1->
proto = IPPROTO_ICMP;
2885 p2->
proto = IPPROTO_ICMP;
/* Rule with sid 1: content "/one/" plus icmpv4-csum:valid, i.e. it should
 * only fire for a packet whose ICMPv4 checksum verifies. */
2895 "alert icmp any any -> any any "
2896 "(content:\"/one/\"; icmpv4-csum:valid; "
2897 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
/* Second rule: same content, but icmpv4-csum:invalid, so it covers the
 * corrupted-checksum packet.
 * NOTE(review): the msg text repeats "check(1)" from the first rule, so the
 * two rules can only be told apart by sid in alert output. */
2904 "alert icmp any any -> any any "
2905 "(content:\"/one/\"; icmpv4-csum:invalid; "
2906 "msg:\"icmpv4-csum keyword check(1)\"; "
2930 if (det_ctx != NULL)
2939 static int SigTest35NegativeICMPV4Keyword(
void)
2941 uint8_t valid_raw_ipv4[] = {
2942 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2943 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2944 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2945 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2946 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2947 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2948 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2949 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2950 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2951 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2952 0x34, 0x35, 0x36, 0x37};
2954 uint8_t invalid_raw_ipv4[] = {
2955 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2956 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2957 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2958 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2959 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2960 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2961 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2962 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2963 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2964 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2965 0x34, 0x35, 0x36, 0x38};
2979 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
2981 uint16_t buflen = strlen((
char *)buf);
2993 p1->
proto = IPPROTO_ICMP;
3003 p2->
proto = IPPROTO_ICMP;
/* Negative variant: compared with SigTest34ICMPV4Keyword the keyword values
 * are swapped, so sid 1 now asks for an invalid ICMPv4 checksum. */
3013 "alert icmp any any -> any any "
3014 "(content:\"/one/\"; icmpv4-csum:invalid; "
3015 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
/* Second rule asks for a valid checksum.
 * NOTE(review): both rules carry the same msg text ("check(1)"); only the
 * sid distinguishes them in alert output. */
3022 "alert icmp any any -> any any "
3023 "(content:\"/one/\"; icmpv4-csum:valid; "
3024 "msg:\"icmpv4-csum keyword check(1)\"; "
3049 if (det_ctx != NULL)
3058 static int SigTest38(
void)
3066 uint8_t raw_eth[] = {
3067 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3068 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3071 uint8_t raw_ipv4[] = {
3072 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3073 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3074 0x7f, 0x00, 0x00, 0x01
3076 uint8_t raw_tcp[] = {
3077 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3078 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3079 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3080 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3081 0x00, 0x22, 0xaa, 0x10
3084 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3085 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3086 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30,
3087 0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3088 0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3089 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3090 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3091 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3092 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3095 uint16_t ethlen =
sizeof(raw_eth);
3096 uint16_t ipv4len =
sizeof(raw_ipv4);
3097 uint16_t tcplen =
sizeof(raw_tcp);
3098 uint16_t buflen =
sizeof(buf);
3119 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3122 p1->
ethh = (EthernetHdr *)raw_eth;
3124 p1->
tcph = (TCPHdr *)raw_tcp;
3129 p1->
proto = IPPROTO_TCP;
/* sid 1: byte_test:4,=,8,0 is not relative, so it reads 4 raw bytes at
 * payload offset 0; the payload starts 00 00 00 08, which equals 8. */
3138 "alert tcp any any -> any any "
3139 "(content:\"LEN1|20|\"; "
3140 "byte_test:4,=,8,0; "
3141 "msg:\"byte_test keyword check(1)\"; sid:1;)");
/* sid 2: relative,string,dec parses 4 ASCII decimal digits starting 5 bytes
 * past the end of the "LEN1 " match. In the payload those 5 bytes are
 * '8' CR LF 'f' 'o' and the digits that follow are "0008", i.e. 8. */
3147 "alert tcp any any -> any any "
3148 "(content:\"LEN1|20|\"; "
3149 "byte_test:4,=,8,5,relative,string,dec; "
3150 "msg:\"byte_test keyword check(2)\"; sid:2;)");
3164 printf(
"sid 1 didn't alert, but should have: ");
3171 printf(
"sid 2 didn't alert, but should have: ");
3179 if (det_ctx != NULL)
3188 static int SigTest39(
void)
3196 uint8_t raw_eth[] = {
3197 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3201 uint8_t raw_ipv4[] = {
3202 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3203 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3204 0x7f, 0x00, 0x00, 0x01
3206 uint8_t raw_tcp[] = {
3207 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3208 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3209 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3210 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3211 0x00, 0x22, 0xaa, 0x10
3214 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3215 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3216 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3217 0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3218 0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3219 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3220 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3221 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3222 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3225 uint16_t ethlen =
sizeof(raw_eth);
3226 uint16_t ipv4len =
sizeof(raw_ipv4);
3227 uint16_t tcplen =
sizeof(raw_tcp);
3228 uint16_t buflen =
sizeof(buf);
3249 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3252 p1->
ethh = (EthernetHdr *)raw_eth;
3254 p1->
tcph = (TCPHdr *)raw_tcp;
3259 p1->
proto = IPPROTO_TCP;
/* sid 1: the first byte_test reads the 4 raw bytes at payload offset 0
 * (00 00 00 08 == 8). The last byte_test compares 6 bytes against
 * 0x4c454e312038, which is ASCII "LEN1 8".
 * NOTE(review): a keyword between the two byte_test entries is not shown in
 * this listing (presumably the byte_jump named in the msg) -- confirm. */
3268 "alert tcp any any -> any any "
3269 "(content:\"LEN1|20|\"; "
3270 "byte_test:4,=,8,0; "
3272 "byte_test:6,=,0x4c454e312038,0,relative; "
3273 "msg:\"byte_jump keyword check(1)\"; sid:1;)");
/* sid 2: byte_test parses the ASCII decimal field "0008" found 4 bytes past
 * the "LEN1 " match; byte_jump then uses a 4-digit decimal field as the jump
 * length and adds 2 (post_offset 2). The closing byte_test expects the jump
 * to land on 0x4c454e32, ASCII "LEN2".
 * NOTE(review): the landing position depends on where relative offsets are
 * anchored after byte_test -- confirm against the byte_jump implementation. */
3280 "alert tcp any any -> any any "
3281 "(content:\"LEN1|20|\"; "
3282 "byte_test:4,=,8,4,relative,string,dec; "
3283 "byte_jump:4,4,relative,string,dec,post_offset 2; "
3284 "byte_test:4,=,0x4c454e32,0,relative; "
3285 "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3299 printf(
"sid 1 didn't alert, but should have: ");
3306 printf(
"sid 2 didn't alert, but should have: ");
3313 if (det_ctx != NULL)
3327 static int SigTest36ContentAndIsdataatKeywords01 (
void)
3333 uint8_t raw_eth [] = {
3334 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3335 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3336 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3337 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3338 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3339 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3340 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3341 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3342 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3343 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3344 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3345 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3346 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3347 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3348 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3349 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3350 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3351 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3352 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3353 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3354 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3355 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3356 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3357 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3358 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3359 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3360 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3361 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3362 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3363 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3374 memset(&th_v, 0,
sizeof(th_v));
3387 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3445 static int SigTest37ContentAndIsdataatKeywords02 (
void)
3451 uint8_t raw_eth [] = {
3452 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3453 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3454 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3455 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3456 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3457 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3458 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3459 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3460 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3461 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3462 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3463 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3464 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3465 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3466 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3467 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3468 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3469 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3470 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3471 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3472 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3473 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3474 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3475 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3476 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3477 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3478 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3479 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3480 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3481 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3492 memset(&th_v, 0,
sizeof(th_v));
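/* Parse the single rule under test and install it as the head of the
 * signature list. The rule looks for "HTTP" and then requires data 500 bytes
 * past that match (isdataat:500, relative); the whole raw_eth frame above is
 * only 474 bytes, and the check further down expects no match.
 * The msg names this test (02) so that an unexpected alert is attributed to
 * the right test rather than to SigTest36ContentAndIsdataatKeywords01. */
Signature *s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords02 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");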
3507 printf(
"sig parse failed: ");
3513 printf(
"type not content: ");
3524 printf(
"sig matched, but should not have: ");
3567 static int SigTest40NoPacketInspection01(
void)
3570 uint8_t *buf = (uint8_t *)
3571 "220 (vsFTPd 2.0.5)\r\n";
3572 uint16_t buflen = strlen((
char *)buf);
3583 memset(&th_v, 0,
sizeof(th_v));
3584 memset(&pq, 0,
sizeof(pq));
3585 memset(&f, 0,
sizeof(f));
3586 memset(&tcphdr, 0,
sizeof(tcphdr));
3594 p->
proto = IPPROTO_TCP;
3611 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3621 Detect(&th_v, p, det_ctx);
3642 static int SigTest40NoPayloadInspection02(
void)
3645 uint8_t *buf = (uint8_t *)
3646 "220 (vsFTPd 2.0.5)\r\n";
3647 uint16_t buflen = strlen((
char *)buf);
3649 memset(&th_v, 0,
sizeof(th_v));
3658 p->
proto = IPPROTO_TCP;
3667 "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3683 static int SigTestMemory01 (
void)
3685 uint8_t *buf = (uint8_t *)
3686 "GET /one/ HTTP/1.1\r\n"
3687 "Host: one.example.org\r\n"
3689 "GET /two/ HTTP/1.1\r\n"
3690 "Host: two.example.org\r\n"
3692 uint16_t buflen = strlen((
char *)buf);
3700 memset(&th_v, 0,
sizeof(th_v));
3705 p->
proto = IPPROTO_TCP;
3714 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3733 static int SigTestMemory02 (
void)
3738 memset(&th_v, 0,
sizeof(th_v));
3746 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3751 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3767 static int SigTestMemory03 (
void)
3772 memset(&th_v, 0,
sizeof(th_v));
3780 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3785 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3790 de_ctx->
sig_list->
next->
next =
SigInit(
de_ctx,
"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3806 static int SigTestContent01 (
void)
3808 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901";
3809 uint16_t buflen = strlen((
char *)buf);
3814 memset(&th_v, 0,
sizeof(th_v));
3825 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3838 printf(
"sig 1 didn't match: ");
3850 static int SigTestContent02 (
void)
3852 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901";
3853 uint16_t buflen = strlen((
char *)buf);
3858 memset(&th_v, 0,
sizeof(th_v));
3868 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3888 printf(
"sig 2 didn't match: ");
3891 printf(
"sig 1 didn't match: ");
3903 static int SigTestContent03 (
void)
3905 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3906 uint16_t buflen = strlen((
char *)buf);
3911 memset(&th_v, 0,
sizeof(th_v));
3922 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3935 printf(
"sig 1 didn't match: ");
3947 static int SigTestContent04 (
void)
3949 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3950 uint16_t buflen = strlen((
char *)buf);
3955 memset(&th_v, 0,
sizeof(th_v));
3967 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3980 printf(
"sig 1 didn't match: ");
3993 static int SigTestContent05 (
void)
3995 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3996 uint16_t buflen = strlen((
char *)buf);
4001 memset(&th_v, 0,
sizeof(th_v));
4007 printf(
"de_ctx == NULL: ");
/* sig 1: two 32-byte patterns with distance:0; within:32. In buf the
 * patterns are separated by the 3-byte filler "PAD", so the second pattern
 * ends 35 bytes after the first match and cannot fit inside within:32. */
4013 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4015 printf(
"sig1 parse failed: ");
/* sig 2: same patterns with distance:1. The within:32 window is still too
 * short for the 3-byte gap, so this rule is also expected not to match
 * (see the "matched but shouldn't" diagnostics later in the test). */
4018 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
4020 printf(
"sig2 parse failed: ");
4030 printf(
"sig 1 matched but shouldn't: ");
4035 printf(
"sig 2 matched but shouldn't: ");
4045 if (det_ctx != NULL) {
4054 static int SigTestContent06 (
void)
4056 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4057 uint16_t buflen = strlen((
char *)buf);
4062 memset(&th_v, 0,
sizeof(th_v));
4073 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4078 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
4091 printf(
"sig 1 didn't match: ");
4098 printf(
"sig 2 didn't match: ");
4112 static int SigTestWithin01 (
void)
4122 uint8_t rawpkt1[] = {
4123 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4124 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4125 0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4126 0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4127 0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4128 0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4129 0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4130 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4131 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4132 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4133 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4134 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4135 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4136 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4137 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4138 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4139 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4140 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4141 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4144 uint8_t rawpkt2[] = {
4145 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4146 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4147 0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4148 0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4149 0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4150 0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4151 0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4152 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4153 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4154 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4155 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4156 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4157 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4158 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4159 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4160 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4161 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4162 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4163 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4166 uint8_t rawpkt3[] = {
4167 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4168 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4169 0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4170 0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4171 0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4172 0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4173 0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4174 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4175 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4176 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4177 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4178 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4179 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4180 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4181 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4182 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4183 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4184 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4185 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4188 uint8_t rawpkt4[] = {
4189 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4190 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4191 0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4192 0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4193 0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4194 0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4195 0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4196 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4197 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4198 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4199 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4200 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4201 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4202 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4203 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4204 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4205 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4206 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4207 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4211 memset(&th_v, 0,
sizeof(th_v));
/* Rule under test: the second pattern "content matches" is exactly 15 bytes
 * long, so distance:0; within:15 is the tightest window that can still match
 * and only does so when the pattern directly follows the first one. The
 * diagnostics below expect a match on each of the five packets. */
4224 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4240 printf(
"failed to match on packet 1: ");
4251 printf(
"failed to match on packet 2: ");
4262 printf(
"failed to match on packet 3: ");
4273 printf(
"failed to match on packet 4: ");
4278 uint8_t *p5buf = (uint8_t *)
"Hi, this is a big test to check content matches";
4279 uint16_t p5buflen = strlen((
char *)p5buf);
4283 printf(
"failed to match on packet 5: ");
4295 if (det_ctx != NULL)
4321 static int SigTestDepthOffset01 (
void)
4323 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4324 uint16_t buflen = strlen((
char *)buf);
4330 memset(&th_v, 0,
sizeof(th_v));
/* Rule under test: content "456" with offset:4; depth:3. In buf
 * ("0123456789...") the bytes at offsets 4..6 are "456", so the search
 * window is exactly as wide as the pattern.
 * NOTE(review): assumes depth is counted from the offset, not from the
 * start of the payload -- confirm against the content keyword parser. */
4341 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4364 static int SigTestDetectAlertCounter(
void)
4369 memset(&
tv, 0,
sizeof(
tv));
4376 "content:\"boo\"; sid:1;)");
4385 p =
UTHBuildPacket((uint8_t *)
"boo", strlen(
"boo"), IPPROTO_TCP);
4393 p =
UTHBuildPacket((uint8_t *)
"roo", strlen(
"roo"), IPPROTO_TCP);
4398 p =
UTHBuildPacket((uint8_t *)
"laboosa", strlen(
"laboosa"), IPPROTO_TCP);
4410 static int SigTestDropFlow01(
void)
4414 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4415 "User-Agent: Mozilla/1.0\r\n"
4416 "Cookie: hellocatch\r\n\r\n";
4417 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4426 memset(&f, 0,
sizeof(
Flow));
4433 f.
proto = IPPROTO_TCP;
4449 "(msg:\"Test proto match\"; "
4483 static int SigTestDropFlow02(
void)
4488 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4489 "User-Agent: Mozilla/1.0\r\n"
4490 "Cookie: hellocatch\r\n\r\n";
4491 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4500 memset(&f, 0,
sizeof(
Flow));
4507 f.
proto = IPPROTO_TCP;
4525 "(msg:\"Test proto match\"; uricontent:\"one\";"
4538 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4545 if (http_state == NULL) {
4546 printf(
"no http state: ");
4554 printf(
"sig 1 didn't alert, but it should: ");
4559 printf(
"sig 1 alerted but flow was not flagged correctly: ");
4571 if (det_ctx != NULL)
4588 static int SigTestDropFlow03(
void)
4593 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4594 "User-Agent: Mozilla/1.0\r\n"
4595 "Cookie: hellocatch\r\n\r\n";
4596 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
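/* Second request of the flow: same headers as http_buf1, URI /two. */
uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
                      "User-Agent: Mozilla/1.0\r\n"
                      "Cookie: hellocatch\r\n\r\n";
/* Length without the terminating NUL. Derived from http_buf2 itself rather
 * than from http_buf1, so any consumer of this length stays inside this
 * buffer even if the two requests stop being the same size. */
uint32_t http_buf2_len = sizeof(http_buf2) - 1;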
4615 memset(&f, 0,
sizeof(
Flow));
4623 f.
proto = IPPROTO_TCP;
4647 "(msg:\"Test proto match\"; uricontent:\"one\";"
4656 "(msg:\"Test proto match\"; uricontent:\"two\";"
4669 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4676 if (http_state == NULL) {
4677 printf(
"no http state: ");
4685 printf(
"sig 1 didn't alert on p1, but it should: ");
4690 printf(
"sig 1 alerted but flow was not flagged correctly: ");
/* If the flow that p2 belongs to has already triggered a drop rule, mark the
 * flow as no-packet-inspection. The checks that follow expect p2 to carry
 * that flag, neither sig 1 nor sig 2 to alert on it, and the drop action to
 * be propagated from the flow to the packet. */
4695 if (StreamTcpCheckFlowDrops(p2) == 1) {
4696 SCLogDebug(
"This flow/stream triggered a drop rule");
4697 FlowSetNoPacketInspectionFlag(p2->
flow);
4707 printf(
"The packet was not flagged with no-inspection: ");
4715 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
4725 printf(
"sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4730 printf(
"sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4735 printf(
"A \"drop\" action should be set from the flow to the packet: ");
4744 if (det_ctx != NULL)
4765 static int SigTestDropFlow04(
void)
4769 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4770 "User-Agent: Mozilla/1.0\r\n"
4771 "Cookie: hellocatch\r\n\r\n";
4772 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
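/* Second request of the flow: same headers as http_buf1, URI /two. */
uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
                      "User-Agent: Mozilla/1.0\r\n"
                      "Cookie: hellocatch\r\n\r\n";
/* Length without the terminating NUL. Derived from http_buf2 itself rather
 * than from http_buf1, so any consumer of this length stays inside this
 * buffer even if the two requests stop being the same size. */
uint32_t http_buf2_len = sizeof(http_buf2) - 1;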
4788 memset(&f, 0,
sizeof(
Flow));
4796 f.
proto = IPPROTO_TCP;
4817 "(msg:\"Test proto match\"; uricontent:\"one\";"
4824 "(msg:\"Test proto match\"; uricontent:\"two\";"
4875 static int SigTestPorts01(
void)
4882 uint8_t payload[] =
"AAAAAAAAAAAAAAAAAA";
4895 "(content:\"AAA\"; sid:1;)");
4907 printf(
"sig 1 alerted on p1, but it should not: ");
4913 if (det_ctx != NULL)
4925 static int SigTestBug01(
void)
/* Payload starts with a literal '!' character. */
4932 uint8_t payload[] =
"!mymy";
/* sid 1: "Omymy" differs from the payload in its first byte, so even with
 * nocase it is expected not to alert (see the diagnostics below). */
4945 "(content:\"Omymy\"; nocase; sid:1;)");
/* sid 2: the '!' sits inside the quoted pattern and the test expects this
 * rule to alert, i.e. the '!' appears to be matched as a literal byte
 * rather than treated as content negation. */
4950 "(content:\"!mymy\"; nocase; sid:2;)");
4962 printf(
"sig 1 alerted on p1, but it should not: ");
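/* Diagnostic for the case where sid 2 (literal "!mymy") did not alert on p1;
 * the wording now states what failed. */
printf("sig 2 did not alert on p1, but it should have: ");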
4972 if (det_ctx != NULL)
4983 static const char *dummy_conf_string2 =
4988 " address-groups:\n"
4990 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4992 " EXTERNAL_NET: \"any\"\n"
4996 " HTTP_PORTS: \"80:81,88\"\n"
4999 static int DetectAddressYamlParsing01 (
void)
5030 static const char *dummy_conf_string3 =
5035 " address-groups:\n"
5037 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5039 " EXTERNAL_NET: \"any\"\n"
5043 " HTTP_PORTS: \"80:81,88\"\n"
5046 static int DetectAddressYamlParsing02 (
void)
5077 static const char *dummy_conf_string4 =
5082 " address-groups:\n"
5084 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5086 " EXTERNAL_NET: \"any\"\n"
5090 " HTTP_PORTS: \"80:81,88\"\n"
5093 static int DetectAddressYamlParsing03 (
void)
5124 static const char *dummy_conf_string5 =
5129 " address-groups:\n"
5131 " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
5133 " EXTERNAL_NET: \"any\"\n"
5137 " HTTP_PORTS: \"80:81,88\"\n"
5141 static int DetectAddressYamlParsing04 (
void)
5181 UtRegisterTest(
"SigTest05 -- distance/within mismatch", SigTest05);
5182 UtRegisterTest(
"SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
5185 UtRegisterTest(
"SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
5188 UtRegisterTest(
"SigTest10 -- long content match, longer than pkt",
5191 UtRegisterTest(
"SigTest12 -- content order matching, normal", SigTest12);
5192 UtRegisterTest(
"SigTest13 -- content order matching, diff order",
5194 UtRegisterTest(
"SigTest14 -- content order matching, distance 0",
5196 UtRegisterTest(
"SigTest15 -- port negation sig (no match)", SigTest15);
5197 UtRegisterTest(
"SigTest16 -- port negation sig (match)", SigTest16);
5198 UtRegisterTest(
"SigTest17 -- HTTP Host Pkt var capture", SigTest17);
5208 SigTest25NegativeIPV4Keyword);
5212 SigTest26TCPV4AndNegativeIPV4Keyword);
5214 SigTest26TCPV4AndIPV4Keyword);
5216 SigTest27NegativeTCPV4Keyword);
5220 SigTest29NegativeTCPV6Keyword);
5224 SigTest31NegativeUDPV4Keyword);
5228 SigTest33NegativeUDPV6Keyword);
5230 UtRegisterTest(
"SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5232 SigTest35NegativeICMPV4Keyword);
5234 SigTest36ContentAndIsdataatKeywords01);
5236 SigTest37ContentAndIsdataatKeywords02);
5243 SigTest40NoPacketInspection01);
5245 SigTest40NoPayloadInspection02);
5251 UtRegisterTest(
"SigTestContent01 -- 32 byte pattern", SigTestContent01);
5252 UtRegisterTest(
"SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5253 UtRegisterTest(
"SigTestContent03 -- 32 byte pattern, x2 + distance",
5255 UtRegisterTest(
"SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5257 UtRegisterTest(
"SigTestContent05 -- distance/within", SigTestContent05);
5264 UtRegisterTest(
"SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5271 UtRegisterTest(
"DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5272 UtRegisterTest(
"DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5273 UtRegisterTest(
"DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5274 UtRegisterTest(
"DetectAddressYamlParsing04", DetectAddressYamlParsing04);