suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #ifdef UNITTESTS
19 
20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../detect-engine-build.h"
25 #include "../pkt-var.h"
26 #include "../flow-util.h"
27 #include "../stream-tcp-reassemble.h"
28 #include "../util-unittest.h"
29 #include "../util-var-name.h"
30 #include "../util-unittest-helper.h"
31 
32 static const char *dummy_conf_string =
33  "%YAML 1.1\n"
34  "---\n"
35  "\n"
36  "default-log-dir: /var/log/suricata\n"
37  "\n"
38  "logging:\n"
39  "\n"
40  " default-log-level: debug\n"
41  "\n"
42  " default-format: \"<%t> - <%l>\"\n"
43  "\n"
44  " default-startup-message: Your IDS has started.\n"
45  "\n"
46  " default-output-filter:\n"
47  "\n"
48  " output:\n"
49  "\n"
50  " - interface: console\n"
51  " log-level: info\n"
52  "\n"
53  " - interface: file\n"
54  " filename: /var/log/suricata.log\n"
55  "\n"
56  " - interface: syslog\n"
57  " facility: local5\n"
58  " format: \"%l\"\n"
59  "\n"
60  "pfring:\n"
61  "\n"
62  " interface: eth0\n"
63  "\n"
64  " clusterid: 99\n"
65  "\n"
66  "vars:\n"
67  "\n"
68  " address-groups:\n"
69  "\n"
70  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
71  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
72  "\n"
73  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
74  "\n"
75  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
76  "\n"
77  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
78  "\n"
79  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
80  "\n"
81  " DNS_SERVERS: any\n"
82  "\n"
83  " TELNET_SERVERS: any\n"
84  "\n"
85  " AIM_SERVERS: any\n"
86  "\n"
87  " port-groups:\n"
88  "\n"
89  " HTTP_PORTS: \"80:81,88\"\n"
90  "\n"
91  " SHELLCODE_PORTS: 80\n"
92  "\n"
93  " ORACLE_PORTS: 1521\n"
94  "\n"
95  " SSH_PORTS: 22\n"
96  "\n";
97 
98 static int SigTest01 (void)
99 {
100  uint8_t *buf = (uint8_t *)
101  "GET /one/ HTTP/1.1\r\n"
102  "Host: one.example.org\r\n"
103  "\r\n\r\n"
104  "GET /two/ HTTP/1.1\r\n"
105  "Host: two.example.org\r\n"
106  "\r\n\r\n";
107  uint16_t buflen = strlen((char *)buf);
108  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
109  int result = 0;
110 
111  char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
112  if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
113  result = 0;
114  goto end;
115  }
116 #if 0
117  //printf("URI0 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[0], p.http_uri.raw_size[0]);
118  //printf("URI1 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[1], p.http_uri.raw_size[1]);
119 
120  if (p->http_uri.raw_size[0] == 5 &&
121  memcmp(p->http_uri.raw[0], "/one/", 5) == 0 &&
122  p->http_uri.raw_size[1] == 5 &&
123  memcmp(p->http_uri.raw[1], "/two/", 5) == 0)
124  {
125  result = 1;
126  }
127 
128 #endif
129  result = 1;
130 end:
131  if (p != NULL)
132  UTHFreePacket(p);
133  return result;
134 }
135 
136 static int SigTest02 (void)
137 {
138  uint8_t *buf = (uint8_t *)
139  "GET /one/ HTTP/1.1\r\n"
140  "Host: one.example.org\r\n"
141  "\r\n\r\n"
142  "GET /two/ HTTP/1.1\r\n"
143  "Host: two.example.org\r\n"
144  "\r\n\r\n";
145  uint16_t buflen = strlen((char *)buf);
146  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
147  char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
148  int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
149  UTHFreePacket(p);
150  return ret;
151 }
152 
153 static int SigTest03 (void)
154 {
155  uint8_t *buf = (uint8_t *)
156  "GET /one/ HTTP/1.1\r\n"
157  "Host: one.example.org\r\n"
158  "\r\n\r\n"
159  "GET /two/ HTTP/1.1\r\n"
160  "Host: two.example.org\r\n"
161  "\r\n\r\n";
162  uint16_t buflen = strlen((char *)buf);
163  Packet *p = NULL;
164  ThreadVars th_v;
165  DetectEngineThreadCtx *det_ctx = NULL;
166  int result = 0;
167 
168  memset(&th_v, 0, sizeof(th_v));
169 
170  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
171 
172  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
173  if (de_ctx == NULL) {
174  goto end;
175  }
176 
177  de_ctx->flags |= DE_QUIET;
178 
179  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
180  if (de_ctx->sig_list == NULL) {
181  result = 0;
182  goto end;
183  }
184 
185  SigGroupBuild(de_ctx);
186  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
187 
188  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
189  if (PacketAlertCheck(p, 1))
190  result = 1;
191 
192  SigGroupCleanup(de_ctx);
193  SigCleanSignatures(de_ctx);
194 
195  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
196  DetectEngineCtxFree(de_ctx);
197 end:
198  UTHFreePackets(&p, 1);
199  return result;
200 }
201 
202 static int SigTest04 (void)
203 {
204  uint8_t *buf = (uint8_t *)
205  "GET /one/ HTTP/1.1\r\n" /* 20*/
206  "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
207  "\r\n\r\n" /* 4 */
208  "GET /two/ HTTP/1.1\r\n" /* 20 */
209  "Host: two.example.org\r\n" /* 23 */
210  "\r\n\r\n"; /* 4 */
211  uint16_t buflen = strlen((char *)buf);
212 
213  Packet *p = NULL;
214  ThreadVars th_v;
215  DetectEngineThreadCtx *det_ctx = NULL;
216  int result = 0;
217 
218  memset(&th_v, 0, sizeof(th_v));
219 
220  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
221 
222  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
223  if (de_ctx == NULL) {
224  goto end;
225  }
226 
227  de_ctx->flags |= DE_QUIET;
228 
229  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
230  if (de_ctx->sig_list == NULL) {
231  result = 0;
232  goto end;
233  }
234 
235  SigGroupBuild(de_ctx);
236  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
237 
238  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
239  if (PacketAlertCheck(p, 1))
240  result = 1;
241 
242  SigGroupCleanup(de_ctx);
243  SigCleanSignatures(de_ctx);
244 
245  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
246  DetectEngineCtxFree(de_ctx);
247 end:
248  UTHFreePackets(&p, 1);
249  return result;
250 }
251 
252 static int SigTest05 (void)
253 {
254  uint8_t *buf = (uint8_t *)
255  "GET /one/ HTTP/1.1\r\n" /* 20 */
256  "Host: one.example.org\r\n" /* 23, 43 */
257  "\r\n\r\n" /* 4, 47 */
258  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
259  "Host: two.example.org\r\n" /* 23, 90 */
260  "\r\n\r\n"; /* 4, 94 */
261  uint16_t buflen = strlen((char *)buf);
262  Packet *p = NULL;
263  ThreadVars th_v;
264  DetectEngineThreadCtx *det_ctx = NULL;
265  int result = 0;
266 
267  memset(&th_v, 0, sizeof(th_v));
268 
269  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
270 
271  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
272  if (de_ctx == NULL) {
273  goto end;
274  }
275 
276  de_ctx->flags |= DE_QUIET;
277 
278  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
279  if (de_ctx->sig_list == NULL) {
280  printf("sig parse failed: ");
281  goto end;
282  }
283 
284  SigGroupBuild(de_ctx);
285  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
286 
287  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
288  if (!PacketAlertCheck(p, 1)) {
289  result = 1;
290  } else {
291  printf("sig matched but shouldn't have: ");
292  }
293 
294  SigGroupCleanup(de_ctx);
295  SigCleanSignatures(de_ctx);
296 
297  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
298  DetectEngineCtxFree(de_ctx);
299 end:
300  UTHFreePackets(&p, 1);
301  return result;
302 }
303 
304 static int SigTest06 (void)
305 {
306  uint8_t *buf = (uint8_t *)
307  "GET /one/ HTTP/1.1\r\n" /* 20 */
308  "Host: one.example.org\r\n" /* 23, 43 */
309  "\r\n\r\n" /* 4, 47 */
310  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
311  "Host: two.example.org\r\n" /* 23, 90 */
312  "\r\n\r\n"; /* 4, 94 */
313  uint16_t buflen = strlen((char *)buf);
314  Packet *p = NULL;
315  ThreadVars th_v;
316  DetectEngineThreadCtx *det_ctx = NULL;
317  Flow f;
318  TcpSession ssn;
319  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
320  FAIL_IF_NULL(alp_tctx);
321 
322  memset(&th_v, 0, sizeof(th_v));
323  memset(&f, 0, sizeof(f));
324  memset(&ssn, 0, sizeof(ssn));
325 
326  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
327  FAIL_IF_NULL(p);
328 
329  FLOW_INITIALIZE(&f);
330  f.protoctx = (void *)&ssn;
331  f.flags |= FLOW_IPV4;
332  f.proto = IPPROTO_TCP;
333  p->flow = &f;
334  p->flowflags |= FLOW_PKT_TOSERVER;
335  p->flowflags |= FLOW_PKT_ESTABLISHED;
336  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
337  f.alproto = ALPROTO_HTTP1;
338 
339  StreamTcpInitConfig(true);
340 
341  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
342  FAIL_IF_NULL(de_ctx);
343  de_ctx->flags |= DE_QUIET;
344 
345  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
346  FAIL_IF_NULL(s);
347 
348  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
349  FAIL_IF_NULL(s);
350 
351  SigGroupBuild(de_ctx);
352  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
353  FAIL_IF_NULL(det_ctx);
354 
355  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
356  FAIL_IF(r != 0);
357 
358  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
359  FAIL_IF_NOT(PacketAlertCheck(p, 1));
360  FAIL_IF_NOT(PacketAlertCheck(p, 2));
361 
362  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
363  DetectEngineCtxFree(de_ctx);
364  AppLayerParserThreadCtxFree(alp_tctx);
365  UTHFreePackets(&p, 1);
366  StreamTcpFreeConfig(true);
367  FLOW_DESTROY(&f);
368  PASS;
369 }
370 
371 static int SigTest07 (void)
372 {
373  uint8_t *buf = (uint8_t *)
374  "GET /one/ HTTP/1.1\r\n" /* 20 */
375  "Host: one.example.org\r\n" /* 23, 43 */
376  "\r\n\r\n" /* 4, 47 */
377  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
378  "Host: two.example.org\r\n" /* 23, 90 */
379  "\r\n\r\n"; /* 4, 94 */
380  uint16_t buflen = strlen((char *)buf);
381  Packet *p = NULL;
382  ThreadVars th_v;
383  DetectEngineThreadCtx *det_ctx = NULL;
384  Flow f;
385  TcpSession ssn;
386  int result = 0;
387  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
388 
389  memset(&th_v, 0, sizeof(th_v));
390  memset(&f, 0, sizeof(f));
391  memset(&ssn, 0, sizeof(ssn));
392 
393  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
394 
395  FLOW_INITIALIZE(&f);
396  f.protoctx = (void *)&ssn;
397  f.flags |= FLOW_IPV4;
398  f.proto = IPPROTO_TCP;
399  p->flow = &f;
400  p->flowflags |= FLOW_PKT_TOSERVER;
401  p->flowflags |= FLOW_PKT_ESTABLISHED;
402  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
403  f.alproto = ALPROTO_HTTP1;
404 
405  StreamTcpInitConfig(true);
406 
407  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
408  if (de_ctx == NULL) {
409  goto end;
410  }
411 
412  de_ctx->flags |= DE_QUIET;
413 
414  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
415  if (de_ctx->sig_list == NULL) {
416  result = 0;
417  goto end;
418  }
419  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
420  if (de_ctx->sig_list->next == NULL) {
421  result = 0;
422  goto end;
423  }
424 
425  SigGroupBuild(de_ctx);
426  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
427 
428  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
429  if (r != 0) {
430  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
431  result = 0;
432  goto end;
433  }
434 
435  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
436  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
437  result = 0;
438  else
439  result = 1;
440 
441 end:
442  if (alp_tctx != NULL)
443  AppLayerParserThreadCtxFree(alp_tctx);
444  UTHFreePackets(&p, 1);
445  StreamTcpFreeConfig(true);
446  FlowCleanupAppLayer(&f);
447  FLOW_DESTROY(&f);
448  SigGroupCleanup(de_ctx);
449  SigCleanSignatures(de_ctx);
450 
451  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
452  DetectEngineCtxFree(de_ctx);
453 
454  return result;
455 }
456 
457 static int SigTest08 (void)
458 {
459  uint8_t *buf = (uint8_t *)
460  "GET /one/ HTTP/1.0\r\n" /* 20 */
461  "Host: one.example.org\r\n" /* 23, 43 */
462  "\r\n\r\n" /* 4, 47 */
463  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
464  "Host: two.example.org\r\n" /* 23, 90 */
465  "\r\n\r\n"; /* 4, 94 */
466  uint16_t buflen = strlen((char *)buf);
467  Packet *p = NULL;
468  ThreadVars th_v;
469  DetectEngineThreadCtx *det_ctx = NULL;
470  Flow f;
471  TcpSession ssn;
472  int result = 0;
473  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
474 
475  memset(&f, 0, sizeof(Flow));
476  memset(&th_v, 0, sizeof(th_v));
477  memset(&ssn, 0, sizeof(ssn));
478 
479  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
480 
481  FLOW_INITIALIZE(&f);
482  f.protoctx = (void *)&ssn;
483  f.flags |= FLOW_IPV4;
484  f.proto = IPPROTO_TCP;
485  p->flow = &f;
486  p->flowflags |= FLOW_PKT_TOSERVER;
487  p->flowflags |= FLOW_PKT_ESTABLISHED;
488  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
489  f.alproto = ALPROTO_HTTP1;
490 
491  StreamTcpInitConfig(true);
492 
493  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
494  if (de_ctx == NULL) {
495  goto end;
496  }
497 
498  de_ctx->flags |= DE_QUIET;
499 
500  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
501  if (de_ctx->sig_list == NULL) {
502  result = 0;
503  goto end;
504  }
505  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
506  if (de_ctx->sig_list->next == NULL) {
507  result = 0;
508  goto end;
509  }
510 
511  SigGroupBuild(de_ctx);
512  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
513 
514  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
515  if (r != 0) {
516  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
517  result = 0;
518  goto end;
519  }
520 
521  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
522  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
523  result = 1;
524  else
525  printf("sid:1 %s, sid:2 %s: ",
526  PacketAlertCheck(p, 1) ? "OK" : "FAIL",
527  PacketAlertCheck(p, 2) ? "OK" : "FAIL");
528 
529 end:
530  FlowCleanupAppLayer(&f);
531  SigGroupCleanup(de_ctx);
532  SigCleanSignatures(de_ctx);
533 
534  if (det_ctx)
535  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
536  DetectEngineCtxFree(de_ctx);
537  if (alp_tctx != NULL)
538  AppLayerParserThreadCtxFree(alp_tctx);
539  UTHFreePackets(&p, 1);
540  StreamTcpFreeConfig(true);
541  FLOW_DESTROY(&f);
542  return result;
543 }
544 
545 static int SigTest09 (void)
546 {
547  uint8_t *buf = (uint8_t *)
548  "GET /one/ HTTP/1.0\r\n" /* 20 */
549  "Host: one.example.org\r\n" /* 23, 43 */
550  "\r\n\r\n" /* 4, 47 */
551  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
552  "Host: two.example.org\r\n" /* 23, 90 */
553  "\r\n\r\n"; /* 4, 94 */
554  uint16_t buflen = strlen((char *)buf);
555  Packet *p = NULL;
556  ThreadVars th_v;
557  DetectEngineThreadCtx *det_ctx = NULL;
558  Flow f;
559  TcpSession ssn;
560  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
561  int result = 0;
562 
563  memset(&th_v, 0, sizeof(th_v));
564  memset(&f, 0, sizeof(f));
565  memset(&ssn, 0, sizeof(ssn));
566 
567  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
568 
569  FLOW_INITIALIZE(&f);
570  f.protoctx = (void *)&ssn;
571  f.flags |= FLOW_IPV4;
572  f.proto = IPPROTO_TCP;
573  p->flow = &f;
574  p->flowflags |= FLOW_PKT_TOSERVER;
575  p->flowflags |= FLOW_PKT_ESTABLISHED;
576  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
577  f.alproto = ALPROTO_HTTP1;
578 
579  StreamTcpInitConfig(true);
580 
581  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
582  if (de_ctx == NULL) {
583  goto end;
584  }
585 
586  de_ctx->flags |= DE_QUIET;
587 
588  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
589  if (de_ctx->sig_list == NULL) {
590  result = 0;
591  goto end;
592  }
593  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
594  if (de_ctx->sig_list->next == NULL) {
595  result = 0;
596  goto end;
597  }
598 
599  SigGroupBuild(de_ctx);
600  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
601 
602  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
603  if (r != 0) {
604  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
605  result = 0;
606  goto end;
607  }
608 
609  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
610  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
611  result = 1;
612  else
613  result = 0;
614 
615 end:
616  FlowCleanupAppLayer(&f);
617  SigGroupCleanup(de_ctx);
618  SigCleanSignatures(de_ctx);
619  if (det_ctx)
620  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
621  DetectEngineCtxFree(de_ctx);
622  if (alp_tctx != NULL)
623  AppLayerParserThreadCtxFree(alp_tctx);
624  UTHFreePackets(&p, 1);
625  StreamTcpFreeConfig(true);
626  FLOW_DESTROY(&f);
627  return result;
628 }
629 
630 static int SigTest10 (void)
631 {
632  uint8_t *buf = (uint8_t *)
633  "ABC";
634  uint16_t buflen = strlen((char *)buf);
635  Packet *p = NULL;
636  ThreadVars th_v;
637  DetectEngineThreadCtx *det_ctx = NULL;
638  Flow f;
639  TcpSession ssn;
640  int result = 0;
641  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
642 
643  memset(&th_v, 0, sizeof(th_v));
644  memset(&f, 0, sizeof(f));
645  memset(&ssn, 0, sizeof(ssn));
646 
647  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
648 
649  FLOW_INITIALIZE(&f);
650  f.protoctx = (void *)&ssn;
651  f.proto = IPPROTO_TCP;
652  f.flags |= FLOW_IPV4;
653  p->flow = &f;
654  p->flowflags |= FLOW_PKT_TOSERVER;
655  p->flowflags |= FLOW_PKT_ESTABLISHED;
656  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
657  f.alproto = ALPROTO_HTTP1;
658 
659  StreamTcpInitConfig(true);
660 
661  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
662  if (de_ctx == NULL) {
663  goto end;
664  }
665 
666  de_ctx->flags |= DE_QUIET;
667 
668  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
669  if (de_ctx->sig_list == NULL) {
670  result = 0;
671  goto end;
672  }
673  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)");
674  if (de_ctx->sig_list->next == NULL) {
675  result = 0;
676  goto end;
677  }
678 
679  SigGroupBuild(de_ctx);
680  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
681 
682  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
683  if (r != 0) {
684  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
685  result = 0;
686  goto end;
687  }
688 
689  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
690  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
691  result = 0;
692  else
693  result = 1;
694 
695  end:
696  FlowCleanupAppLayer(&f);
697  SigGroupCleanup(de_ctx);
698  SigCleanSignatures(de_ctx);
699  if (det_ctx)
700  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
701  DetectEngineCtxFree(de_ctx);
702  if (alp_tctx != NULL)
703  AppLayerParserThreadCtxFree(alp_tctx);
704  UTHFreePackets(&p, 1);
705  StreamTcpFreeConfig(true);
706  FLOW_DESTROY(&f);
707  return result;
708 }
709 
710 static int SigTest11 (void)
711 {
712  uint8_t *buf = (uint8_t *)
713  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
714  uint16_t buflen = strlen((char *)buf);
715  Packet *p = NULL;
716  ThreadVars th_v;
717  DetectEngineThreadCtx *det_ctx = NULL;
718  Flow f;
719  TcpSession ssn;
720  int result = 0;
721 
722  memset(&th_v, 0, sizeof(th_v));
723  memset(&f, 0, sizeof(f));
724  memset(&ssn, 0, sizeof(ssn));
725 
726  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
727 
728  FLOW_INITIALIZE(&f);
729  f.protoctx = (void *)&ssn;
730  f.proto = IPPROTO_TCP;
731  f.flags |= FLOW_IPV4;
732  p->flow = &f;
733  p->flowflags |= FLOW_PKT_TOSERVER;
734  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
735  f.alproto = ALPROTO_HTTP1;
736 
737  StreamTcpInitConfig(true);
738 
739  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
740  if (de_ctx == NULL) {
741  goto end;
742  }
743 
744  de_ctx->flags |= DE_QUIET;
745 
746  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
747  if (de_ctx->sig_list == NULL) {
748  goto end;
749  }
750  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
751  if (de_ctx->sig_list->next == NULL) {
752  goto end;
753  }
754 
755  SigGroupBuild(de_ctx);
756  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
757 
758  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
759  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
760  result = 1;
761 
762  end:
763  FlowCleanupAppLayer(&f);
764  SigGroupCleanup(de_ctx);
765  if (det_ctx)
766  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
767  DetectEngineCtxFree(de_ctx);
768  UTHFreePackets(&p, 1);
769  StreamTcpFreeConfig(true);
770  FLOW_DESTROY(&f);
771  return result;
772 }
773 
774 static int SigTest12 (void)
775 {
776  uint8_t *buf = (uint8_t *)
777  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
778  uint16_t buflen = strlen((char *)buf);
779  Packet *p = NULL;
780  ThreadVars th_v;
781  DetectEngineThreadCtx *det_ctx = NULL;
782  int result = 0;
783 
784  memset(&th_v, 0, sizeof(th_v));
785  Flow f;
786  memset(&f, 0, sizeof(Flow));
787 
788  FLOW_INITIALIZE(&f);
789 
790  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
791  p->flow = &f;
792  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
793 
794  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
795  if (de_ctx == NULL) {
796  goto end;
797  }
798 
799  de_ctx->flags |= DE_QUIET;
800 
801  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
802  if (de_ctx->sig_list == NULL) {
803  result = 0;
804  goto end;
805  }
806 
807  SigGroupBuild(de_ctx);
808  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
809 
810  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
811  if (PacketAlertCheck(p, 1))
812  result = 1;
813  else
814  result = 0;
815 
816  if (det_ctx != NULL)
817  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
818 end:
819  UTHFreePackets(&p, 1);
820  if (de_ctx != NULL) {
821  SigGroupCleanup(de_ctx);
822  SigCleanSignatures(de_ctx);
823  DetectEngineCtxFree(de_ctx);
824  }
825  FLOW_DESTROY(&f);
826  return result;
827 }
828 
829 static int SigTest13 (void)
830 {
831  uint8_t *buf = (uint8_t *)
832  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
833  uint16_t buflen = strlen((char *)buf);
834  Packet *p = NULL;
835  ThreadVars th_v;
836  DetectEngineThreadCtx *det_ctx = NULL;
837  int result = 0;
838 
839  memset(&th_v, 0, sizeof(th_v));
840  Flow f;
841  memset(&f, 0, sizeof(Flow));
842 
843  FLOW_INITIALIZE(&f);
844 
845  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
846  p->flow = &f;
847  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
848 
849  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
850  if (de_ctx == NULL) {
851  goto end;
852  }
853 
854  de_ctx->flags |= DE_QUIET;
855 
856  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
857  if (de_ctx->sig_list == NULL) {
858  result = 0;
859  goto end;
860  }
861 
862  SigGroupBuild(de_ctx);
863  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
864 
865  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
866  if (PacketAlertCheck(p, 1))
867  result = 1;
868  else
869  result = 0;
870 
871  SigGroupCleanup(de_ctx);
872  SigCleanSignatures(de_ctx);
873  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
874  DetectEngineCtxFree(de_ctx);
875 end:
876  UTHFreePackets(&p, 1);
877  FLOW_DESTROY(&f);
878  return result;
879 }
880 
881 static int SigTest14 (void)
882 {
883  uint8_t *buf = (uint8_t *)
884  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
885  uint16_t buflen = strlen((char *)buf);
886  Packet *p = NULL;
887  ThreadVars th_v;
888  DetectEngineThreadCtx *det_ctx = NULL;
889  int result = 0;
890 
891  memset(&th_v, 0, sizeof(th_v));
892 
893  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
894 
895  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
896  if (de_ctx == NULL) {
897  goto end;
898  }
899 
900  de_ctx->flags |= DE_QUIET;
901 
902  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
903  if (de_ctx->sig_list == NULL) {
904  result = 0;
905  goto end;
906  }
907 
908  SigGroupBuild(de_ctx);
909  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
910 
911  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
912  if (PacketAlertCheck(p, 1))
913  result = 0;
914  else
915  result = 1;
916 
917  SigGroupCleanup(de_ctx);
918  SigCleanSignatures(de_ctx);
919  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
920  DetectEngineCtxFree(de_ctx);
921 end:
922  UTHFreePackets(&p, 1);
923  return result;
924 }
925 
926 static int SigTest15 (void)
927 {
928  uint8_t *buf = (uint8_t *)
929  "CONNECT 213.92.8.7:31204 HTTP/1.1";
930  uint16_t buflen = strlen((char *)buf);
931  Packet *p = PacketGetFromAlloc();
932  if (unlikely(p == NULL))
933  return 0;
934  ThreadVars th_v;
935  DetectEngineThreadCtx *det_ctx = NULL;
936  int result = 0;
937 
938  memset(&th_v, 0, sizeof(th_v));
939  p->src.family = AF_INET;
940  p->dst.family = AF_INET;
941  p->payload = buf;
942  p->payload_len = buflen;
943  p->proto = IPPROTO_TCP;
944  p->dp = 80;
945 
946  ConfCreateContextBackup();
947  ConfInit();
948  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
949 
950  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
951  if (de_ctx == NULL) {
952  goto end;
953  }
954 
955  de_ctx->flags |= DE_QUIET;
956 
957  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
958  if (de_ctx->sig_list == NULL) {
959  result = 0;
960  goto end;
961  }
962 
963  SigGroupBuild(de_ctx);
964  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
965 
966  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
967  if (PacketAlertCheck(p, 2008284))
968  result = 0;
969  else
970  result = 1;
971 
972  SigGroupCleanup(de_ctx);
973  SigCleanSignatures(de_ctx);
974  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
975  DetectEngineCtxFree(de_ctx);
976 end:
977  ConfDeInit();
978  ConfRestoreContextBackup();
979  SCFree(p);
980  return result;
981 }
982 
983 static int SigTest16 (void)
984 {
985  uint8_t *buf = (uint8_t *)
986  "CONNECT 213.92.8.7:31204 HTTP/1.1";
987  uint16_t buflen = strlen((char *)buf);
988  Packet *p = NULL;
989  ThreadVars th_v;
990  DetectEngineThreadCtx *det_ctx = NULL;
991  int result = 0;
992 
993  memset(&th_v, 0, sizeof(th_v));
994  memset(&p, 0, sizeof(p));
995 
996  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
997 
998  ConfCreateContextBackup();
999  ConfInit();
1000  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1001 
1002  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1003  if (de_ctx == NULL) {
1004  goto end;
1005  }
1006 
1007  de_ctx->flags |= DE_QUIET;
1008 
1009  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
1010  if (de_ctx->sig_list == NULL) {
1011  goto end;
1012  }
1013 
1014  SigGroupBuild(de_ctx);
1015  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1016 
1017  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1018  if (PacketAlertCheck(p, 2008284))
1019  result = 1;
1020  else
1021  printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
1022 
1023  SigGroupCleanup(de_ctx);
1024  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1025  DetectEngineCtxFree(de_ctx);
1026 end:
1027  ConfDeInit();
1028  ConfRestoreContextBackup();
1029  UTHFreePackets(&p, 1);
1030  return result;
1031 }
1032 
1033 static int SigTest17 (void)
1034 {
1035  uint8_t *buf = (uint8_t *)
1036  "GET /one/ HTTP/1.1\r\n" /* 20 */
1037  "Host: one.example.org\r\n" /* 23, 43 */
1038  "\r\n\r\n" /* 4, 47 */
1039  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
1040  "Host: two.example.org\r\n" /* 23, 90 */
1041  "\r\n\r\n"; /* 4, 94 */
1042  uint16_t buflen = strlen((char *)buf);
1043  Packet *p = NULL;
1044  ThreadVars th_v;
1045  DetectEngineThreadCtx *det_ctx = NULL;
1046  memset(&th_v, 0, sizeof(th_v));
1047 
1048  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
1049  FAIL_IF_NULL(p);
1050 
1051  ConfCreateContextBackup();
1052  ConfInit();
1053  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1054 
1055  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1056  FAIL_IF_NULL(de_ctx);
1057  de_ctx->flags |= DE_QUIET;
1058 
1059  Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
1060  FAIL_IF_NULL(s);
1061 
1062  SigGroupBuild(de_ctx);
1063  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1064  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1065 
1066  uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
1067  PktVar *pv_hn = PktVarGet(p, capid);
1068  FAIL_IF_NULL(pv_hn);
1069  FAIL_IF(pv_hn->value_len != 15);
1070  FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
1071 
1072  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1073  DetectEngineCtxFree(de_ctx);
1074  ConfDeInit();
1075  ConfRestoreContextBackup();
1076  UTHFreePackets(&p, 1);
1077 
1078  PASS;
1079 }
1080 
1081 static int SigTest18 (void)
1082 {
1083  uint8_t *buf = (uint8_t *)
1084  "220 (vsFTPd 2.0.5)\r\n";
1085  uint16_t buflen = strlen((char *)buf);
1086  Packet *p = PacketGetFromAlloc();
1087  if (unlikely(p == NULL))
1088  return 0;
1089  ThreadVars th_v;
1090  DetectEngineThreadCtx *det_ctx = NULL;
1091  int result = 0;
1092 
1093  memset(&th_v, 0, sizeof(th_v));
1094  p->src.family = AF_INET;
1095  p->dst.family = AF_INET;
1096  p->payload = buf;
1097  p->payload_len = buflen;
1098  p->proto = IPPROTO_TCP;
1099  p->dp = 34260;
1100  p->sp = 21;
1101 
1102  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1103  if (de_ctx == NULL) {
1104  goto end;
1105  }
1106 
1107  de_ctx->flags |= DE_QUIET;
1108 
1109  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
1110  if (de_ctx->sig_list == NULL) {
1111  result = 0;
1112  goto end;
1113  }
1114 
1115  SigGroupBuild(de_ctx);
1116  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1117 
1118  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1119  if (!PacketAlertCheck(p, 2003055))
1120  result = 1;
1121  else
1122  printf("signature shouldn't match, but did: ");
1123 
1124  SigGroupCleanup(de_ctx);
1125  SigCleanSignatures(de_ctx);
1126  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1127  DetectEngineCtxFree(de_ctx);
1128 end:
1129  SCFree(p);
1130  return result;
1131 }
1132 
1133 static int SigTest19 (void)
1134 {
1135  uint8_t *buf = (uint8_t *)
1136  "220 (vsFTPd 2.0.5)\r\n";
1137  uint16_t buflen = strlen((char *)buf);
1138  Packet *p = PacketGetFromAlloc();
1139  if (unlikely(p == NULL))
1140  return 0;
1141  ThreadVars th_v;
1142  DetectEngineThreadCtx *det_ctx = NULL;
1143  int result = 0;
1144 
1145  memset(&th_v, 0, sizeof(th_v));
1146  p->src.family = AF_INET;
1147  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1148  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1149  p->dst.family = AF_INET;
1150  p->payload = buf;
1151  p->payload_len = buflen;
1152  p->proto = IPPROTO_TCP;
1153  p->dp = 34260;
1154  p->sp = 21;
1155  p->flowflags |= FLOW_PKT_TOSERVER;
1156 
1157  ConfCreateContextBackup();
1158  ConfInit();
1159  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1160 
1161  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1162  if (de_ctx == NULL) {
1163  goto end;
1164  }
1165 
1166  de_ctx->flags |= DE_QUIET;
1167 
1168  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1169  if (de_ctx->sig_list == NULL) {
1170  result = 0;
1171  goto end;
1172  }
1173 
1174  SigGroupBuild(de_ctx);
1175  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1176 
1177  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1178  if (PacketAlertCheck(p, 999))
1179  result = 1;
1180  else
1181  printf("signature didn't match, but should have: ");
1182 
1183  SigGroupCleanup(de_ctx);
1184  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1185  DetectEngineCtxFree(de_ctx);
1186 end:
1187  ConfDeInit();
1188  ConfRestoreContextBackup();
1189  SCFree(p);
1190  return result;
1191 }
1192 
1193 static int SigTest20 (void)
1194 {
1195  uint8_t *buf = (uint8_t *)
1196  "220 (vsFTPd 2.0.5)\r\n";
1197  uint16_t buflen = strlen((char *)buf);
1198  Packet *p = PacketGetFromAlloc();
1199  if (unlikely(p == NULL))
1200  return 0;
1201  ThreadVars th_v;
1202  DetectEngineThreadCtx *det_ctx = NULL;
1203  int result = 0;
1204 
1205  memset(&th_v, 0, sizeof(th_v));
1206  p->src.family = AF_INET;
1207  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1208  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1209  p->dst.family = AF_INET;
1210  p->payload = buf;
1211  p->payload_len = buflen;
1212  p->proto = IPPROTO_TCP;
1213  p->dp = 34260;
1214  p->sp = 21;
1215  p->flowflags |= FLOW_PKT_TOSERVER;
1216 
1217  ConfCreateContextBackup();
1218  ConfInit();
1219  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1220 
1221  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1222  if (de_ctx == NULL) {
1223  goto end;
1224  }
1225 
1226  de_ctx->flags |= DE_QUIET;
1227 
1228  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1229  if (de_ctx->sig_list == NULL) {
1230  result = 0;
1231  goto end;
1232  }
1233 
1234  SigGroupBuild(de_ctx);
1235  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1236 
1237  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1238  if (PacketAlertCheck(p, 999))
1239  result = 1;
1240  else
1241  printf("signature didn't match, but should have: ");
1242 
1243  SigGroupCleanup(de_ctx);
1244  SigCleanSignatures(de_ctx);
1245  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1246  DetectEngineCtxFree(de_ctx);
1247 end:
1248  ConfDeInit();
1249  ConfRestoreContextBackup();
1250  SCFree(p);
1251  return result;
1252 }
1253 
1254 static int SigTest21 (void)
1255 {
1256  ThreadVars th_v;
1257  memset(&th_v, 0, sizeof(th_v));
1258  DetectEngineThreadCtx *det_ctx = NULL;
1259  int result = 0;
1260 
1261  Flow f;
1262  memset(&f, 0, sizeof(f));
1263  FLOW_INITIALIZE(&f);
1264 
1265  /* packet 1 */
1266  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1267  "\r\n\r\n";
1268  uint16_t buf1len = strlen((char *)buf1);
1269  Packet *p1 = NULL;
1270  /* packet 2 */
1271  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1272  "\r\n\r\n";
1273  uint16_t buf2len = strlen((char *)buf2);
1274  Packet *p2 = NULL;
1275 
1276  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1277  p1->flow = &f;
1278  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1279  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1280  p2->flow = &f;
1281  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1282 
1283  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1284  if (de_ctx == NULL) {
1285  goto end;
1286  }
1287 
1288  de_ctx->flags |= DE_QUIET;
1289 
1290  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1291  if (de_ctx->sig_list == NULL) {
1292  result = 0;
1293  goto end;
1294  }
1295  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1296  if (de_ctx->sig_list == NULL) {
1297  result = 0;
1298  goto end;
1299  }
1300 
1301  SigGroupBuild(de_ctx);
1302  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1303 
1304  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1305  if (PacketAlertCheck(p1, 1)) {
1306  printf("sid 1 alerted, but shouldn't: ");
1307  goto end;
1308  }
1309  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1310  if (!(PacketAlertCheck(p2, 2))) {
1311  printf("sid 2 didn't alert, but should have: ");
1312  goto end;
1313  }
1314 
1315  result = 1;
1316 end:
1317  if (de_ctx != NULL) {
1318  SigGroupCleanup(de_ctx);
1319  SigCleanSignatures(de_ctx);
1320 
1321  if (det_ctx != NULL) {
1322  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1323  }
1324  }
1325  DetectEngineCtxFree(de_ctx);
1326  UTHFreePackets(&p1, 1);
1327  UTHFreePackets(&p2, 1);
1328  FLOW_DESTROY(&f);
1329  return result;
1330 }
1331 
1332 static int SigTest22 (void)
1333 {
1334  ThreadVars th_v;
1335  memset(&th_v, 0, sizeof(th_v));
1336  DetectEngineThreadCtx *det_ctx = NULL;
1337  int result = 0;
1338 
1339  Flow f;
1340  memset(&f, 0, sizeof(f));
1341  FLOW_INITIALIZE(&f);
1342 
1343  /* packet 1 */
1344  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1345  "\r\n\r\n";
1346  uint16_t buf1len = strlen((char *)buf1);
1347  Packet *p1 = NULL;
1348 
1349  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1350  p1->flow = &f;
1351  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1352 
1353  /* packet 2 */
1354  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1355  "\r\n\r\n";
1356  uint16_t buf2len = strlen((char *)buf2);
1357  Packet *p2 = NULL;
1358 
1359  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1360  p2->flow = &f;
1361  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1362 
1363  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1364  if (de_ctx == NULL) {
1365  goto end;
1366  }
1367 
1368  de_ctx->flags |= DE_QUIET;
1369 
1370  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1371  if (de_ctx->sig_list == NULL) {
1372  result = 0;
1373  goto end;
1374  }
1375  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1376  if (de_ctx->sig_list == NULL) {
1377  result = 0;
1378  goto end;
1379  }
1380 
1381  SigGroupBuild(de_ctx);
1382  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1383 
1384  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1385  if (PacketAlertCheck(p1, 1)) {
1386  printf("sid 1 alerted, but shouldn't: ");
1387  goto end;
1388  }
1389  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1390  if (!(PacketAlertCheck(p2, 2)))
1391  result = 1;
1392  else
1393  printf("sid 2 alerted, but shouldn't: ");
1394 
1395  SigGroupCleanup(de_ctx);
1396  SigCleanSignatures(de_ctx);
1397 
1398  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1399  DetectEngineCtxFree(de_ctx);
1400 end:
1401  UTHFreePackets(&p1, 1);
1402  UTHFreePackets(&p2, 1);
1403  FLOW_DESTROY(&f);
1404  return result;
1405 }
1406 
1407 static int SigTest23 (void)
1408 {
1409  ThreadVars th_v;
1410  memset(&th_v, 0, sizeof(th_v));
1411  DetectEngineThreadCtx *det_ctx = NULL;
1412  int result = 0;
1413 
1414  Flow f;
1415  memset(&f, 0, sizeof(f));
1416  FLOW_INITIALIZE(&f);
1417 
1418  /* packet 1 */
1419  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1420  "\r\n\r\n";
1421  uint16_t buf1len = strlen((char *)buf1);
1422  Packet *p1 = NULL;
1423 
1424  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1425  p1->flow = &f;
1426  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1427 
1428  /* packet 2 */
1429  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1430  "\r\n\r\n";
1431  uint16_t buf2len = strlen((char *)buf2);
1432  Packet *p2 = NULL;
1433 
1434  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1435  p2->flow = &f;
1436  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1437 
1438  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1439  if (de_ctx == NULL) {
1440  goto end;
1441  }
1442 
1443  de_ctx->flags |= DE_QUIET;
1444 
1445  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1446  if (de_ctx->sig_list == NULL) {
1447  result = 0;
1448  goto end;
1449  }
1450  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1451  if (de_ctx->sig_list == NULL) {
1452  result = 0;
1453  goto end;
1454  }
1455 
1456  SigGroupBuild(de_ctx);
1457  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1458 
1459  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1460  if (PacketAlertCheck(p1, 1)) {
1461  printf("sid 1 alerted, but shouldn't: ");
1462  goto end;
1463  }
1464  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1465  if (PacketAlertCheck(p2, 2))
1466  result = 1;
1467  else
1468  printf("sid 2 didn't alert, but should have: ");
1469 
1470  SigGroupCleanup(de_ctx);
1471  SigCleanSignatures(de_ctx);
1472 
1473  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1474  DetectEngineCtxFree(de_ctx);
1475 end:
1476  UTHFreePackets(&p1, 1);
1477  UTHFreePackets(&p2, 1);
1478  FLOW_DESTROY(&f);
1479  return result;
1480 }
1481 
1482 static int SigTest24IPV4Keyword(void)
1483 {
1484  uint8_t valid_raw_ipv4[] = {
1485  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1486  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1487  0xc0, 0xa8, 0x01, 0x03};
1488 
1489  uint8_t invalid_raw_ipv4[] = {
1490  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1491  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1492  0xc0, 0xa8, 0x01, 0x06};
1493 
1494  Packet *p1 = PacketGetFromAlloc();
1495  if (unlikely(p1 == NULL))
1496  return 0;
1497  Packet *p2 = PacketGetFromAlloc();
1498  if (unlikely(p2 == NULL)) {
1499  SCFree(p1);
1500  return 0;
1501  }
1502  ThreadVars th_v;
1503  DetectEngineThreadCtx *det_ctx = NULL;
1504  int result = 0;
1505 
1506  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1507  "\r\n\r\n";
1508  uint16_t buflen = strlen((char *)buf);
1509 
1510  memset(&th_v, 0, sizeof(ThreadVars));
1511 
1512  PacketSetIPV4(p1, valid_raw_ipv4);
1513  p1->src.family = AF_INET;
1514  p1->dst.family = AF_INET;
1515  p1->payload = buf;
1516  p1->payload_len = buflen;
1517  p1->proto = IPPROTO_TCP;
1518 
1519  PacketSetIPV4(p2, invalid_raw_ipv4);
1520  p2->src.family = AF_INET;
1521  p2->dst.family = AF_INET;
1522  p2->payload = buf;
1523  p2->payload_len = buflen;
1524  p2->proto = IPPROTO_TCP;
1525 
1526  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1527  if (de_ctx == NULL) {
1528  goto end;
1529  }
1530 
1531  de_ctx->flags |= DE_QUIET;
1532 
1533  de_ctx->sig_list = SigInit(de_ctx,
1534  "alert ip any any -> any any "
1535  "(content:\"/one/\"; ipv4-csum:valid; "
1536  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1537  if (de_ctx->sig_list == NULL) {
1538  printf("sig 1 parse: ");
1539  goto end;
1540  }
1541 
1542  de_ctx->sig_list->next = SigInit(de_ctx,
1543  "alert ip any any -> any any "
1544  "(content:\"/one/\"; ipv4-csum:invalid; "
1545  "msg:\"ipv4-csum keyword check(1)\"; "
1546  "sid:2;)");
1547  if (de_ctx->sig_list->next == NULL) {
1548  printf("sig 2 parse: ");
1549  goto end;
1550  }
1551 
1552  SigGroupBuild(de_ctx);
1553  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1554 
1555  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1556  if (!(PacketAlertCheck(p1, 1))) {
1557  printf("signature 1 didn't match, but should have: ");
1558  goto end;
1559  }
1560 
1561  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1562  if (!((PacketAlertCheck(p2, 2)))) {
1563  printf("signature 2 didn't match, but should have: ");
1564  goto end;
1565  }
1566 
1567  result = 1;
1568 end:
1569  if (det_ctx != NULL) {
1570  SigGroupCleanup(de_ctx);
1571  SigCleanSignatures(de_ctx);
1572  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1573  DetectEngineCtxFree(de_ctx);
1574  }
1575  SCFree(p1);
1576  SCFree(p2);
1577  return result;
1578 }
1579 
1580 static int SigTest25NegativeIPV4Keyword(void)
1581 {
1582  uint8_t valid_raw_ipv4[] = {
1583  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1584  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1585  0xc0, 0xa8, 0x01, 0x03};
1586 
1587  uint8_t invalid_raw_ipv4[] = {
1588  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1589  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1590  0xc0, 0xa8, 0x01, 0x06};
1591 
1592  Packet *p1 = PacketGetFromAlloc();
1593  if (unlikely(p1 == NULL))
1594  return 0;
1595  Packet *p2 = PacketGetFromAlloc();
1596  if (unlikely(p2 == NULL)) {
1597  SCFree(p1);
1598  return 0;
1599  }
1600  ThreadVars th_v;
1601  DetectEngineThreadCtx *det_ctx = NULL;
1602  int result = 1;
1603 
1604  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1605  "\r\n\r\n";
1606  uint16_t buflen = strlen((char *)buf);
1607 
1608  memset(&th_v, 0, sizeof(ThreadVars));
1609 
1610  PacketSetIPV4(p1, valid_raw_ipv4);
1611  p1->src.family = AF_INET;
1612  p1->dst.family = AF_INET;
1613  p1->payload = buf;
1614  p1->payload_len = buflen;
1615  p1->proto = IPPROTO_TCP;
1616 
1617  PacketSetIPV4(p2, invalid_raw_ipv4);
1618  p2->src.family = AF_INET;
1619  p2->dst.family = AF_INET;
1620  p2->payload = buf;
1621  p2->payload_len = buflen;
1622  p2->proto = IPPROTO_TCP;
1623 
1624  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1625  if (de_ctx == NULL) {
1626  goto end;
1627  }
1628 
1629  de_ctx->flags |= DE_QUIET;
1630 
1631  de_ctx->sig_list = SigInit(de_ctx,
1632  "alert ip any any -> any any "
1633  "(content:\"/one/\"; ipv4-csum:invalid; "
1634  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1635  if (de_ctx->sig_list == NULL) {
1636  result &= 0;
1637  goto end;
1638  }
1639 
1640  de_ctx->sig_list->next = SigInit(de_ctx,
1641  "alert ip any any -> any any "
1642  "(content:\"/one/\"; ipv4-csum:valid; "
1643  "msg:\"ipv4-csum keyword check(1)\"; "
1644  "sid:2;)");
1645  if (de_ctx->sig_list->next == NULL) {
1646  result &= 0;
1647  goto end;
1648  }
1649 
1650  SigGroupBuild(de_ctx);
1651  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1652 
1653  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1654  if (PacketAlertCheck(p1, 1))
1655  result &= 0;
1656  else
1657  result &= 1;
1658 
1659  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1660  if (PacketAlertCheck(p2, 2))
1661  result &= 0;
1662  else
1663  result &= 1;
1664 
1665  SigGroupCleanup(de_ctx);
1666  SigCleanSignatures(de_ctx);
1667  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1668  DetectEngineCtxFree(de_ctx);
1669 end:
1670  SCFree(p1);
1671  SCFree(p2);
1672  return result;
1673 }
1674 
1675 static int SigTest26TCPV4Keyword(void)
1676 {
1677  uint8_t raw_ipv4[] = {
1678  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1679  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1680  0xc0, 0xa8, 0x01, 0x03};
1681 
1682  uint8_t valid_raw_tcp[] = {
1683  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1684  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1685  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1686  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1687  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1688 
1689  uint8_t invalid_raw_tcp[] = {
1690  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1691  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1692  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1693  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1694  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1695 
1696  Packet *p1 = PacketGetFromAlloc();
1697  if (unlikely(p1 == NULL))
1698  return 0;
1699 
1700  Packet *p2 = PacketGetFromAlloc();
1701  if (unlikely(p2 == NULL)) {
1702  SCFree(p1);
1703  return 0;
1704  }
1705 
1706  ThreadVars th_v;
1707  DetectEngineThreadCtx *det_ctx = NULL;
1708 
1709  memset(&th_v, 0, sizeof(ThreadVars));
1710 
1711  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1712  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1713 
1714  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1715  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1716 
1717  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1718  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1719  p1->src.family = AF_INET;
1720  p1->dst.family = AF_INET;
1721  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1722  p1->payload_len = 20;
1723  p1->proto = IPPROTO_TCP;
1724 
1725  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1726  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1727  p2->src.family = AF_INET;
1728  p2->dst.family = AF_INET;
1729  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1730  p2->payload_len = 20;
1731  p2->proto = IPPROTO_TCP;
1732 
1733  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1734  FAIL_IF_NULL(de_ctx);
1735 
1736  de_ctx->flags |= DE_QUIET;
1737 
1738  de_ctx->sig_list = SigInit(de_ctx,
1739  "alert ip any any -> any any "
1740  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1741  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1742  FAIL_IF_NULL(de_ctx->sig_list);
1743 
1744  de_ctx->sig_list->next = SigInit(de_ctx,
1745  "alert ip any any -> any any "
1746  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1747  "msg:\"tcpv4-csum keyword check(1)\"; "
1748  "sid:2;)");
1749  FAIL_IF_NULL(de_ctx->sig_list->next);
1750 
1751  SigGroupBuild(de_ctx);
1752  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1753 
1754  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1755  FAIL_IF(!(PacketAlertCheck(p1, 1)));
1756 
1757  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1758  FAIL_IF(!(PacketAlertCheck(p2, 2)));
1759 
1760  SigGroupCleanup(de_ctx);
1761  SigCleanSignatures(de_ctx);
1762  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1763  DetectEngineCtxFree(de_ctx);
1764  SCFree(p1);
1765  SCFree(p2);
1766  PASS;
1767 }
1768 
1769 /* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
1770 static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1771 {
1772  uint8_t raw_ipv4[] = {
1773  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1774  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1775  0xc0, 0xa8, 0x01, 0x03};
1776 
1777  uint8_t valid_raw_tcp[] = {
1778  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1779  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1780  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1781  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1782  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1783 
1784  uint8_t invalid_raw_tcp[] = {
1785  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1786  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1787  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1788  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1789  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1790 
1791  Packet *p1 = PacketGetFromAlloc();
1792  if (unlikely(p1 == NULL))
1793  return 0;
1794 
1795  Packet *p2 = PacketGetFromAlloc();
1796  if (unlikely(p2 == NULL)) {
1797  SCFree(p1);
1798  return 0;
1799  }
1800 
1801  ThreadVars th_v;
1802  DetectEngineThreadCtx *det_ctx = NULL;
1803  int result = 0;
1804 
1805  memset(&th_v, 0, sizeof(ThreadVars));
1806 
1807  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1808  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1809 
1810  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1811  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1812 
1813  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1814  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1815  p1->src.family = AF_INET;
1816  p1->dst.family = AF_INET;
1817  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1818  p1->payload_len = 20;
1819  p1->proto = IPPROTO_TCP;
1820 
1821  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1822  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1823  p2->src.family = AF_INET;
1824  p2->dst.family = AF_INET;
1825  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1826  p2->payload_len = 20;
1827  p2->proto = IPPROTO_TCP;
1828 
1829  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1830  if (de_ctx == NULL) {
1831  goto end;
1832  }
1833 
1834  de_ctx->flags |= DE_QUIET;
1835 
1836  de_ctx->sig_list = SigInit(de_ctx,
1837  "alert ip any any -> any any "
1838  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1839  "ipv4-csum:invalid; "
1840  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1841  if (de_ctx->sig_list == NULL) {
1842  goto end;
1843  }
1844 
1845  de_ctx->sig_list->next = SigInit(de_ctx,
1846  "alert ip any any -> any any "
1847  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1848  "ipv4-csum:invalid; "
1849  "msg:\"tcpv4-csum keyword check(1)\"; "
1850  "sid:2;)");
1851  if (de_ctx->sig_list->next == NULL) {
1852  goto end;
1853  }
1854 
1855  SigGroupBuild(de_ctx);
1856  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1857 
1858  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1859  if (!(PacketAlertCheck(p1, 1))) {
1860  printf("sig 1 didn't match: ");
1861  goto end;
1862  }
1863 
1864  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1865  if (!(PacketAlertCheck(p2, 2))) {
1866  printf("sig 2 didn't match: ");
1867  goto end;
1868  }
1869 
1870  result = 1;
1871 end:
1872  SigGroupCleanup(de_ctx);
1873  SigCleanSignatures(de_ctx);
1874  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1875  DetectEngineCtxFree(de_ctx);
1876  SCFree(p1);
1877  SCFree(p2);
1878  return result;
1879 }
1880 
1881 /* Similar to SigTest26, but with different packet */
1882 static int SigTest26TCPV4AndIPV4Keyword(void)
1883 {
1884  /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1885  * TTL: 64 Flags: Don't Fragment
1886  */
1887  uint8_t raw_ipv4[] = {
1888  0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1889  0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1890  0xc0, 0xa8, 0xb0, 0x74};
1891 
1892  /* TCP: sport: 49517 dport: 445 Flags: SYN
1893  * Window size: 65535, checksum: 0x2009,
1894  * MTU: 1460, Window scale: 4, TSACK permitted,
1895  * 24 bytes of options, no payload.
1896  */
1897  uint8_t valid_raw_tcp[] = {
1898  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1899  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1900  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1901  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1902  0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1903  0x04, 0x02, 0x00, 0x00};
1904 
1905  uint8_t invalid_raw_tcp[] = {
1906  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1907  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1908  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1909  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1910  0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1911  0x04, 0x02, 0x00, 0x00};
1912 
1913  Packet *p1 = PacketGetFromAlloc();
1914  if (unlikely(p1 == NULL))
1915  return 0;
1916 
1917  Packet *p2 = PacketGetFromAlloc();
1918  if (unlikely(p2 == NULL)) {
1919  SCFree(p1);
1920  return 0;
1921  }
1922 
1923  ThreadVars th_v;
1924  DetectEngineThreadCtx *det_ctx = NULL;
1925  int result = 0;
1926 
1927  memset(&th_v, 0, sizeof(ThreadVars));
1928 
1929  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1930  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1931 
1932  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1933  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1934 
1935  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1936  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1937  p1->src.family = AF_INET;
1938  p1->dst.family = AF_INET;
1939  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1940  p1->payload_len = 0;
1941  p1->proto = IPPROTO_TCP;
1942 
1943  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1944  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1945  p2->src.family = AF_INET;
1946  p2->dst.family = AF_INET;
1947  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1948  p2->payload_len = 0;
1949  p2->proto = IPPROTO_TCP;
1950 
1951  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1952  if (de_ctx == NULL) {
1953  goto end;
1954  }
1955 
1956  de_ctx->flags |= DE_QUIET;
1957 
1958  de_ctx->sig_list = SigInit(de_ctx,
1959  "alert ip any any -> any any "
1960  "(tcpv4-csum:valid; "
1961  "ipv4-csum:valid; "
1962  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1963  if (de_ctx->sig_list == NULL) {
1964  goto end;
1965  }
1966 
1967  de_ctx->sig_list->next = SigInit(de_ctx,
1968  "alert ip any any -> any any "
1969  "(tcpv4-csum:invalid; "
1970  "ipv4-csum:valid; "
1971  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1972  "sid:2;)");
1973  if (de_ctx->sig_list->next == NULL) {
1974  goto end;
1975  }
1976 
1977  SigGroupBuild(de_ctx);
1978  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1979 
1980  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1981  if (!(PacketAlertCheck(p1, 1))) {
1982  printf("sig 1 didn't match: ");
1983  goto end;
1984  }
1985 
1986  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1987  if (!(PacketAlertCheck(p2, 2))) {
1988  printf("sig 2 didn't match: ");
1989  goto end;
1990  }
1991 
1992  result = 1;
1993 end:
1994  SigGroupCleanup(de_ctx);
1995  SigCleanSignatures(de_ctx);
1996  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1997  DetectEngineCtxFree(de_ctx);
1998  SCFree(p1);
1999  SCFree(p2);
2000  return result;
2001 }
2002 
2003 static int SigTest27NegativeTCPV4Keyword(void)
2004 {
2005  uint8_t raw_ipv4[] = {
2006  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2007  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2008  0xc0, 0xa8, 0x01, 0x03};
2009 
2010  uint8_t valid_raw_tcp[] = {
2011  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2012  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2013  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2014  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2015  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
2016 
2017  uint8_t invalid_raw_tcp[] = {
2018  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2019  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2020  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2021  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2022  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2023 
2024  Packet *p1 = PacketGetFromAlloc();
2025  if (unlikely(p1 == NULL))
2026  return 0;
2027  Packet *p2 = PacketGetFromAlloc();
2028  if (unlikely(p2 == NULL)) {
2029  SCFree(p1);
2030  return 0;
2031  }
2032  ThreadVars th_v;
2033  DetectEngineThreadCtx *det_ctx = NULL;
2034  int result = 0;
2035 
2036  memset(&th_v, 0, sizeof(ThreadVars));
2037 
2038  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
2039  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
2040 
2041  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
2042  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
2043 
2044  PacketSetIPV4(p1, GET_PKT_DATA(p1));
2045  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
2046  p1->src.family = AF_INET;
2047  p1->dst.family = AF_INET;
2048  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
2049  p1->payload_len = 20;
2050  p1->proto = IPPROTO_TCP;
2051 
2052  PacketSetIPV4(p2, GET_PKT_DATA(p2));
2053  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
2054  p2->src.family = AF_INET;
2055  p2->dst.family = AF_INET;
2056  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
2057  p2->payload_len = 20;
2058  p2->proto = IPPROTO_TCP;
2059 
2060  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2061  if (de_ctx == NULL) {
2062  goto end;
2063  }
2064 
2065  de_ctx->flags |= DE_QUIET;
2066 
2067  de_ctx->sig_list = SigInit(de_ctx,
2068  "alert tcp any any -> any any "
2069  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2070  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2071  if (de_ctx->sig_list == NULL) {
2072  goto end;
2073  }
2074 
2075  de_ctx->sig_list->next = SigInit(de_ctx,
2076  "alert tcp any any -> any any "
2077  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2078  "msg:\"tcpv4-csum keyword check(2)\"; "
2079  "sid:2;)");
2080  if (de_ctx->sig_list->next == NULL) {
2081  goto end;
2082  }
2083 
2084  SigGroupBuild(de_ctx);
2085  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2086 
2087  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2088  if (!PacketAlertCheck(p1, 1)) {
2089  printf("sig 1 didn't match on p1: ");
2090  goto end;
2091  }
2092 
2093  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2094  if (PacketAlertCheck(p2, 2)) {
2095  printf("sig 2 matched on p2: ");
2096  goto end;
2097  }
2098 
2099  result = 1;
2100 end:
2101  SigGroupCleanup(de_ctx);
2102  SigCleanSignatures(de_ctx);
2103  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2104  DetectEngineCtxFree(de_ctx);
2105  SCFree(p1);
2106  SCFree(p2);
2107  return result;
2108 }
2109 
2110 static int SigTest28TCPV6Keyword(void)
2111 {
2112  static uint8_t valid_raw_ipv6[] = {
2113  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2114  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2115 
2116  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2117  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2118  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2119  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2120  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2121 
2122  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2123  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2124  0xf2, 0xf1, 0x00, 0x00,
2125 
2126  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2127  0x00, 0x01, 0x69, 0x27};
2128 
2129  static uint8_t invalid_raw_ipv6[] = {
2130  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2131  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2132 
2133  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2134  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2135  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2136  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2137  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2138 
2139  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2140  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2141  0xc2, 0xf1, 0x00, 0x00,
2142 
2143  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2144  0x00, 0x01, 0x69, 0x28};
2145 
2146  Packet *p1 = PacketGetFromAlloc();
2147  if (unlikely(p1 == NULL))
2148  return 0;
2149  Packet *p2 = PacketGetFromAlloc();
2150  if (unlikely(p2 == NULL)) {
2151  SCFree(p1);
2152  return 0;
2153  }
2154  ThreadVars th_v;
2155  DetectEngineThreadCtx *det_ctx = NULL;
2156  int result = 0;
2157 
2158  memset(&th_v, 0, sizeof(ThreadVars));
2159 
2160  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2161  PacketSetTCP(p1, (valid_raw_ipv6 + 54));
2162  p1->src.family = AF_INET;
2163  p1->dst.family = AF_INET;
2164  p1->payload = valid_raw_ipv6 + 54 + 20;
2165  p1->payload_len = 12;
2166  p1->proto = IPPROTO_TCP;
2167 
2168  if (TCP_GET_RAW_HLEN(PacketGetTCP(p1)) != 20) {
2169  BUG_ON(1);
2170  }
2171 
2172  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2173  PacketSetTCP(p2, (invalid_raw_ipv6 + 54));
2174  p2->src.family = AF_INET;
2175  p2->dst.family = AF_INET;
2176  p2->payload = invalid_raw_ipv6 + 54 + 20;
2177  p2->payload_len = 12;
2178  p2->proto = IPPROTO_TCP;
2179 
2180  if (TCP_GET_RAW_HLEN(PacketGetTCP(p2)) != 20) {
2181  BUG_ON(1);
2182  }
2183 
2184  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2185  if (de_ctx == NULL) {
2186  goto end;
2187  }
2188 
2189  de_ctx->flags |= DE_QUIET;
2190 
2191  de_ctx->sig_list = SigInit(de_ctx,
2192  "alert tcp any any -> any any "
2193  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2194  "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2195  if (de_ctx->sig_list == NULL) {
2196  goto end;
2197  }
2198 
2199  de_ctx->sig_list->next = SigInit(de_ctx,
2200  "alert tcp any any -> any any "
2201  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2202  "msg:\"tcpv6-csum keyword check(1)\"; "
2203  "sid:2;)");
2204  if (de_ctx->sig_list->next == NULL) {
2205  goto end;
2206  }
2207 
2208  SigGroupBuild(de_ctx);
2209  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2210 
2211  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2212  if (!(PacketAlertCheck(p1, 1))) {
2213  printf("sid 1 didn't match on p1: ");
2214  goto end;
2215  }
2216 
2217  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2218  if (!(PacketAlertCheck(p2, 2))) {
2219  printf("sid 2 didn't match on p2: ");
2220  goto end;
2221  }
2222 
2223  result = 1;
2224 end:
2225  SigGroupCleanup(de_ctx);
2226  SigCleanSignatures(de_ctx);
2227  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2228  DetectEngineCtxFree(de_ctx);
2229  SCFree(p1);
2230  SCFree(p2);
2231  return result;
2232 }
2233 
2234 static int SigTest29NegativeTCPV6Keyword(void)
2235 {
2236  static uint8_t valid_raw_ipv6[] = {
2237  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2238  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2239 
2240  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2241  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2242  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2243  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2244  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2245 
2246  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2247  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2248  0xf2, 0xf1, 0x00, 0x00,
2249 
2250  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2251  0x00, 0x01, 0x69, 0x27};
2252 
2253  static uint8_t invalid_raw_ipv6[] = {
2254  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2255  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2256 
2257  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2258  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2259  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2260  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2261  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2262 
2263  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2264  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2265  0xc2, 0xf1, 0x00, 0x00,
2266 
2267  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2268  0x00, 0x01, 0x69, 0x28};
2269 
2270  Packet *p1 = PacketGetFromAlloc();
2271  if (unlikely(p1 == NULL))
2272  return 0;
2273  Packet *p2 = PacketGetFromAlloc();
2274  if (unlikely(p2 == NULL)) {
2275  SCFree(p1);
2276  return 0;
2277  }
2278  ThreadVars th_v;
2279  DetectEngineThreadCtx *det_ctx = NULL;
2280  int result = 0;
2281 
2282  memset(&th_v, 0, sizeof(ThreadVars));
2283 
2284  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2285  PacketSetTCP(p1, valid_raw_ipv6 + 54);
2286  p1->src.family = AF_INET;
2287  p1->dst.family = AF_INET;
2288  p1->payload = valid_raw_ipv6 + 54 + 20;
2289  p1->payload_len = 12;
2290  p1->proto = IPPROTO_TCP;
2291 
2292  if (TCP_GET_RAW_HLEN(PacketGetTCP(p1)) != 20) {
2293  BUG_ON(1);
2294  }
2295 
2296  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2297  PacketSetTCP(p2, invalid_raw_ipv6 + 54);
2298  p2->src.family = AF_INET;
2299  p2->dst.family = AF_INET;
2300  p2->payload = invalid_raw_ipv6 + 54 + 20;
2301  p2->payload_len = 12;
2302  p2->proto = IPPROTO_TCP;
2303 
2304  FAIL_IF(TCP_GET_RAW_HLEN(PacketGetTCP(p2)) != 20);
2305 
2306  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2307  if (de_ctx == NULL) {
2308  goto end;
2309  }
2310 
2311  de_ctx->flags |= DE_QUIET;
2312 
2313  de_ctx->sig_list = SigInit(de_ctx,
2314  "alert tcp any any -> any any "
2315  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2316  "msg:\"tcpv6-csum keyword check(1)\"; "
2317  "sid:1;)");
2318  if (de_ctx->sig_list == NULL) {
2319  goto end;
2320  }
2321 
2322  de_ctx->sig_list->next = SigInit(de_ctx,
2323  "alert tcp any any -> any any "
2324  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2325  "msg:\"tcpv6-csum keyword check(1)\"; "
2326  "sid:2;)");
2327  if (de_ctx->sig_list->next == NULL) {
2328  goto end;
2329  }
2330 
2331  SigGroupBuild(de_ctx);
2332  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2333 
2334  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2335  if (PacketAlertCheck(p1, 1))
2336  goto end;
2337 
2338  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2339  if (PacketAlertCheck(p2, 2))
2340  goto end;
2341 
2342  result = 1;
2343 end:
2344  SigGroupCleanup(de_ctx);
2345  SigCleanSignatures(de_ctx);
2346  if (det_ctx != NULL)
2347  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2348  DetectEngineCtxFree(de_ctx);
2349  SCFree(p1);
2350  SCFree(p2);
2351  return result;
2352 }
2353 
2354 static int SigTest30UDPV4Keyword(void)
2355 {
2356  uint8_t raw_ipv4[] = {
2357  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2358  0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2359  0xc0, 0xa8, 0x01, 0x03};
2360 
2361  uint8_t valid_raw_udp[] = {
2362  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2363  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2364  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2365  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2366  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2367  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2368  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2369  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2370  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2371  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2372  0x67, 0x6c, 0x65, 0xc0, 0x26};
2373 
2374  uint8_t invalid_raw_udp[] = {
2375  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2376  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2377  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2378  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2379  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2380  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2381  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2382  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2383  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2384  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2385  0x67, 0x6c, 0x65, 0xc0, 0x27};
2386 
2387  Packet *p1 = PacketGetFromAlloc();
2388  FAIL_IF_NULL(p1);
2389  Packet *p2 = PacketGetFromAlloc();
2390  FAIL_IF_NULL(p2);
2391 
2392  ThreadVars th_v;
2393  DetectEngineThreadCtx *det_ctx = NULL;
2394 
2395  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2396  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2397 
2398  memset(&th_v, 0, sizeof(ThreadVars));
2399 
2400  PacketSetIPV4(p1, raw_ipv4);
2401  PacketSetUDP(p1, valid_raw_udp);
2402  p1->src.family = AF_INET;
2403  p1->dst.family = AF_INET;
2404  p1->payload = buf;
2405  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2406  p1->proto = IPPROTO_UDP;
2407 
2408  PacketSetIPV4(p2, raw_ipv4);
2409  PacketSetUDP(p2, invalid_raw_udp);
2410  p2->src.family = AF_INET;
2411  p2->dst.family = AF_INET;
2412  p2->payload = buf;
2413  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2414  p2->proto = IPPROTO_UDP;
2415 
2416  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2417  FAIL_IF_NULL(de_ctx);
2418 
2419  de_ctx->flags |= DE_QUIET;
2420 
2421  de_ctx->sig_list = SigInit(de_ctx,
2422  "alert udp any any -> any any "
2423  "(content:\"/one/\"; udpv4-csum:valid; "
2424  "msg:\"udpv4-csum keyword check(1)\"; "
2425  "sid:1;)");
2426  FAIL_IF_NULL(de_ctx->sig_list);
2427 
2428  de_ctx->sig_list->next = SigInit(de_ctx,
2429  "alert udp any any -> any any "
2430  "(content:\"/one/\"; udpv4-csum:invalid; "
2431  "msg:\"udpv4-csum keyword check(1)\"; "
2432  "sid:2;)");
2433  FAIL_IF_NULL(de_ctx->sig_list->next);
2434 
2435  SigGroupBuild(de_ctx);
2436  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2437 
2438  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2439  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2440 
2441  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2442  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2443 
2444  SigGroupCleanup(de_ctx);
2445  SigCleanSignatures(de_ctx);
2446  if (det_ctx != NULL)
2447  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2448  DetectEngineCtxFree(de_ctx);
2449  SCFree(p1);
2450  SCFree(p2);
2451  PASS;
2452 }
2453 
2454 static int SigTest31NegativeUDPV4Keyword(void)
2455 {
2456  uint8_t raw_ipv4[] = {
2457  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2458  0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2459  0xc0, 0xa8, 0x01, 0x03};
2460 
2461  uint8_t valid_raw_udp[] = {
2462  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2463  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2464  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2465  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2466  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2467  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2468  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2469  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2470  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2471  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2472  0x67, 0x6c, 0x65, 0xc0, 0x26};
2473 
2474  uint8_t invalid_raw_udp[] = {
2475  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2476  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2477  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2478  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2479  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2480  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2481  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2482  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2483  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2484  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2485  0x67, 0x6c, 0x65, 0xc0, 0x27};
2486 
2487  Packet *p1 = PacketGetFromAlloc();
2488  if (unlikely(p1 == NULL))
2489  return 0;
2490  Packet *p2 = PacketGetFromAlloc();
2491  if (unlikely(p2 == NULL)) {
2492  SCFree(p1);
2493  return 0;
2494  }
2495  ThreadVars th_v;
2496  DetectEngineThreadCtx *det_ctx = NULL;
2497  int result = 1;
2498 
2499  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2500  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2501 
2502  memset(&th_v, 0, sizeof(ThreadVars));
2503 
2504  PacketSetIPV4(p1, raw_ipv4);
2505  PacketSetUDP(p1, valid_raw_udp);
2506  p1->src.family = AF_INET;
2507  p1->dst.family = AF_INET;
2508  p1->payload = buf;
2509  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2510  p1->proto = IPPROTO_UDP;
2511 
2512  PacketSetIPV4(p2, raw_ipv4);
2513  PacketSetUDP(p2, invalid_raw_udp);
2514  p2->src.family = AF_INET;
2515  p2->dst.family = AF_INET;
2516  p2->payload = buf;
2517  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2518  p2->proto = IPPROTO_UDP;
2519 
2520  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2521  if (de_ctx == NULL) {
2522  goto end;
2523  }
2524 
2525  de_ctx->flags |= DE_QUIET;
2526 
2527  de_ctx->sig_list = SigInit(de_ctx,
2528  "alert udp any any -> any any "
2529  "(content:\"/one/\"; udpv4-csum:invalid; "
2530  "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2531  if (de_ctx->sig_list == NULL) {
2532  result &= 0;
2533  goto end;
2534  }
2535 
2536  de_ctx->sig_list->next = SigInit(de_ctx,
2537  "alert udp any any -> any any "
2538  "(content:\"/one/\"; udpv4-csum:valid; "
2539  "msg:\"udpv4-csum keyword check(1)\"; "
2540  "sid:2;)");
2541  if (de_ctx->sig_list->next == NULL) {
2542  result &= 0;
2543  goto end;
2544  }
2545 
2546  SigGroupBuild(de_ctx);
2547  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2548 
2549  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2550  if (PacketAlertCheck(p1, 1))
2551  result &= 0;
2552  else
2553  result &= 1;
2554 
2555  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2556  if (PacketAlertCheck(p2, 2)) {
2557  result &= 0;
2558  }
2559  else
2560  result &= 1;
2561 
2562  SigGroupCleanup(de_ctx);
2563  SigCleanSignatures(de_ctx);
2564  if (det_ctx != NULL)
2565  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2566  DetectEngineCtxFree(de_ctx);
2567 end:
2568  SCFree(p1);
2569  SCFree(p2);
2570  return result;
2571 }
2572 
2573 
2574 static int SigTest32UDPV6Keyword(void)
2575 {
2576  static uint8_t valid_raw_ipv6[] = {
2577  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2578  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2579  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2580  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2581  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2582  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2583  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2584  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2585  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2586  0x09, 0x00};
2587 
2588  static uint8_t invalid_raw_ipv6[] = {
2589  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2590  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2591  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2592  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2593  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2594  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2595  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2596  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2597  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2598  0x09, 0x01};
2599 
2600  Packet *p1 = PacketGetFromAlloc();
2601  FAIL_IF_NULL(p1);
2602  Packet *p2 = PacketGetFromAlloc();
2603  FAIL_IF_NULL(p2);
2604 
2605  ThreadVars th_v;
2606  DetectEngineThreadCtx *det_ctx = NULL;
2607 
2608  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2609  "\r\n\r\n";
2610 
2611  memset(&th_v, 0, sizeof(ThreadVars));
2612 
2613  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2614  PacketSetUDP(p1, valid_raw_ipv6 + 54);
2615  p1->src.family = AF_INET;
2616  p1->dst.family = AF_INET;
2617  p1->payload = buf;
2618  p1->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p1)) - UDP_HEADER_LEN;
2619  p1->proto = IPPROTO_UDP;
2620 
2621  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2622  PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2623  p2->src.family = AF_INET;
2624  p2->dst.family = AF_INET;
2625  p2->payload = buf;
2626  p2->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p2)) - UDP_HEADER_LEN;
2627  p2->proto = IPPROTO_UDP;
2628 
2629  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2630  FAIL_IF_NULL(de_ctx);
2631 
2632  de_ctx->flags |= DE_QUIET;
2633 
2634  de_ctx->sig_list = SigInit(de_ctx,
2635  "alert udp any any -> any any "
2636  "(content:\"/one/\"; udpv6-csum:valid; "
2637  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2638  FAIL_IF_NULL(de_ctx->sig_list);
2639 
2640  de_ctx->sig_list->next = SigInit(de_ctx,
2641  "alert udp any any -> any any "
2642  "(content:\"/one/\"; udpv6-csum:invalid; "
2643  "msg:\"udpv6-csum keyword check(1)\"; "
2644  "sid:2;)");
2645  FAIL_IF_NULL(de_ctx->sig_list->next);
2646 
2647  SigGroupBuild(de_ctx);
2648  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2649 
2650  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2651  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2652 
2653  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2654  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2655 
2656  SigGroupCleanup(de_ctx);
2657  SigCleanSignatures(de_ctx);
2658  if (det_ctx != NULL)
2659  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2660  DetectEngineCtxFree(de_ctx);
2661 
2662  SCFree(p1);
2663  SCFree(p2);
2664  PASS;
2665 }
2666 
2667 static int SigTest33NegativeUDPV6Keyword(void)
2668 {
2669  static uint8_t valid_raw_ipv6[] = {
2670  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2671  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2672  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2673  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2674  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2675  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2676  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2677  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2678  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2679  0x09, 0x00};
2680 
2681  static uint8_t invalid_raw_ipv6[] = {
2682  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2683  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2684  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2685  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2686  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2687  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2688  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2689  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2690  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2691  0x09, 0x01};
2692 
2693  Packet *p1 = PacketGetFromAlloc();
2694  if (unlikely(p1 == NULL))
2695  return 0;
2696  Packet *p2 = PacketGetFromAlloc();
2697  if (unlikely(p2 == NULL)) {
2698  SCFree(p1);
2699  return 0;
2700  }
2701  ThreadVars th_v;
2702  DetectEngineThreadCtx *det_ctx = NULL;
2703  int result = 1;
2704 
2705  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2706  "\r\n\r\n";
2707 
2708  memset(&th_v, 0, sizeof(ThreadVars));
2709 
2710  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2711  PacketSetUDP(p1, valid_raw_ipv6 + 54);
2712  p1->src.family = AF_INET;
2713  p1->dst.family = AF_INET;
2714  p1->payload = buf;
2715  p1->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p1)) - UDP_HEADER_LEN;
2716  p1->proto = IPPROTO_UDP;
2717 
2718  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2719  PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2720  p2->src.family = AF_INET;
2721  p2->dst.family = AF_INET;
2722  p2->payload = buf;
2723  p2->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p2)) - UDP_HEADER_LEN;
2724  p2->proto = IPPROTO_UDP;
2725 
2726  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2727  if (de_ctx == NULL) {
2728  goto end;
2729  }
2730 
2731  de_ctx->flags |= DE_QUIET;
2732 
2733  de_ctx->sig_list = SigInit(de_ctx,
2734  "alert udp any any -> any any "
2735  "(content:\"/one/\"; udpv6-csum:invalid; "
2736  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2737  if (de_ctx->sig_list == NULL) {
2738  result &= 0;
2739  goto end;
2740  }
2741 
2742  de_ctx->sig_list->next = SigInit(de_ctx,
2743  "alert udp any any -> any any "
2744  "(content:\"/one/\"; udpv6-csum:valid; "
2745  "msg:\"udpv6-csum keyword check(1)\"; "
2746  "sid:2;)");
2747  if (de_ctx->sig_list->next == NULL) {
2748  result &= 0;
2749  goto end;
2750  }
2751 
2752  SigGroupBuild(de_ctx);
2753  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2754 
2755  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2756  if (PacketAlertCheck(p1, 1))
2757  result &= 0;
2758  else
2759  result &= 1;
2760 
2761  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2762  if (PacketAlertCheck(p2, 2))
2763  result &= 0;
2764  else
2765  result &= 1;
2766 
2767  SigGroupCleanup(de_ctx);
2768  SigCleanSignatures(de_ctx);
2769  if (det_ctx != NULL)
2770  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2771  DetectEngineCtxFree(de_ctx);
2772 end:
2773  SCFree(p1);
2774  SCFree(p2);
2775  return result;
2776 }
2777 
2778 static int SigTest34ICMPV4Keyword(void)
2779 {
2780  uint8_t valid_raw_ipv4[] = {
2781  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2782  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2783  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2784  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2785  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2786  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2787  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2788  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2789  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2790  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2791  0x34, 0x35, 0x36, 0x37};
2792 
2793  uint8_t invalid_raw_ipv4[] = {
2794  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2795  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2796  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2797  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2798  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2799  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2800  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2801  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2802  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2803  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2804  0x34, 0x35, 0x36, 0x38};
2805 
2806  Packet *p1 = PacketGetFromAlloc();
2807  if (unlikely(p1 == NULL))
2808  return 0;
2809  Packet *p2 = PacketGetFromAlloc();
2810  if (unlikely(p2 == NULL)) {
2811  SCFree(p1);
2812  return 0;
2813  }
2814  ThreadVars th_v;
2815  DetectEngineThreadCtx *det_ctx = NULL;
2816  int result = 1;
2817 
2818  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2819  "\r\n\r\n";
2820  uint16_t buflen = strlen((char *)buf);
2821 
2822  memset(&th_v, 0, sizeof(ThreadVars));
2823 
2824  IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2825  ip4h->ip_verhl = 69;
2826  (void)PacketSetICMPv4(p1, valid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2827  p1->src.family = AF_INET;
2828  p1->dst.family = AF_INET;
2829  p1->payload = buf;
2830  p1->payload_len = buflen;
2831  p1->proto = IPPROTO_ICMP;
2832 
2833  ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2834  ip4h->ip_verhl = 69;
2835  (void)PacketSetICMPv4(p2, invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2836  p2->src.family = AF_INET;
2837  p2->dst.family = AF_INET;
2838  p2->payload = buf;
2839  p2->payload_len = buflen;
2840  p2->proto = IPPROTO_ICMP;
2841 
2842  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2843  if (de_ctx == NULL) {
2844  goto end;
2845  }
2846 
2847  de_ctx->flags |= DE_QUIET;
2848 
2849  de_ctx->sig_list = SigInit(de_ctx,
2850  "alert icmp any any -> any any "
2851  "(content:\"/one/\"; icmpv4-csum:valid; "
2852  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2853  if (de_ctx->sig_list == NULL) {
2854  result &= 0;
2855  goto end;
2856  }
2857 
2858  de_ctx->sig_list->next = SigInit(de_ctx,
2859  "alert icmp any any -> any any "
2860  "(content:\"/one/\"; icmpv4-csum:invalid; "
2861  "msg:\"icmpv4-csum keyword check(1)\"; "
2862  "sid:2;)");
2863  if (de_ctx->sig_list->next == NULL) {
2864  result = 0;
2865  goto end;
2866  }
2867 
2868  SigGroupBuild(de_ctx);
2869  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2870 
2871  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2872  if (PacketAlertCheck(p1, 1))
2873  result &= 1;
2874  else
2875  result &= 0;
2876 
2877  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2878  if (PacketAlertCheck(p2, 2))
2879  result &= 1;
2880  else
2881  result &= 0;
2882 
2883  SigGroupCleanup(de_ctx);
2884  SigCleanSignatures(de_ctx);
2885  if (det_ctx != NULL)
2886  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2887  DetectEngineCtxFree(de_ctx);
2888 end:
2889  SCFree(p1);
2890  SCFree(p2);
2891  return result;
2892 }
2893 
2894 static int SigTest35NegativeICMPV4Keyword(void)
2895 {
2896  uint8_t valid_raw_ipv4[] = {
2897  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2898  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2899  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2900  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2901  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2902  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2903  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2904  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2905  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2906  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2907  0x34, 0x35, 0x36, 0x37};
2908 
2909  uint8_t invalid_raw_ipv4[] = {
2910  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2911  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2912  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2913  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2914  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2915  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2916  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2917  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2918  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2919  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2920  0x34, 0x35, 0x36, 0x38};
2921 
2922  Packet *p1 = PacketGetFromAlloc();
2923  if (unlikely(p1 == NULL))
2924  return 0;
2925  Packet *p2 = PacketGetFromAlloc();
2926  if (unlikely(p2 == NULL)) {
2927  SCFree(p1);
2928  return 0;
2929  }
2930  ThreadVars th_v;
2931  DetectEngineThreadCtx *det_ctx = NULL;
2932  int result = 1;
2933 
2934  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2935  "\r\n\r\n";
2936  uint16_t buflen = strlen((char *)buf);
2937 
2938  memset(&th_v, 0, sizeof(ThreadVars));
2939 
2940  IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2941  ip4h->ip_verhl = 69;
2942  (void)PacketSetICMPv4(p1, valid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2943  p1->src.family = AF_INET;
2944  p1->dst.family = AF_INET;
2945  p1->payload = buf;
2946  p1->payload_len = buflen;
2947  p1->proto = IPPROTO_ICMP;
2948 
2949  ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2950  ip4h->ip_verhl = 69;
2951  (void)PacketSetICMPv4(p2, invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2952  p2->src.family = AF_INET;
2953  p2->dst.family = AF_INET;
2954  p2->payload = buf;
2955  p2->payload_len = buflen;
2956  p2->proto = IPPROTO_ICMP;
2957 
2958  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2959  if (de_ctx == NULL) {
2960  goto end;
2961  }
2962 
2963  de_ctx->flags |= DE_QUIET;
2964 
2965  de_ctx->sig_list = SigInit(de_ctx,
2966  "alert icmp any any -> any any "
2967  "(content:\"/one/\"; icmpv4-csum:invalid; "
2968  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2969  if (de_ctx->sig_list == NULL) {
2970  result &= 0;
2971  goto end;
2972  }
2973 
2974  de_ctx->sig_list->next = SigInit(de_ctx,
2975  "alert icmp any any -> any any "
2976  "(content:\"/one/\"; icmpv4-csum:valid; "
2977  "msg:\"icmpv4-csum keyword check(1)\"; "
2978  "sid:2;)");
2979  if (de_ctx->sig_list->next == NULL) {
2980  result &= 0;
2981  goto end;
2982  }
2983 
2984  SigGroupBuild(de_ctx);
2985  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2986 
2987  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2988  if (PacketAlertCheck(p1, 1))
2989  result &= 0;
2990  else
2991  result &= 1;
2992 
2993  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2994  if (PacketAlertCheck(p2, 2))
2995  result &= 0;
2996  else {
2997  result &= 1;
2998  }
2999 
3000  SigGroupCleanup(de_ctx);
3001  SigCleanSignatures(de_ctx);
3002  if (det_ctx != NULL)
3003  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3004  DetectEngineCtxFree(de_ctx);
3005 end:
3006  SCFree(p1);
3007  SCFree(p2);
3008  return result;
3009 }
3010 
3011 static int SigTest38(void)
3012 {
3013  Packet *p1 = PacketGetFromAlloc();
3014  if (unlikely(p1 == NULL))
3015  return 0;
3016  ThreadVars th_v;
3017  DetectEngineThreadCtx *det_ctx = NULL;
3018  int result = 1;
3019  uint8_t raw_eth[] = {
3020  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3021  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3022  0x08, 0x00
3023  };
3024  uint8_t raw_ipv4[] = {
3025  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3026  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3027  0x7f, 0x00, 0x00, 0x01
3028  };
3029  uint8_t raw_tcp[] = {
3030  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3031  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3032  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3033  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3034  0x00, 0x22, 0xaa, 0x10
3035  };
3036  uint8_t buf[] = {
3037  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3038  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3039  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
3040  0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
3041  0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3042  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3043  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3044  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3045  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3046  0x0a
3047  };
3048  uint16_t ethlen = sizeof(raw_eth);
3049  uint16_t ipv4len = sizeof(raw_ipv4);
3050  uint16_t tcplen = sizeof(raw_tcp);
3051  uint16_t buflen = sizeof(buf);
3052 
3053  memset(&th_v, 0, sizeof(ThreadVars));
3054 
3055  /* Copy raw data into packet */
3056  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3057  SCFree(p1);
3058  return 1;
3059  }
3060  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3061  SCFree(p1);
3062  return 1;
3063  }
3064  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3065  SCFree(p1);
3066  return 1;
3067  }
3068  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3069  SCFree(p1);
3070  return 1;
3071  }
3072  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3073 
3074  PacketSetEthernet(p1, raw_eth);
3075  PacketSetIPV4(p1, raw_ipv4);
3076  PacketSetTCP(p1, raw_tcp);
3077  p1->src.family = AF_INET;
3078  p1->dst.family = AF_INET;
3079  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3080  p1->payload_len = buflen;
3081  p1->proto = IPPROTO_TCP;
3082 
3083  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3084  if (de_ctx == NULL) {
3085  goto end;
3086  }
3087  de_ctx->flags |= DE_QUIET;
3088 
3089  de_ctx->sig_list = SigInit(de_ctx,
3090  "alert tcp any any -> any any "
3091  "(content:\"LEN1|20|\"; "
3092  "byte_test:4,=,8,0; "
3093  "msg:\"byte_test keyword check(1)\"; sid:1;)");
3094  if (de_ctx->sig_list == NULL) {
3095  result &= 0;
3096  goto end;
3097  }
3098  de_ctx->sig_list->next = SigInit(de_ctx,
3099  "alert tcp any any -> any any "
3100  "(content:\"LEN1|20|\"; "
3101  "byte_test:4,=,8,5,relative,string,dec; "
3102  "msg:\"byte_test keyword check(2)\"; sid:2;)");
3103  if (de_ctx->sig_list->next == NULL) {
3104  result &= 0;
3105  goto end;
3106  }
3107 
3108  SigGroupBuild(de_ctx);
3109  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3110 
3111  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3112  if (PacketAlertCheck(p1, 1)) {
3113  result = 1;
3114  } else {
3115  result = 0;
3116  printf("sid 1 didn't alert, but should have: ");
3117  goto cleanup;
3118  }
3119  if (PacketAlertCheck(p1, 2)) {
3120  result = 1;
3121  } else {
3122  result = 0;
3123  printf("sid 2 didn't alert, but should have: ");
3124  goto cleanup;
3125  }
3126 
3127 cleanup:
3128  SigGroupCleanup(de_ctx);
3129  SigCleanSignatures(de_ctx);
3130 
3131  if (det_ctx != NULL)
3132  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3133  DetectEngineCtxFree(de_ctx);
3134 
3135 end:
3136  SCFree(p1);
3137  return result;
3138 }
3139 
3140 static int SigTest39(void)
3141 {
3142  ThreadVars th_v;
3143  DetectEngineThreadCtx *det_ctx = NULL;
3144  uint8_t raw_eth[] = {
3145  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3146  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3147  0x08, 0x00
3148  };
3149  uint8_t raw_ipv4[] = {
3150  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3151  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3152  0x7f, 0x00, 0x00, 0x01
3153  };
3154  uint8_t raw_tcp[] = {
3155  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3156  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3157  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3158  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3159  0x00, 0x22, 0xaa, 0x10
3160  };
3161  uint8_t buf[] = {
3162  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3163  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3164  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3165  0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3166  0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3167  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3168  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3169  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3170  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3171  0x0a
3172  };
3173  uint16_t ethlen = sizeof(raw_eth);
3174  uint16_t ipv4len = sizeof(raw_ipv4);
3175  uint16_t tcplen = sizeof(raw_tcp);
3176  uint16_t buflen = sizeof(buf);
3177 
3178  memset(&th_v, 0, sizeof(ThreadVars));
3179 
3180  Packet *p1 = PacketGetFromAlloc();
3181  FAIL_IF_NULL(p1);
3182  /* Copy raw data into packet */
3183  FAIL_IF(PacketCopyData(p1, raw_eth, ethlen) == -1);
3184  FAIL_IF(PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1);
3185  FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1);
3186  FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1);
3187  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3188 
3189  PacketSetEthernet(p1, raw_eth);
3190  PacketSetIPV4(p1, raw_ipv4);
3191  PacketSetTCP(p1, raw_tcp);
3192  p1->src.family = AF_INET;
3193  p1->dst.family = AF_INET;
3194  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3195  p1->payload_len = buflen;
3196  p1->proto = IPPROTO_TCP;
3197 
3198  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3199  FAIL_IF_NULL(de_ctx);
3200  de_ctx->flags |= DE_QUIET;
3201 
3202  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3203  "(content:\"LEN1|20|\"; "
3204  "byte_test:4,=,8,0; "
3205  "byte_jump:4,0; "
3206  "byte_test:6,=,0x4c454e312038,0,relative; "
3207  "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3208  FAIL_IF_NULL(s);
3209  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3210  "(content:\"LEN1|20|\"; "
3211  "byte_test:4,=,8,4,relative,string,dec; "
3212  "byte_jump:4,4,relative,string,dec,post_offset 2; "
3213  "byte_test:4,=,0x4c454e32,0,relative; "
3214  "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3215  FAIL_IF_NULL(s);
3216  SigGroupBuild(de_ctx);
3217  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3218 
3219  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3220 
3221  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
3222  FAIL_IF_NOT(PacketAlertCheck(p1, 2));
3223 
3224  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3225  DetectEngineCtxFree(de_ctx);
3226 
3227  SCFree(p1);
3228  PASS;
3229 }
3230 
3231 /**
3232  * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3233  * \brief expecting to match a size
3234  */
3235 
3236 static int SigTest36ContentAndIsdataatKeywords01 (void)
3237 {
3238  int result = 0;
3239 
3240  // Build and decode the packet
3241 
3242  uint8_t raw_eth [] = {
3243  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3244  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3245  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3246  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3247  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3248  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3249  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3250  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3251  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3252  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3253  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3254  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3255  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3256  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3257  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3258  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3259  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3260  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3261  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3262  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3263  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3264  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3265  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3266  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3267  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3268  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3269  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3270  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3271  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3272  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3273 
3274  Packet *p = PacketGetFromAlloc();
3275  if (unlikely(p == NULL))
3276  return 0;
3277  DecodeThreadVars dtv;
3278 
3279  ThreadVars th_v;
3280  DetectEngineThreadCtx *det_ctx = NULL;
3281 
3282  memset(&dtv, 0, sizeof(DecodeThreadVars));
3283  memset(&th_v, 0, sizeof(th_v));
3284 
3285  FlowInitConfig(FLOW_QUIET);
3286  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3287 
3288 
3289  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3290  if (de_ctx == NULL) {
3291  goto end;
3292  }
3293 
3294  de_ctx->flags |= DE_QUIET;
3295 
3296  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3297  if (de_ctx->sig_list == NULL) {
3298  result = 0;
3299  goto end;
3300  }
3301 
3302  SigGroupBuild(de_ctx);
3303  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3304 
3305  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3306  if (PacketAlertCheck(p, 101) == 0) {
3307  result = 0;
3308  goto end;
3309  } else {
3310  result=1;
3311  }
3312 
3313  SigGroupCleanup(de_ctx);
3314  SigCleanSignatures(de_ctx);
3315 
3316  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3317  DetectEngineCtxFree(de_ctx);
3318  PacketRecycle(p);
3319  FlowShutdown();
3320 
3321  SCFree(p);
3322  return result;
3323 
3324 end:
3325  if(de_ctx)
3326  {
3327  SigGroupCleanup(de_ctx);
3328  SigCleanSignatures(de_ctx);
3329  }
3330 
3331  if(det_ctx)
3332  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3333 
3334  //PatternMatchDestroy(mpm_ctx);
3335 
3336  if(de_ctx)
3337  DetectEngineCtxFree(de_ctx);
3338 
3339  if (p != NULL)
3340  PacketRecycle(p);
3341 
3342  FlowShutdown();
3343 
3344  SCFree(p);
3345  return result;
3346 }
3347 
3348 
3349 /**
3350  * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3351  * \brief not expecting to match a size
3352  */
3353 
3354 static int SigTest37ContentAndIsdataatKeywords02 (void)
3355 {
3356  int result = 0;
3357 
3358  // Build and decode the packet
3359 
3360  uint8_t raw_eth [] = {
3361  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3362  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3363  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3364  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3365  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3366  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3367  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3368  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3369  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3370  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3371  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3372  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3373  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3374  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3375  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3376  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3377  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3378  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3379  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3380  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3381  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3382  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3383  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3384  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3385  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3386  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3387  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3388  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3389  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3390  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3391 
3392  Packet *p = PacketGetFromAlloc();
3393  if (unlikely(p == NULL))
3394  return 0;
3395  DecodeThreadVars dtv;
3396 
3397  ThreadVars th_v;
3398  DetectEngineThreadCtx *det_ctx = NULL;
3399 
3400  memset(&dtv, 0, sizeof(DecodeThreadVars));
3401  memset(&th_v, 0, sizeof(th_v));
3402 
3403  FlowInitConfig(FLOW_QUIET);
3404  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3405 
3406 
3407  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3408  if (de_ctx == NULL) {
3409  goto end;
3410  }
3411 
3412  de_ctx->flags |= DE_QUIET;
3413 
3414  Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3415  if (de_ctx->sig_list == NULL) {
3416  printf("sig parse failed: ");
3417  result = 0;
3418  goto end;
3419  }
3420 
3421  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]->type != DETECT_CONTENT) {
3422  printf("type not content: ");
3423  goto end;
3424  }
3425  SigGroupBuild(de_ctx);
3426  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3427 
3428  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3429  if (PacketAlertCheck(p, 101) == 0) {
3430  result = 1;
3431  goto end;
3432  } else {
3433  printf("sig matched, but should not have: ");
3434  result=0;
3435  }
3436 
3437  SigGroupCleanup(de_ctx);
3438  SigCleanSignatures(de_ctx);
3439 
3440  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3441  DetectEngineCtxFree(de_ctx);
3442 
3443  PacketRecycle(p);
3444  FlowShutdown();
3445 
3446  SCFree(p);
3447  return result;
3448 
3449 end:
3450  if(de_ctx)
3451  {
3452  SigGroupCleanup(de_ctx);
3453  SigCleanSignatures(de_ctx);
3454  }
3455 
3456  if(det_ctx)
3457  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3458 
3459  if(de_ctx)
3460  DetectEngineCtxFree(de_ctx);
3461 
3462  if (p != NULL)
3463  PacketRecycle(p);
3464 
3465  FlowShutdown();
3466 
3467  SCFree(p);
3468  return result;
3469 }
3470 
3471 /**
3472  * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3473  * flag is set, we don't need to inspect the packet protocol header or its contents.
3474  */
3475 
3476 static int SigTest40NoPacketInspection01(void)
3477 {
3478 
3479  uint8_t *buf = (uint8_t *)
3480  "220 (vsFTPd 2.0.5)\r\n";
3481  uint16_t buflen = strlen((char *)buf);
3482  Packet *p = PacketGetFromAlloc();
3483  TCPHdr tcphdr;
3484  if (unlikely(p == NULL))
3485  return 0;
3486  ThreadVars th_v;
3487  DetectEngineThreadCtx *det_ctx = NULL;
3488  PacketQueue pq;
3489  Flow f;
3490  int result = 0;
3491 
3492  memset(&th_v, 0, sizeof(th_v));
3493  memset(&pq, 0, sizeof(pq));
3494  memset(&f, 0, sizeof(f));
3495  memset(&tcphdr, 0, sizeof(tcphdr));
3496 
3497  p->src.family = AF_INET;
3498  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3499  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3500  p->dst.family = AF_INET;
3501  p->payload = buf;
3502  p->payload_len = buflen;
3503  p->proto = IPPROTO_TCP;
3504  p->dp = 34260;
3505  p->sp = 21;
3506  p->flowflags |= FLOW_PKT_TOSERVER;
3507  p->flags |= PKT_NOPACKET_INSPECTION;
3508  PacketSetTCP(p, (uint8_t *)&tcphdr);
3509  p->flow = &f;
3510 
3511  FLOW_INITIALIZE(&f);
3512 
3513  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3514  if (de_ctx == NULL) {
3515  goto end;
3516  }
3517 
3518  de_ctx->flags |= DE_QUIET;
3519 
3520  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3521  if (de_ctx->sig_list == NULL) {
3522  result = 0;
3523  goto end;
3524  }
3525 
3526  SigGroupBuild(de_ctx);
3527  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3528  det_ctx->de_ctx = de_ctx;
3529 
3530  Detect(&th_v, p, det_ctx);
3531  if (PacketAlertCheck(p, 2))
3532  result = 0;
3533  else
3534  result = 1;
3535 
3536  SigGroupCleanup(de_ctx);
3537  SigCleanSignatures(de_ctx);
3538  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3539  //PatternMatchDestroy(mpm_ctx);
3540  DetectEngineCtxFree(de_ctx);
3541 end:
3542  SCFree(p);
3543  return result;
3544 }
3545 
3546 /**
3547  * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3548  * flag is set, we don't need to inspect the packet contents.
3549  */
3550 
3551 static int SigTest40NoPayloadInspection02(void)
3552 {
3553 
3554  uint8_t *buf = (uint8_t *)
3555  "220 (vsFTPd 2.0.5)\r\n";
3556  uint16_t buflen = strlen((char *)buf);
3557  ThreadVars th_v;
3558  memset(&th_v, 0, sizeof(th_v));
3559 
3560  Packet *p = PacketGetFromAlloc();
3561  FAIL_IF_NULL(p);
3562 
3563  p->src.family = AF_INET;
3564  p->dst.family = AF_INET;
3565  p->payload = buf;
3566  p->payload_len = buflen;
3567  p->proto = IPPROTO_TCP;
3568  p->flags |= PKT_NOPAYLOAD_INSPECTION;
3569 
3570  DetectEngineThreadCtx *det_ctx = NULL;
3571  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3572  FAIL_IF_NULL(de_ctx);
3573  de_ctx->flags |= DE_QUIET;
3574 
3575  Signature *s = DetectEngineAppendSig(de_ctx,
3576  "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3577  FAIL_IF_NULL(s);
3578 
3579  SigGroupBuild(de_ctx);
3580  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3581 
3582  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3583 
3584  FAIL_IF(PacketAlertCheck(p, 1));
3585 
3586  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3587  DetectEngineCtxFree(de_ctx);
3588  SCFree(p);
3589  PASS;
3590 }
3591 
3592 static int SigTestMemory01 (void)
3593 {
3594  uint8_t *buf = (uint8_t *)
3595  "GET /one/ HTTP/1.1\r\n"
3596  "Host: one.example.org\r\n"
3597  "\r\n\r\n"
3598  "GET /two/ HTTP/1.1\r\n"
3599  "Host: two.example.org\r\n"
3600  "\r\n\r\n";
3601  uint16_t buflen = strlen((char *)buf);
3602  Packet *p = PacketGetFromAlloc();
3603  if (unlikely(p == NULL))
3604  return 0;
3605  ThreadVars th_v;
3606  DetectEngineThreadCtx *det_ctx = NULL;
3607  int result = 0;
3608 
3609  memset(&th_v, 0, sizeof(th_v));
3610  p->src.family = AF_INET;
3611  p->dst.family = AF_INET;
3612  p->payload = buf;
3613  p->payload_len = buflen;
3614  p->proto = IPPROTO_TCP;
3615 
3616  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3617  if (de_ctx == NULL) {
3618  goto end;
3619  }
3620 
3621  de_ctx->flags |= DE_QUIET;
3622 
3623  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3624  if (de_ctx->sig_list == NULL) {
3625  result = 0;
3626  goto end;
3627  }
3628 
3629  SigGroupBuild(de_ctx);
3630  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3631 
3632  SigGroupCleanup(de_ctx);
3633  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3634  DetectEngineCtxFree(de_ctx);
3635 
3636  result = 1;
3637 end:
3638  SCFree(p);
3639  return result;
3640 }
3641 
3642 static int SigTestMemory02 (void)
3643 {
3644  ThreadVars th_v;
3645  int result = 0;
3646 
3647  memset(&th_v, 0, sizeof(th_v));
3648 
3649  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3650  if (de_ctx == NULL) {
3651  goto end;
3652  }
3653  de_ctx->flags |= DE_QUIET;
3654 
3655  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3656  if (de_ctx->sig_list == NULL) {
3657  result = 0;
3658  goto end;
3659  }
3660  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3661  if (de_ctx->sig_list->next == NULL) {
3662  result = 0;
3663  goto end;
3664  }
3665 
3666  SigGroupBuild(de_ctx);
3667 
3668  SigGroupCleanup(de_ctx);
3669  DetectEngineCtxFree(de_ctx);
3670 
3671  result = 1;
3672 end:
3673  return result;
3674 }
3675 
3676 static int SigTestMemory03 (void)
3677 {
3678  ThreadVars th_v;
3679  int result = 0;
3680 
3681  memset(&th_v, 0, sizeof(th_v));
3682 
3683  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3684  if (de_ctx == NULL) {
3685  goto end;
3686  }
3687  de_ctx->flags |= DE_QUIET;
3688 
3689  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3690  if (de_ctx->sig_list == NULL) {
3691  result = 0;
3692  goto end;
3693  }
3694  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3695  if (de_ctx->sig_list->next == NULL) {
3696  result = 0;
3697  goto end;
3698  }
3699  de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3700  if (de_ctx->sig_list->next->next == NULL) {
3701  result = 0;
3702  goto end;
3703  }
3704 
3705  SigGroupBuild(de_ctx);
3706 
3707  SigGroupCleanup(de_ctx);
3708  DetectEngineCtxFree(de_ctx);
3709 
3710  result = 1;
3711 end:
3712  return result;
3713 }
3714 
3715 static int SigTestContent01 (void)
3716 {
3717  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3718  uint16_t buflen = strlen((char *)buf);
3719  ThreadVars th_v;
3720  DetectEngineThreadCtx *det_ctx = NULL;
3721  int result = 0;
3722 
3723  memset(&th_v, 0, sizeof(th_v));
3724 
3725  Packet *p = NULL;
3726  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3727 
3728  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3729  if (de_ctx == NULL) {
3730  goto end;
3731  }
3732  de_ctx->flags |= DE_QUIET;
3733 
3734  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3735  if (de_ctx->sig_list == NULL) {
3736  result = 0;
3737  goto end;
3738  }
3739 
3740  SigGroupBuild(de_ctx);
3741  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3742 
3743  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3744  if (PacketAlertCheck(p, 1))
3745  result = 1;
3746  else
3747  printf("sig 1 didn't match: ");
3748 
3749  SigGroupCleanup(de_ctx);
3750  SigCleanSignatures(de_ctx);
3751 
3752  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3753  DetectEngineCtxFree(de_ctx);
3754 end:
3755  UTHFreePackets(&p, 1);
3756  return result;
3757 }
3758 
3759 static int SigTestContent02 (void)
3760 {
3761  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3762  uint16_t buflen = strlen((char *)buf);
3763  ThreadVars th_v;
3764  DetectEngineThreadCtx *det_ctx = NULL;
3765  int result = 0;
3766 
3767  memset(&th_v, 0, sizeof(th_v));
3768  Packet *p = NULL;
3769  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3770 
3771  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3772  if (de_ctx == NULL) {
3773  goto end;
3774  }
3775  de_ctx->flags |= DE_QUIET;
3776 
3777  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3778  if (de_ctx->sig_list == NULL) {
3779  result = 0;
3780  goto end;
3781  }
3782 
3783  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3784  if (de_ctx->sig_list->next == NULL) {
3785  result = 0;
3786  goto end;
3787  }
3788 
3789  SigGroupBuild(de_ctx);
3790  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3791 
3792  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3793  if (PacketAlertCheck(p, 1)) {
3794  if (PacketAlertCheck(p, 2)) {
3795  result = 1;
3796  } else
3797  printf("sig 2 didn't match: ");
3798  }
3799  else
3800  printf("sig 1 didn't match: ");
3801 
3802  SigGroupCleanup(de_ctx);
3803  SigCleanSignatures(de_ctx);
3804 
3805  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3806  DetectEngineCtxFree(de_ctx);
3807 end:
3808  UTHFreePackets(&p, 1);
3809  return result;
3810 }
3811 
3812 static int SigTestContent03 (void)
3813 {
3814  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3815  uint16_t buflen = strlen((char *)buf);
3816  ThreadVars th_v;
3817  DetectEngineThreadCtx *det_ctx = NULL;
3818  int result = 0;
3819 
3820  memset(&th_v, 0, sizeof(th_v));
3821  Packet *p = NULL;
3822  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3823 
3824  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3825  if (de_ctx == NULL) {
3826  goto end;
3827  }
3828 
3829  de_ctx->flags |= DE_QUIET;
3830 
3831  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3832  if (de_ctx->sig_list == NULL) {
3833  result = 0;
3834  goto end;
3835  }
3836 
3837  SigGroupBuild(de_ctx);
3838  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3839 
3840  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3841  if (PacketAlertCheck(p, 1))
3842  result = 1;
3843  else
3844  printf("sig 1 didn't match: ");
3845 
3846  SigGroupCleanup(de_ctx);
3847  SigCleanSignatures(de_ctx);
3848 
3849  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3850  DetectEngineCtxFree(de_ctx);
3851 end:
3852  UTHFreePackets(&p, 1);
3853  return result;
3854 }
3855 
3856 static int SigTestContent04 (void)
3857 {
3858  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3859  uint16_t buflen = strlen((char *)buf);
3860  ThreadVars th_v;
3861  DetectEngineThreadCtx *det_ctx = NULL;
3862  int result = 0;
3863 
3864  memset(&th_v, 0, sizeof(th_v));
3865 
3866  Packet *p = NULL;
3867  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3868 
3869  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3870  if (de_ctx == NULL) {
3871  goto end;
3872  }
3873 
3874  de_ctx->flags |= DE_QUIET;
3875 
3876  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3877  if (de_ctx->sig_list == NULL) {
3878  result = 0;
3879  goto end;
3880  }
3881 
3882  SigGroupBuild(de_ctx);
3883  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3884 
3885  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3886  if (PacketAlertCheck(p, 1))
3887  result = 1;
3888  else
3889  printf("sig 1 didn't match: ");
3890 
3891  SigGroupCleanup(de_ctx);
3892  SigCleanSignatures(de_ctx);
3893 
3894  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3895  DetectEngineCtxFree(de_ctx);
3896 end:
3897  UTHFreePackets(&p, 1);
3898  return result;
3899 }
3900 
3901 /** \test sigs with patterns at the limit of the pm's size limit */
3902 static int SigTestContent05 (void)
3903 {
3904  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3905  uint16_t buflen = strlen((char *)buf);
3906  ThreadVars th_v;
3907  DetectEngineThreadCtx *det_ctx = NULL;
3908  int result = 0;
3909 
3910  memset(&th_v, 0, sizeof(th_v));
3911  Packet *p = NULL;
3912  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3913 
3914  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3915  if (de_ctx == NULL) {
3916  printf("de_ctx == NULL: ");
3917  goto end;
3918  }
3919 
3920  de_ctx->flags |= DE_QUIET;
3921 
3922  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3923  if (de_ctx->sig_list == NULL) {
3924  printf("sig1 parse failed: ");
3925  goto end;
3926  }
3927  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
3928  if (de_ctx->sig_list->next == NULL) {
3929  printf("sig2 parse failed: ");
3930  goto end;
3931  }
3932 
3933  SigGroupBuild(de_ctx);
3934  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3935 
3936  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3937 
3938  if (PacketAlertCheck(p, 1)) {
3939  printf("sig 1 matched but shouldn't: ");
3940  goto end;
3941  }
3942 
3943  if (PacketAlertCheck(p, 2)) {
3944  printf("sig 2 matched but shouldn't: ");
3945  goto end;
3946  }
3947 
3948  result = 1;
3949 end:
3950  UTHFreePackets(&p, 1);
3951  SigGroupCleanup(de_ctx);
3952  SigCleanSignatures(de_ctx);
3953 
3954  if (det_ctx != NULL) {
3955  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3956  }
3957  if (de_ctx != NULL) {
3958  DetectEngineCtxFree(de_ctx);
3959  }
3960  return result;
3961 }
3962 
3963 static int SigTestContent06 (void)
3964 {
3965  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3966  uint16_t buflen = strlen((char *)buf);
3967  ThreadVars th_v;
3968  DetectEngineThreadCtx *det_ctx = NULL;
3969  int result = 0;
3970 
3971  memset(&th_v, 0, sizeof(th_v));
3972  Packet *p = NULL;
3973  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3974 
3975  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3976  if (de_ctx == NULL) {
3977  goto end;
3978  }
3979 
3980  de_ctx->flags |= DE_QUIET;
3981 
3982  de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3983  if (de_ctx->sig_list == NULL) {
3984  result = 0;
3985  goto end;
3986  }
3987  de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
3988  if (de_ctx->sig_list->next == NULL) {
3989  result = 0;
3990  goto end;
3991  }
3992 
3993  SigGroupBuild(de_ctx);
3994  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3995 
3996  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3997  if (PacketAlertCheck(p, 1)){
3998  //printf("sig 1 matched :");
3999  }else{
4000  printf("sig 1 didn't match: ");
4001  goto end;
4002  }
4003 
4004  if (PacketAlertCheck(p, 2)){
4005  result = 1;
4006  }else{
4007  printf("sig 2 didn't match: ");
4008  goto end;
4009  }
4010 
4011  SigGroupCleanup(de_ctx);
4012  SigCleanSignatures(de_ctx);
4013 
4014  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4015  DetectEngineCtxFree(de_ctx);
4016 end:
4017  UTHFreePackets(&p, 1);
4018  return result;
4019 }
4020 
4021 static int SigTestWithin01 (void)
4022 {
4023  DecodeThreadVars dtv;
4024  ThreadVars th_v;
4025  int result = 0;
4026  Packet *p1 = NULL;
4027  Packet *p2 = NULL;
4028  Packet *p3 = NULL;
4029  Packet *p4 = NULL;
4030 
4031  uint8_t rawpkt1[] = {
4032  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4033  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4034  0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4035  0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4036  0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4037  0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4038  0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4039  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4040  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4041  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4042  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4043  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4044  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4045  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4046  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4047  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4048  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4049  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4050  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4051  0x00,0x00 }; /* end rawpkt1 */
4052 
4053  uint8_t rawpkt2[] = {
4054  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4055  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4056  0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4057  0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4058  0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4059  0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4060  0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4061  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4062  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4063  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4064  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4065  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4066  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4067  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4068  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4069  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4070  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4071  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4072  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4073  0x00,0x00 }; /* end rawpkt2 */
4074 
4075  uint8_t rawpkt3[] = {
4076  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4077  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4078  0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4079  0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4080  0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4081  0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4082  0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4083  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4084  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4085  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4086  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4087  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4088  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4089  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4090  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4091  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4092  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4093  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4094  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4095  0x00,0x00 }; /* end rawpkt3 */
4096 
4097  uint8_t rawpkt4[] = {
4098  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4099  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4100  0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4101  0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4102  0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4103  0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4104  0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4105  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4106  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4107  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4108  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4109  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4110  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4111  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4112  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4113  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4114  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4115  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4116  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4117  0x00,0x00 }; /* end rawpkt4 */
4118 
4119  memset(&dtv, 0, sizeof(DecodeThreadVars));
4120  memset(&th_v, 0, sizeof(th_v));
4121 
4122  DetectEngineThreadCtx *det_ctx = NULL;
4123 
4124  FlowInitConfig(FLOW_QUIET);
4125 
4126  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4127  if (de_ctx == NULL) {
4128  goto end;
4129  }
4130 
4131  de_ctx->flags |= DE_QUIET;
4132 
4133  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4134  if (de_ctx->sig_list == NULL) {
4135  result = 0;
4136  goto end;
4137  }
4138 
4139  SigGroupBuild(de_ctx);
4140  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4141 
4142  /* packet 1 */
4143  p1 = PacketGetFromAlloc();
4144  if (unlikely(p1 == NULL))
4145  return 0;
4146  DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1));
4147  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4148  if (!(PacketAlertCheck(p1, 556))) {
4149  printf("failed to match on packet 1: ");
4150  goto end;
4151  }
4152 
4153  /* packet 2 */
4154  p2 = PacketGetFromAlloc();
4155  if (unlikely(p2 == NULL))
4156  return 0;
4157  DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2));
4158  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4159  if (!(PacketAlertCheck(p2, 556))) {
4160  printf("failed to match on packet 2: ");
4161  goto end;
4162  }
4163 
4164  /* packet 3 */
4165  p3 = PacketGetFromAlloc();
4166  if (unlikely(p3 == NULL))
4167  return 0;
4168  DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3));
4169  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4170  if (!(PacketAlertCheck(p3, 556))) {
4171  printf("failed to match on packet 3: ");
4172  goto end;
4173  }
4174 
4175  /* packet 4 */
4176  p4 = PacketGetFromAlloc();
4177  if (unlikely(p4 == NULL))
4178  return 0;
4179  DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4));
4180  SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
4181  if (!(PacketAlertCheck(p4, 556))) {
4182  printf("failed to match on packet 4: ");
4183  goto end;
4184  }
4185 
4186  /* packet 5 */
4187  uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
4188  uint16_t p5buflen = strlen((char *)p5buf);
4189  Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
4190  SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
4191  if (!(PacketAlertCheck(p5, 556))) {
4192  printf("failed to match on packet 5: ");
4193  goto end;
4194  }
4195  UTHFreePackets(&p5, 1);
4196 
4197  result = 1;
4198 end:
4199  if (de_ctx != NULL) {
4200  SigGroupCleanup(de_ctx);
4201  SigCleanSignatures(de_ctx);
4202  }
4203 
4204  if (det_ctx != NULL)
4205  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4206 
4207  if (de_ctx != NULL)
4208  DetectEngineCtxFree(de_ctx);
4209 
4210  if (p1 != NULL) {
4211  PacketRecycle(p1);
4212  SCFree(p1);
4213  }
4214  if (p2 != NULL) {
4215  PacketRecycle(p2);
4216  SCFree(p2);
4217  }
4218  if (p3 != NULL) {
4219  PacketRecycle(p3);
4220  SCFree(p3);
4221  }
4222  if (p4 != NULL) {
4223  PacketRecycle(p4);
4224  SCFree(p4);
4225  }
4226  FlowShutdown();
4227  return result;
4228 }
4229 
4230 static int SigTestDepthOffset01 (void)
4231 {
4232  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4233  uint16_t buflen = strlen((char *)buf);
4234  Packet *p = NULL;
4235  ThreadVars th_v;
4236  DetectEngineThreadCtx *det_ctx = NULL;
4237  int result = 0;
4238 
4239  memset(&th_v, 0, sizeof(th_v));
4240 
4241  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
4242 
4243  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4244  if (de_ctx == NULL) {
4245  goto end;
4246  }
4247 
4248  de_ctx->flags |= DE_QUIET;
4249 
4250  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4251  if (de_ctx->sig_list == NULL) {
4252  result = 0;
4253  goto end;
4254  }
4255 
4256  SigGroupBuild(de_ctx);
4257  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4258 
4259  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4260  if (PacketAlertCheck(p, 1))
4261  result = 1;
4262 
4263  SigGroupCleanup(de_ctx);
4264  SigCleanSignatures(de_ctx);
4265 
4266  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4267  DetectEngineCtxFree(de_ctx);
4268 end:
4269  UTHFreePackets(&p, 1);
4270  return result;
4271 }
4272 
4273 static int SigTestDetectAlertCounter(void)
4274 {
4275  Packet *p = NULL;
4276  ThreadVars tv;
4277  DetectEngineThreadCtx *det_ctx = NULL;
4278  memset(&tv, 0, sizeof(tv));
4279 
4280  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4281  FAIL_IF_NULL(de_ctx);
4282  de_ctx->flags |= DE_QUIET;
4283 
4284  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
4285  "content:\"boo\"; sid:1;)");
4286  FAIL_IF(de_ctx->sig_list == NULL);
4287 
4288  SigGroupBuild(de_ctx);
4289  strlcpy(tv.name, "detect_test", sizeof(tv.name));
4290  DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4291  /* init counters */
4292  StatsSetupPrivate(&tv);
4293 
4294  p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4295  Detect(&tv, p, det_ctx);
4296  FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 1);
4297 
4298  Detect(&tv, p, det_ctx);
4299  FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 2);
4300  UTHFreePackets(&p, 1);
4301 
4302  p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4303  Detect(&tv, p, det_ctx);
4304  FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 2);
4305  UTHFreePackets(&p, 1);
4306 
4307  p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4308  Detect(&tv, p, det_ctx);
4309  FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 3);
4310  UTHFreePackets(&p, 1);
4311 
4312  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4313  DetectEngineCtxFree(de_ctx);
4314  PASS;
4315 }
4316 
4317 /** \test test if the engine set flag to drop pkts of a flow that
4318  * triggered a drop action on IPS mode */
4319 static int SigTestDropFlow01(void)
4320 {
4321  Flow f;
4322  HtpState *http_state = NULL;
4323  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4324  "User-Agent: Mozilla/1.0\r\n"
4325  "Cookie: hellocatch\r\n\r\n";
4326  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4327  TcpSession ssn;
4328  Packet *p = NULL;
4329  Signature *s = NULL;
4330  ThreadVars tv;
4331  DetectEngineThreadCtx *det_ctx = NULL;
4332  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4333 
4334  memset(&tv, 0, sizeof(ThreadVars));
4335  memset(&f, 0, sizeof(Flow));
4336  memset(&ssn, 0, sizeof(TcpSession));
4337 
4338  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4339 
4340  FLOW_INITIALIZE(&f);
4341  f.protoctx = (void *)&ssn;
4342  f.proto = IPPROTO_TCP;
4343  f.flags |= FLOW_IPV4;
4344 
4345  p->flow = &f;
4346  p->flowflags |= FLOW_PKT_TOSERVER;
4347  p->flowflags |= FLOW_PKT_ESTABLISHED;
4348  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4349  f.alproto = ALPROTO_HTTP1;
4350 
4351  StreamTcpInitConfig(true);
4352 
4353  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4354  FAIL_IF_NULL(de_ctx);
4355  de_ctx->flags |= DE_QUIET;
4356 
4357  s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4358  "(msg:\"Test proto match\"; "
4359  "sid:1;)");
4360  FAIL_IF_NULL(s);
4361 
4362  SigGroupBuild(de_ctx);
4363  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4364 
4365  int r = AppLayerParserParse(
4366  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4367  FAIL_IF_NOT(r == 0);
4368 
4369  http_state = f.alstate;
4370  FAIL_IF_NULL(http_state);
4371 
4372  /* do detect */
4373  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4374 
4375  FAIL_IF_NOT(PacketAlertCheck(p, 1));
4376 
4377  FAIL_IF_NOT(p->flow->flags & FLOW_ACTION_DROP);
4378 
4379  AppLayerParserThreadCtxFree(alp_tctx);
4380  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4381  DetectEngineCtxFree(de_ctx);
4382 
4383  StreamTcpFreeConfig(true);
4384  FLOW_DESTROY(&f);
4385 
4386  UTHFreePackets(&p, 1);
4387  PASS;
4388 }
4389 
4390 /** \test test if the engine set flag to drop pkts of a flow that
4391  * triggered a drop action on IPS mode */
4392 static int SigTestDropFlow02(void)
4393 {
4394  int result = 0;
4395  Flow f;
4396  HtpState *http_state = NULL;
4397  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4398  "User-Agent: Mozilla/1.0\r\n"
4399  "Cookie: hellocatch\r\n\r\n";
4400  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4401  TcpSession ssn;
4402  Packet *p = NULL;
4403  Signature *s = NULL;
4404  ThreadVars tv;
4405  DetectEngineThreadCtx *det_ctx = NULL;
4406  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4407 
4408  memset(&tv, 0, sizeof(ThreadVars));
4409  memset(&f, 0, sizeof(Flow));
4410  memset(&ssn, 0, sizeof(TcpSession));
4411 
4412  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4413 
4414  FLOW_INITIALIZE(&f);
4415  f.protoctx = (void *)&ssn;
4416  f.proto = IPPROTO_TCP;
4417  f.flags |= FLOW_IPV4;
4418 
4419  p->flow = &f;
4420  p->flowflags |= FLOW_PKT_TOSERVER;
4421  p->flowflags |= FLOW_PKT_ESTABLISHED;
4422  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4423  f.alproto = ALPROTO_HTTP1;
4424 
4425  StreamTcpInitConfig(true);
4426 
4427  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4428  if (de_ctx == NULL) {
4429  goto end;
4430  }
4431  de_ctx->flags |= DE_QUIET;
4432 
4433  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4434  "(msg:\"Test proto match\"; uricontent:\"one\";"
4435  "sid:1;)");
4436  if (s == NULL) {
4437  goto end;
4438  }
4439 
4440  SigGroupBuild(de_ctx);
4441  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4442 
4443  int r = AppLayerParserParse(
4444  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4445  if (r != 0) {
4446  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4447  goto end;
4448  }
4449 
4450  http_state = f.alstate;
4451  if (http_state == NULL) {
4452  printf("no http state: ");
4453  goto end;
4454  }
4455 
4456  /* do detect */
4457  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4458 
4459  if (!PacketAlertCheck(p, 1)) {
4460  printf("sig 1 didn't alert, but it should: ");
4461  goto end;
4462  }
4463 
4464  if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4465  printf("sig 1 alerted but flow was not flagged correctly: ");
4466  goto end;
4467  }
4468 
4469  /* Ok, now we know that the flag is set for app layer sigs
4470  * (ex: inspecting uricontent) */
4471 
4472  result = 1;
4473 
4474 end:
4475  if (alp_tctx != NULL)
4476  AppLayerParserThreadCtxFree(alp_tctx);
4477  if (det_ctx != NULL)
4478  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4479  if (de_ctx != NULL)
4480  SigGroupCleanup(de_ctx);
4481  if (de_ctx != NULL)
4482  DetectEngineCtxFree(de_ctx);
4483 
4484  StreamTcpFreeConfig(true);
4485  FLOW_DESTROY(&f);
4486 
4487  UTHFreePackets(&p, 1);
4488  return result;
4489 }
4490 
4491 /** \test test if the engine set flag to drop pkts of a flow that
4492  * triggered a drop action on IPS mode, and it doesn't inspect
4493  * any other packet of the stream */
4494 static int SigTestDropFlow03(void)
4495 {
4496  int result = 0;
4497  Flow f;
4498  HtpState *http_state = NULL;
4499  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4500  "User-Agent: Mozilla/1.0\r\n"
4501  "Cookie: hellocatch\r\n\r\n";
4502  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4503 
4504  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4505  "User-Agent: Mozilla/1.0\r\n"
4506  "Cookie: hellocatch\r\n\r\n";
4507  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4508 
4509  /* Set the engine mode to IPS */
4510  EngineModeSetIPS();
4511 
4512  TcpSession ssn;
4513  Packet *p1 = NULL;
4514  Packet *p2 = NULL;
4515  Signature *s = NULL;
4516  ThreadVars tv;
4517  DetectEngineThreadCtx *det_ctx = NULL;
4518  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4519 
4520  memset(&tv, 0, sizeof(ThreadVars));
4521  memset(&f, 0, sizeof(Flow));
4522  memset(&ssn, 0, sizeof(TcpSession));
4523 
4524  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4525  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4526 
4527  FLOW_INITIALIZE(&f);
4528  f.protoctx = (void *)&ssn;
4529  f.proto = IPPROTO_TCP;
4530  f.flags |= FLOW_IPV4;
4531 
4532  p1->flow = &f;
4533  p1->flowflags |= FLOW_PKT_TOSERVER;
4534  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4535  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4536 
4537  p2->flow = &f;
4538  p2->flowflags |= FLOW_PKT_TOSERVER;
4539  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4540  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4541  f.alproto = ALPROTO_HTTP1;
4542 
4543  StreamTcpInitConfig(true);
4544 
4545  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4546  if (de_ctx == NULL) {
4547  goto end;
4548  }
4549 
4550  de_ctx->flags |= DE_QUIET;
4551 
4552  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4553  "(msg:\"Test proto match\"; uricontent:\"one\";"
4554  "sid:1;)");
4555  if (s == NULL) {
4556  goto end;
4557  }
4558 
4559  /* the no inspection flag should be set after the first sig gets triggered,
4560  * so the second packet should not match the next sig (because of no inspection) */
4561  s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4562  "(msg:\"Test proto match\"; uricontent:\"two\";"
4563  "sid:2;)");
4564  if (s == NULL) {
4565  goto end;
4566  }
4567 
4568  SigGroupBuild(de_ctx);
4569  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4570 
4571  int r = AppLayerParserParse(
4572  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4573  if (r != 0) {
4574  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4575  goto end;
4576  }
4577 
4578  http_state = f.alstate;
4579  if (http_state == NULL) {
4580  printf("no http state: ");
4581  goto end;
4582  }
4583 
4584  /* do detect */
4585  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4586 
4587  if (!PacketAlertCheck(p1, 1)) {
4588  printf("sig 1 didn't alert on p1, but it should: ");
4589  goto end;
4590  }
4591 
4592  if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4593  printf("sig 1 alerted but flow was not flagged correctly: ");
4594  goto end;
4595  }
4596 
4597  /* Second part.. Let's feed with another packet */
4598  if (StreamTcpCheckFlowDrops(p2) == 1) {
4599  SCLogDebug("This flow/stream triggered a drop rule");
4600  FlowSetNoPacketInspectionFlag(p2->flow);
4601  DecodeSetNoPacketInspectionFlag(p2);
4602  StreamTcpDisableAppLayer(p2->flow);
4603  p2->action |= ACTION_DROP;
4604  /* return the segments to the pool */
4605  StreamTcpSessionPktFree(p2);
4606  }
4607 
4608 
4609  if ( !(p2->flags & PKT_NOPACKET_INSPECTION)) {
4610  printf("The packet was not flagged with no-inspection: ");
4611  goto end;
4612  }
4613 
4614  r = AppLayerParserParse(
4615  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4616  if (r != 0) {
4617  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4618  goto end;
4619  }
4620 
4621  /* do detect */
4622  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4623 
4624  if (PacketAlertCheck(p2, 1)) {
4625  printf("sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4626  goto end;
4627  }
4628 
4629  if (PacketAlertCheck(p2, 2)) {
4630  printf("sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4631  goto end;
4632  }
4633 
4634  if (!(PacketTestAction(p2, ACTION_DROP))) {
4635  printf("A \"drop\" action should be set from the flow to the packet: ");
4636  goto end;
4637  }
4638 
4639  result = 1;
4640 
4641 end:
4642  if (alp_tctx != NULL)
4643  AppLayerParserThreadCtxFree(alp_tctx);
4644  if (det_ctx != NULL)
4645  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4646  if (de_ctx != NULL)
4647  SigGroupCleanup(de_ctx);
4648  if (de_ctx != NULL)
4649  DetectEngineCtxFree(de_ctx);
4650 
4651  StreamTcpFreeConfig(true);
4652  FLOW_DESTROY(&f);
4653 
4654  UTHFreePackets(&p1, 1);
4655  UTHFreePackets(&p2, 1);
4656 
4657  /* Restore mode to IDS */
4658  EngineModeSetIDS();
4659  return result;
4660 }
4661 
4662 /** \test ICMP packet shouldn't be matching port based sig
4663  * Bug #611 */
4664 static int SigTestPorts01(void)
4665 {
4666  int result = 0;
4667  Packet *p1 = NULL;
4668  Signature *s = NULL;
4669  ThreadVars tv;
4670  DetectEngineThreadCtx *det_ctx = NULL;
4671  uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
4672 
4673  memset(&tv, 0, sizeof(ThreadVars));
4674 
4675  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
4676 
4677  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4678  if (de_ctx == NULL) {
4679  goto end;
4680  }
4681  de_ctx->flags |= DE_QUIET;
4682 
4683  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
4684  "(content:\"AAA\"; sid:1;)");
4685  if (s == NULL) {
4686  goto end;
4687  }
4688 
4689  SigGroupBuild(de_ctx);
4690  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4691 
4692  /* do detect */
4693  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4694 
4695  if (PacketAlertCheck(p1, 1)) {
4696  printf("sig 1 alerted on p1, but it should not: ");
4697  goto end;
4698  }
4699 
4700  result = 1;
4701 end:
4702  if (det_ctx != NULL)
4703  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4704  if (de_ctx != NULL)
4705  SigGroupCleanup(de_ctx);
4706  if (de_ctx != NULL)
4707  DetectEngineCtxFree(de_ctx);
4708 
4709  UTHFreePackets(&p1, 1);
4710  return result;
4711 }
4712 
4713 /** \test almost identical patterns */
4714 static int SigTestBug01(void)
4715 {
4716  int result = 0;
4717  Packet *p1 = NULL;
4718  Signature *s = NULL;
4719  ThreadVars tv;
4720  DetectEngineThreadCtx *det_ctx = NULL;
4721  uint8_t payload[] = "!mymy";
4722 
4723  memset(&tv, 0, sizeof(ThreadVars));
4724 
4725  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
4726 
4727  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4728  if (de_ctx == NULL) {
4729  goto end;
4730  }
4731  de_ctx->flags |= DE_QUIET;
4732 
4733  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4734  "(content:\"Omymy\"; nocase; sid:1;)");
4735  if (s == NULL) {
4736  goto end;
4737  }
4738  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4739  "(content:\"!mymy\"; nocase; sid:2;)");
4740  if (s == NULL) {
4741  goto end;
4742  }
4743 
4744  SigGroupBuild(de_ctx);
4745  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4746 
4747  /* do detect */
4748  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4749 
4750  if (PacketAlertCheck(p1, 1)) {
4751  printf("sig 1 alerted on p1, but it should not: ");
4752  goto end;
4753  }
4754  if (!(PacketAlertCheck(p1, 2))) {
4755  printf("sig 2 did not p1, but it should have: ");
4756  goto end;
4757  }
4758 
4759  result = 1;
4760 end:
4761  if (det_ctx != NULL)
4762  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4763  if (de_ctx != NULL)
4764  SigGroupCleanup(de_ctx);
4765  if (de_ctx != NULL)
4766  DetectEngineCtxFree(de_ctx);
4767 
4768  UTHFreePackets(&p1, 1);
4769  return result;
4770 }
4771 
4772 static const char *dummy_conf_string2 =
4773  "%YAML 1.1\n"
4774  "---\n"
4775  "vars:\n"
4776  "\n"
4777  " address-groups:\n"
4778  "\n"
4779  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4780  "\n"
4781  " EXTERNAL_NET: \"any\"\n"
4782  "\n"
4783  " port-groups:\n"
4784  "\n"
4785  " HTTP_PORTS: \"80:81,88\"\n"
4786  "\n";
4787 
4788 static int DetectAddressYamlParsing01 (void)
4789 {
4790  int result = 0;
4791 
4792  ConfCreateContextBackup();
4793  ConfInit();
4794  ConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
4795 
4796  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4797  if (de_ctx == NULL) {
4798  goto end;
4799  }
4800 
4801  de_ctx->flags |= DE_QUIET;
4802 
4803  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4804  goto end;
4805  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4806  goto end;
4807  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4808  goto end;
4809 
4810  result = 1;
4811 
4812  DetectEngineCtxFree(de_ctx);
4813 end:
4814  ConfDeInit();
4815  ConfRestoreContextBackup();
4816  return result;
4817 }
4818 
4819 static const char *dummy_conf_string3 =
4820  "%YAML 1.1\n"
4821  "---\n"
4822  "vars:\n"
4823  "\n"
4824  " address-groups:\n"
4825  "\n"
4826  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4827  "\n"
4828  " EXTERNAL_NET: \"any\"\n"
4829  "\n"
4830  " port-groups:\n"
4831  "\n"
4832  " HTTP_PORTS: \"80:81,88\"\n"
4833  "\n";
4834 
4835 static int DetectAddressYamlParsing02 (void)
4836 {
4837  int result = 0;
4838 
4839  ConfCreateContextBackup();
4840  ConfInit();
4841  ConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
4842 
4843  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4844  if (de_ctx == NULL) {
4845  goto end;
4846  }
4847 
4848  de_ctx->flags |= DE_QUIET;
4849 
4850  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4851  goto end;
4852  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4853  goto end;
4854  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4855  goto end;
4856 
4857  result = 1;
4858 
4859  DetectEngineCtxFree(de_ctx);
4860 end:
4861  ConfDeInit();
4862  ConfRestoreContextBackup();
4863  return result;
4864 }
4865 
4866 static const char *dummy_conf_string4 =
4867  "%YAML 1.1\n"
4868  "---\n"
4869  "vars:\n"
4870  "\n"
4871  " address-groups:\n"
4872  "\n"
4873  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4874  "\n"
4875  " EXTERNAL_NET: \"any\"\n"
4876  "\n"
4877  " port-groups:\n"
4878  "\n"
4879  " HTTP_PORTS: \"80:81,88\"\n"
4880  "\n";
4881 
4882 static int DetectAddressYamlParsing03 (void)
4883 {
4884  int result = 0;
4885 
4886  ConfCreateContextBackup();
4887  ConfInit();
4888  ConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
4889 
4890  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4891  if (de_ctx == NULL) {
4892  goto end;
4893  }
4894 
4895  de_ctx->flags |= DE_QUIET;
4896 
4897  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4898  goto end;
4899  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4900  goto end;
4901  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4902  goto end;
4903 
4904  result = 1;
4905 
4906  DetectEngineCtxFree(de_ctx);
4907 end:
4908  ConfDeInit();
4909  ConfRestoreContextBackup();
4910  return result;
4911 }
4912 
4913 static const char *dummy_conf_string5 =
4914  "%YAML 1.1\n"
4915  "---\n"
4916  "vars:\n"
4917  "\n"
4918  " address-groups:\n"
4919  "\n"
4920  " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
4921  "\n"
4922  " EXTERNAL_NET: \"any\"\n"
4923  "\n"
4924  " port-groups:\n"
4925  "\n"
4926  " HTTP_PORTS: \"80:81,88\"\n"
4927  "\n";
4928 
4929 /** \test bug #815 */
4930 static int DetectAddressYamlParsing04 (void)
4931 {
4932  int result = 0;
4933 
4934  ConfCreateContextBackup();
4935  ConfInit();
4936  ConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
4937 
4938  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4939  if (de_ctx == NULL) {
4940  goto end;
4941  }
4942 
4943  de_ctx->flags |= DE_QUIET;
4944 
4945  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4946  goto end;
4947  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4948  goto end;
4949  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4950  goto end;
4951 
4952  result = 1;
4953 
4954  DetectEngineCtxFree(de_ctx);
4955 end:
4956  ConfDeInit();
4957  ConfRestoreContextBackup();
4958  return result;
4959 }
4960 
4961 void SigRegisterTests(void)
4962 {
4963  SigParseRegisterTests();
4964  IPOnlyRegisterTests();
4965 
4966  UtRegisterTest("SigTest01", SigTest01);
4967  UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
4968  UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
4969  UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
4970  UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
4971  UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
4972  UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
4973  SigTest07);
4974  UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
4975  UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
4976  SigTest09);
4977  UtRegisterTest("SigTest10 -- long content match, longer than pkt",
4978  SigTest10);
4979  UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
4980  UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
4981  UtRegisterTest("SigTest13 -- content order matching, diff order",
4982  SigTest13);
4983  UtRegisterTest("SigTest14 -- content order matching, distance 0",
4984  SigTest14);
4985  UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
4986  UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
4987  UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
4988  UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
4989  UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
4990  UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
4991  UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
4992  UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
4993  UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
4994 
4995  UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
4996  UtRegisterTest("SigTest25NegativeIPV4Keyword",
4997  SigTest25NegativeIPV4Keyword);
4998 
4999  UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
5000  UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
5001  SigTest26TCPV4AndNegativeIPV4Keyword);
5002  UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
5003  SigTest26TCPV4AndIPV4Keyword);
5004  UtRegisterTest("SigTest27NegativeTCPV4Keyword",
5005  SigTest27NegativeTCPV4Keyword);
5006 
5007  UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
5008  UtRegisterTest("SigTest29NegativeTCPV6Keyword",
5009  SigTest29NegativeTCPV6Keyword);
5010 
5011  UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
5012  UtRegisterTest("SigTest31NegativeUDPV4Keyword",
5013  SigTest31NegativeUDPV4Keyword);
5014 
5015  UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
5016  UtRegisterTest("SigTest33NegativeUDPV6Keyword",
5017  SigTest33NegativeUDPV6Keyword);
5018 
5019  UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5020  UtRegisterTest("SigTest35NegativeICMPV4Keyword",
5021  SigTest35NegativeICMPV4Keyword);
5022  UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
5023  SigTest36ContentAndIsdataatKeywords01);
5024  UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
5025  SigTest37ContentAndIsdataatKeywords02);
5026 
5027  UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
5028 
5029  UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
5030 
5031  UtRegisterTest("SigTest40NoPacketInspection01",
5032  SigTest40NoPacketInspection01);
5033  UtRegisterTest("SigTest40NoPayloadInspection02",
5034  SigTest40NoPayloadInspection02);
5035 
5036  UtRegisterTest("SigTestMemory01", SigTestMemory01);
5037  UtRegisterTest("SigTestMemory02", SigTestMemory02);
5038  UtRegisterTest("SigTestMemory03", SigTestMemory03);
5039 
5040  UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
5041  UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5042  UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
5043  SigTestContent03);
5044  UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5045  SigTestContent04);
5046  UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
5047  UtRegisterTest("SigTestContent06 -- distance/within ip only",
5048  SigTestContent06);
5049 
5050  UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
5051  UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
5052 
5053  UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5054 
5055  UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
5056  UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
5057  UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
5058 
5059  UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5060  UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5061  UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5062  UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
5063 
5064  UtRegisterTest("SigTestPorts01", SigTestPorts01);
5065  UtRegisterTest("SigTestBug01", SigTestBug01);
5066 
5067  DetectEngineContentInspectionRegisterTests();
5068 }
5069 #endif /* UNITTESTS */
IPOnlyRegisterTests
void IPOnlyRegisterTests(void)
Definition: detect-engine-iponly.c:2497
Packet_::proto
uint8_t proto
Definition: decode.h:495
PktVarGet
PktVar * PktVarGet(Packet *p, uint32_t id)
Definition: pkt-var.c:40
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:137
StreamTcpSessionPktFree
void StreamTcpSessionPktFree(Packet *p)
Function to return the stream segments back to the pool.
Definition: stream-tcp.c:380
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:116
DetectEngineContentInspectionRegisterTests
void DetectEngineContentInspectionRegisterTests(void)
Definition: detect-engine-content-inspection.c:317
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:586
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1264
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:351
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:70
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition: packet-queue.h:49
Flow_::proto
uint8_t proto
Definition: flow.h:378
Packet_::payload
uint8_t * payload
Definition: decode.h:571
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:510
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:143
Packet_::action
uint8_t action
Definition: decode.h:575
SigRegisterTests
void SigRegisterTests(void)
Definition: detect.c:4961
Flow_
Flow data structure.
Definition: flow.h:356
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:148
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:750
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2611
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:309
TCP_GET_RAW_HLEN
#define TCP_GET_RAW_HLEN(tcph)
Definition: decode-tcp.h:72
StatsSetupPrivate
int StatsSetupPrivate(ThreadVars *tv)
Definition: counters.c:1204
MPM_AC
@ MPM_AC
Definition: util-mpm.h:36
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:300
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:69
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1938
UTHBuildPacketSrcDstPorts
Packet * UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, uint16_t sport, uint16_t dport)
UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying src and dst ports and defaulting...
Definition: util-unittest-helper.c:436
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1253
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:1859
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:55
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:504
Flow_::protoctx
void * protoctx
Definition: flow.h:446
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:572
HtpState_
Definition: app-layer-htp.h:238
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
Signature_::next
struct Signature_ * next
Definition: detect.h:673
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:533
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:209
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:461
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
find name for id+type at packet time.
Definition: util-var-name.c:315
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition: detect-parse.c:4445
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:245
PktVar_::value
uint8_t * value
Definition: decode.h:296
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:205
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3347
Packet_::sp
Port sp
Definition: decode.h:480
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:96
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:240
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:523
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2285
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2211
StatsGetLocalCounterValue
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1250
Packet_
Definition: decode.h:473
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:204
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:670
ConfCreateContextBackup
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:669
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2144
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:279
IPV4Hdr_
Definition: decode-ipv4.h:72
Packet_::flow
struct Flow_ * flow
Definition: decode.h:512
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:792
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1265
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:446
SigMatch_::type
uint16_t type
Definition: detect.h:350
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:680
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3574
ConfRestoreContextBackup
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:679
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:849
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1143
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:929
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:467
Flow_::alstate
void * alstate
Definition: flow.h:481
Flow_::flags
uint32_t flags
Definition: flow.h:426
Signature_
Signature container.
Definition: detect.h:601
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:234
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2572
PktVar_::value_len
uint16_t value_len
Definition: decode.h:294
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1215
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
Address_::family
char family
Definition: decode.h:109
Packet_::dst
Address dst
Definition: decode.h:478
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1248
ConfDeInit
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:688
PktVar_
Definition: decode.h:288
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:58
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:455
Packet_::dp
Port dp
Definition: decode.h:488
IPV4Hdr_::ip_verhl
uint8_t ip_verhl
Definition: decode-ipv4.h:73
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
TCPHdr_
Definition: decode-tcp.h:149
Packet_::src
Address src
Definition: decode.h:477
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1261
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:450