suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #ifdef UNITTESTS
19 
20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../pkt-var.h"
25 #include "../flow-util.h"
26 #include "../stream-tcp-reassemble.h"
27 #include "../util-unittest.h"
28 #include "../util-unittest-helper.h"
29 
30 static const char *dummy_conf_string =
31  "%YAML 1.1\n"
32  "---\n"
33  "\n"
34  "default-log-dir: /var/log/suricata\n"
35  "\n"
36  "logging:\n"
37  "\n"
38  " default-log-level: debug\n"
39  "\n"
40  " default-format: \"<%t> - <%l>\"\n"
41  "\n"
42  " default-startup-message: Your IDS has started.\n"
43  "\n"
44  " default-output-filter:\n"
45  "\n"
46  " output:\n"
47  "\n"
48  " - interface: console\n"
49  " log-level: info\n"
50  "\n"
51  " - interface: file\n"
52  " filename: /var/log/suricata.log\n"
53  "\n"
54  " - interface: syslog\n"
55  " facility: local5\n"
56  " format: \"%l\"\n"
57  "\n"
58  "pfring:\n"
59  "\n"
60  " interface: eth0\n"
61  "\n"
62  " clusterid: 99\n"
63  "\n"
64  "vars:\n"
65  "\n"
66  " address-groups:\n"
67  "\n"
68  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
69  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
70  "\n"
71  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
72  "\n"
73  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
74  "\n"
75  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
76  "\n"
77  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
78  "\n"
79  " DNS_SERVERS: any\n"
80  "\n"
81  " TELNET_SERVERS: any\n"
82  "\n"
83  " AIM_SERVERS: any\n"
84  "\n"
85  " port-groups:\n"
86  "\n"
87  " HTTP_PORTS: \"80:81,88\"\n"
88  "\n"
89  " SHELLCODE_PORTS: 80\n"
90  "\n"
91  " ORACLE_PORTS: 1521\n"
92  "\n"
93  " SSH_PORTS: 22\n"
94  "\n";
95 
96 static int SigTest01 (void)
97 {
98  uint8_t *buf = (uint8_t *)
99  "GET /one/ HTTP/1.1\r\n"
100  "Host: one.example.org\r\n"
101  "\r\n\r\n"
102  "GET /two/ HTTP/1.1\r\n"
103  "Host: two.example.org\r\n"
104  "\r\n\r\n";
105  uint16_t buflen = strlen((char *)buf);
106  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
107  int result = 0;
108 
109  char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
110  if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
111  result = 0;
112  goto end;
113  }
114 #if 0
115  //printf("URI0 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[0], p.http_uri.raw_size[0]);
116  //printf("URI1 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[1], p.http_uri.raw_size[1]);
117 
118  if (p->http_uri.raw_size[0] == 5 &&
119  memcmp(p->http_uri.raw[0], "/one/", 5) == 0 &&
120  p->http_uri.raw_size[1] == 5 &&
121  memcmp(p->http_uri.raw[1], "/two/", 5) == 0)
122  {
123  result = 1;
124  }
125 
126 #endif
127  result = 1;
128 end:
129  if (p != NULL)
130  UTHFreePacket(p);
131  return result;
132 }
133 
134 static int SigTest02 (void)
135 {
136  uint8_t *buf = (uint8_t *)
137  "GET /one/ HTTP/1.1\r\n"
138  "Host: one.example.org\r\n"
139  "\r\n\r\n"
140  "GET /two/ HTTP/1.1\r\n"
141  "Host: two.example.org\r\n"
142  "\r\n\r\n";
143  uint16_t buflen = strlen((char *)buf);
144  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
145  char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
146  int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
147  UTHFreePacket(p);
148  return ret;
149 }
150 
151 static int SigTest03 (void)
152 {
153  uint8_t *buf = (uint8_t *)
154  "GET /one/ HTTP/1.1\r\n"
155  "Host: one.example.org\r\n"
156  "\r\n\r\n"
157  "GET /two/ HTTP/1.1\r\n"
158  "Host: two.example.org\r\n"
159  "\r\n\r\n";
160  uint16_t buflen = strlen((char *)buf);
161  Packet *p = NULL;
162  ThreadVars th_v;
163  DetectEngineThreadCtx *det_ctx = NULL;
164  int result = 0;
165 
166  memset(&th_v, 0, sizeof(th_v));
167 
168  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
169 
171  if (de_ctx == NULL) {
172  goto end;
173  }
174 
175  de_ctx->flags |= DE_QUIET;
176 
177  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
178  if (de_ctx->sig_list == NULL) {
179  result = 0;
180  goto end;
181  }
182 
184  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
185 
186  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
187  if (PacketAlertCheck(p, 1))
188  result = 1;
189 
192 
193  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
195 end:
196  UTHFreePackets(&p, 1);
197  return result;
198 }
199 
200 static int SigTest04 (void)
201 {
202  uint8_t *buf = (uint8_t *)
203  "GET /one/ HTTP/1.1\r\n" /* 20*/
204  "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
205  "\r\n\r\n" /* 4 */
206  "GET /two/ HTTP/1.1\r\n" /* 20 */
207  "Host: two.example.org\r\n" /* 23 */
208  "\r\n\r\n"; /* 4 */
209  uint16_t buflen = strlen((char *)buf);
210 
211  Packet *p = NULL;
212  ThreadVars th_v;
213  DetectEngineThreadCtx *det_ctx = NULL;
214  int result = 0;
215 
216  memset(&th_v, 0, sizeof(th_v));
217 
218  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
219 
221  if (de_ctx == NULL) {
222  goto end;
223  }
224 
225  de_ctx->flags |= DE_QUIET;
226 
227  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
228  if (de_ctx->sig_list == NULL) {
229  result = 0;
230  goto end;
231  }
232 
234  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
235 
236  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
237  if (PacketAlertCheck(p, 1))
238  result = 1;
239 
242 
243  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
245 end:
246  UTHFreePackets(&p, 1);
247  return result;
248 }
249 
250 static int SigTest05 (void)
251 {
252  uint8_t *buf = (uint8_t *)
253  "GET /one/ HTTP/1.1\r\n" /* 20 */
254  "Host: one.example.org\r\n" /* 23, 43 */
255  "\r\n\r\n" /* 4, 47 */
256  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
257  "Host: two.example.org\r\n" /* 23, 90 */
258  "\r\n\r\n"; /* 4, 94 */
259  uint16_t buflen = strlen((char *)buf);
260  Packet *p = NULL;
261  ThreadVars th_v;
262  DetectEngineThreadCtx *det_ctx = NULL;
263  int result = 0;
264 
265  memset(&th_v, 0, sizeof(th_v));
266 
267  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
268 
270  if (de_ctx == NULL) {
271  goto end;
272  }
273 
274  de_ctx->flags |= DE_QUIET;
275 
276  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
277  if (de_ctx->sig_list == NULL) {
278  printf("sig parse failed: ");
279  goto end;
280  }
281 
283  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
284 
285  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
286  if (!PacketAlertCheck(p, 1)) {
287  result = 1;
288  } else {
289  printf("sig matched but shouldn't have: ");
290  }
291 
294 
295  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
297 end:
298  UTHFreePackets(&p, 1);
299  return result;
300 }
301 
302 static int SigTest06 (void)
303 {
304  uint8_t *buf = (uint8_t *)
305  "GET /one/ HTTP/1.1\r\n" /* 20 */
306  "Host: one.example.org\r\n" /* 23, 43 */
307  "\r\n\r\n" /* 4, 47 */
308  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
309  "Host: two.example.org\r\n" /* 23, 90 */
310  "\r\n\r\n"; /* 4, 94 */
311  uint16_t buflen = strlen((char *)buf);
312  Packet *p = NULL;
313  ThreadVars th_v;
314  DetectEngineThreadCtx *det_ctx = NULL;
315  Flow f;
316  TcpSession ssn;
319 
320  memset(&th_v, 0, sizeof(th_v));
321  memset(&f, 0, sizeof(f));
322  memset(&ssn, 0, sizeof(ssn));
323 
324  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
325  FAIL_IF_NULL(p);
326 
327  FLOW_INITIALIZE(&f);
328  f.protoctx = (void *)&ssn;
329  f.flags |= FLOW_IPV4;
330  f.proto = IPPROTO_TCP;
331  p->flow = &f;
336 
337  StreamTcpInitConfig(true);
338 
341  de_ctx->flags |= DE_QUIET;
342 
343  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
344  FAIL_IF_NULL(s);
345 
346  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
347  FAIL_IF_NULL(s);
348 
350  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
351  FAIL_IF_NULL(det_ctx);
352 
353  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
354  FAIL_IF(r != 0);
355 
356  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
359 
360  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
363  UTHFreePackets(&p, 1);
364  StreamTcpFreeConfig(true);
365  FLOW_DESTROY(&f);
366  PASS;
367 }
368 
369 static int SigTest07 (void)
370 {
371  uint8_t *buf = (uint8_t *)
372  "GET /one/ HTTP/1.1\r\n" /* 20 */
373  "Host: one.example.org\r\n" /* 23, 43 */
374  "\r\n\r\n" /* 4, 47 */
375  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
376  "Host: two.example.org\r\n" /* 23, 90 */
377  "\r\n\r\n"; /* 4, 94 */
378  uint16_t buflen = strlen((char *)buf);
379  Packet *p = NULL;
380  ThreadVars th_v;
381  DetectEngineThreadCtx *det_ctx = NULL;
382  Flow f;
383  TcpSession ssn;
384  int result = 0;
386 
387  memset(&th_v, 0, sizeof(th_v));
388  memset(&f, 0, sizeof(f));
389  memset(&ssn, 0, sizeof(ssn));
390 
391  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
392 
393  FLOW_INITIALIZE(&f);
394  f.protoctx = (void *)&ssn;
395  f.flags |= FLOW_IPV4;
396  f.proto = IPPROTO_TCP;
397  p->flow = &f;
402 
403  StreamTcpInitConfig(true);
404 
406  if (de_ctx == NULL) {
407  goto end;
408  }
409 
410  de_ctx->flags |= DE_QUIET;
411 
412  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
413  if (de_ctx->sig_list == NULL) {
414  result = 0;
415  goto end;
416  }
417  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
418  if (de_ctx->sig_list->next == NULL) {
419  result = 0;
420  goto end;
421  }
422 
424  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
425 
426  FLOWLOCK_WRLOCK(&f);
427  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
428  if (r != 0) {
429  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
430  result = 0;
431  FLOWLOCK_UNLOCK(&f);
432  goto end;
433  }
434  FLOWLOCK_UNLOCK(&f);
435 
436  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
437  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
438  result = 0;
439  else
440  result = 1;
441 
442 end:
443  if (alp_tctx != NULL)
445  UTHFreePackets(&p, 1);
446  StreamTcpFreeConfig(true);
448  FLOW_DESTROY(&f);
451 
452  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
454 
455  return result;
456 }
457 
458 static int SigTest08 (void)
459 {
460  uint8_t *buf = (uint8_t *)
461  "GET /one/ HTTP/1.0\r\n" /* 20 */
462  "Host: one.example.org\r\n" /* 23, 43 */
463  "\r\n\r\n" /* 4, 47 */
464  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
465  "Host: two.example.org\r\n" /* 23, 90 */
466  "\r\n\r\n"; /* 4, 94 */
467  uint16_t buflen = strlen((char *)buf);
468  Packet *p = NULL;
469  ThreadVars th_v;
470  DetectEngineThreadCtx *det_ctx = NULL;
471  Flow f;
472  TcpSession ssn;
473  int result = 0;
475 
476  memset(&f, 0, sizeof(Flow));
477  memset(&th_v, 0, sizeof(th_v));
478  memset(&ssn, 0, sizeof(ssn));
479 
480  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
481 
482  FLOW_INITIALIZE(&f);
483  f.protoctx = (void *)&ssn;
484  f.flags |= FLOW_IPV4;
485  f.proto = IPPROTO_TCP;
486  p->flow = &f;
491 
492  StreamTcpInitConfig(true);
493 
495  if (de_ctx == NULL) {
496  goto end;
497  }
498 
499  de_ctx->flags |= DE_QUIET;
500 
501  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
502  if (de_ctx->sig_list == NULL) {
503  result = 0;
504  goto end;
505  }
506  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
507  if (de_ctx->sig_list->next == NULL) {
508  result = 0;
509  goto end;
510  }
511 
513  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
514 
515  FLOWLOCK_WRLOCK(&f);
516  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
517  if (r != 0) {
518  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
519  result = 0;
520  FLOWLOCK_UNLOCK(&f);
521  goto end;
522  }
523  FLOWLOCK_UNLOCK(&f);
524 
525  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
526  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
527  result = 1;
528  else
529  printf("sid:1 %s, sid:2 %s: ",
530  PacketAlertCheck(p, 1) ? "OK" : "FAIL",
531  PacketAlertCheck(p, 2) ? "OK" : "FAIL");
532 
533 end:
537 
538  if (det_ctx)
539  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
541  if (alp_tctx != NULL)
543  UTHFreePackets(&p, 1);
544  StreamTcpFreeConfig(true);
545  FLOW_DESTROY(&f);
546  return result;
547 }
548 
549 static int SigTest09 (void)
550 {
551  uint8_t *buf = (uint8_t *)
552  "GET /one/ HTTP/1.0\r\n" /* 20 */
553  "Host: one.example.org\r\n" /* 23, 43 */
554  "\r\n\r\n" /* 4, 47 */
555  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
556  "Host: two.example.org\r\n" /* 23, 90 */
557  "\r\n\r\n"; /* 4, 94 */
558  uint16_t buflen = strlen((char *)buf);
559  Packet *p = NULL;
560  ThreadVars th_v;
561  DetectEngineThreadCtx *det_ctx = NULL;
562  Flow f;
563  TcpSession ssn;
565  int result = 0;
566 
567  memset(&th_v, 0, sizeof(th_v));
568  memset(&f, 0, sizeof(f));
569  memset(&ssn, 0, sizeof(ssn));
570 
571  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
572 
573  FLOW_INITIALIZE(&f);
574  f.protoctx = (void *)&ssn;
575  f.flags |= FLOW_IPV4;
576  f.proto = IPPROTO_TCP;
577  p->flow = &f;
582 
583  StreamTcpInitConfig(true);
584 
586  if (de_ctx == NULL) {
587  goto end;
588  }
589 
590  de_ctx->flags |= DE_QUIET;
591 
592  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
593  if (de_ctx->sig_list == NULL) {
594  result = 0;
595  goto end;
596  }
597  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
598  if (de_ctx->sig_list->next == NULL) {
599  result = 0;
600  goto end;
601  }
602 
604  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
605 
606  FLOWLOCK_WRLOCK(&f);
607  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
608  if (r != 0) {
609  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
610  result = 0;
611  FLOWLOCK_UNLOCK(&f);
612  goto end;
613  }
614  FLOWLOCK_UNLOCK(&f);
615 
616  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
617  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
618  result = 1;
619  else
620  result = 0;
621 
622 end:
626  if (det_ctx)
627  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
629  if (alp_tctx != NULL)
631  UTHFreePackets(&p, 1);
632  StreamTcpFreeConfig(true);
633  FLOW_DESTROY(&f);
634  return result;
635 }
636 
637 static int SigTest10 (void)
638 {
639  uint8_t *buf = (uint8_t *)
640  "ABC";
641  uint16_t buflen = strlen((char *)buf);
642  Packet *p = NULL;
643  ThreadVars th_v;
644  DetectEngineThreadCtx *det_ctx = NULL;
645  Flow f;
646  TcpSession ssn;
647  int result = 0;
649 
650  memset(&th_v, 0, sizeof(th_v));
651  memset(&f, 0, sizeof(f));
652  memset(&ssn, 0, sizeof(ssn));
653 
654  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
655 
656  FLOW_INITIALIZE(&f);
657  f.protoctx = (void *)&ssn;
658  f.proto = IPPROTO_TCP;
659  f.flags |= FLOW_IPV4;
660  p->flow = &f;
665 
666  StreamTcpInitConfig(true);
667 
669  if (de_ctx == NULL) {
670  goto end;
671  }
672 
673  de_ctx->flags |= DE_QUIET;
674 
675  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
676  if (de_ctx->sig_list == NULL) {
677  result = 0;
678  goto end;
679  }
680  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)");
681  if (de_ctx->sig_list->next == NULL) {
682  result = 0;
683  goto end;
684  }
685 
687  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
688 
689  FLOWLOCK_WRLOCK(&f);
690  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
691  if (r != 0) {
692  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
693  result = 0;
694  FLOWLOCK_UNLOCK(&f);
695  goto end;
696  }
697  FLOWLOCK_UNLOCK(&f);
698 
699  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
700  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
701  result = 0;
702  else
703  result = 1;
704 
705  end:
709  if (det_ctx)
710  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
712  if (alp_tctx != NULL)
714  UTHFreePackets(&p, 1);
715  StreamTcpFreeConfig(true);
716  FLOW_DESTROY(&f);
717  return result;
718 }
719 
720 static int SigTest11 (void)
721 {
722  uint8_t *buf = (uint8_t *)
723  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
724  uint16_t buflen = strlen((char *)buf);
725  Packet *p = NULL;
726  ThreadVars th_v;
727  DetectEngineThreadCtx *det_ctx = NULL;
728  Flow f;
729  TcpSession ssn;
730  int result = 0;
731 
732  memset(&th_v, 0, sizeof(th_v));
733  memset(&f, 0, sizeof(f));
734  memset(&ssn, 0, sizeof(ssn));
735 
736  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
737 
738  FLOW_INITIALIZE(&f);
739  f.protoctx = (void *)&ssn;
740  f.proto = IPPROTO_TCP;
741  f.flags |= FLOW_IPV4;
742  p->flow = &f;
746 
747  StreamTcpInitConfig(true);
748 
750  if (de_ctx == NULL) {
751  goto end;
752  }
753 
754  de_ctx->flags |= DE_QUIET;
755 
756  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
757  if (de_ctx->sig_list == NULL) {
758  goto end;
759  }
760  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
761  if (de_ctx->sig_list->next == NULL) {
762  goto end;
763  }
764 
766  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
767 
768  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
769  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
770  result = 1;
771 
772  end:
775  if (det_ctx)
776  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
778  UTHFreePackets(&p, 1);
779  StreamTcpFreeConfig(true);
780  FLOW_DESTROY(&f);
781  return result;
782 }
783 
784 static int SigTest12 (void)
785 {
786  uint8_t *buf = (uint8_t *)
787  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
788  uint16_t buflen = strlen((char *)buf);
789  Packet *p = NULL;
790  ThreadVars th_v;
791  DetectEngineThreadCtx *det_ctx = NULL;
792  int result = 0;
793 
794  memset(&th_v, 0, sizeof(th_v));
795  Flow f;
796  memset(&f, 0, sizeof(Flow));
797 
798  FLOW_INITIALIZE(&f);
799 
800  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
801  p->flow = &f;
803 
805  if (de_ctx == NULL) {
806  goto end;
807  }
808 
809  de_ctx->flags |= DE_QUIET;
810 
811  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
812  if (de_ctx->sig_list == NULL) {
813  result = 0;
814  goto end;
815  }
816 
818  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
819 
820  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
821  if (PacketAlertCheck(p, 1))
822  result = 1;
823  else
824  result = 0;
825 
826  if (det_ctx != NULL)
827  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
828 end:
829  UTHFreePackets(&p, 1);
830  if (de_ctx != NULL) {
834  }
835  FLOW_DESTROY(&f);
836  return result;
837 }
838 
839 static int SigTest13 (void)
840 {
841  uint8_t *buf = (uint8_t *)
842  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
843  uint16_t buflen = strlen((char *)buf);
844  Packet *p = NULL;
845  ThreadVars th_v;
846  DetectEngineThreadCtx *det_ctx = NULL;
847  int result = 0;
848 
849  memset(&th_v, 0, sizeof(th_v));
850  Flow f;
851  memset(&f, 0, sizeof(Flow));
852 
853  FLOW_INITIALIZE(&f);
854 
855  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
856  p->flow = &f;
858 
860  if (de_ctx == NULL) {
861  goto end;
862  }
863 
864  de_ctx->flags |= DE_QUIET;
865 
866  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
867  if (de_ctx->sig_list == NULL) {
868  result = 0;
869  goto end;
870  }
871 
873  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
874 
875  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
876  if (PacketAlertCheck(p, 1))
877  result = 1;
878  else
879  result = 0;
880 
883  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
885 end:
886  UTHFreePackets(&p, 1);
887  FLOW_DESTROY(&f);
888  return result;
889 }
890 
891 static int SigTest14 (void)
892 {
893  uint8_t *buf = (uint8_t *)
894  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
895  uint16_t buflen = strlen((char *)buf);
896  Packet *p = NULL;
897  ThreadVars th_v;
898  DetectEngineThreadCtx *det_ctx = NULL;
899  int result = 0;
900 
901  memset(&th_v, 0, sizeof(th_v));
902 
903  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
904 
906  if (de_ctx == NULL) {
907  goto end;
908  }
909 
910  de_ctx->flags |= DE_QUIET;
911 
912  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
913  if (de_ctx->sig_list == NULL) {
914  result = 0;
915  goto end;
916  }
917 
919  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
920 
921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
922  if (PacketAlertCheck(p, 1))
923  result = 0;
924  else
925  result = 1;
926 
929  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
931 end:
932  UTHFreePackets(&p, 1);
933  return result;
934 }
935 
936 static int SigTest15 (void)
937 {
938  uint8_t *buf = (uint8_t *)
939  "CONNECT 213.92.8.7:31204 HTTP/1.1";
940  uint16_t buflen = strlen((char *)buf);
942  if (unlikely(p == NULL))
943  return 0;
944  ThreadVars th_v;
945  DetectEngineThreadCtx *det_ctx = NULL;
946  int result = 0;
947 
948  memset(&th_v, 0, sizeof(th_v));
949  memset(p, 0, SIZE_OF_PACKET);
950  p->src.family = AF_INET;
951  p->dst.family = AF_INET;
952  p->payload = buf;
953  p->payload_len = buflen;
954  p->proto = IPPROTO_TCP;
955  p->dp = 80;
956 
958  ConfInit();
959  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
960 
962  if (de_ctx == NULL) {
963  goto end;
964  }
965 
966  de_ctx->flags |= DE_QUIET;
967 
968  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
969  if (de_ctx->sig_list == NULL) {
970  result = 0;
971  goto end;
972  }
973 
975  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
976 
977  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
978  if (PacketAlertCheck(p, 2008284))
979  result = 0;
980  else
981  result = 1;
982 
985  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
987 end:
988  ConfDeInit();
990  SCFree(p);
991  return result;
992 }
993 
994 static int SigTest16 (void)
995 {
996  uint8_t *buf = (uint8_t *)
997  "CONNECT 213.92.8.7:31204 HTTP/1.1";
998  uint16_t buflen = strlen((char *)buf);
999  Packet *p = NULL;
1000  ThreadVars th_v;
1001  DetectEngineThreadCtx *det_ctx = NULL;
1002  int result = 0;
1003 
1004  memset(&th_v, 0, sizeof(th_v));
1005  memset(&p, 0, sizeof(p));
1006 
1007  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
1008 
1010  ConfInit();
1011  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1012 
1014  if (de_ctx == NULL) {
1015  goto end;
1016  }
1017 
1018  de_ctx->flags |= DE_QUIET;
1019 
1020  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
1021  if (de_ctx->sig_list == NULL) {
1022  goto end;
1023  }
1024 
1026  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1027 
1028  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1029  if (PacketAlertCheck(p, 2008284))
1030  result = 1;
1031  else
1032  printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
1033 
1035  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1037 end:
1038  ConfDeInit();
1040  UTHFreePackets(&p, 1);
1041  return result;
1042 }
1043 
1044 static int SigTest17 (void)
1045 {
1046  uint8_t *buf = (uint8_t *)
1047  "GET /one/ HTTP/1.1\r\n" /* 20 */
1048  "Host: one.example.org\r\n" /* 23, 43 */
1049  "\r\n\r\n" /* 4, 47 */
1050  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
1051  "Host: two.example.org\r\n" /* 23, 90 */
1052  "\r\n\r\n"; /* 4, 94 */
1053  uint16_t buflen = strlen((char *)buf);
1054  Packet *p = NULL;
1055  ThreadVars th_v;
1056  DetectEngineThreadCtx *det_ctx = NULL;
1057  memset(&th_v, 0, sizeof(th_v));
1058 
1059  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
1060  FAIL_IF_NULL(p);
1061 
1063  ConfInit();
1064  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1065 
1068  de_ctx->flags |= DE_QUIET;
1069 
1070  Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
1071  FAIL_IF_NULL(s);
1072 
1074  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1075  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1076 
1077  uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
1078 
1079  PktVar *pv_hn = PktVarGet(p, capid);
1080  FAIL_IF_NULL(pv_hn);
1081 
1082  FAIL_IF(pv_hn->value_len != 15);
1083  FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
1084 
1085  PktVarFree(pv_hn);
1086  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1088  ConfDeInit();
1090  UTHFreePackets(&p, 1);
1091 
1092  PASS;
1093 }
1094 
1095 static int SigTest18 (void)
1096 {
1097  uint8_t *buf = (uint8_t *)
1098  "220 (vsFTPd 2.0.5)\r\n";
1099  uint16_t buflen = strlen((char *)buf);
1101  if (unlikely(p == NULL))
1102  return 0;
1103  ThreadVars th_v;
1104  DetectEngineThreadCtx *det_ctx = NULL;
1105  int result = 0;
1106 
1107  memset(&th_v, 0, sizeof(th_v));
1108  memset(p, 0, SIZE_OF_PACKET);
1109  p->src.family = AF_INET;
1110  p->dst.family = AF_INET;
1111  p->payload = buf;
1112  p->payload_len = buflen;
1113  p->proto = IPPROTO_TCP;
1114  p->dp = 34260;
1115  p->sp = 21;
1116 
1118  if (de_ctx == NULL) {
1119  goto end;
1120  }
1121 
1122  de_ctx->flags |= DE_QUIET;
1123 
1124  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
1125  if (de_ctx->sig_list == NULL) {
1126  result = 0;
1127  goto end;
1128  }
1129 
1131  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1132 
1133  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1134  if (!PacketAlertCheck(p, 2003055))
1135  result = 1;
1136  else
1137  printf("signature shouldn't match, but did: ");
1138 
1141  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1143 end:
1144  SCFree(p);
1145  return result;
1146 }
1147 
1148 static int SigTest19 (void)
1149 {
1150  uint8_t *buf = (uint8_t *)
1151  "220 (vsFTPd 2.0.5)\r\n";
1152  uint16_t buflen = strlen((char *)buf);
1154  if (unlikely(p == NULL))
1155  return 0;
1156  ThreadVars th_v;
1157  DetectEngineThreadCtx *det_ctx = NULL;
1158  int result = 0;
1159 
1160  memset(&th_v, 0, sizeof(th_v));
1161  memset(p, 0, SIZE_OF_PACKET);
1162  p->src.family = AF_INET;
1163  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1164  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1165  p->dst.family = AF_INET;
1166  p->payload = buf;
1167  p->payload_len = buflen;
1168  p->proto = IPPROTO_TCP;
1169  p->dp = 34260;
1170  p->sp = 21;
1172 
1174  ConfInit();
1175  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1176 
1178  if (de_ctx == NULL) {
1179  goto end;
1180  }
1181 
1182  de_ctx->flags |= DE_QUIET;
1183 
1184  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1185  if (de_ctx->sig_list == NULL) {
1186  result = 0;
1187  goto end;
1188  }
1189 
1191  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1192 
1193  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1194  if (PacketAlertCheck(p, 999))
1195  result = 1;
1196  else
1197  printf("signature didn't match, but should have: ");
1198 
1200  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1202 end:
1203  ConfDeInit();
1205  SCFree(p);
1206  return result;
1207 }
1208 
1209 static int SigTest20 (void)
1210 {
1211  uint8_t *buf = (uint8_t *)
1212  "220 (vsFTPd 2.0.5)\r\n";
1213  uint16_t buflen = strlen((char *)buf);
1215  if (unlikely(p == NULL))
1216  return 0;
1217  ThreadVars th_v;
1218  DetectEngineThreadCtx *det_ctx = NULL;
1219  int result = 0;
1220 
1221  memset(&th_v, 0, sizeof(th_v));
1222  memset(p, 0, SIZE_OF_PACKET);
1223  p->src.family = AF_INET;
1224  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1225  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1226  p->dst.family = AF_INET;
1227  p->payload = buf;
1228  p->payload_len = buflen;
1229  p->proto = IPPROTO_TCP;
1230  p->dp = 34260;
1231  p->sp = 21;
1233 
1235  ConfInit();
1236  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1237 
1239  if (de_ctx == NULL) {
1240  goto end;
1241  }
1242 
1243  de_ctx->flags |= DE_QUIET;
1244 
1245  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1246  if (de_ctx->sig_list == NULL) {
1247  result = 0;
1248  goto end;
1249  }
1250 
1252  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1253 
1254  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1255  if (PacketAlertCheck(p, 999))
1256  result = 1;
1257  else
1258  printf("signature didn't match, but should have: ");
1259 
1262  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1264 end:
1265  ConfDeInit();
1267  SCFree(p);
1268  return result;
1269 }
1270 
1271 static int SigTest21 (void)
1272 {
1273  ThreadVars th_v;
1274  memset(&th_v, 0, sizeof(th_v));
1275  DetectEngineThreadCtx *det_ctx = NULL;
1276  int result = 0;
1277 
1278  Flow f;
1279  memset(&f, 0, sizeof(f));
1280  FLOW_INITIALIZE(&f);
1281 
1282  /* packet 1 */
1283  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1284  "\r\n\r\n";
1285  uint16_t buf1len = strlen((char *)buf1);
1286  Packet *p1 = NULL;
1287  /* packet 2 */
1288  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1289  "\r\n\r\n";
1290  uint16_t buf2len = strlen((char *)buf2);
1291  Packet *p2 = NULL;
1292 
1293  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1294  p1->flow = &f;
1296  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1297  p2->flow = &f;
1299 
1301  if (de_ctx == NULL) {
1302  goto end;
1303  }
1304 
1305  de_ctx->flags |= DE_QUIET;
1306 
1307  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1308  if (de_ctx->sig_list == NULL) {
1309  result = 0;
1310  goto end;
1311  }
1312  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1313  if (de_ctx->sig_list == NULL) {
1314  result = 0;
1315  goto end;
1316  }
1317 
1319  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1320 
1321  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1322  if (PacketAlertCheck(p1, 1)) {
1323  printf("sid 1 alerted, but shouldn't: ");
1324  goto end;
1325  }
1326  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1327  if (!(PacketAlertCheck(p2, 2))) {
1328  printf("sid 2 didn't alert, but should have: ");
1329  goto end;
1330  }
1331 
1332  result = 1;
1333 end:
1334  if (de_ctx != NULL) {
1337 
1338  if (det_ctx != NULL) {
1339  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1340  }
1341  }
1343  UTHFreePackets(&p1, 1);
1344  UTHFreePackets(&p2, 1);
1345  FLOW_DESTROY(&f);
1346  return result;
1347 }
1348 
1349 static int SigTest22 (void)
1350 {
1351  ThreadVars th_v;
1352  memset(&th_v, 0, sizeof(th_v));
1353  DetectEngineThreadCtx *det_ctx = NULL;
1354  int result = 0;
1355 
1356  Flow f;
1357  memset(&f, 0, sizeof(f));
1358  FLOW_INITIALIZE(&f);
1359 
1360  /* packet 1 */
1361  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1362  "\r\n\r\n";
1363  uint16_t buf1len = strlen((char *)buf1);
1364  Packet *p1 = NULL;
1365 
1366  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1367  p1->flow = &f;
1369 
1370  /* packet 2 */
1371  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1372  "\r\n\r\n";
1373  uint16_t buf2len = strlen((char *)buf2);
1374  Packet *p2 = NULL;
1375 
1376  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1377  p2->flow = &f;
1379 
1381  if (de_ctx == NULL) {
1382  goto end;
1383  }
1384 
1385  de_ctx->flags |= DE_QUIET;
1386 
1387  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1388  if (de_ctx->sig_list == NULL) {
1389  result = 0;
1390  goto end;
1391  }
1392  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1393  if (de_ctx->sig_list == NULL) {
1394  result = 0;
1395  goto end;
1396  }
1397 
1399  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1400 
1401  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1402  if (PacketAlertCheck(p1, 1)) {
1403  printf("sid 1 alerted, but shouldn't: ");
1404  goto end;
1405  }
1406  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1407  if (!(PacketAlertCheck(p2, 2)))
1408  result = 1;
1409  else
1410  printf("sid 2 alerted, but shouldn't: ");
1411 
1414 
1415  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1417 end:
1418  UTHFreePackets(&p1, 1);
1419  UTHFreePackets(&p2, 1);
1420  FLOW_DESTROY(&f);
1421  return result;
1422 }
1423 
1424 static int SigTest23 (void)
1425 {
1426  ThreadVars th_v;
1427  memset(&th_v, 0, sizeof(th_v));
1428  DetectEngineThreadCtx *det_ctx = NULL;
1429  int result = 0;
1430 
1431  Flow f;
1432  memset(&f, 0, sizeof(f));
1433  FLOW_INITIALIZE(&f);
1434 
1435  /* packet 1 */
1436  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1437  "\r\n\r\n";
1438  uint16_t buf1len = strlen((char *)buf1);
1439  Packet *p1 = NULL;
1440 
1441  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1442  p1->flow = &f;
1444 
1445  /* packet 2 */
1446  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1447  "\r\n\r\n";
1448  uint16_t buf2len = strlen((char *)buf2);
1449  Packet *p2 = NULL;
1450 
1451  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1452  p2->flow = &f;
1454 
1456  if (de_ctx == NULL) {
1457  goto end;
1458  }
1459 
1460  de_ctx->flags |= DE_QUIET;
1461 
1462  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1463  if (de_ctx->sig_list == NULL) {
1464  result = 0;
1465  goto end;
1466  }
1467  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1468  if (de_ctx->sig_list == NULL) {
1469  result = 0;
1470  goto end;
1471  }
1472 
1474  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1475 
1476  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1477  if (PacketAlertCheck(p1, 1)) {
1478  printf("sid 1 alerted, but shouldn't: ");
1479  goto end;
1480  }
1481  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1482  if (PacketAlertCheck(p2, 2))
1483  result = 1;
1484  else
1485  printf("sid 2 didn't alert, but should have: ");
1486 
1489 
1490  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1492 end:
1493  UTHFreePackets(&p1, 1);
1494  UTHFreePackets(&p2, 1);
1495  FLOW_DESTROY(&f);
1496  return result;
1497 }
1498 
1499 static int SigTest24IPV4Keyword(void)
1500 {
1501  uint8_t valid_raw_ipv4[] = {
1502  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1503  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1504  0xc0, 0xa8, 0x01, 0x03};
1505 
1506  uint8_t invalid_raw_ipv4[] = {
1507  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1508  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1509  0xc0, 0xa8, 0x01, 0x06};
1510 
1512  if (unlikely(p1 == NULL))
1513  return 0;
1515  if (unlikely(p2 == NULL)) {
1516  SCFree(p1);
1517  return 0;
1518  }
1519  ThreadVars th_v;
1520  DetectEngineThreadCtx *det_ctx = NULL;
1521  int result = 0;
1522 
1523  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1524  "\r\n\r\n";
1525  uint16_t buflen = strlen((char *)buf);
1526 
1527  memset(&th_v, 0, sizeof(ThreadVars));
1528  memset(p1, 0, SIZE_OF_PACKET);
1529  memset(p2, 0, SIZE_OF_PACKET);
1532 
1533  p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1534 
1535  p1->src.family = AF_INET;
1536  p1->dst.family = AF_INET;
1537  p1->payload = buf;
1538  p1->payload_len = buflen;
1539  p1->proto = IPPROTO_TCP;
1540 
1541  p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1542 
1543  p2->src.family = AF_INET;
1544  p2->dst.family = AF_INET;
1545  p2->payload = buf;
1546  p2->payload_len = buflen;
1547  p2->proto = IPPROTO_TCP;
1548 
1550  if (de_ctx == NULL) {
1551  goto end;
1552  }
1553 
1554  de_ctx->flags |= DE_QUIET;
1555 
1557  "alert ip any any -> any any "
1558  "(content:\"/one/\"; ipv4-csum:valid; "
1559  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1560  if (de_ctx->sig_list == NULL) {
1561  printf("sig 1 parse: ");
1562  goto end;
1563  }
1564 
1566  "alert ip any any -> any any "
1567  "(content:\"/one/\"; ipv4-csum:invalid; "
1568  "msg:\"ipv4-csum keyword check(1)\"; "
1569  "sid:2;)");
1570  if (de_ctx->sig_list->next == NULL) {
1571  printf("sig 2 parse: ");
1572  goto end;
1573  }
1574 
1576  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1577 
1578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1579  if (!(PacketAlertCheck(p1, 1))) {
1580  printf("signature 1 didn't match, but should have: ");
1581  goto end;
1582  }
1583 
1584  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1585  if (!((PacketAlertCheck(p2, 2)))) {
1586  printf("signature 2 didn't match, but should have: ");
1587  goto end;
1588  }
1589 
1590  result = 1;
1591 end:
1592  if (det_ctx != NULL) {
1595  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1597  }
1598  SCFree(p1);
1599  SCFree(p2);
1600  return result;
1601 }
1602 
1603 static int SigTest25NegativeIPV4Keyword(void)
1604 {
1605  uint8_t valid_raw_ipv4[] = {
1606  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1607  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1608  0xc0, 0xa8, 0x01, 0x03};
1609 
1610  uint8_t invalid_raw_ipv4[] = {
1611  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1612  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1613  0xc0, 0xa8, 0x01, 0x06};
1614 
1616  if (unlikely(p1 == NULL))
1617  return 0;
1619  if (unlikely(p2 == NULL)) {
1620  SCFree(p1);
1621  return 0;
1622  }
1623  ThreadVars th_v;
1624  DetectEngineThreadCtx *det_ctx = NULL;
1625  int result = 1;
1626 
1627  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1628  "\r\n\r\n";
1629  uint16_t buflen = strlen((char *)buf);
1630 
1631  memset(&th_v, 0, sizeof(ThreadVars));
1632  memset(p1, 0, SIZE_OF_PACKET);
1633  memset(p2, 0, SIZE_OF_PACKET);
1636 
1637  p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1638 
1639  p1->src.family = AF_INET;
1640  p1->dst.family = AF_INET;
1641  p1->payload = buf;
1642  p1->payload_len = buflen;
1643  p1->proto = IPPROTO_TCP;
1644 
1645  p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1646 
1647  p2->src.family = AF_INET;
1648  p2->dst.family = AF_INET;
1649  p2->payload = buf;
1650  p2->payload_len = buflen;
1651  p2->proto = IPPROTO_TCP;
1652 
1654  if (de_ctx == NULL) {
1655  goto end;
1656  }
1657 
1658  de_ctx->flags |= DE_QUIET;
1659 
1661  "alert ip any any -> any any "
1662  "(content:\"/one/\"; ipv4-csum:invalid; "
1663  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1664  if (de_ctx->sig_list == NULL) {
1665  result &= 0;
1666  goto end;
1667  }
1668 
1670  "alert ip any any -> any any "
1671  "(content:\"/one/\"; ipv4-csum:valid; "
1672  "msg:\"ipv4-csum keyword check(1)\"; "
1673  "sid:2;)");
1674  if (de_ctx->sig_list->next == NULL) {
1675  result &= 0;
1676  goto end;
1677  }
1678 
1680  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1681 
1682  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1683  if (PacketAlertCheck(p1, 1))
1684  result &= 0;
1685  else
1686  result &= 1;
1687 
1688  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1689  if (PacketAlertCheck(p2, 2))
1690  result &= 0;
1691  else
1692  result &= 1;
1693 
1696  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1698 end:
1699  SCFree(p1);
1700  SCFree(p2);
1701  return result;
1702 }
1703 
1704 static int SigTest26TCPV4Keyword(void)
1705 {
1706  uint8_t raw_ipv4[] = {
1707  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1708  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1709  0xc0, 0xa8, 0x01, 0x03};
1710 
1711  uint8_t valid_raw_tcp[] = {
1712  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1713  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1714  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1715  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1716  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1717 
1718  uint8_t invalid_raw_tcp[] = {
1719  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1720  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1721  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1722  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1723  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1724 
1726  if (unlikely(p1 == NULL))
1727  return 0;
1728 
1730  if (unlikely(p2 == NULL)) {
1731  SCFree(p1);
1732  return 0;
1733  }
1734 
1735  ThreadVars th_v;
1736  DetectEngineThreadCtx *det_ctx = NULL;
1737 
1738  memset(&th_v, 0, sizeof(ThreadVars));
1739  memset(p1, 0, SIZE_OF_PACKET);
1740  memset(p2, 0, SIZE_OF_PACKET);
1741 
1742  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1743  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1744 
1745  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1746  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1747 
1749  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1750  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1751  p1->src.family = AF_INET;
1752  p1->dst.family = AF_INET;
1753  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1754  p1->payload_len = 20;
1755  p1->proto = IPPROTO_TCP;
1756 
1758  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1759  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1760  p2->src.family = AF_INET;
1761  p2->dst.family = AF_INET;
1762  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1763  p2->payload_len = 20;
1764  p2->proto = IPPROTO_TCP;
1765 
1768 
1769  de_ctx->flags |= DE_QUIET;
1770 
1772  "alert ip any any -> any any "
1773  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1774  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1776 
1778  "alert ip any any -> any any "
1779  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1780  "msg:\"tcpv4-csum keyword check(1)\"; "
1781  "sid:2;)");
1783 
1785  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1786 
1787  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1788  FAIL_IF(!(PacketAlertCheck(p1, 1)));
1789 
1790  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1791  FAIL_IF(!(PacketAlertCheck(p2, 2)));
1792 
1795  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1797  SCFree(p1);
1798  SCFree(p2);
1799  PASS;
1800 }
1801 
1802 /* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
1803 static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1804 {
1805  uint8_t raw_ipv4[] = {
1806  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1807  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1808  0xc0, 0xa8, 0x01, 0x03};
1809 
1810  uint8_t valid_raw_tcp[] = {
1811  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1812  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1813  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1814  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1815  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1816 
1817  uint8_t invalid_raw_tcp[] = {
1818  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1819  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1820  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1821  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1822  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1823 
1825  if (unlikely(p1 == NULL))
1826  return 0;
1827 
1829  if (unlikely(p2 == NULL)) {
1830  SCFree(p1);
1831  return 0;
1832  }
1833 
1834  ThreadVars th_v;
1835  DetectEngineThreadCtx *det_ctx = NULL;
1836  int result = 0;
1837 
1838  memset(&th_v, 0, sizeof(ThreadVars));
1839  memset(p1, 0, SIZE_OF_PACKET);
1840  memset(p2, 0, SIZE_OF_PACKET);
1841 
1842  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1843  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1844 
1845  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1846  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1847 
1849  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1850  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1851  p1->src.family = AF_INET;
1852  p1->dst.family = AF_INET;
1853  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1854  p1->payload_len = 20;
1855  p1->proto = IPPROTO_TCP;
1856 
1858  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1859  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1860  p2->src.family = AF_INET;
1861  p2->dst.family = AF_INET;
1862  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1863  p2->payload_len = 20;
1864  p2->proto = IPPROTO_TCP;
1865 
1867  if (de_ctx == NULL) {
1868  goto end;
1869  }
1870 
1871  de_ctx->flags |= DE_QUIET;
1872 
1874  "alert ip any any -> any any "
1875  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1876  "ipv4-csum:invalid; "
1877  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1878  if (de_ctx->sig_list == NULL) {
1879  goto end;
1880  }
1881 
1883  "alert ip any any -> any any "
1884  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1885  "ipv4-csum:invalid; "
1886  "msg:\"tcpv4-csum keyword check(1)\"; "
1887  "sid:2;)");
1888  if (de_ctx->sig_list->next == NULL) {
1889  goto end;
1890  }
1891 
1893  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1894 
1895  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1896  if (!(PacketAlertCheck(p1, 1))) {
1897  printf("sig 1 didn't match: ");
1898  goto end;
1899  }
1900 
1901  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1902  if (!(PacketAlertCheck(p2, 2))) {
1903  printf("sig 2 didn't match: ");
1904  goto end;
1905  }
1906 
1907  result = 1;
1908 end:
1911  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1913  SCFree(p1);
1914  SCFree(p2);
1915  return result;
1916 }
1917 
1918 /* Similar to SigTest26, but with different packet */
1919 static int SigTest26TCPV4AndIPV4Keyword(void)
1920 {
1921  /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1922  * TTL: 64 Flags: Don't Fragment
1923  */
1924  uint8_t raw_ipv4[] = {
1925  0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1926  0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1927  0xc0, 0xa8, 0xb0, 0x74};
1928 
1929  /* TCP: sport: 49517 dport: 445 Flags: SYN
1930  * Window size: 65535, checksum: 0x2009,
1931  * MTU: 1460, Window scale: 4, TSACK permitted,
1932  * 24 bytes of options, no payload.
1933  */
1934  uint8_t valid_raw_tcp[] = {
1935  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1936  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1937  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1938  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1939  0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1940  0x04, 0x02, 0x00, 0x00};
1941 
1942  uint8_t invalid_raw_tcp[] = {
1943  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1944  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1945  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1946  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1947  0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1948  0x04, 0x02, 0x00, 0x00};
1949 
1951  if (unlikely(p1 == NULL))
1952  return 0;
1953 
1955  if (unlikely(p2 == NULL)) {
1956  SCFree(p1);
1957  return 0;
1958  }
1959 
1960  ThreadVars th_v;
1961  DetectEngineThreadCtx *det_ctx = NULL;
1962  int result = 0;
1963 
1964  memset(&th_v, 0, sizeof(ThreadVars));
1965  memset(p1, 0, SIZE_OF_PACKET);
1966  memset(p2, 0, SIZE_OF_PACKET);
1967 
1968  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1969  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1970 
1971  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1972  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1973 
1975  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1976  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1977  p1->src.family = AF_INET;
1978  p1->dst.family = AF_INET;
1979  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1980  p1->payload_len = 0;
1981  p1->proto = IPPROTO_TCP;
1982 
1984  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1985  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1986  p2->src.family = AF_INET;
1987  p2->dst.family = AF_INET;
1988  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1989  p2->payload_len = 0;
1990  p2->proto = IPPROTO_TCP;
1991 
1993  if (de_ctx == NULL) {
1994  goto end;
1995  }
1996 
1997  de_ctx->flags |= DE_QUIET;
1998 
2000  "alert ip any any -> any any "
2001  "(tcpv4-csum:valid; "
2002  "ipv4-csum:valid; "
2003  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
2004  if (de_ctx->sig_list == NULL) {
2005  goto end;
2006  }
2007 
2009  "alert ip any any -> any any "
2010  "(tcpv4-csum:invalid; "
2011  "ipv4-csum:valid; "
2012  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
2013  "sid:2;)");
2014  if (de_ctx->sig_list->next == NULL) {
2015  goto end;
2016  }
2017 
2019  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2020 
2021  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2022  if (!(PacketAlertCheck(p1, 1))) {
2023  printf("sig 1 didn't match: ");
2024  goto end;
2025  }
2026 
2027  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2028  if (!(PacketAlertCheck(p2, 2))) {
2029  printf("sig 2 didn't match: ");
2030  goto end;
2031  }
2032 
2033  result = 1;
2034 end:
2037  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2039  SCFree(p1);
2040  SCFree(p2);
2041  return result;
2042 }
2043 
2044 static int SigTest27NegativeTCPV4Keyword(void)
2045 {
2046  uint8_t raw_ipv4[] = {
2047  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2048  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2049  0xc0, 0xa8, 0x01, 0x03};
2050 
2051  uint8_t valid_raw_tcp[] = {
2052  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2053  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2054  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2055  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2056  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
2057 
2058  uint8_t invalid_raw_tcp[] = {
2059  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2060  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2061  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2062  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2063  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2064 
2065 
2067  if (unlikely(p1 == NULL))
2068  return 0;
2070  if (unlikely(p2 == NULL)) {
2071  SCFree(p1);
2072  return 0;
2073  }
2074  ThreadVars th_v;
2075  DetectEngineThreadCtx *det_ctx = NULL;
2076  int result = 0;
2077 
2078  memset(&th_v, 0, sizeof(ThreadVars));
2079  memset(p1, 0, SIZE_OF_PACKET);
2080  memset(p2, 0, SIZE_OF_PACKET);
2081 
2082  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
2083  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
2084 
2085  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
2086  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
2087 
2089  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
2090  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
2091  p1->src.family = AF_INET;
2092  p1->dst.family = AF_INET;
2093  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
2094  p1->payload_len = 20;
2095  p1->proto = IPPROTO_TCP;
2096 
2098  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
2099  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
2100  p2->src.family = AF_INET;
2101  p2->dst.family = AF_INET;
2102  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
2103  p2->payload_len = 20;
2104  p2->proto = IPPROTO_TCP;
2105 
2107  if (de_ctx == NULL) {
2108  goto end;
2109  }
2110 
2111  de_ctx->flags |= DE_QUIET;
2112 
2114  "alert tcp any any -> any any "
2115  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2116  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2117  if (de_ctx->sig_list == NULL) {
2118  goto end;
2119  }
2120 
2122  "alert tcp any any -> any any "
2123  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2124  "msg:\"tcpv4-csum keyword check(2)\"; "
2125  "sid:2;)");
2126  if (de_ctx->sig_list->next == NULL) {
2127  goto end;
2128  }
2129 
2131  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2132 
2133  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2134  if (!PacketAlertCheck(p1, 1)) {
2135  printf("sig 1 didn't match on p1: ");
2136  goto end;
2137  }
2138 
2139  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2140  if (PacketAlertCheck(p2, 2)) {
2141  printf("sig 2 matched on p2: ");
2142  goto end;
2143  }
2144 
2145  result = 1;
2146 end:
2149  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2151  SCFree(p1);
2152  SCFree(p2);
2153  return result;
2154 }
2155 
2156 static int SigTest28TCPV6Keyword(void)
2157 {
2158  static uint8_t valid_raw_ipv6[] = {
2159  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2160  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2161 
2162  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2163  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2164  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2165  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2166  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2167 
2168  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2169  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2170  0xf2, 0xf1, 0x00, 0x00,
2171 
2172  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2173  0x00, 0x01, 0x69, 0x27};
2174 
2175  static uint8_t invalid_raw_ipv6[] = {
2176  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2177  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2178 
2179  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2180  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2181  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2182  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2183  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2184 
2185  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2186  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2187  0xc2, 0xf1, 0x00, 0x00,
2188 
2189  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2190  0x00, 0x01, 0x69, 0x28};
2191 
2193  if (unlikely(p1 == NULL))
2194  return 0;
2196  if (unlikely(p2 == NULL)) {
2197  SCFree(p1);
2198  return 0;
2199  }
2200  ThreadVars th_v;
2201  DetectEngineThreadCtx *det_ctx = NULL;
2202  int result = 0;
2203 
2204  memset(&th_v, 0, sizeof(ThreadVars));
2205  memset(p1, 0, SIZE_OF_PACKET);
2206  memset(p2, 0, SIZE_OF_PACKET);
2207 
2209  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2210  p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2211  p1->src.family = AF_INET;
2212  p1->dst.family = AF_INET;
2213  p1->payload = valid_raw_ipv6 + 54 + 20;
2214  p1->payload_len = 12;
2215  p1->proto = IPPROTO_TCP;
2216 
2217  if (TCP_GET_HLEN(p1) != 20) {
2218  BUG_ON(1);
2219  }
2220 
2222  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2223  p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2224  p2->src.family = AF_INET;
2225  p2->dst.family = AF_INET;
2226  p2->payload = invalid_raw_ipv6 + 54 + 20;;
2227  p2->payload_len = 12;
2228  p2->proto = IPPROTO_TCP;
2229 
2230  if (TCP_GET_HLEN(p2) != 20) {
2231  BUG_ON(1);
2232  }
2233 
2235  if (de_ctx == NULL) {
2236  goto end;
2237  }
2238 
2239  de_ctx->flags |= DE_QUIET;
2240 
2242  "alert tcp any any -> any any "
2243  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2244  "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2245  if (de_ctx->sig_list == NULL) {
2246  goto end;
2247  }
2248 
2250  "alert tcp any any -> any any "
2251  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2252  "msg:\"tcpv6-csum keyword check(1)\"; "
2253  "sid:2;)");
2254  if (de_ctx->sig_list->next == NULL) {
2255  goto end;
2256  }
2257 
2259  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2260 
2261  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2262  if (!(PacketAlertCheck(p1, 1))) {
2263  printf("sid 1 didn't match on p1: ");
2264  goto end;
2265  }
2266 
2267  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2268  if (!(PacketAlertCheck(p2, 2))) {
2269  printf("sid 2 didn't match on p2: ");
2270  goto end;
2271  }
2272 
2273  result = 1;
2274 end:
2277  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2279  SCFree(p1);
2280  SCFree(p2);
2281  return result;
2282 }
2283 
2284 static int SigTest29NegativeTCPV6Keyword(void)
2285 {
2286  static uint8_t valid_raw_ipv6[] = {
2287  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2288  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2289 
2290  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2291  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2292  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2293  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2294  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2295 
2296  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2297  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2298  0xf2, 0xf1, 0x00, 0x00,
2299 
2300  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2301  0x00, 0x01, 0x69, 0x27};
2302 
2303  static uint8_t invalid_raw_ipv6[] = {
2304  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2305  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2306 
2307  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2308  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2309  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2310  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2311  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2312 
2313  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2314  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2315  0xc2, 0xf1, 0x00, 0x00,
2316 
2317  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2318  0x00, 0x01, 0x69, 0x28};
2319 
2321  if (unlikely(p1 == NULL))
2322  return 0;
2324  if (unlikely(p2 == NULL)) {
2325  SCFree(p1);
2326  return 0;
2327  }
2328  ThreadVars th_v;
2329  DetectEngineThreadCtx *det_ctx = NULL;
2330  int result = 0;
2331 
2332  memset(&th_v, 0, sizeof(ThreadVars));
2333  memset(p1, 0, SIZE_OF_PACKET);
2334  memset(p2, 0, SIZE_OF_PACKET);
2335 
2337  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2338  p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2339  p1->src.family = AF_INET;
2340  p1->dst.family = AF_INET;
2341  p1->payload = valid_raw_ipv6 + 54 + 20;
2342  p1->payload_len = 12;
2343  p1->proto = IPPROTO_TCP;
2344 
2345  if (TCP_GET_HLEN(p1) != 20) {
2346  BUG_ON(1);
2347  }
2348 
2350  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2351  p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2352  p2->src.family = AF_INET;
2353  p2->dst.family = AF_INET;
2354  p2->payload = invalid_raw_ipv6 + 54 + 20;;
2355  p2->payload_len = 12;
2356  p2->proto = IPPROTO_TCP;
2357 
2358  if (TCP_GET_HLEN(p2) != 20) {
2359  BUG_ON(1);
2360  }
2361 
2363  if (de_ctx == NULL) {
2364  goto end;
2365  }
2366 
2367  de_ctx->flags |= DE_QUIET;
2368 
2370  "alert tcp any any -> any any "
2371  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2372  "msg:\"tcpv6-csum keyword check(1)\"; "
2373  "sid:1;)");
2374  if (de_ctx->sig_list == NULL) {
2375  goto end;
2376  }
2377 
2379  "alert tcp any any -> any any "
2380  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2381  "msg:\"tcpv6-csum keyword check(1)\"; "
2382  "sid:2;)");
2383  if (de_ctx->sig_list->next == NULL) {
2384  goto end;
2385  }
2386 
2388  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2389 
2390  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2391  if (PacketAlertCheck(p1, 1))
2392  goto end;
2393 
2394  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2395  if (PacketAlertCheck(p2, 2))
2396  goto end;
2397 
2398  result = 1;
2399 end:
2402  if (det_ctx != NULL)
2403  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2405  SCFree(p1);
2406  SCFree(p2);
2407  return result;
2408 }
2409 
2410 static int SigTest30UDPV4Keyword(void)
2411 {
2412  uint8_t raw_ipv4[] = {
2413  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2414  0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2415  0xc0, 0xa8, 0x01, 0x03};
2416 
2417  uint8_t valid_raw_udp[] = {
2418  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2419  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2420  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2421  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2422  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2423  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2424  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2425  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2426  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2427  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2428  0x67, 0x6c, 0x65, 0xc0, 0x26};
2429 
2430  uint8_t invalid_raw_udp[] = {
2431  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2432  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2433  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2434  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2435  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2436  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2437  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2438  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2439  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2440  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2441  0x67, 0x6c, 0x65, 0xc0, 0x27};
2442 
2444  FAIL_IF_NULL(p1);
2446  FAIL_IF_NULL(p2);
2447 
2448  ThreadVars th_v;
2449  DetectEngineThreadCtx *det_ctx = NULL;
2450 
2451  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2452  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2453 
2454  memset(&th_v, 0, sizeof(ThreadVars));
2455  memset(p1, 0, SIZE_OF_PACKET);
2456  memset(p2, 0, SIZE_OF_PACKET);
2457 
2459  p1->ip4h = (IPV4Hdr *)raw_ipv4;
2460  p1->udph = (UDPHdr *)valid_raw_udp;
2461  p1->src.family = AF_INET;
2462  p1->dst.family = AF_INET;
2463  p1->payload = buf;
2464  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2465  p1->proto = IPPROTO_UDP;
2466 
2468  p2->ip4h = (IPV4Hdr *)raw_ipv4;
2469  p2->udph = (UDPHdr *)invalid_raw_udp;
2470  p2->src.family = AF_INET;
2471  p2->dst.family = AF_INET;
2472  p2->payload = buf;
2473  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2474  p2->proto = IPPROTO_UDP;
2475 
2478 
2479  de_ctx->flags |= DE_QUIET;
2480 
2482  "alert udp any any -> any any "
2483  "(content:\"/one/\"; udpv4-csum:valid; "
2484  "msg:\"udpv4-csum keyword check(1)\"; "
2485  "sid:1;)");
2487 
2489  "alert udp any any -> any any "
2490  "(content:\"/one/\"; udpv4-csum:invalid; "
2491  "msg:\"udpv4-csum keyword check(1)\"; "
2492  "sid:2;)");
2494 
2496  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2497 
2498  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2499  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2500 
2501  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2502  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2503 
2506  if (det_ctx != NULL)
2507  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2509  SCFree(p1);
2510  SCFree(p2);
2511  PASS;
2512 }
2513 
2514 static int SigTest31NegativeUDPV4Keyword(void)
2515 {
2516  uint8_t raw_ipv4[] = {
2517  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2518  0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2519  0xc0, 0xa8, 0x01, 0x03};
2520 
2521  uint8_t valid_raw_udp[] = {
2522  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2523  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2524  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2525  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2526  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2527  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2528  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2529  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2530  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2531  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2532  0x67, 0x6c, 0x65, 0xc0, 0x26};
2533 
2534  uint8_t invalid_raw_udp[] = {
2535  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2536  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2537  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2538  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2539  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2540  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2541  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2542  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2543  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2544  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2545  0x67, 0x6c, 0x65, 0xc0, 0x27};
2546 
2548  if (unlikely(p1 == NULL))
2549  return 0;
2551  if (unlikely(p2 == NULL)) {
2552  SCFree(p1);
2553  return 0;
2554  }
2555  ThreadVars th_v;
2556  DetectEngineThreadCtx *det_ctx = NULL;
2557  int result = 1;
2558 
2559  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2560  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2561 
2562  memset(&th_v, 0, sizeof(ThreadVars));
2563  memset(p1, 0, SIZE_OF_PACKET);
2564  memset(p2, 0, SIZE_OF_PACKET);
2565 
2567  p1->ip4h = (IPV4Hdr *)raw_ipv4;
2568  p1->udph = (UDPHdr *)valid_raw_udp;
2569  p1->src.family = AF_INET;
2570  p1->dst.family = AF_INET;
2571  p1->payload = buf;
2572  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2573  p1->proto = IPPROTO_UDP;
2574 
2576  p2->ip4h = (IPV4Hdr *)raw_ipv4;
2577  p2->udph = (UDPHdr *)invalid_raw_udp;
2578  p2->src.family = AF_INET;
2579  p2->dst.family = AF_INET;
2580  p2->payload = buf;
2581  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2582  p2->proto = IPPROTO_UDP;
2583 
2585  if (de_ctx == NULL) {
2586  goto end;
2587  }
2588 
2589  de_ctx->flags |= DE_QUIET;
2590 
2592  "alert udp any any -> any any "
2593  "(content:\"/one/\"; udpv4-csum:invalid; "
2594  "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2595  if (de_ctx->sig_list == NULL) {
2596  result &= 0;
2597  goto end;
2598  }
2599 
2601  "alert udp any any -> any any "
2602  "(content:\"/one/\"; udpv4-csum:valid; "
2603  "msg:\"udpv4-csum keyword check(1)\"; "
2604  "sid:2;)");
2605  if (de_ctx->sig_list->next == NULL) {
2606  result &= 0;
2607  goto end;
2608  }
2609 
2611  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2612 
2613  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2614  if (PacketAlertCheck(p1, 1))
2615  result &= 0;
2616  else
2617  result &= 1;
2618 
2619  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2620  if (PacketAlertCheck(p2, 2)) {
2621  result &= 0;
2622  }
2623  else
2624  result &= 1;
2625 
2628  if (det_ctx != NULL)
2629  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2631 end:
2632  SCFree(p1);
2633  SCFree(p2);
2634  return result;
2635 }
2636 
2637 
2638 static int SigTest32UDPV6Keyword(void)
2639 {
2640  static uint8_t valid_raw_ipv6[] = {
2641  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2642  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2643  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2644  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2645  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2646  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2647  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2648  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2649  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2650  0x09, 0x00};
2651 
2652  static uint8_t invalid_raw_ipv6[] = {
2653  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2654  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2655  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2656  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2657  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2658  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2659  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2660  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2661  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2662  0x09, 0x01};
2663 
2665  FAIL_IF_NULL(p1);
2667  FAIL_IF_NULL(p2);
2668 
2669  ThreadVars th_v;
2670  DetectEngineThreadCtx *det_ctx = NULL;
2671 
2672  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2673  "\r\n\r\n";
2674 
2675  memset(&th_v, 0, sizeof(ThreadVars));
2676  memset(p1, 0, SIZE_OF_PACKET);
2677  memset(p2, 0, SIZE_OF_PACKET);
2678 
2680  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2681  p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2682  p1->src.family = AF_INET;
2683  p1->dst.family = AF_INET;
2684  p1->payload = buf;
2686  p1->proto = IPPROTO_UDP;
2687 
2689  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2690  p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2691  p2->src.family = AF_INET;
2692  p2->dst.family = AF_INET;
2693  p2->payload = buf;
2695  p2->proto = IPPROTO_UDP;
2696 
2699 
2700  de_ctx->flags |= DE_QUIET;
2701 
2703  "alert udp any any -> any any "
2704  "(content:\"/one/\"; udpv6-csum:valid; "
2705  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2707 
2709  "alert udp any any -> any any "
2710  "(content:\"/one/\"; udpv6-csum:invalid; "
2711  "msg:\"udpv6-csum keyword check(1)\"; "
2712  "sid:2;)");
2714 
2716  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2717 
2718  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2719  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2720 
2721  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2722  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2723 
2726  if (det_ctx != NULL)
2727  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2729 
2730  SCFree(p1);
2731  SCFree(p2);
2732  PASS;
2733 }
2734 
2735 static int SigTest33NegativeUDPV6Keyword(void)
2736 {
2737  static uint8_t valid_raw_ipv6[] = {
2738  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2739  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2740  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2741  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2742  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2743  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2744  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2745  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2746  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2747  0x09, 0x00};
2748 
2749  static uint8_t invalid_raw_ipv6[] = {
2750  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2751  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2752  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2753  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2754  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2755  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2756  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2757  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2758  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2759  0x09, 0x01};
2760 
2762  if (unlikely(p1 == NULL))
2763  return 0;
2765  if (unlikely(p2 == NULL)) {
2766  SCFree(p1);
2767  return 0;
2768  }
2769  ThreadVars th_v;
2770  DetectEngineThreadCtx *det_ctx = NULL;
2771  int result = 1;
2772 
2773  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2774  "\r\n\r\n";
2775 
2776  memset(&th_v, 0, sizeof(ThreadVars));
2777  memset(p1, 0, SIZE_OF_PACKET);
2778  memset(p2, 0, SIZE_OF_PACKET);
2779 
2781  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2782  p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2783  p1->src.family = AF_INET;
2784  p1->dst.family = AF_INET;
2785  p1->payload = buf;
2787  p1->proto = IPPROTO_UDP;
2788 
2790  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2791  p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2792  p2->src.family = AF_INET;
2793  p2->dst.family = AF_INET;
2794  p2->payload = buf;
2796  p2->proto = IPPROTO_UDP;
2797 
2799  if (de_ctx == NULL) {
2800  goto end;
2801  }
2802 
2803  de_ctx->flags |= DE_QUIET;
2804 
2806  "alert udp any any -> any any "
2807  "(content:\"/one/\"; udpv6-csum:invalid; "
2808  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2809  if (de_ctx->sig_list == NULL) {
2810  result &= 0;
2811  goto end;
2812  }
2813 
2815  "alert udp any any -> any any "
2816  "(content:\"/one/\"; udpv6-csum:valid; "
2817  "msg:\"udpv6-csum keyword check(1)\"; "
2818  "sid:2;)");
2819  if (de_ctx->sig_list->next == NULL) {
2820  result &= 0;
2821  goto end;
2822  }
2823 
2825  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2826 
2827  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2828  if (PacketAlertCheck(p1, 1))
2829  result &= 0;
2830  else
2831  result &= 1;
2832 
2833  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2834  if (PacketAlertCheck(p2, 2))
2835  result &= 0;
2836  else
2837  result &= 1;
2838 
2841  if (det_ctx != NULL)
2842  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2844 end:
2845  SCFree(p1);
2846  SCFree(p2);
2847  return result;
2848 }
2849 
2850 static int SigTest34ICMPV4Keyword(void)
2851 {
2852  uint8_t valid_raw_ipv4[] = {
2853  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2854  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2855  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2856  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2857  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2858  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2859  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2860  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2861  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2862  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2863  0x34, 0x35, 0x36, 0x37};
2864 
2865  uint8_t invalid_raw_ipv4[] = {
2866  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2867  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2868  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2869  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2870  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2871  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2872  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2873  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2874  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2875  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2876  0x34, 0x35, 0x36, 0x38};
2877 
2879  if (unlikely(p1 == NULL))
2880  return 0;
2882  if (unlikely(p2 == NULL)) {
2883  SCFree(p1);
2884  return 0;
2885  }
2886  ThreadVars th_v;
2887  DetectEngineThreadCtx *det_ctx = NULL;
2888  int result = 1;
2889 
2890  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2891  "\r\n\r\n";
2892  uint16_t buflen = strlen((char *)buf);
2893 
2894  memset(&th_v, 0, sizeof(ThreadVars));
2895  memset(p1, 0, SIZE_OF_PACKET);
2896  memset(p2, 0, SIZE_OF_PACKET);
2897 
2899  p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
2900  p1->ip4h->ip_verhl = 69;
2901  p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
2902  p1->src.family = AF_INET;
2903  p1->dst.family = AF_INET;
2904  p1->payload = buf;
2905  p1->payload_len = buflen;
2906  p1->proto = IPPROTO_ICMP;
2907 
2909  p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
2910  p2->ip4h->ip_verhl = 69;
2911  p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
2912  p2->src.family = AF_INET;
2913  p2->dst.family = AF_INET;
2914  p2->payload = buf;
2915  p2->payload_len = buflen;
2916  p2->proto = IPPROTO_ICMP;
2917 
2919  if (de_ctx == NULL) {
2920  goto end;
2921  }
2922 
2923  de_ctx->flags |= DE_QUIET;
2924 
2926  "alert icmp any any -> any any "
2927  "(content:\"/one/\"; icmpv4-csum:valid; "
2928  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2929  if (de_ctx->sig_list == NULL) {
2930  result &= 0;
2931  goto end;
2932  }
2933 
2935  "alert icmp any any -> any any "
2936  "(content:\"/one/\"; icmpv4-csum:invalid; "
2937  "msg:\"icmpv4-csum keyword check(1)\"; "
2938  "sid:2;)");
2939  if (de_ctx->sig_list->next == NULL) {
2940  result = 0;
2941  goto end;
2942  }
2943 
2945  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2946 
2947  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2948  if (PacketAlertCheck(p1, 1))
2949  result &= 1;
2950  else
2951  result &= 0;
2952 
2953  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2954  if (PacketAlertCheck(p2, 2))
2955  result &= 1;
2956  else
2957  result &= 0;
2958 
2961  if (det_ctx != NULL)
2962  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2964 end:
2965  SCFree(p1);
2966  SCFree(p2);
2967  return result;
2968 }
2969 
2970 static int SigTest35NegativeICMPV4Keyword(void)
2971 {
2972  uint8_t valid_raw_ipv4[] = {
2973  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2974  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2975  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2976  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2977  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2978  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2979  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2980  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2981  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2982  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2983  0x34, 0x35, 0x36, 0x37};
2984 
2985  uint8_t invalid_raw_ipv4[] = {
2986  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2987  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2988  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2989  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2990  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2991  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2992  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2993  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2994  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2995  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2996  0x34, 0x35, 0x36, 0x38};
2997 
2999  if (unlikely(p1 == NULL))
3000  return 0;
3002  if (unlikely(p2 == NULL)) {
3003  SCFree(p1);
3004  return 0;
3005  }
3006  ThreadVars th_v;
3007  DetectEngineThreadCtx *det_ctx = NULL;
3008  int result = 1;
3009 
3010  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
3011  "\r\n\r\n";
3012  uint16_t buflen = strlen((char *)buf);
3013 
3014  memset(&th_v, 0, sizeof(ThreadVars));
3015  memset(p1, 0, SIZE_OF_PACKET);
3016  memset(p2, 0, SIZE_OF_PACKET);
3017 
3019  p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
3020  p1->ip4h->ip_verhl = 69;
3021  p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
3022  p1->src.family = AF_INET;
3023  p1->dst.family = AF_INET;
3024  p1->payload = buf;
3025  p1->payload_len = buflen;
3026  p1->proto = IPPROTO_ICMP;
3027 
3029  p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
3030  p2->ip4h->ip_verhl = 69;
3031  p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
3032  p2->src.family = AF_INET;
3033  p2->dst.family = AF_INET;
3034  p2->payload = buf;
3035  p2->payload_len = buflen;
3036  p2->proto = IPPROTO_ICMP;
3037 
3039  if (de_ctx == NULL) {
3040  goto end;
3041  }
3042 
3043  de_ctx->flags |= DE_QUIET;
3044 
3046  "alert icmp any any -> any any "
3047  "(content:\"/one/\"; icmpv4-csum:invalid; "
3048  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
3049  if (de_ctx->sig_list == NULL) {
3050  result &= 0;
3051  goto end;
3052  }
3053 
3055  "alert icmp any any -> any any "
3056  "(content:\"/one/\"; icmpv4-csum:valid; "
3057  "msg:\"icmpv4-csum keyword check(1)\"; "
3058  "sid:2;)");
3059  if (de_ctx->sig_list->next == NULL) {
3060  result &= 0;
3061  goto end;
3062  }
3063 
3065  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3066 
3067  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3068  if (PacketAlertCheck(p1, 1))
3069  result &= 0;
3070  else
3071  result &= 1;
3072 
3073  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3074  if (PacketAlertCheck(p2, 2))
3075  result &= 0;
3076  else {
3077  result &= 1;
3078  }
3079 
3082  if (det_ctx != NULL)
3083  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3085 end:
3086  SCFree(p1);
3087  SCFree(p2);
3088  return result;
3089 }
3090 
3091 static int SigTest38(void)
3092 {
3094  if (unlikely(p1 == NULL))
3095  return 0;
3096  ThreadVars th_v;
3097  DetectEngineThreadCtx *det_ctx = NULL;
3098  int result = 1;
3099  uint8_t raw_eth[] = {
3100  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3101  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3102  0x08, 0x00
3103  };
3104  uint8_t raw_ipv4[] = {
3105  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3106  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3107  0x7f, 0x00, 0x00, 0x01
3108  };
3109  uint8_t raw_tcp[] = {
3110  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3111  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3112  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3113  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3114  0x00, 0x22, 0xaa, 0x10
3115  };
3116  uint8_t buf[] = {
3117  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3118  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3119  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
3120  0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
3121  0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3122  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3123  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3124  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3125  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3126  0x0a
3127  };
3128  uint16_t ethlen = sizeof(raw_eth);
3129  uint16_t ipv4len = sizeof(raw_ipv4);
3130  uint16_t tcplen = sizeof(raw_tcp);
3131  uint16_t buflen = sizeof(buf);
3132 
3133  memset(&th_v, 0, sizeof(ThreadVars));
3134  memset(p1, 0, SIZE_OF_PACKET);
3135 
3136  /* Copy raw data into packet */
3137  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3138  SCFree(p1);
3139  return 1;
3140  }
3141  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3142  SCFree(p1);
3143  return 1;
3144  }
3145  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3146  SCFree(p1);
3147  return 1;
3148  }
3149  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3150  SCFree(p1);
3151  return 1;
3152  }
3153  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3154 
3156  p1->ethh = (EthernetHdr *)raw_eth;
3157  p1->ip4h = (IPV4Hdr *)raw_ipv4;
3158  p1->tcph = (TCPHdr *)raw_tcp;
3159  p1->src.family = AF_INET;
3160  p1->dst.family = AF_INET;
3161  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3162  p1->payload_len = buflen;
3163  p1->proto = IPPROTO_TCP;
3164 
3166  if (de_ctx == NULL) {
3167  goto end;
3168  }
3169  de_ctx->flags |= DE_QUIET;
3170 
3172  "alert tcp any any -> any any "
3173  "(content:\"LEN1|20|\"; "
3174  "byte_test:4,=,8,0; "
3175  "msg:\"byte_test keyword check(1)\"; sid:1;)");
3176  if (de_ctx->sig_list == NULL) {
3177  result &= 0;
3178  goto end;
3179  }
3181  "alert tcp any any -> any any "
3182  "(content:\"LEN1|20|\"; "
3183  "byte_test:4,=,8,5,relative,string,dec; "
3184  "msg:\"byte_test keyword check(2)\"; sid:2;)");
3185  if (de_ctx->sig_list->next == NULL) {
3186  result &= 0;
3187  goto end;
3188  }
3189 
3191  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3192 
3193  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3194  if (PacketAlertCheck(p1, 1)) {
3195  result = 1;
3196  } else {
3197  result = 0;
3198  printf("sid 1 didn't alert, but should have: ");
3199  goto cleanup;
3200  }
3201  if (PacketAlertCheck(p1, 2)) {
3202  result = 1;
3203  } else {
3204  result = 0;
3205  printf("sid 2 didn't alert, but should have: ");
3206  goto cleanup;
3207  }
3208 
3209 cleanup:
3212 
3213  if (det_ctx != NULL)
3214  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3216 
3217 end:
3218  SCFree(p1);
3219  return result;
3220 }
3221 
3222 static int SigTest39(void)
3223 {
3225  if (unlikely(p1 == NULL))
3226  return 0;
3227  ThreadVars th_v;
3228  DetectEngineThreadCtx *det_ctx = NULL;
3229  int result = 1;
3230  uint8_t raw_eth[] = {
3231  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3232  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3233  0x08, 0x00
3234  };
3235  uint8_t raw_ipv4[] = {
3236  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3237  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3238  0x7f, 0x00, 0x00, 0x01
3239  };
3240  uint8_t raw_tcp[] = {
3241  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3242  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3243  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3244  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3245  0x00, 0x22, 0xaa, 0x10
3246  };
3247  uint8_t buf[] = {
3248  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3249  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3250  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3251  0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3252  0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3253  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3254  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3255  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3256  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3257  0x0a
3258  };
3259  uint16_t ethlen = sizeof(raw_eth);
3260  uint16_t ipv4len = sizeof(raw_ipv4);
3261  uint16_t tcplen = sizeof(raw_tcp);
3262  uint16_t buflen = sizeof(buf);
3263 
3264  memset(&th_v, 0, sizeof(ThreadVars));
3265  memset(p1, 0, SIZE_OF_PACKET);
3266 
3267  /* Copy raw data into packet */
3268  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3269  SCFree(p1);
3270  return 1;
3271  }
3272  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3273  SCFree(p1);
3274  return 1;
3275  }
3276  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3277  SCFree(p1);
3278  return 1;
3279  }
3280  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3281  SCFree(p1);
3282  return 1;
3283  }
3284  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3285 
3287  p1->ethh = (EthernetHdr *)raw_eth;
3288  p1->ip4h = (IPV4Hdr *)raw_ipv4;
3289  p1->tcph = (TCPHdr *)raw_tcp;
3290  p1->src.family = AF_INET;
3291  p1->dst.family = AF_INET;
3292  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3293  p1->payload_len = buflen;
3294  p1->proto = IPPROTO_TCP;
3295 
3297  if (de_ctx == NULL) {
3298  goto end;
3299  }
3300  de_ctx->flags |= DE_QUIET;
3301 
3303  "alert tcp any any -> any any "
3304  "(content:\"LEN1|20|\"; "
3305  "byte_test:4,=,8,0; "
3306  "byte_jump:4,0; "
3307  "byte_test:6,=,0x4c454e312038,0,relative; "
3308  "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3309  if (de_ctx->sig_list == NULL) {
3310  result &= 0;
3311  goto end;
3312  }
3313  // XXX TODO
3315  "alert tcp any any -> any any "
3316  "(content:\"LEN1|20|\"; "
3317  "byte_test:4,=,8,4,relative,string,dec; "
3318  "byte_jump:4,4,relative,string,dec,post_offset 2; "
3319  "byte_test:4,=,0x4c454e32,0,relative; "
3320  "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3321  if (de_ctx->sig_list->next == NULL) {
3322  result &= 0;
3323  goto end;
3324  }
3325 
3327  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3328 
3329  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3330  if (PacketAlertCheck(p1, 1)) {
3331  result = 1;
3332  } else {
3333  result = 0;
3334  printf("sid 1 didn't alert, but should have: ");
3335  goto cleanup;
3336  }
3337  if (PacketAlertCheck(p1, 2)) {
3338  result = 1;
3339  } else {
3340  result = 0;
3341  printf("sid 2 didn't alert, but should have: ");
3342  goto cleanup;
3343  }
3344 
3345 cleanup:
3348  if (det_ctx != NULL)
3349  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3351 
3352 end:
3353  SCFree(p1);
3354  return result;
3355 }
3356 
3357 /**
3358  * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3359  * \brief expecting to match a size
3360  */
3361 
3362 static int SigTest36ContentAndIsdataatKeywords01 (void)
3363 {
3364  int result = 0;
3365 
3366  // Buid and decode the packet
3367 
3368  uint8_t raw_eth [] = {
3369  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3370  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3371  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3372  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3373  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3374  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3375  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3376  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3377  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3378  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3379  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3380  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3381  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3382  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3383  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3384  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3385  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3386  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3387  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3388  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3389  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3390  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3391  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3392  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3393  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3394  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3395  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3396  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3397  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3398  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3399 
3401  if (unlikely(p == NULL))
3402  return 0;
3404 
3405  ThreadVars th_v;
3406  DetectEngineThreadCtx *det_ctx = NULL;
3407 
3408  memset(p, 0, SIZE_OF_PACKET);
3409  memset(&dtv, 0, sizeof(DecodeThreadVars));
3410  memset(&th_v, 0, sizeof(th_v));
3411 
3413  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3414 
3415 
3417  if (de_ctx == NULL) {
3418  goto end;
3419  }
3420 
3421  de_ctx->flags |= DE_QUIET;
3422 
3423  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3424  if (de_ctx->sig_list == NULL) {
3425  result = 0;
3426  goto end;
3427  }
3428 
3430  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3431 
3432  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3433  if (PacketAlertCheck(p, 101) == 0) {
3434  result = 0;
3435  goto end;
3436  } else {
3437  result=1;
3438  }
3439 
3442 
3443  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3445  PACKET_RECYCLE(p);
3446  FlowShutdown();
3447 
3448  SCFree(p);
3449  return result;
3450 
3451 end:
3452  if(de_ctx)
3453  {
3456  }
3457 
3458  if(det_ctx)
3459  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3460 
3461  //PatternMatchDestroy(mpm_ctx);
3462 
3463  if(de_ctx)
3465 
3466  if (p != NULL)
3467  PACKET_RECYCLE(p);
3468 
3469  FlowShutdown();
3470 
3471  SCFree(p);
3472  return result;
3473 }
3474 
3475 
3476 /**
3477  * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3478  * \brief not expecting to match a size
3479  */
3480 
3481 static int SigTest37ContentAndIsdataatKeywords02 (void)
3482 {
3483  int result = 0;
3484 
3485  // Buid and decode the packet
3486 
3487  uint8_t raw_eth [] = {
3488  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3489  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3490  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3491  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3492  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3493  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3494  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3495  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3496  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3497  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3498  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3499  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3500  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3501  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3502  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3503  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3504  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3505  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3506  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3507  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3508  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3509  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3510  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3511  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3512  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3513  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3514  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3515  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3516  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3517  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3518 
3520  if (unlikely(p == NULL))
3521  return 0;
3523 
3524  ThreadVars th_v;
3525  DetectEngineThreadCtx *det_ctx = NULL;
3526 
3527  memset(p, 0, SIZE_OF_PACKET);
3528  memset(&dtv, 0, sizeof(DecodeThreadVars));
3529  memset(&th_v, 0, sizeof(th_v));
3530 
3532  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3533 
3534 
3536  if (de_ctx == NULL) {
3537  goto end;
3538  }
3539 
3540  de_ctx->flags |= DE_QUIET;
3541 
3542  Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3543  if (de_ctx->sig_list == NULL) {
3544  printf("sig parse failed: ");
3545  result = 0;
3546  goto end;
3547  }
3548 
3549  if (s->sm_lists[DETECT_SM_LIST_PMATCH]->type != DETECT_CONTENT) {
3550  printf("type not content: ");
3551  goto end;
3552  }
3554  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3555 
3556  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3557  if (PacketAlertCheck(p, 101) == 0) {
3558  result = 1;
3559  goto end;
3560  } else {
3561  printf("sig matched, but should not have: ");
3562  result=0;
3563  }
3564 
3567 
3568  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3570 
3571  PACKET_RECYCLE(p);
3572  FlowShutdown();
3573 
3574  SCFree(p);
3575  return result;
3576 
3577 end:
3578  if(de_ctx)
3579  {
3582  }
3583 
3584  if(det_ctx)
3585  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3586 
3587  if(de_ctx)
3589 
3590  if (p != NULL)
3591  PACKET_RECYCLE(p);
3592 
3593  FlowShutdown();
3594 
3595  SCFree(p);
3596  return result;
3597 }
3598 
3599 /**
3600  * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3601  * flag is set, we don't need to inspect the packet protocol header or its contents.
3602  */
3603 
3604 static int SigTest40NoPacketInspection01(void)
3605 {
3606 
3607  uint8_t *buf = (uint8_t *)
3608  "220 (vsFTPd 2.0.5)\r\n";
3609  uint16_t buflen = strlen((char *)buf);
3611  TCPHdr tcphdr;
3612  if (unlikely(p == NULL))
3613  return 0;
3614  ThreadVars th_v;
3615  DetectEngineThreadCtx *det_ctx = NULL;
3616  PacketQueue pq;
3617  Flow f;
3618  int result = 0;
3619 
3620  memset(&th_v, 0, sizeof(th_v));
3621  memset(p, 0, SIZE_OF_PACKET);
3622  memset(&pq, 0, sizeof(pq));
3623  memset(&f, 0, sizeof(f));
3624  memset(&tcphdr, 0, sizeof(tcphdr));
3625 
3626  p->src.family = AF_INET;
3627  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3628  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3629  p->dst.family = AF_INET;
3630  p->payload = buf;
3631  p->payload_len = buflen;
3632  p->proto = IPPROTO_TCP;
3633  p->dp = 34260;
3634  p->sp = 21;
3637  p->tcph = &tcphdr;
3638  p->flow = &f;
3639 
3640  FLOW_INITIALIZE(&f);
3641 
3643  if (de_ctx == NULL) {
3644  goto end;
3645  }
3646 
3647  de_ctx->flags |= DE_QUIET;
3648 
3649  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3650  if (de_ctx->sig_list == NULL) {
3651  result = 0;
3652  goto end;
3653  }
3654 
3656  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3657  det_ctx->de_ctx = de_ctx;
3658 
3659  Detect(&th_v, p, det_ctx);
3660  if (PacketAlertCheck(p, 2))
3661  result = 0;
3662  else
3663  result = 1;
3664 
3667  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3668  //PatternMatchDestroy(mpm_ctx);
3670 end:
3671  SCFree(p);
3672  return result;
3673 }
3674 
3675 /**
3676  * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3677  * flasg is set, we don't need to inspect the packet contents.
3678  */
3679 
3680 static int SigTest40NoPayloadInspection02(void)
3681 {
3682 
3683  uint8_t *buf = (uint8_t *)
3684  "220 (vsFTPd 2.0.5)\r\n";
3685  uint16_t buflen = strlen((char *)buf);
3686  ThreadVars th_v;
3687  memset(&th_v, 0, sizeof(th_v));
3688 
3690  FAIL_IF_NULL(p);
3691  memset(p, 0, SIZE_OF_PACKET);
3692 
3693  p->src.family = AF_INET;
3694  p->dst.family = AF_INET;
3695  p->payload = buf;
3696  p->payload_len = buflen;
3697  p->proto = IPPROTO_TCP;
3699 
3700  DetectEngineThreadCtx *det_ctx = NULL;
3703  de_ctx->flags |= DE_QUIET;
3704 
3706  "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3707  FAIL_IF_NULL(s);
3708 
3710  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3711 
3712  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3713 
3714  FAIL_IF(PacketAlertCheck(p, 1));
3715 
3716  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3718  SCFree(p);
3719  PASS;
3720 }
3721 
3722 static int SigTestMemory01 (void)
3723 {
3724  uint8_t *buf = (uint8_t *)
3725  "GET /one/ HTTP/1.1\r\n"
3726  "Host: one.example.org\r\n"
3727  "\r\n\r\n"
3728  "GET /two/ HTTP/1.1\r\n"
3729  "Host: two.example.org\r\n"
3730  "\r\n\r\n";
3731  uint16_t buflen = strlen((char *)buf);
3733  if (unlikely(p == NULL))
3734  return 0;
3735  ThreadVars th_v;
3736  DetectEngineThreadCtx *det_ctx = NULL;
3737  int result = 0;
3738 
3739  memset(&th_v, 0, sizeof(th_v));
3740  memset(p, 0, SIZE_OF_PACKET);
3741  p->src.family = AF_INET;
3742  p->dst.family = AF_INET;
3743  p->payload = buf;
3744  p->payload_len = buflen;
3745  p->proto = IPPROTO_TCP;
3746 
3748  if (de_ctx == NULL) {
3749  goto end;
3750  }
3751 
3752  de_ctx->flags |= DE_QUIET;
3753 
3754  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3755  if (de_ctx->sig_list == NULL) {
3756  result = 0;
3757  goto end;
3758  }
3759 
3761  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3762 
3764  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3766 
3767  result = 1;
3768 end:
3769  SCFree(p);
3770  return result;
3771 }
3772 
3773 static int SigTestMemory02 (void)
3774 {
3775  ThreadVars th_v;
3776  int result = 0;
3777 
3778  memset(&th_v, 0, sizeof(th_v));
3779 
3781  if (de_ctx == NULL) {
3782  goto end;
3783  }
3784  de_ctx->flags |= DE_QUIET;
3785 
3786  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3787  if (de_ctx->sig_list == NULL) {
3788  result = 0;
3789  goto end;
3790  }
3791  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3792  if (de_ctx->sig_list->next == NULL) {
3793  result = 0;
3794  goto end;
3795  }
3796 
3798 
3801 
3802  result = 1;
3803 end:
3804  return result;
3805 }
3806 
3807 static int SigTestMemory03 (void)
3808 {
3809  ThreadVars th_v;
3810  int result = 0;
3811 
3812  memset(&th_v, 0, sizeof(th_v));
3813 
3815  if (de_ctx == NULL) {
3816  goto end;
3817  }
3818  de_ctx->flags |= DE_QUIET;
3819 
3820  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3821  if (de_ctx->sig_list == NULL) {
3822  result = 0;
3823  goto end;
3824  }
3825  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3826  if (de_ctx->sig_list->next == NULL) {
3827  result = 0;
3828  goto end;
3829  }
3830  de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3831  if (de_ctx->sig_list->next->next == NULL) {
3832  result = 0;
3833  goto end;
3834  }
3835 
3837 
3840 
3841  result = 1;
3842 end:
3843  return result;
3844 }
3845 
3846 static int SigTestContent01 (void)
3847 {
3848  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3849  uint16_t buflen = strlen((char *)buf);
3850  ThreadVars th_v;
3851  DetectEngineThreadCtx *det_ctx = NULL;
3852  int result = 0;
3853 
3854  memset(&th_v, 0, sizeof(th_v));
3855 
3856  Packet *p = NULL;
3857  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3858 
3860  if (de_ctx == NULL) {
3861  goto end;
3862  }
3863  de_ctx->flags |= DE_QUIET;
3864 
3865  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3866  if (de_ctx->sig_list == NULL) {
3867  result = 0;
3868  goto end;
3869  }
3870 
3872  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3873 
3874  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3875  if (PacketAlertCheck(p, 1))
3876  result = 1;
3877  else
3878  printf("sig 1 didn't match: ");
3879 
3882 
3883  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3885 end:
3886  UTHFreePackets(&p, 1);
3887  return result;
3888 }
3889 
3890 static int SigTestContent02 (void)
3891 {
3892  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3893  uint16_t buflen = strlen((char *)buf);
3894  ThreadVars th_v;
3895  DetectEngineThreadCtx *det_ctx = NULL;
3896  int result = 0;
3897 
3898  memset(&th_v, 0, sizeof(th_v));
3899  Packet *p = NULL;
3900  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3901 
3903  if (de_ctx == NULL) {
3904  goto end;
3905  }
3906  de_ctx->flags |= DE_QUIET;
3907 
3908  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3909  if (de_ctx->sig_list == NULL) {
3910  result = 0;
3911  goto end;
3912  }
3913 
3914  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3915  if (de_ctx->sig_list->next == NULL) {
3916  result = 0;
3917  goto end;
3918  }
3919 
3921  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3922 
3923  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3924  if (PacketAlertCheck(p, 1)) {
3925  if (PacketAlertCheck(p, 2)) {
3926  result = 1;
3927  } else
3928  printf("sig 2 didn't match: ");
3929  }
3930  else
3931  printf("sig 1 didn't match: ");
3932 
3935 
3936  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3938 end:
3939  UTHFreePackets(&p, 1);
3940  return result;
3941 }
3942 
3943 static int SigTestContent03 (void)
3944 {
3945  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3946  uint16_t buflen = strlen((char *)buf);
3947  ThreadVars th_v;
3948  DetectEngineThreadCtx *det_ctx = NULL;
3949  int result = 0;
3950 
3951  memset(&th_v, 0, sizeof(th_v));
3952  Packet *p = NULL;
3953  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3954 
3956  if (de_ctx == NULL) {
3957  goto end;
3958  }
3959 
3960  de_ctx->flags |= DE_QUIET;
3961 
3962  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3963  if (de_ctx->sig_list == NULL) {
3964  result = 0;
3965  goto end;
3966  }
3967 
3969  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3970 
3971  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3972  if (PacketAlertCheck(p, 1))
3973  result = 1;
3974  else
3975  printf("sig 1 didn't match: ");
3976 
3979 
3980  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3982 end:
3983  UTHFreePackets(&p, 1);
3984  return result;
3985 }
3986 
3987 static int SigTestContent04 (void)
3988 {
3989  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3990  uint16_t buflen = strlen((char *)buf);
3991  ThreadVars th_v;
3992  DetectEngineThreadCtx *det_ctx = NULL;
3993  int result = 0;
3994 
3995  memset(&th_v, 0, sizeof(th_v));
3996 
3997  Packet *p = NULL;
3998  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3999 
4001  if (de_ctx == NULL) {
4002  goto end;
4003  }
4004 
4005  de_ctx->flags |= DE_QUIET;
4006 
4007  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4008  if (de_ctx->sig_list == NULL) {
4009  result = 0;
4010  goto end;
4011  }
4012 
4014  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4015 
4016  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4017  if (PacketAlertCheck(p, 1))
4018  result = 1;
4019  else
4020  printf("sig 1 didn't match: ");
4021 
4024 
4025  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4027 end:
4028  UTHFreePackets(&p, 1);
4029  return result;
4030 }
4031 
4032 /** \test sigs with patterns at the limit of the pm's size limit */
4033 static int SigTestContent05 (void)
4034 {
4035  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4036  uint16_t buflen = strlen((char *)buf);
4037  ThreadVars th_v;
4038  DetectEngineThreadCtx *det_ctx = NULL;
4039  int result = 0;
4040 
4041  memset(&th_v, 0, sizeof(th_v));
4042  Packet *p = NULL;
4043  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4044 
4046  if (de_ctx == NULL) {
4047  printf("de_ctx == NULL: ");
4048  goto end;
4049  }
4050 
4051  de_ctx->flags |= DE_QUIET;
4052 
4053  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4054  if (de_ctx->sig_list == NULL) {
4055  printf("sig1 parse failed: ");
4056  goto end;
4057  }
4058  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
4059  if (de_ctx->sig_list->next == NULL) {
4060  printf("sig2 parse failed: ");
4061  goto end;
4062  }
4063 
4065  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4066 
4067  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4068 
4069  if (PacketAlertCheck(p, 1)) {
4070  printf("sig 1 matched but shouldn't: ");
4071  goto end;
4072  }
4073 
4074  if (PacketAlertCheck(p, 2)) {
4075  printf("sig 2 matched but shouldn't: ");
4076  goto end;
4077  }
4078 
4079  result = 1;
4080 end:
4081  UTHFreePackets(&p, 1);
4084 
4085  if (det_ctx != NULL) {
4086  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4087  }
4088  if (de_ctx != NULL) {
4090  }
4091  return result;
4092 }
4093 
4094 static int SigTestContent06 (void)
4095 {
4096  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4097  uint16_t buflen = strlen((char *)buf);
4098  ThreadVars th_v;
4099  DetectEngineThreadCtx *det_ctx = NULL;
4100  int result = 0;
4101 
4102  memset(&th_v, 0, sizeof(th_v));
4103  Packet *p = NULL;
4104  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4105 
4107  if (de_ctx == NULL) {
4108  goto end;
4109  }
4110 
4111  de_ctx->flags |= DE_QUIET;
4112 
4113  de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4114  if (de_ctx->sig_list == NULL) {
4115  result = 0;
4116  goto end;
4117  }
4118  de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
4119  if (de_ctx->sig_list->next == NULL) {
4120  result = 0;
4121  goto end;
4122  }
4123 
4125  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4126 
4127  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4128  if (PacketAlertCheck(p, 1)){
4129  //printf("sig 1 matched :");
4130  }else{
4131  printf("sig 1 didn't match: ");
4132  goto end;
4133  }
4134 
4135  if (PacketAlertCheck(p, 2)){
4136  result = 1;
4137  }else{
4138  printf("sig 2 didn't match: ");
4139  goto end;
4140  }
4141 
4144 
4145  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4147 end:
4148  UTHFreePackets(&p, 1);
4149  return result;
4150 }
4151 
4152 static int SigTestWithin01 (void)
4153 {
4155  ThreadVars th_v;
4156  int result = 0;
4157  Packet *p1 = NULL;
4158  Packet *p2 = NULL;
4159  Packet *p3 = NULL;
4160  Packet *p4 = NULL;
4161 
4162  uint8_t rawpkt1[] = {
4163  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4164  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4165  0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4166  0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4167  0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4168  0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4169  0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4170  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4171  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4172  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4173  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4174  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4175  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4176  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4177  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4178  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4179  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4180  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4181  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4182  0x00,0x00 }; /* end rawpkt1 */
4183 
4184  uint8_t rawpkt2[] = {
4185  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4186  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4187  0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4188  0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4189  0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4190  0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4191  0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4192  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4193  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4194  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4195  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4196  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4197  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4198  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4199  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4200  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4201  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4202  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4203  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4204  0x00,0x00 }; /* end rawpkt2 */
4205 
4206  uint8_t rawpkt3[] = {
4207  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4208  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4209  0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4210  0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4211  0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4212  0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4213  0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4214  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4215  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4216  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4217  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4218  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4219  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4220  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4221  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4222  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4223  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4224  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4225  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4226  0x00,0x00 }; /* end rawpkt3 */
4227 
4228  uint8_t rawpkt4[] = {
4229  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4230  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4231  0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4232  0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4233  0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4234  0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4235  0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4236  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4237  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4238  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4239  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4240  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4241  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4242  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4243  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4244  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4245  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4246  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4247  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4248  0x00,0x00 }; /* end rawpkt4 */
4249 
4250  memset(&dtv, 0, sizeof(DecodeThreadVars));
4251  memset(&th_v, 0, sizeof(th_v));
4252 
4253  DetectEngineThreadCtx *det_ctx = NULL;
4254 
4256 
4258  if (de_ctx == NULL) {
4259  goto end;
4260  }
4261 
4262  de_ctx->flags |= DE_QUIET;
4263 
4264  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4265  if (de_ctx->sig_list == NULL) {
4266  result = 0;
4267  goto end;
4268  }
4269 
4271  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4272 
4273  /* packet 1 */
4274  p1 = SCMalloc(SIZE_OF_PACKET);
4275  if (unlikely(p1 == NULL))
4276  return 0;
4277  memset(p1, 0, SIZE_OF_PACKET);
4278  DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1));
4279  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4280  if (!(PacketAlertCheck(p1, 556))) {
4281  printf("failed to match on packet 1: ");
4282  goto end;
4283  }
4284 
4285  /* packet 2 */
4286  p2 = SCMalloc(SIZE_OF_PACKET);
4287  if (unlikely(p2 == NULL))
4288  return 0;
4289  memset(p2, 0, SIZE_OF_PACKET);
4290  DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2));
4291  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4292  if (!(PacketAlertCheck(p2, 556))) {
4293  printf("failed to match on packet 2: ");
4294  goto end;
4295  }
4296 
4297  /* packet 3 */
4298  p3 = SCMalloc(SIZE_OF_PACKET);
4299  if (unlikely(p3 == NULL))
4300  return 0;
4301  memset(p3, 0, SIZE_OF_PACKET);
4302  DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3));
4303  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4304  if (!(PacketAlertCheck(p3, 556))) {
4305  printf("failed to match on packet 3: ");
4306  goto end;
4307  }
4308 
4309  /* packet 4 */
4310  p4 = SCMalloc(SIZE_OF_PACKET);
4311  if (unlikely(p4 == NULL))
4312  return 0;
4313  memset(p4, 0, SIZE_OF_PACKET);
4314  DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4));
4315  SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
4316  if (!(PacketAlertCheck(p4, 556))) {
4317  printf("failed to match on packet 4: ");
4318  goto end;
4319  }
4320 
4321  /* packet 5 */
4322  uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
4323  uint16_t p5buflen = strlen((char *)p5buf);
4324  Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
4325  SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
4326  if (!(PacketAlertCheck(p5, 556))) {
4327  printf("failed to match on packet 5: ");
4328  goto end;
4329  }
4330  UTHFreePackets(&p5, 1);
4331 
4332  result = 1;
4333 end:
4334  if (de_ctx != NULL) {
4337  }
4338 
4339  if (det_ctx != NULL)
4340  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4341 
4342  if (de_ctx != NULL)
4344 
4345  if (p1 != NULL) {
4346  PACKET_RECYCLE(p1);
4347  SCFree(p1);
4348  }
4349  if (p2 != NULL) {
4350  PACKET_RECYCLE(p2);
4351  SCFree(p2);
4352  }
4353  if (p3 != NULL) {
4354  PACKET_RECYCLE(p3);
4355  SCFree(p3);
4356  }
4357  if (p4 != NULL) {
4358  PACKET_RECYCLE(p4);
4359  SCFree(p4);
4360  }
4361  FlowShutdown();
4362  return result;
4363 }
4364 
4365 static int SigTestDepthOffset01 (void)
4366 {
4367  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4368  uint16_t buflen = strlen((char *)buf);
4369  Packet *p = NULL;
4370  ThreadVars th_v;
4371  DetectEngineThreadCtx *det_ctx = NULL;
4372  int result = 0;
4373 
4374  memset(&th_v, 0, sizeof(th_v));
4375 
4376  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
4377 
4379  if (de_ctx == NULL) {
4380  goto end;
4381  }
4382 
4383  de_ctx->flags |= DE_QUIET;
4384 
4385  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4386  if (de_ctx->sig_list == NULL) {
4387  result = 0;
4388  goto end;
4389  }
4390 
4392  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4393 
4394  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4395  if (PacketAlertCheck(p, 1))
4396  result = 1;
4397 
4400 
4401  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4403 end:
4404  UTHFreePackets(&p, 1);
4405  return result;
4406 }
4407 
4408 static int SigTestDetectAlertCounter(void)
4409 {
4410  Packet *p = NULL;
4411  ThreadVars tv;
4412  DetectEngineThreadCtx *det_ctx = NULL;
4413  memset(&tv, 0, sizeof(tv));
4414 
4417  de_ctx->flags |= DE_QUIET;
4418 
4419  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
4420  "content:\"boo\"; sid:1;)");
4421  FAIL_IF(de_ctx->sig_list == NULL);
4422 
4424  strlcpy(tv.name, "detect_test", sizeof(tv.name));
4425  DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4426  /* init counters */
4428 
4429  p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4430  Detect(&tv, p, det_ctx);
4432 
4433  Detect(&tv, p, det_ctx);
4435  UTHFreePackets(&p, 1);
4436 
4437  p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4438  Detect(&tv, p, det_ctx);
4440  UTHFreePackets(&p, 1);
4441 
4442  p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4443  Detect(&tv, p, det_ctx);
4445  UTHFreePackets(&p, 1);
4446 
4447  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4449  PASS;
4450 }
4451 
4452 /** \test test if the engine set flag to drop pkts of a flow that
4453  * triggered a drop action on IPS mode */
4454 static int SigTestDropFlow01(void)
4455 {
4456  Flow f;
4457  HtpState *http_state = NULL;
4458  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4459  "User-Agent: Mozilla/1.0\r\n"
4460  "Cookie: hellocatch\r\n\r\n";
4461  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4462  TcpSession ssn;
4463  Packet *p = NULL;
4464  Signature *s = NULL;
4465  ThreadVars tv;
4466  DetectEngineThreadCtx *det_ctx = NULL;
4468 
4469  memset(&tv, 0, sizeof(ThreadVars));
4470  memset(&f, 0, sizeof(Flow));
4471  memset(&ssn, 0, sizeof(TcpSession));
4472 
4473  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4474 
4475  FLOW_INITIALIZE(&f);
4476  f.protoctx = (void *)&ssn;
4477  f.proto = IPPROTO_TCP;
4478  f.flags |= FLOW_IPV4;
4479 
4480  p->flow = &f;
4484  f.alproto = ALPROTO_HTTP1;
4485 
4486  StreamTcpInitConfig(true);
4487 
4490  de_ctx->flags |= DE_QUIET;
4491 
4492  s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4493  "(msg:\"Test proto match\"; "
4494  "sid:1;)");
4495  FAIL_IF_NULL(s);
4496 
4498  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4499 
4500  int r = AppLayerParserParse(
4501  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4502  FAIL_IF_NOT(r == 0);
4503 
4504  http_state = f.alstate;
4505  FAIL_IF_NULL(http_state);
4506 
4507  /* do detect */
4508  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4509 
4511 
4513 
4515  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4517 
4518  StreamTcpFreeConfig(true);
4519  FLOW_DESTROY(&f);
4520 
4521  UTHFreePackets(&p, 1);
4522  PASS;
4523 }
4524 
4525 /** \test test if the engine set flag to drop pkts of a flow that
4526  * triggered a drop action on IPS mode */
4527 static int SigTestDropFlow02(void)
4528 {
4529  int result = 0;
4530  Flow f;
4531  HtpState *http_state = NULL;
4532  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4533  "User-Agent: Mozilla/1.0\r\n"
4534  "Cookie: hellocatch\r\n\r\n";
4535  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4536  TcpSession ssn;
4537  Packet *p = NULL;
4538  Signature *s = NULL;
4539  ThreadVars tv;
4540  DetectEngineThreadCtx *det_ctx = NULL;
4542 
4543  memset(&tv, 0, sizeof(ThreadVars));
4544  memset(&f, 0, sizeof(Flow));
4545  memset(&ssn, 0, sizeof(TcpSession));
4546 
4547  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4548 
4549  FLOW_INITIALIZE(&f);
4550  f.protoctx = (void *)&ssn;
4551  f.proto = IPPROTO_TCP;
4552  f.flags |= FLOW_IPV4;
4553 
4554  p->flow = &f;
4558  f.alproto = ALPROTO_HTTP1;
4559 
4560  StreamTcpInitConfig(true);
4561 
4563  if (de_ctx == NULL) {
4564  goto end;
4565  }
4566  de_ctx->flags |= DE_QUIET;
4567 
4568  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4569  "(msg:\"Test proto match\"; uricontent:\"one\";"
4570  "sid:1;)");
4571  if (s == NULL) {
4572  goto end;
4573  }
4574 
4576  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4577 
4578  FLOWLOCK_WRLOCK(&f);
4579  int r = AppLayerParserParse(
4580  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4581  if (r != 0) {
4582  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4583  FLOWLOCK_UNLOCK(&f);
4584  goto end;
4585  }
4586  FLOWLOCK_UNLOCK(&f);
4587 
4588  http_state = f.alstate;
4589  if (http_state == NULL) {
4590  printf("no http state: ");
4591  goto end;
4592  }
4593 
4594  /* do detect */
4595  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4596 
4597  if (!PacketAlertCheck(p, 1)) {
4598  printf("sig 1 didn't alert, but it should: ");
4599  goto end;
4600  }
4601 
4602  if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4603  printf("sig 1 alerted but flow was not flagged correctly: ");
4604  goto end;
4605  }
4606 
4607  /* Ok, now we know that the flag is set for app layer sigs
4608  * (ex: inspecting uricontent) */
4609 
4610  result = 1;
4611 
4612 end:
4613  if (alp_tctx != NULL)
4615  if (det_ctx != NULL)
4616  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4617  if (de_ctx != NULL)
4619  if (de_ctx != NULL)
4621 
4622  StreamTcpFreeConfig(true);
4623  FLOW_DESTROY(&f);
4624 
4625  UTHFreePackets(&p, 1);
4626  return result;
4627 }
4628 
4629 /** \test test if the engine set flag to drop pkts of a flow that
4630  * triggered a drop action on IPS mode, and it doesn't inspect
4631  * any other packet of the stream */
4632 static int SigTestDropFlow03(void)
4633 {
4634  int result = 0;
4635  Flow f;
4636  HtpState *http_state = NULL;
4637  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4638  "User-Agent: Mozilla/1.0\r\n"
4639  "Cookie: hellocatch\r\n\r\n";
4640  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4641 
4642  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4643  "User-Agent: Mozilla/1.0\r\n"
4644  "Cookie: hellocatch\r\n\r\n";
4645  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4646 
4647  /* Set the engine mode to IPS */
4648  EngineModeSetIPS();
4649 
4650  TcpSession ssn;
4651  Packet *p1 = NULL;
4652  Packet *p2 = NULL;
4653  Signature *s = NULL;
4654  ThreadVars tv;
4655  DetectEngineThreadCtx *det_ctx = NULL;
4657 
4658  memset(&tv, 0, sizeof(ThreadVars));
4659  memset(&f, 0, sizeof(Flow));
4660  memset(&ssn, 0, sizeof(TcpSession));
4661 
4662  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4663  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4664 
4665  FLOW_INITIALIZE(&f);
4666  f.protoctx = (void *)&ssn;
4667  f.proto = IPPROTO_TCP;
4668  f.flags |= FLOW_IPV4;
4669 
4670  p1->flow = &f;
4674 
4675  p2->flow = &f;
4679  f.alproto = ALPROTO_HTTP1;
4680 
4681  StreamTcpInitConfig(true);
4682 
4684  if (de_ctx == NULL) {
4685  goto end;
4686  }
4687 
4688  de_ctx->flags |= DE_QUIET;
4689 
4690  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4691  "(msg:\"Test proto match\"; uricontent:\"one\";"
4692  "sid:1;)");
4693  if (s == NULL) {
4694  goto end;
4695  }
4696 
4697  /* the no inspection flag should be set after the first sig gets triggered,
4698  * so the second packet should not match the next sig (because of no inspection) */
4699  s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4700  "(msg:\"Test proto match\"; uricontent:\"two\";"
4701  "sid:2;)");
4702  if (s == NULL) {
4703  goto end;
4704  }
4705 
4707  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4708 
4709  FLOWLOCK_WRLOCK(&f);
4710  int r = AppLayerParserParse(
4711  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4712  if (r != 0) {
4713  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4714  FLOWLOCK_UNLOCK(&f);
4715  goto end;
4716  }
4717  FLOWLOCK_UNLOCK(&f);
4718 
4719  http_state = f.alstate;
4720  if (http_state == NULL) {
4721  printf("no http state: ");
4722  goto end;
4723  }
4724 
4725  /* do detect */
4726  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4727 
4728  if (!PacketAlertCheck(p1, 1)) {
4729  printf("sig 1 didn't alert on p1, but it should: ");
4730  goto end;
4731  }
4732 
4733  if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4734  printf("sig 1 alerted but flow was not flagged correctly: ");
4735  goto end;
4736  }
4737 
4738  /* Second part.. Let's feed with another packet */
4739  if (StreamTcpCheckFlowDrops(p2) == 1) {
4740  SCLogDebug("This flow/stream triggered a drop rule");
4741  FlowSetNoPacketInspectionFlag(p2->flow);
4744  p2->action |= ACTION_DROP;
4745  /* return the segments to the pool */
4747  }
4748 
4749 
4750  if ( !(p2->flags & PKT_NOPACKET_INSPECTION)) {
4751  printf("The packet was not flagged with no-inspection: ");
4752  goto end;
4753  }
4754 
4755  FLOWLOCK_WRLOCK(&f);
4756  r = AppLayerParserParse(
4757  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4758  if (r != 0) {
4759  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4760  FLOWLOCK_UNLOCK(&f);
4761  goto end;
4762  }
4763  FLOWLOCK_UNLOCK(&f);
4764 
4765  /* do detect */
4766  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4767 
4768  if (PacketAlertCheck(p2, 1)) {
4769  printf("sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4770  goto end;
4771  }
4772 
4773  if (PacketAlertCheck(p2, 2)) {
4774  printf("sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4775  goto end;
4776  }
4777 
4778  if (!(PacketTestAction(p2, ACTION_DROP))) {
4779  printf("A \"drop\" action should be set from the flow to the packet: ");
4780  goto end;
4781  }
4782 
4783  result = 1;
4784 
4785 end:
4786  if (alp_tctx != NULL)
4788  if (det_ctx != NULL)
4789  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4790  if (de_ctx != NULL)
4792  if (de_ctx != NULL)
4794 
4795  StreamTcpFreeConfig(true);
4796  FLOW_DESTROY(&f);
4797 
4798  UTHFreePackets(&p1, 1);
4799  UTHFreePackets(&p2, 1);
4800 
4801  /* Restore mode to IDS */
4802  EngineModeSetIDS();
4803  return result;
4804 }
4805 
4806 /** \test test if the engine set flag to drop pkts of a flow that
4807  * triggered a drop action on IDS mode, but continue the inspection
4808  * as usual (instead of on IPS mode) */
4809 static int SigTestDropFlow04(void)
4810 {
4811  Flow f;
4812  HtpState *http_state = NULL;
4813  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4814  "User-Agent: Mozilla/1.0\r\n"
4815  "Cookie: hellocatch\r\n\r\n";
4816  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4817 
4818  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4819  "User-Agent: Mozilla/1.0\r\n"
4820  "Cookie: hellocatch\r\n\r\n";
4821  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4822 
4823  TcpSession ssn;
4824  Packet *p1 = NULL;
4825  Packet *p2 = NULL;
4826  Signature *s = NULL;
4827  ThreadVars tv;
4828  DetectEngineThreadCtx *det_ctx = NULL;
4830 
4831  memset(&tv, 0, sizeof(ThreadVars));
4832  memset(&f, 0, sizeof(Flow));
4833  memset(&ssn, 0, sizeof(TcpSession));
4834 
4835  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4836  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4837 
4838  FLOW_INITIALIZE(&f);
4839  f.protoctx = (void *)&ssn;
4840  f.proto = IPPROTO_TCP;
4841  f.flags |= FLOW_IPV4;
4842 
4843  p1->flow = &f;
4847 
4848  p2->flow = &f;
4852  f.alproto = ALPROTO_HTTP1;
4853 
4854  StreamTcpInitConfig(true);
4855 
4858  de_ctx->flags |= DE_QUIET;
4859 
4860  s = DetectEngineAppendSig(de_ctx, "drop tcp any any -> any 80 "
4861  "(msg:\"Test proto match\"; uricontent:\"one\";"
4862  "sid:1;)");
4863  FAIL_IF_NULL(s);
4864 
4865  /* the no inspection flag should be set after the first sig gets triggered,
4866  * so the second packet should not match the next sig (because of no inspection) */
4867  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any 80 "
4868  "(msg:\"Test proto match\"; uricontent:\"two\";"
4869  "sid:2;)");
4870  FAIL_IF_NULL(s);
4871 
4873  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4874 
4875  int r = AppLayerParserParse(
4876  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4877  FAIL_IF_NOT(r == 0);
4878 
4879  http_state = f.alstate;
4880  FAIL_IF_NULL(http_state);
4881 
4882  /* do detect */
4883  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4884 
4885  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
4886  FAIL_IF(PacketAlertCheck(p1, 2));
4887 
4889  FAIL_IF_NOT(PacketTestAction(p1, ACTION_DROP));
4890 
4892 
4893  r = AppLayerParserParse(
4894  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4895  FAIL_IF_NOT(r == 0);
4896 
4897  /* do detect */
4898  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4899 
4900  FAIL_IF(PacketAlertCheck(p2, 1));
4901  FAIL_IF(PacketAlertCheck(p2, 2));
4902  FAIL_IF_NOT(PacketTestAction(p2, ACTION_DROP));
4903 
4905  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4907 
4908  StreamTcpFreeConfig(true);
4909  FLOW_DESTROY(&f);
4910 
4911  UTHFreePackets(&p1, 1);
4912  UTHFreePackets(&p2, 1);
4913 
4914  PASS;
4915 }
4916 
4917 /** \test ICMP packet shouldn't be matching port based sig
4918  * Bug #611 */
4919 static int SigTestPorts01(void)
4920 {
4921  int result = 0;
4922  Packet *p1 = NULL;
4923  Signature *s = NULL;
4924  ThreadVars tv;
4925  DetectEngineThreadCtx *det_ctx = NULL;
4926  uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
4927 
4928  memset(&tv, 0, sizeof(ThreadVars));
4929 
4930  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
4931 
4933  if (de_ctx == NULL) {
4934  goto end;
4935  }
4936  de_ctx->flags |= DE_QUIET;
4937 
4938  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
4939  "(content:\"AAA\"; sid:1;)");
4940  if (s == NULL) {
4941  goto end;
4942  }
4943 
4945  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4946 
4947  /* do detect */
4948  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4949 
4950  if (PacketAlertCheck(p1, 1)) {
4951  printf("sig 1 alerted on p1, but it should not: ");
4952  goto end;
4953  }
4954 
4955  result = 1;
4956 end:
4957  if (det_ctx != NULL)
4958  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4959  if (de_ctx != NULL)
4961  if (de_ctx != NULL)
4963 
4964  UTHFreePackets(&p1, 1);
4965  return result;
4966 }
4967 
4968 /** \test almost identical patterns */
4969 static int SigTestBug01(void)
4970 {
4971  int result = 0;
4972  Packet *p1 = NULL;
4973  Signature *s = NULL;
4974  ThreadVars tv;
4975  DetectEngineThreadCtx *det_ctx = NULL;
4976  uint8_t payload[] = "!mymy";
4977 
4978  memset(&tv, 0, sizeof(ThreadVars));
4979 
4980  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
4981 
4983  if (de_ctx == NULL) {
4984  goto end;
4985  }
4986  de_ctx->flags |= DE_QUIET;
4987 
4988  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4989  "(content:\"Omymy\"; nocase; sid:1;)");
4990  if (s == NULL) {
4991  goto end;
4992  }
4993  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4994  "(content:\"!mymy\"; nocase; sid:2;)");
4995  if (s == NULL) {
4996  goto end;
4997  }
4998 
5000  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
5001 
5002  /* do detect */
5003  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
5004 
5005  if (PacketAlertCheck(p1, 1)) {
5006  printf("sig 1 alerted on p1, but it should not: ");
5007  goto end;
5008  }
5009  if (!(PacketAlertCheck(p1, 2))) {
5010  printf("sig 2 did not p1, but it should have: ");
5011  goto end;
5012  }
5013 
5014  result = 1;
5015 end:
5016  if (det_ctx != NULL)
5017  DetectEngineThreadCtxDeinit(&tv, det_ctx);
5018  if (de_ctx != NULL)
5020  if (de_ctx != NULL)
5022 
5023  UTHFreePackets(&p1, 1);
5024  return result;
5025 }
5026 
5027 static const char *dummy_conf_string2 =
5028  "%YAML 1.1\n"
5029  "---\n"
5030  "vars:\n"
5031  "\n"
5032  " address-groups:\n"
5033  "\n"
5034  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
5035  "\n"
5036  " EXTERNAL_NET: \"any\"\n"
5037  "\n"
5038  " port-groups:\n"
5039  "\n"
5040  " HTTP_PORTS: \"80:81,88\"\n"
5041  "\n";
5042 
5043 static int DetectAddressYamlParsing01 (void)
5044 {
5045  int result = 0;
5046 
5048  ConfInit();
5049  ConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
5050 
5052  if (de_ctx == NULL) {
5053  goto end;
5054  }
5055 
5056  de_ctx->flags |= DE_QUIET;
5057 
5058  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5059  goto end;
5060  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5061  goto end;
5062  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5063  goto end;
5064 
5065  result = 1;
5066 
5068 end:
5069  ConfDeInit();
5071  return result;
5072 }
5073 
5074 static const char *dummy_conf_string3 =
5075  "%YAML 1.1\n"
5076  "---\n"
5077  "vars:\n"
5078  "\n"
5079  " address-groups:\n"
5080  "\n"
5081  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5082  "\n"
5083  " EXTERNAL_NET: \"any\"\n"
5084  "\n"
5085  " port-groups:\n"
5086  "\n"
5087  " HTTP_PORTS: \"80:81,88\"\n"
5088  "\n";
5089 
5090 static int DetectAddressYamlParsing02 (void)
5091 {
5092  int result = 0;
5093 
5095  ConfInit();
5096  ConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
5097 
5099  if (de_ctx == NULL) {
5100  goto end;
5101  }
5102 
5103  de_ctx->flags |= DE_QUIET;
5104 
5105  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5106  goto end;
5107  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5108  goto end;
5109  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5110  goto end;
5111 
5112  result = 1;
5113 
5115 end:
5116  ConfDeInit();
5118  return result;
5119 }
5120 
5121 static const char *dummy_conf_string4 =
5122  "%YAML 1.1\n"
5123  "---\n"
5124  "vars:\n"
5125  "\n"
5126  " address-groups:\n"
5127  "\n"
5128  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5129  "\n"
5130  " EXTERNAL_NET: \"any\"\n"
5131  "\n"
5132  " port-groups:\n"
5133  "\n"
5134  " HTTP_PORTS: \"80:81,88\"\n"
5135  "\n";
5136 
5137 static int DetectAddressYamlParsing03 (void)
5138 {
5139  int result = 0;
5140 
5142  ConfInit();
5143  ConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
5144 
5146  if (de_ctx == NULL) {
5147  goto end;
5148  }
5149 
5150  de_ctx->flags |= DE_QUIET;
5151 
5152  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5153  goto end;
5154  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5155  goto end;
5156  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5157  goto end;
5158 
5159  result = 1;
5160 
5162 end:
5163  ConfDeInit();
5165  return result;
5166 }
5167 
5168 static const char *dummy_conf_string5 =
5169  "%YAML 1.1\n"
5170  "---\n"
5171  "vars:\n"
5172  "\n"
5173  " address-groups:\n"
5174  "\n"
5175  " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
5176  "\n"
5177  " EXTERNAL_NET: \"any\"\n"
5178  "\n"
5179  " port-groups:\n"
5180  "\n"
5181  " HTTP_PORTS: \"80:81,88\"\n"
5182  "\n";
5183 
5184 /** \test bug #815 */
5185 static int DetectAddressYamlParsing04 (void)
5186 {
5187  int result = 0;
5188 
5190  ConfInit();
5191  ConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
5192 
5194  if (de_ctx == NULL) {
5195  goto end;
5196  }
5197 
5198  de_ctx->flags |= DE_QUIET;
5199 
5200  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5201  goto end;
5202  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5203  goto end;
5204  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5205  goto end;
5206 
5207  result = 1;
5208 
5210 end:
5211  ConfDeInit();
5213  return result;
5214 }
5215 
5217 {
5220 
5221  UtRegisterTest("SigTest01", SigTest01);
5222  UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
5223  UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
5224  UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
5225  UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
5226  UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
5227  UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
5228  SigTest07);
5229  UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
5230  UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
5231  SigTest09);
5232  UtRegisterTest("SigTest10 -- long content match, longer than pkt",
5233  SigTest10);
5234  UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
5235  UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
5236  UtRegisterTest("SigTest13 -- content order matching, diff order",
5237  SigTest13);
5238  UtRegisterTest("SigTest14 -- content order matching, distance 0",
5239  SigTest14);
5240  UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
5241  UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
5242  UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
5243  UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
5244  UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
5245  UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
5246  UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
5247  UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
5248  UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
5249 
5250  UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
5251  UtRegisterTest("SigTest25NegativeIPV4Keyword",
5252  SigTest25NegativeIPV4Keyword);
5253 
5254  UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
5255  UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
5256  SigTest26TCPV4AndNegativeIPV4Keyword);
5257  UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
5258  SigTest26TCPV4AndIPV4Keyword);
5259  UtRegisterTest("SigTest27NegativeTCPV4Keyword",
5260  SigTest27NegativeTCPV4Keyword);
5261 
5262  UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
5263  UtRegisterTest("SigTest29NegativeTCPV6Keyword",
5264  SigTest29NegativeTCPV6Keyword);
5265 
5266  UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
5267  UtRegisterTest("SigTest31NegativeUDPV4Keyword",
5268  SigTest31NegativeUDPV4Keyword);
5269 
5270  UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
5271  UtRegisterTest("SigTest33NegativeUDPV6Keyword",
5272  SigTest33NegativeUDPV6Keyword);
5273 
5274  UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5275  UtRegisterTest("SigTest35NegativeICMPV4Keyword",
5276  SigTest35NegativeICMPV4Keyword);
5277  UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
5278  SigTest36ContentAndIsdataatKeywords01);
5279  UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
5280  SigTest37ContentAndIsdataatKeywords02);
5281 
5282  UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
5283 
5284  UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
5285 
5286  UtRegisterTest("SigTest40NoPacketInspection01",
5287  SigTest40NoPacketInspection01);
5288  UtRegisterTest("SigTest40NoPayloadInspection02",
5289  SigTest40NoPayloadInspection02);
5290 
5291  UtRegisterTest("SigTestMemory01", SigTestMemory01);
5292  UtRegisterTest("SigTestMemory02", SigTestMemory02);
5293  UtRegisterTest("SigTestMemory03", SigTestMemory03);
5294 
5295  UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
5296  UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5297  UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
5298  SigTestContent03);
5299  UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5300  SigTestContent04);
5301  UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
5302  UtRegisterTest("SigTestContent06 -- distance/within ip only",
5303  SigTestContent06);
5304 
5305  UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
5306  UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
5307 
5308  UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5309 
5310  UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
5311  UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
5312  UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
5313  UtRegisterTest("SigTestDropFlow04", SigTestDropFlow04);
5314 
5315  UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5316  UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5317  UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5318  UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
5319 
5320  UtRegisterTest("SigTestPorts01", SigTestPorts01);
5321  UtRegisterTest("SigTestBug01", SigTestBug01);
5322 
5324 }
5325 #endif /* UNITTESTS */
IPOnlyRegisterTests
void IPOnlyRegisterTests(void)
Definition: detect-engine-iponly.c:2315
Packet_::proto
uint8_t proto
Definition: decode.h:436
DecodeSetNoPacketInspectionFlag
#define DecodeSetNoPacketInspectionFlag(p)
Set the No packet inspection Flag for the packet.
Definition: decode.h:1028
PktVarGet
PktVar * PktVarGet(Packet *p, uint32_t id)
Definition: pkt-var.c:40
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:142
StreamTcpSessionPktFree
void StreamTcpSessionPktFree(Packet *p)
Function to return the stream segments back to the pool.
Definition: stream-tcp.c:283
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
DetectEngineContentInspectionRegisterTests
void DetectEngineContentInspectionRegisterTests(void)
Definition: detect-engine-content-inspection.c:273
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1152
PACKET_RESET_CHECKSUMS
#define PACKET_RESET_CHECKSUMS(p)
reset these to -1(indicates that the packet is fresh from the queue)
Definition: decode.h:736
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:273
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition: packet-queue.h:47
Flow_::proto
uint8_t proto
Definition: flow.h:375
Packet_::payload
uint8_t * payload
Definition: decode.h:551
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:449
Packet_::action
uint8_t action
Definition: decode.h:555
SigRegisterTests
void SigRegisterTests(void)
Definition: detect.c:5216
Flow_
Flow data structure.
Definition: flow.h:353
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2076
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:132
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:758
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:821
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2069
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:231
StatsSetupPrivate
int StatsSetupPrivate(ThreadVars *tv)
Definition: counters.c:1197
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:273
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:68
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1653
UTHBuildPacketSrcDstPorts
Packet * UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, uint16_t sport, uint16_t dport)
UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying src and dst ports and defaulting...
Definition: util-unittest-helper.c:454
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1141
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:1585
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:41
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:445
Flow_::protoctx
void * protoctx
Definition: flow.h:451
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:98
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:552
MPM_AC
@ MPM_AC
Definition: util-mpm.h:35
HtpState_
Definition: app-layer-htp.h:245
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:270
IPV6_GET_PLEN
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:88
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
Signature_::next
struct Signature_ * next
Definition: detect.h:590
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:523
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:237
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
Definition: util-var-name.c:309
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition: detect-parse.c:4217
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1003
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:261
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
PktVar_::value
uint8_t * value
Definition: decode.h:324
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:267
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:233
Packet_::ethh
EthernetHdr * ethh
Definition: decode.h:502
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
Packet_::sp
Port sp
Definition: decode.h:421
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:95
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:256
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:487
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:634
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:281
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1999
StatsGetLocalCounterValue
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1243
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:414
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:232
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:509
ConfCreateContextBackup
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:698
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1932
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:247
IPV4Hdr_
Definition: decode-ipv4.h:71
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2381
Packet_::flow
struct Flow_ * flow
Definition: decode.h:451
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2773
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:670
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1168
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:337
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2981
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:531
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:651
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
ConfRestoreContextBackup
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:710
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:764
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:539
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:113
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1039
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:638
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:486
Flow_::flags
uint32_t flags
Definition: flow.h:431
PktVarFree
void PktVarFree(PktVar *pv)
Definition: pkt-var.c:111
Signature_
Signature container.
Definition: detect.h:517
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2024
PktVar_::value_len
uint16_t value_len
Definition: decode.h:322
TCP_GET_HLEN
#define TCP_GET_HLEN(p)
Definition: decode-tcp.h:111
Packet_::udph
UDPHdr * udph
Definition: decode.h:533
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1126
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
Address_::family
char family
Definition: decode.h:120
Packet_::dst
Address dst
Definition: decode.h:419
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:42
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1137
ConfDeInit
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:721