suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #ifdef UNITTESTS
19 
20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../pkt-var.h"
25 #include "../flow-util.h"
26 #include "../stream-tcp-reassemble.h"
27 #include "../util-unittest.h"
28 #include "../util-unittest-helper.h"
29 
30 static const char *dummy_conf_string =
31  "%YAML 1.1\n"
32  "---\n"
33  "\n"
34  "default-log-dir: /var/log/suricata\n"
35  "\n"
36  "logging:\n"
37  "\n"
38  " default-log-level: debug\n"
39  "\n"
40  " default-format: \"<%t> - <%l>\"\n"
41  "\n"
42  " default-startup-message: Your IDS has started.\n"
43  "\n"
44  " default-output-filter:\n"
45  "\n"
46  " output:\n"
47  "\n"
48  " - interface: console\n"
49  " log-level: info\n"
50  "\n"
51  " - interface: file\n"
52  " filename: /var/log/suricata.log\n"
53  "\n"
54  " - interface: syslog\n"
55  " facility: local5\n"
56  " format: \"%l\"\n"
57  "\n"
58  "pfring:\n"
59  "\n"
60  " interface: eth0\n"
61  "\n"
62  " clusterid: 99\n"
63  "\n"
64  "vars:\n"
65  "\n"
66  " address-groups:\n"
67  "\n"
68  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
69  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
70  "\n"
71  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
72  "\n"
73  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
74  "\n"
75  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
76  "\n"
77  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
78  "\n"
79  " DNS_SERVERS: any\n"
80  "\n"
81  " TELNET_SERVERS: any\n"
82  "\n"
83  " AIM_SERVERS: any\n"
84  "\n"
85  " port-groups:\n"
86  "\n"
87  " HTTP_PORTS: \"80:81,88\"\n"
88  "\n"
89  " SHELLCODE_PORTS: 80\n"
90  "\n"
91  " ORACLE_PORTS: 1521\n"
92  "\n"
93  " SSH_PORTS: 22\n"
94  "\n";
95 
96 static int SigTest01 (void)
97 {
98  uint8_t *buf = (uint8_t *)
99  "GET /one/ HTTP/1.1\r\n"
100  "Host: one.example.org\r\n"
101  "\r\n\r\n"
102  "GET /two/ HTTP/1.1\r\n"
103  "Host: two.example.org\r\n"
104  "\r\n\r\n";
105  uint16_t buflen = strlen((char *)buf);
106  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
107  int result = 0;
108 
109  char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
110  if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
111  result = 0;
112  goto end;
113  }
114 #if 0
115  //printf("URI0 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[0], p.http_uri.raw_size[0]);
116  //printf("URI1 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[1], p.http_uri.raw_size[1]);
117 
118  if (p->http_uri.raw_size[0] == 5 &&
119  memcmp(p->http_uri.raw[0], "/one/", 5) == 0 &&
120  p->http_uri.raw_size[1] == 5 &&
121  memcmp(p->http_uri.raw[1], "/two/", 5) == 0)
122  {
123  result = 1;
124  }
125 
126 #endif
127  result = 1;
128 end:
129  if (p != NULL)
130  UTHFreePacket(p);
131  return result;
132 }
133 
134 static int SigTest02 (void)
135 {
136  uint8_t *buf = (uint8_t *)
137  "GET /one/ HTTP/1.1\r\n"
138  "Host: one.example.org\r\n"
139  "\r\n\r\n"
140  "GET /two/ HTTP/1.1\r\n"
141  "Host: two.example.org\r\n"
142  "\r\n\r\n";
143  uint16_t buflen = strlen((char *)buf);
144  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
145  char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
146  int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
147  UTHFreePacket(p);
148  return ret;
149 }
150 
151 static int SigTest03 (void)
152 {
153  uint8_t *buf = (uint8_t *)
154  "GET /one/ HTTP/1.1\r\n"
155  "Host: one.example.org\r\n"
156  "\r\n\r\n"
157  "GET /two/ HTTP/1.1\r\n"
158  "Host: two.example.org\r\n"
159  "\r\n\r\n";
160  uint16_t buflen = strlen((char *)buf);
161  Packet *p = NULL;
162  ThreadVars th_v;
163  DetectEngineThreadCtx *det_ctx = NULL;
164  int result = 0;
165 
166  memset(&th_v, 0, sizeof(th_v));
167 
168  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
169 
171  if (de_ctx == NULL) {
172  goto end;
173  }
174 
175  de_ctx->flags |= DE_QUIET;
176 
177  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
178  if (de_ctx->sig_list == NULL) {
179  result = 0;
180  goto end;
181  }
182 
183  SigGroupBuild(de_ctx);
184  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
185 
186  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
187  if (PacketAlertCheck(p, 1))
188  result = 1;
189 
190  SigGroupCleanup(de_ctx);
191  SigCleanSignatures(de_ctx);
192 
193  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
194  DetectEngineCtxFree(de_ctx);
195 end:
196  UTHFreePackets(&p, 1);
197  return result;
198 }
199 
200 static int SigTest04 (void)
201 {
202  uint8_t *buf = (uint8_t *)
203  "GET /one/ HTTP/1.1\r\n" /* 20*/
204  "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
205  "\r\n\r\n" /* 4 */
206  "GET /two/ HTTP/1.1\r\n" /* 20 */
207  "Host: two.example.org\r\n" /* 23 */
208  "\r\n\r\n"; /* 4 */
209  uint16_t buflen = strlen((char *)buf);
210 
211  Packet *p = NULL;
212  ThreadVars th_v;
213  DetectEngineThreadCtx *det_ctx = NULL;
214  int result = 0;
215 
216  memset(&th_v, 0, sizeof(th_v));
217 
218  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
219 
221  if (de_ctx == NULL) {
222  goto end;
223  }
224 
225  de_ctx->flags |= DE_QUIET;
226 
227  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
228  if (de_ctx->sig_list == NULL) {
229  result = 0;
230  goto end;
231  }
232 
233  SigGroupBuild(de_ctx);
234  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
235 
236  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
237  if (PacketAlertCheck(p, 1))
238  result = 1;
239 
240  SigGroupCleanup(de_ctx);
241  SigCleanSignatures(de_ctx);
242 
243  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
244  DetectEngineCtxFree(de_ctx);
245 end:
246  UTHFreePackets(&p, 1);
247  return result;
248 }
249 
250 static int SigTest05 (void)
251 {
252  uint8_t *buf = (uint8_t *)
253  "GET /one/ HTTP/1.1\r\n" /* 20 */
254  "Host: one.example.org\r\n" /* 23, 43 */
255  "\r\n\r\n" /* 4, 47 */
256  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
257  "Host: two.example.org\r\n" /* 23, 90 */
258  "\r\n\r\n"; /* 4, 94 */
259  uint16_t buflen = strlen((char *)buf);
260  Packet *p = NULL;
261  ThreadVars th_v;
262  DetectEngineThreadCtx *det_ctx = NULL;
263  int result = 0;
264 
265  memset(&th_v, 0, sizeof(th_v));
266 
267  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
268 
270  if (de_ctx == NULL) {
271  goto end;
272  }
273 
274  de_ctx->flags |= DE_QUIET;
275 
276  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
277  if (de_ctx->sig_list == NULL) {
278  printf("sig parse failed: ");
279  goto end;
280  }
281 
282  SigGroupBuild(de_ctx);
283  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
284 
285  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
286  if (!PacketAlertCheck(p, 1)) {
287  result = 1;
288  } else {
289  printf("sig matched but shouldn't have: ");
290  }
291 
292  SigGroupCleanup(de_ctx);
293  SigCleanSignatures(de_ctx);
294 
295  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
296  DetectEngineCtxFree(de_ctx);
297 end:
298  UTHFreePackets(&p, 1);
299  return result;
300 }
301 
302 static int SigTest06 (void)
303 {
304  uint8_t *buf = (uint8_t *)
305  "GET /one/ HTTP/1.1\r\n" /* 20 */
306  "Host: one.example.org\r\n" /* 23, 43 */
307  "\r\n\r\n" /* 4, 47 */
308  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
309  "Host: two.example.org\r\n" /* 23, 90 */
310  "\r\n\r\n"; /* 4, 94 */
311  uint16_t buflen = strlen((char *)buf);
312  Packet *p = NULL;
313  ThreadVars th_v;
314  DetectEngineThreadCtx *det_ctx = NULL;
315  Flow f;
316  TcpSession ssn;
318  FAIL_IF_NULL(alp_tctx);
319 
320  memset(&th_v, 0, sizeof(th_v));
321  memset(&f, 0, sizeof(f));
322  memset(&ssn, 0, sizeof(ssn));
323 
324  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
325  FAIL_IF_NULL(p);
326 
327  FLOW_INITIALIZE(&f);
328  f.protoctx = (void *)&ssn;
329  f.flags |= FLOW_IPV4;
330  f.proto = IPPROTO_TCP;
331  p->flow = &f;
335  f.alproto = ALPROTO_HTTP;
336 
338 
340  FAIL_IF_NULL(de_ctx);
341  de_ctx->flags |= DE_QUIET;
342 
343  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
344  FAIL_IF_NULL(s);
345 
346  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
347  FAIL_IF_NULL(s);
348 
349  SigGroupBuild(de_ctx);
350  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
351  FAIL_IF_NULL(det_ctx);
352 
353  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
354  STREAM_TOSERVER, buf, buflen);
355  FAIL_IF(r != 0);
356 
357  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
360 
361  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
362  DetectEngineCtxFree(de_ctx);
363  AppLayerParserThreadCtxFree(alp_tctx);
364  UTHFreePackets(&p, 1);
366  FLOW_DESTROY(&f);
367  PASS;
368 }
369 
370 static int SigTest07 (void)
371 {
372  uint8_t *buf = (uint8_t *)
373  "GET /one/ HTTP/1.1\r\n" /* 20 */
374  "Host: one.example.org\r\n" /* 23, 43 */
375  "\r\n\r\n" /* 4, 47 */
376  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
377  "Host: two.example.org\r\n" /* 23, 90 */
378  "\r\n\r\n"; /* 4, 94 */
379  uint16_t buflen = strlen((char *)buf);
380  Packet *p = NULL;
381  ThreadVars th_v;
382  DetectEngineThreadCtx *det_ctx = NULL;
383  Flow f;
384  TcpSession ssn;
385  int result = 0;
387 
388  memset(&th_v, 0, sizeof(th_v));
389  memset(&f, 0, sizeof(f));
390  memset(&ssn, 0, sizeof(ssn));
391 
392  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
393 
394  FLOW_INITIALIZE(&f);
395  f.protoctx = (void *)&ssn;
396  f.flags |= FLOW_IPV4;
397  f.proto = IPPROTO_TCP;
398  p->flow = &f;
402  f.alproto = ALPROTO_HTTP;
403 
405 
407  if (de_ctx == NULL) {
408  goto end;
409  }
410 
411  de_ctx->flags |= DE_QUIET;
412 
413  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
414  if (de_ctx->sig_list == NULL) {
415  result = 0;
416  goto end;
417  }
418  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
419  if (de_ctx->sig_list->next == NULL) {
420  result = 0;
421  goto end;
422  }
423 
424  SigGroupBuild(de_ctx);
425  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
426 
427  FLOWLOCK_WRLOCK(&f);
428  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
429  STREAM_TOSERVER, buf, buflen);
430  if (r != 0) {
431  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
432  result = 0;
433  FLOWLOCK_UNLOCK(&f);
434  goto end;
435  }
436  FLOWLOCK_UNLOCK(&f);
437 
438  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
439  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
440  result = 0;
441  else
442  result = 1;
443 
444 end:
445  if (alp_tctx != NULL)
446  AppLayerParserThreadCtxFree(alp_tctx);
447  UTHFreePackets(&p, 1);
450  FLOW_DESTROY(&f);
451  SigGroupCleanup(de_ctx);
452  SigCleanSignatures(de_ctx);
453 
454  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
455  DetectEngineCtxFree(de_ctx);
456 
457  return result;
458 }
459 
460 static int SigTest08 (void)
461 {
462  uint8_t *buf = (uint8_t *)
463  "GET /one/ HTTP/1.0\r\n" /* 20 */
464  "Host: one.example.org\r\n" /* 23, 43 */
465  "\r\n\r\n" /* 4, 47 */
466  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
467  "Host: two.example.org\r\n" /* 23, 90 */
468  "\r\n\r\n"; /* 4, 94 */
469  uint16_t buflen = strlen((char *)buf);
470  Packet *p = NULL;
471  ThreadVars th_v;
472  DetectEngineThreadCtx *det_ctx = NULL;
473  Flow f;
474  TcpSession ssn;
475  int result = 0;
477 
478  memset(&f, 0, sizeof(Flow));
479  memset(&th_v, 0, sizeof(th_v));
480  memset(&ssn, 0, sizeof(ssn));
481 
482  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
483 
484  FLOW_INITIALIZE(&f);
485  f.protoctx = (void *)&ssn;
486  f.flags |= FLOW_IPV4;
487  f.proto = IPPROTO_TCP;
488  p->flow = &f;
492  f.alproto = ALPROTO_HTTP;
493 
495 
497  if (de_ctx == NULL) {
498  goto end;
499  }
500 
501  de_ctx->flags |= DE_QUIET;
502 
503  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
504  if (de_ctx->sig_list == NULL) {
505  result = 0;
506  goto end;
507  }
508  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
509  if (de_ctx->sig_list->next == NULL) {
510  result = 0;
511  goto end;
512  }
513 
514  SigGroupBuild(de_ctx);
515  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
516 
517  FLOWLOCK_WRLOCK(&f);
518  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
519  STREAM_TOSERVER, buf, buflen);
520  if (r != 0) {
521  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
522  result = 0;
523  FLOWLOCK_UNLOCK(&f);
524  goto end;
525  }
526  FLOWLOCK_UNLOCK(&f);
527 
528  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
529  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
530  result = 1;
531  else
532  printf("sid:1 %s, sid:2 %s: ",
533  PacketAlertCheck(p, 1) ? "OK" : "FAIL",
534  PacketAlertCheck(p, 2) ? "OK" : "FAIL");
535 
536 end:
538  SigGroupCleanup(de_ctx);
539  SigCleanSignatures(de_ctx);
540 
541  if (det_ctx)
542  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
543  DetectEngineCtxFree(de_ctx);
544  if (alp_tctx != NULL)
545  AppLayerParserThreadCtxFree(alp_tctx);
546  UTHFreePackets(&p, 1);
548  FLOW_DESTROY(&f);
549  return result;
550 }
551 
552 static int SigTest09 (void)
553 {
554  uint8_t *buf = (uint8_t *)
555  "GET /one/ HTTP/1.0\r\n" /* 20 */
556  "Host: one.example.org\r\n" /* 23, 43 */
557  "\r\n\r\n" /* 4, 47 */
558  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
559  "Host: two.example.org\r\n" /* 23, 90 */
560  "\r\n\r\n"; /* 4, 94 */
561  uint16_t buflen = strlen((char *)buf);
562  Packet *p = NULL;
563  ThreadVars th_v;
564  DetectEngineThreadCtx *det_ctx = NULL;
565  Flow f;
566  TcpSession ssn;
568  int result = 0;
569 
570  memset(&th_v, 0, sizeof(th_v));
571  memset(&f, 0, sizeof(f));
572  memset(&ssn, 0, sizeof(ssn));
573 
574  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
575 
576  FLOW_INITIALIZE(&f);
577  f.protoctx = (void *)&ssn;
578  f.flags |= FLOW_IPV4;
579  f.proto = IPPROTO_TCP;
580  p->flow = &f;
584  f.alproto = ALPROTO_HTTP;
585 
587 
589  if (de_ctx == NULL) {
590  goto end;
591  }
592 
593  de_ctx->flags |= DE_QUIET;
594 
595  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
596  if (de_ctx->sig_list == NULL) {
597  result = 0;
598  goto end;
599  }
600  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
601  if (de_ctx->sig_list->next == NULL) {
602  result = 0;
603  goto end;
604  }
605 
606  SigGroupBuild(de_ctx);
607  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
608 
609  FLOWLOCK_WRLOCK(&f);
610  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
611  STREAM_TOSERVER, buf, buflen);
612  if (r != 0) {
613  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
614  result = 0;
615  FLOWLOCK_UNLOCK(&f);
616  goto end;
617  }
618  FLOWLOCK_UNLOCK(&f);
619 
620  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
621  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
622  result = 1;
623  else
624  result = 0;
625 
626 end:
628  SigGroupCleanup(de_ctx);
629  SigCleanSignatures(de_ctx);
630  if (det_ctx)
631  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
632  DetectEngineCtxFree(de_ctx);
633  if (alp_tctx != NULL)
634  AppLayerParserThreadCtxFree(alp_tctx);
635  UTHFreePackets(&p, 1);
637  FLOW_DESTROY(&f);
638  return result;
639 }
640 
641 static int SigTest10 (void)
642 {
643  uint8_t *buf = (uint8_t *)
644  "ABC";
645  uint16_t buflen = strlen((char *)buf);
646  Packet *p = NULL;
647  ThreadVars th_v;
648  DetectEngineThreadCtx *det_ctx = NULL;
649  Flow f;
650  TcpSession ssn;
651  int result = 0;
653 
654  memset(&th_v, 0, sizeof(th_v));
655  memset(&f, 0, sizeof(f));
656  memset(&ssn, 0, sizeof(ssn));
657 
658  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
659 
660  FLOW_INITIALIZE(&f);
661  f.protoctx = (void *)&ssn;
662  f.proto = IPPROTO_TCP;
663  f.flags |= FLOW_IPV4;
664  p->flow = &f;
668  f.alproto = ALPROTO_HTTP;
669 
671 
673  if (de_ctx == NULL) {
674  goto end;
675  }
676 
677  de_ctx->flags |= DE_QUIET;
678 
679  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
680  if (de_ctx->sig_list == NULL) {
681  result = 0;
682  goto end;
683  }
684  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)");
685  if (de_ctx->sig_list->next == NULL) {
686  result = 0;
687  goto end;
688  }
689 
690  SigGroupBuild(de_ctx);
691  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
692 
693  FLOWLOCK_WRLOCK(&f);
694  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
695  STREAM_TOSERVER, buf, buflen);
696  if (r != 0) {
697  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
698  result = 0;
699  FLOWLOCK_UNLOCK(&f);
700  goto end;
701  }
702  FLOWLOCK_UNLOCK(&f);
703 
704  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
705  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
706  result = 0;
707  else
708  result = 1;
709 
710  end:
712  SigGroupCleanup(de_ctx);
713  SigCleanSignatures(de_ctx);
714  if (det_ctx)
715  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
716  DetectEngineCtxFree(de_ctx);
717  if (alp_tctx != NULL)
718  AppLayerParserThreadCtxFree(alp_tctx);
719  UTHFreePackets(&p, 1);
721  FLOW_DESTROY(&f);
722  return result;
723 }
724 
725 static int SigTest11 (void)
726 {
727  uint8_t *buf = (uint8_t *)
728  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
729  uint16_t buflen = strlen((char *)buf);
730  Packet *p = NULL;
731  ThreadVars th_v;
732  DetectEngineThreadCtx *det_ctx = NULL;
733  Flow f;
734  TcpSession ssn;
735  int result = 0;
736 
737  memset(&th_v, 0, sizeof(th_v));
738  memset(&f, 0, sizeof(f));
739  memset(&ssn, 0, sizeof(ssn));
740 
741  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
742 
743  FLOW_INITIALIZE(&f);
744  f.protoctx = (void *)&ssn;
745  f.proto = IPPROTO_TCP;
746  f.flags |= FLOW_IPV4;
747  p->flow = &f;
750  f.alproto = ALPROTO_HTTP;
751 
753 
755  if (de_ctx == NULL) {
756  goto end;
757  }
758 
759  de_ctx->flags |= DE_QUIET;
760 
761  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
762  if (de_ctx->sig_list == NULL) {
763  goto end;
764  }
765  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
766  if (de_ctx->sig_list->next == NULL) {
767  goto end;
768  }
769 
770  SigGroupBuild(de_ctx);
771  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
772 
773  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
774  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
775  result = 1;
776 
777  end:
779  SigGroupCleanup(de_ctx);
780  if (det_ctx)
781  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
782  DetectEngineCtxFree(de_ctx);
783  UTHFreePackets(&p, 1);
785  FLOW_DESTROY(&f);
786  return result;
787 }
788 
789 static int SigTest12 (void)
790 {
791  uint8_t *buf = (uint8_t *)
792  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
793  uint16_t buflen = strlen((char *)buf);
794  Packet *p = NULL;
795  ThreadVars th_v;
796  DetectEngineThreadCtx *det_ctx = NULL;
797  int result = 0;
798 
799  memset(&th_v, 0, sizeof(th_v));
800  Flow f;
801  memset(&f, 0, sizeof(Flow));
802 
803  FLOW_INITIALIZE(&f);
804 
805  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
806  p->flow = &f;
808 
810  if (de_ctx == NULL) {
811  goto end;
812  }
813 
814  de_ctx->flags |= DE_QUIET;
815 
816  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
817  if (de_ctx->sig_list == NULL) {
818  result = 0;
819  goto end;
820  }
821 
822  SigGroupBuild(de_ctx);
823  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
824 
825  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
826  if (PacketAlertCheck(p, 1))
827  result = 1;
828  else
829  result = 0;
830 
831  if (det_ctx != NULL)
832  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
833 end:
834  UTHFreePackets(&p, 1);
835  if (de_ctx != NULL) {
836  SigGroupCleanup(de_ctx);
837  SigCleanSignatures(de_ctx);
838  DetectEngineCtxFree(de_ctx);
839  }
840  FLOW_DESTROY(&f);
841  return result;
842 }
843 
844 static int SigTest13 (void)
845 {
846  uint8_t *buf = (uint8_t *)
847  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
848  uint16_t buflen = strlen((char *)buf);
849  Packet *p = NULL;
850  ThreadVars th_v;
851  DetectEngineThreadCtx *det_ctx = NULL;
852  int result = 0;
853 
854  memset(&th_v, 0, sizeof(th_v));
855  Flow f;
856  memset(&f, 0, sizeof(Flow));
857 
858  FLOW_INITIALIZE(&f);
859 
860  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
861  p->flow = &f;
863 
865  if (de_ctx == NULL) {
866  goto end;
867  }
868 
869  de_ctx->flags |= DE_QUIET;
870 
871  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
872  if (de_ctx->sig_list == NULL) {
873  result = 0;
874  goto end;
875  }
876 
877  SigGroupBuild(de_ctx);
878  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
879 
880  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
881  if (PacketAlertCheck(p, 1))
882  result = 1;
883  else
884  result = 0;
885 
886  SigGroupCleanup(de_ctx);
887  SigCleanSignatures(de_ctx);
888  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
889  DetectEngineCtxFree(de_ctx);
890 end:
891  UTHFreePackets(&p, 1);
892  FLOW_DESTROY(&f);
893  return result;
894 }
895 
896 static int SigTest14 (void)
897 {
898  uint8_t *buf = (uint8_t *)
899  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
900  uint16_t buflen = strlen((char *)buf);
901  Packet *p = NULL;
902  ThreadVars th_v;
903  DetectEngineThreadCtx *det_ctx = NULL;
904  int result = 0;
905 
906  memset(&th_v, 0, sizeof(th_v));
907 
908  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
909 
911  if (de_ctx == NULL) {
912  goto end;
913  }
914 
915  de_ctx->flags |= DE_QUIET;
916 
917  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
918  if (de_ctx->sig_list == NULL) {
919  result = 0;
920  goto end;
921  }
922 
923  SigGroupBuild(de_ctx);
924  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
925 
926  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
927  if (PacketAlertCheck(p, 1))
928  result = 0;
929  else
930  result = 1;
931 
932  SigGroupCleanup(de_ctx);
933  SigCleanSignatures(de_ctx);
934  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
935  DetectEngineCtxFree(de_ctx);
936 end:
937  UTHFreePackets(&p, 1);
938  return result;
939 }
940 
941 static int SigTest15 (void)
942 {
943  uint8_t *buf = (uint8_t *)
944  "CONNECT 213.92.8.7:31204 HTTP/1.1";
945  uint16_t buflen = strlen((char *)buf);
947  if (unlikely(p == NULL))
948  return 0;
949  ThreadVars th_v;
950  DetectEngineThreadCtx *det_ctx = NULL;
951  int result = 0;
952 
953  memset(&th_v, 0, sizeof(th_v));
954  memset(p, 0, SIZE_OF_PACKET);
955  p->src.family = AF_INET;
956  p->dst.family = AF_INET;
957  p->payload = buf;
958  p->payload_len = buflen;
959  p->proto = IPPROTO_TCP;
960  p->dp = 80;
961 
963  ConfInit();
964  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
965 
967  if (de_ctx == NULL) {
968  goto end;
969  }
970 
971  de_ctx->flags |= DE_QUIET;
972 
973  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
974  if (de_ctx->sig_list == NULL) {
975  result = 0;
976  goto end;
977  }
978 
979  SigGroupBuild(de_ctx);
980  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
981 
982  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
983  if (PacketAlertCheck(p, 2008284))
984  result = 0;
985  else
986  result = 1;
987 
988  SigGroupCleanup(de_ctx);
989  SigCleanSignatures(de_ctx);
990  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
991  DetectEngineCtxFree(de_ctx);
992 end:
993  ConfDeInit();
995  SCFree(p);
996  return result;
997 }
998 
999 static int SigTest16 (void)
1000 {
1001  uint8_t *buf = (uint8_t *)
1002  "CONNECT 213.92.8.7:31204 HTTP/1.1";
1003  uint16_t buflen = strlen((char *)buf);
1004  Packet *p = NULL;
1005  ThreadVars th_v;
1006  DetectEngineThreadCtx *det_ctx = NULL;
1007  int result = 0;
1008 
1009  memset(&th_v, 0, sizeof(th_v));
1010  memset(&p, 0, sizeof(p));
1011 
1012  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
1013 
1015  ConfInit();
1016  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1017 
1019  if (de_ctx == NULL) {
1020  goto end;
1021  }
1022 
1023  de_ctx->flags |= DE_QUIET;
1024 
1025  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
1026  if (de_ctx->sig_list == NULL) {
1027  goto end;
1028  }
1029 
1030  SigGroupBuild(de_ctx);
1031  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1032 
1033  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1034  if (PacketAlertCheck(p, 2008284))
1035  result = 1;
1036  else
1037  printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
1038 
1039  SigGroupCleanup(de_ctx);
1040  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1041  DetectEngineCtxFree(de_ctx);
1042 end:
1043  ConfDeInit();
1045  UTHFreePackets(&p, 1);
1046  return result;
1047 }
1048 
1049 static int SigTest17 (void)
1050 {
1051  uint8_t *buf = (uint8_t *)
1052  "GET /one/ HTTP/1.1\r\n" /* 20 */
1053  "Host: one.example.org\r\n" /* 23, 43 */
1054  "\r\n\r\n" /* 4, 47 */
1055  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
1056  "Host: two.example.org\r\n" /* 23, 90 */
1057  "\r\n\r\n"; /* 4, 94 */
1058  uint16_t buflen = strlen((char *)buf);
1059  Packet *p = NULL;
1060  ThreadVars th_v;
1061  DetectEngineThreadCtx *det_ctx = NULL;
1062  memset(&th_v, 0, sizeof(th_v));
1063 
1064  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
1065  FAIL_IF_NULL(p);
1066 
1068  ConfInit();
1069  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1070 
1072  FAIL_IF_NULL(de_ctx);
1073  de_ctx->flags |= DE_QUIET;
1074 
1075  Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
1076  FAIL_IF_NULL(s);
1077 
1078  SigGroupBuild(de_ctx);
1079  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1080  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1081 
1082  uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
1083 
1084  PktVar *pv_hn = PktVarGet(p, capid);
1085  FAIL_IF_NULL(pv_hn);
1086 
1087  FAIL_IF(pv_hn->value_len != 15);
1088  FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
1089 
1090  PktVarFree(pv_hn);
1091  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1092  DetectEngineCtxFree(de_ctx);
1093  ConfDeInit();
1095  UTHFreePackets(&p, 1);
1096 
1097  PASS;
1098 }
1099 
1100 static int SigTest18 (void)
1101 {
1102  uint8_t *buf = (uint8_t *)
1103  "220 (vsFTPd 2.0.5)\r\n";
1104  uint16_t buflen = strlen((char *)buf);
1106  if (unlikely(p == NULL))
1107  return 0;
1108  ThreadVars th_v;
1109  DetectEngineThreadCtx *det_ctx = NULL;
1110  int result = 0;
1111 
1112  memset(&th_v, 0, sizeof(th_v));
1113  memset(p, 0, SIZE_OF_PACKET);
1114  p->src.family = AF_INET;
1115  p->dst.family = AF_INET;
1116  p->payload = buf;
1117  p->payload_len = buflen;
1118  p->proto = IPPROTO_TCP;
1119  p->dp = 34260;
1120  p->sp = 21;
1121 
1123  if (de_ctx == NULL) {
1124  goto end;
1125  }
1126 
1127  de_ctx->flags |= DE_QUIET;
1128 
1129  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
1130  if (de_ctx->sig_list == NULL) {
1131  result = 0;
1132  goto end;
1133  }
1134 
1135  SigGroupBuild(de_ctx);
1136  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1137 
1138  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1139  if (!PacketAlertCheck(p, 2003055))
1140  result = 1;
1141  else
1142  printf("signature shouldn't match, but did: ");
1143 
1144  SigGroupCleanup(de_ctx);
1145  SigCleanSignatures(de_ctx);
1146  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1147  DetectEngineCtxFree(de_ctx);
1148 end:
1149  SCFree(p);
1150  return result;
1151 }
1152 
1153 static int SigTest19 (void)
1154 {
1155  uint8_t *buf = (uint8_t *)
1156  "220 (vsFTPd 2.0.5)\r\n";
1157  uint16_t buflen = strlen((char *)buf);
1159  if (unlikely(p == NULL))
1160  return 0;
1161  ThreadVars th_v;
1162  DetectEngineThreadCtx *det_ctx = NULL;
1163  int result = 0;
1164 
1165  memset(&th_v, 0, sizeof(th_v));
1166  memset(p, 0, SIZE_OF_PACKET);
1167  p->src.family = AF_INET;
1168  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1169  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1170  p->dst.family = AF_INET;
1171  p->payload = buf;
1172  p->payload_len = buflen;
1173  p->proto = IPPROTO_TCP;
1174  p->dp = 34260;
1175  p->sp = 21;
1177 
1179  ConfInit();
1180  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1181 
1183  if (de_ctx == NULL) {
1184  goto end;
1185  }
1186 
1187  de_ctx->flags |= DE_QUIET;
1188 
1189  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1190  if (de_ctx->sig_list == NULL) {
1191  result = 0;
1192  goto end;
1193  }
1194 
1195  SigGroupBuild(de_ctx);
1196  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1197 
1198  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1199  if (PacketAlertCheck(p, 999))
1200  result = 1;
1201  else
1202  printf("signature didn't match, but should have: ");
1203 
1204  SigGroupCleanup(de_ctx);
1205  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1206  DetectEngineCtxFree(de_ctx);
1207 end:
1208  ConfDeInit();
1210  SCFree(p);
1211  return result;
1212 }
1213 
1214 static int SigTest20 (void)
1215 {
1216  uint8_t *buf = (uint8_t *)
1217  "220 (vsFTPd 2.0.5)\r\n";
1218  uint16_t buflen = strlen((char *)buf);
1220  if (unlikely(p == NULL))
1221  return 0;
1222  ThreadVars th_v;
1223  DetectEngineThreadCtx *det_ctx = NULL;
1224  int result = 0;
1225 
1226  memset(&th_v, 0, sizeof(th_v));
1227  memset(p, 0, SIZE_OF_PACKET);
1228  p->src.family = AF_INET;
1229  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1230  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1231  p->dst.family = AF_INET;
1232  p->payload = buf;
1233  p->payload_len = buflen;
1234  p->proto = IPPROTO_TCP;
1235  p->dp = 34260;
1236  p->sp = 21;
1238 
1240  ConfInit();
1241  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1242 
1244  if (de_ctx == NULL) {
1245  goto end;
1246  }
1247 
1248  de_ctx->flags |= DE_QUIET;
1249 
1250  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1251  if (de_ctx->sig_list == NULL) {
1252  result = 0;
1253  goto end;
1254  }
1255 
1256  SigGroupBuild(de_ctx);
1257  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1258 
1259  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1260  if (PacketAlertCheck(p, 999))
1261  result = 1;
1262  else
1263  printf("signature didn't match, but should have: ");
1264 
1265  SigGroupCleanup(de_ctx);
1266  SigCleanSignatures(de_ctx);
1267  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1268  DetectEngineCtxFree(de_ctx);
1269 end:
1270  ConfDeInit();
1272  SCFree(p);
1273  return result;
1274 }
1275 
1276 static int SigTest21 (void)
1277 {
1278  ThreadVars th_v;
1279  memset(&th_v, 0, sizeof(th_v));
1280  DetectEngineThreadCtx *det_ctx = NULL;
1281  int result = 0;
1282 
1283  Flow f;
1284  memset(&f, 0, sizeof(f));
1285  FLOW_INITIALIZE(&f);
1286 
1287  /* packet 1 */
1288  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1289  "\r\n\r\n";
1290  uint16_t buf1len = strlen((char *)buf1);
1291  Packet *p1 = NULL;
1292  /* packet 2 */
1293  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1294  "\r\n\r\n";
1295  uint16_t buf2len = strlen((char *)buf2);
1296  Packet *p2 = NULL;
1297 
1298  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1299  p1->flow = &f;
1301  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1302  p2->flow = &f;
1304 
1306  if (de_ctx == NULL) {
1307  goto end;
1308  }
1309 
1310  de_ctx->flags |= DE_QUIET;
1311 
1312  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1313  if (de_ctx->sig_list == NULL) {
1314  result = 0;
1315  goto end;
1316  }
1317  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1318  if (de_ctx->sig_list == NULL) {
1319  result = 0;
1320  goto end;
1321  }
1322 
1323  SigGroupBuild(de_ctx);
1324  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1325 
1326  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1327  if (PacketAlertCheck(p1, 1)) {
1328  printf("sid 1 alerted, but shouldn't: ");
1329  goto end;
1330  }
1331  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1332  if (!(PacketAlertCheck(p2, 2))) {
1333  printf("sid 2 didn't alert, but should have: ");
1334  goto end;
1335  }
1336 
1337  result = 1;
1338 end:
1339  if (de_ctx != NULL) {
1340  SigGroupCleanup(de_ctx);
1341  SigCleanSignatures(de_ctx);
1342 
1343  if (det_ctx != NULL) {
1344  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1345  }
1346  }
1347  DetectEngineCtxFree(de_ctx);
1348  UTHFreePackets(&p1, 1);
1349  UTHFreePackets(&p2, 1);
1350  FLOW_DESTROY(&f);
1351  return result;
1352 }
1353 
1354 static int SigTest22 (void)
1355 {
1356  ThreadVars th_v;
1357  memset(&th_v, 0, sizeof(th_v));
1358  DetectEngineThreadCtx *det_ctx = NULL;
1359  int result = 0;
1360 
1361  Flow f;
1362  memset(&f, 0, sizeof(f));
1363  FLOW_INITIALIZE(&f);
1364 
1365  /* packet 1 */
1366  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1367  "\r\n\r\n";
1368  uint16_t buf1len = strlen((char *)buf1);
1369  Packet *p1 = NULL;
1370 
1371  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1372  p1->flow = &f;
1374 
1375  /* packet 2 */
1376  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1377  "\r\n\r\n";
1378  uint16_t buf2len = strlen((char *)buf2);
1379  Packet *p2 = NULL;
1380 
1381  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1382  p2->flow = &f;
1384 
1386  if (de_ctx == NULL) {
1387  goto end;
1388  }
1389 
1390  de_ctx->flags |= DE_QUIET;
1391 
1392  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1393  if (de_ctx->sig_list == NULL) {
1394  result = 0;
1395  goto end;
1396  }
1397  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1398  if (de_ctx->sig_list == NULL) {
1399  result = 0;
1400  goto end;
1401  }
1402 
1403  SigGroupBuild(de_ctx);
1404  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1405 
1406  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1407  if (PacketAlertCheck(p1, 1)) {
1408  printf("sid 1 alerted, but shouldn't: ");
1409  goto end;
1410  }
1411  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1412  if (!(PacketAlertCheck(p2, 2)))
1413  result = 1;
1414  else
1415  printf("sid 2 alerted, but shouldn't: ");
1416 
1417  SigGroupCleanup(de_ctx);
1418  SigCleanSignatures(de_ctx);
1419 
1420  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1421  DetectEngineCtxFree(de_ctx);
1422 end:
1423  UTHFreePackets(&p1, 1);
1424  UTHFreePackets(&p2, 1);
1425  FLOW_DESTROY(&f);
1426  return result;
1427 }
1428 
1429 static int SigTest23 (void)
1430 {
1431  ThreadVars th_v;
1432  memset(&th_v, 0, sizeof(th_v));
1433  DetectEngineThreadCtx *det_ctx = NULL;
1434  int result = 0;
1435 
1436  Flow f;
1437  memset(&f, 0, sizeof(f));
1438  FLOW_INITIALIZE(&f);
1439 
1440  /* packet 1 */
1441  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1442  "\r\n\r\n";
1443  uint16_t buf1len = strlen((char *)buf1);
1444  Packet *p1 = NULL;
1445 
1446  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1447  p1->flow = &f;
1449 
1450  /* packet 2 */
1451  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1452  "\r\n\r\n";
1453  uint16_t buf2len = strlen((char *)buf2);
1454  Packet *p2 = NULL;
1455 
1456  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1457  p2->flow = &f;
1459 
1461  if (de_ctx == NULL) {
1462  goto end;
1463  }
1464 
1465  de_ctx->flags |= DE_QUIET;
1466 
1467  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1468  if (de_ctx->sig_list == NULL) {
1469  result = 0;
1470  goto end;
1471  }
1472  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1473  if (de_ctx->sig_list == NULL) {
1474  result = 0;
1475  goto end;
1476  }
1477 
1478  SigGroupBuild(de_ctx);
1479  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1480 
1481  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1482  if (PacketAlertCheck(p1, 1)) {
1483  printf("sid 1 alerted, but shouldn't: ");
1484  goto end;
1485  }
1486  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1487  if (PacketAlertCheck(p2, 2))
1488  result = 1;
1489  else
1490  printf("sid 2 didn't alert, but should have: ");
1491 
1492  SigGroupCleanup(de_ctx);
1493  SigCleanSignatures(de_ctx);
1494 
1495  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1496  DetectEngineCtxFree(de_ctx);
1497 end:
1498  UTHFreePackets(&p1, 1);
1499  UTHFreePackets(&p2, 1);
1500  FLOW_DESTROY(&f);
1501  return result;
1502 }
1503 
1504 static int SigTest24IPV4Keyword(void)
1505 {
1506  uint8_t valid_raw_ipv4[] = {
1507  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1508  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1509  0xc0, 0xa8, 0x01, 0x03};
1510 
1511  uint8_t invalid_raw_ipv4[] = {
1512  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1513  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1514  0xc0, 0xa8, 0x01, 0x06};
1515 
1517  if (unlikely(p1 == NULL))
1518  return 0;
1520  if (unlikely(p2 == NULL)) {
1521  SCFree(p1);
1522  return 0;
1523  }
1524  ThreadVars th_v;
1525  DetectEngineThreadCtx *det_ctx = NULL;
1526  int result = 0;
1527 
1528  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1529  "\r\n\r\n";
1530  uint16_t buflen = strlen((char *)buf);
1531 
1532  memset(&th_v, 0, sizeof(ThreadVars));
1533  memset(p1, 0, SIZE_OF_PACKET);
1534  memset(p2, 0, SIZE_OF_PACKET);
1537 
1538  p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1539 
1540  p1->src.family = AF_INET;
1541  p1->dst.family = AF_INET;
1542  p1->payload = buf;
1543  p1->payload_len = buflen;
1544  p1->proto = IPPROTO_TCP;
1545 
1546  p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1547 
1548  p2->src.family = AF_INET;
1549  p2->dst.family = AF_INET;
1550  p2->payload = buf;
1551  p2->payload_len = buflen;
1552  p2->proto = IPPROTO_TCP;
1553 
1555  if (de_ctx == NULL) {
1556  goto end;
1557  }
1558 
1559  de_ctx->flags |= DE_QUIET;
1560 
1561  de_ctx->sig_list = SigInit(de_ctx,
1562  "alert ip any any -> any any "
1563  "(content:\"/one/\"; ipv4-csum:valid; "
1564  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1565  if (de_ctx->sig_list == NULL) {
1566  printf("sig 1 parse: ");
1567  goto end;
1568  }
1569 
1570  de_ctx->sig_list->next = SigInit(de_ctx,
1571  "alert ip any any -> any any "
1572  "(content:\"/one/\"; ipv4-csum:invalid; "
1573  "msg:\"ipv4-csum keyword check(1)\"; "
1574  "sid:2;)");
1575  if (de_ctx->sig_list->next == NULL) {
1576  printf("sig 2 parse: ");
1577  goto end;
1578  }
1579 
1580  SigGroupBuild(de_ctx);
1581  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1582 
1583  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1584  if (!(PacketAlertCheck(p1, 1))) {
1585  printf("signature 1 didn't match, but should have: ");
1586  goto end;
1587  }
1588 
1589  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1590  if (!((PacketAlertCheck(p2, 2)))) {
1591  printf("signature 2 didn't match, but should have: ");
1592  goto end;
1593  }
1594 
1595  result = 1;
1596 end:
1597  if (det_ctx != NULL) {
1598  SigGroupCleanup(de_ctx);
1599  SigCleanSignatures(de_ctx);
1600  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1601  DetectEngineCtxFree(de_ctx);
1602  }
1603  SCFree(p1);
1604  SCFree(p2);
1605  return result;
1606 }
1607 
1608 static int SigTest25NegativeIPV4Keyword(void)
1609 {
1610  uint8_t valid_raw_ipv4[] = {
1611  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1612  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1613  0xc0, 0xa8, 0x01, 0x03};
1614 
1615  uint8_t invalid_raw_ipv4[] = {
1616  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1617  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1618  0xc0, 0xa8, 0x01, 0x06};
1619 
1621  if (unlikely(p1 == NULL))
1622  return 0;
1624  if (unlikely(p2 == NULL)) {
1625  SCFree(p1);
1626  return 0;
1627  }
1628  ThreadVars th_v;
1629  DetectEngineThreadCtx *det_ctx = NULL;
1630  int result = 1;
1631 
1632  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1633  "\r\n\r\n";
1634  uint16_t buflen = strlen((char *)buf);
1635 
1636  memset(&th_v, 0, sizeof(ThreadVars));
1637  memset(p1, 0, SIZE_OF_PACKET);
1638  memset(p2, 0, SIZE_OF_PACKET);
1641 
1642  p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1643 
1644  p1->src.family = AF_INET;
1645  p1->dst.family = AF_INET;
1646  p1->payload = buf;
1647  p1->payload_len = buflen;
1648  p1->proto = IPPROTO_TCP;
1649 
1650  p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1651 
1652  p2->src.family = AF_INET;
1653  p2->dst.family = AF_INET;
1654  p2->payload = buf;
1655  p2->payload_len = buflen;
1656  p2->proto = IPPROTO_TCP;
1657 
1659  if (de_ctx == NULL) {
1660  goto end;
1661  }
1662 
1663  de_ctx->flags |= DE_QUIET;
1664 
1665  de_ctx->sig_list = SigInit(de_ctx,
1666  "alert ip any any -> any any "
1667  "(content:\"/one/\"; ipv4-csum:invalid; "
1668  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1669  if (de_ctx->sig_list == NULL) {
1670  result &= 0;
1671  goto end;
1672  }
1673 
1674  de_ctx->sig_list->next = SigInit(de_ctx,
1675  "alert ip any any -> any any "
1676  "(content:\"/one/\"; ipv4-csum:valid; "
1677  "msg:\"ipv4-csum keyword check(1)\"; "
1678  "sid:2;)");
1679  if (de_ctx->sig_list->next == NULL) {
1680  result &= 0;
1681  goto end;
1682  }
1683 
1684  SigGroupBuild(de_ctx);
1685  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1686 
1687  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1688  if (PacketAlertCheck(p1, 1))
1689  result &= 0;
1690  else
1691  result &= 1;
1692 
1693  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1694  if (PacketAlertCheck(p2, 2))
1695  result &= 0;
1696  else
1697  result &= 1;
1698 
1699  SigGroupCleanup(de_ctx);
1700  SigCleanSignatures(de_ctx);
1701  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1702  DetectEngineCtxFree(de_ctx);
1703 end:
1704  SCFree(p1);
1705  SCFree(p2);
1706  return result;
1707 }
1708 
1709 static int SigTest26TCPV4Keyword(void)
1710 {
1711  uint8_t raw_ipv4[] = {
1712  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1713  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1714  0xc0, 0xa8, 0x01, 0x03};
1715 
1716  uint8_t valid_raw_tcp[] = {
1717  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1718  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1719  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1720  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1721  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1722 
1723  uint8_t invalid_raw_tcp[] = {
1724  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1725  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1726  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1727  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1728  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1729 
1731  if (unlikely(p1 == NULL))
1732  return 0;
1733 
1735  if (unlikely(p2 == NULL)) {
1736  SCFree(p1);
1737  return 0;
1738  }
1739 
1740  ThreadVars th_v;
1741  DetectEngineThreadCtx *det_ctx = NULL;
1742 
1743  memset(&th_v, 0, sizeof(ThreadVars));
1744  memset(p1, 0, SIZE_OF_PACKET);
1745  memset(p2, 0, SIZE_OF_PACKET);
1746 
1747  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1748  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1749 
1750  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1751  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1752 
1754  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1755  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1756  p1->src.family = AF_INET;
1757  p1->dst.family = AF_INET;
1758  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1759  p1->payload_len = 20;
1760  p1->proto = IPPROTO_TCP;
1761 
1763  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1764  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1765  p2->src.family = AF_INET;
1766  p2->dst.family = AF_INET;
1767  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1768  p2->payload_len = 20;
1769  p2->proto = IPPROTO_TCP;
1770 
1772  FAIL_IF_NULL(de_ctx);
1773 
1774  de_ctx->flags |= DE_QUIET;
1775 
1776  de_ctx->sig_list = SigInit(de_ctx,
1777  "alert ip any any -> any any "
1778  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1779  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1780  FAIL_IF_NULL(de_ctx->sig_list);
1781 
1782  de_ctx->sig_list->next = SigInit(de_ctx,
1783  "alert ip any any -> any any "
1784  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1785  "msg:\"tcpv4-csum keyword check(1)\"; "
1786  "sid:2;)");
1787  FAIL_IF_NULL(de_ctx->sig_list->next);
1788 
1789  SigGroupBuild(de_ctx);
1790  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1791 
1792  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1793  FAIL_IF(!(PacketAlertCheck(p1, 1)));
1794 
1795  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1796  FAIL_IF(!(PacketAlertCheck(p2, 2)));
1797 
1798  SigGroupCleanup(de_ctx);
1799  SigCleanSignatures(de_ctx);
1800  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1801  DetectEngineCtxFree(de_ctx);
1802  SCFree(p1);
1803  SCFree(p2);
1804  PASS;
1805 }
1806 
1807 /* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
1808 static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1809 {
1810  uint8_t raw_ipv4[] = {
1811  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1812  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1813  0xc0, 0xa8, 0x01, 0x03};
1814 
1815  uint8_t valid_raw_tcp[] = {
1816  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1817  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1818  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1819  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1820  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1821 
1822  uint8_t invalid_raw_tcp[] = {
1823  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1824  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1825  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1826  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1827  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1828 
1830  if (unlikely(p1 == NULL))
1831  return 0;
1832 
1834  if (unlikely(p2 == NULL)) {
1835  SCFree(p1);
1836  return 0;
1837  }
1838 
1839  ThreadVars th_v;
1840  DetectEngineThreadCtx *det_ctx = NULL;
1841  int result = 0;
1842 
1843  memset(&th_v, 0, sizeof(ThreadVars));
1844  memset(p1, 0, SIZE_OF_PACKET);
1845  memset(p2, 0, SIZE_OF_PACKET);
1846 
1847  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1848  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1849 
1850  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1851  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1852 
1854  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1855  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1856  p1->src.family = AF_INET;
1857  p1->dst.family = AF_INET;
1858  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1859  p1->payload_len = 20;
1860  p1->proto = IPPROTO_TCP;
1861 
1863  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1864  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1865  p2->src.family = AF_INET;
1866  p2->dst.family = AF_INET;
1867  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1868  p2->payload_len = 20;
1869  p2->proto = IPPROTO_TCP;
1870 
1872  if (de_ctx == NULL) {
1873  goto end;
1874  }
1875 
1876  de_ctx->flags |= DE_QUIET;
1877 
1878  de_ctx->sig_list = SigInit(de_ctx,
1879  "alert ip any any -> any any "
1880  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1881  "ipv4-csum:invalid; "
1882  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1883  if (de_ctx->sig_list == NULL) {
1884  goto end;
1885  }
1886 
1887  de_ctx->sig_list->next = SigInit(de_ctx,
1888  "alert ip any any -> any any "
1889  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1890  "ipv4-csum:invalid; "
1891  "msg:\"tcpv4-csum keyword check(1)\"; "
1892  "sid:2;)");
1893  if (de_ctx->sig_list->next == NULL) {
1894  goto end;
1895  }
1896 
1897  SigGroupBuild(de_ctx);
1898  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1899 
1900  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1901  if (!(PacketAlertCheck(p1, 1))) {
1902  printf("sig 1 didn't match: ");
1903  goto end;
1904  }
1905 
1906  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1907  if (!(PacketAlertCheck(p2, 2))) {
1908  printf("sig 2 didn't match: ");
1909  goto end;
1910  }
1911 
1912  result = 1;
1913 end:
1914  SigGroupCleanup(de_ctx);
1915  SigCleanSignatures(de_ctx);
1916  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1917  DetectEngineCtxFree(de_ctx);
1918  SCFree(p1);
1919  SCFree(p2);
1920  return result;
1921 }
1922 
1923 /* Similar to SigTest26, but with different packet */
1924 static int SigTest26TCPV4AndIPV4Keyword(void)
1925 {
1926  /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1927  * TTL: 64 Flags: Don't Fragment
1928  */
1929  uint8_t raw_ipv4[] = {
1930  0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1931  0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1932  0xc0, 0xa8, 0xb0, 0x74};
1933 
1934  /* TCP: sport: 49517 dport: 445 Flags: SYN
1935  * Window size: 65535, checksum: 0x2009,
1936  * MTU: 1460, Window scale: 4, TSACK permitted,
1937  * 24 bytes of options, no payload.
1938  */
1939  uint8_t valid_raw_tcp[] = {
1940  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1941  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1942  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1943  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1944  0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1945  0x04, 0x02, 0x00, 0x00};
1946 
1947  uint8_t invalid_raw_tcp[] = {
1948  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1949  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1950  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1951  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1952  0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1953  0x04, 0x02, 0x00, 0x00};
1954 
1956  if (unlikely(p1 == NULL))
1957  return 0;
1958 
1960  if (unlikely(p2 == NULL)) {
1961  SCFree(p1);
1962  return 0;
1963  }
1964 
1965  ThreadVars th_v;
1966  DetectEngineThreadCtx *det_ctx = NULL;
1967  int result = 0;
1968 
1969  memset(&th_v, 0, sizeof(ThreadVars));
1970  memset(p1, 0, SIZE_OF_PACKET);
1971  memset(p2, 0, SIZE_OF_PACKET);
1972 
1973  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1974  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1975 
1976  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1977  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1978 
1980  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1981  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1982  p1->src.family = AF_INET;
1983  p1->dst.family = AF_INET;
1984  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1985  p1->payload_len = 0;
1986  p1->proto = IPPROTO_TCP;
1987 
1989  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1990  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1991  p2->src.family = AF_INET;
1992  p2->dst.family = AF_INET;
1993  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1994  p2->payload_len = 0;
1995  p2->proto = IPPROTO_TCP;
1996 
1998  if (de_ctx == NULL) {
1999  goto end;
2000  }
2001 
2002  de_ctx->flags |= DE_QUIET;
2003 
2004  de_ctx->sig_list = SigInit(de_ctx,
2005  "alert ip any any -> any any "
2006  "(tcpv4-csum:valid; "
2007  "ipv4-csum:valid; "
2008  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
2009  if (de_ctx->sig_list == NULL) {
2010  goto end;
2011  }
2012 
2013  de_ctx->sig_list->next = SigInit(de_ctx,
2014  "alert ip any any -> any any "
2015  "(tcpv4-csum:invalid; "
2016  "ipv4-csum:valid; "
2017  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
2018  "sid:2;)");
2019  if (de_ctx->sig_list->next == NULL) {
2020  goto end;
2021  }
2022 
2023  SigGroupBuild(de_ctx);
2024  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2025 
2026  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2027  if (!(PacketAlertCheck(p1, 1))) {
2028  printf("sig 1 didn't match: ");
2029  goto end;
2030  }
2031 
2032  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2033  if (!(PacketAlertCheck(p2, 2))) {
2034  printf("sig 2 didn't match: ");
2035  goto end;
2036  }
2037 
2038  result = 1;
2039 end:
2040  SigGroupCleanup(de_ctx);
2041  SigCleanSignatures(de_ctx);
2042  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2043  DetectEngineCtxFree(de_ctx);
2044  SCFree(p1);
2045  SCFree(p2);
2046  return result;
2047 }
2048 
2049 static int SigTest27NegativeTCPV4Keyword(void)
2050 {
2051  uint8_t raw_ipv4[] = {
2052  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2053  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2054  0xc0, 0xa8, 0x01, 0x03};
2055 
2056  uint8_t valid_raw_tcp[] = {
2057  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2058  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2059  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2060  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2061  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
2062 
2063  uint8_t invalid_raw_tcp[] = {
2064  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2065  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2066  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2067  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2068  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2069 
2070 
2072  if (unlikely(p1 == NULL))
2073  return 0;
2075  if (unlikely(p2 == NULL)) {
2076  SCFree(p1);
2077  return 0;
2078  }
2079  ThreadVars th_v;
2080  DetectEngineThreadCtx *det_ctx = NULL;
2081  int result = 0;
2082 
2083  memset(&th_v, 0, sizeof(ThreadVars));
2084  memset(p1, 0, SIZE_OF_PACKET);
2085  memset(p2, 0, SIZE_OF_PACKET);
2086 
2087  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
2088  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
2089 
2090  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
2091  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
2092 
2094  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
2095  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
2096  p1->src.family = AF_INET;
2097  p1->dst.family = AF_INET;
2098  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
2099  p1->payload_len = 20;
2100  p1->proto = IPPROTO_TCP;
2101 
2103  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
2104  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
2105  p2->src.family = AF_INET;
2106  p2->dst.family = AF_INET;
2107  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
2108  p2->payload_len = 20;
2109  p2->proto = IPPROTO_TCP;
2110 
2112  if (de_ctx == NULL) {
2113  goto end;
2114  }
2115 
2116  de_ctx->flags |= DE_QUIET;
2117 
2118  de_ctx->sig_list = SigInit(de_ctx,
2119  "alert tcp any any -> any any "
2120  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2121  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2122  if (de_ctx->sig_list == NULL) {
2123  goto end;
2124  }
2125 
2126  de_ctx->sig_list->next = SigInit(de_ctx,
2127  "alert tcp any any -> any any "
2128  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2129  "msg:\"tcpv4-csum keyword check(2)\"; "
2130  "sid:2;)");
2131  if (de_ctx->sig_list->next == NULL) {
2132  goto end;
2133  }
2134 
2135  SigGroupBuild(de_ctx);
2136  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2137 
2138  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2139  if (!PacketAlertCheck(p1, 1)) {
2140  printf("sig 1 didn't match on p1: ");
2141  goto end;
2142  }
2143 
2144  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2145  if (PacketAlertCheck(p2, 2)) {
2146  printf("sig 2 matched on p2: ");
2147  goto end;
2148  }
2149 
2150  result = 1;
2151 end:
2152  SigGroupCleanup(de_ctx);
2153  SigCleanSignatures(de_ctx);
2154  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2155  DetectEngineCtxFree(de_ctx);
2156  SCFree(p1);
2157  SCFree(p2);
2158  return result;
2159 }
2160 
2161 static int SigTest28TCPV6Keyword(void)
2162 {
2163  static uint8_t valid_raw_ipv6[] = {
2164  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2165  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2166 
2167  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2168  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2169  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2170  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2171  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2172 
2173  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2174  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2175  0xf2, 0xf1, 0x00, 0x00,
2176 
2177  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2178  0x00, 0x01, 0x69, 0x27};
2179 
2180  static uint8_t invalid_raw_ipv6[] = {
2181  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2182  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2183 
2184  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2185  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2186  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2187  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2188  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2189 
2190  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2191  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2192  0xc2, 0xf1, 0x00, 0x00,
2193 
2194  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2195  0x00, 0x01, 0x69, 0x28};
2196 
2198  if (unlikely(p1 == NULL))
2199  return 0;
2201  if (unlikely(p2 == NULL)) {
2202  SCFree(p1);
2203  return 0;
2204  }
2205  ThreadVars th_v;
2206  DetectEngineThreadCtx *det_ctx = NULL;
2207  int result = 0;
2208 
2209  memset(&th_v, 0, sizeof(ThreadVars));
2210  memset(p1, 0, SIZE_OF_PACKET);
2211  memset(p2, 0, SIZE_OF_PACKET);
2212 
2214  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2215  p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2216  p1->src.family = AF_INET;
2217  p1->dst.family = AF_INET;
2218  p1->payload = valid_raw_ipv6 + 54 + 20;
2219  p1->payload_len = 12;
2220  p1->proto = IPPROTO_TCP;
2221 
2222  if (TCP_GET_HLEN(p1) != 20) {
2223  BUG_ON(1);
2224  }
2225 
2227  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2228  p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2229  p2->src.family = AF_INET;
2230  p2->dst.family = AF_INET;
2231  p2->payload = invalid_raw_ipv6 + 54 + 20;;
2232  p2->payload_len = 12;
2233  p2->proto = IPPROTO_TCP;
2234 
2235  if (TCP_GET_HLEN(p2) != 20) {
2236  BUG_ON(1);
2237  }
2238 
2240  if (de_ctx == NULL) {
2241  goto end;
2242  }
2243 
2244  de_ctx->flags |= DE_QUIET;
2245 
2246  de_ctx->sig_list = SigInit(de_ctx,
2247  "alert tcp any any -> any any "
2248  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2249  "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2250  if (de_ctx->sig_list == NULL) {
2251  goto end;
2252  }
2253 
2254  de_ctx->sig_list->next = SigInit(de_ctx,
2255  "alert tcp any any -> any any "
2256  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2257  "msg:\"tcpv6-csum keyword check(1)\"; "
2258  "sid:2;)");
2259  if (de_ctx->sig_list->next == NULL) {
2260  goto end;
2261  }
2262 
2263  SigGroupBuild(de_ctx);
2264  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2265 
2266  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2267  if (!(PacketAlertCheck(p1, 1))) {
2268  printf("sid 1 didn't match on p1: ");
2269  goto end;
2270  }
2271 
2272  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2273  if (!(PacketAlertCheck(p2, 2))) {
2274  printf("sid 2 didn't match on p2: ");
2275  goto end;
2276  }
2277 
2278  result = 1;
2279 end:
2280  SigGroupCleanup(de_ctx);
2281  SigCleanSignatures(de_ctx);
2282  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2283  DetectEngineCtxFree(de_ctx);
2284  SCFree(p1);
2285  SCFree(p2);
2286  return result;
2287 }
2288 
2289 static int SigTest29NegativeTCPV6Keyword(void)
2290 {
2291  static uint8_t valid_raw_ipv6[] = {
2292  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2293  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2294 
2295  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2296  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2297  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2298  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2299  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2300 
2301  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2302  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2303  0xf2, 0xf1, 0x00, 0x00,
2304 
2305  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2306  0x00, 0x01, 0x69, 0x27};
2307 
2308  static uint8_t invalid_raw_ipv6[] = {
2309  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2310  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2311 
2312  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2313  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2314  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2315  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2316  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2317 
2318  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2319  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2320  0xc2, 0xf1, 0x00, 0x00,
2321 
2322  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2323  0x00, 0x01, 0x69, 0x28};
2324 
2326  if (unlikely(p1 == NULL))
2327  return 0;
2329  if (unlikely(p2 == NULL)) {
2330  SCFree(p1);
2331  return 0;
2332  }
2333  ThreadVars th_v;
2334  DetectEngineThreadCtx *det_ctx = NULL;
2335  int result = 0;
2336 
2337  memset(&th_v, 0, sizeof(ThreadVars));
2338  memset(p1, 0, SIZE_OF_PACKET);
2339  memset(p2, 0, SIZE_OF_PACKET);
2340 
2342  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2343  p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2344  p1->src.family = AF_INET;
2345  p1->dst.family = AF_INET;
2346  p1->payload = valid_raw_ipv6 + 54 + 20;
2347  p1->payload_len = 12;
2348  p1->proto = IPPROTO_TCP;
2349 
2350  if (TCP_GET_HLEN(p1) != 20) {
2351  BUG_ON(1);
2352  }
2353 
2355  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2356  p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2357  p2->src.family = AF_INET;
2358  p2->dst.family = AF_INET;
2359  p2->payload = invalid_raw_ipv6 + 54 + 20;;
2360  p2->payload_len = 12;
2361  p2->proto = IPPROTO_TCP;
2362 
2363  if (TCP_GET_HLEN(p2) != 20) {
2364  BUG_ON(1);
2365  }
2366 
2368  if (de_ctx == NULL) {
2369  goto end;
2370  }
2371 
2372  de_ctx->flags |= DE_QUIET;
2373 
2374  de_ctx->sig_list = SigInit(de_ctx,
2375  "alert tcp any any -> any any "
2376  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2377  "msg:\"tcpv6-csum keyword check(1)\"; "
2378  "sid:1;)");
2379  if (de_ctx->sig_list == NULL) {
2380  goto end;
2381  }
2382 
2383  de_ctx->sig_list->next = SigInit(de_ctx,
2384  "alert tcp any any -> any any "
2385  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2386  "msg:\"tcpv6-csum keyword check(1)\"; "
2387  "sid:2;)");
2388  if (de_ctx->sig_list->next == NULL) {
2389  goto end;
2390  }
2391 
2392  SigGroupBuild(de_ctx);
2393  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2394 
2395  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2396  if (PacketAlertCheck(p1, 1))
2397  goto end;
2398 
2399  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2400  if (PacketAlertCheck(p2, 2))
2401  goto end;
2402 
2403  result = 1;
2404 end:
2405  SigGroupCleanup(de_ctx);
2406  SigCleanSignatures(de_ctx);
2407  if (det_ctx != NULL)
2408  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2409  DetectEngineCtxFree(de_ctx);
2410  SCFree(p1);
2411  SCFree(p2);
2412  return result;
2413 }
2414 
2415 static int SigTest30UDPV4Keyword(void)
2416 {
2417  uint8_t raw_ipv4[] = {
2418  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2419  0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2420  0xc0, 0xa8, 0x01, 0x03};
2421 
2422  uint8_t valid_raw_udp[] = {
2423  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2424  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2425  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2426  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2427  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2428  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2429  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2430  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2431  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2432  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2433  0x67, 0x6c, 0x65, 0xc0, 0x26};
2434 
2435  uint8_t invalid_raw_udp[] = {
2436  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2437  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2438  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2439  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2440  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2441  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2442  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2443  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2444  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2445  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2446  0x67, 0x6c, 0x65, 0xc0, 0x27};
2447 
2449  FAIL_IF_NULL(p1);
2451  FAIL_IF_NULL(p2);
2452 
2453  ThreadVars th_v;
2454  DetectEngineThreadCtx *det_ctx = NULL;
2455 
2456  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2457  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2458 
2459  memset(&th_v, 0, sizeof(ThreadVars));
2460  memset(p1, 0, SIZE_OF_PACKET);
2461  memset(p2, 0, SIZE_OF_PACKET);
2462 
2464  p1->ip4h = (IPV4Hdr *)raw_ipv4;
2465  p1->udph = (UDPHdr *)valid_raw_udp;
2466  p1->src.family = AF_INET;
2467  p1->dst.family = AF_INET;
2468  p1->payload = buf;
2469  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2470  p1->proto = IPPROTO_UDP;
2471 
2473  p2->ip4h = (IPV4Hdr *)raw_ipv4;
2474  p2->udph = (UDPHdr *)invalid_raw_udp;
2475  p2->src.family = AF_INET;
2476  p2->dst.family = AF_INET;
2477  p2->payload = buf;
2478  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2479  p2->proto = IPPROTO_UDP;
2480 
2482  FAIL_IF_NULL(de_ctx);
2483 
2484  de_ctx->flags |= DE_QUIET;
2485 
2486  de_ctx->sig_list = SigInit(de_ctx,
2487  "alert udp any any -> any any "
2488  "(content:\"/one/\"; udpv4-csum:valid; "
2489  "msg:\"udpv4-csum keyword check(1)\"; "
2490  "sid:1;)");
2491  FAIL_IF_NULL(de_ctx->sig_list);
2492 
2493  de_ctx->sig_list->next = SigInit(de_ctx,
2494  "alert udp any any -> any any "
2495  "(content:\"/one/\"; udpv4-csum:invalid; "
2496  "msg:\"udpv4-csum keyword check(1)\"; "
2497  "sid:2;)");
2498  FAIL_IF_NULL(de_ctx->sig_list->next);
2499 
2500  SigGroupBuild(de_ctx);
2501  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2502 
2503  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2504  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2505 
2506  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2507  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2508 
2509  SigGroupCleanup(de_ctx);
2510  SigCleanSignatures(de_ctx);
2511  if (det_ctx != NULL)
2512  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2513  DetectEngineCtxFree(de_ctx);
2514  SCFree(p1);
2515  SCFree(p2);
2516  PASS;
2517 }
2518 
2519 static int SigTest31NegativeUDPV4Keyword(void)
2520 {
2521  uint8_t raw_ipv4[] = {
2522  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2523  0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2524  0xc0, 0xa8, 0x01, 0x03};
2525 
2526  uint8_t valid_raw_udp[] = {
2527  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2528  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2529  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2530  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2531  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2532  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2533  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2534  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2535  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2536  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2537  0x67, 0x6c, 0x65, 0xc0, 0x26};
2538 
2539  uint8_t invalid_raw_udp[] = {
2540  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2541  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2542  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2543  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2544  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2545  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2546  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2547  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2548  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2549  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2550  0x67, 0x6c, 0x65, 0xc0, 0x27};
2551 
2553  if (unlikely(p1 == NULL))
2554  return 0;
2556  if (unlikely(p2 == NULL)) {
2557  SCFree(p1);
2558  return 0;
2559  }
2560  ThreadVars th_v;
2561  DetectEngineThreadCtx *det_ctx = NULL;
2562  int result = 1;
2563 
2564  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2565  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2566 
2567  memset(&th_v, 0, sizeof(ThreadVars));
2568  memset(p1, 0, SIZE_OF_PACKET);
2569  memset(p2, 0, SIZE_OF_PACKET);
2570 
2572  p1->ip4h = (IPV4Hdr *)raw_ipv4;
2573  p1->udph = (UDPHdr *)valid_raw_udp;
2574  p1->src.family = AF_INET;
2575  p1->dst.family = AF_INET;
2576  p1->payload = buf;
2577  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2578  p1->proto = IPPROTO_UDP;
2579 
2581  p2->ip4h = (IPV4Hdr *)raw_ipv4;
2582  p2->udph = (UDPHdr *)invalid_raw_udp;
2583  p2->src.family = AF_INET;
2584  p2->dst.family = AF_INET;
2585  p2->payload = buf;
2586  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2587  p2->proto = IPPROTO_UDP;
2588 
2590  if (de_ctx == NULL) {
2591  goto end;
2592  }
2593 
2594  de_ctx->flags |= DE_QUIET;
2595 
2596  de_ctx->sig_list = SigInit(de_ctx,
2597  "alert udp any any -> any any "
2598  "(content:\"/one/\"; udpv4-csum:invalid; "
2599  "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2600  if (de_ctx->sig_list == NULL) {
2601  result &= 0;
2602  goto end;
2603  }
2604 
2605  de_ctx->sig_list->next = SigInit(de_ctx,
2606  "alert udp any any -> any any "
2607  "(content:\"/one/\"; udpv4-csum:valid; "
2608  "msg:\"udpv4-csum keyword check(1)\"; "
2609  "sid:2;)");
2610  if (de_ctx->sig_list->next == NULL) {
2611  result &= 0;
2612  goto end;
2613  }
2614 
2615  SigGroupBuild(de_ctx);
2616  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2617 
2618  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2619  if (PacketAlertCheck(p1, 1))
2620  result &= 0;
2621  else
2622  result &= 1;
2623 
2624  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2625  if (PacketAlertCheck(p2, 2)) {
2626  result &= 0;
2627  }
2628  else
2629  result &= 1;
2630 
2631  SigGroupCleanup(de_ctx);
2632  SigCleanSignatures(de_ctx);
2633  if (det_ctx != NULL)
2634  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2635  DetectEngineCtxFree(de_ctx);
2636 end:
2637  SCFree(p1);
2638  SCFree(p2);
2639  return result;
2640 }
2641 
2642 
2643 static int SigTest32UDPV6Keyword(void)
2644 {
2645  static uint8_t valid_raw_ipv6[] = {
2646  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2647  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2648  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2649  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2650  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2651  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2652  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2653  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2654  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2655  0x09, 0x00};
2656 
2657  static uint8_t invalid_raw_ipv6[] = {
2658  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2659  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2660  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2661  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2662  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2663  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2664  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2665  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2666  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2667  0x09, 0x01};
2668 
2670  FAIL_IF_NULL(p1);
2672  FAIL_IF_NULL(p2);
2673 
2674  ThreadVars th_v;
2675  DetectEngineThreadCtx *det_ctx = NULL;
2676 
2677  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2678  "\r\n\r\n";
2679 
2680  memset(&th_v, 0, sizeof(ThreadVars));
2681  memset(p1, 0, SIZE_OF_PACKET);
2682  memset(p2, 0, SIZE_OF_PACKET);
2683 
2685  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2686  p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2687  p1->src.family = AF_INET;
2688  p1->dst.family = AF_INET;
2689  p1->payload = buf;
2691  p1->proto = IPPROTO_UDP;
2692 
2694  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2695  p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2696  p2->src.family = AF_INET;
2697  p2->dst.family = AF_INET;
2698  p2->payload = buf;
2700  p2->proto = IPPROTO_UDP;
2701 
2703  FAIL_IF_NULL(de_ctx);
2704 
2705  de_ctx->flags |= DE_QUIET;
2706 
2707  de_ctx->sig_list = SigInit(de_ctx,
2708  "alert udp any any -> any any "
2709  "(content:\"/one/\"; udpv6-csum:valid; "
2710  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2711  FAIL_IF_NULL(de_ctx->sig_list);
2712 
2713  de_ctx->sig_list->next = SigInit(de_ctx,
2714  "alert udp any any -> any any "
2715  "(content:\"/one/\"; udpv6-csum:invalid; "
2716  "msg:\"udpv6-csum keyword check(1)\"; "
2717  "sid:2;)");
2718  FAIL_IF_NULL(de_ctx->sig_list->next);
2719 
2720  SigGroupBuild(de_ctx);
2721  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2722 
2723  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2724  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2725 
2726  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2727  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2728 
2729  SigGroupCleanup(de_ctx);
2730  SigCleanSignatures(de_ctx);
2731  if (det_ctx != NULL)
2732  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2733  DetectEngineCtxFree(de_ctx);
2734 
2735  SCFree(p1);
2736  SCFree(p2);
2737  PASS;
2738 }
2739 
2740 static int SigTest33NegativeUDPV6Keyword(void)
2741 {
2742  static uint8_t valid_raw_ipv6[] = {
2743  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2744  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2745  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2746  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2747  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2748  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2749  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2750  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2751  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2752  0x09, 0x00};
2753 
2754  static uint8_t invalid_raw_ipv6[] = {
2755  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2756  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2757  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2758  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2759  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2760  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2761  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2762  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2763  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2764  0x09, 0x01};
2765 
2767  if (unlikely(p1 == NULL))
2768  return 0;
2770  if (unlikely(p2 == NULL)) {
2771  SCFree(p1);
2772  return 0;
2773  }
2774  ThreadVars th_v;
2775  DetectEngineThreadCtx *det_ctx = NULL;
2776  int result = 1;
2777 
2778  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2779  "\r\n\r\n";
2780 
2781  memset(&th_v, 0, sizeof(ThreadVars));
2782  memset(p1, 0, SIZE_OF_PACKET);
2783  memset(p2, 0, SIZE_OF_PACKET);
2784 
2786  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2787  p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2788  p1->src.family = AF_INET;
2789  p1->dst.family = AF_INET;
2790  p1->payload = buf;
2792  p1->proto = IPPROTO_UDP;
2793 
2795  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2796  p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2797  p2->src.family = AF_INET;
2798  p2->dst.family = AF_INET;
2799  p2->payload = buf;
2801  p2->proto = IPPROTO_UDP;
2802 
2804  if (de_ctx == NULL) {
2805  goto end;
2806  }
2807 
2808  de_ctx->flags |= DE_QUIET;
2809 
2810  de_ctx->sig_list = SigInit(de_ctx,
2811  "alert udp any any -> any any "
2812  "(content:\"/one/\"; udpv6-csum:invalid; "
2813  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2814  if (de_ctx->sig_list == NULL) {
2815  result &= 0;
2816  goto end;
2817  }
2818 
2819  de_ctx->sig_list->next = SigInit(de_ctx,
2820  "alert udp any any -> any any "
2821  "(content:\"/one/\"; udpv6-csum:valid; "
2822  "msg:\"udpv6-csum keyword check(1)\"; "
2823  "sid:2;)");
2824  if (de_ctx->sig_list->next == NULL) {
2825  result &= 0;
2826  goto end;
2827  }
2828 
2829  SigGroupBuild(de_ctx);
2830  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2831 
2832  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2833  if (PacketAlertCheck(p1, 1))
2834  result &= 0;
2835  else
2836  result &= 1;
2837 
2838  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2839  if (PacketAlertCheck(p2, 2))
2840  result &= 0;
2841  else
2842  result &= 1;
2843 
2844  SigGroupCleanup(de_ctx);
2845  SigCleanSignatures(de_ctx);
2846  if (det_ctx != NULL)
2847  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2848  DetectEngineCtxFree(de_ctx);
2849 end:
2850  SCFree(p1);
2851  SCFree(p2);
2852  return result;
2853 }
2854 
2855 static int SigTest34ICMPV4Keyword(void)
2856 {
2857  uint8_t valid_raw_ipv4[] = {
2858  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2859  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2860  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2861  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2862  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2863  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2864  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2865  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2866  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2867  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2868  0x34, 0x35, 0x36, 0x37};
2869 
2870  uint8_t invalid_raw_ipv4[] = {
2871  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2872  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2873  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2874  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2875  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2876  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2877  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2878  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2879  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2880  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2881  0x34, 0x35, 0x36, 0x38};
2882 
2884  if (unlikely(p1 == NULL))
2885  return 0;
2887  if (unlikely(p2 == NULL)) {
2888  SCFree(p1);
2889  return 0;
2890  }
2891  ThreadVars th_v;
2892  DetectEngineThreadCtx *det_ctx = NULL;
2893  int result = 1;
2894 
2895  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2896  "\r\n\r\n";
2897  uint16_t buflen = strlen((char *)buf);
2898 
2899  memset(&th_v, 0, sizeof(ThreadVars));
2900  memset(p1, 0, SIZE_OF_PACKET);
2901  memset(p2, 0, SIZE_OF_PACKET);
2902 
2904  p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
2905  p1->ip4h->ip_verhl = 69;
2906  p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
2907  p1->src.family = AF_INET;
2908  p1->dst.family = AF_INET;
2909  p1->payload = buf;
2910  p1->payload_len = buflen;
2911  p1->proto = IPPROTO_ICMP;
2912 
2914  p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
2915  p2->ip4h->ip_verhl = 69;
2916  p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
2917  p2->src.family = AF_INET;
2918  p2->dst.family = AF_INET;
2919  p2->payload = buf;
2920  p2->payload_len = buflen;
2921  p2->proto = IPPROTO_ICMP;
2922 
2924  if (de_ctx == NULL) {
2925  goto end;
2926  }
2927 
2928  de_ctx->flags |= DE_QUIET;
2929 
2930  de_ctx->sig_list = SigInit(de_ctx,
2931  "alert icmp any any -> any any "
2932  "(content:\"/one/\"; icmpv4-csum:valid; "
2933  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2934  if (de_ctx->sig_list == NULL) {
2935  result &= 0;
2936  goto end;
2937  }
2938 
2939  de_ctx->sig_list->next = SigInit(de_ctx,
2940  "alert icmp any any -> any any "
2941  "(content:\"/one/\"; icmpv4-csum:invalid; "
2942  "msg:\"icmpv4-csum keyword check(1)\"; "
2943  "sid:2;)");
2944  if (de_ctx->sig_list->next == NULL) {
2945  result = 0;
2946  goto end;
2947  }
2948 
2949  SigGroupBuild(de_ctx);
2950  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2951 
2952  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2953  if (PacketAlertCheck(p1, 1))
2954  result &= 1;
2955  else
2956  result &= 0;
2957 
2958  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2959  if (PacketAlertCheck(p2, 2))
2960  result &= 1;
2961  else
2962  result &= 0;
2963 
2964  SigGroupCleanup(de_ctx);
2965  SigCleanSignatures(de_ctx);
2966  if (det_ctx != NULL)
2967  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2968  DetectEngineCtxFree(de_ctx);
2969 end:
2970  SCFree(p1);
2971  SCFree(p2);
2972  return result;
2973 }
2974 
2975 static int SigTest35NegativeICMPV4Keyword(void)
2976 {
2977  uint8_t valid_raw_ipv4[] = {
2978  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2979  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2980  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2981  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2982  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2983  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2984  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2985  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2986  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2987  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2988  0x34, 0x35, 0x36, 0x37};
2989 
2990  uint8_t invalid_raw_ipv4[] = {
2991  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2992  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2993  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2994  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2995  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2996  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2997  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2998  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2999  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
3000  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
3001  0x34, 0x35, 0x36, 0x38};
3002 
3004  if (unlikely(p1 == NULL))
3005  return 0;
3007  if (unlikely(p2 == NULL)) {
3008  SCFree(p1);
3009  return 0;
3010  }
3011  ThreadVars th_v;
3012  DetectEngineThreadCtx *det_ctx = NULL;
3013  int result = 1;
3014 
3015  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
3016  "\r\n\r\n";
3017  uint16_t buflen = strlen((char *)buf);
3018 
3019  memset(&th_v, 0, sizeof(ThreadVars));
3020  memset(p1, 0, SIZE_OF_PACKET);
3021  memset(p2, 0, SIZE_OF_PACKET);
3022 
3024  p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
3025  p1->ip4h->ip_verhl = 69;
3026  p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
3027  p1->src.family = AF_INET;
3028  p1->dst.family = AF_INET;
3029  p1->payload = buf;
3030  p1->payload_len = buflen;
3031  p1->proto = IPPROTO_ICMP;
3032 
3034  p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
3035  p2->ip4h->ip_verhl = 69;
3036  p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
3037  p2->src.family = AF_INET;
3038  p2->dst.family = AF_INET;
3039  p2->payload = buf;
3040  p2->payload_len = buflen;
3041  p2->proto = IPPROTO_ICMP;
3042 
3044  if (de_ctx == NULL) {
3045  goto end;
3046  }
3047 
3048  de_ctx->flags |= DE_QUIET;
3049 
3050  de_ctx->sig_list = SigInit(de_ctx,
3051  "alert icmp any any -> any any "
3052  "(content:\"/one/\"; icmpv4-csum:invalid; "
3053  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
3054  if (de_ctx->sig_list == NULL) {
3055  result &= 0;
3056  goto end;
3057  }
3058 
3059  de_ctx->sig_list->next = SigInit(de_ctx,
3060  "alert icmp any any -> any any "
3061  "(content:\"/one/\"; icmpv4-csum:valid; "
3062  "msg:\"icmpv4-csum keyword check(1)\"; "
3063  "sid:2;)");
3064  if (de_ctx->sig_list->next == NULL) {
3065  result &= 0;
3066  goto end;
3067  }
3068 
3069  SigGroupBuild(de_ctx);
3070  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3071 
3072  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3073  if (PacketAlertCheck(p1, 1))
3074  result &= 0;
3075  else
3076  result &= 1;
3077 
3078  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3079  if (PacketAlertCheck(p2, 2))
3080  result &= 0;
3081  else {
3082  result &= 1;
3083  }
3084 
3085  SigGroupCleanup(de_ctx);
3086  SigCleanSignatures(de_ctx);
3087  if (det_ctx != NULL)
3088  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3089  DetectEngineCtxFree(de_ctx);
3090 end:
3091  SCFree(p1);
3092  SCFree(p2);
3093  return result;
3094 }
3095 
3096 static int SigTest38(void)
3097 {
3099  if (unlikely(p1 == NULL))
3100  return 0;
3101  ThreadVars th_v;
3102  DetectEngineThreadCtx *det_ctx = NULL;
3103  int result = 1;
3104  uint8_t raw_eth[] = {
3105  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3106  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3107  0x08, 0x00
3108  };
3109  uint8_t raw_ipv4[] = {
3110  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3111  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3112  0x7f, 0x00, 0x00, 0x01
3113  };
3114  uint8_t raw_tcp[] = {
3115  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3116  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3117  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3118  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3119  0x00, 0x22, 0xaa, 0x10
3120  };
3121  uint8_t buf[] = {
3122  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3123  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3124  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
3125  0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
3126  0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3127  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3128  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3129  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3130  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3131  0x0a
3132  };
3133  uint16_t ethlen = sizeof(raw_eth);
3134  uint16_t ipv4len = sizeof(raw_ipv4);
3135  uint16_t tcplen = sizeof(raw_tcp);
3136  uint16_t buflen = sizeof(buf);
3137 
3138  memset(&th_v, 0, sizeof(ThreadVars));
3139  memset(p1, 0, SIZE_OF_PACKET);
3140 
3141  /* Copy raw data into packet */
3142  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3143  SCFree(p1);
3144  return 1;
3145  }
3146  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3147  SCFree(p1);
3148  return 1;
3149  }
3150  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3151  SCFree(p1);
3152  return 1;
3153  }
3154  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3155  SCFree(p1);
3156  return 1;
3157  }
3158  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3159 
3161  p1->ethh = (EthernetHdr *)raw_eth;
3162  p1->ip4h = (IPV4Hdr *)raw_ipv4;
3163  p1->tcph = (TCPHdr *)raw_tcp;
3164  p1->src.family = AF_INET;
3165  p1->dst.family = AF_INET;
3166  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3167  p1->payload_len = buflen;
3168  p1->proto = IPPROTO_TCP;
3169 
3171  if (de_ctx == NULL) {
3172  goto end;
3173  }
3174  de_ctx->flags |= DE_QUIET;
3175 
3176  de_ctx->sig_list = SigInit(de_ctx,
3177  "alert tcp any any -> any any "
3178  "(content:\"LEN1|20|\"; "
3179  "byte_test:4,=,8,0; "
3180  "msg:\"byte_test keyword check(1)\"; sid:1;)");
3181  if (de_ctx->sig_list == NULL) {
3182  result &= 0;
3183  goto end;
3184  }
3185  de_ctx->sig_list->next = SigInit(de_ctx,
3186  "alert tcp any any -> any any "
3187  "(content:\"LEN1|20|\"; "
3188  "byte_test:4,=,8,5,relative,string,dec; "
3189  "msg:\"byte_test keyword check(2)\"; sid:2;)");
3190  if (de_ctx->sig_list->next == NULL) {
3191  result &= 0;
3192  goto end;
3193  }
3194 
3195  SigGroupBuild(de_ctx);
3196  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3197 
3198  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3199  if (PacketAlertCheck(p1, 1)) {
3200  result = 1;
3201  } else {
3202  result = 0;
3203  printf("sid 1 didn't alert, but should have: ");
3204  goto cleanup;
3205  }
3206  if (PacketAlertCheck(p1, 2)) {
3207  result = 1;
3208  } else {
3209  result = 0;
3210  printf("sid 2 didn't alert, but should have: ");
3211  goto cleanup;
3212  }
3213 
3214 cleanup:
3215  SigGroupCleanup(de_ctx);
3216  SigCleanSignatures(de_ctx);
3217 
3218  if (det_ctx != NULL)
3219  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3220  DetectEngineCtxFree(de_ctx);
3221 
3222 end:
3223  SCFree(p1);
3224  return result;
3225 }
3226 
3227 static int SigTest39(void)
3228 {
3230  if (unlikely(p1 == NULL))
3231  return 0;
3232  ThreadVars th_v;
3233  DetectEngineThreadCtx *det_ctx = NULL;
3234  int result = 1;
3235  uint8_t raw_eth[] = {
3236  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3237  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3238  0x08, 0x00
3239  };
3240  uint8_t raw_ipv4[] = {
3241  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3242  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3243  0x7f, 0x00, 0x00, 0x01
3244  };
3245  uint8_t raw_tcp[] = {
3246  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3247  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3248  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3249  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3250  0x00, 0x22, 0xaa, 0x10
3251  };
3252  uint8_t buf[] = {
3253  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3254  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3255  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3256  0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3257  0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3258  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3259  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3260  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3261  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3262  0x0a
3263  };
3264  uint16_t ethlen = sizeof(raw_eth);
3265  uint16_t ipv4len = sizeof(raw_ipv4);
3266  uint16_t tcplen = sizeof(raw_tcp);
3267  uint16_t buflen = sizeof(buf);
3268 
3269  memset(&th_v, 0, sizeof(ThreadVars));
3270  memset(p1, 0, SIZE_OF_PACKET);
3271 
3272  /* Copy raw data into packet */
3273  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3274  SCFree(p1);
3275  return 1;
3276  }
3277  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3278  SCFree(p1);
3279  return 1;
3280  }
3281  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3282  SCFree(p1);
3283  return 1;
3284  }
3285  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3286  SCFree(p1);
3287  return 1;
3288  }
3289  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3290 
3292  p1->ethh = (EthernetHdr *)raw_eth;
3293  p1->ip4h = (IPV4Hdr *)raw_ipv4;
3294  p1->tcph = (TCPHdr *)raw_tcp;
3295  p1->src.family = AF_INET;
3296  p1->dst.family = AF_INET;
3297  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3298  p1->payload_len = buflen;
3299  p1->proto = IPPROTO_TCP;
3300 
3302  if (de_ctx == NULL) {
3303  goto end;
3304  }
3305  de_ctx->flags |= DE_QUIET;
3306 
3307  de_ctx->sig_list = SigInit(de_ctx,
3308  "alert tcp any any -> any any "
3309  "(content:\"LEN1|20|\"; "
3310  "byte_test:4,=,8,0; "
3311  "byte_jump:4,0; "
3312  "byte_test:6,=,0x4c454e312038,0,relative; "
3313  "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3314  if (de_ctx->sig_list == NULL) {
3315  result &= 0;
3316  goto end;
3317  }
3318  // XXX TODO
3319  de_ctx->sig_list->next = SigInit(de_ctx,
3320  "alert tcp any any -> any any "
3321  "(content:\"LEN1|20|\"; "
3322  "byte_test:4,=,8,4,relative,string,dec; "
3323  "byte_jump:4,4,relative,string,dec,post_offset 2; "
3324  "byte_test:4,=,0x4c454e32,0,relative; "
3325  "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3326  if (de_ctx->sig_list->next == NULL) {
3327  result &= 0;
3328  goto end;
3329  }
3330 
3331  SigGroupBuild(de_ctx);
3332  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3333 
3334  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3335  if (PacketAlertCheck(p1, 1)) {
3336  result = 1;
3337  } else {
3338  result = 0;
3339  printf("sid 1 didn't alert, but should have: ");
3340  goto cleanup;
3341  }
3342  if (PacketAlertCheck(p1, 2)) {
3343  result = 1;
3344  } else {
3345  result = 0;
3346  printf("sid 2 didn't alert, but should have: ");
3347  goto cleanup;
3348  }
3349 
3350 cleanup:
3351  SigGroupCleanup(de_ctx);
3352  SigCleanSignatures(de_ctx);
3353  if (det_ctx != NULL)
3354  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3355  DetectEngineCtxFree(de_ctx);
3356 
3357 end:
3358  SCFree(p1);
3359  return result;
3360 }
3361 
3362 /**
3363  * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3364  * \brief expecting to match a size
3365  */
3366 
3367 static int SigTest36ContentAndIsdataatKeywords01 (void)
3368 {
3369  int result = 0;
3370 
3371  // Buid and decode the packet
3372 
3373  uint8_t raw_eth [] = {
3374  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3375  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3376  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3377  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3378  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3379  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3380  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3381  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3382  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3383  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3384  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3385  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3386  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3387  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3388  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3389  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3390  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3391  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3392  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3393  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3394  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3395  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3396  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3397  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3398  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3399  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3400  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3401  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3402  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3403  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3404 
3406  if (unlikely(p == NULL))
3407  return 0;
3408  DecodeThreadVars dtv;
3409 
3410  ThreadVars th_v;
3411  DetectEngineThreadCtx *det_ctx = NULL;
3412 
3413  memset(p, 0, SIZE_OF_PACKET);
3414  memset(&dtv, 0, sizeof(DecodeThreadVars));
3415  memset(&th_v, 0, sizeof(th_v));
3416 
3418  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
3419 
3420 
3422  if (de_ctx == NULL) {
3423  goto end;
3424  }
3425 
3426  de_ctx->flags |= DE_QUIET;
3427 
3428  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3429  if (de_ctx->sig_list == NULL) {
3430  result = 0;
3431  goto end;
3432  }
3433 
3434  SigGroupBuild(de_ctx);
3435  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3436 
3437  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3438  if (PacketAlertCheck(p, 101) == 0) {
3439  result = 0;
3440  goto end;
3441  } else {
3442  result=1;
3443  }
3444 
3445  SigGroupCleanup(de_ctx);
3446  SigCleanSignatures(de_ctx);
3447 
3448  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3449  DetectEngineCtxFree(de_ctx);
3450  PACKET_RECYCLE(p);
3451  FlowShutdown();
3452 
3453  SCFree(p);
3454  return result;
3455 
3456 end:
3457  if(de_ctx)
3458  {
3459  SigGroupCleanup(de_ctx);
3460  SigCleanSignatures(de_ctx);
3461  }
3462 
3463  if(det_ctx)
3464  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3465 
3466  //PatternMatchDestroy(mpm_ctx);
3467 
3468  if(de_ctx)
3469  DetectEngineCtxFree(de_ctx);
3470 
3471  if (p != NULL)
3472  PACKET_RECYCLE(p);
3473 
3474  FlowShutdown();
3475 
3476  SCFree(p);
3477  return result;
3478 }
3479 
3480 
3481 /**
3482  * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3483  * \brief not expecting to match a size
3484  */
3485 
3486 static int SigTest37ContentAndIsdataatKeywords02 (void)
3487 {
3488  int result = 0;
3489 
3490  // Buid and decode the packet
3491 
3492  uint8_t raw_eth [] = {
3493  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3494  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3495  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3496  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3497  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3498  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3499  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3500  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3501  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3502  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3503  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3504  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3505  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3506  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3507  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3508  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3509  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3510  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3511  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3512  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3513  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3514  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3515  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3516  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3517  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3518  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3519  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3520  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3521  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3522  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3523 
3525  if (unlikely(p == NULL))
3526  return 0;
3527  DecodeThreadVars dtv;
3528 
3529  ThreadVars th_v;
3530  DetectEngineThreadCtx *det_ctx = NULL;
3531 
3532  memset(p, 0, SIZE_OF_PACKET);
3533  memset(&dtv, 0, sizeof(DecodeThreadVars));
3534  memset(&th_v, 0, sizeof(th_v));
3535 
3537  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth), NULL);
3538 
3539 
3541  if (de_ctx == NULL) {
3542  goto end;
3543  }
3544 
3545  de_ctx->flags |= DE_QUIET;
3546 
3547  Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3548  if (de_ctx->sig_list == NULL) {
3549  printf("sig parse failed: ");
3550  result = 0;
3551  goto end;
3552  }
3553 
3554  if (s->sm_lists[DETECT_SM_LIST_PMATCH]->type != DETECT_CONTENT) {
3555  printf("type not content: ");
3556  goto end;
3557  }
3558  SigGroupBuild(de_ctx);
3559  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3560 
3561  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3562  if (PacketAlertCheck(p, 101) == 0) {
3563  result = 1;
3564  goto end;
3565  } else {
3566  printf("sig matched, but should not have: ");
3567  result=0;
3568  }
3569 
3570  SigGroupCleanup(de_ctx);
3571  SigCleanSignatures(de_ctx);
3572 
3573  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3574  DetectEngineCtxFree(de_ctx);
3575 
3576  PACKET_RECYCLE(p);
3577  FlowShutdown();
3578 
3579  SCFree(p);
3580  return result;
3581 
3582 end:
3583  if(de_ctx)
3584  {
3585  SigGroupCleanup(de_ctx);
3586  SigCleanSignatures(de_ctx);
3587  }
3588 
3589  if(det_ctx)
3590  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3591 
3592  if(de_ctx)
3593  DetectEngineCtxFree(de_ctx);
3594 
3595  if (p != NULL)
3596  PACKET_RECYCLE(p);
3597 
3598  FlowShutdown();
3599 
3600  SCFree(p);
3601  return result;
3602 }
3603 
3604 /**
3605  * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3606  * flag is set, we don't need to inspect the packet protocol header or its contents.
3607  */
3608 
3609 static int SigTest40NoPacketInspection01(void)
3610 {
3611 
3612  uint8_t *buf = (uint8_t *)
3613  "220 (vsFTPd 2.0.5)\r\n";
3614  uint16_t buflen = strlen((char *)buf);
3616  TCPHdr tcphdr;
3617  if (unlikely(p == NULL))
3618  return 0;
3619  ThreadVars th_v;
3620  DetectEngineThreadCtx *det_ctx = NULL;
3621  PacketQueue pq;
3622  Flow f;
3623  int result = 0;
3624 
3625  memset(&th_v, 0, sizeof(th_v));
3626  memset(p, 0, SIZE_OF_PACKET);
3627  memset(&pq, 0, sizeof(pq));
3628  memset(&f, 0, sizeof(f));
3629  memset(&tcphdr, 0, sizeof(tcphdr));
3630 
3631  p->src.family = AF_INET;
3632  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3633  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3634  p->dst.family = AF_INET;
3635  p->payload = buf;
3636  p->payload_len = buflen;
3637  p->proto = IPPROTO_TCP;
3638  p->dp = 34260;
3639  p->sp = 21;
3642  p->tcph = &tcphdr;
3643  p->flow = &f;
3644 
3645  FLOW_INITIALIZE(&f);
3646 
3648  if (de_ctx == NULL) {
3649  goto end;
3650  }
3651 
3652  de_ctx->flags |= DE_QUIET;
3653 
3654  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3655  if (de_ctx->sig_list == NULL) {
3656  result = 0;
3657  goto end;
3658  }
3659 
3660  SigGroupBuild(de_ctx);
3661  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3662  det_ctx->de_ctx = de_ctx;
3663 
3664  Detect(&th_v, p, det_ctx, &pq, NULL);
3665  if (PacketAlertCheck(p, 2))
3666  result = 0;
3667  else
3668  result = 1;
3669 
3670  SigGroupCleanup(de_ctx);
3671  SigCleanSignatures(de_ctx);
3672  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3673  //PatternMatchDestroy(mpm_ctx);
3674  DetectEngineCtxFree(de_ctx);
3675 end:
3676  SCFree(p);
3677  return result;
3678 }
3679 
3680 /**
3681  * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3682  * flasg is set, we don't need to inspect the packet contents.
3683  */
3684 
3685 static int SigTest40NoPayloadInspection02(void)
3686 {
3687 
3688  uint8_t *buf = (uint8_t *)
3689  "220 (vsFTPd 2.0.5)\r\n";
3690  uint16_t buflen = strlen((char *)buf);
3691  ThreadVars th_v;
3692  memset(&th_v, 0, sizeof(th_v));
3693 
3695  FAIL_IF_NULL(p);
3696  memset(p, 0, SIZE_OF_PACKET);
3697 
3698  p->src.family = AF_INET;
3699  p->dst.family = AF_INET;
3700  p->payload = buf;
3701  p->payload_len = buflen;
3702  p->proto = IPPROTO_TCP;
3704 
3705  DetectEngineThreadCtx *det_ctx = NULL;
3707  FAIL_IF_NULL(de_ctx);
3708  de_ctx->flags |= DE_QUIET;
3709 
3710  Signature *s = DetectEngineAppendSig(de_ctx,
3711  "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3712  FAIL_IF_NULL(s);
3713 
3714  SigGroupBuild(de_ctx);
3715  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3716 
3717  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3718 
3719  FAIL_IF(PacketAlertCheck(p, 1));
3720 
3721  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3722  DetectEngineCtxFree(de_ctx);
3723  SCFree(p);
3724  PASS;
3725 }
3726 
3727 static int SigTestMemory01 (void)
3728 {
3729  uint8_t *buf = (uint8_t *)
3730  "GET /one/ HTTP/1.1\r\n"
3731  "Host: one.example.org\r\n"
3732  "\r\n\r\n"
3733  "GET /two/ HTTP/1.1\r\n"
3734  "Host: two.example.org\r\n"
3735  "\r\n\r\n";
3736  uint16_t buflen = strlen((char *)buf);
3738  if (unlikely(p == NULL))
3739  return 0;
3740  ThreadVars th_v;
3741  DetectEngineThreadCtx *det_ctx = NULL;
3742  int result = 0;
3743 
3744  memset(&th_v, 0, sizeof(th_v));
3745  memset(p, 0, SIZE_OF_PACKET);
3746  p->src.family = AF_INET;
3747  p->dst.family = AF_INET;
3748  p->payload = buf;
3749  p->payload_len = buflen;
3750  p->proto = IPPROTO_TCP;
3751 
3753  if (de_ctx == NULL) {
3754  goto end;
3755  }
3756 
3757  de_ctx->flags |= DE_QUIET;
3758 
3759  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3760  if (de_ctx->sig_list == NULL) {
3761  result = 0;
3762  goto end;
3763  }
3764 
3765  SigGroupBuild(de_ctx);
3766  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3767 
3768  SigGroupCleanup(de_ctx);
3769  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3770  DetectEngineCtxFree(de_ctx);
3771 
3772  result = 1;
3773 end:
3774  SCFree(p);
3775  return result;
3776 }
3777 
3778 static int SigTestMemory02 (void)
3779 {
3780  ThreadVars th_v;
3781  int result = 0;
3782 
3783  memset(&th_v, 0, sizeof(th_v));
3784 
3786  if (de_ctx == NULL) {
3787  goto end;
3788  }
3789  de_ctx->flags |= DE_QUIET;
3790 
3791  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3792  if (de_ctx->sig_list == NULL) {
3793  result = 0;
3794  goto end;
3795  }
3796  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3797  if (de_ctx->sig_list->next == NULL) {
3798  result = 0;
3799  goto end;
3800  }
3801 
3802  SigGroupBuild(de_ctx);
3803 
3804  SigGroupCleanup(de_ctx);
3805  DetectEngineCtxFree(de_ctx);
3806 
3807  result = 1;
3808 end:
3809  return result;
3810 }
3811 
3812 static int SigTestMemory03 (void)
3813 {
3814  ThreadVars th_v;
3815  int result = 0;
3816 
3817  memset(&th_v, 0, sizeof(th_v));
3818 
3820  if (de_ctx == NULL) {
3821  goto end;
3822  }
3823  de_ctx->flags |= DE_QUIET;
3824 
3825  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3826  if (de_ctx->sig_list == NULL) {
3827  result = 0;
3828  goto end;
3829  }
3830  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3831  if (de_ctx->sig_list->next == NULL) {
3832  result = 0;
3833  goto end;
3834  }
3835  de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3836  if (de_ctx->sig_list->next->next == NULL) {
3837  result = 0;
3838  goto end;
3839  }
3840 
3841  SigGroupBuild(de_ctx);
3842 
3843  SigGroupCleanup(de_ctx);
3844  DetectEngineCtxFree(de_ctx);
3845 
3846  result = 1;
3847 end:
3848  return result;
3849 }
3850 
3851 static int SigTestContent01 (void)
3852 {
3853  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3854  uint16_t buflen = strlen((char *)buf);
3855  ThreadVars th_v;
3856  DetectEngineThreadCtx *det_ctx = NULL;
3857  int result = 0;
3858 
3859  memset(&th_v, 0, sizeof(th_v));
3860 
3861  Packet *p = NULL;
3862  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3863 
3865  if (de_ctx == NULL) {
3866  goto end;
3867  }
3868  de_ctx->flags |= DE_QUIET;
3869 
3870  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3871  if (de_ctx->sig_list == NULL) {
3872  result = 0;
3873  goto end;
3874  }
3875 
3876  SigGroupBuild(de_ctx);
3877  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3878 
3879  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3880  if (PacketAlertCheck(p, 1))
3881  result = 1;
3882  else
3883  printf("sig 1 didn't match: ");
3884 
3885  SigGroupCleanup(de_ctx);
3886  SigCleanSignatures(de_ctx);
3887 
3888  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3889  DetectEngineCtxFree(de_ctx);
3890 end:
3891  UTHFreePackets(&p, 1);
3892  return result;
3893 }
3894 
3895 static int SigTestContent02 (void)
3896 {
3897  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3898  uint16_t buflen = strlen((char *)buf);
3899  ThreadVars th_v;
3900  DetectEngineThreadCtx *det_ctx = NULL;
3901  int result = 0;
3902 
3903  memset(&th_v, 0, sizeof(th_v));
3904  Packet *p = NULL;
3905  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3906 
3908  if (de_ctx == NULL) {
3909  goto end;
3910  }
3911  de_ctx->flags |= DE_QUIET;
3912 
3913  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3914  if (de_ctx->sig_list == NULL) {
3915  result = 0;
3916  goto end;
3917  }
3918 
3919  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3920  if (de_ctx->sig_list->next == NULL) {
3921  result = 0;
3922  goto end;
3923  }
3924 
3925  SigGroupBuild(de_ctx);
3926  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3927 
3928  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3929  if (PacketAlertCheck(p, 1)) {
3930  if (PacketAlertCheck(p, 2)) {
3931  result = 1;
3932  } else
3933  printf("sig 2 didn't match: ");
3934  }
3935  else
3936  printf("sig 1 didn't match: ");
3937 
3938  SigGroupCleanup(de_ctx);
3939  SigCleanSignatures(de_ctx);
3940 
3941  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3942  DetectEngineCtxFree(de_ctx);
3943 end:
3944  UTHFreePackets(&p, 1);
3945  return result;
3946 }
3947 
3948 static int SigTestContent03 (void)
3949 {
3950  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3951  uint16_t buflen = strlen((char *)buf);
3952  ThreadVars th_v;
3953  DetectEngineThreadCtx *det_ctx = NULL;
3954  int result = 0;
3955 
3956  memset(&th_v, 0, sizeof(th_v));
3957  Packet *p = NULL;
3958  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3959 
3961  if (de_ctx == NULL) {
3962  goto end;
3963  }
3964 
3965  de_ctx->flags |= DE_QUIET;
3966 
3967  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3968  if (de_ctx->sig_list == NULL) {
3969  result = 0;
3970  goto end;
3971  }
3972 
3973  SigGroupBuild(de_ctx);
3974  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3975 
3976  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3977  if (PacketAlertCheck(p, 1))
3978  result = 1;
3979  else
3980  printf("sig 1 didn't match: ");
3981 
3982  SigGroupCleanup(de_ctx);
3983  SigCleanSignatures(de_ctx);
3984 
3985  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3986  DetectEngineCtxFree(de_ctx);
3987 end:
3988  UTHFreePackets(&p, 1);
3989  return result;
3990 }
3991 
3992 static int SigTestContent04 (void)
3993 {
3994  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3995  uint16_t buflen = strlen((char *)buf);
3996  ThreadVars th_v;
3997  DetectEngineThreadCtx *det_ctx = NULL;
3998  int result = 0;
3999 
4000  memset(&th_v, 0, sizeof(th_v));
4001 
4002  Packet *p = NULL;
4003  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4004 
4006  if (de_ctx == NULL) {
4007  goto end;
4008  }
4009 
4010  de_ctx->flags |= DE_QUIET;
4011 
4012  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4013  if (de_ctx->sig_list == NULL) {
4014  result = 0;
4015  goto end;
4016  }
4017 
4018  SigGroupBuild(de_ctx);
4019  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4020 
4021  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4022  if (PacketAlertCheck(p, 1))
4023  result = 1;
4024  else
4025  printf("sig 1 didn't match: ");
4026 
4027  SigGroupCleanup(de_ctx);
4028  SigCleanSignatures(de_ctx);
4029 
4030  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4031  DetectEngineCtxFree(de_ctx);
4032 end:
4033  UTHFreePackets(&p, 1);
4034  return result;
4035 }
4036 
4037 /** \test sigs with patterns at the limit of the pm's size limit */
4038 static int SigTestContent05 (void)
4039 {
4040  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4041  uint16_t buflen = strlen((char *)buf);
4042  ThreadVars th_v;
4043  DetectEngineThreadCtx *det_ctx = NULL;
4044  int result = 0;
4045 
4046  memset(&th_v, 0, sizeof(th_v));
4047  Packet *p = NULL;
4048  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4049 
4051  if (de_ctx == NULL) {
4052  printf("de_ctx == NULL: ");
4053  goto end;
4054  }
4055 
4056  de_ctx->flags |= DE_QUIET;
4057 
4058  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4059  if (de_ctx->sig_list == NULL) {
4060  printf("sig1 parse failed: ");
4061  goto end;
4062  }
4063  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
4064  if (de_ctx->sig_list->next == NULL) {
4065  printf("sig2 parse failed: ");
4066  goto end;
4067  }
4068 
4069  SigGroupBuild(de_ctx);
4070  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4071 
4072  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4073 
4074  if (PacketAlertCheck(p, 1)) {
4075  printf("sig 1 matched but shouldn't: ");
4076  goto end;
4077  }
4078 
4079  if (PacketAlertCheck(p, 2)) {
4080  printf("sig 2 matched but shouldn't: ");
4081  goto end;
4082  }
4083 
4084  result = 1;
4085 end:
4086  UTHFreePackets(&p, 1);
4087  SigGroupCleanup(de_ctx);
4088  SigCleanSignatures(de_ctx);
4089 
4090  if (det_ctx != NULL) {
4091  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4092  }
4093  if (de_ctx != NULL) {
4094  DetectEngineCtxFree(de_ctx);
4095  }
4096  return result;
4097 }
4098 
4099 static int SigTestContent06 (void)
4100 {
4101  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4102  uint16_t buflen = strlen((char *)buf);
4103  ThreadVars th_v;
4104  DetectEngineThreadCtx *det_ctx = NULL;
4105  int result = 0;
4106 
4107  memset(&th_v, 0, sizeof(th_v));
4108  Packet *p = NULL;
4109  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4110 
4112  if (de_ctx == NULL) {
4113  goto end;
4114  }
4115 
4116  de_ctx->flags |= DE_QUIET;
4117 
4118  de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4119  if (de_ctx->sig_list == NULL) {
4120  result = 0;
4121  goto end;
4122  }
4123  de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
4124  if (de_ctx->sig_list->next == NULL) {
4125  result = 0;
4126  goto end;
4127  }
4128 
4129  SigGroupBuild(de_ctx);
4130  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4131 
4132  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4133  if (PacketAlertCheck(p, 1)){
4134  //printf("sig 1 matched :");
4135  }else{
4136  printf("sig 1 didn't match: ");
4137  goto end;
4138  }
4139 
4140  if (PacketAlertCheck(p, 2)){
4141  result = 1;
4142  }else{
4143  printf("sig 2 didn't match: ");
4144  goto end;
4145  }
4146 
4147  SigGroupCleanup(de_ctx);
4148  SigCleanSignatures(de_ctx);
4149 
4150  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4151  DetectEngineCtxFree(de_ctx);
4152 end:
4153  UTHFreePackets(&p, 1);
4154  return result;
4155 }
4156 
4157 static int SigTestWithin01 (void)
4158 {
4159  DecodeThreadVars dtv;
4160  ThreadVars th_v;
4161  int result = 0;
4162  Packet *p1 = NULL;
4163  Packet *p2 = NULL;
4164  Packet *p3 = NULL;
4165  Packet *p4 = NULL;
4166 
4167  uint8_t rawpkt1[] = {
4168  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4169  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4170  0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4171  0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4172  0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4173  0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4174  0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4175  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4176  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4177  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4178  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4179  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4180  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4181  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4182  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4183  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4184  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4185  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4186  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4187  0x00,0x00 }; /* end rawpkt1 */
4188 
4189  uint8_t rawpkt2[] = {
4190  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4191  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4192  0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4193  0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4194  0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4195  0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4196  0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4197  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4198  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4199  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4200  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4201  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4202  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4203  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4204  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4205  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4206  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4207  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4208  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4209  0x00,0x00 }; /* end rawpkt2 */
4210 
4211  uint8_t rawpkt3[] = {
4212  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4213  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4214  0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4215  0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4216  0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4217  0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4218  0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4219  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4220  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4221  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4222  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4223  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4224  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4225  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4226  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4227  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4228  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4229  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4230  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4231  0x00,0x00 }; /* end rawpkt3 */
4232 
4233  uint8_t rawpkt4[] = {
4234  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4235  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4236  0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4237  0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4238  0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4239  0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4240  0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4241  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4242  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4243  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4244  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4245  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4246  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4247  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4248  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4249  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4250  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4251  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4252  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4253  0x00,0x00 }; /* end rawpkt4 */
4254 
4255  memset(&dtv, 0, sizeof(DecodeThreadVars));
4256  memset(&th_v, 0, sizeof(th_v));
4257 
4258  DetectEngineThreadCtx *det_ctx = NULL;
4259 
4261 
4263  if (de_ctx == NULL) {
4264  goto end;
4265  }
4266 
4267  de_ctx->flags |= DE_QUIET;
4268 
4269  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4270  if (de_ctx->sig_list == NULL) {
4271  result = 0;
4272  goto end;
4273  }
4274 
4275  SigGroupBuild(de_ctx);
4276  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4277 
4278  /* packet 1 */
4279  p1 = SCMalloc(SIZE_OF_PACKET);
4280  if (unlikely(p1 == NULL))
4281  return 0;
4282  memset(p1, 0, SIZE_OF_PACKET);
4283  DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1), NULL);
4284  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4285  if (!(PacketAlertCheck(p1, 556))) {
4286  printf("failed to match on packet 1: ");
4287  goto end;
4288  }
4289 
4290  /* packet 2 */
4291  p2 = SCMalloc(SIZE_OF_PACKET);
4292  if (unlikely(p2 == NULL))
4293  return 0;
4294  memset(p2, 0, SIZE_OF_PACKET);
4295  DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2), NULL);
4296  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4297  if (!(PacketAlertCheck(p2, 556))) {
4298  printf("failed to match on packet 2: ");
4299  goto end;
4300  }
4301 
4302  /* packet 3 */
4303  p3 = SCMalloc(SIZE_OF_PACKET);
4304  if (unlikely(p3 == NULL))
4305  return 0;
4306  memset(p3, 0, SIZE_OF_PACKET);
4307  DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3), NULL);
4308  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4309  if (!(PacketAlertCheck(p3, 556))) {
4310  printf("failed to match on packet 3: ");
4311  goto end;
4312  }
4313 
4314  /* packet 4 */
4315  p4 = SCMalloc(SIZE_OF_PACKET);
4316  if (unlikely(p4 == NULL))
4317  return 0;
4318  memset(p4, 0, SIZE_OF_PACKET);
4319  DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4), NULL);
4320  SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
4321  if (!(PacketAlertCheck(p4, 556))) {
4322  printf("failed to match on packet 4: ");
4323  goto end;
4324  }
4325 
4326  /* packet 5 */
4327  uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
4328  uint16_t p5buflen = strlen((char *)p5buf);
4329  Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
4330  SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
4331  if (!(PacketAlertCheck(p5, 556))) {
4332  printf("failed to match on packet 5: ");
4333  goto end;
4334  }
4335  UTHFreePackets(&p5, 1);
4336 
4337  result = 1;
4338 end:
4339  if (de_ctx != NULL) {
4340  SigGroupCleanup(de_ctx);
4341  SigCleanSignatures(de_ctx);
4342  }
4343 
4344  if (det_ctx != NULL)
4345  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4346 
4347  if (de_ctx != NULL)
4348  DetectEngineCtxFree(de_ctx);
4349 
4350  if (p1 != NULL) {
4351  PACKET_RECYCLE(p1);
4352  SCFree(p1);
4353  }
4354  if (p2 != NULL) {
4355  PACKET_RECYCLE(p2);
4356  SCFree(p2);
4357  }
4358  if (p3 != NULL) {
4359  PACKET_RECYCLE(p3);
4360  SCFree(p3);
4361  }
4362  if (p4 != NULL) {
4363  PACKET_RECYCLE(p4);
4364  SCFree(p4);
4365  }
4366  FlowShutdown();
4367  return result;
4368 }
4369 
4370 static int SigTestDepthOffset01 (void)
4371 {
4372  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4373  uint16_t buflen = strlen((char *)buf);
4374  Packet *p = NULL;
4375  ThreadVars th_v;
4376  DetectEngineThreadCtx *det_ctx = NULL;
4377  int result = 0;
4378 
4379  memset(&th_v, 0, sizeof(th_v));
4380 
4381  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
4382 
4384  if (de_ctx == NULL) {
4385  goto end;
4386  }
4387 
4388  de_ctx->flags |= DE_QUIET;
4389 
4390  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4391  if (de_ctx->sig_list == NULL) {
4392  result = 0;
4393  goto end;
4394  }
4395 
4396  SigGroupBuild(de_ctx);
4397  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4398 
4399  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4400  if (PacketAlertCheck(p, 1))
4401  result = 1;
4402 
4403  SigGroupCleanup(de_ctx);
4404  SigCleanSignatures(de_ctx);
4405 
4406  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4407  DetectEngineCtxFree(de_ctx);
4408 end:
4409  UTHFreePackets(&p, 1);
4410  return result;
4411 }
4412 
4413 static int SigTestDetectAlertCounter(void)
4414 {
4415  Packet *p = NULL;
4416  ThreadVars tv;
4417  DetectEngineThreadCtx *det_ctx = NULL;
4418  memset(&tv, 0, sizeof(tv));
4419 
4421  FAIL_IF_NULL(de_ctx);
4422  de_ctx->flags |= DE_QUIET;
4423 
4424  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
4425  "content:\"boo\"; sid:1;)");
4426  FAIL_IF(de_ctx->sig_list == NULL);
4427 
4428  SigGroupBuild(de_ctx);
4429  strlcpy(tv.name, "detect_test", sizeof(tv.name));
4430  DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4431  /* init counters */
4432  StatsSetupPrivate(&tv);
4433 
4434  p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4435  Detect(&tv, p, det_ctx, NULL, NULL);
4437 
4438  Detect(&tv, p, det_ctx, NULL, NULL);
4440  UTHFreePackets(&p, 1);
4441 
4442  p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4443  Detect(&tv, p, det_ctx, NULL, NULL);
4445  UTHFreePackets(&p, 1);
4446 
4447  p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4448  Detect(&tv, p, det_ctx, NULL, NULL);
4450  UTHFreePackets(&p, 1);
4451 
4452  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4453  DetectEngineCtxFree(de_ctx);
4454  PASS;
4455 }
4456 
4457 /** \test test if the engine set flag to drop pkts of a flow that
4458  * triggered a drop action on IPS mode */
4459 static int SigTestDropFlow01(void)
4460 {
4461  int result = 0;
4462  Flow f;
4463  HtpState *http_state = NULL;
4464  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4465  "User-Agent: Mozilla/1.0\r\n"
4466  "Cookie: hellocatch\r\n\r\n";
4467  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4468  TcpSession ssn;
4469  Packet *p = NULL;
4470  Signature *s = NULL;
4471  ThreadVars tv;
4472  DetectEngineThreadCtx *det_ctx = NULL;
4474 
4475  memset(&tv, 0, sizeof(ThreadVars));
4476  memset(&f, 0, sizeof(Flow));
4477  memset(&ssn, 0, sizeof(TcpSession));
4478 
4479  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4480 
4481  FLOW_INITIALIZE(&f);
4482  f.protoctx = (void *)&ssn;
4483  f.proto = IPPROTO_TCP;
4484  f.flags |= FLOW_IPV4;
4485 
4486  p->flow = &f;
4490  f.alproto = ALPROTO_HTTP;
4491 
4493 
4495  if (de_ctx == NULL) {
4496  goto end;
4497  }
4498  de_ctx->flags |= DE_QUIET;
4499 
4500  s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4501  "(msg:\"Test proto match\"; "
4502  "sid:1;)");
4503  if (s == NULL) {
4504  goto end;
4505  }
4506 
4507  SigGroupBuild(de_ctx);
4508  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4509 
4510  FLOWLOCK_WRLOCK(&f);
4511  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4512  STREAM_TOSERVER, http_buf1, http_buf1_len);
4513  if (r != 0) {
4514  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4515  FLOWLOCK_UNLOCK(&f);
4516  goto end;
4517  }
4518  FLOWLOCK_UNLOCK(&f);
4519 
4520  http_state = f.alstate;
4521  if (http_state == NULL) {
4522  printf("no http state: ");
4523  goto end;
4524  }
4525 
4526  /* do detect */
4527  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4528 
4529  if (!PacketAlertCheck(p, 1)) {
4530  printf("sig 1 didn't alert, but it should: ");
4531  goto end;
4532  }
4533 
4534  if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4535  printf("sig 1 alerted but flow was not flagged correctly: ");
4536  goto end;
4537  }
4538 
4539  /* Ok, now we know that the flag is set for proto http */
4540 
4541  result = 1;
4542 
4543 end:
4544  if (alp_tctx != NULL)
4545  AppLayerParserThreadCtxFree(alp_tctx);
4546  if (det_ctx != NULL)
4547  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4548  if (de_ctx != NULL)
4549  SigGroupCleanup(de_ctx);
4550  if (de_ctx != NULL)
4551  DetectEngineCtxFree(de_ctx);
4552 
4554  FLOW_DESTROY(&f);
4555 
4556  UTHFreePackets(&p, 1);
4557  return result;
4558 }
4559 
4560 /** \test test if the engine set flag to drop pkts of a flow that
4561  * triggered a drop action on IPS mode */
4562 static int SigTestDropFlow02(void)
4563 {
4564  int result = 0;
4565  Flow f;
4566  HtpState *http_state = NULL;
4567  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4568  "User-Agent: Mozilla/1.0\r\n"
4569  "Cookie: hellocatch\r\n\r\n";
4570  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4571  TcpSession ssn;
4572  Packet *p = NULL;
4573  Signature *s = NULL;
4574  ThreadVars tv;
4575  DetectEngineThreadCtx *det_ctx = NULL;
4577 
4578  memset(&tv, 0, sizeof(ThreadVars));
4579  memset(&f, 0, sizeof(Flow));
4580  memset(&ssn, 0, sizeof(TcpSession));
4581 
4582  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4583 
4584  FLOW_INITIALIZE(&f);
4585  f.protoctx = (void *)&ssn;
4586  f.proto = IPPROTO_TCP;
4587  f.flags |= FLOW_IPV4;
4588 
4589  p->flow = &f;
4593  f.alproto = ALPROTO_HTTP;
4594 
4596 
4598  if (de_ctx == NULL) {
4599  goto end;
4600  }
4601  de_ctx->flags |= DE_QUIET;
4602 
4603  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4604  "(msg:\"Test proto match\"; uricontent:\"one\";"
4605  "sid:1;)");
4606  if (s == NULL) {
4607  goto end;
4608  }
4609 
4610  SigGroupBuild(de_ctx);
4611  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4612 
4613  FLOWLOCK_WRLOCK(&f);
4614  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4615  STREAM_TOSERVER, http_buf1, http_buf1_len);
4616  if (r != 0) {
4617  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4618  FLOWLOCK_UNLOCK(&f);
4619  goto end;
4620  }
4621  FLOWLOCK_UNLOCK(&f);
4622 
4623  http_state = f.alstate;
4624  if (http_state == NULL) {
4625  printf("no http state: ");
4626  goto end;
4627  }
4628 
4629  /* do detect */
4630  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4631 
4632  if (!PacketAlertCheck(p, 1)) {
4633  printf("sig 1 didn't alert, but it should: ");
4634  goto end;
4635  }
4636 
4637  if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4638  printf("sig 1 alerted but flow was not flagged correctly: ");
4639  goto end;
4640  }
4641 
4642  /* Ok, now we know that the flag is set for app layer sigs
4643  * (ex: inspecting uricontent) */
4644 
4645  result = 1;
4646 
4647 end:
4648  if (alp_tctx != NULL)
4649  AppLayerParserThreadCtxFree(alp_tctx);
4650  if (det_ctx != NULL)
4651  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4652  if (de_ctx != NULL)
4653  SigGroupCleanup(de_ctx);
4654  if (de_ctx != NULL)
4655  DetectEngineCtxFree(de_ctx);
4656 
4658  FLOW_DESTROY(&f);
4659 
4660  UTHFreePackets(&p, 1);
4661  return result;
4662 }
4663 
4664 /** \test test if the engine set flag to drop pkts of a flow that
4665  * triggered a drop action on IPS mode, and it doesn't inspect
4666  * any other packet of the stream */
4667 static int SigTestDropFlow03(void)
4668 {
4669  int result = 0;
4670  Flow f;
4671  HtpState *http_state = NULL;
4672  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4673  "User-Agent: Mozilla/1.0\r\n"
4674  "Cookie: hellocatch\r\n\r\n";
4675  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4676 
4677  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4678  "User-Agent: Mozilla/1.0\r\n"
4679  "Cookie: hellocatch\r\n\r\n";
4680  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4681 
4682  /* Set the engine mode to IPS */
4683  EngineModeSetIPS();
4684 
4685  TcpSession ssn;
4686  Packet *p1 = NULL;
4687  Packet *p2 = NULL;
4688  Signature *s = NULL;
4689  ThreadVars tv;
4690  DetectEngineThreadCtx *det_ctx = NULL;
4692 
4693  memset(&tv, 0, sizeof(ThreadVars));
4694  memset(&f, 0, sizeof(Flow));
4695  memset(&ssn, 0, sizeof(TcpSession));
4696 
4697  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4698  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4699 
4700  FLOW_INITIALIZE(&f);
4701  f.protoctx = (void *)&ssn;
4702  f.proto = IPPROTO_TCP;
4703  f.flags |= FLOW_IPV4;
4704 
4705  p1->flow = &f;
4709 
4710  p2->flow = &f;
4714  f.alproto = ALPROTO_HTTP;
4715 
4717 
4719  if (de_ctx == NULL) {
4720  goto end;
4721  }
4722 
4723  de_ctx->flags |= DE_QUIET;
4724 
4725  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4726  "(msg:\"Test proto match\"; uricontent:\"one\";"
4727  "sid:1;)");
4728  if (s == NULL) {
4729  goto end;
4730  }
4731 
4732  /* the no inspection flag should be set after the first sig gets triggered,
4733  * so the second packet should not match the next sig (because of no inspection) */
4734  s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4735  "(msg:\"Test proto match\"; uricontent:\"two\";"
4736  "sid:2;)");
4737  if (s == NULL) {
4738  goto end;
4739  }
4740 
4741  SigGroupBuild(de_ctx);
4742  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4743 
4744  FLOWLOCK_WRLOCK(&f);
4745  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4746  STREAM_TOSERVER, http_buf1, http_buf1_len);
4747  if (r != 0) {
4748  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4749  FLOWLOCK_UNLOCK(&f);
4750  goto end;
4751  }
4752  FLOWLOCK_UNLOCK(&f);
4753 
4754  http_state = f.alstate;
4755  if (http_state == NULL) {
4756  printf("no http state: ");
4757  goto end;
4758  }
4759 
4760  /* do detect */
4761  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4762 
4763  if (!PacketAlertCheck(p1, 1)) {
4764  printf("sig 1 didn't alert on p1, but it should: ");
4765  goto end;
4766  }
4767 
4768  if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4769  printf("sig 1 alerted but flow was not flagged correctly: ");
4770  goto end;
4771  }
4772 
4773  /* Second part.. Let's feed with another packet */
4774  if (StreamTcpCheckFlowDrops(p2) == 1) {
4775  SCLogDebug("This flow/stream triggered a drop rule");
4776  FlowSetNoPacketInspectionFlag(p2->flow);
4779  p2->action |= ACTION_DROP;
4780  /* return the segments to the pool */
4782  }
4783 
4784 
4785  if ( !(p2->flags & PKT_NOPACKET_INSPECTION)) {
4786  printf("The packet was not flagged with no-inspection: ");
4787  goto end;
4788  }
4789 
4790  FLOWLOCK_WRLOCK(&f);
4791  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4792  STREAM_TOSERVER, http_buf2, http_buf2_len);
4793  if (r != 0) {
4794  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4795  FLOWLOCK_UNLOCK(&f);
4796  goto end;
4797  }
4798  FLOWLOCK_UNLOCK(&f);
4799 
4800  /* do detect */
4801  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4802 
4803  if (PacketAlertCheck(p2, 1)) {
4804  printf("sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4805  goto end;
4806  }
4807 
4808  if (PacketAlertCheck(p2, 2)) {
4809  printf("sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4810  goto end;
4811  }
4812 
4813  if ( !(PACKET_TEST_ACTION(p2, ACTION_DROP))) {
4814  printf("A \"drop\" action should be set from the flow to the packet: ");
4815  goto end;
4816  }
4817 
4818  result = 1;
4819 
4820 end:
4821  if (alp_tctx != NULL)
4822  AppLayerParserThreadCtxFree(alp_tctx);
4823  if (det_ctx != NULL)
4824  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4825  if (de_ctx != NULL)
4826  SigGroupCleanup(de_ctx);
4827  if (de_ctx != NULL)
4828  DetectEngineCtxFree(de_ctx);
4829 
4831  FLOW_DESTROY(&f);
4832 
4833  UTHFreePackets(&p1, 1);
4834  UTHFreePackets(&p2, 1);
4835 
4836  /* Restore mode to IDS */
4837  EngineModeSetIDS();
4838  return result;
4839 }
4840 
4841 /** \test test if the engine set flag to drop pkts of a flow that
4842  * triggered a drop action on IDS mode, but continue the inspection
4843  * as usual (instead of on IPS mode) */
4844 static int SigTestDropFlow04(void)
4845 {
4846  int result = 0;
4847  Flow f;
4848  HtpState *http_state = NULL;
4849  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4850  "User-Agent: Mozilla/1.0\r\n"
4851  "Cookie: hellocatch\r\n\r\n";
4852  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4853 
4854  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4855  "User-Agent: Mozilla/1.0\r\n"
4856  "Cookie: hellocatch\r\n\r\n";
4857  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4858 
4859  TcpSession ssn;
4860  Packet *p1 = NULL;
4861  Packet *p2 = NULL;
4862  Signature *s = NULL;
4863  ThreadVars tv;
4864  DetectEngineThreadCtx *det_ctx = NULL;
4866 
4867  memset(&tv, 0, sizeof(ThreadVars));
4868  memset(&f, 0, sizeof(Flow));
4869  memset(&ssn, 0, sizeof(TcpSession));
4870 
4871  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4872  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4873 
4874  FLOW_INITIALIZE(&f);
4875  f.protoctx = (void *)&ssn;
4876  f.proto = IPPROTO_TCP;
4877  f.flags |= FLOW_IPV4;
4878 
4879  p1->flow = &f;
4883 
4884  p2->flow = &f;
4888  f.alproto = ALPROTO_HTTP;
4889 
4891 
4893  if (de_ctx == NULL) {
4894  goto end;
4895  }
4896  de_ctx->flags |= DE_QUIET;
4897 
4898  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4899  "(msg:\"Test proto match\"; uricontent:\"one\";"
4900  "sid:1;)");
4901  if (s == NULL) {
4902  goto end;
4903  }
4904 
4905  /* the no inspection flag should be set after the first sig gets triggered,
4906  * so the second packet should not match the next sig (because of no inspection) */
4907  s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4908  "(msg:\"Test proto match\"; uricontent:\"two\";"
4909  "sid:2;)");
4910  if (s == NULL) {
4911  goto end;
4912  }
4913 
4914  SigGroupBuild(de_ctx);
4915  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4916 
4917  FLOWLOCK_WRLOCK(&f);
4918  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4919  STREAM_TOSERVER, http_buf1, http_buf1_len);
4920  if (r != 0) {
4921  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4922  FLOWLOCK_UNLOCK(&f);
4923  goto end;
4924  }
4925  FLOWLOCK_UNLOCK(&f);
4926 
4927  http_state = f.alstate;
4928  if (http_state == NULL) {
4929  printf("no http state: ");
4930  goto end;
4931  }
4932 
4933  /* do detect */
4934  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4935 
4936  if (!PacketAlertCheck(p1, 1)) {
4937  printf("sig 1 didn't alert on p1, but it should: ");
4938  goto end;
4939  }
4940 
4941  if (PacketAlertCheck(p1, 2)) {
4942  printf("sig 2 alerted on p1, but it should not: ");
4943  goto end;
4944  }
4945 
4946  if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4947  printf("sig 1 alerted but flow was not flagged correctly: ");
4948  goto end;
4949  }
4950 
4951  if (!(PACKET_TEST_ACTION(p1, ACTION_DROP))) {
4952  printf("A \"drop\" action was set from the flow to the packet "
4953  "which is right, but setting the flag shouldn't disable "
4954  "inspection on the packet in IDS mode");
4955  goto end;
4956  }
4957 
4958  /* Second part.. Let's feed with another packet */
4959  if (StreamTcpCheckFlowDrops(p2) == 1) {
4960  FlowSetNoPacketInspectionFlag(p2->flow);
4963  p2->action |= ACTION_DROP;
4964  /* return the segments to the pool */
4966  }
4967 
4968  if ( (p2->flags & PKT_NOPACKET_INSPECTION)) {
4969  printf("The packet was flagged with no-inspection but we are not on IPS mode: ");
4970  goto end;
4971  }
4972 
4973  FLOWLOCK_WRLOCK(&f);
4974  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
4975  STREAM_TOSERVER, http_buf2, http_buf2_len);
4976  if (r != 0) {
4977  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4978  FLOWLOCK_UNLOCK(&f);
4979  goto end;
4980  }
4981  FLOWLOCK_UNLOCK(&f);
4982 
4983  /* do detect */
4984  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4985 
4986  if (PacketAlertCheck(p2, 1)) {
4987  printf("sig 1 alerted, but it should not: ");
4988  goto end;
4989  }
4990 
4991  if (!PacketAlertCheck(p2, 2)) {
4992  printf("sig 2 didn't alert, but it should, since we are not on IPS mode: ");
4993  goto end;
4994  }
4995 
4996  if (!(PACKET_TEST_ACTION(p2, ACTION_DROP))) {
4997  printf("A \"drop\" action was set from the flow to the packet "
4998  "which is right, but setting the flag shouldn't disable "
4999  "inspection on the packet in IDS mode");
5000  goto end;
5001  }
5002 
5003  result = 1;
5004 
5005 end:
5006  if (alp_tctx != NULL)
5007  AppLayerParserThreadCtxFree(alp_tctx);
5008  if (det_ctx != NULL)
5009  DetectEngineThreadCtxDeinit(&tv, det_ctx);
5010  if (de_ctx != NULL)
5011  SigGroupCleanup(de_ctx);
5012  if (de_ctx != NULL)
5013  DetectEngineCtxFree(de_ctx);
5014 
5016  FLOW_DESTROY(&f);
5017 
5018  UTHFreePackets(&p1, 1);
5019  UTHFreePackets(&p2, 1);
5020 
5021  return result;
5022 }
5023 
5024 /** \test ICMP packet shouldn't be matching port based sig
5025  * Bug #611 */
5026 static int SigTestPorts01(void)
5027 {
5028  int result = 0;
5029  Packet *p1 = NULL;
5030  Signature *s = NULL;
5031  ThreadVars tv;
5032  DetectEngineThreadCtx *det_ctx = NULL;
5033  uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
5034 
5035  memset(&tv, 0, sizeof(ThreadVars));
5036 
5037  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
5038 
5040  if (de_ctx == NULL) {
5041  goto end;
5042  }
5043  de_ctx->flags |= DE_QUIET;
5044 
5045  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
5046  "(content:\"AAA\"; sid:1;)");
5047  if (s == NULL) {
5048  goto end;
5049  }
5050 
5051  SigGroupBuild(de_ctx);
5052  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
5053 
5054  /* do detect */
5055  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
5056 
5057  if (PacketAlertCheck(p1, 1)) {
5058  printf("sig 1 alerted on p1, but it should not: ");
5059  goto end;
5060  }
5061 
5062  result = 1;
5063 end:
5064  if (det_ctx != NULL)
5065  DetectEngineThreadCtxDeinit(&tv, det_ctx);
5066  if (de_ctx != NULL)
5067  SigGroupCleanup(de_ctx);
5068  if (de_ctx != NULL)
5069  DetectEngineCtxFree(de_ctx);
5070 
5071  UTHFreePackets(&p1, 1);
5072  return result;
5073 }
5074 
5075 /** \test almost identical patterns */
5076 static int SigTestBug01(void)
5077 {
5078  int result = 0;
5079  Packet *p1 = NULL;
5080  Signature *s = NULL;
5081  ThreadVars tv;
5082  DetectEngineThreadCtx *det_ctx = NULL;
5083  uint8_t payload[] = "!mymy";
5084 
5085  memset(&tv, 0, sizeof(ThreadVars));
5086 
5087  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
5088 
5090  if (de_ctx == NULL) {
5091  goto end;
5092  }
5093  de_ctx->flags |= DE_QUIET;
5094 
5095  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
5096  "(content:\"Omymy\"; nocase; sid:1;)");
5097  if (s == NULL) {
5098  goto end;
5099  }
5100  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
5101  "(content:\"!mymy\"; nocase; sid:2;)");
5102  if (s == NULL) {
5103  goto end;
5104  }
5105 
5106  SigGroupBuild(de_ctx);
5107  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
5108 
5109  /* do detect */
5110  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
5111 
5112  if (PacketAlertCheck(p1, 1)) {
5113  printf("sig 1 alerted on p1, but it should not: ");
5114  goto end;
5115  }
5116  if (!(PacketAlertCheck(p1, 2))) {
5117  printf("sig 2 did not p1, but it should have: ");
5118  goto end;
5119  }
5120 
5121  result = 1;
5122 end:
5123  if (det_ctx != NULL)
5124  DetectEngineThreadCtxDeinit(&tv, det_ctx);
5125  if (de_ctx != NULL)
5126  SigGroupCleanup(de_ctx);
5127  if (de_ctx != NULL)
5128  DetectEngineCtxFree(de_ctx);
5129 
5130  UTHFreePackets(&p1, 1);
5131  return result;
5132 }
5133 
5134 static const char *dummy_conf_string2 =
5135  "%YAML 1.1\n"
5136  "---\n"
5137  "vars:\n"
5138  "\n"
5139  " address-groups:\n"
5140  "\n"
5141  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
5142  "\n"
5143  " EXTERNAL_NET: \"any\"\n"
5144  "\n"
5145  " port-groups:\n"
5146  "\n"
5147  " HTTP_PORTS: \"80:81,88\"\n"
5148  "\n";
5149 
5150 static int DetectAddressYamlParsing01 (void)
5151 {
5152  int result = 0;
5153 
5155  ConfInit();
5156  ConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
5157 
5159  if (de_ctx == NULL) {
5160  goto end;
5161  }
5162 
5163  de_ctx->flags |= DE_QUIET;
5164 
5165  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5166  goto end;
5167  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5168  goto end;
5169  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5170  goto end;
5171 
5172  result = 1;
5173 
5174  DetectEngineCtxFree(de_ctx);
5175 end:
5176  ConfDeInit();
5178  return result;
5179 }
5180 
5181 static const char *dummy_conf_string3 =
5182  "%YAML 1.1\n"
5183  "---\n"
5184  "vars:\n"
5185  "\n"
5186  " address-groups:\n"
5187  "\n"
5188  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5189  "\n"
5190  " EXTERNAL_NET: \"any\"\n"
5191  "\n"
5192  " port-groups:\n"
5193  "\n"
5194  " HTTP_PORTS: \"80:81,88\"\n"
5195  "\n";
5196 
5197 static int DetectAddressYamlParsing02 (void)
5198 {
5199  int result = 0;
5200 
5202  ConfInit();
5203  ConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
5204 
5206  if (de_ctx == NULL) {
5207  goto end;
5208  }
5209 
5210  de_ctx->flags |= DE_QUIET;
5211 
5212  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5213  goto end;
5214  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5215  goto end;
5216  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5217  goto end;
5218 
5219  result = 1;
5220 
5221  DetectEngineCtxFree(de_ctx);
5222 end:
5223  ConfDeInit();
5225  return result;
5226 }
5227 
5228 static const char *dummy_conf_string4 =
5229  "%YAML 1.1\n"
5230  "---\n"
5231  "vars:\n"
5232  "\n"
5233  " address-groups:\n"
5234  "\n"
5235  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5236  "\n"
5237  " EXTERNAL_NET: \"any\"\n"
5238  "\n"
5239  " port-groups:\n"
5240  "\n"
5241  " HTTP_PORTS: \"80:81,88\"\n"
5242  "\n";
5243 
5244 static int DetectAddressYamlParsing03 (void)
5245 {
5246  int result = 0;
5247 
5249  ConfInit();
5250  ConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
5251 
5253  if (de_ctx == NULL) {
5254  goto end;
5255  }
5256 
5257  de_ctx->flags |= DE_QUIET;
5258 
5259  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5260  goto end;
5261  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5262  goto end;
5263  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5264  goto end;
5265 
5266  result = 1;
5267 
5268  DetectEngineCtxFree(de_ctx);
5269 end:
5270  ConfDeInit();
5272  return result;
5273 }
5274 
5275 static const char *dummy_conf_string5 =
5276  "%YAML 1.1\n"
5277  "---\n"
5278  "vars:\n"
5279  "\n"
5280  " address-groups:\n"
5281  "\n"
5282  " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
5283  "\n"
5284  " EXTERNAL_NET: \"any\"\n"
5285  "\n"
5286  " port-groups:\n"
5287  "\n"
5288  " HTTP_PORTS: \"80:81,88\"\n"
5289  "\n";
5290 
5291 /** \test bug #815 */
5292 static int DetectAddressYamlParsing04 (void)
5293 {
5294  int result = 0;
5295 
5297  ConfInit();
5298  ConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
5299 
5301  if (de_ctx == NULL) {
5302  goto end;
5303  }
5304 
5305  de_ctx->flags |= DE_QUIET;
5306 
5307  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5308  goto end;
5309  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5310  goto end;
5311  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5312  goto end;
5313 
5314  result = 1;
5315 
5316  DetectEngineCtxFree(de_ctx);
5317 end:
5318  ConfDeInit();
5320  return result;
5321 }
5322 
5324 {
5327 
5328  UtRegisterTest("SigTest01", SigTest01);
5329  UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
5330  UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
5331  UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
5332  UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
5333  UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
5334  UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
5335  SigTest07);
5336  UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
5337  UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
5338  SigTest09);
5339  UtRegisterTest("SigTest10 -- long content match, longer than pkt",
5340  SigTest10);
5341  UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
5342  UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
5343  UtRegisterTest("SigTest13 -- content order matching, diff order",
5344  SigTest13);
5345  UtRegisterTest("SigTest14 -- content order matching, distance 0",
5346  SigTest14);
5347  UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
5348  UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
5349  UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
5350  UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
5351  UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
5352  UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
5353  UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
5354  UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
5355  UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
5356 
5357  UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
5358  UtRegisterTest("SigTest25NegativeIPV4Keyword",
5359  SigTest25NegativeIPV4Keyword);
5360 
5361  UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
5362  UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
5363  SigTest26TCPV4AndNegativeIPV4Keyword);
5364  UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
5365  SigTest26TCPV4AndIPV4Keyword);
5366  UtRegisterTest("SigTest27NegativeTCPV4Keyword",
5367  SigTest27NegativeTCPV4Keyword);
5368 
5369  UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
5370  UtRegisterTest("SigTest29NegativeTCPV6Keyword",
5371  SigTest29NegativeTCPV6Keyword);
5372 
5373  UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
5374  UtRegisterTest("SigTest31NegativeUDPV4Keyword",
5375  SigTest31NegativeUDPV4Keyword);
5376 
5377  UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
5378  UtRegisterTest("SigTest33NegativeUDPV6Keyword",
5379  SigTest33NegativeUDPV6Keyword);
5380 
5381  UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5382  UtRegisterTest("SigTest35NegativeICMPV4Keyword",
5383  SigTest35NegativeICMPV4Keyword);
5384  UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
5385  SigTest36ContentAndIsdataatKeywords01);
5386  UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
5387  SigTest37ContentAndIsdataatKeywords02);
5388 
5389  UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
5390 
5391  UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
5392 
5393  UtRegisterTest("SigTest40NoPacketInspection01",
5394  SigTest40NoPacketInspection01);
5395  UtRegisterTest("SigTest40NoPayloadInspection02",
5396  SigTest40NoPayloadInspection02);
5397 
5398  UtRegisterTest("SigTestMemory01", SigTestMemory01);
5399  UtRegisterTest("SigTestMemory02", SigTestMemory02);
5400  UtRegisterTest("SigTestMemory03", SigTestMemory03);
5401 
5402  UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
5403  UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5404  UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
5405  SigTestContent03);
5406  UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5407  SigTestContent04);
5408  UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
5409  UtRegisterTest("SigTestContent06 -- distance/within ip only",
5410  SigTestContent06);
5411 
5412  UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
5413  UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
5414 
5415  UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5416 
5417  UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
5418  UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
5419  UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
5420  UtRegisterTest("SigTestDropFlow04", SigTestDropFlow04);
5421 
5422  UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5423  UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5424  UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5425  UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
5426 
5427  UtRegisterTest("SigTestPorts01", SigTestPorts01);
5428  UtRegisterTest("SigTestBug01", SigTestBug01);
5429 
5431 }
5432 #endif /* UNITTESTS */
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
EthernetHdr * ethh
Definition: decode.h:494
UDPHdr * udph
Definition: decode.h:525
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:446
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
void StreamTcpSessionPktFree(Packet *p)
Function to return the stream segments back to the pool.
Definition: stream-tcp.c:282
#define BUG_ON(x)
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:858
uint8_t proto
Definition: flow.h:344
#define SET_PKT_LEN(p, len)
Definition: decode.h:230
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:722
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:243
#define unlikely(expr)
Definition: util-optimize.h:35
#define PASS
Pass the test.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Port sp
Definition: decode.h:416
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Port dp
Definition: decode.h:424
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
ICMPV4Hdr * icmpv4h
Definition: decode.h:529
Signature * sig_list
Definition: detect.h:767
#define FLOW_ACTION_DROP
Definition: flow.h:64
void StreamTcpDisableAppLayer(Flow *f)
#define PACKET_RESET_CHECKSUMS(p)
reset these to -1(indicates that the packet is fresh from the queue)
Definition: decode.h:714
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_QUIET
Definition: flow.h:38
Address dst
Definition: decode.h:414
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:203
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void SigRegisterTests(void)
Definition: detect.c:5323
#define PACKET_RECYCLE(p)
Definition: decode.h:815
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:668
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:240
void DetectEngineContentInspectionRegisterTests(void)
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
TCPHdr * tcph
Definition: decode.h:523
Signature container.
Definition: detect.h:522
#define TRUE
#define DecodeSetNoPacketInspectionFlag(p)
Set the No packet inspection Flag for the packet.
Definition: decode.h:985
void * protoctx
Definition: flow.h:400
main detection engine ctx
Definition: detect.h:761
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
void * alstate
Definition: flow.h:438
#define DE_QUIET
Definition: detect.h:292
#define SIZE_OF_PACKET
Definition: decode.h:619
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:699
IPV6Hdr * ip6h
Definition: decode.h:503
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:88
char family
Definition: decode.h:112
uint16_t value_len
Definition: decode.h:317
uint8_t proto
Definition: decode.h:431
uint8_t flags
Definition: detect.h:762
Packet * UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, uint16_t sport, uint16_t dport)
UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying src and dst ports and defaulting...
uint16_t counter_alerts
Definition: detect.h:1040
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:113
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Structure to hold thread specific data for all decode modules.
Definition: decode.h:633
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1670
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:364
uint8_t flowflags
Definition: decode.h:440
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:711
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
struct Signature_ * next
Definition: detect.h:594
void IPOnlyRegisterTests(void)
IPV4Hdr * ip4h
Definition: decode.h:501
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:95
#define SCMalloc(a)
Definition: util-mem.h:222
DetectEngineCtx * de_ctx
Definition: detect.h:1127
void PktVarFree(PktVar *pv)
Definition: pkt-var.c:111
#define SCFree(a)
Definition: util-mem.h:322
uint8_t * value
Definition: decode.h:319
void EngineModeSetIDS(void)
Definition: suricata.c:262
void SigParseRegisterTests(void)
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:670
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1087
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself...
int StatsSetupPrivate(ThreadVars *tv)
Definition: counters.c:1198
TmEcode Detect(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
Detection engine thread wrapper.
Definition: detect.c:1602
#define GET_PKT_DATA(p)
Definition: decode.h:226
#define PKT_HAS_FLOW
Definition: decode.h:1094
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
char name[16]
Definition: threadvars.h:59
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:125
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq)
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:259
#define TCP_GET_HLEN(p)
Definition: decode-tcp.h:110
PktVar * PktVarGet(Packet *p, uint32_t id)
Definition: pkt-var.c:40
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:409
#define GET_PKT_LEN(p)
Definition: decode.h:225
#define ACTION_DROP
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1088
uint32_t flags
Definition: decode.h:444
uint16_t payload_len
Definition: decode.h:542
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:218
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
void EngineModeSetIPS(void)
Definition: suricata.c:257
Flow data structure.
Definition: flow.h:325
#define FLOW_IPV4
Definition: flow.h:94
uint8_t * payload
Definition: decode.h:541
uint32_t flags
Definition: flow.h:379
#define PKT_STREAM_EST
Definition: decode.h:1092
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
uint8_t ip_verhl
Definition: decode-ipv4.h:72
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
Address src
Definition: decode.h:413
DetectEngineCtx * DetectEngineCtxInit(void)
uint8_t action
Definition: decode.h:545
void FlowInitConfig(char quiet)
initialize the configuration
Definition: flow.c:515
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1244