suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #ifdef UNITTESTS
19 
20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../pkt-var.h"
25 #include "../flow-util.h"
26 #include "../stream-tcp-reassemble.h"
27 #include "../util-unittest.h"
28 #include "../util-unittest-helper.h"
29 
30 static const char *dummy_conf_string =
31  "%YAML 1.1\n"
32  "---\n"
33  "\n"
34  "default-log-dir: /var/log/suricata\n"
35  "\n"
36  "logging:\n"
37  "\n"
38  " default-log-level: debug\n"
39  "\n"
40  " default-format: \"<%t> - <%l>\"\n"
41  "\n"
42  " default-startup-message: Your IDS has started.\n"
43  "\n"
44  " default-output-filter:\n"
45  "\n"
46  " output:\n"
47  "\n"
48  " - interface: console\n"
49  " log-level: info\n"
50  "\n"
51  " - interface: file\n"
52  " filename: /var/log/suricata.log\n"
53  "\n"
54  " - interface: syslog\n"
55  " facility: local5\n"
56  " format: \"%l\"\n"
57  "\n"
58  "pfring:\n"
59  "\n"
60  " interface: eth0\n"
61  "\n"
62  " clusterid: 99\n"
63  "\n"
64  "vars:\n"
65  "\n"
66  " address-groups:\n"
67  "\n"
68  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
69  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
70  "\n"
71  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
72  "\n"
73  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
74  "\n"
75  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
76  "\n"
77  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
78  "\n"
79  " DNS_SERVERS: any\n"
80  "\n"
81  " TELNET_SERVERS: any\n"
82  "\n"
83  " AIM_SERVERS: any\n"
84  "\n"
85  " port-groups:\n"
86  "\n"
87  " HTTP_PORTS: \"80:81,88\"\n"
88  "\n"
89  " SHELLCODE_PORTS: 80\n"
90  "\n"
91  " ORACLE_PORTS: 1521\n"
92  "\n"
93  " SSH_PORTS: 22\n"
94  "\n";
95 
96 static int SigTest01 (void)
97 {
98  uint8_t *buf = (uint8_t *)
99  "GET /one/ HTTP/1.1\r\n"
100  "Host: one.example.org\r\n"
101  "\r\n\r\n"
102  "GET /two/ HTTP/1.1\r\n"
103  "Host: two.example.org\r\n"
104  "\r\n\r\n";
105  uint16_t buflen = strlen((char *)buf);
106  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
107  int result = 0;
108 
109  char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
110  if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
111  result = 0;
112  goto end;
113  }
114 #if 0
115  //printf("URI0 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[0], p.http_uri.raw_size[0]);
116  //printf("URI1 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[1], p.http_uri.raw_size[1]);
117 
118  if (p->http_uri.raw_size[0] == 5 &&
119  memcmp(p->http_uri.raw[0], "/one/", 5) == 0 &&
120  p->http_uri.raw_size[1] == 5 &&
121  memcmp(p->http_uri.raw[1], "/two/", 5) == 0)
122  {
123  result = 1;
124  }
125 
126 #endif
127  result = 1;
128 end:
129  if (p != NULL)
130  UTHFreePacket(p);
131  return result;
132 }
133 
134 static int SigTest02 (void)
135 {
136  uint8_t *buf = (uint8_t *)
137  "GET /one/ HTTP/1.1\r\n"
138  "Host: one.example.org\r\n"
139  "\r\n\r\n"
140  "GET /two/ HTTP/1.1\r\n"
141  "Host: two.example.org\r\n"
142  "\r\n\r\n";
143  uint16_t buflen = strlen((char *)buf);
144  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
145  char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
146  int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
147  UTHFreePacket(p);
148  return ret;
149 }
150 
151 static int SigTest03 (void)
152 {
153  uint8_t *buf = (uint8_t *)
154  "GET /one/ HTTP/1.1\r\n"
155  "Host: one.example.org\r\n"
156  "\r\n\r\n"
157  "GET /two/ HTTP/1.1\r\n"
158  "Host: two.example.org\r\n"
159  "\r\n\r\n";
160  uint16_t buflen = strlen((char *)buf);
161  Packet *p = NULL;
162  ThreadVars th_v;
163  DetectEngineThreadCtx *det_ctx = NULL;
164  int result = 0;
165 
166  memset(&th_v, 0, sizeof(th_v));
167 
168  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
169 
171  if (de_ctx == NULL) {
172  goto end;
173  }
174 
175  de_ctx->flags |= DE_QUIET;
176 
177  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
178  if (de_ctx->sig_list == NULL) {
179  result = 0;
180  goto end;
181  }
182 
184  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
185 
186  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
187  if (PacketAlertCheck(p, 1))
188  result = 1;
189 
192 
193  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
195 end:
196  UTHFreePackets(&p, 1);
197  return result;
198 }
199 
200 static int SigTest04 (void)
201 {
202  uint8_t *buf = (uint8_t *)
203  "GET /one/ HTTP/1.1\r\n" /* 20*/
204  "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
205  "\r\n\r\n" /* 4 */
206  "GET /two/ HTTP/1.1\r\n" /* 20 */
207  "Host: two.example.org\r\n" /* 23 */
208  "\r\n\r\n"; /* 4 */
209  uint16_t buflen = strlen((char *)buf);
210 
211  Packet *p = NULL;
212  ThreadVars th_v;
213  DetectEngineThreadCtx *det_ctx = NULL;
214  int result = 0;
215 
216  memset(&th_v, 0, sizeof(th_v));
217 
218  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
219 
221  if (de_ctx == NULL) {
222  goto end;
223  }
224 
225  de_ctx->flags |= DE_QUIET;
226 
227  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
228  if (de_ctx->sig_list == NULL) {
229  result = 0;
230  goto end;
231  }
232 
234  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
235 
236  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
237  if (PacketAlertCheck(p, 1))
238  result = 1;
239 
242 
243  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
245 end:
246  UTHFreePackets(&p, 1);
247  return result;
248 }
249 
250 static int SigTest05 (void)
251 {
252  uint8_t *buf = (uint8_t *)
253  "GET /one/ HTTP/1.1\r\n" /* 20 */
254  "Host: one.example.org\r\n" /* 23, 43 */
255  "\r\n\r\n" /* 4, 47 */
256  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
257  "Host: two.example.org\r\n" /* 23, 90 */
258  "\r\n\r\n"; /* 4, 94 */
259  uint16_t buflen = strlen((char *)buf);
260  Packet *p = NULL;
261  ThreadVars th_v;
262  DetectEngineThreadCtx *det_ctx = NULL;
263  int result = 0;
264 
265  memset(&th_v, 0, sizeof(th_v));
266 
267  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
268 
270  if (de_ctx == NULL) {
271  goto end;
272  }
273 
274  de_ctx->flags |= DE_QUIET;
275 
276  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
277  if (de_ctx->sig_list == NULL) {
278  printf("sig parse failed: ");
279  goto end;
280  }
281 
283  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
284 
285  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
286  if (!PacketAlertCheck(p, 1)) {
287  result = 1;
288  } else {
289  printf("sig matched but shouldn't have: ");
290  }
291 
294 
295  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
297 end:
298  UTHFreePackets(&p, 1);
299  return result;
300 }
301 
302 static int SigTest06 (void)
303 {
304  uint8_t *buf = (uint8_t *)
305  "GET /one/ HTTP/1.1\r\n" /* 20 */
306  "Host: one.example.org\r\n" /* 23, 43 */
307  "\r\n\r\n" /* 4, 47 */
308  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
309  "Host: two.example.org\r\n" /* 23, 90 */
310  "\r\n\r\n"; /* 4, 94 */
311  uint16_t buflen = strlen((char *)buf);
312  Packet *p = NULL;
313  ThreadVars th_v;
314  DetectEngineThreadCtx *det_ctx = NULL;
315  Flow f;
316  TcpSession ssn;
319 
320  memset(&th_v, 0, sizeof(th_v));
321  memset(&f, 0, sizeof(f));
322  memset(&ssn, 0, sizeof(ssn));
323 
324  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
325  FAIL_IF_NULL(p);
326 
327  FLOW_INITIALIZE(&f);
328  f.protoctx = (void *)&ssn;
329  f.flags |= FLOW_IPV4;
330  f.proto = IPPROTO_TCP;
331  p->flow = &f;
336 
337  StreamTcpInitConfig(true);
338 
341  de_ctx->flags |= DE_QUIET;
342 
343  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
344  FAIL_IF_NULL(s);
345 
346  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
347  FAIL_IF_NULL(s);
348 
350  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
351  FAIL_IF_NULL(det_ctx);
352 
353  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
354  FAIL_IF(r != 0);
355 
356  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
359 
360  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
363  UTHFreePackets(&p, 1);
364  StreamTcpFreeConfig(true);
365  FLOW_DESTROY(&f);
366  PASS;
367 }
368 
369 static int SigTest07 (void)
370 {
371  uint8_t *buf = (uint8_t *)
372  "GET /one/ HTTP/1.1\r\n" /* 20 */
373  "Host: one.example.org\r\n" /* 23, 43 */
374  "\r\n\r\n" /* 4, 47 */
375  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
376  "Host: two.example.org\r\n" /* 23, 90 */
377  "\r\n\r\n"; /* 4, 94 */
378  uint16_t buflen = strlen((char *)buf);
379  Packet *p = NULL;
380  ThreadVars th_v;
381  DetectEngineThreadCtx *det_ctx = NULL;
382  Flow f;
383  TcpSession ssn;
384  int result = 0;
386 
387  memset(&th_v, 0, sizeof(th_v));
388  memset(&f, 0, sizeof(f));
389  memset(&ssn, 0, sizeof(ssn));
390 
391  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
392 
393  FLOW_INITIALIZE(&f);
394  f.protoctx = (void *)&ssn;
395  f.flags |= FLOW_IPV4;
396  f.proto = IPPROTO_TCP;
397  p->flow = &f;
402 
403  StreamTcpInitConfig(true);
404 
406  if (de_ctx == NULL) {
407  goto end;
408  }
409 
410  de_ctx->flags |= DE_QUIET;
411 
412  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
413  if (de_ctx->sig_list == NULL) {
414  result = 0;
415  goto end;
416  }
417  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
418  if (de_ctx->sig_list->next == NULL) {
419  result = 0;
420  goto end;
421  }
422 
424  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
425 
426  FLOWLOCK_WRLOCK(&f);
427  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
428  if (r != 0) {
429  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
430  result = 0;
431  FLOWLOCK_UNLOCK(&f);
432  goto end;
433  }
434  FLOWLOCK_UNLOCK(&f);
435 
436  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
437  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
438  result = 0;
439  else
440  result = 1;
441 
442 end:
443  if (alp_tctx != NULL)
445  UTHFreePackets(&p, 1);
446  StreamTcpFreeConfig(true);
448  FLOW_DESTROY(&f);
451 
452  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
454 
455  return result;
456 }
457 
458 static int SigTest08 (void)
459 {
460  uint8_t *buf = (uint8_t *)
461  "GET /one/ HTTP/1.0\r\n" /* 20 */
462  "Host: one.example.org\r\n" /* 23, 43 */
463  "\r\n\r\n" /* 4, 47 */
464  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
465  "Host: two.example.org\r\n" /* 23, 90 */
466  "\r\n\r\n"; /* 4, 94 */
467  uint16_t buflen = strlen((char *)buf);
468  Packet *p = NULL;
469  ThreadVars th_v;
470  DetectEngineThreadCtx *det_ctx = NULL;
471  Flow f;
472  TcpSession ssn;
473  int result = 0;
475 
476  memset(&f, 0, sizeof(Flow));
477  memset(&th_v, 0, sizeof(th_v));
478  memset(&ssn, 0, sizeof(ssn));
479 
480  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
481 
482  FLOW_INITIALIZE(&f);
483  f.protoctx = (void *)&ssn;
484  f.flags |= FLOW_IPV4;
485  f.proto = IPPROTO_TCP;
486  p->flow = &f;
491 
492  StreamTcpInitConfig(true);
493 
495  if (de_ctx == NULL) {
496  goto end;
497  }
498 
499  de_ctx->flags |= DE_QUIET;
500 
501  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
502  if (de_ctx->sig_list == NULL) {
503  result = 0;
504  goto end;
505  }
506  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
507  if (de_ctx->sig_list->next == NULL) {
508  result = 0;
509  goto end;
510  }
511 
513  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
514 
515  FLOWLOCK_WRLOCK(&f);
516  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
517  if (r != 0) {
518  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
519  result = 0;
520  FLOWLOCK_UNLOCK(&f);
521  goto end;
522  }
523  FLOWLOCK_UNLOCK(&f);
524 
525  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
526  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
527  result = 1;
528  else
529  printf("sid:1 %s, sid:2 %s: ",
530  PacketAlertCheck(p, 1) ? "OK" : "FAIL",
531  PacketAlertCheck(p, 2) ? "OK" : "FAIL");
532 
533 end:
537 
538  if (det_ctx)
539  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
541  if (alp_tctx != NULL)
543  UTHFreePackets(&p, 1);
544  StreamTcpFreeConfig(true);
545  FLOW_DESTROY(&f);
546  return result;
547 }
548 
549 static int SigTest09 (void)
550 {
551  uint8_t *buf = (uint8_t *)
552  "GET /one/ HTTP/1.0\r\n" /* 20 */
553  "Host: one.example.org\r\n" /* 23, 43 */
554  "\r\n\r\n" /* 4, 47 */
555  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
556  "Host: two.example.org\r\n" /* 23, 90 */
557  "\r\n\r\n"; /* 4, 94 */
558  uint16_t buflen = strlen((char *)buf);
559  Packet *p = NULL;
560  ThreadVars th_v;
561  DetectEngineThreadCtx *det_ctx = NULL;
562  Flow f;
563  TcpSession ssn;
565  int result = 0;
566 
567  memset(&th_v, 0, sizeof(th_v));
568  memset(&f, 0, sizeof(f));
569  memset(&ssn, 0, sizeof(ssn));
570 
571  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
572 
573  FLOW_INITIALIZE(&f);
574  f.protoctx = (void *)&ssn;
575  f.flags |= FLOW_IPV4;
576  f.proto = IPPROTO_TCP;
577  p->flow = &f;
582 
583  StreamTcpInitConfig(true);
584 
586  if (de_ctx == NULL) {
587  goto end;
588  }
589 
590  de_ctx->flags |= DE_QUIET;
591 
592  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
593  if (de_ctx->sig_list == NULL) {
594  result = 0;
595  goto end;
596  }
597  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
598  if (de_ctx->sig_list->next == NULL) {
599  result = 0;
600  goto end;
601  }
602 
604  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
605 
606  FLOWLOCK_WRLOCK(&f);
607  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
608  if (r != 0) {
609  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
610  result = 0;
611  FLOWLOCK_UNLOCK(&f);
612  goto end;
613  }
614  FLOWLOCK_UNLOCK(&f);
615 
616  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
617  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
618  result = 1;
619  else
620  result = 0;
621 
622 end:
626  if (det_ctx)
627  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
629  if (alp_tctx != NULL)
631  UTHFreePackets(&p, 1);
632  StreamTcpFreeConfig(true);
633  FLOW_DESTROY(&f);
634  return result;
635 }
636 
637 static int SigTest10 (void)
638 {
639  uint8_t *buf = (uint8_t *)
640  "ABC";
641  uint16_t buflen = strlen((char *)buf);
642  Packet *p = NULL;
643  ThreadVars th_v;
644  DetectEngineThreadCtx *det_ctx = NULL;
645  Flow f;
646  TcpSession ssn;
647  int result = 0;
649 
650  memset(&th_v, 0, sizeof(th_v));
651  memset(&f, 0, sizeof(f));
652  memset(&ssn, 0, sizeof(ssn));
653 
654  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
655 
656  FLOW_INITIALIZE(&f);
657  f.protoctx = (void *)&ssn;
658  f.proto = IPPROTO_TCP;
659  f.flags |= FLOW_IPV4;
660  p->flow = &f;
665 
666  StreamTcpInitConfig(true);
667 
669  if (de_ctx == NULL) {
670  goto end;
671  }
672 
673  de_ctx->flags |= DE_QUIET;
674 
675  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
676  if (de_ctx->sig_list == NULL) {
677  result = 0;
678  goto end;
679  }
680  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)");
681  if (de_ctx->sig_list->next == NULL) {
682  result = 0;
683  goto end;
684  }
685 
687  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
688 
689  FLOWLOCK_WRLOCK(&f);
690  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
691  if (r != 0) {
692  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
693  result = 0;
694  FLOWLOCK_UNLOCK(&f);
695  goto end;
696  }
697  FLOWLOCK_UNLOCK(&f);
698 
699  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
700  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
701  result = 0;
702  else
703  result = 1;
704 
705  end:
709  if (det_ctx)
710  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
712  if (alp_tctx != NULL)
714  UTHFreePackets(&p, 1);
715  StreamTcpFreeConfig(true);
716  FLOW_DESTROY(&f);
717  return result;
718 }
719 
720 static int SigTest11 (void)
721 {
722  uint8_t *buf = (uint8_t *)
723  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
724  uint16_t buflen = strlen((char *)buf);
725  Packet *p = NULL;
726  ThreadVars th_v;
727  DetectEngineThreadCtx *det_ctx = NULL;
728  Flow f;
729  TcpSession ssn;
730  int result = 0;
731 
732  memset(&th_v, 0, sizeof(th_v));
733  memset(&f, 0, sizeof(f));
734  memset(&ssn, 0, sizeof(ssn));
735 
736  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
737 
738  FLOW_INITIALIZE(&f);
739  f.protoctx = (void *)&ssn;
740  f.proto = IPPROTO_TCP;
741  f.flags |= FLOW_IPV4;
742  p->flow = &f;
746 
747  StreamTcpInitConfig(true);
748 
750  if (de_ctx == NULL) {
751  goto end;
752  }
753 
754  de_ctx->flags |= DE_QUIET;
755 
756  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
757  if (de_ctx->sig_list == NULL) {
758  goto end;
759  }
760  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
761  if (de_ctx->sig_list->next == NULL) {
762  goto end;
763  }
764 
766  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
767 
768  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
769  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
770  result = 1;
771 
772  end:
775  if (det_ctx)
776  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
778  UTHFreePackets(&p, 1);
779  StreamTcpFreeConfig(true);
780  FLOW_DESTROY(&f);
781  return result;
782 }
783 
784 static int SigTest12 (void)
785 {
786  uint8_t *buf = (uint8_t *)
787  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
788  uint16_t buflen = strlen((char *)buf);
789  Packet *p = NULL;
790  ThreadVars th_v;
791  DetectEngineThreadCtx *det_ctx = NULL;
792  int result = 0;
793 
794  memset(&th_v, 0, sizeof(th_v));
795  Flow f;
796  memset(&f, 0, sizeof(Flow));
797 
798  FLOW_INITIALIZE(&f);
799 
800  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
801  p->flow = &f;
803 
805  if (de_ctx == NULL) {
806  goto end;
807  }
808 
809  de_ctx->flags |= DE_QUIET;
810 
811  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
812  if (de_ctx->sig_list == NULL) {
813  result = 0;
814  goto end;
815  }
816 
818  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
819 
820  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
821  if (PacketAlertCheck(p, 1))
822  result = 1;
823  else
824  result = 0;
825 
826  if (det_ctx != NULL)
827  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
828 end:
829  UTHFreePackets(&p, 1);
830  if (de_ctx != NULL) {
834  }
835  FLOW_DESTROY(&f);
836  return result;
837 }
838 
839 static int SigTest13 (void)
840 {
841  uint8_t *buf = (uint8_t *)
842  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
843  uint16_t buflen = strlen((char *)buf);
844  Packet *p = NULL;
845  ThreadVars th_v;
846  DetectEngineThreadCtx *det_ctx = NULL;
847  int result = 0;
848 
849  memset(&th_v, 0, sizeof(th_v));
850  Flow f;
851  memset(&f, 0, sizeof(Flow));
852 
853  FLOW_INITIALIZE(&f);
854 
855  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
856  p->flow = &f;
858 
860  if (de_ctx == NULL) {
861  goto end;
862  }
863 
864  de_ctx->flags |= DE_QUIET;
865 
866  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
867  if (de_ctx->sig_list == NULL) {
868  result = 0;
869  goto end;
870  }
871 
873  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
874 
875  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
876  if (PacketAlertCheck(p, 1))
877  result = 1;
878  else
879  result = 0;
880 
883  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
885 end:
886  UTHFreePackets(&p, 1);
887  FLOW_DESTROY(&f);
888  return result;
889 }
890 
891 static int SigTest14 (void)
892 {
893  uint8_t *buf = (uint8_t *)
894  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
895  uint16_t buflen = strlen((char *)buf);
896  Packet *p = NULL;
897  ThreadVars th_v;
898  DetectEngineThreadCtx *det_ctx = NULL;
899  int result = 0;
900 
901  memset(&th_v, 0, sizeof(th_v));
902 
903  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
904 
906  if (de_ctx == NULL) {
907  goto end;
908  }
909 
910  de_ctx->flags |= DE_QUIET;
911 
912  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
913  if (de_ctx->sig_list == NULL) {
914  result = 0;
915  goto end;
916  }
917 
919  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
920 
921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
922  if (PacketAlertCheck(p, 1))
923  result = 0;
924  else
925  result = 1;
926 
929  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
931 end:
932  UTHFreePackets(&p, 1);
933  return result;
934 }
935 
936 static int SigTest15 (void)
937 {
938  uint8_t *buf = (uint8_t *)
939  "CONNECT 213.92.8.7:31204 HTTP/1.1";
940  uint16_t buflen = strlen((char *)buf);
941  Packet *p = PacketGetFromAlloc();
942  if (unlikely(p == NULL))
943  return 0;
944  ThreadVars th_v;
945  DetectEngineThreadCtx *det_ctx = NULL;
946  int result = 0;
947 
948  memset(&th_v, 0, sizeof(th_v));
949  p->src.family = AF_INET;
950  p->dst.family = AF_INET;
951  p->payload = buf;
952  p->payload_len = buflen;
953  p->proto = IPPROTO_TCP;
954  p->dp = 80;
955 
957  ConfInit();
958  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
959 
961  if (de_ctx == NULL) {
962  goto end;
963  }
964 
965  de_ctx->flags |= DE_QUIET;
966 
967  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
968  if (de_ctx->sig_list == NULL) {
969  result = 0;
970  goto end;
971  }
972 
974  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
975 
976  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
977  if (PacketAlertCheck(p, 2008284))
978  result = 0;
979  else
980  result = 1;
981 
984  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
986 end:
987  ConfDeInit();
989  SCFree(p);
990  return result;
991 }
992 
993 static int SigTest16 (void)
994 {
995  uint8_t *buf = (uint8_t *)
996  "CONNECT 213.92.8.7:31204 HTTP/1.1";
997  uint16_t buflen = strlen((char *)buf);
998  Packet *p = NULL;
999  ThreadVars th_v;
1000  DetectEngineThreadCtx *det_ctx = NULL;
1001  int result = 0;
1002 
1003  memset(&th_v, 0, sizeof(th_v));
1004  memset(&p, 0, sizeof(p));
1005 
1006  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
1007 
1009  ConfInit();
1010  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1011 
1013  if (de_ctx == NULL) {
1014  goto end;
1015  }
1016 
1017  de_ctx->flags |= DE_QUIET;
1018 
1019  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
1020  if (de_ctx->sig_list == NULL) {
1021  goto end;
1022  }
1023 
1025  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1026 
1027  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1028  if (PacketAlertCheck(p, 2008284))
1029  result = 1;
1030  else
1031  printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
1032 
1034  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1036 end:
1037  ConfDeInit();
1039  UTHFreePackets(&p, 1);
1040  return result;
1041 }
1042 
1043 static int SigTest17 (void)
1044 {
1045  uint8_t *buf = (uint8_t *)
1046  "GET /one/ HTTP/1.1\r\n" /* 20 */
1047  "Host: one.example.org\r\n" /* 23, 43 */
1048  "\r\n\r\n" /* 4, 47 */
1049  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
1050  "Host: two.example.org\r\n" /* 23, 90 */
1051  "\r\n\r\n"; /* 4, 94 */
1052  uint16_t buflen = strlen((char *)buf);
1053  Packet *p = NULL;
1054  ThreadVars th_v;
1055  DetectEngineThreadCtx *det_ctx = NULL;
1056  memset(&th_v, 0, sizeof(th_v));
1057 
1058  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
1059  FAIL_IF_NULL(p);
1060 
1062  ConfInit();
1063  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1064 
1067  de_ctx->flags |= DE_QUIET;
1068 
1069  Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
1070  FAIL_IF_NULL(s);
1071 
1073  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1074  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1075 
1076  uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
1077 
1078  PktVar *pv_hn = PktVarGet(p, capid);
1079  FAIL_IF_NULL(pv_hn);
1080 
1081  FAIL_IF(pv_hn->value_len != 15);
1082  FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
1083 
1084  PktVarFree(pv_hn);
1085  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1087  ConfDeInit();
1089  UTHFreePackets(&p, 1);
1090 
1091  PASS;
1092 }
1093 
1094 static int SigTest18 (void)
1095 {
1096  uint8_t *buf = (uint8_t *)
1097  "220 (vsFTPd 2.0.5)\r\n";
1098  uint16_t buflen = strlen((char *)buf);
1099  Packet *p = PacketGetFromAlloc();
1100  if (unlikely(p == NULL))
1101  return 0;
1102  ThreadVars th_v;
1103  DetectEngineThreadCtx *det_ctx = NULL;
1104  int result = 0;
1105 
1106  memset(&th_v, 0, sizeof(th_v));
1107  p->src.family = AF_INET;
1108  p->dst.family = AF_INET;
1109  p->payload = buf;
1110  p->payload_len = buflen;
1111  p->proto = IPPROTO_TCP;
1112  p->dp = 34260;
1113  p->sp = 21;
1114 
1116  if (de_ctx == NULL) {
1117  goto end;
1118  }
1119 
1120  de_ctx->flags |= DE_QUIET;
1121 
1122  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
1123  if (de_ctx->sig_list == NULL) {
1124  result = 0;
1125  goto end;
1126  }
1127 
1129  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1130 
1131  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1132  if (!PacketAlertCheck(p, 2003055))
1133  result = 1;
1134  else
1135  printf("signature shouldn't match, but did: ");
1136 
1139  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1141 end:
1142  SCFree(p);
1143  return result;
1144 }
1145 
1146 static int SigTest19 (void)
1147 {
1148  uint8_t *buf = (uint8_t *)
1149  "220 (vsFTPd 2.0.5)\r\n";
1150  uint16_t buflen = strlen((char *)buf);
1151  Packet *p = PacketGetFromAlloc();
1152  if (unlikely(p == NULL))
1153  return 0;
1154  ThreadVars th_v;
1155  DetectEngineThreadCtx *det_ctx = NULL;
1156  int result = 0;
1157 
1158  memset(&th_v, 0, sizeof(th_v));
1159  p->src.family = AF_INET;
1160  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1161  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1162  p->dst.family = AF_INET;
1163  p->payload = buf;
1164  p->payload_len = buflen;
1165  p->proto = IPPROTO_TCP;
1166  p->dp = 34260;
1167  p->sp = 21;
1169 
1171  ConfInit();
1172  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1173 
1175  if (de_ctx == NULL) {
1176  goto end;
1177  }
1178 
1179  de_ctx->flags |= DE_QUIET;
1180 
1181  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1182  if (de_ctx->sig_list == NULL) {
1183  result = 0;
1184  goto end;
1185  }
1186 
1188  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1189 
1190  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1191  if (PacketAlertCheck(p, 999))
1192  result = 1;
1193  else
1194  printf("signature didn't match, but should have: ");
1195 
1197  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1199 end:
1200  ConfDeInit();
1202  SCFree(p);
1203  return result;
1204 }
1205 
1206 static int SigTest20 (void)
1207 {
1208  uint8_t *buf = (uint8_t *)
1209  "220 (vsFTPd 2.0.5)\r\n";
1210  uint16_t buflen = strlen((char *)buf);
1211  Packet *p = PacketGetFromAlloc();
1212  if (unlikely(p == NULL))
1213  return 0;
1214  ThreadVars th_v;
1215  DetectEngineThreadCtx *det_ctx = NULL;
1216  int result = 0;
1217 
1218  memset(&th_v, 0, sizeof(th_v));
1219  p->src.family = AF_INET;
1220  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1221  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1222  p->dst.family = AF_INET;
1223  p->payload = buf;
1224  p->payload_len = buflen;
1225  p->proto = IPPROTO_TCP;
1226  p->dp = 34260;
1227  p->sp = 21;
1229 
1231  ConfInit();
1232  ConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1233 
1235  if (de_ctx == NULL) {
1236  goto end;
1237  }
1238 
1239  de_ctx->flags |= DE_QUIET;
1240 
1241  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1242  if (de_ctx->sig_list == NULL) {
1243  result = 0;
1244  goto end;
1245  }
1246 
1248  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1249 
1250  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1251  if (PacketAlertCheck(p, 999))
1252  result = 1;
1253  else
1254  printf("signature didn't match, but should have: ");
1255 
1258  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1260 end:
1261  ConfDeInit();
1263  SCFree(p);
1264  return result;
1265 }
1266 
1267 static int SigTest21 (void)
1268 {
1269  ThreadVars th_v;
1270  memset(&th_v, 0, sizeof(th_v));
1271  DetectEngineThreadCtx *det_ctx = NULL;
1272  int result = 0;
1273 
1274  Flow f;
1275  memset(&f, 0, sizeof(f));
1276  FLOW_INITIALIZE(&f);
1277 
1278  /* packet 1 */
1279  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1280  "\r\n\r\n";
1281  uint16_t buf1len = strlen((char *)buf1);
1282  Packet *p1 = NULL;
1283  /* packet 2 */
1284  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1285  "\r\n\r\n";
1286  uint16_t buf2len = strlen((char *)buf2);
1287  Packet *p2 = NULL;
1288 
1289  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1290  p1->flow = &f;
1292  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1293  p2->flow = &f;
1295 
1297  if (de_ctx == NULL) {
1298  goto end;
1299  }
1300 
1301  de_ctx->flags |= DE_QUIET;
1302 
1303  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1304  if (de_ctx->sig_list == NULL) {
1305  result = 0;
1306  goto end;
1307  }
1308  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1309  if (de_ctx->sig_list == NULL) {
1310  result = 0;
1311  goto end;
1312  }
1313 
1315  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1316 
1317  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1318  if (PacketAlertCheck(p1, 1)) {
1319  printf("sid 1 alerted, but shouldn't: ");
1320  goto end;
1321  }
1322  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1323  if (!(PacketAlertCheck(p2, 2))) {
1324  printf("sid 2 didn't alert, but should have: ");
1325  goto end;
1326  }
1327 
1328  result = 1;
1329 end:
1330  if (de_ctx != NULL) {
1333 
1334  if (det_ctx != NULL) {
1335  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1336  }
1337  }
1339  UTHFreePackets(&p1, 1);
1340  UTHFreePackets(&p2, 1);
1341  FLOW_DESTROY(&f);
1342  return result;
1343 }
1344 
1345 static int SigTest22 (void)
1346 {
1347  ThreadVars th_v;
1348  memset(&th_v, 0, sizeof(th_v));
1349  DetectEngineThreadCtx *det_ctx = NULL;
1350  int result = 0;
1351 
1352  Flow f;
1353  memset(&f, 0, sizeof(f));
1354  FLOW_INITIALIZE(&f);
1355 
1356  /* packet 1 */
1357  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1358  "\r\n\r\n";
1359  uint16_t buf1len = strlen((char *)buf1);
1360  Packet *p1 = NULL;
1361 
1362  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1363  p1->flow = &f;
1365 
1366  /* packet 2 */
1367  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1368  "\r\n\r\n";
1369  uint16_t buf2len = strlen((char *)buf2);
1370  Packet *p2 = NULL;
1371 
1372  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1373  p2->flow = &f;
1375 
1377  if (de_ctx == NULL) {
1378  goto end;
1379  }
1380 
1381  de_ctx->flags |= DE_QUIET;
1382 
1383  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1384  if (de_ctx->sig_list == NULL) {
1385  result = 0;
1386  goto end;
1387  }
1388  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1389  if (de_ctx->sig_list == NULL) {
1390  result = 0;
1391  goto end;
1392  }
1393 
1395  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1396 
1397  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1398  if (PacketAlertCheck(p1, 1)) {
1399  printf("sid 1 alerted, but shouldn't: ");
1400  goto end;
1401  }
1402  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1403  if (!(PacketAlertCheck(p2, 2)))
1404  result = 1;
1405  else
1406  printf("sid 2 alerted, but shouldn't: ");
1407 
1410 
1411  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1413 end:
1414  UTHFreePackets(&p1, 1);
1415  UTHFreePackets(&p2, 1);
1416  FLOW_DESTROY(&f);
1417  return result;
1418 }
1419 
1420 static int SigTest23 (void)
1421 {
1422  ThreadVars th_v;
1423  memset(&th_v, 0, sizeof(th_v));
1424  DetectEngineThreadCtx *det_ctx = NULL;
1425  int result = 0;
1426 
1427  Flow f;
1428  memset(&f, 0, sizeof(f));
1429  FLOW_INITIALIZE(&f);
1430 
1431  /* packet 1 */
1432  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1433  "\r\n\r\n";
1434  uint16_t buf1len = strlen((char *)buf1);
1435  Packet *p1 = NULL;
1436 
1437  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1438  p1->flow = &f;
1440 
1441  /* packet 2 */
1442  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1443  "\r\n\r\n";
1444  uint16_t buf2len = strlen((char *)buf2);
1445  Packet *p2 = NULL;
1446 
1447  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1448  p2->flow = &f;
1450 
1452  if (de_ctx == NULL) {
1453  goto end;
1454  }
1455 
1456  de_ctx->flags |= DE_QUIET;
1457 
1458  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1459  if (de_ctx->sig_list == NULL) {
1460  result = 0;
1461  goto end;
1462  }
1463  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1464  if (de_ctx->sig_list == NULL) {
1465  result = 0;
1466  goto end;
1467  }
1468 
1470  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1471 
1472  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1473  if (PacketAlertCheck(p1, 1)) {
1474  printf("sid 1 alerted, but shouldn't: ");
1475  goto end;
1476  }
1477  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1478  if (PacketAlertCheck(p2, 2))
1479  result = 1;
1480  else
1481  printf("sid 2 didn't alert, but should have: ");
1482 
1485 
1486  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1488 end:
1489  UTHFreePackets(&p1, 1);
1490  UTHFreePackets(&p2, 1);
1491  FLOW_DESTROY(&f);
1492  return result;
1493 }
1494 
1495 static int SigTest24IPV4Keyword(void)
1496 {
1497  uint8_t valid_raw_ipv4[] = {
1498  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1499  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1500  0xc0, 0xa8, 0x01, 0x03};
1501 
1502  uint8_t invalid_raw_ipv4[] = {
1503  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1504  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1505  0xc0, 0xa8, 0x01, 0x06};
1506 
1507  Packet *p1 = PacketGetFromAlloc();
1508  if (unlikely(p1 == NULL))
1509  return 0;
1510  Packet *p2 = PacketGetFromAlloc();
1511  if (unlikely(p2 == NULL)) {
1512  SCFree(p1);
1513  return 0;
1514  }
1515  ThreadVars th_v;
1516  DetectEngineThreadCtx *det_ctx = NULL;
1517  int result = 0;
1518 
1519  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1520  "\r\n\r\n";
1521  uint16_t buflen = strlen((char *)buf);
1522 
1523  memset(&th_v, 0, sizeof(ThreadVars));
1526 
1527  p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1528 
1529  p1->src.family = AF_INET;
1530  p1->dst.family = AF_INET;
1531  p1->payload = buf;
1532  p1->payload_len = buflen;
1533  p1->proto = IPPROTO_TCP;
1534 
1535  p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1536 
1537  p2->src.family = AF_INET;
1538  p2->dst.family = AF_INET;
1539  p2->payload = buf;
1540  p2->payload_len = buflen;
1541  p2->proto = IPPROTO_TCP;
1542 
1544  if (de_ctx == NULL) {
1545  goto end;
1546  }
1547 
1548  de_ctx->flags |= DE_QUIET;
1549 
1551  "alert ip any any -> any any "
1552  "(content:\"/one/\"; ipv4-csum:valid; "
1553  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1554  if (de_ctx->sig_list == NULL) {
1555  printf("sig 1 parse: ");
1556  goto end;
1557  }
1558 
1560  "alert ip any any -> any any "
1561  "(content:\"/one/\"; ipv4-csum:invalid; "
1562  "msg:\"ipv4-csum keyword check(1)\"; "
1563  "sid:2;)");
1564  if (de_ctx->sig_list->next == NULL) {
1565  printf("sig 2 parse: ");
1566  goto end;
1567  }
1568 
1570  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1571 
1572  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1573  if (!(PacketAlertCheck(p1, 1))) {
1574  printf("signature 1 didn't match, but should have: ");
1575  goto end;
1576  }
1577 
1578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1579  if (!((PacketAlertCheck(p2, 2)))) {
1580  printf("signature 2 didn't match, but should have: ");
1581  goto end;
1582  }
1583 
1584  result = 1;
1585 end:
1586  if (det_ctx != NULL) {
1589  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1591  }
1592  SCFree(p1);
1593  SCFree(p2);
1594  return result;
1595 }
1596 
1597 static int SigTest25NegativeIPV4Keyword(void)
1598 {
1599  uint8_t valid_raw_ipv4[] = {
1600  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1601  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1602  0xc0, 0xa8, 0x01, 0x03};
1603 
1604  uint8_t invalid_raw_ipv4[] = {
1605  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1606  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1607  0xc0, 0xa8, 0x01, 0x06};
1608 
1609  Packet *p1 = PacketGetFromAlloc();
1610  if (unlikely(p1 == NULL))
1611  return 0;
1612  Packet *p2 = PacketGetFromAlloc();
1613  if (unlikely(p2 == NULL)) {
1614  SCFree(p1);
1615  return 0;
1616  }
1617  ThreadVars th_v;
1618  DetectEngineThreadCtx *det_ctx = NULL;
1619  int result = 1;
1620 
1621  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1622  "\r\n\r\n";
1623  uint16_t buflen = strlen((char *)buf);
1624 
1625  memset(&th_v, 0, sizeof(ThreadVars));
1628 
1629  p1->ip4h = (IPV4Hdr *)valid_raw_ipv4;
1630 
1631  p1->src.family = AF_INET;
1632  p1->dst.family = AF_INET;
1633  p1->payload = buf;
1634  p1->payload_len = buflen;
1635  p1->proto = IPPROTO_TCP;
1636 
1637  p2->ip4h = (IPV4Hdr *)invalid_raw_ipv4;
1638 
1639  p2->src.family = AF_INET;
1640  p2->dst.family = AF_INET;
1641  p2->payload = buf;
1642  p2->payload_len = buflen;
1643  p2->proto = IPPROTO_TCP;
1644 
1646  if (de_ctx == NULL) {
1647  goto end;
1648  }
1649 
1650  de_ctx->flags |= DE_QUIET;
1651 
1653  "alert ip any any -> any any "
1654  "(content:\"/one/\"; ipv4-csum:invalid; "
1655  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1656  if (de_ctx->sig_list == NULL) {
1657  result &= 0;
1658  goto end;
1659  }
1660 
1662  "alert ip any any -> any any "
1663  "(content:\"/one/\"; ipv4-csum:valid; "
1664  "msg:\"ipv4-csum keyword check(1)\"; "
1665  "sid:2;)");
1666  if (de_ctx->sig_list->next == NULL) {
1667  result &= 0;
1668  goto end;
1669  }
1670 
1672  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1673 
1674  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1675  if (PacketAlertCheck(p1, 1))
1676  result &= 0;
1677  else
1678  result &= 1;
1679 
1680  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1681  if (PacketAlertCheck(p2, 2))
1682  result &= 0;
1683  else
1684  result &= 1;
1685 
1688  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1690 end:
1691  SCFree(p1);
1692  SCFree(p2);
1693  return result;
1694 }
1695 
1696 static int SigTest26TCPV4Keyword(void)
1697 {
1698  uint8_t raw_ipv4[] = {
1699  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1700  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1701  0xc0, 0xa8, 0x01, 0x03};
1702 
1703  uint8_t valid_raw_tcp[] = {
1704  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1705  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1706  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1707  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1708  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1709 
1710  uint8_t invalid_raw_tcp[] = {
1711  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1712  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1713  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1714  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1715  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1716 
1717  Packet *p1 = PacketGetFromAlloc();
1718  if (unlikely(p1 == NULL))
1719  return 0;
1720 
1721  Packet *p2 = PacketGetFromAlloc();
1722  if (unlikely(p2 == NULL)) {
1723  SCFree(p1);
1724  return 0;
1725  }
1726 
1727  ThreadVars th_v;
1728  DetectEngineThreadCtx *det_ctx = NULL;
1729 
1730  memset(&th_v, 0, sizeof(ThreadVars));
1731 
1732  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1733  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1734 
1735  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1736  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1737 
1739  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1740  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1741  p1->src.family = AF_INET;
1742  p1->dst.family = AF_INET;
1743  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1744  p1->payload_len = 20;
1745  p1->proto = IPPROTO_TCP;
1746 
1748  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1749  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1750  p2->src.family = AF_INET;
1751  p2->dst.family = AF_INET;
1752  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1753  p2->payload_len = 20;
1754  p2->proto = IPPROTO_TCP;
1755 
1758 
1759  de_ctx->flags |= DE_QUIET;
1760 
1762  "alert ip any any -> any any "
1763  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1764  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1766 
1768  "alert ip any any -> any any "
1769  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1770  "msg:\"tcpv4-csum keyword check(1)\"; "
1771  "sid:2;)");
1773 
1775  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1776 
1777  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1778  FAIL_IF(!(PacketAlertCheck(p1, 1)));
1779 
1780  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1781  FAIL_IF(!(PacketAlertCheck(p2, 2)));
1782 
1785  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1787  SCFree(p1);
1788  SCFree(p2);
1789  PASS;
1790 }
1791 
1792 /* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
1793 static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1794 {
1795  uint8_t raw_ipv4[] = {
1796  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1797  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1798  0xc0, 0xa8, 0x01, 0x03};
1799 
1800  uint8_t valid_raw_tcp[] = {
1801  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1802  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1803  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1804  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1805  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1806 
1807  uint8_t invalid_raw_tcp[] = {
1808  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1809  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1810  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1811  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1812  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1813 
1814  Packet *p1 = PacketGetFromAlloc();
1815  if (unlikely(p1 == NULL))
1816  return 0;
1817 
1818  Packet *p2 = PacketGetFromAlloc();
1819  if (unlikely(p2 == NULL)) {
1820  SCFree(p1);
1821  return 0;
1822  }
1823 
1824  ThreadVars th_v;
1825  DetectEngineThreadCtx *det_ctx = NULL;
1826  int result = 0;
1827 
1828  memset(&th_v, 0, sizeof(ThreadVars));
1829 
1830  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1831  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1832 
1833  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1834  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1835 
1837  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1838  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1839  p1->src.family = AF_INET;
1840  p1->dst.family = AF_INET;
1841  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1842  p1->payload_len = 20;
1843  p1->proto = IPPROTO_TCP;
1844 
1846  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1847  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1848  p2->src.family = AF_INET;
1849  p2->dst.family = AF_INET;
1850  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1851  p2->payload_len = 20;
1852  p2->proto = IPPROTO_TCP;
1853 
1855  if (de_ctx == NULL) {
1856  goto end;
1857  }
1858 
1859  de_ctx->flags |= DE_QUIET;
1860 
1862  "alert ip any any -> any any "
1863  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1864  "ipv4-csum:invalid; "
1865  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1866  if (de_ctx->sig_list == NULL) {
1867  goto end;
1868  }
1869 
1871  "alert ip any any -> any any "
1872  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1873  "ipv4-csum:invalid; "
1874  "msg:\"tcpv4-csum keyword check(1)\"; "
1875  "sid:2;)");
1876  if (de_ctx->sig_list->next == NULL) {
1877  goto end;
1878  }
1879 
1881  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1882 
1883  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1884  if (!(PacketAlertCheck(p1, 1))) {
1885  printf("sig 1 didn't match: ");
1886  goto end;
1887  }
1888 
1889  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1890  if (!(PacketAlertCheck(p2, 2))) {
1891  printf("sig 2 didn't match: ");
1892  goto end;
1893  }
1894 
1895  result = 1;
1896 end:
1899  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1901  SCFree(p1);
1902  SCFree(p2);
1903  return result;
1904 }
1905 
1906 /* Similar to SigTest26, but with different packet */
1907 static int SigTest26TCPV4AndIPV4Keyword(void)
1908 {
1909  /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1910  * TTL: 64 Flags: Don't Fragment
1911  */
1912  uint8_t raw_ipv4[] = {
1913  0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1914  0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1915  0xc0, 0xa8, 0xb0, 0x74};
1916 
1917  /* TCP: sport: 49517 dport: 445 Flags: SYN
1918  * Window size: 65535, checksum: 0x2009,
1919  * MTU: 1460, Window scale: 4, TSACK permitted,
1920  * 24 bytes of options, no payload.
1921  */
1922  uint8_t valid_raw_tcp[] = {
1923  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1924  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1925  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1926  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1927  0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1928  0x04, 0x02, 0x00, 0x00};
1929 
1930  uint8_t invalid_raw_tcp[] = {
1931  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1932  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1933  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1934  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1935  0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1936  0x04, 0x02, 0x00, 0x00};
1937 
1938  Packet *p1 = PacketGetFromAlloc();
1939  if (unlikely(p1 == NULL))
1940  return 0;
1941 
1942  Packet *p2 = PacketGetFromAlloc();
1943  if (unlikely(p2 == NULL)) {
1944  SCFree(p1);
1945  return 0;
1946  }
1947 
1948  ThreadVars th_v;
1949  DetectEngineThreadCtx *det_ctx = NULL;
1950  int result = 0;
1951 
1952  memset(&th_v, 0, sizeof(ThreadVars));
1953 
1954  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1955  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1956 
1957  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1958  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1959 
1961  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
1962  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
1963  p1->src.family = AF_INET;
1964  p1->dst.family = AF_INET;
1965  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1966  p1->payload_len = 0;
1967  p1->proto = IPPROTO_TCP;
1968 
1970  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
1971  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
1972  p2->src.family = AF_INET;
1973  p2->dst.family = AF_INET;
1974  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1975  p2->payload_len = 0;
1976  p2->proto = IPPROTO_TCP;
1977 
1979  if (de_ctx == NULL) {
1980  goto end;
1981  }
1982 
1983  de_ctx->flags |= DE_QUIET;
1984 
1986  "alert ip any any -> any any "
1987  "(tcpv4-csum:valid; "
1988  "ipv4-csum:valid; "
1989  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1990  if (de_ctx->sig_list == NULL) {
1991  goto end;
1992  }
1993 
1995  "alert ip any any -> any any "
1996  "(tcpv4-csum:invalid; "
1997  "ipv4-csum:valid; "
1998  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1999  "sid:2;)");
2000  if (de_ctx->sig_list->next == NULL) {
2001  goto end;
2002  }
2003 
2005  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2006 
2007  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2008  if (!(PacketAlertCheck(p1, 1))) {
2009  printf("sig 1 didn't match: ");
2010  goto end;
2011  }
2012 
2013  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2014  if (!(PacketAlertCheck(p2, 2))) {
2015  printf("sig 2 didn't match: ");
2016  goto end;
2017  }
2018 
2019  result = 1;
2020 end:
2023  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2025  SCFree(p1);
2026  SCFree(p2);
2027  return result;
2028 }
2029 
2030 static int SigTest27NegativeTCPV4Keyword(void)
2031 {
2032  uint8_t raw_ipv4[] = {
2033  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2034  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2035  0xc0, 0xa8, 0x01, 0x03};
2036 
2037  uint8_t valid_raw_tcp[] = {
2038  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2039  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2040  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2041  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2042  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
2043 
2044  uint8_t invalid_raw_tcp[] = {
2045  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2046  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2047  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2048  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2049  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2050 
2051  Packet *p1 = PacketGetFromAlloc();
2052  if (unlikely(p1 == NULL))
2053  return 0;
2054  Packet *p2 = PacketGetFromAlloc();
2055  if (unlikely(p2 == NULL)) {
2056  SCFree(p1);
2057  return 0;
2058  }
2059  ThreadVars th_v;
2060  DetectEngineThreadCtx *det_ctx = NULL;
2061  int result = 0;
2062 
2063  memset(&th_v, 0, sizeof(ThreadVars));
2064 
2065  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
2066  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
2067 
2068  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
2069  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
2070 
2072  p1->ip4h = (IPV4Hdr *)GET_PKT_DATA(p1);
2073  p1->tcph = (TCPHdr *)(GET_PKT_DATA(p1) + sizeof(raw_ipv4));
2074  p1->src.family = AF_INET;
2075  p1->dst.family = AF_INET;
2076  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
2077  p1->payload_len = 20;
2078  p1->proto = IPPROTO_TCP;
2079 
2081  p2->ip4h = (IPV4Hdr *)GET_PKT_DATA(p2);
2082  p2->tcph = (TCPHdr *)(GET_PKT_DATA(p2) + sizeof(raw_ipv4));
2083  p2->src.family = AF_INET;
2084  p2->dst.family = AF_INET;
2085  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
2086  p2->payload_len = 20;
2087  p2->proto = IPPROTO_TCP;
2088 
2090  if (de_ctx == NULL) {
2091  goto end;
2092  }
2093 
2094  de_ctx->flags |= DE_QUIET;
2095 
2097  "alert tcp any any -> any any "
2098  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2099  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2100  if (de_ctx->sig_list == NULL) {
2101  goto end;
2102  }
2103 
2105  "alert tcp any any -> any any "
2106  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2107  "msg:\"tcpv4-csum keyword check(2)\"; "
2108  "sid:2;)");
2109  if (de_ctx->sig_list->next == NULL) {
2110  goto end;
2111  }
2112 
2114  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2115 
2116  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2117  if (!PacketAlertCheck(p1, 1)) {
2118  printf("sig 1 didn't match on p1: ");
2119  goto end;
2120  }
2121 
2122  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2123  if (PacketAlertCheck(p2, 2)) {
2124  printf("sig 2 matched on p2: ");
2125  goto end;
2126  }
2127 
2128  result = 1;
2129 end:
2132  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2134  SCFree(p1);
2135  SCFree(p2);
2136  return result;
2137 }
2138 
2139 static int SigTest28TCPV6Keyword(void)
2140 {
2141  static uint8_t valid_raw_ipv6[] = {
2142  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2143  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2144 
2145  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2146  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2147  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2148  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2149  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2150 
2151  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2152  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2153  0xf2, 0xf1, 0x00, 0x00,
2154 
2155  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2156  0x00, 0x01, 0x69, 0x27};
2157 
2158  static uint8_t invalid_raw_ipv6[] = {
2159  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2160  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2161 
2162  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2163  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2164  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2165  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2166  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2167 
2168  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2169  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2170  0xc2, 0xf1, 0x00, 0x00,
2171 
2172  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2173  0x00, 0x01, 0x69, 0x28};
2174 
2175  Packet *p1 = PacketGetFromAlloc();
2176  if (unlikely(p1 == NULL))
2177  return 0;
2178  Packet *p2 = PacketGetFromAlloc();
2179  if (unlikely(p2 == NULL)) {
2180  SCFree(p1);
2181  return 0;
2182  }
2183  ThreadVars th_v;
2184  DetectEngineThreadCtx *det_ctx = NULL;
2185  int result = 0;
2186 
2187  memset(&th_v, 0, sizeof(ThreadVars));
2188 
2190  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2191  p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2192  p1->src.family = AF_INET;
2193  p1->dst.family = AF_INET;
2194  p1->payload = valid_raw_ipv6 + 54 + 20;
2195  p1->payload_len = 12;
2196  p1->proto = IPPROTO_TCP;
2197 
2198  if (TCP_GET_HLEN(p1) != 20) {
2199  BUG_ON(1);
2200  }
2201 
2203  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2204  p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2205  p2->src.family = AF_INET;
2206  p2->dst.family = AF_INET;
2207  p2->payload = invalid_raw_ipv6 + 54 + 20;;
2208  p2->payload_len = 12;
2209  p2->proto = IPPROTO_TCP;
2210 
2211  if (TCP_GET_HLEN(p2) != 20) {
2212  BUG_ON(1);
2213  }
2214 
2216  if (de_ctx == NULL) {
2217  goto end;
2218  }
2219 
2220  de_ctx->flags |= DE_QUIET;
2221 
2223  "alert tcp any any -> any any "
2224  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2225  "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2226  if (de_ctx->sig_list == NULL) {
2227  goto end;
2228  }
2229 
2231  "alert tcp any any -> any any "
2232  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2233  "msg:\"tcpv6-csum keyword check(1)\"; "
2234  "sid:2;)");
2235  if (de_ctx->sig_list->next == NULL) {
2236  goto end;
2237  }
2238 
2240  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2241 
2242  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2243  if (!(PacketAlertCheck(p1, 1))) {
2244  printf("sid 1 didn't match on p1: ");
2245  goto end;
2246  }
2247 
2248  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2249  if (!(PacketAlertCheck(p2, 2))) {
2250  printf("sid 2 didn't match on p2: ");
2251  goto end;
2252  }
2253 
2254  result = 1;
2255 end:
2258  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2260  SCFree(p1);
2261  SCFree(p2);
2262  return result;
2263 }
2264 
2265 static int SigTest29NegativeTCPV6Keyword(void)
2266 {
2267  static uint8_t valid_raw_ipv6[] = {
2268  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2269  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2270 
2271  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2272  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2273  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2274  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2275  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2276 
2277  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2278  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2279  0xf2, 0xf1, 0x00, 0x00,
2280 
2281  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2282  0x00, 0x01, 0x69, 0x27};
2283 
2284  static uint8_t invalid_raw_ipv6[] = {
2285  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2286  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2287 
2288  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2289  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2290  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2291  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2292  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2293 
2294  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2295  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2296  0xc2, 0xf1, 0x00, 0x00,
2297 
2298  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2299  0x00, 0x01, 0x69, 0x28};
2300 
2301  Packet *p1 = PacketGetFromAlloc();
2302  if (unlikely(p1 == NULL))
2303  return 0;
2304  Packet *p2 = PacketGetFromAlloc();
2305  if (unlikely(p2 == NULL)) {
2306  SCFree(p1);
2307  return 0;
2308  }
2309  ThreadVars th_v;
2310  DetectEngineThreadCtx *det_ctx = NULL;
2311  int result = 0;
2312 
2313  memset(&th_v, 0, sizeof(ThreadVars));
2314 
2316  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2317  p1->tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2318  p1->src.family = AF_INET;
2319  p1->dst.family = AF_INET;
2320  p1->payload = valid_raw_ipv6 + 54 + 20;
2321  p1->payload_len = 12;
2322  p1->proto = IPPROTO_TCP;
2323 
2324  if (TCP_GET_HLEN(p1) != 20) {
2325  BUG_ON(1);
2326  }
2327 
2329  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2330  p2->tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2331  p2->src.family = AF_INET;
2332  p2->dst.family = AF_INET;
2333  p2->payload = invalid_raw_ipv6 + 54 + 20;;
2334  p2->payload_len = 12;
2335  p2->proto = IPPROTO_TCP;
2336 
2337  if (TCP_GET_HLEN(p2) != 20) {
2338  BUG_ON(1);
2339  }
2340 
2342  if (de_ctx == NULL) {
2343  goto end;
2344  }
2345 
2346  de_ctx->flags |= DE_QUIET;
2347 
2349  "alert tcp any any -> any any "
2350  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2351  "msg:\"tcpv6-csum keyword check(1)\"; "
2352  "sid:1;)");
2353  if (de_ctx->sig_list == NULL) {
2354  goto end;
2355  }
2356 
2358  "alert tcp any any -> any any "
2359  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2360  "msg:\"tcpv6-csum keyword check(1)\"; "
2361  "sid:2;)");
2362  if (de_ctx->sig_list->next == NULL) {
2363  goto end;
2364  }
2365 
2367  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2368 
2369  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2370  if (PacketAlertCheck(p1, 1))
2371  goto end;
2372 
2373  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2374  if (PacketAlertCheck(p2, 2))
2375  goto end;
2376 
2377  result = 1;
2378 end:
2381  if (det_ctx != NULL)
2382  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2384  SCFree(p1);
2385  SCFree(p2);
2386  return result;
2387 }
2388 
2389 static int SigTest30UDPV4Keyword(void)
2390 {
2391  uint8_t raw_ipv4[] = {
2392  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2393  0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2394  0xc0, 0xa8, 0x01, 0x03};
2395 
2396  uint8_t valid_raw_udp[] = {
2397  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2398  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2399  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2400  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2401  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2402  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2403  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2404  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2405  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2406  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2407  0x67, 0x6c, 0x65, 0xc0, 0x26};
2408 
2409  uint8_t invalid_raw_udp[] = {
2410  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2411  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2412  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2413  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2414  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2415  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2416  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2417  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2418  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2419  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2420  0x67, 0x6c, 0x65, 0xc0, 0x27};
2421 
2422  Packet *p1 = PacketGetFromAlloc();
2423  FAIL_IF_NULL(p1);
2424  Packet *p2 = PacketGetFromAlloc();
2425  FAIL_IF_NULL(p2);
2426 
2427  ThreadVars th_v;
2428  DetectEngineThreadCtx *det_ctx = NULL;
2429 
2430  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2431  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2432 
2433  memset(&th_v, 0, sizeof(ThreadVars));
2434 
2436  p1->ip4h = (IPV4Hdr *)raw_ipv4;
2437  p1->udph = (UDPHdr *)valid_raw_udp;
2438  p1->src.family = AF_INET;
2439  p1->dst.family = AF_INET;
2440  p1->payload = buf;
2441  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2442  p1->proto = IPPROTO_UDP;
2443 
2445  p2->ip4h = (IPV4Hdr *)raw_ipv4;
2446  p2->udph = (UDPHdr *)invalid_raw_udp;
2447  p2->src.family = AF_INET;
2448  p2->dst.family = AF_INET;
2449  p2->payload = buf;
2450  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2451  p2->proto = IPPROTO_UDP;
2452 
2455 
2456  de_ctx->flags |= DE_QUIET;
2457 
2459  "alert udp any any -> any any "
2460  "(content:\"/one/\"; udpv4-csum:valid; "
2461  "msg:\"udpv4-csum keyword check(1)\"; "
2462  "sid:1;)");
2464 
2466  "alert udp any any -> any any "
2467  "(content:\"/one/\"; udpv4-csum:invalid; "
2468  "msg:\"udpv4-csum keyword check(1)\"; "
2469  "sid:2;)");
2471 
2473  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2474 
2475  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2476  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2477 
2478  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2479  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2480 
2483  if (det_ctx != NULL)
2484  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2486  SCFree(p1);
2487  SCFree(p2);
2488  PASS;
2489 }
2490 
2491 static int SigTest31NegativeUDPV4Keyword(void)
2492 {
2493  uint8_t raw_ipv4[] = {
2494  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2495  0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2496  0xc0, 0xa8, 0x01, 0x03};
2497 
2498  uint8_t valid_raw_udp[] = {
2499  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2500  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2501  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2502  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2503  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2504  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2505  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2506  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2507  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2508  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2509  0x67, 0x6c, 0x65, 0xc0, 0x26};
2510 
2511  uint8_t invalid_raw_udp[] = {
2512  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2513  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2514  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2515  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2516  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2517  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2518  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2519  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2520  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2521  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2522  0x67, 0x6c, 0x65, 0xc0, 0x27};
2523 
2524  Packet *p1 = PacketGetFromAlloc();
2525  if (unlikely(p1 == NULL))
2526  return 0;
2527  Packet *p2 = PacketGetFromAlloc();
2528  if (unlikely(p2 == NULL)) {
2529  SCFree(p1);
2530  return 0;
2531  }
2532  ThreadVars th_v;
2533  DetectEngineThreadCtx *det_ctx = NULL;
2534  int result = 1;
2535 
2536  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2537  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2538 
2539  memset(&th_v, 0, sizeof(ThreadVars));
2540 
2542  p1->ip4h = (IPV4Hdr *)raw_ipv4;
2543  p1->udph = (UDPHdr *)valid_raw_udp;
2544  p1->src.family = AF_INET;
2545  p1->dst.family = AF_INET;
2546  p1->payload = buf;
2547  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2548  p1->proto = IPPROTO_UDP;
2549 
2551  p2->ip4h = (IPV4Hdr *)raw_ipv4;
2552  p2->udph = (UDPHdr *)invalid_raw_udp;
2553  p2->src.family = AF_INET;
2554  p2->dst.family = AF_INET;
2555  p2->payload = buf;
2556  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2557  p2->proto = IPPROTO_UDP;
2558 
2560  if (de_ctx == NULL) {
2561  goto end;
2562  }
2563 
2564  de_ctx->flags |= DE_QUIET;
2565 
2567  "alert udp any any -> any any "
2568  "(content:\"/one/\"; udpv4-csum:invalid; "
2569  "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2570  if (de_ctx->sig_list == NULL) {
2571  result &= 0;
2572  goto end;
2573  }
2574 
2576  "alert udp any any -> any any "
2577  "(content:\"/one/\"; udpv4-csum:valid; "
2578  "msg:\"udpv4-csum keyword check(1)\"; "
2579  "sid:2;)");
2580  if (de_ctx->sig_list->next == NULL) {
2581  result &= 0;
2582  goto end;
2583  }
2584 
2586  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2587 
2588  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2589  if (PacketAlertCheck(p1, 1))
2590  result &= 0;
2591  else
2592  result &= 1;
2593 
2594  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2595  if (PacketAlertCheck(p2, 2)) {
2596  result &= 0;
2597  }
2598  else
2599  result &= 1;
2600 
2603  if (det_ctx != NULL)
2604  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2606 end:
2607  SCFree(p1);
2608  SCFree(p2);
2609  return result;
2610 }
2611 
2612 
2613 static int SigTest32UDPV6Keyword(void)
2614 {
2615  static uint8_t valid_raw_ipv6[] = {
2616  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2617  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2618  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2619  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2620  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2621  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2622  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2623  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2624  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2625  0x09, 0x00};
2626 
2627  static uint8_t invalid_raw_ipv6[] = {
2628  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2629  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2630  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2631  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2632  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2633  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2634  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2635  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2636  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2637  0x09, 0x01};
2638 
2639  Packet *p1 = PacketGetFromAlloc();
2640  FAIL_IF_NULL(p1);
2641  Packet *p2 = PacketGetFromAlloc();
2642  FAIL_IF_NULL(p2);
2643 
2644  ThreadVars th_v;
2645  DetectEngineThreadCtx *det_ctx = NULL;
2646 
2647  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2648  "\r\n\r\n";
2649 
2650  memset(&th_v, 0, sizeof(ThreadVars));
2651 
2653  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2654  p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2655  p1->src.family = AF_INET;
2656  p1->dst.family = AF_INET;
2657  p1->payload = buf;
2659  p1->proto = IPPROTO_UDP;
2660 
2662  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2663  p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2664  p2->src.family = AF_INET;
2665  p2->dst.family = AF_INET;
2666  p2->payload = buf;
2668  p2->proto = IPPROTO_UDP;
2669 
2672 
2673  de_ctx->flags |= DE_QUIET;
2674 
2676  "alert udp any any -> any any "
2677  "(content:\"/one/\"; udpv6-csum:valid; "
2678  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2680 
2682  "alert udp any any -> any any "
2683  "(content:\"/one/\"; udpv6-csum:invalid; "
2684  "msg:\"udpv6-csum keyword check(1)\"; "
2685  "sid:2;)");
2687 
2689  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2690 
2691  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2692  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2693 
2694  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2695  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2696 
2699  if (det_ctx != NULL)
2700  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2702 
2703  SCFree(p1);
2704  SCFree(p2);
2705  PASS;
2706 }
2707 
2708 static int SigTest33NegativeUDPV6Keyword(void)
2709 {
2710  static uint8_t valid_raw_ipv6[] = {
2711  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2712  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2713  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2714  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2715  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2716  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2717  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2718  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2719  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2720  0x09, 0x00};
2721 
2722  static uint8_t invalid_raw_ipv6[] = {
2723  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2724  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2725  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2726  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2727  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2728  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2729  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2730  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2731  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2732  0x09, 0x01};
2733 
2734  Packet *p1 = PacketGetFromAlloc();
2735  if (unlikely(p1 == NULL))
2736  return 0;
2737  Packet *p2 = PacketGetFromAlloc();
2738  if (unlikely(p2 == NULL)) {
2739  SCFree(p1);
2740  return 0;
2741  }
2742  ThreadVars th_v;
2743  DetectEngineThreadCtx *det_ctx = NULL;
2744  int result = 1;
2745 
2746  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2747  "\r\n\r\n";
2748 
2749  memset(&th_v, 0, sizeof(ThreadVars));
2750 
2752  p1->ip6h = (IPV6Hdr *)(valid_raw_ipv6 + 14);
2753  p1->udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2754  p1->src.family = AF_INET;
2755  p1->dst.family = AF_INET;
2756  p1->payload = buf;
2758  p1->proto = IPPROTO_UDP;
2759 
2761  p2->ip6h = (IPV6Hdr *)(invalid_raw_ipv6 + 14);
2762  p2->udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2763  p2->src.family = AF_INET;
2764  p2->dst.family = AF_INET;
2765  p2->payload = buf;
2767  p2->proto = IPPROTO_UDP;
2768 
2770  if (de_ctx == NULL) {
2771  goto end;
2772  }
2773 
2774  de_ctx->flags |= DE_QUIET;
2775 
2777  "alert udp any any -> any any "
2778  "(content:\"/one/\"; udpv6-csum:invalid; "
2779  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2780  if (de_ctx->sig_list == NULL) {
2781  result &= 0;
2782  goto end;
2783  }
2784 
2786  "alert udp any any -> any any "
2787  "(content:\"/one/\"; udpv6-csum:valid; "
2788  "msg:\"udpv6-csum keyword check(1)\"; "
2789  "sid:2;)");
2790  if (de_ctx->sig_list->next == NULL) {
2791  result &= 0;
2792  goto end;
2793  }
2794 
2796  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2797 
2798  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2799  if (PacketAlertCheck(p1, 1))
2800  result &= 0;
2801  else
2802  result &= 1;
2803 
2804  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2805  if (PacketAlertCheck(p2, 2))
2806  result &= 0;
2807  else
2808  result &= 1;
2809 
2812  if (det_ctx != NULL)
2813  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2815 end:
2816  SCFree(p1);
2817  SCFree(p2);
2818  return result;
2819 }
2820 
2821 static int SigTest34ICMPV4Keyword(void)
2822 {
2823  uint8_t valid_raw_ipv4[] = {
2824  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2825  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2826  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2827  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2828  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2829  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2830  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2831  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2832  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2833  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2834  0x34, 0x35, 0x36, 0x37};
2835 
2836  uint8_t invalid_raw_ipv4[] = {
2837  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2838  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2839  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2840  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2841  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2842  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2843  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2844  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2845  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2846  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2847  0x34, 0x35, 0x36, 0x38};
2848 
2849  Packet *p1 = PacketGetFromAlloc();
2850  if (unlikely(p1 == NULL))
2851  return 0;
2852  Packet *p2 = PacketGetFromAlloc();
2853  if (unlikely(p2 == NULL)) {
2854  SCFree(p1);
2855  return 0;
2856  }
2857  ThreadVars th_v;
2858  DetectEngineThreadCtx *det_ctx = NULL;
2859  int result = 1;
2860 
2861  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2862  "\r\n\r\n";
2863  uint16_t buflen = strlen((char *)buf);
2864 
2865  memset(&th_v, 0, sizeof(ThreadVars));
2866 
2868  p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
2869  p1->ip4h->ip_verhl = 69;
2870  p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
2871  p1->src.family = AF_INET;
2872  p1->dst.family = AF_INET;
2873  p1->payload = buf;
2874  p1->payload_len = buflen;
2875  p1->proto = IPPROTO_ICMP;
2876 
2878  p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
2879  p2->ip4h->ip_verhl = 69;
2880  p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
2881  p2->src.family = AF_INET;
2882  p2->dst.family = AF_INET;
2883  p2->payload = buf;
2884  p2->payload_len = buflen;
2885  p2->proto = IPPROTO_ICMP;
2886 
2888  if (de_ctx == NULL) {
2889  goto end;
2890  }
2891 
2892  de_ctx->flags |= DE_QUIET;
2893 
2895  "alert icmp any any -> any any "
2896  "(content:\"/one/\"; icmpv4-csum:valid; "
2897  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2898  if (de_ctx->sig_list == NULL) {
2899  result &= 0;
2900  goto end;
2901  }
2902 
2904  "alert icmp any any -> any any "
2905  "(content:\"/one/\"; icmpv4-csum:invalid; "
2906  "msg:\"icmpv4-csum keyword check(1)\"; "
2907  "sid:2;)");
2908  if (de_ctx->sig_list->next == NULL) {
2909  result = 0;
2910  goto end;
2911  }
2912 
2914  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2915 
2916  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2917  if (PacketAlertCheck(p1, 1))
2918  result &= 1;
2919  else
2920  result &= 0;
2921 
2922  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2923  if (PacketAlertCheck(p2, 2))
2924  result &= 1;
2925  else
2926  result &= 0;
2927 
2930  if (det_ctx != NULL)
2931  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2933 end:
2934  SCFree(p1);
2935  SCFree(p2);
2936  return result;
2937 }
2938 
2939 static int SigTest35NegativeICMPV4Keyword(void)
2940 {
2941  uint8_t valid_raw_ipv4[] = {
2942  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2943  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2944  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2945  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2946  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2947  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2948  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2949  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2950  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2951  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2952  0x34, 0x35, 0x36, 0x37};
2953 
2954  uint8_t invalid_raw_ipv4[] = {
2955  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2956  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2957  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2958  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2959  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2960  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2961  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2962  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2963  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2964  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2965  0x34, 0x35, 0x36, 0x38};
2966 
2967  Packet *p1 = PacketGetFromAlloc();
2968  if (unlikely(p1 == NULL))
2969  return 0;
2970  Packet *p2 = PacketGetFromAlloc();
2971  if (unlikely(p2 == NULL)) {
2972  SCFree(p1);
2973  return 0;
2974  }
2975  ThreadVars th_v;
2976  DetectEngineThreadCtx *det_ctx = NULL;
2977  int result = 1;
2978 
2979  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2980  "\r\n\r\n";
2981  uint16_t buflen = strlen((char *)buf);
2982 
2983  memset(&th_v, 0, sizeof(ThreadVars));
2984 
2986  p1->ip4h = (IPV4Hdr *)(valid_raw_ipv4);
2987  p1->ip4h->ip_verhl = 69;
2988  p1->icmpv4h = (ICMPV4Hdr *) (valid_raw_ipv4 + IPV4_GET_RAW_HLEN(p1->ip4h) * 4);
2989  p1->src.family = AF_INET;
2990  p1->dst.family = AF_INET;
2991  p1->payload = buf;
2992  p1->payload_len = buflen;
2993  p1->proto = IPPROTO_ICMP;
2994 
2996  p2->ip4h = (IPV4Hdr *)(invalid_raw_ipv4);
2997  p2->ip4h->ip_verhl = 69;
2998  p2->icmpv4h = (ICMPV4Hdr *) (invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(p2->ip4h) * 4);
2999  p2->src.family = AF_INET;
3000  p2->dst.family = AF_INET;
3001  p2->payload = buf;
3002  p2->payload_len = buflen;
3003  p2->proto = IPPROTO_ICMP;
3004 
3006  if (de_ctx == NULL) {
3007  goto end;
3008  }
3009 
3010  de_ctx->flags |= DE_QUIET;
3011 
3013  "alert icmp any any -> any any "
3014  "(content:\"/one/\"; icmpv4-csum:invalid; "
3015  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
3016  if (de_ctx->sig_list == NULL) {
3017  result &= 0;
3018  goto end;
3019  }
3020 
3022  "alert icmp any any -> any any "
3023  "(content:\"/one/\"; icmpv4-csum:valid; "
3024  "msg:\"icmpv4-csum keyword check(1)\"; "
3025  "sid:2;)");
3026  if (de_ctx->sig_list->next == NULL) {
3027  result &= 0;
3028  goto end;
3029  }
3030 
3032  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3033 
3034  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3035  if (PacketAlertCheck(p1, 1))
3036  result &= 0;
3037  else
3038  result &= 1;
3039 
3040  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3041  if (PacketAlertCheck(p2, 2))
3042  result &= 0;
3043  else {
3044  result &= 1;
3045  }
3046 
3049  if (det_ctx != NULL)
3050  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3052 end:
3053  SCFree(p1);
3054  SCFree(p2);
3055  return result;
3056 }
3057 
3058 static int SigTest38(void)
3059 {
3060  Packet *p1 = PacketGetFromAlloc();
3061  if (unlikely(p1 == NULL))
3062  return 0;
3063  ThreadVars th_v;
3064  DetectEngineThreadCtx *det_ctx = NULL;
3065  int result = 1;
3066  uint8_t raw_eth[] = {
3067  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3068  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3069  0x08, 0x00
3070  };
3071  uint8_t raw_ipv4[] = {
3072  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3073  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3074  0x7f, 0x00, 0x00, 0x01
3075  };
3076  uint8_t raw_tcp[] = {
3077  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3078  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3079  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3080  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3081  0x00, 0x22, 0xaa, 0x10
3082  };
3083  uint8_t buf[] = {
3084  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3085  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3086  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
3087  0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
3088  0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3089  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3090  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3091  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3092  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3093  0x0a
3094  };
3095  uint16_t ethlen = sizeof(raw_eth);
3096  uint16_t ipv4len = sizeof(raw_ipv4);
3097  uint16_t tcplen = sizeof(raw_tcp);
3098  uint16_t buflen = sizeof(buf);
3099 
3100  memset(&th_v, 0, sizeof(ThreadVars));
3101 
3102  /* Copy raw data into packet */
3103  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3104  SCFree(p1);
3105  return 1;
3106  }
3107  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3108  SCFree(p1);
3109  return 1;
3110  }
3111  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3112  SCFree(p1);
3113  return 1;
3114  }
3115  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3116  SCFree(p1);
3117  return 1;
3118  }
3119  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3120 
3122  p1->ethh = (EthernetHdr *)raw_eth;
3123  p1->ip4h = (IPV4Hdr *)raw_ipv4;
3124  p1->tcph = (TCPHdr *)raw_tcp;
3125  p1->src.family = AF_INET;
3126  p1->dst.family = AF_INET;
3127  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3128  p1->payload_len = buflen;
3129  p1->proto = IPPROTO_TCP;
3130 
3132  if (de_ctx == NULL) {
3133  goto end;
3134  }
3135  de_ctx->flags |= DE_QUIET;
3136 
3138  "alert tcp any any -> any any "
3139  "(content:\"LEN1|20|\"; "
3140  "byte_test:4,=,8,0; "
3141  "msg:\"byte_test keyword check(1)\"; sid:1;)");
3142  if (de_ctx->sig_list == NULL) {
3143  result &= 0;
3144  goto end;
3145  }
3147  "alert tcp any any -> any any "
3148  "(content:\"LEN1|20|\"; "
3149  "byte_test:4,=,8,5,relative,string,dec; "
3150  "msg:\"byte_test keyword check(2)\"; sid:2;)");
3151  if (de_ctx->sig_list->next == NULL) {
3152  result &= 0;
3153  goto end;
3154  }
3155 
3157  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3158 
3159  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3160  if (PacketAlertCheck(p1, 1)) {
3161  result = 1;
3162  } else {
3163  result = 0;
3164  printf("sid 1 didn't alert, but should have: ");
3165  goto cleanup;
3166  }
3167  if (PacketAlertCheck(p1, 2)) {
3168  result = 1;
3169  } else {
3170  result = 0;
3171  printf("sid 2 didn't alert, but should have: ");
3172  goto cleanup;
3173  }
3174 
3175 cleanup:
3178 
3179  if (det_ctx != NULL)
3180  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3182 
3183 end:
3184  SCFree(p1);
3185  return result;
3186 }
3187 
3188 static int SigTest39(void)
3189 {
3190  Packet *p1 = PacketGetFromAlloc();
3191  if (unlikely(p1 == NULL))
3192  return 0;
3193  ThreadVars th_v;
3194  DetectEngineThreadCtx *det_ctx = NULL;
3195  int result = 1;
3196  uint8_t raw_eth[] = {
3197  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3198  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3199  0x08, 0x00
3200  };
3201  uint8_t raw_ipv4[] = {
3202  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3203  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3204  0x7f, 0x00, 0x00, 0x01
3205  };
3206  uint8_t raw_tcp[] = {
3207  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3208  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3209  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3210  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3211  0x00, 0x22, 0xaa, 0x10
3212  };
3213  uint8_t buf[] = {
3214  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3215  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3216  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3217  0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3218  0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3219  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3220  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3221  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3222  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3223  0x0a
3224  };
3225  uint16_t ethlen = sizeof(raw_eth);
3226  uint16_t ipv4len = sizeof(raw_ipv4);
3227  uint16_t tcplen = sizeof(raw_tcp);
3228  uint16_t buflen = sizeof(buf);
3229 
3230  memset(&th_v, 0, sizeof(ThreadVars));
3231 
3232  /* Copy raw data into packet */
3233  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3234  SCFree(p1);
3235  return 1;
3236  }
3237  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3238  SCFree(p1);
3239  return 1;
3240  }
3241  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3242  SCFree(p1);
3243  return 1;
3244  }
3245  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3246  SCFree(p1);
3247  return 1;
3248  }
3249  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3250 
3252  p1->ethh = (EthernetHdr *)raw_eth;
3253  p1->ip4h = (IPV4Hdr *)raw_ipv4;
3254  p1->tcph = (TCPHdr *)raw_tcp;
3255  p1->src.family = AF_INET;
3256  p1->dst.family = AF_INET;
3257  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3258  p1->payload_len = buflen;
3259  p1->proto = IPPROTO_TCP;
3260 
3262  if (de_ctx == NULL) {
3263  goto end;
3264  }
3265  de_ctx->flags |= DE_QUIET;
3266 
3268  "alert tcp any any -> any any "
3269  "(content:\"LEN1|20|\"; "
3270  "byte_test:4,=,8,0; "
3271  "byte_jump:4,0; "
3272  "byte_test:6,=,0x4c454e312038,0,relative; "
3273  "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3274  if (de_ctx->sig_list == NULL) {
3275  result &= 0;
3276  goto end;
3277  }
3278  // XXX TODO
3280  "alert tcp any any -> any any "
3281  "(content:\"LEN1|20|\"; "
3282  "byte_test:4,=,8,4,relative,string,dec; "
3283  "byte_jump:4,4,relative,string,dec,post_offset 2; "
3284  "byte_test:4,=,0x4c454e32,0,relative; "
3285  "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3286  if (de_ctx->sig_list->next == NULL) {
3287  result &= 0;
3288  goto end;
3289  }
3290 
3292  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3293 
3294  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3295  if (PacketAlertCheck(p1, 1)) {
3296  result = 1;
3297  } else {
3298  result = 0;
3299  printf("sid 1 didn't alert, but should have: ");
3300  goto cleanup;
3301  }
3302  if (PacketAlertCheck(p1, 2)) {
3303  result = 1;
3304  } else {
3305  result = 0;
3306  printf("sid 2 didn't alert, but should have: ");
3307  goto cleanup;
3308  }
3309 
3310 cleanup:
3313  if (det_ctx != NULL)
3314  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3316 
3317 end:
3318  SCFree(p1);
3319  return result;
3320 }
3321 
3322 /**
3323  * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3324  * \brief expecting to match a size
3325  */
3326 
3327 static int SigTest36ContentAndIsdataatKeywords01 (void)
3328 {
3329  int result = 0;
3330 
3331  // Buid and decode the packet
3332 
3333  uint8_t raw_eth [] = {
3334  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3335  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3336  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3337  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3338  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3339  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3340  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3341  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3342  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3343  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3344  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3345  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3346  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3347  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3348  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3349  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3350  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3351  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3352  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3353  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3354  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3355  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3356  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3357  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3358  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3359  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3360  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3361  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3362  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3363  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3364 
3365  Packet *p = PacketGetFromAlloc();
3366  if (unlikely(p == NULL))
3367  return 0;
3369 
3370  ThreadVars th_v;
3371  DetectEngineThreadCtx *det_ctx = NULL;
3372 
3373  memset(&dtv, 0, sizeof(DecodeThreadVars));
3374  memset(&th_v, 0, sizeof(th_v));
3375 
3377  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3378 
3379 
3381  if (de_ctx == NULL) {
3382  goto end;
3383  }
3384 
3385  de_ctx->flags |= DE_QUIET;
3386 
3387  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3388  if (de_ctx->sig_list == NULL) {
3389  result = 0;
3390  goto end;
3391  }
3392 
3394  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3395 
3396  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3397  if (PacketAlertCheck(p, 101) == 0) {
3398  result = 0;
3399  goto end;
3400  } else {
3401  result=1;
3402  }
3403 
3406 
3407  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3409  PACKET_RECYCLE(p);
3410  FlowShutdown();
3411 
3412  SCFree(p);
3413  return result;
3414 
3415 end:
3416  if(de_ctx)
3417  {
3420  }
3421 
3422  if(det_ctx)
3423  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3424 
3425  //PatternMatchDestroy(mpm_ctx);
3426 
3427  if(de_ctx)
3429 
3430  if (p != NULL)
3431  PACKET_RECYCLE(p);
3432 
3433  FlowShutdown();
3434 
3435  SCFree(p);
3436  return result;
3437 }
3438 
3439 
3440 /**
3441  * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3442  * \brief not expecting to match a size
3443  */
3444 
3445 static int SigTest37ContentAndIsdataatKeywords02 (void)
3446 {
3447  int result = 0;
3448 
3449  // Buid and decode the packet
3450 
3451  uint8_t raw_eth [] = {
3452  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3453  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3454  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3455  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3456  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3457  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3458  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3459  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3460  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3461  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3462  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3463  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3464  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3465  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3466  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3467  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3468  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3469  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3470  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3471  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3472  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3473  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3474  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3475  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3476  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3477  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3478  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3479  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3480  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3481  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3482 
3483  Packet *p = PacketGetFromAlloc();
3484  if (unlikely(p == NULL))
3485  return 0;
3487 
3488  ThreadVars th_v;
3489  DetectEngineThreadCtx *det_ctx = NULL;
3490 
3491  memset(&dtv, 0, sizeof(DecodeThreadVars));
3492  memset(&th_v, 0, sizeof(th_v));
3493 
3495  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3496 
3497 
3499  if (de_ctx == NULL) {
3500  goto end;
3501  }
3502 
3503  de_ctx->flags |= DE_QUIET;
3504 
3505  Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3506  if (de_ctx->sig_list == NULL) {
3507  printf("sig parse failed: ");
3508  result = 0;
3509  goto end;
3510  }
3511 
3512  if (s->sm_lists[DETECT_SM_LIST_PMATCH]->type != DETECT_CONTENT) {
3513  printf("type not content: ");
3514  goto end;
3515  }
3517  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3518 
3519  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3520  if (PacketAlertCheck(p, 101) == 0) {
3521  result = 1;
3522  goto end;
3523  } else {
3524  printf("sig matched, but should not have: ");
3525  result=0;
3526  }
3527 
3530 
3531  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3533 
3534  PACKET_RECYCLE(p);
3535  FlowShutdown();
3536 
3537  SCFree(p);
3538  return result;
3539 
3540 end:
3541  if(de_ctx)
3542  {
3545  }
3546 
3547  if(det_ctx)
3548  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3549 
3550  if(de_ctx)
3552 
3553  if (p != NULL)
3554  PACKET_RECYCLE(p);
3555 
3556  FlowShutdown();
3557 
3558  SCFree(p);
3559  return result;
3560 }
3561 
3562 /**
3563  * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3564  * flag is set, we don't need to inspect the packet protocol header or its contents.
3565  */
3566 
3567 static int SigTest40NoPacketInspection01(void)
3568 {
3569 
3570  uint8_t *buf = (uint8_t *)
3571  "220 (vsFTPd 2.0.5)\r\n";
3572  uint16_t buflen = strlen((char *)buf);
3573  Packet *p = PacketGetFromAlloc();
3574  TCPHdr tcphdr;
3575  if (unlikely(p == NULL))
3576  return 0;
3577  ThreadVars th_v;
3578  DetectEngineThreadCtx *det_ctx = NULL;
3579  PacketQueue pq;
3580  Flow f;
3581  int result = 0;
3582 
3583  memset(&th_v, 0, sizeof(th_v));
3584  memset(&pq, 0, sizeof(pq));
3585  memset(&f, 0, sizeof(f));
3586  memset(&tcphdr, 0, sizeof(tcphdr));
3587 
3588  p->src.family = AF_INET;
3589  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3590  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3591  p->dst.family = AF_INET;
3592  p->payload = buf;
3593  p->payload_len = buflen;
3594  p->proto = IPPROTO_TCP;
3595  p->dp = 34260;
3596  p->sp = 21;
3599  p->tcph = &tcphdr;
3600  p->flow = &f;
3601 
3602  FLOW_INITIALIZE(&f);
3603 
3605  if (de_ctx == NULL) {
3606  goto end;
3607  }
3608 
3609  de_ctx->flags |= DE_QUIET;
3610 
3611  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3612  if (de_ctx->sig_list == NULL) {
3613  result = 0;
3614  goto end;
3615  }
3616 
3618  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3619  det_ctx->de_ctx = de_ctx;
3620 
3621  Detect(&th_v, p, det_ctx);
3622  if (PacketAlertCheck(p, 2))
3623  result = 0;
3624  else
3625  result = 1;
3626 
3629  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3630  //PatternMatchDestroy(mpm_ctx);
3632 end:
3633  SCFree(p);
3634  return result;
3635 }
3636 
3637 /**
3638  * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3639  * flasg is set, we don't need to inspect the packet contents.
3640  */
3641 
3642 static int SigTest40NoPayloadInspection02(void)
3643 {
3644 
3645  uint8_t *buf = (uint8_t *)
3646  "220 (vsFTPd 2.0.5)\r\n";
3647  uint16_t buflen = strlen((char *)buf);
3648  ThreadVars th_v;
3649  memset(&th_v, 0, sizeof(th_v));
3650 
3651  Packet *p = PacketGetFromAlloc();
3652  FAIL_IF_NULL(p);
3653 
3654  p->src.family = AF_INET;
3655  p->dst.family = AF_INET;
3656  p->payload = buf;
3657  p->payload_len = buflen;
3658  p->proto = IPPROTO_TCP;
3660 
3661  DetectEngineThreadCtx *det_ctx = NULL;
3664  de_ctx->flags |= DE_QUIET;
3665 
3667  "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3668  FAIL_IF_NULL(s);
3669 
3671  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3672 
3673  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3674 
3675  FAIL_IF(PacketAlertCheck(p, 1));
3676 
3677  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3679  SCFree(p);
3680  PASS;
3681 }
3682 
3683 static int SigTestMemory01 (void)
3684 {
3685  uint8_t *buf = (uint8_t *)
3686  "GET /one/ HTTP/1.1\r\n"
3687  "Host: one.example.org\r\n"
3688  "\r\n\r\n"
3689  "GET /two/ HTTP/1.1\r\n"
3690  "Host: two.example.org\r\n"
3691  "\r\n\r\n";
3692  uint16_t buflen = strlen((char *)buf);
3693  Packet *p = PacketGetFromAlloc();
3694  if (unlikely(p == NULL))
3695  return 0;
3696  ThreadVars th_v;
3697  DetectEngineThreadCtx *det_ctx = NULL;
3698  int result = 0;
3699 
3700  memset(&th_v, 0, sizeof(th_v));
3701  p->src.family = AF_INET;
3702  p->dst.family = AF_INET;
3703  p->payload = buf;
3704  p->payload_len = buflen;
3705  p->proto = IPPROTO_TCP;
3706 
3708  if (de_ctx == NULL) {
3709  goto end;
3710  }
3711 
3712  de_ctx->flags |= DE_QUIET;
3713 
3714  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3715  if (de_ctx->sig_list == NULL) {
3716  result = 0;
3717  goto end;
3718  }
3719 
3721  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3722 
3724  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3726 
3727  result = 1;
3728 end:
3729  SCFree(p);
3730  return result;
3731 }
3732 
3733 static int SigTestMemory02 (void)
3734 {
3735  ThreadVars th_v;
3736  int result = 0;
3737 
3738  memset(&th_v, 0, sizeof(th_v));
3739 
3741  if (de_ctx == NULL) {
3742  goto end;
3743  }
3744  de_ctx->flags |= DE_QUIET;
3745 
3746  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3747  if (de_ctx->sig_list == NULL) {
3748  result = 0;
3749  goto end;
3750  }
3751  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3752  if (de_ctx->sig_list->next == NULL) {
3753  result = 0;
3754  goto end;
3755  }
3756 
3758 
3761 
3762  result = 1;
3763 end:
3764  return result;
3765 }
3766 
3767 static int SigTestMemory03 (void)
3768 {
3769  ThreadVars th_v;
3770  int result = 0;
3771 
3772  memset(&th_v, 0, sizeof(th_v));
3773 
3775  if (de_ctx == NULL) {
3776  goto end;
3777  }
3778  de_ctx->flags |= DE_QUIET;
3779 
3780  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3781  if (de_ctx->sig_list == NULL) {
3782  result = 0;
3783  goto end;
3784  }
3785  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3786  if (de_ctx->sig_list->next == NULL) {
3787  result = 0;
3788  goto end;
3789  }
3790  de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3791  if (de_ctx->sig_list->next->next == NULL) {
3792  result = 0;
3793  goto end;
3794  }
3795 
3797 
3800 
3801  result = 1;
3802 end:
3803  return result;
3804 }
3805 
3806 static int SigTestContent01 (void)
3807 {
3808  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3809  uint16_t buflen = strlen((char *)buf);
3810  ThreadVars th_v;
3811  DetectEngineThreadCtx *det_ctx = NULL;
3812  int result = 0;
3813 
3814  memset(&th_v, 0, sizeof(th_v));
3815 
3816  Packet *p = NULL;
3817  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3818 
3820  if (de_ctx == NULL) {
3821  goto end;
3822  }
3823  de_ctx->flags |= DE_QUIET;
3824 
3825  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3826  if (de_ctx->sig_list == NULL) {
3827  result = 0;
3828  goto end;
3829  }
3830 
3832  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3833 
3834  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3835  if (PacketAlertCheck(p, 1))
3836  result = 1;
3837  else
3838  printf("sig 1 didn't match: ");
3839 
3842 
3843  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3845 end:
3846  UTHFreePackets(&p, 1);
3847  return result;
3848 }
3849 
3850 static int SigTestContent02 (void)
3851 {
3852  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3853  uint16_t buflen = strlen((char *)buf);
3854  ThreadVars th_v;
3855  DetectEngineThreadCtx *det_ctx = NULL;
3856  int result = 0;
3857 
3858  memset(&th_v, 0, sizeof(th_v));
3859  Packet *p = NULL;
3860  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3861 
3863  if (de_ctx == NULL) {
3864  goto end;
3865  }
3866  de_ctx->flags |= DE_QUIET;
3867 
3868  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3869  if (de_ctx->sig_list == NULL) {
3870  result = 0;
3871  goto end;
3872  }
3873 
3874  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3875  if (de_ctx->sig_list->next == NULL) {
3876  result = 0;
3877  goto end;
3878  }
3879 
3881  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3882 
3883  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3884  if (PacketAlertCheck(p, 1)) {
3885  if (PacketAlertCheck(p, 2)) {
3886  result = 1;
3887  } else
3888  printf("sig 2 didn't match: ");
3889  }
3890  else
3891  printf("sig 1 didn't match: ");
3892 
3895 
3896  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3898 end:
3899  UTHFreePackets(&p, 1);
3900  return result;
3901 }
3902 
3903 static int SigTestContent03 (void)
3904 {
3905  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3906  uint16_t buflen = strlen((char *)buf);
3907  ThreadVars th_v;
3908  DetectEngineThreadCtx *det_ctx = NULL;
3909  int result = 0;
3910 
3911  memset(&th_v, 0, sizeof(th_v));
3912  Packet *p = NULL;
3913  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3914 
3916  if (de_ctx == NULL) {
3917  goto end;
3918  }
3919 
3920  de_ctx->flags |= DE_QUIET;
3921 
3922  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3923  if (de_ctx->sig_list == NULL) {
3924  result = 0;
3925  goto end;
3926  }
3927 
3929  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3930 
3931  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3932  if (PacketAlertCheck(p, 1))
3933  result = 1;
3934  else
3935  printf("sig 1 didn't match: ");
3936 
3939 
3940  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3942 end:
3943  UTHFreePackets(&p, 1);
3944  return result;
3945 }
3946 
3947 static int SigTestContent04 (void)
3948 {
3949  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3950  uint16_t buflen = strlen((char *)buf);
3951  ThreadVars th_v;
3952  DetectEngineThreadCtx *det_ctx = NULL;
3953  int result = 0;
3954 
3955  memset(&th_v, 0, sizeof(th_v));
3956 
3957  Packet *p = NULL;
3958  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3959 
3961  if (de_ctx == NULL) {
3962  goto end;
3963  }
3964 
3965  de_ctx->flags |= DE_QUIET;
3966 
3967  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3968  if (de_ctx->sig_list == NULL) {
3969  result = 0;
3970  goto end;
3971  }
3972 
3974  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3975 
3976  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3977  if (PacketAlertCheck(p, 1))
3978  result = 1;
3979  else
3980  printf("sig 1 didn't match: ");
3981 
3984 
3985  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3987 end:
3988  UTHFreePackets(&p, 1);
3989  return result;
3990 }
3991 
3992 /** \test sigs with patterns at the limit of the pm's size limit */
3993 static int SigTestContent05 (void)
3994 {
3995  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3996  uint16_t buflen = strlen((char *)buf);
3997  ThreadVars th_v;
3998  DetectEngineThreadCtx *det_ctx = NULL;
3999  int result = 0;
4000 
4001  memset(&th_v, 0, sizeof(th_v));
4002  Packet *p = NULL;
4003  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4004 
4006  if (de_ctx == NULL) {
4007  printf("de_ctx == NULL: ");
4008  goto end;
4009  }
4010 
4011  de_ctx->flags |= DE_QUIET;
4012 
4013  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4014  if (de_ctx->sig_list == NULL) {
4015  printf("sig1 parse failed: ");
4016  goto end;
4017  }
4018  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
4019  if (de_ctx->sig_list->next == NULL) {
4020  printf("sig2 parse failed: ");
4021  goto end;
4022  }
4023 
4025  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4026 
4027  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4028 
4029  if (PacketAlertCheck(p, 1)) {
4030  printf("sig 1 matched but shouldn't: ");
4031  goto end;
4032  }
4033 
4034  if (PacketAlertCheck(p, 2)) {
4035  printf("sig 2 matched but shouldn't: ");
4036  goto end;
4037  }
4038 
4039  result = 1;
4040 end:
4041  UTHFreePackets(&p, 1);
4044 
4045  if (det_ctx != NULL) {
4046  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4047  }
4048  if (de_ctx != NULL) {
4050  }
4051  return result;
4052 }
4053 
4054 static int SigTestContent06 (void)
4055 {
4056  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4057  uint16_t buflen = strlen((char *)buf);
4058  ThreadVars th_v;
4059  DetectEngineThreadCtx *det_ctx = NULL;
4060  int result = 0;
4061 
4062  memset(&th_v, 0, sizeof(th_v));
4063  Packet *p = NULL;
4064  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
4065 
4067  if (de_ctx == NULL) {
4068  goto end;
4069  }
4070 
4071  de_ctx->flags |= DE_QUIET;
4072 
4073  de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4074  if (de_ctx->sig_list == NULL) {
4075  result = 0;
4076  goto end;
4077  }
4078  de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
4079  if (de_ctx->sig_list->next == NULL) {
4080  result = 0;
4081  goto end;
4082  }
4083 
4085  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4086 
4087  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4088  if (PacketAlertCheck(p, 1)){
4089  //printf("sig 1 matched :");
4090  }else{
4091  printf("sig 1 didn't match: ");
4092  goto end;
4093  }
4094 
4095  if (PacketAlertCheck(p, 2)){
4096  result = 1;
4097  }else{
4098  printf("sig 2 didn't match: ");
4099  goto end;
4100  }
4101 
4104 
4105  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4107 end:
4108  UTHFreePackets(&p, 1);
4109  return result;
4110 }
4111 
4112 static int SigTestWithin01 (void)
4113 {
4115  ThreadVars th_v;
4116  int result = 0;
4117  Packet *p1 = NULL;
4118  Packet *p2 = NULL;
4119  Packet *p3 = NULL;
4120  Packet *p4 = NULL;
4121 
4122  uint8_t rawpkt1[] = {
4123  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4124  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4125  0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4126  0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4127  0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4128  0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4129  0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4130  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4131  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4132  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4133  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4134  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4135  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4136  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4137  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4138  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4139  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4140  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4141  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4142  0x00,0x00 }; /* end rawpkt1 */
4143 
4144  uint8_t rawpkt2[] = {
4145  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4146  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4147  0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4148  0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4149  0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4150  0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4151  0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4152  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4153  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4154  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4155  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4156  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4157  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4158  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4159  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4160  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4161  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4162  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4163  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4164  0x00,0x00 }; /* end rawpkt2 */
4165 
4166  uint8_t rawpkt3[] = {
4167  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4168  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4169  0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4170  0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4171  0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4172  0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4173  0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4174  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4175  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4176  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4177  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4178  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4179  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4180  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4181  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4182  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4183  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4184  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4185  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4186  0x00,0x00 }; /* end rawpkt3 */
4187 
4188  uint8_t rawpkt4[] = {
4189  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4190  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4191  0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4192  0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4193  0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4194  0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4195  0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4196  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4197  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4198  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4199  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4200  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4201  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4202  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4203  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4204  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4205  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4206  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4207  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4208  0x00,0x00 }; /* end rawpkt4 */
4209 
4210  memset(&dtv, 0, sizeof(DecodeThreadVars));
4211  memset(&th_v, 0, sizeof(th_v));
4212 
4213  DetectEngineThreadCtx *det_ctx = NULL;
4214 
4216 
4218  if (de_ctx == NULL) {
4219  goto end;
4220  }
4221 
4222  de_ctx->flags |= DE_QUIET;
4223 
4224  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4225  if (de_ctx->sig_list == NULL) {
4226  result = 0;
4227  goto end;
4228  }
4229 
4231  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4232 
4233  /* packet 1 */
4234  p1 = PacketGetFromAlloc();
4235  if (unlikely(p1 == NULL))
4236  return 0;
4237  DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1));
4238  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4239  if (!(PacketAlertCheck(p1, 556))) {
4240  printf("failed to match on packet 1: ");
4241  goto end;
4242  }
4243 
4244  /* packet 2 */
4245  p2 = PacketGetFromAlloc();
4246  if (unlikely(p2 == NULL))
4247  return 0;
4248  DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2));
4249  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4250  if (!(PacketAlertCheck(p2, 556))) {
4251  printf("failed to match on packet 2: ");
4252  goto end;
4253  }
4254 
4255  /* packet 3 */
4256  p3 = PacketGetFromAlloc();
4257  if (unlikely(p3 == NULL))
4258  return 0;
4259  DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3));
4260  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4261  if (!(PacketAlertCheck(p3, 556))) {
4262  printf("failed to match on packet 3: ");
4263  goto end;
4264  }
4265 
4266  /* packet 4 */
4267  p4 = PacketGetFromAlloc();
4268  if (unlikely(p4 == NULL))
4269  return 0;
4270  DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4));
4271  SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
4272  if (!(PacketAlertCheck(p4, 556))) {
4273  printf("failed to match on packet 4: ");
4274  goto end;
4275  }
4276 
4277  /* packet 5 */
4278  uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
4279  uint16_t p5buflen = strlen((char *)p5buf);
4280  Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
4281  SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
4282  if (!(PacketAlertCheck(p5, 556))) {
4283  printf("failed to match on packet 5: ");
4284  goto end;
4285  }
4286  UTHFreePackets(&p5, 1);
4287 
4288  result = 1;
4289 end:
4290  if (de_ctx != NULL) {
4293  }
4294 
4295  if (det_ctx != NULL)
4296  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4297 
4298  if (de_ctx != NULL)
4300 
4301  if (p1 != NULL) {
4302  PACKET_RECYCLE(p1);
4303  SCFree(p1);
4304  }
4305  if (p2 != NULL) {
4306  PACKET_RECYCLE(p2);
4307  SCFree(p2);
4308  }
4309  if (p3 != NULL) {
4310  PACKET_RECYCLE(p3);
4311  SCFree(p3);
4312  }
4313  if (p4 != NULL) {
4314  PACKET_RECYCLE(p4);
4315  SCFree(p4);
4316  }
4317  FlowShutdown();
4318  return result;
4319 }
4320 
4321 static int SigTestDepthOffset01 (void)
4322 {
4323  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4324  uint16_t buflen = strlen((char *)buf);
4325  Packet *p = NULL;
4326  ThreadVars th_v;
4327  DetectEngineThreadCtx *det_ctx = NULL;
4328  int result = 0;
4329 
4330  memset(&th_v, 0, sizeof(th_v));
4331 
4332  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
4333 
4335  if (de_ctx == NULL) {
4336  goto end;
4337  }
4338 
4339  de_ctx->flags |= DE_QUIET;
4340 
4341  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4342  if (de_ctx->sig_list == NULL) {
4343  result = 0;
4344  goto end;
4345  }
4346 
4348  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4349 
4350  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4351  if (PacketAlertCheck(p, 1))
4352  result = 1;
4353 
4356 
4357  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4359 end:
4360  UTHFreePackets(&p, 1);
4361  return result;
4362 }
4363 
4364 static int SigTestDetectAlertCounter(void)
4365 {
4366  Packet *p = NULL;
4367  ThreadVars tv;
4368  DetectEngineThreadCtx *det_ctx = NULL;
4369  memset(&tv, 0, sizeof(tv));
4370 
4373  de_ctx->flags |= DE_QUIET;
4374 
4375  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
4376  "content:\"boo\"; sid:1;)");
4377  FAIL_IF(de_ctx->sig_list == NULL);
4378 
4380  strlcpy(tv.name, "detect_test", sizeof(tv.name));
4381  DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4382  /* init counters */
4384 
4385  p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4386  Detect(&tv, p, det_ctx);
4388 
4389  Detect(&tv, p, det_ctx);
4391  UTHFreePackets(&p, 1);
4392 
4393  p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4394  Detect(&tv, p, det_ctx);
4396  UTHFreePackets(&p, 1);
4397 
4398  p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4399  Detect(&tv, p, det_ctx);
4401  UTHFreePackets(&p, 1);
4402 
4403  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4405  PASS;
4406 }
4407 
4408 /** \test test if the engine set flag to drop pkts of a flow that
4409  * triggered a drop action on IPS mode */
4410 static int SigTestDropFlow01(void)
4411 {
4412  Flow f;
4413  HtpState *http_state = NULL;
4414  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4415  "User-Agent: Mozilla/1.0\r\n"
4416  "Cookie: hellocatch\r\n\r\n";
4417  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4418  TcpSession ssn;
4419  Packet *p = NULL;
4420  Signature *s = NULL;
4421  ThreadVars tv;
4422  DetectEngineThreadCtx *det_ctx = NULL;
4424 
4425  memset(&tv, 0, sizeof(ThreadVars));
4426  memset(&f, 0, sizeof(Flow));
4427  memset(&ssn, 0, sizeof(TcpSession));
4428 
4429  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4430 
4431  FLOW_INITIALIZE(&f);
4432  f.protoctx = (void *)&ssn;
4433  f.proto = IPPROTO_TCP;
4434  f.flags |= FLOW_IPV4;
4435 
4436  p->flow = &f;
4440  f.alproto = ALPROTO_HTTP1;
4441 
4442  StreamTcpInitConfig(true);
4443 
4446  de_ctx->flags |= DE_QUIET;
4447 
4448  s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4449  "(msg:\"Test proto match\"; "
4450  "sid:1;)");
4451  FAIL_IF_NULL(s);
4452 
4454  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4455 
4456  int r = AppLayerParserParse(
4457  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4458  FAIL_IF_NOT(r == 0);
4459 
4460  http_state = f.alstate;
4461  FAIL_IF_NULL(http_state);
4462 
4463  /* do detect */
4464  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4465 
4467 
4469 
4471  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4473 
4474  StreamTcpFreeConfig(true);
4475  FLOW_DESTROY(&f);
4476 
4477  UTHFreePackets(&p, 1);
4478  PASS;
4479 }
4480 
4481 /** \test test if the engine set flag to drop pkts of a flow that
4482  * triggered a drop action on IPS mode */
4483 static int SigTestDropFlow02(void)
4484 {
4485  int result = 0;
4486  Flow f;
4487  HtpState *http_state = NULL;
4488  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4489  "User-Agent: Mozilla/1.0\r\n"
4490  "Cookie: hellocatch\r\n\r\n";
4491  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4492  TcpSession ssn;
4493  Packet *p = NULL;
4494  Signature *s = NULL;
4495  ThreadVars tv;
4496  DetectEngineThreadCtx *det_ctx = NULL;
4498 
4499  memset(&tv, 0, sizeof(ThreadVars));
4500  memset(&f, 0, sizeof(Flow));
4501  memset(&ssn, 0, sizeof(TcpSession));
4502 
4503  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4504 
4505  FLOW_INITIALIZE(&f);
4506  f.protoctx = (void *)&ssn;
4507  f.proto = IPPROTO_TCP;
4508  f.flags |= FLOW_IPV4;
4509 
4510  p->flow = &f;
4514  f.alproto = ALPROTO_HTTP1;
4515 
4516  StreamTcpInitConfig(true);
4517 
4519  if (de_ctx == NULL) {
4520  goto end;
4521  }
4522  de_ctx->flags |= DE_QUIET;
4523 
4524  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4525  "(msg:\"Test proto match\"; uricontent:\"one\";"
4526  "sid:1;)");
4527  if (s == NULL) {
4528  goto end;
4529  }
4530 
4532  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4533 
4534  FLOWLOCK_WRLOCK(&f);
4535  int r = AppLayerParserParse(
4536  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4537  if (r != 0) {
4538  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4539  FLOWLOCK_UNLOCK(&f);
4540  goto end;
4541  }
4542  FLOWLOCK_UNLOCK(&f);
4543 
4544  http_state = f.alstate;
4545  if (http_state == NULL) {
4546  printf("no http state: ");
4547  goto end;
4548  }
4549 
4550  /* do detect */
4551  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4552 
4553  if (!PacketAlertCheck(p, 1)) {
4554  printf("sig 1 didn't alert, but it should: ");
4555  goto end;
4556  }
4557 
4558  if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4559  printf("sig 1 alerted but flow was not flagged correctly: ");
4560  goto end;
4561  }
4562 
4563  /* Ok, now we know that the flag is set for app layer sigs
4564  * (ex: inspecting uricontent) */
4565 
4566  result = 1;
4567 
4568 end:
4569  if (alp_tctx != NULL)
4571  if (det_ctx != NULL)
4572  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4573  if (de_ctx != NULL)
4575  if (de_ctx != NULL)
4577 
4578  StreamTcpFreeConfig(true);
4579  FLOW_DESTROY(&f);
4580 
4581  UTHFreePackets(&p, 1);
4582  return result;
4583 }
4584 
4585 /** \test test if the engine set flag to drop pkts of a flow that
4586  * triggered a drop action on IPS mode, and it doesn't inspect
4587  * any other packet of the stream */
4588 static int SigTestDropFlow03(void)
4589 {
4590  int result = 0;
4591  Flow f;
4592  HtpState *http_state = NULL;
4593  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4594  "User-Agent: Mozilla/1.0\r\n"
4595  "Cookie: hellocatch\r\n\r\n";
4596  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4597 
4598  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4599  "User-Agent: Mozilla/1.0\r\n"
4600  "Cookie: hellocatch\r\n\r\n";
4601  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4602 
4603  /* Set the engine mode to IPS */
4604  EngineModeSetIPS();
4605 
4606  TcpSession ssn;
4607  Packet *p1 = NULL;
4608  Packet *p2 = NULL;
4609  Signature *s = NULL;
4610  ThreadVars tv;
4611  DetectEngineThreadCtx *det_ctx = NULL;
4613 
4614  memset(&tv, 0, sizeof(ThreadVars));
4615  memset(&f, 0, sizeof(Flow));
4616  memset(&ssn, 0, sizeof(TcpSession));
4617 
4618  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4619  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4620 
4621  FLOW_INITIALIZE(&f);
4622  f.protoctx = (void *)&ssn;
4623  f.proto = IPPROTO_TCP;
4624  f.flags |= FLOW_IPV4;
4625 
4626  p1->flow = &f;
4630 
4631  p2->flow = &f;
4635  f.alproto = ALPROTO_HTTP1;
4636 
4637  StreamTcpInitConfig(true);
4638 
4640  if (de_ctx == NULL) {
4641  goto end;
4642  }
4643 
4644  de_ctx->flags |= DE_QUIET;
4645 
4646  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4647  "(msg:\"Test proto match\"; uricontent:\"one\";"
4648  "sid:1;)");
4649  if (s == NULL) {
4650  goto end;
4651  }
4652 
4653  /* the no inspection flag should be set after the first sig gets triggered,
4654  * so the second packet should not match the next sig (because of no inspection) */
4655  s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4656  "(msg:\"Test proto match\"; uricontent:\"two\";"
4657  "sid:2;)");
4658  if (s == NULL) {
4659  goto end;
4660  }
4661 
4663  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4664 
4665  FLOWLOCK_WRLOCK(&f);
4666  int r = AppLayerParserParse(
4667  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4668  if (r != 0) {
4669  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4670  FLOWLOCK_UNLOCK(&f);
4671  goto end;
4672  }
4673  FLOWLOCK_UNLOCK(&f);
4674 
4675  http_state = f.alstate;
4676  if (http_state == NULL) {
4677  printf("no http state: ");
4678  goto end;
4679  }
4680 
4681  /* do detect */
4682  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4683 
4684  if (!PacketAlertCheck(p1, 1)) {
4685  printf("sig 1 didn't alert on p1, but it should: ");
4686  goto end;
4687  }
4688 
4689  if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4690  printf("sig 1 alerted but flow was not flagged correctly: ");
4691  goto end;
4692  }
4693 
4694  /* Second part.. Let's feed with another packet */
4695  if (StreamTcpCheckFlowDrops(p2) == 1) {
4696  SCLogDebug("This flow/stream triggered a drop rule");
4697  FlowSetNoPacketInspectionFlag(p2->flow);
4700  p2->action |= ACTION_DROP;
4701  /* return the segments to the pool */
4703  }
4704 
4705 
4706  if ( !(p2->flags & PKT_NOPACKET_INSPECTION)) {
4707  printf("The packet was not flagged with no-inspection: ");
4708  goto end;
4709  }
4710 
4711  FLOWLOCK_WRLOCK(&f);
4712  r = AppLayerParserParse(
4713  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4714  if (r != 0) {
4715  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4716  FLOWLOCK_UNLOCK(&f);
4717  goto end;
4718  }
4719  FLOWLOCK_UNLOCK(&f);
4720 
4721  /* do detect */
4722  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4723 
4724  if (PacketAlertCheck(p2, 1)) {
4725  printf("sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4726  goto end;
4727  }
4728 
4729  if (PacketAlertCheck(p2, 2)) {
4730  printf("sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4731  goto end;
4732  }
4733 
4734  if (!(PacketTestAction(p2, ACTION_DROP))) {
4735  printf("A \"drop\" action should be set from the flow to the packet: ");
4736  goto end;
4737  }
4738 
4739  result = 1;
4740 
4741 end:
4742  if (alp_tctx != NULL)
4744  if (det_ctx != NULL)
4745  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4746  if (de_ctx != NULL)
4748  if (de_ctx != NULL)
4750 
4751  StreamTcpFreeConfig(true);
4752  FLOW_DESTROY(&f);
4753 
4754  UTHFreePackets(&p1, 1);
4755  UTHFreePackets(&p2, 1);
4756 
4757  /* Restore mode to IDS */
4758  EngineModeSetIDS();
4759  return result;
4760 }
4761 
4762 /** \test test if the engine set flag to drop pkts of a flow that
4763  * triggered a drop action on IDS mode, but continue the inspection
4764  * as usual (instead of on IPS mode) */
4765 static int SigTestDropFlow04(void)
4766 {
4767  Flow f;
4768  HtpState *http_state = NULL;
4769  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4770  "User-Agent: Mozilla/1.0\r\n"
4771  "Cookie: hellocatch\r\n\r\n";
4772  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4773 
4774  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4775  "User-Agent: Mozilla/1.0\r\n"
4776  "Cookie: hellocatch\r\n\r\n";
4777  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4778 
4779  TcpSession ssn;
4780  Packet *p1 = NULL;
4781  Packet *p2 = NULL;
4782  Signature *s = NULL;
4783  ThreadVars tv;
4784  DetectEngineThreadCtx *det_ctx = NULL;
4786 
4787  memset(&tv, 0, sizeof(ThreadVars));
4788  memset(&f, 0, sizeof(Flow));
4789  memset(&ssn, 0, sizeof(TcpSession));
4790 
4791  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4792  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4793 
4794  FLOW_INITIALIZE(&f);
4795  f.protoctx = (void *)&ssn;
4796  f.proto = IPPROTO_TCP;
4797  f.flags |= FLOW_IPV4;
4798 
4799  p1->flow = &f;
4803 
4804  p2->flow = &f;
4808  f.alproto = ALPROTO_HTTP1;
4809 
4810  StreamTcpInitConfig(true);
4811 
4814  de_ctx->flags |= DE_QUIET;
4815 
4816  s = DetectEngineAppendSig(de_ctx, "drop tcp any any -> any 80 "
4817  "(msg:\"Test proto match\"; uricontent:\"one\";"
4818  "sid:1;)");
4819  FAIL_IF_NULL(s);
4820 
4821  /* the no inspection flag should be set after the first sig gets triggered,
4822  * so the second packet should not match the next sig (because of no inspection) */
4823  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any 80 "
4824  "(msg:\"Test proto match\"; uricontent:\"two\";"
4825  "sid:2;)");
4826  FAIL_IF_NULL(s);
4827 
4829  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4830 
4831  int r = AppLayerParserParse(
4832  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4833  FAIL_IF_NOT(r == 0);
4834 
4835  http_state = f.alstate;
4836  FAIL_IF_NULL(http_state);
4837 
4838  /* do detect */
4839  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4840 
4841  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
4842  FAIL_IF(PacketAlertCheck(p1, 2));
4843 
4845  FAIL_IF_NOT(PacketTestAction(p1, ACTION_DROP));
4846 
4848 
4849  r = AppLayerParserParse(
4850  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4851  FAIL_IF_NOT(r == 0);
4852 
4853  /* do detect */
4854  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4855 
4856  FAIL_IF(PacketAlertCheck(p2, 1));
4857  FAIL_IF(PacketAlertCheck(p2, 2));
4858  FAIL_IF_NOT(PacketTestAction(p2, ACTION_DROP));
4859 
4861  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4863 
4864  StreamTcpFreeConfig(true);
4865  FLOW_DESTROY(&f);
4866 
4867  UTHFreePackets(&p1, 1);
4868  UTHFreePackets(&p2, 1);
4869 
4870  PASS;
4871 }
4872 
4873 /** \test ICMP packet shouldn't be matching port based sig
4874  * Bug #611 */
4875 static int SigTestPorts01(void)
4876 {
4877  int result = 0;
4878  Packet *p1 = NULL;
4879  Signature *s = NULL;
4880  ThreadVars tv;
4881  DetectEngineThreadCtx *det_ctx = NULL;
4882  uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
4883 
4884  memset(&tv, 0, sizeof(ThreadVars));
4885 
4886  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
4887 
4889  if (de_ctx == NULL) {
4890  goto end;
4891  }
4892  de_ctx->flags |= DE_QUIET;
4893 
4894  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
4895  "(content:\"AAA\"; sid:1;)");
4896  if (s == NULL) {
4897  goto end;
4898  }
4899 
4901  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4902 
4903  /* do detect */
4904  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4905 
4906  if (PacketAlertCheck(p1, 1)) {
4907  printf("sig 1 alerted on p1, but it should not: ");
4908  goto end;
4909  }
4910 
4911  result = 1;
4912 end:
4913  if (det_ctx != NULL)
4914  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4915  if (de_ctx != NULL)
4917  if (de_ctx != NULL)
4919 
4920  UTHFreePackets(&p1, 1);
4921  return result;
4922 }
4923 
4924 /** \test almost identical patterns */
4925 static int SigTestBug01(void)
4926 {
4927  int result = 0;
4928  Packet *p1 = NULL;
4929  Signature *s = NULL;
4930  ThreadVars tv;
4931  DetectEngineThreadCtx *det_ctx = NULL;
4932  uint8_t payload[] = "!mymy";
4933 
4934  memset(&tv, 0, sizeof(ThreadVars));
4935 
4936  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
4937 
4939  if (de_ctx == NULL) {
4940  goto end;
4941  }
4942  de_ctx->flags |= DE_QUIET;
4943 
4944  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4945  "(content:\"Omymy\"; nocase; sid:1;)");
4946  if (s == NULL) {
4947  goto end;
4948  }
4949  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4950  "(content:\"!mymy\"; nocase; sid:2;)");
4951  if (s == NULL) {
4952  goto end;
4953  }
4954 
4956  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4957 
4958  /* do detect */
4959  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4960 
4961  if (PacketAlertCheck(p1, 1)) {
4962  printf("sig 1 alerted on p1, but it should not: ");
4963  goto end;
4964  }
4965  if (!(PacketAlertCheck(p1, 2))) {
4966  printf("sig 2 did not p1, but it should have: ");
4967  goto end;
4968  }
4969 
4970  result = 1;
4971 end:
4972  if (det_ctx != NULL)
4973  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4974  if (de_ctx != NULL)
4976  if (de_ctx != NULL)
4978 
4979  UTHFreePackets(&p1, 1);
4980  return result;
4981 }
4982 
4983 static const char *dummy_conf_string2 =
4984  "%YAML 1.1\n"
4985  "---\n"
4986  "vars:\n"
4987  "\n"
4988  " address-groups:\n"
4989  "\n"
4990  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4991  "\n"
4992  " EXTERNAL_NET: \"any\"\n"
4993  "\n"
4994  " port-groups:\n"
4995  "\n"
4996  " HTTP_PORTS: \"80:81,88\"\n"
4997  "\n";
4998 
4999 static int DetectAddressYamlParsing01 (void)
5000 {
5001  int result = 0;
5002 
5004  ConfInit();
5005  ConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
5006 
5008  if (de_ctx == NULL) {
5009  goto end;
5010  }
5011 
5012  de_ctx->flags |= DE_QUIET;
5013 
5014  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5015  goto end;
5016  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5017  goto end;
5018  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5019  goto end;
5020 
5021  result = 1;
5022 
5024 end:
5025  ConfDeInit();
5027  return result;
5028 }
5029 
5030 static const char *dummy_conf_string3 =
5031  "%YAML 1.1\n"
5032  "---\n"
5033  "vars:\n"
5034  "\n"
5035  " address-groups:\n"
5036  "\n"
5037  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5038  "\n"
5039  " EXTERNAL_NET: \"any\"\n"
5040  "\n"
5041  " port-groups:\n"
5042  "\n"
5043  " HTTP_PORTS: \"80:81,88\"\n"
5044  "\n";
5045 
5046 static int DetectAddressYamlParsing02 (void)
5047 {
5048  int result = 0;
5049 
5051  ConfInit();
5052  ConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
5053 
5055  if (de_ctx == NULL) {
5056  goto end;
5057  }
5058 
5059  de_ctx->flags |= DE_QUIET;
5060 
5061  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5062  goto end;
5063  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5064  goto end;
5065  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5066  goto end;
5067 
5068  result = 1;
5069 
5071 end:
5072  ConfDeInit();
5074  return result;
5075 }
5076 
5077 static const char *dummy_conf_string4 =
5078  "%YAML 1.1\n"
5079  "---\n"
5080  "vars:\n"
5081  "\n"
5082  " address-groups:\n"
5083  "\n"
5084  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
5085  "\n"
5086  " EXTERNAL_NET: \"any\"\n"
5087  "\n"
5088  " port-groups:\n"
5089  "\n"
5090  " HTTP_PORTS: \"80:81,88\"\n"
5091  "\n";
5092 
5093 static int DetectAddressYamlParsing03 (void)
5094 {
5095  int result = 0;
5096 
5098  ConfInit();
5099  ConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
5100 
5102  if (de_ctx == NULL) {
5103  goto end;
5104  }
5105 
5106  de_ctx->flags |= DE_QUIET;
5107 
5108  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5109  goto end;
5110  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5111  goto end;
5112  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5113  goto end;
5114 
5115  result = 1;
5116 
5118 end:
5119  ConfDeInit();
5121  return result;
5122 }
5123 
5124 static const char *dummy_conf_string5 =
5125  "%YAML 1.1\n"
5126  "---\n"
5127  "vars:\n"
5128  "\n"
5129  " address-groups:\n"
5130  "\n"
5131  " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
5132  "\n"
5133  " EXTERNAL_NET: \"any\"\n"
5134  "\n"
5135  " port-groups:\n"
5136  "\n"
5137  " HTTP_PORTS: \"80:81,88\"\n"
5138  "\n";
5139 
5140 /** \test bug #815 */
5141 static int DetectAddressYamlParsing04 (void)
5142 {
5143  int result = 0;
5144 
5146  ConfInit();
5147  ConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
5148 
5150  if (de_ctx == NULL) {
5151  goto end;
5152  }
5153 
5154  de_ctx->flags |= DE_QUIET;
5155 
5156  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
5157  goto end;
5158  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
5159  goto end;
5160  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
5161  goto end;
5162 
5163  result = 1;
5164 
5166 end:
5167  ConfDeInit();
5169  return result;
5170 }
5171 
5173 {
5176 
5177  UtRegisterTest("SigTest01", SigTest01);
5178  UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
5179  UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
5180  UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
5181  UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
5182  UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
5183  UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
5184  SigTest07);
5185  UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
5186  UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
5187  SigTest09);
5188  UtRegisterTest("SigTest10 -- long content match, longer than pkt",
5189  SigTest10);
5190  UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
5191  UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
5192  UtRegisterTest("SigTest13 -- content order matching, diff order",
5193  SigTest13);
5194  UtRegisterTest("SigTest14 -- content order matching, distance 0",
5195  SigTest14);
5196  UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
5197  UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
5198  UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
5199  UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
5200  UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
5201  UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
5202  UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
5203  UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
5204  UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
5205 
5206  UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
5207  UtRegisterTest("SigTest25NegativeIPV4Keyword",
5208  SigTest25NegativeIPV4Keyword);
5209 
5210  UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
5211  UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
5212  SigTest26TCPV4AndNegativeIPV4Keyword);
5213  UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
5214  SigTest26TCPV4AndIPV4Keyword);
5215  UtRegisterTest("SigTest27NegativeTCPV4Keyword",
5216  SigTest27NegativeTCPV4Keyword);
5217 
5218  UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
5219  UtRegisterTest("SigTest29NegativeTCPV6Keyword",
5220  SigTest29NegativeTCPV6Keyword);
5221 
5222  UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
5223  UtRegisterTest("SigTest31NegativeUDPV4Keyword",
5224  SigTest31NegativeUDPV4Keyword);
5225 
5226  UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
5227  UtRegisterTest("SigTest33NegativeUDPV6Keyword",
5228  SigTest33NegativeUDPV6Keyword);
5229 
5230  UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5231  UtRegisterTest("SigTest35NegativeICMPV4Keyword",
5232  SigTest35NegativeICMPV4Keyword);
5233  UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
5234  SigTest36ContentAndIsdataatKeywords01);
5235  UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
5236  SigTest37ContentAndIsdataatKeywords02);
5237 
5238  UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
5239 
5240  UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
5241 
5242  UtRegisterTest("SigTest40NoPacketInspection01",
5243  SigTest40NoPacketInspection01);
5244  UtRegisterTest("SigTest40NoPayloadInspection02",
5245  SigTest40NoPayloadInspection02);
5246 
5247  UtRegisterTest("SigTestMemory01", SigTestMemory01);
5248  UtRegisterTest("SigTestMemory02", SigTestMemory02);
5249  UtRegisterTest("SigTestMemory03", SigTestMemory03);
5250 
5251  UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
5252  UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5253  UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
5254  SigTestContent03);
5255  UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5256  SigTestContent04);
5257  UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
5258  UtRegisterTest("SigTestContent06 -- distance/within ip only",
5259  SigTestContent06);
5260 
5261  UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
5262  UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
5263 
5264  UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5265 
5266  UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
5267  UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
5268  UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
5269  UtRegisterTest("SigTestDropFlow04", SigTestDropFlow04);
5270 
5271  UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5272  UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5273  UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5274  UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
5275 
5276  UtRegisterTest("SigTestPorts01", SigTestPorts01);
5277  UtRegisterTest("SigTestBug01", SigTestBug01);
5278 
5280 }
5281 #endif /* UNITTESTS */
IPOnlyRegisterTests
void IPOnlyRegisterTests(void)
Definition: detect-engine-iponly.c:2451
Packet_::proto
uint8_t proto
Definition: decode.h:449
DecodeSetNoPacketInspectionFlag
#define DecodeSetNoPacketInspectionFlag(p)
Set the No packet inspection Flag for the packet.
Definition: decode.h:1051
PktVarGet
PktVar * PktVarGet(Packet *p, uint32_t id)
Definition: pkt-var.c:40
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:142
StreamTcpSessionPktFree
void StreamTcpSessionPktFree(Packet *p)
Function to return the stream segments back to the pool.
Definition: stream-tcp.c:275
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:90
DetectEngineContentInspectionRegisterTests
void DetectEngineContentInspectionRegisterTests(void)
Definition: detect-engine-content-inspection.c:273
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1175
PACKET_RESET_CHECKSUMS
#define PACKET_RESET_CHECKSUMS(p)
reset these to -1(indicates that the packet is fresh from the queue)
Definition: decode.h:752
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:295
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:60
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition: packet-queue.h:47
Flow_::proto
uint8_t proto
Definition: flow.h:375
Packet_::payload
uint8_t * payload
Definition: decode.h:567
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:137
Packet_::flags
uint32_t flags
Definition: decode.h:462
Packet_::action
uint8_t action
Definition: decode.h:571
SigRegisterTests
void SigRegisterTests(void)
Definition: detect.c:5172
Flow_
Flow data structure.
Definition: flow.h:353
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2115
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:132
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:811
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:821
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2433
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:253
StatsSetupPrivate
int StatsSetupPrivate(ThreadVars *tv)
Definition: counters.c:1191
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:320
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:295
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:68
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:337
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1790
UTHBuildPacketSrcDstPorts
Packet * UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, uint16_t sport, uint16_t dport)
UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying src and dst ports and defaulting...
Definition: util-unittest-helper.c:454
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1164
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:1722
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:42
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:458
Flow_::protoctx
void * protoctx
Definition: flow.h:451
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:98
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:568
HtpState_
Definition: app-layer-htp.h:247
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
FLOWLOCK_UNLOCK
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:270
IPV6_GET_PLEN
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:88
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
Signature_::next
struct Signature_ * next
Definition: detect.h:622
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:523
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:240
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:357
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
Definition: util-var-name.c:309
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition: detect-parse.c:4255
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
MPM_AC
@ MPM_AC
Definition: util-mpm.h:35
DetectEngineThreadCtx_
Definition: detect.h:1060
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:265
PktVar_::value
uint8_t * value
Definition: decode.h:337
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:20
FLOWLOCK_WRLOCK
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:267
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:236
Packet_::ethh
EthernetHdr * ethh
Definition: decode.h:518
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
Packet_::sp
Port sp
Definition: decode.h:434
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:95
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:260
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:487
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:281
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2016
StatsGetLocalCounterValue
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1237
IPV6Hdr_
Definition: decode-ipv6.h:32
Packet_
Definition: decode.h:427
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:235
Packet_::ip4h
IPV4Hdr * ip4h
Definition: decode.h:525
ConfCreateContextBackup
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:698
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1948
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:299
IPV4Hdr_
Definition: decode-ipv4.h:71
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2420
Packet_::flow
struct Flow_ * flow
Definition: decode.h:464
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3142
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:662
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1237
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:361
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3354
Packet_::tcph
TCPHdr * tcph
Definition: decode.h:547
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:667
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:30
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
ConfRestoreContextBackup
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:710
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:817
Packet_::icmpv4h
ICMPV4Hdr * icmpv4h
Definition: decode.h:555
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:113
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition: detect.h:1096
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:654
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:485
Flow_::alstate
void * alstate
Definition: flow.h:486
Flow_::flags
uint32_t flags
Definition: flow.h:431
PktVarFree
void PktVarFree(PktVar *pv)
Definition: pkt-var.c:111
Signature_
Signature container.
Definition: detect.h:548
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2394
PktVar_::value_len
uint16_t value_len
Definition: decode.h:335
TCP_GET_HLEN
#define TCP_GET_HLEN(p)
Definition: decode-tcp.h:111
Packet_::udph
UDPHdr * udph
Definition: decode.h:549
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1192
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
Address_::family
char family
Definition: decode.h:123
Packet_::dst
Address dst
Definition: decode.h:432
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:42
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1160
ConfDeInit
void ConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:721
PktVar_
Definition: decode.h:329
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:812
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:86
Packet_::ip6h
IPV6Hdr * ip6h
Definition: decode.h:527
TcpSession_
Definition: stream-tcp-private.h:260
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:460
Packet_::dp
Port dp
Definition: decode.h:442
IPV4Hdr_::ip_verhl
uint8_t ip_verhl
Definition: decode-ipv4.h:72
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:130
Packet_::src
Address src
Definition: decode.h:431
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:32
PACKET_RECYCLE
#define PACKET_RECYCLE(p)
Definition: decode.h:862
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1172
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468