suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #ifdef UNITTESTS
19 
20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../detect-engine-build.h"
25 #include "../pkt-var.h"
26 #include "../flow-util.h"
27 #include "../stream-tcp-reassemble.h"
28 #include "../util-unittest.h"
29 #include "../util-var-name.h"
30 #include "../util-unittest-helper.h"
31 
32 static const char *dummy_conf_string =
33  "%YAML 1.1\n"
34  "---\n"
35  "\n"
36  "default-log-dir: /var/log/suricata\n"
37  "\n"
38  "logging:\n"
39  "\n"
40  " default-log-level: debug\n"
41  "\n"
42  " default-format: \"<%t> - <%l>\"\n"
43  "\n"
44  " default-startup-message: Your IDS has started.\n"
45  "\n"
46  " default-output-filter:\n"
47  "\n"
48  " output:\n"
49  "\n"
50  " - interface: console\n"
51  " log-level: info\n"
52  "\n"
53  " - interface: file\n"
54  " filename: /var/log/suricata.log\n"
55  "\n"
56  " - interface: syslog\n"
57  " facility: local5\n"
58  " format: \"%l\"\n"
59  "\n"
60  "pfring:\n"
61  "\n"
62  " interface: eth0\n"
63  "\n"
64  " clusterid: 99\n"
65  "\n"
66  "vars:\n"
67  "\n"
68  " address-groups:\n"
69  "\n"
70  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
71  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
72  "\n"
73  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
74  "\n"
75  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
76  "\n"
77  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
78  "\n"
79  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
80  "\n"
81  " DNS_SERVERS: any\n"
82  "\n"
83  " TELNET_SERVERS: any\n"
84  "\n"
85  " AIM_SERVERS: any\n"
86  "\n"
87  " port-groups:\n"
88  "\n"
89  " HTTP_PORTS: \"80:81,88\"\n"
90  "\n"
91  " SHELLCODE_PORTS: 80\n"
92  "\n"
93  " ORACLE_PORTS: 1521\n"
94  "\n"
95  " SSH_PORTS: 22\n"
96  "\n";
97 
98 static int SigTest01 (void)
99 {
100  uint8_t *buf = (uint8_t *)
101  "GET /one/ HTTP/1.1\r\n"
102  "Host: one.example.org\r\n"
103  "\r\n\r\n"
104  "GET /two/ HTTP/1.1\r\n"
105  "Host: two.example.org\r\n"
106  "\r\n\r\n";
107  uint16_t buflen = strlen((char *)buf);
108  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
109  FAIL_IF_NULL(p);
110 
111  char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
112  FAIL_IF(UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0);
113 
114  UTHFreePacket(p);
115  PASS;
116 }
117 
118 static int SigTest02 (void)
119 {
120  uint8_t *buf = (uint8_t *)
121  "GET /one/ HTTP/1.1\r\n"
122  "Host: one.example.org\r\n"
123  "\r\n\r\n"
124  "GET /two/ HTTP/1.1\r\n"
125  "Host: two.example.org\r\n"
126  "\r\n\r\n";
127  uint16_t buflen = strlen((char *)buf);
128  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
129  char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
130  int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
131  UTHFreePacket(p);
132  return ret;
133 }
134 
135 static int SigTest03 (void)
136 {
137  uint8_t *buf = (uint8_t *)
138  "GET /one/ HTTP/1.1\r\n"
139  "Host: one.example.org\r\n"
140  "\r\n\r\n"
141  "GET /two/ HTTP/1.1\r\n"
142  "Host: two.example.org\r\n"
143  "\r\n\r\n";
144  uint16_t buflen = strlen((char *)buf);
145  ThreadVars th_v;
146  memset(&th_v, 0, sizeof(th_v));
147  StatsThreadInit(&th_v.stats);
148  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
149  FAIL_IF_NULL(p);
150  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
151  FAIL_IF_NULL(de_ctx);
152  de_ctx->flags |= DE_QUIET;
153  Signature *s = DetectEngineAppendSig(de_ctx,
154  "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: "
155  "one.example.org\"; offset:20; depth:39; sid:1;)");
156  FAIL_IF_NULL(s);
157  SigGroupBuild(de_ctx);
158  DetectEngineThreadCtx *det_ctx = NULL;
159  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
160  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
161  FAIL_IF_NOT(PacketAlertCheck(p, 1));
162  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
163  DetectEngineCtxFree(de_ctx);
164  UTHFreePackets(&p, 1);
165  StatsThreadCleanup(&th_v.stats);
166  PASS;
167 }
168 
169 static int SigTest04 (void)
170 {
171  uint8_t *buf = (uint8_t *)
172  "GET /one/ HTTP/1.1\r\n" /* 20*/
173  "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
174  "\r\n\r\n" /* 4 */
175  "GET /two/ HTTP/1.1\r\n" /* 20 */
176  "Host: two.example.org\r\n" /* 23 */
177  "\r\n\r\n"; /* 4 */
178  uint16_t buflen = strlen((char *)buf);
179  ThreadVars th_v;
180  memset(&th_v, 0, sizeof(th_v));
181  StatsThreadInit(&th_v.stats);
182  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
183  FAIL_IF_NULL(p);
184  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
185  FAIL_IF_NULL(de_ctx);
186  de_ctx->flags |= DE_QUIET;
187  Signature *s = DetectEngineAppendSig(de_ctx,
188  "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; "
189  "offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
190  FAIL_IF_NULL(s);
191  SigGroupBuild(de_ctx);
192  DetectEngineThreadCtx *det_ctx = NULL;
193  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
194  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
195  FAIL_IF_NOT(PacketAlertCheck(p, 1));
196  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
197  DetectEngineCtxFree(de_ctx);
198  UTHFreePackets(&p, 1);
199  StatsThreadCleanup(&th_v.stats);
200  PASS;
201 }
202 
203 static int SigTest05 (void)
204 {
205  uint8_t *buf = (uint8_t *)
206  "GET /one/ HTTP/1.1\r\n" /* 20 */
207  "Host: one.example.org\r\n" /* 23, 43 */
208  "\r\n\r\n" /* 4, 47 */
209  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
210  "Host: two.example.org\r\n" /* 23, 90 */
211  "\r\n\r\n"; /* 4, 94 */
212  uint16_t buflen = strlen((char *)buf);
213  ThreadVars th_v;
214  memset(&th_v, 0, sizeof(th_v));
215  StatsThreadInit(&th_v.stats);
216  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
217  FAIL_IF_NULL(p);
218  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
219  FAIL_IF_NULL(de_ctx);
220  de_ctx->flags |= DE_QUIET;
221  Signature *s = DetectEngineAppendSig(de_ctx,
222  "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; "
223  "offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
224  FAIL_IF_NULL(s);
225  SigGroupBuild(de_ctx);
226  DetectEngineThreadCtx *det_ctx = NULL;
227  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
228  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
229  FAIL_IF(PacketAlertCheck(p, 1));
230  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
231  DetectEngineCtxFree(de_ctx);
232  UTHFreePackets(&p, 1);
233  StatsThreadCleanup(&th_v.stats);
234  PASS;
235 }
236 
237 static int SigTest06 (void)
238 {
239  uint8_t *buf = (uint8_t *)
240  "GET /one/ HTTP/1.1\r\n" /* 20 */
241  "Host: one.example.org\r\n" /* 23, 43 */
242  "\r\n\r\n" /* 4, 47 */
243  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
244  "Host: two.example.org\r\n" /* 23, 90 */
245  "\r\n\r\n"; /* 4, 94 */
246  uint16_t buflen = strlen((char *)buf);
247  Packet *p = NULL;
248  ThreadVars th_v;
249  DetectEngineThreadCtx *det_ctx = NULL;
250  Flow f;
251  TcpSession ssn;
252  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
253  FAIL_IF_NULL(alp_tctx);
254 
255  memset(&th_v, 0, sizeof(th_v));
256  StatsThreadInit(&th_v.stats);
257  memset(&f, 0, sizeof(f));
258  memset(&ssn, 0, sizeof(ssn));
259 
260  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
261  FAIL_IF_NULL(p);
262 
263  FLOW_INITIALIZE(&f);
264  f.protoctx = (void *)&ssn;
265  f.flags |= FLOW_IPV4;
266  f.proto = IPPROTO_TCP;
267  p->flow = &f;
268  p->flowflags |= FLOW_PKT_TOSERVER;
269  p->flowflags |= FLOW_PKT_ESTABLISHED;
270  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
271  f.alproto = ALPROTO_HTTP1;
272 
273  StreamTcpInitConfig(true);
274 
275  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
276  FAIL_IF_NULL(de_ctx);
277  de_ctx->flags |= DE_QUIET;
278 
279  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
280  FAIL_IF_NULL(s);
281 
282  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
283  FAIL_IF_NULL(s);
284 
285  SigGroupBuild(de_ctx);
286  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
287  FAIL_IF_NULL(det_ctx);
288 
289  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
290  FAIL_IF(r != 0);
291 
292  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
293  FAIL_IF_NOT(PacketAlertCheck(p, 1));
294  FAIL_IF_NOT(PacketAlertCheck(p, 2));
295 
296  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
297  DetectEngineCtxFree(de_ctx);
298  AppLayerParserThreadCtxFree(alp_tctx);
299  UTHFreePackets(&p, 1);
300  StreamTcpFreeConfig(true);
301  FLOW_DESTROY(&f);
302  StatsThreadCleanup(&th_v.stats);
303  PASS;
304 }
305 
306 static int SigTest07 (void)
307 {
308  uint8_t *buf = (uint8_t *)
309  "GET /one/ HTTP/1.1\r\n" /* 20 */
310  "Host: one.example.org\r\n" /* 23, 43 */
311  "\r\n\r\n" /* 4, 47 */
312  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
313  "Host: two.example.org\r\n" /* 23, 90 */
314  "\r\n\r\n"; /* 4, 94 */
315  uint16_t buflen = strlen((char *)buf);
316  Packet *p = NULL;
317  ThreadVars th_v;
318  DetectEngineThreadCtx *det_ctx = NULL;
319  Flow f;
320  TcpSession ssn;
321  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
322 
323  memset(&th_v, 0, sizeof(th_v));
324  StatsThreadInit(&th_v.stats);
325  memset(&f, 0, sizeof(f));
326  memset(&ssn, 0, sizeof(ssn));
327  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
328  FAIL_IF_NULL(p);
329  FLOW_INITIALIZE(&f);
330  f.protoctx = (void *)&ssn;
331  f.flags |= FLOW_IPV4;
332  f.proto = IPPROTO_TCP;
333  p->flow = &f;
334  p->flowflags |= FLOW_PKT_TOSERVER;
335  p->flowflags |= FLOW_PKT_ESTABLISHED;
336  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
337  f.alproto = ALPROTO_HTTP1;
338 
339  StreamTcpInitConfig(true);
340 
341  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
342  FAIL_IF_NULL(de_ctx);
343  de_ctx->flags |= DE_QUIET;
344 
345  Signature *s = DetectEngineAppendSig(de_ctx,
346  "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; "
347  "pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
348  FAIL_IF_NULL(s);
349  s = DetectEngineAppendSig(de_ctx,
350  "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
351  FAIL_IF_NULL(s);
352 
353  SigGroupBuild(de_ctx);
354  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
355 
356  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
357  FAIL_IF(r != 0);
358  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
359  FAIL_IF_NOT(PacketAlertCheck(p, 1));
360  FAIL_IF(PacketAlertCheck(p, 2));
361 
362  AppLayerParserThreadCtxFree(alp_tctx);
363  UTHFreePackets(&p, 1);
364  StreamTcpFreeConfig(true);
365  FlowCleanupAppLayer(&f);
366  FLOW_DESTROY(&f);
367 
368  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
369  DetectEngineCtxFree(de_ctx);
370  StatsThreadCleanup(&th_v.stats);
371  PASS;
372 }
373 
374 static int SigTest08 (void)
375 {
376  uint8_t *buf = (uint8_t *)
377  "GET /one/ HTTP/1.0\r\n" /* 20 */
378  "Host: one.example.org\r\n" /* 23, 43 */
379  "\r\n\r\n" /* 4, 47 */
380  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
381  "Host: two.example.org\r\n" /* 23, 90 */
382  "\r\n\r\n"; /* 4, 94 */
383  uint16_t buflen = strlen((char *)buf);
384  ThreadVars th_v;
385  DetectEngineThreadCtx *det_ctx = NULL;
386  Flow f;
387  TcpSession ssn;
388  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
389 
390  memset(&f, 0, sizeof(Flow));
391  memset(&th_v, 0, sizeof(th_v));
392  StatsThreadInit(&th_v.stats);
393  memset(&ssn, 0, sizeof(ssn));
394 
395  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
396  FAIL_IF_NULL(p);
397 
398  FLOW_INITIALIZE(&f);
399  f.protoctx = (void *)&ssn;
400  f.flags |= FLOW_IPV4;
401  f.proto = IPPROTO_TCP;
402  p->flow = &f;
403  p->flowflags |= FLOW_PKT_TOSERVER;
404  p->flowflags |= FLOW_PKT_ESTABLISHED;
405  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
406  f.alproto = ALPROTO_HTTP1;
407 
408  StreamTcpInitConfig(true);
409 
410  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
411  FAIL_IF_NULL(de_ctx);
412  de_ctx->flags |= DE_QUIET;
413 
414  Signature *s = DetectEngineAppendSig(de_ctx,
415  "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; "
416  "depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
417  FAIL_IF_NULL(s);
418  s = DetectEngineAppendSig(de_ctx,
419  "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
420  FAIL_IF_NULL(s);
421 
422  SigGroupBuild(de_ctx);
423  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
424 
425  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
426  FAIL_IF(r != 0);
427 
428  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
429  FAIL_IF_NOT(PacketAlertCheck(p, 1));
430  FAIL_IF_NOT(PacketAlertCheck(p, 2));
431 
432  FLOW_DESTROY(&f);
433  UTHFreePackets(&p, 1);
434 
435  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
436  DetectEngineCtxFree(de_ctx);
437  AppLayerParserThreadCtxFree(alp_tctx);
438  StreamTcpFreeConfig(true);
439  StatsThreadCleanup(&th_v.stats);
440  PASS;
441 }
442 
443 static int SigTest09 (void)
444 {
445  uint8_t *buf = (uint8_t *)
446  "GET /one/ HTTP/1.0\r\n" /* 20 */
447  "Host: one.example.org\r\n" /* 23, 43 */
448  "\r\n\r\n" /* 4, 47 */
449  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
450  "Host: two.example.org\r\n" /* 23, 90 */
451  "\r\n\r\n"; /* 4, 94 */
452  uint16_t buflen = strlen((char *)buf);
453  ThreadVars th_v;
454  DetectEngineThreadCtx *det_ctx = NULL;
455  Flow f;
456  TcpSession ssn;
457  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
458 
459  memset(&th_v, 0, sizeof(th_v));
460  StatsThreadInit(&th_v.stats);
461  memset(&f, 0, sizeof(f));
462  memset(&ssn, 0, sizeof(ssn));
463 
464  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
465  FAIL_IF_NULL(p);
466 
467  FLOW_INITIALIZE(&f);
468  f.protoctx = (void *)&ssn;
469  f.flags |= FLOW_IPV4;
470  f.proto = IPPROTO_TCP;
471  p->flow = &f;
472  p->flowflags |= FLOW_PKT_TOSERVER;
473  p->flowflags |= FLOW_PKT_ESTABLISHED;
474  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
475  f.alproto = ALPROTO_HTTP1;
476 
477  StreamTcpInitConfig(true);
478 
479  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
480  FAIL_IF_NULL(de_ctx);
481  de_ctx->flags |= DE_QUIET;
482 
483  Signature *s = DetectEngineAppendSig(de_ctx,
484  "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; "
485  "depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
486  FAIL_IF_NULL(s);
487  s = DetectEngineAppendSig(de_ctx,
488  "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
489  FAIL_IF_NULL(s);
490 
491  SigGroupBuild(de_ctx);
492  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
493 
494  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
495  FAIL_IF(r != 0);
496 
497  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
498  FAIL_IF_NOT(PacketAlertCheck(p, 1));
499  FAIL_IF_NOT(PacketAlertCheck(p, 2));
500 
501  FlowCleanupAppLayer(&f);
502  FLOW_DESTROY(&f);
503  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
504  DetectEngineCtxFree(de_ctx);
505  AppLayerParserThreadCtxFree(alp_tctx);
506  UTHFreePackets(&p, 1);
507  StreamTcpFreeConfig(true);
508  StatsThreadCleanup(&th_v.stats);
509  PASS;
510 }
511 
512 static int SigTest10 (void)
513 {
514  uint8_t *buf = (uint8_t *)"ABC";
515  uint16_t buflen = strlen((char *)buf);
516  ThreadVars th_v;
517  DetectEngineThreadCtx *det_ctx = NULL;
518  Flow f;
519  TcpSession ssn;
520  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
521 
522  memset(&th_v, 0, sizeof(th_v));
523  StatsThreadInit(&th_v.stats);
524  memset(&f, 0, sizeof(f));
525  memset(&ssn, 0, sizeof(ssn));
526 
527  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
528  FAIL_IF_NULL(p);
529 
530  FLOW_INITIALIZE(&f);
531  f.protoctx = (void *)&ssn;
532  f.proto = IPPROTO_TCP;
533  f.flags |= FLOW_IPV4;
534  p->flow = &f;
535  p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
536  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
537  f.alproto = ALPROTO_HTTP1;
538 
539  StreamTcpInitConfig(true);
540 
541  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
542  FAIL_IF_NULL(de_ctx);
543  de_ctx->flags |= DE_QUIET;
544 
545  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"Long content "
546  "test (1)\"; content:\"ABCD\"; depth:4; sid:1;");
547  FAIL_IF_NULL(s);
548  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"Long content test "
549  "(2)\"; content:\"VWXYZ\"; sid:2;");
550  FAIL_IF_NULL(s);
551 
552  SigGroupBuild(de_ctx);
553  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
554 
555  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
556  FAIL_IF(r != 0);
557  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
558  FAIL_IF(PacketAlertCheck(p, 1));
559  FAIL_IF(PacketAlertCheck(p, 2));
560 
561  FlowCleanupAppLayer(&f);
562  FLOW_DESTROY(&f);
563  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
564  DetectEngineCtxFree(de_ctx);
565  AppLayerParserThreadCtxFree(alp_tctx);
566  UTHFreePackets(&p, 1);
567  StreamTcpFreeConfig(true);
568  StatsThreadCleanup(&th_v.stats);
569  PASS;
570 }
571 
572 static int SigTest11 (void)
573 {
574  uint8_t *buf = (uint8_t *)
575  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
576  uint16_t buflen = strlen((char *)buf);
577  Packet *p = NULL;
578  ThreadVars th_v;
579  DetectEngineThreadCtx *det_ctx = NULL;
580  Flow f;
581  TcpSession ssn;
582  int result = 0;
583 
584  memset(&th_v, 0, sizeof(th_v));
585  StatsThreadInit(&th_v.stats);
586  memset(&f, 0, sizeof(f));
587  memset(&ssn, 0, sizeof(ssn));
588 
589  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
590 
591  FLOW_INITIALIZE(&f);
592  f.protoctx = (void *)&ssn;
593  f.proto = IPPROTO_TCP;
594  f.flags |= FLOW_IPV4;
595  p->flow = &f;
596  p->flowflags |= FLOW_PKT_TOSERVER;
597  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
598  f.alproto = ALPROTO_HTTP1;
599 
600  StreamTcpInitConfig(true);
601 
602  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
603  if (de_ctx == NULL) {
604  goto end;
605  }
606 
607  de_ctx->flags |= DE_QUIET;
608 
609  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
610  if (de_ctx->sig_list == NULL) {
611  goto end;
612  }
613  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
614  if (de_ctx->sig_list->next == NULL) {
615  goto end;
616  }
617 
618  SigGroupBuild(de_ctx);
619  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
620 
621  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
622  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
623  result = 1;
624 
625 end:
626  FlowCleanupAppLayer(&f);
627  if (det_ctx)
628  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
629  DetectEngineCtxFree(de_ctx);
630  UTHFreePackets(&p, 1);
631  StreamTcpFreeConfig(true);
632  FLOW_DESTROY(&f);
633  StatsThreadCleanup(&th_v.stats);
634  return result;
635 }
636 
637 static int SigTest12 (void)
638 {
639  uint8_t *buf = (uint8_t *)
640  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
641  uint16_t buflen = strlen((char *)buf);
642  Packet *p = NULL;
643  ThreadVars th_v;
644  DetectEngineThreadCtx *det_ctx = NULL;
645  int result = 0;
646 
647  memset(&th_v, 0, sizeof(th_v));
648  StatsThreadInit(&th_v.stats);
649  Flow f;
650  memset(&f, 0, sizeof(Flow));
651 
652  FLOW_INITIALIZE(&f);
653 
654  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
655  p->flow = &f;
656  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
657 
658  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
659  if (de_ctx == NULL) {
660  goto end;
661  }
662 
663  de_ctx->flags |= DE_QUIET;
664 
665  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
666  if (de_ctx->sig_list == NULL) {
667  result = 0;
668  goto end;
669  }
670 
671  SigGroupBuild(de_ctx);
672  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
673 
674  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
675  if (PacketAlertCheck(p, 1))
676  result = 1;
677  else
678  result = 0;
679 
680  if (det_ctx != NULL)
681  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
682 end:
683  UTHFreePackets(&p, 1);
684  if (de_ctx != NULL) {
685  DetectEngineCtxFree(de_ctx);
686  }
687  FLOW_DESTROY(&f);
688  StatsThreadCleanup(&th_v.stats);
689  return result;
690 }
691 
692 static int SigTest13 (void)
693 {
694  uint8_t *buf = (uint8_t *)
695  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
696  uint16_t buflen = strlen((char *)buf);
697  Packet *p = NULL;
698  ThreadVars th_v;
699  DetectEngineThreadCtx *det_ctx = NULL;
700  int result = 0;
701 
702  memset(&th_v, 0, sizeof(th_v));
703  StatsThreadInit(&th_v.stats);
704  Flow f;
705  memset(&f, 0, sizeof(Flow));
706 
707  FLOW_INITIALIZE(&f);
708 
709  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
710  p->flow = &f;
711  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
712 
713  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
714  if (de_ctx == NULL) {
715  goto end;
716  }
717 
718  de_ctx->flags |= DE_QUIET;
719 
720  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
721  if (de_ctx->sig_list == NULL) {
722  result = 0;
723  goto end;
724  }
725 
726  SigGroupBuild(de_ctx);
727  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
728 
729  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
730  if (PacketAlertCheck(p, 1))
731  result = 1;
732  else
733  result = 0;
734 
735  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
736  DetectEngineCtxFree(de_ctx);
737 end:
738  UTHFreePackets(&p, 1);
739  FLOW_DESTROY(&f);
740  StatsThreadCleanup(&th_v.stats);
741  return result;
742 }
743 
744 static int SigTest14 (void)
745 {
746  uint8_t *buf = (uint8_t *)
747  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
748  uint16_t buflen = strlen((char *)buf);
749  Packet *p = NULL;
750  ThreadVars th_v;
751  DetectEngineThreadCtx *det_ctx = NULL;
752  int result = 0;
753 
754  memset(&th_v, 0, sizeof(th_v));
755  StatsThreadInit(&th_v.stats);
756 
757  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
758 
759  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
760  if (de_ctx == NULL) {
761  goto end;
762  }
763 
764  de_ctx->flags |= DE_QUIET;
765 
766  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
767  if (de_ctx->sig_list == NULL) {
768  result = 0;
769  goto end;
770  }
771 
772  SigGroupBuild(de_ctx);
773  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
774 
775  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
776  if (PacketAlertCheck(p, 1))
777  result = 0;
778  else
779  result = 1;
780 
781  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
782  DetectEngineCtxFree(de_ctx);
783 end:
784  UTHFreePackets(&p, 1);
785  StatsThreadCleanup(&th_v.stats);
786  return result;
787 }
788 
789 static int SigTest15 (void)
790 {
791  uint8_t *buf = (uint8_t *)
792  "CONNECT 213.92.8.7:31204 HTTP/1.1";
793  uint16_t buflen = strlen((char *)buf);
794  Packet *p = PacketGetFromAlloc();
795  if (unlikely(p == NULL))
796  return 0;
797  ThreadVars th_v;
798  DetectEngineThreadCtx *det_ctx = NULL;
799  int result = 0;
800 
801  memset(&th_v, 0, sizeof(th_v));
802  StatsThreadInit(&th_v.stats);
803  p->src.family = AF_INET;
804  p->dst.family = AF_INET;
805  p->payload = buf;
806  p->payload_len = buflen;
807  p->proto = IPPROTO_TCP;
808  p->dp = 80;
809 
810  SCConfCreateContextBackup();
811  SCConfInit();
812  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
813 
814  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
815  if (de_ctx == NULL) {
816  goto end;
817  }
818 
819  de_ctx->flags |= DE_QUIET;
820 
821  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
822  if (de_ctx->sig_list == NULL) {
823  result = 0;
824  goto end;
825  }
826 
827  SigGroupBuild(de_ctx);
828  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
829 
830  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
831  if (PacketAlertCheck(p, 2008284))
832  result = 0;
833  else
834  result = 1;
835 
836  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
837  DetectEngineCtxFree(de_ctx);
838 end:
839  SCConfDeInit();
840  SCConfRestoreContextBackup();
841  PacketFree(p);
842  StatsThreadCleanup(&th_v.stats);
843  return result;
844 }
845 
846 static int SigTest16 (void)
847 {
848  uint8_t *buf = (uint8_t *)
849  "CONNECT 213.92.8.7:31204 HTTP/1.1";
850  uint16_t buflen = strlen((char *)buf);
851  Packet *p = NULL;
852  ThreadVars th_v;
853  DetectEngineThreadCtx *det_ctx = NULL;
854  int result = 0;
855 
856  memset(&th_v, 0, sizeof(th_v));
857  StatsThreadInit(&th_v.stats);
858  memset(&p, 0, sizeof(p));
859 
860  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
861 
862  SCConfCreateContextBackup();
863  SCConfInit();
864  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
865 
866  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
867  if (de_ctx == NULL) {
868  goto end;
869  }
870 
871  de_ctx->flags |= DE_QUIET;
872 
873  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
874  if (de_ctx->sig_list == NULL) {
875  goto end;
876  }
877 
878  SigGroupBuild(de_ctx);
879  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
880 
881  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
882  if (PacketAlertCheck(p, 2008284))
883  result = 1;
884  else
885  printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
886 
887  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
888  DetectEngineCtxFree(de_ctx);
889 end:
890  SCConfDeInit();
891  SCConfRestoreContextBackup();
892  UTHFreePackets(&p, 1);
893  StatsThreadCleanup(&th_v.stats);
894  return result;
895 }
896 
897 static int SigTest17 (void)
898 {
899  uint8_t *buf = (uint8_t *)
900  "GET /one/ HTTP/1.1\r\n" /* 20 */
901  "Host: one.example.org\r\n" /* 23, 43 */
902  "\r\n\r\n" /* 4, 47 */
903  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
904  "Host: two.example.org\r\n" /* 23, 90 */
905  "\r\n\r\n"; /* 4, 94 */
906  uint16_t buflen = strlen((char *)buf);
907  Packet *p = NULL;
908  ThreadVars th_v;
909  DetectEngineThreadCtx *det_ctx = NULL;
910  memset(&th_v, 0, sizeof(th_v));
911  StatsThreadInit(&th_v.stats);
912 
913  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
914  FAIL_IF_NULL(p);
915 
916  SCConfCreateContextBackup();
917  SCConfInit();
918  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
919 
920  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
921  FAIL_IF_NULL(de_ctx);
922  de_ctx->flags |= DE_QUIET;
923 
924  Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
925  FAIL_IF_NULL(s);
926 
927  SigGroupBuild(de_ctx);
928  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
929  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
930 
931  uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
932  PktVar *pv_hn = PktVarGet(p, capid);
933  FAIL_IF_NULL(pv_hn);
934  FAIL_IF(pv_hn->value_len != 15);
935  FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
936 
937  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
938  DetectEngineCtxFree(de_ctx);
939  SCConfDeInit();
940  SCConfRestoreContextBackup();
941  UTHFreePackets(&p, 1);
942  StatsThreadCleanup(&th_v.stats);
943 
944  PASS;
945 }
946 
947 static int SigTest18 (void)
948 {
949  uint8_t *buf = (uint8_t *)
950  "220 (vsFTPd 2.0.5)\r\n";
951  uint16_t buflen = strlen((char *)buf);
952  Packet *p = PacketGetFromAlloc();
953  if (unlikely(p == NULL))
954  return 0;
955  ThreadVars th_v;
956  DetectEngineThreadCtx *det_ctx = NULL;
957  int result = 0;
958 
959  memset(&th_v, 0, sizeof(th_v));
960  StatsThreadInit(&th_v.stats);
961  p->src.family = AF_INET;
962  p->dst.family = AF_INET;
963  p->payload = buf;
964  p->payload_len = buflen;
965  p->proto = IPPROTO_TCP;
966  p->dp = 34260;
967  p->sp = 21;
968 
969  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
970  if (de_ctx == NULL) {
971  goto end;
972  }
973 
974  de_ctx->flags |= DE_QUIET;
975 
976  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
977  if (de_ctx->sig_list == NULL) {
978  result = 0;
979  goto end;
980  }
981 
982  SigGroupBuild(de_ctx);
983  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
984 
985  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
986  if (!PacketAlertCheck(p, 2003055))
987  result = 1;
988  else
989  printf("signature shouldn't match, but did: ");
990 
991  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
992  DetectEngineCtxFree(de_ctx);
993 end:
994  PacketFree(p);
995  StatsThreadCleanup(&th_v.stats);
996  return result;
997 }
998 
999 static int SigTest19 (void)
1000 {
1001  uint8_t *buf = (uint8_t *)
1002  "220 (vsFTPd 2.0.5)\r\n";
1003  uint16_t buflen = strlen((char *)buf);
1004  Packet *p = PacketGetFromAlloc();
1005  if (unlikely(p == NULL))
1006  return 0;
1007  ThreadVars th_v;
1008  DetectEngineThreadCtx *det_ctx = NULL;
1009  int result = 0;
1010 
1011  memset(&th_v, 0, sizeof(th_v));
1012  StatsThreadInit(&th_v.stats);
1013  p->src.family = AF_INET;
1014  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1015  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1016  p->dst.family = AF_INET;
1017  p->payload = buf;
1018  p->payload_len = buflen;
1019  p->proto = IPPROTO_TCP;
1020  p->dp = 34260;
1021  p->sp = 21;
1022  p->flowflags |= FLOW_PKT_TOSERVER;
1023 
1024  SCConfCreateContextBackup();
1025  SCConfInit();
1026  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1027 
1028  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1029  if (de_ctx == NULL) {
1030  goto end;
1031  }
1032 
1033  de_ctx->flags |= DE_QUIET;
1034 
1035  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1036  if (de_ctx->sig_list == NULL) {
1037  result = 0;
1038  goto end;
1039  }
1040 
1041  SigGroupBuild(de_ctx);
1042  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1043 
1044  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1045  if (PacketAlertCheck(p, 999))
1046  result = 1;
1047  else
1048  printf("signature didn't match, but should have: ");
1049 
1050  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1051  DetectEngineCtxFree(de_ctx);
1052 end:
1053  SCConfDeInit();
1054  SCConfRestoreContextBackup();
1055  PacketFree(p);
1056  StatsThreadCleanup(&th_v.stats);
1057  return result;
1058 }
1059 
1060 static int SigTest20 (void)
1061 {
1062  uint8_t *buf = (uint8_t *)
1063  "220 (vsFTPd 2.0.5)\r\n";
1064  uint16_t buflen = strlen((char *)buf);
1065  Packet *p = PacketGetFromAlloc();
1066  if (unlikely(p == NULL))
1067  return 0;
1068  ThreadVars th_v;
1069  DetectEngineThreadCtx *det_ctx = NULL;
1070  int result = 0;
1071 
1072  memset(&th_v, 0, sizeof(th_v));
1073  StatsThreadInit(&th_v.stats);
1074  p->src.family = AF_INET;
1075  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1076  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1077  p->dst.family = AF_INET;
1078  p->payload = buf;
1079  p->payload_len = buflen;
1080  p->proto = IPPROTO_TCP;
1081  p->dp = 34260;
1082  p->sp = 21;
1083  p->flowflags |= FLOW_PKT_TOSERVER;
1084 
1085  SCConfCreateContextBackup();
1086  SCConfInit();
1087  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1088 
1089  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1090  if (de_ctx == NULL) {
1091  goto end;
1092  }
1093 
1094  de_ctx->flags |= DE_QUIET;
1095 
1096  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1097  if (de_ctx->sig_list == NULL) {
1098  result = 0;
1099  goto end;
1100  }
1101 
1102  SigGroupBuild(de_ctx);
1103  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1104 
1105  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1106  if (PacketAlertCheck(p, 999))
1107  result = 1;
1108  else
1109  printf("signature didn't match, but should have: ");
1110 
1111  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1112  DetectEngineCtxFree(de_ctx);
1113 end:
1114  SCConfDeInit();
1115  SCConfRestoreContextBackup();
1116  PacketFree(p);
1117  StatsThreadCleanup(&th_v.stats);
1118  return result;
1119 }
1120 
1121 static int SigTest21 (void)
1122 {
1123  ThreadVars th_v;
1124  memset(&th_v, 0, sizeof(th_v));
1125  StatsThreadInit(&th_v.stats);
1126  DetectEngineThreadCtx *det_ctx = NULL;
1127  int result = 0;
1128 
1129  Flow f;
1130  memset(&f, 0, sizeof(f));
1131  FLOW_INITIALIZE(&f);
1132 
1133  /* packet 1 */
1134  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1135  "\r\n\r\n";
1136  uint16_t buf1len = strlen((char *)buf1);
1137  Packet *p1 = NULL;
1138  /* packet 2 */
1139  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1140  "\r\n\r\n";
1141  uint16_t buf2len = strlen((char *)buf2);
1142  Packet *p2 = NULL;
1143 
1144  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1145  p1->flow = &f;
1146  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1147  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1148  p2->flow = &f;
1149  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1150 
1151  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1152  if (de_ctx == NULL) {
1153  goto end;
1154  }
1155 
1156  de_ctx->flags |= DE_QUIET;
1157 
1158  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1159  if (de_ctx->sig_list == NULL) {
1160  result = 0;
1161  goto end;
1162  }
1163  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1164  if (de_ctx->sig_list == NULL) {
1165  result = 0;
1166  goto end;
1167  }
1168 
1169  SigGroupBuild(de_ctx);
1170  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1171 
1172  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1173  if (PacketAlertCheck(p1, 1)) {
1174  printf("sid 1 alerted, but shouldn't: ");
1175  goto end;
1176  }
1177  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1178  if (!(PacketAlertCheck(p2, 2))) {
1179  printf("sid 2 didn't alert, but should have: ");
1180  goto end;
1181  }
1182 
1183  result = 1;
1184 end:
1185  if (de_ctx != NULL) {
1186  if (det_ctx != NULL) {
1187  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1188  }
1189  }
1190  DetectEngineCtxFree(de_ctx);
1191  UTHFreePackets(&p1, 1);
1192  UTHFreePackets(&p2, 1);
1193  FLOW_DESTROY(&f);
1194  StatsThreadCleanup(&th_v.stats);
1195  return result;
1196 }
1197 
1198 static int SigTest22 (void)
1199 {
1200  ThreadVars th_v;
1201  memset(&th_v, 0, sizeof(th_v));
1202  StatsThreadInit(&th_v.stats);
1203  DetectEngineThreadCtx *det_ctx = NULL;
1204  int result = 0;
1205 
1206  Flow f;
1207  memset(&f, 0, sizeof(f));
1208  FLOW_INITIALIZE(&f);
1209 
1210  /* packet 1 */
1211  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1212  "\r\n\r\n";
1213  uint16_t buf1len = strlen((char *)buf1);
1214  Packet *p1 = NULL;
1215 
1216  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1217  p1->flow = &f;
1218  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1219 
1220  /* packet 2 */
1221  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1222  "\r\n\r\n";
1223  uint16_t buf2len = strlen((char *)buf2);
1224  Packet *p2 = NULL;
1225 
1226  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1227  p2->flow = &f;
1228  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1229 
1230  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1231  if (de_ctx == NULL) {
1232  goto end;
1233  }
1234 
1235  de_ctx->flags |= DE_QUIET;
1236 
1237  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1238  if (de_ctx->sig_list == NULL) {
1239  result = 0;
1240  goto end;
1241  }
1242  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1243  if (de_ctx->sig_list == NULL) {
1244  result = 0;
1245  goto end;
1246  }
1247 
1248  SigGroupBuild(de_ctx);
1249  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1250 
1251  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1252  if (PacketAlertCheck(p1, 1)) {
1253  printf("sid 1 alerted, but shouldn't: ");
1254  goto end;
1255  }
1256  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1257  if (!(PacketAlertCheck(p2, 2)))
1258  result = 1;
1259  else
1260  printf("sid 2 alerted, but shouldn't: ");
1261 
1262  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1263  DetectEngineCtxFree(de_ctx);
1264 end:
1265  UTHFreePackets(&p1, 1);
1266  UTHFreePackets(&p2, 1);
1267  FLOW_DESTROY(&f);
1268  StatsThreadCleanup(&th_v.stats);
1269  return result;
1270 }
1271 
1272 static int SigTest23 (void)
1273 {
1274  ThreadVars th_v;
1275  memset(&th_v, 0, sizeof(th_v));
1276  StatsThreadInit(&th_v.stats);
1277  DetectEngineThreadCtx *det_ctx = NULL;
1278  int result = 0;
1279 
1280  Flow f;
1281  memset(&f, 0, sizeof(f));
1282  FLOW_INITIALIZE(&f);
1283 
1284  /* packet 1 */
1285  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1286  "\r\n\r\n";
1287  uint16_t buf1len = strlen((char *)buf1);
1288  Packet *p1 = NULL;
1289 
1290  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1291  p1->flow = &f;
1292  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1293 
1294  /* packet 2 */
1295  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1296  "\r\n\r\n";
1297  uint16_t buf2len = strlen((char *)buf2);
1298  Packet *p2 = NULL;
1299 
1300  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1301  p2->flow = &f;
1302  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1303 
1304  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1305  if (de_ctx == NULL) {
1306  goto end;
1307  }
1308 
1309  de_ctx->flags |= DE_QUIET;
1310 
1311  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1312  if (de_ctx->sig_list == NULL) {
1313  result = 0;
1314  goto end;
1315  }
1316  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1317  if (de_ctx->sig_list == NULL) {
1318  result = 0;
1319  goto end;
1320  }
1321 
1322  SigGroupBuild(de_ctx);
1323  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1324 
1325  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1326  if (PacketAlertCheck(p1, 1)) {
1327  printf("sid 1 alerted, but shouldn't: ");
1328  goto end;
1329  }
1330  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1331  if (PacketAlertCheck(p2, 2))
1332  result = 1;
1333  else
1334  printf("sid 2 didn't alert, but should have: ");
1335 
1336  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1337  DetectEngineCtxFree(de_ctx);
1338 end:
1339  UTHFreePackets(&p1, 1);
1340  UTHFreePackets(&p2, 1);
1341  FLOW_DESTROY(&f);
1342  StatsThreadCleanup(&th_v.stats);
1343  return result;
1344 }
1345 
1346 static int SigTest24IPV4Keyword(void)
1347 {
1348  uint8_t valid_raw_ipv4[] = {
1349  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1350  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1351  0xc0, 0xa8, 0x01, 0x03};
1352 
1353  uint8_t invalid_raw_ipv4[] = {
1354  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1355  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1356  0xc0, 0xa8, 0x01, 0x06};
1357 
1358  Packet *p1 = PacketGetFromAlloc();
1359  if (unlikely(p1 == NULL))
1360  return 0;
1361  Packet *p2 = PacketGetFromAlloc();
1362  if (unlikely(p2 == NULL)) {
1363  SCFree(p1);
1364  return 0;
1365  }
1366  ThreadVars th_v;
1367  DetectEngineThreadCtx *det_ctx = NULL;
1368  int result = 0;
1369 
1370  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1371  "\r\n\r\n";
1372  uint16_t buflen = strlen((char *)buf);
1373 
1374  memset(&th_v, 0, sizeof(ThreadVars));
1375  StatsThreadInit(&th_v.stats);
1376 
1377  PacketSetIPV4(p1, valid_raw_ipv4);
1378  p1->src.family = AF_INET;
1379  p1->dst.family = AF_INET;
1380  p1->payload = buf;
1381  p1->payload_len = buflen;
1382  p1->proto = IPPROTO_TCP;
1383 
1384  PacketSetIPV4(p2, invalid_raw_ipv4);
1385  p2->src.family = AF_INET;
1386  p2->dst.family = AF_INET;
1387  p2->payload = buf;
1388  p2->payload_len = buflen;
1389  p2->proto = IPPROTO_TCP;
1390 
1391  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1392  if (de_ctx == NULL) {
1393  goto end;
1394  }
1395 
1396  de_ctx->flags |= DE_QUIET;
1397 
1398  de_ctx->sig_list = SigInit(de_ctx,
1399  "alert ip any any -> any any "
1400  "(content:\"/one/\"; ipv4-csum:valid; "
1401  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1402  if (de_ctx->sig_list == NULL) {
1403  printf("sig 1 parse: ");
1404  goto end;
1405  }
1406 
1407  de_ctx->sig_list->next = SigInit(de_ctx,
1408  "alert ip any any -> any any "
1409  "(content:\"/one/\"; ipv4-csum:invalid; "
1410  "msg:\"ipv4-csum keyword check(1)\"; "
1411  "sid:2;)");
1412  if (de_ctx->sig_list->next == NULL) {
1413  printf("sig 2 parse: ");
1414  goto end;
1415  }
1416 
1417  SigGroupBuild(de_ctx);
1418  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1419 
1420  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1421  if (!(PacketAlertCheck(p1, 1))) {
1422  printf("signature 1 didn't match, but should have: ");
1423  goto end;
1424  }
1425 
1426  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1427  if (!((PacketAlertCheck(p2, 2)))) {
1428  printf("signature 2 didn't match, but should have: ");
1429  goto end;
1430  }
1431 
1432  result = 1;
1433 end:
1434  if (det_ctx != NULL) {
1435  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1436  DetectEngineCtxFree(de_ctx);
1437  }
1438  PacketFree(p1);
1439  PacketFree(p2);
1440  StatsThreadCleanup(&th_v.stats);
1441  return result;
1442 }
1443 
1444 static int SigTest25NegativeIPV4Keyword(void)
1445 {
1446  uint8_t valid_raw_ipv4[] = {
1447  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1448  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1449  0xc0, 0xa8, 0x01, 0x03};
1450 
1451  uint8_t invalid_raw_ipv4[] = {
1452  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1453  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1454  0xc0, 0xa8, 0x01, 0x06};
1455 
1456  Packet *p1 = PacketGetFromAlloc();
1457  if (unlikely(p1 == NULL))
1458  return 0;
1459  Packet *p2 = PacketGetFromAlloc();
1460  if (unlikely(p2 == NULL)) {
1461  SCFree(p1);
1462  return 0;
1463  }
1464  ThreadVars th_v;
1465  DetectEngineThreadCtx *det_ctx = NULL;
1466  int result = 1;
1467 
1468  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1469  "\r\n\r\n";
1470  uint16_t buflen = strlen((char *)buf);
1471 
1472  memset(&th_v, 0, sizeof(ThreadVars));
1473  StatsThreadInit(&th_v.stats);
1474 
1475  PacketSetIPV4(p1, valid_raw_ipv4);
1476  p1->src.family = AF_INET;
1477  p1->dst.family = AF_INET;
1478  p1->payload = buf;
1479  p1->payload_len = buflen;
1480  p1->proto = IPPROTO_TCP;
1481 
1482  PacketSetIPV4(p2, invalid_raw_ipv4);
1483  p2->src.family = AF_INET;
1484  p2->dst.family = AF_INET;
1485  p2->payload = buf;
1486  p2->payload_len = buflen;
1487  p2->proto = IPPROTO_TCP;
1488 
1489  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1490  if (de_ctx == NULL) {
1491  goto end;
1492  }
1493 
1494  de_ctx->flags |= DE_QUIET;
1495 
1496  de_ctx->sig_list = SigInit(de_ctx,
1497  "alert ip any any -> any any "
1498  "(content:\"/one/\"; ipv4-csum:invalid; "
1499  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1500  if (de_ctx->sig_list == NULL) {
1501  result &= 0;
1502  goto end;
1503  }
1504 
1505  de_ctx->sig_list->next = SigInit(de_ctx,
1506  "alert ip any any -> any any "
1507  "(content:\"/one/\"; ipv4-csum:valid; "
1508  "msg:\"ipv4-csum keyword check(1)\"; "
1509  "sid:2;)");
1510  if (de_ctx->sig_list->next == NULL) {
1511  result &= 0;
1512  goto end;
1513  }
1514 
1515  SigGroupBuild(de_ctx);
1516  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1517 
1518  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1519  if (PacketAlertCheck(p1, 1))
1520  result &= 0;
1521  else
1522  result &= 1;
1523 
1524  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1525  if (PacketAlertCheck(p2, 2))
1526  result &= 0;
1527  else
1528  result &= 1;
1529 
1530  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1531  DetectEngineCtxFree(de_ctx);
1532 end:
1533  PacketFree(p1);
1534  PacketFree(p2);
1535  StatsThreadCleanup(&th_v.stats);
1536  return result;
1537 }
1538 
1539 static int SigTest26TCPV4Keyword(void)
1540 {
1541  uint8_t raw_ipv4[] = {
1542  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1543  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1544  0xc0, 0xa8, 0x01, 0x03};
1545 
1546  uint8_t valid_raw_tcp[] = {
1547  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1548  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1549  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1550  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1551  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1552 
1553  uint8_t invalid_raw_tcp[] = {
1554  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1555  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1556  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1557  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1558  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1559 
1560  Packet *p1 = PacketGetFromAlloc();
1561  if (unlikely(p1 == NULL))
1562  return 0;
1563 
1564  Packet *p2 = PacketGetFromAlloc();
1565  if (unlikely(p2 == NULL)) {
1566  SCFree(p1);
1567  return 0;
1568  }
1569 
1570  ThreadVars th_v;
1571  DetectEngineThreadCtx *det_ctx = NULL;
1572 
1573  memset(&th_v, 0, sizeof(ThreadVars));
1574  StatsThreadInit(&th_v.stats);
1575 
1576  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1577  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1578 
1579  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1580  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1581 
1582  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1583  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1584  p1->src.family = AF_INET;
1585  p1->dst.family = AF_INET;
1586  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1587  p1->payload_len = 20;
1588  p1->proto = IPPROTO_TCP;
1589 
1590  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1591  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1592  p2->src.family = AF_INET;
1593  p2->dst.family = AF_INET;
1594  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1595  p2->payload_len = 20;
1596  p2->proto = IPPROTO_TCP;
1597 
1598  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1599  FAIL_IF_NULL(de_ctx);
1600 
1601  de_ctx->flags |= DE_QUIET;
1602 
1603  de_ctx->sig_list = SigInit(de_ctx,
1604  "alert ip any any -> any any "
1605  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1606  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1607  FAIL_IF_NULL(de_ctx->sig_list);
1608 
1609  de_ctx->sig_list->next = SigInit(de_ctx,
1610  "alert ip any any -> any any "
1611  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1612  "msg:\"tcpv4-csum keyword check(1)\"; "
1613  "sid:2;)");
1614  FAIL_IF_NULL(de_ctx->sig_list->next);
1615 
1616  SigGroupBuild(de_ctx);
1617  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1618 
1619  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1620  FAIL_IF(!(PacketAlertCheck(p1, 1)));
1621 
1622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1623  FAIL_IF(!(PacketAlertCheck(p2, 2)));
1624 
1625  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1626  DetectEngineCtxFree(de_ctx);
1627  PacketFree(p1);
1628  PacketFree(p2);
1629  StatsThreadCleanup(&th_v.stats);
1630  PASS;
1631 }
1632 
1633 /* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
1634 static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1635 {
1636  uint8_t raw_ipv4[] = {
1637  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1638  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1639  0xc0, 0xa8, 0x01, 0x03};
1640 
1641  uint8_t valid_raw_tcp[] = {
1642  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1643  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1644  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1645  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1646  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1647 
1648  uint8_t invalid_raw_tcp[] = {
1649  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1650  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1651  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1652  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1653  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1654 
1655  Packet *p1 = PacketGetFromAlloc();
1656  if (unlikely(p1 == NULL))
1657  return 0;
1658 
1659  Packet *p2 = PacketGetFromAlloc();
1660  if (unlikely(p2 == NULL)) {
1661  SCFree(p1);
1662  return 0;
1663  }
1664 
1665  ThreadVars th_v;
1666  DetectEngineThreadCtx *det_ctx = NULL;
1667  int result = 0;
1668 
1669  memset(&th_v, 0, sizeof(ThreadVars));
1670  StatsThreadInit(&th_v.stats);
1671 
1672  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1673  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1674 
1675  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1676  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1677 
1678  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1679  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1680  p1->src.family = AF_INET;
1681  p1->dst.family = AF_INET;
1682  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1683  p1->payload_len = 20;
1684  p1->proto = IPPROTO_TCP;
1685 
1686  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1687  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1688  p2->src.family = AF_INET;
1689  p2->dst.family = AF_INET;
1690  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1691  p2->payload_len = 20;
1692  p2->proto = IPPROTO_TCP;
1693 
1694  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1695  if (de_ctx == NULL) {
1696  goto end;
1697  }
1698 
1699  de_ctx->flags |= DE_QUIET;
1700 
1701  de_ctx->sig_list = SigInit(de_ctx,
1702  "alert ip any any -> any any "
1703  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1704  "ipv4-csum:invalid; "
1705  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1706  if (de_ctx->sig_list == NULL) {
1707  goto end;
1708  }
1709 
1710  de_ctx->sig_list->next = SigInit(de_ctx,
1711  "alert ip any any -> any any "
1712  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1713  "ipv4-csum:invalid; "
1714  "msg:\"tcpv4-csum keyword check(1)\"; "
1715  "sid:2;)");
1716  if (de_ctx->sig_list->next == NULL) {
1717  goto end;
1718  }
1719 
1720  SigGroupBuild(de_ctx);
1721  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1722 
1723  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1724  if (!(PacketAlertCheck(p1, 1))) {
1725  printf("sig 1 didn't match: ");
1726  goto end;
1727  }
1728 
1729  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1730  if (!(PacketAlertCheck(p2, 2))) {
1731  printf("sig 2 didn't match: ");
1732  goto end;
1733  }
1734 
1735  result = 1;
1736 end:
1737  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1738  DetectEngineCtxFree(de_ctx);
1739  PacketFree(p1);
1740  PacketFree(p2);
1741  StatsThreadCleanup(&th_v.stats);
1742  return result;
1743 }
1744 
1745 /* Similar to SigTest26, but with different packet */
1746 static int SigTest26TCPV4AndIPV4Keyword(void)
1747 {
1748  /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1749  * TTL: 64 Flags: Don't Fragment
1750  */
1751  uint8_t raw_ipv4[] = {
1752  0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1753  0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1754  0xc0, 0xa8, 0xb0, 0x74};
1755 
1756  /* TCP: sport: 49517 dport: 445 Flags: SYN
1757  * Window size: 65535, checksum: 0x2009,
1758  * MTU: 1460, Window scale: 4, TSACK permitted,
1759  * 24 bytes of options, no payload.
1760  */
1761  uint8_t valid_raw_tcp[] = {
1762  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1763  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1764  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1765  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1766  0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1767  0x04, 0x02, 0x00, 0x00};
1768 
1769  uint8_t invalid_raw_tcp[] = {
1770  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1771  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1772  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1773  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1774  0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1775  0x04, 0x02, 0x00, 0x00};
1776 
1777  Packet *p1 = PacketGetFromAlloc();
1778  if (unlikely(p1 == NULL))
1779  return 0;
1780 
1781  Packet *p2 = PacketGetFromAlloc();
1782  if (unlikely(p2 == NULL)) {
1783  SCFree(p1);
1784  return 0;
1785  }
1786 
1787  ThreadVars th_v;
1788  DetectEngineThreadCtx *det_ctx = NULL;
1789  int result = 0;
1790 
1791  memset(&th_v, 0, sizeof(ThreadVars));
1792  StatsThreadInit(&th_v.stats);
1793 
1794  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1795  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1796 
1797  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1798  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1799 
1800  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1801  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1802  p1->src.family = AF_INET;
1803  p1->dst.family = AF_INET;
1804  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1805  p1->payload_len = 0;
1806  p1->proto = IPPROTO_TCP;
1807 
1808  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1809  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1810  p2->src.family = AF_INET;
1811  p2->dst.family = AF_INET;
1812  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1813  p2->payload_len = 0;
1814  p2->proto = IPPROTO_TCP;
1815 
1816  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1817  if (de_ctx == NULL) {
1818  goto end;
1819  }
1820 
1821  de_ctx->flags |= DE_QUIET;
1822 
1823  de_ctx->sig_list = SigInit(de_ctx,
1824  "alert ip any any -> any any "
1825  "(tcpv4-csum:valid; "
1826  "ipv4-csum:valid; "
1827  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1828  if (de_ctx->sig_list == NULL) {
1829  goto end;
1830  }
1831 
1832  de_ctx->sig_list->next = SigInit(de_ctx,
1833  "alert ip any any -> any any "
1834  "(tcpv4-csum:invalid; "
1835  "ipv4-csum:valid; "
1836  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1837  "sid:2;)");
1838  if (de_ctx->sig_list->next == NULL) {
1839  goto end;
1840  }
1841 
1842  SigGroupBuild(de_ctx);
1843  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1844 
1845  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1846  if (!(PacketAlertCheck(p1, 1))) {
1847  printf("sig 1 didn't match: ");
1848  goto end;
1849  }
1850 
1851  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1852  if (!(PacketAlertCheck(p2, 2))) {
1853  printf("sig 2 didn't match: ");
1854  goto end;
1855  }
1856 
1857  result = 1;
1858 end:
1859  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1860  DetectEngineCtxFree(de_ctx);
1861  PacketFree(p1);
1862  PacketFree(p2);
1863  StatsThreadCleanup(&th_v.stats);
1864  return result;
1865 }
1866 
1867 static int SigTest27NegativeTCPV4Keyword(void)
1868 {
1869  uint8_t raw_ipv4[] = {
1870  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1871  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1872  0xc0, 0xa8, 0x01, 0x03};
1873 
1874  uint8_t valid_raw_tcp[] = {
1875  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1876  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1877  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1878  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1879  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1880 
1881  uint8_t invalid_raw_tcp[] = {
1882  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1883  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1884  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1885  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1886  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1887 
1888  Packet *p1 = PacketGetFromAlloc();
1889  if (unlikely(p1 == NULL))
1890  return 0;
1891  Packet *p2 = PacketGetFromAlloc();
1892  if (unlikely(p2 == NULL)) {
1893  SCFree(p1);
1894  return 0;
1895  }
1896  ThreadVars th_v;
1897  DetectEngineThreadCtx *det_ctx = NULL;
1898  int result = 0;
1899 
1900  memset(&th_v, 0, sizeof(ThreadVars));
1901  StatsThreadInit(&th_v.stats);
1902 
1903  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1904  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1905 
1906  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1907  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1908 
1909  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1910  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1911  p1->src.family = AF_INET;
1912  p1->dst.family = AF_INET;
1913  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1914  p1->payload_len = 20;
1915  p1->proto = IPPROTO_TCP;
1916 
1917  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1918  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1919  p2->src.family = AF_INET;
1920  p2->dst.family = AF_INET;
1921  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1922  p2->payload_len = 20;
1923  p2->proto = IPPROTO_TCP;
1924 
1925  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1926  if (de_ctx == NULL) {
1927  goto end;
1928  }
1929 
1930  de_ctx->flags |= DE_QUIET;
1931 
1932  de_ctx->sig_list = SigInit(de_ctx,
1933  "alert tcp any any -> any any "
1934  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
1935  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1936  if (de_ctx->sig_list == NULL) {
1937  goto end;
1938  }
1939 
1940  de_ctx->sig_list->next = SigInit(de_ctx,
1941  "alert tcp any any -> any any "
1942  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1943  "msg:\"tcpv4-csum keyword check(2)\"; "
1944  "sid:2;)");
1945  if (de_ctx->sig_list->next == NULL) {
1946  goto end;
1947  }
1948 
1949  SigGroupBuild(de_ctx);
1950  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1951 
1952  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1953  if (!PacketAlertCheck(p1, 1)) {
1954  printf("sig 1 didn't match on p1: ");
1955  goto end;
1956  }
1957 
1958  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1959  if (PacketAlertCheck(p2, 2)) {
1960  printf("sig 2 matched on p2: ");
1961  goto end;
1962  }
1963 
1964  result = 1;
1965 end:
1966  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1967  DetectEngineCtxFree(de_ctx);
1968  PacketFree(p1);
1969  PacketFree(p2);
1970  StatsThreadCleanup(&th_v.stats);
1971  return result;
1972 }
1973 
1974 static int SigTest28TCPV6Keyword(void)
1975 {
1976  static uint8_t valid_raw_ipv6[] = {
1977  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
1978  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
1979 
1980  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
1981  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
1982  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
1983  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
1984  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
1985 
1986  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
1987  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
1988  0xf2, 0xf1, 0x00, 0x00,
1989 
1990  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
1991  0x00, 0x01, 0x69, 0x27};
1992 
1993  static uint8_t invalid_raw_ipv6[] = {
1994  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
1995  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
1996 
1997  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
1998  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
1999  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2000  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2001  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2002 
2003  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2004  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2005  0xc2, 0xf1, 0x00, 0x00,
2006 
2007  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2008  0x00, 0x01, 0x69, 0x28};
2009 
2010  Packet *p1 = PacketGetFromAlloc();
2011  if (unlikely(p1 == NULL))
2012  return 0;
2013  Packet *p2 = PacketGetFromAlloc();
2014  if (unlikely(p2 == NULL)) {
2015  SCFree(p1);
2016  return 0;
2017  }
2018  ThreadVars th_v;
2019  DetectEngineThreadCtx *det_ctx = NULL;
2020  int result = 0;
2021 
2022  memset(&th_v, 0, sizeof(ThreadVars));
2023  StatsThreadInit(&th_v.stats);
2024 
2025  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2026  PacketSetTCP(p1, (valid_raw_ipv6 + 54));
2027  p1->src.family = AF_INET;
2028  p1->dst.family = AF_INET;
2029  p1->payload = valid_raw_ipv6 + 54 + 20;
2030  p1->payload_len = 12;
2031  p1->proto = IPPROTO_TCP;
2032 
2033  if (TCP_GET_RAW_HLEN(PacketGetTCP(p1)) != 20) {
2034  BUG_ON(1);
2035  }
2036 
2037  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2038  PacketSetTCP(p2, (invalid_raw_ipv6 + 54));
2039  p2->src.family = AF_INET;
2040  p2->dst.family = AF_INET;
2041  p2->payload = invalid_raw_ipv6 + 54 + 20;
2042  p2->payload_len = 12;
2043  p2->proto = IPPROTO_TCP;
2044 
2045  if (TCP_GET_RAW_HLEN(PacketGetTCP(p2)) != 20) {
2046  BUG_ON(1);
2047  }
2048 
2049  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2050  if (de_ctx == NULL) {
2051  goto end;
2052  }
2053 
2054  de_ctx->flags |= DE_QUIET;
2055 
2056  de_ctx->sig_list = SigInit(de_ctx,
2057  "alert tcp any any -> any any "
2058  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2059  "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2060  if (de_ctx->sig_list == NULL) {
2061  goto end;
2062  }
2063 
2064  de_ctx->sig_list->next = SigInit(de_ctx,
2065  "alert tcp any any -> any any "
2066  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2067  "msg:\"tcpv6-csum keyword check(1)\"; "
2068  "sid:2;)");
2069  if (de_ctx->sig_list->next == NULL) {
2070  goto end;
2071  }
2072 
2073  SigGroupBuild(de_ctx);
2074  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2075 
2076  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2077  if (!(PacketAlertCheck(p1, 1))) {
2078  printf("sid 1 didn't match on p1: ");
2079  goto end;
2080  }
2081 
2082  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2083  if (!(PacketAlertCheck(p2, 2))) {
2084  printf("sid 2 didn't match on p2: ");
2085  goto end;
2086  }
2087 
2088  result = 1;
2089 end:
2090  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2091  DetectEngineCtxFree(de_ctx);
2092  PacketFree(p1);
2093  PacketFree(p2);
2094  StatsThreadCleanup(&th_v.stats);
2095  return result;
2096 }
2097 
2098 static int SigTest29NegativeTCPV6Keyword(void)
2099 {
2100  static uint8_t valid_raw_ipv6[] = {
2101  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2102  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2103 
2104  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2105  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2106  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2107  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2108  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2109 
2110  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2111  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2112  0xf2, 0xf1, 0x00, 0x00,
2113 
2114  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2115  0x00, 0x01, 0x69, 0x27};
2116 
2117  static uint8_t invalid_raw_ipv6[] = {
2118  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2119  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2120 
2121  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2122  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2123  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2124  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2125  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2126 
2127  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2128  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2129  0xc2, 0xf1, 0x00, 0x00,
2130 
2131  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2132  0x00, 0x01, 0x69, 0x28};
2133 
2134  Packet *p1 = PacketGetFromAlloc();
2135  if (unlikely(p1 == NULL))
2136  return 0;
2137  Packet *p2 = PacketGetFromAlloc();
2138  if (unlikely(p2 == NULL)) {
2139  SCFree(p1);
2140  return 0;
2141  }
2142  ThreadVars th_v;
2143  DetectEngineThreadCtx *det_ctx = NULL;
2144  int result = 0;
2145 
2146  memset(&th_v, 0, sizeof(ThreadVars));
2147  StatsThreadInit(&th_v.stats);
2148 
2149  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2150  PacketSetTCP(p1, valid_raw_ipv6 + 54);
2151  p1->src.family = AF_INET;
2152  p1->dst.family = AF_INET;
2153  p1->payload = valid_raw_ipv6 + 54 + 20;
2154  p1->payload_len = 12;
2155  p1->proto = IPPROTO_TCP;
2156 
2157  if (TCP_GET_RAW_HLEN(PacketGetTCP(p1)) != 20) {
2158  BUG_ON(1);
2159  }
2160 
2161  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2162  PacketSetTCP(p2, invalid_raw_ipv6 + 54);
2163  p2->src.family = AF_INET;
2164  p2->dst.family = AF_INET;
2165  p2->payload = invalid_raw_ipv6 + 54 + 20;
2166  p2->payload_len = 12;
2167  p2->proto = IPPROTO_TCP;
2168 
2169  FAIL_IF(TCP_GET_RAW_HLEN(PacketGetTCP(p2)) != 20);
2170 
2171  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2172  if (de_ctx == NULL) {
2173  goto end;
2174  }
2175 
2176  de_ctx->flags |= DE_QUIET;
2177 
2178  de_ctx->sig_list = SigInit(de_ctx,
2179  "alert tcp any any -> any any "
2180  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2181  "msg:\"tcpv6-csum keyword check(1)\"; "
2182  "sid:1;)");
2183  if (de_ctx->sig_list == NULL) {
2184  goto end;
2185  }
2186 
2187  de_ctx->sig_list->next = SigInit(de_ctx,
2188  "alert tcp any any -> any any "
2189  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2190  "msg:\"tcpv6-csum keyword check(1)\"; "
2191  "sid:2;)");
2192  if (de_ctx->sig_list->next == NULL) {
2193  goto end;
2194  }
2195 
2196  SigGroupBuild(de_ctx);
2197  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2198 
2199  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2200  if (PacketAlertCheck(p1, 1))
2201  goto end;
2202 
2203  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2204  if (PacketAlertCheck(p2, 2))
2205  goto end;
2206 
2207  result = 1;
2208 end:
2209  if (det_ctx != NULL)
2210  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2211  DetectEngineCtxFree(de_ctx);
2212  PacketFree(p1);
2213  PacketFree(p2);
2214  StatsThreadCleanup(&th_v.stats);
2215  return result;
2216 }
2217 
2218 static int SigTest30UDPV4Keyword(void)
2219 {
2220  uint8_t raw_ipv4[] = {
2221  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2222  0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2223  0xc0, 0xa8, 0x01, 0x03};
2224 
2225  uint8_t valid_raw_udp[] = {
2226  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2227  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2228  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2229  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2230  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2231  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2232  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2233  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2234  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2235  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2236  0x67, 0x6c, 0x65, 0xc0, 0x26};
2237 
2238  uint8_t invalid_raw_udp[] = {
2239  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2240  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2241  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2242  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2243  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2244  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2245  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2246  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2247  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2248  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2249  0x67, 0x6c, 0x65, 0xc0, 0x27};
2250 
2251  Packet *p1 = PacketGetFromAlloc();
2252  FAIL_IF_NULL(p1);
2253  Packet *p2 = PacketGetFromAlloc();
2254  FAIL_IF_NULL(p2);
2255 
2256  ThreadVars th_v;
2257  DetectEngineThreadCtx *det_ctx = NULL;
2258 
2259  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2260  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2261 
2262  memset(&th_v, 0, sizeof(ThreadVars));
2263  StatsThreadInit(&th_v.stats);
2264 
2265  PacketSetIPV4(p1, raw_ipv4);
2266  PacketSetUDP(p1, valid_raw_udp);
2267  p1->src.family = AF_INET;
2268  p1->dst.family = AF_INET;
2269  p1->payload = buf;
2270  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2271  p1->proto = IPPROTO_UDP;
2272 
2273  PacketSetIPV4(p2, raw_ipv4);
2274  PacketSetUDP(p2, invalid_raw_udp);
2275  p2->src.family = AF_INET;
2276  p2->dst.family = AF_INET;
2277  p2->payload = buf;
2278  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2279  p2->proto = IPPROTO_UDP;
2280 
2281  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2282  FAIL_IF_NULL(de_ctx);
2283 
2284  de_ctx->flags |= DE_QUIET;
2285 
2286  de_ctx->sig_list = SigInit(de_ctx,
2287  "alert udp any any -> any any "
2288  "(content:\"/one/\"; udpv4-csum:valid; "
2289  "msg:\"udpv4-csum keyword check(1)\"; "
2290  "sid:1;)");
2291  FAIL_IF_NULL(de_ctx->sig_list);
2292 
2293  de_ctx->sig_list->next = SigInit(de_ctx,
2294  "alert udp any any -> any any "
2295  "(content:\"/one/\"; udpv4-csum:invalid; "
2296  "msg:\"udpv4-csum keyword check(1)\"; "
2297  "sid:2;)");
2298  FAIL_IF_NULL(de_ctx->sig_list->next);
2299 
2300  SigGroupBuild(de_ctx);
2301  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2302 
2303  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2304  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2305 
2306  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2307  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2308 
2309  if (det_ctx != NULL)
2310  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2311  DetectEngineCtxFree(de_ctx);
2312  PacketFree(p1);
2313  PacketFree(p2);
2314  StatsThreadCleanup(&th_v.stats);
2315  PASS;
2316 }
2317 
2318 static int SigTest31NegativeUDPV4Keyword(void)
2319 {
2320  uint8_t raw_ipv4[] = {
2321  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2322  0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2323  0xc0, 0xa8, 0x01, 0x03};
2324 
2325  uint8_t valid_raw_udp[] = {
2326  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2327  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2328  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2329  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2330  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2331  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2332  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2333  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2334  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2335  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2336  0x67, 0x6c, 0x65, 0xc0, 0x26};
2337 
2338  uint8_t invalid_raw_udp[] = {
2339  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2340  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2341  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2342  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2343  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2344  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2345  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2346  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2347  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2348  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2349  0x67, 0x6c, 0x65, 0xc0, 0x27};
2350 
2351  Packet *p1 = PacketGetFromAlloc();
2352  if (unlikely(p1 == NULL))
2353  return 0;
2354  Packet *p2 = PacketGetFromAlloc();
2355  if (unlikely(p2 == NULL)) {
2356  SCFree(p1);
2357  return 0;
2358  }
2359  ThreadVars th_v;
2360  DetectEngineThreadCtx *det_ctx = NULL;
2361  int result = 1;
2362 
2363  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2364  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2365 
2366  memset(&th_v, 0, sizeof(ThreadVars));
2367  StatsThreadInit(&th_v.stats);
2368 
2369  PacketSetIPV4(p1, raw_ipv4);
2370  PacketSetUDP(p1, valid_raw_udp);
2371  p1->src.family = AF_INET;
2372  p1->dst.family = AF_INET;
2373  p1->payload = buf;
2374  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2375  p1->proto = IPPROTO_UDP;
2376 
2377  PacketSetIPV4(p2, raw_ipv4);
2378  PacketSetUDP(p2, invalid_raw_udp);
2379  p2->src.family = AF_INET;
2380  p2->dst.family = AF_INET;
2381  p2->payload = buf;
2382  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2383  p2->proto = IPPROTO_UDP;
2384 
2385  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2386  if (de_ctx == NULL) {
2387  goto end;
2388  }
2389 
2390  de_ctx->flags |= DE_QUIET;
2391 
2392  de_ctx->sig_list = SigInit(de_ctx,
2393  "alert udp any any -> any any "
2394  "(content:\"/one/\"; udpv4-csum:invalid; "
2395  "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2396  if (de_ctx->sig_list == NULL) {
2397  result &= 0;
2398  goto end;
2399  }
2400 
2401  de_ctx->sig_list->next = SigInit(de_ctx,
2402  "alert udp any any -> any any "
2403  "(content:\"/one/\"; udpv4-csum:valid; "
2404  "msg:\"udpv4-csum keyword check(1)\"; "
2405  "sid:2;)");
2406  if (de_ctx->sig_list->next == NULL) {
2407  result &= 0;
2408  goto end;
2409  }
2410 
2411  SigGroupBuild(de_ctx);
2412  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2413 
2414  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2415  if (PacketAlertCheck(p1, 1))
2416  result &= 0;
2417  else
2418  result &= 1;
2419 
2420  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2421  if (PacketAlertCheck(p2, 2)) {
2422  result &= 0;
2423  }
2424  else
2425  result &= 1;
2426 
2427  if (det_ctx != NULL)
2428  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2429  DetectEngineCtxFree(de_ctx);
2430 end:
2431  PacketFree(p1);
2432  PacketFree(p2);
2433  StatsThreadCleanup(&th_v.stats);
2434  return result;
2435 }
2436 
2437 
2438 static int SigTest32UDPV6Keyword(void)
2439 {
2440  static uint8_t valid_raw_ipv6[] = {
2441  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2442  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2443  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2444  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2445  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2446  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2447  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2448  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2449  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2450  0x09, 0x00};
2451 
2452  static uint8_t invalid_raw_ipv6[] = {
2453  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2454  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2455  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2456  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2457  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2458  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2459  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2460  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2461  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2462  0x09, 0x01};
2463 
2464  Packet *p1 = PacketGetFromAlloc();
2465  FAIL_IF_NULL(p1);
2466  Packet *p2 = PacketGetFromAlloc();
2467  FAIL_IF_NULL(p2);
2468 
2469  ThreadVars th_v;
2470  DetectEngineThreadCtx *det_ctx = NULL;
2471 
2472  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2473  "\r\n\r\n";
2474 
2475  memset(&th_v, 0, sizeof(ThreadVars));
2476  StatsThreadInit(&th_v.stats);
2477 
2478  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2479  PacketSetUDP(p1, valid_raw_ipv6 + 54);
2480  p1->src.family = AF_INET;
2481  p1->dst.family = AF_INET;
2482  p1->payload = buf;
2483  p1->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p1)) - UDP_HEADER_LEN;
2484  p1->proto = IPPROTO_UDP;
2485 
2486  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2487  PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2488  p2->src.family = AF_INET;
2489  p2->dst.family = AF_INET;
2490  p2->payload = buf;
2491  p2->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p2)) - UDP_HEADER_LEN;
2492  p2->proto = IPPROTO_UDP;
2493 
2494  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2495  FAIL_IF_NULL(de_ctx);
2496 
2497  de_ctx->flags |= DE_QUIET;
2498 
2499  de_ctx->sig_list = SigInit(de_ctx,
2500  "alert udp any any -> any any "
2501  "(content:\"/one/\"; udpv6-csum:valid; "
2502  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2503  FAIL_IF_NULL(de_ctx->sig_list);
2504 
2505  de_ctx->sig_list->next = SigInit(de_ctx,
2506  "alert udp any any -> any any "
2507  "(content:\"/one/\"; udpv6-csum:invalid; "
2508  "msg:\"udpv6-csum keyword check(1)\"; "
2509  "sid:2;)");
2510  FAIL_IF_NULL(de_ctx->sig_list->next);
2511 
2512  SigGroupBuild(de_ctx);
2513  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2514 
2515  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2516  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2517 
2518  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2519  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2520 
2521  if (det_ctx != NULL)
2522  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2523  DetectEngineCtxFree(de_ctx);
2524 
2525  PacketFree(p1);
2526  PacketFree(p2);
2527  StatsThreadCleanup(&th_v.stats);
2528  PASS;
2529 }
2530 
2531 static int SigTest33NegativeUDPV6Keyword(void)
2532 {
2533  static uint8_t valid_raw_ipv6[] = {
2534  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2535  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2536  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2537  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2538  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2539  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2540  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2541  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2542  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2543  0x09, 0x00};
2544 
2545  static uint8_t invalid_raw_ipv6[] = {
2546  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2547  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2548  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2549  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2550  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2551  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2552  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2553  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2554  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2555  0x09, 0x01};
2556 
2557  Packet *p1 = PacketGetFromAlloc();
2558  if (unlikely(p1 == NULL))
2559  return 0;
2560  Packet *p2 = PacketGetFromAlloc();
2561  if (unlikely(p2 == NULL)) {
2562  SCFree(p1);
2563  return 0;
2564  }
2565  ThreadVars th_v;
2566  DetectEngineThreadCtx *det_ctx = NULL;
2567  int result = 1;
2568 
2569  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2570  "\r\n\r\n";
2571 
2572  memset(&th_v, 0, sizeof(ThreadVars));
2573  StatsThreadInit(&th_v.stats);
2574 
2575  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2576  PacketSetUDP(p1, valid_raw_ipv6 + 54);
2577  p1->src.family = AF_INET;
2578  p1->dst.family = AF_INET;
2579  p1->payload = buf;
2580  p1->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p1)) - UDP_HEADER_LEN;
2581  p1->proto = IPPROTO_UDP;
2582 
2583  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2584  PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2585  p2->src.family = AF_INET;
2586  p2->dst.family = AF_INET;
2587  p2->payload = buf;
2588  p2->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p2)) - UDP_HEADER_LEN;
2589  p2->proto = IPPROTO_UDP;
2590 
2591  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2592  if (de_ctx == NULL) {
2593  goto end;
2594  }
2595 
2596  de_ctx->flags |= DE_QUIET;
2597 
2598  de_ctx->sig_list = SigInit(de_ctx,
2599  "alert udp any any -> any any "
2600  "(content:\"/one/\"; udpv6-csum:invalid; "
2601  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2602  if (de_ctx->sig_list == NULL) {
2603  result &= 0;
2604  goto end;
2605  }
2606 
2607  de_ctx->sig_list->next = SigInit(de_ctx,
2608  "alert udp any any -> any any "
2609  "(content:\"/one/\"; udpv6-csum:valid; "
2610  "msg:\"udpv6-csum keyword check(1)\"; "
2611  "sid:2;)");
2612  if (de_ctx->sig_list->next == NULL) {
2613  result &= 0;
2614  goto end;
2615  }
2616 
2617  SigGroupBuild(de_ctx);
2618  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2619 
2620  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2621  if (PacketAlertCheck(p1, 1))
2622  result &= 0;
2623  else
2624  result &= 1;
2625 
2626  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2627  if (PacketAlertCheck(p2, 2))
2628  result &= 0;
2629  else
2630  result &= 1;
2631 
2632  if (det_ctx != NULL)
2633  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2634  DetectEngineCtxFree(de_ctx);
2635 end:
2636  PacketFree(p1);
2637  PacketFree(p2);
2638  StatsThreadCleanup(&th_v.stats);
2639  return result;
2640 }
2641 
2642 static int SigTest34ICMPV4Keyword(void)
2643 {
2644  uint8_t valid_raw_ipv4[] = {
2645  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2646  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2647  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2648  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2649  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2650  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2651  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2652  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2653  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2654  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2655  0x34, 0x35, 0x36, 0x37};
2656 
2657  uint8_t invalid_raw_ipv4[] = {
2658  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2659  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2660  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2661  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2662  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2663  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2664  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2665  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2666  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2667  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2668  0x34, 0x35, 0x36, 0x38};
2669 
2670  Packet *p1 = PacketGetFromAlloc();
2671  if (unlikely(p1 == NULL))
2672  return 0;
2673  Packet *p2 = PacketGetFromAlloc();
2674  if (unlikely(p2 == NULL)) {
2675  SCFree(p1);
2676  return 0;
2677  }
2678  ThreadVars th_v;
2679  DetectEngineThreadCtx *det_ctx = NULL;
2680  int result = 1;
2681 
2682  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2683  "\r\n\r\n";
2684  uint16_t buflen = strlen((char *)buf);
2685 
2686  memset(&th_v, 0, sizeof(ThreadVars));
2687  StatsThreadInit(&th_v.stats);
2688 
2689  IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2690  ip4h->ip_verhl = 69;
2691  (void)PacketSetICMPv4(p1, valid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2692  p1->src.family = AF_INET;
2693  p1->dst.family = AF_INET;
2694  p1->payload = buf;
2695  p1->payload_len = buflen;
2696  p1->proto = IPPROTO_ICMP;
2697 
2698  ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2699  ip4h->ip_verhl = 69;
2700  (void)PacketSetICMPv4(p2, invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2701  p2->src.family = AF_INET;
2702  p2->dst.family = AF_INET;
2703  p2->payload = buf;
2704  p2->payload_len = buflen;
2705  p2->proto = IPPROTO_ICMP;
2706 
2707  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2708  if (de_ctx == NULL) {
2709  goto end;
2710  }
2711 
2712  de_ctx->flags |= DE_QUIET;
2713 
2714  de_ctx->sig_list = SigInit(de_ctx,
2715  "alert icmp any any -> any any "
2716  "(content:\"/one/\"; icmpv4-csum:valid; "
2717  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2718  if (de_ctx->sig_list == NULL) {
2719  result &= 0;
2720  goto end;
2721  }
2722 
2723  de_ctx->sig_list->next = SigInit(de_ctx,
2724  "alert icmp any any -> any any "
2725  "(content:\"/one/\"; icmpv4-csum:invalid; "
2726  "msg:\"icmpv4-csum keyword check(1)\"; "
2727  "sid:2;)");
2728  if (de_ctx->sig_list->next == NULL) {
2729  result = 0;
2730  goto end;
2731  }
2732 
2733  SigGroupBuild(de_ctx);
2734  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2735 
2736  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2737  if (PacketAlertCheck(p1, 1))
2738  result &= 1;
2739  else
2740  result &= 0;
2741 
2742  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2743  if (PacketAlertCheck(p2, 2))
2744  result &= 1;
2745  else
2746  result &= 0;
2747 
2748  if (det_ctx != NULL)
2749  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2750  DetectEngineCtxFree(de_ctx);
2751 end:
2752  PacketFree(p1);
2753  PacketFree(p2);
2754  StatsThreadCleanup(&th_v.stats);
2755  return result;
2756 }
2757 
2758 static int SigTest35NegativeICMPV4Keyword(void)
2759 {
2760  uint8_t valid_raw_ipv4[] = {
2761  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2762  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2763  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2764  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2765  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2766  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2767  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2768  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2769  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2770  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2771  0x34, 0x35, 0x36, 0x37};
2772 
2773  uint8_t invalid_raw_ipv4[] = {
2774  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2775  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2776  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2777  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2778  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2779  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2780  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2781  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2782  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2783  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2784  0x34, 0x35, 0x36, 0x38};
2785 
2786  Packet *p1 = PacketGetFromAlloc();
2787  if (unlikely(p1 == NULL))
2788  return 0;
2789  Packet *p2 = PacketGetFromAlloc();
2790  if (unlikely(p2 == NULL)) {
2791  SCFree(p1);
2792  return 0;
2793  }
2794  ThreadVars th_v;
2795  DetectEngineThreadCtx *det_ctx = NULL;
2796  int result = 1;
2797 
2798  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2799  "\r\n\r\n";
2800  uint16_t buflen = strlen((char *)buf);
2801 
2802  memset(&th_v, 0, sizeof(ThreadVars));
2803  StatsThreadInit(&th_v.stats);
2804 
2805  IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2806  ip4h->ip_verhl = 69;
2807  (void)PacketSetICMPv4(p1, valid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2808  p1->src.family = AF_INET;
2809  p1->dst.family = AF_INET;
2810  p1->payload = buf;
2811  p1->payload_len = buflen;
2812  p1->proto = IPPROTO_ICMP;
2813 
2814  ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2815  ip4h->ip_verhl = 69;
2816  (void)PacketSetICMPv4(p2, invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2817  p2->src.family = AF_INET;
2818  p2->dst.family = AF_INET;
2819  p2->payload = buf;
2820  p2->payload_len = buflen;
2821  p2->proto = IPPROTO_ICMP;
2822 
2823  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2824  if (de_ctx == NULL) {
2825  goto end;
2826  }
2827 
2828  de_ctx->flags |= DE_QUIET;
2829 
2830  de_ctx->sig_list = SigInit(de_ctx,
2831  "alert icmp any any -> any any "
2832  "(content:\"/one/\"; icmpv4-csum:invalid; "
2833  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2834  if (de_ctx->sig_list == NULL) {
2835  result &= 0;
2836  goto end;
2837  }
2838 
2839  de_ctx->sig_list->next = SigInit(de_ctx,
2840  "alert icmp any any -> any any "
2841  "(content:\"/one/\"; icmpv4-csum:valid; "
2842  "msg:\"icmpv4-csum keyword check(1)\"; "
2843  "sid:2;)");
2844  if (de_ctx->sig_list->next == NULL) {
2845  result &= 0;
2846  goto end;
2847  }
2848 
2849  SigGroupBuild(de_ctx);
2850  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2851 
2852  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2853  if (PacketAlertCheck(p1, 1))
2854  result &= 0;
2855  else
2856  result &= 1;
2857 
2858  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2859  if (PacketAlertCheck(p2, 2))
2860  result &= 0;
2861  else {
2862  result &= 1;
2863  }
2864 
2865  if (det_ctx != NULL)
2866  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2867  DetectEngineCtxFree(de_ctx);
2868 end:
2869  PacketFree(p1);
2870  PacketFree(p2);
2871  StatsThreadCleanup(&th_v.stats);
2872  return result;
2873 }
2874 
2875 static int SigTest38(void)
2876 {
2877  Packet *p1 = PacketGetFromAlloc();
2878  if (unlikely(p1 == NULL))
2879  return 0;
2880  ThreadVars th_v;
2881  DetectEngineThreadCtx *det_ctx = NULL;
2882  int result = 1;
2883  uint8_t raw_eth[] = {
2884  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
2885  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2886  0x08, 0x00
2887  };
2888  uint8_t raw_ipv4[] = {
2889  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
2890  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
2891  0x7f, 0x00, 0x00, 0x01
2892  };
2893  uint8_t raw_tcp[] = {
2894  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
2895  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
2896  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
2897  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
2898  0x00, 0x22, 0xaa, 0x10
2899  };
2900  uint8_t buf[] = {
2901  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
2902  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
2903  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
2904  0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
2905  0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2906  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2907  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2908  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
2909  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
2910  0x0a
2911  };
2912  uint16_t ethlen = sizeof(raw_eth);
2913  uint16_t ipv4len = sizeof(raw_ipv4);
2914  uint16_t tcplen = sizeof(raw_tcp);
2915  uint16_t buflen = sizeof(buf);
2916 
2917  memset(&th_v, 0, sizeof(ThreadVars));
2918  StatsThreadInit(&th_v.stats);
2919 
2920  /* Copy raw data into packet */
2921  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
2922  SCFree(p1);
2923  return 1;
2924  }
2925  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
2926  SCFree(p1);
2927  return 1;
2928  }
2929  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
2930  SCFree(p1);
2931  return 1;
2932  }
2933  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
2934  SCFree(p1);
2935  return 1;
2936  }
2937  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
2938 
2939  PacketSetEthernet(p1, raw_eth);
2940  PacketSetIPV4(p1, raw_ipv4);
2941  PacketSetTCP(p1, raw_tcp);
2942  p1->src.family = AF_INET;
2943  p1->dst.family = AF_INET;
2944  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
2945  p1->payload_len = buflen;
2946  p1->proto = IPPROTO_TCP;
2947 
2948  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2949  if (de_ctx == NULL) {
2950  goto end;
2951  }
2952  de_ctx->flags |= DE_QUIET;
2953 
2954  de_ctx->sig_list = SigInit(de_ctx,
2955  "alert tcp any any -> any any "
2956  "(content:\"LEN1|20|\"; "
2957  "byte_test:4,=,8,0; "
2958  "msg:\"byte_test keyword check(1)\"; sid:1;)");
2959  if (de_ctx->sig_list == NULL) {
2960  result &= 0;
2961  goto end;
2962  }
2963  de_ctx->sig_list->next = SigInit(de_ctx,
2964  "alert tcp any any -> any any "
2965  "(content:\"LEN1|20|\"; "
2966  "byte_test:4,=,8,5,relative,string,dec; "
2967  "msg:\"byte_test keyword check(2)\"; sid:2;)");
2968  if (de_ctx->sig_list->next == NULL) {
2969  result &= 0;
2970  goto end;
2971  }
2972 
2973  SigGroupBuild(de_ctx);
2974  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2975 
2976  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2977  if (PacketAlertCheck(p1, 1)) {
2978  result = 1;
2979  } else {
2980  result = 0;
2981  printf("sid 1 didn't alert, but should have: ");
2982  goto cleanup;
2983  }
2984  if (PacketAlertCheck(p1, 2)) {
2985  result = 1;
2986  } else {
2987  result = 0;
2988  printf("sid 2 didn't alert, but should have: ");
2989  goto cleanup;
2990  }
2991 
2992 cleanup:
2993  if (det_ctx != NULL)
2994  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2995  DetectEngineCtxFree(de_ctx);
2996 
2997 end:
2998  PacketFree(p1);
2999  StatsThreadCleanup(&th_v.stats);
3000  return result;
3001 }
3002 
3003 static int SigTest39(void)
3004 {
3005  ThreadVars th_v;
3006  DetectEngineThreadCtx *det_ctx = NULL;
3007  uint8_t raw_eth[] = {
3008  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3009  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3010  0x08, 0x00
3011  };
3012  uint8_t raw_ipv4[] = {
3013  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3014  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3015  0x7f, 0x00, 0x00, 0x01
3016  };
3017  uint8_t raw_tcp[] = {
3018  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3019  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3020  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3021  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3022  0x00, 0x22, 0xaa, 0x10
3023  };
3024  uint8_t buf[] = {
3025  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3026  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3027  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3028  0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3029  0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3030  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3031  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3032  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3033  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3034  0x0a
3035  };
3036  uint16_t ethlen = sizeof(raw_eth);
3037  uint16_t ipv4len = sizeof(raw_ipv4);
3038  uint16_t tcplen = sizeof(raw_tcp);
3039  uint16_t buflen = sizeof(buf);
3040 
3041  memset(&th_v, 0, sizeof(ThreadVars));
3042  StatsThreadInit(&th_v.stats);
3043 
3044  Packet *p1 = PacketGetFromAlloc();
3045  FAIL_IF_NULL(p1);
3046  /* Copy raw data into packet */
3047  FAIL_IF(PacketCopyData(p1, raw_eth, ethlen) == -1);
3048  FAIL_IF(PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1);
3049  FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1);
3050  FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1);
3051  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3052 
3053  PacketSetEthernet(p1, raw_eth);
3054  PacketSetIPV4(p1, raw_ipv4);
3055  PacketSetTCP(p1, raw_tcp);
3056  p1->src.family = AF_INET;
3057  p1->dst.family = AF_INET;
3058  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3059  p1->payload_len = buflen;
3060  p1->proto = IPPROTO_TCP;
3061 
3062  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3063  FAIL_IF_NULL(de_ctx);
3064  de_ctx->flags |= DE_QUIET;
3065 
3066  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3067  "(content:\"LEN1|20|\"; "
3068  "byte_test:4,=,8,0; "
3069  "byte_jump:4,0; "
3070  "byte_test:6,=,0x4c454e312038,0,relative; "
3071  "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3072  FAIL_IF_NULL(s);
3073  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3074  "(content:\"LEN1|20|\"; "
3075  "byte_test:4,=,8,4,relative,string,dec; "
3076  "byte_jump:4,4,relative,string,dec,post_offset 2; "
3077  "byte_test:4,=,0x4c454e32,0,relative; "
3078  "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3079  FAIL_IF_NULL(s);
3080  SigGroupBuild(de_ctx);
3081  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3082 
3083  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3084 
3085  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
3086  FAIL_IF_NOT(PacketAlertCheck(p1, 2));
3087 
3088  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3089  DetectEngineCtxFree(de_ctx);
3090 
3091  PacketFree(p1);
3092  StatsThreadCleanup(&th_v.stats);
3093  PASS;
3094 }
3095 
3096 /**
3097  * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3098  * \brief expecting to match a size
3099  */
3100 
3101 static int SigTest36ContentAndIsdataatKeywords01 (void)
3102 {
3103  // Build and decode the packet
3104  uint8_t raw_eth [] = {
3105  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3106  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3107  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3108  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3109  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3110  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3111  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3112  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3113  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3114  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3115  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3116  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3117  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3118  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3119  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3120  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3121  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3122  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3123  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3124  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3125  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3126  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3127  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3128  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3129  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3130  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3131  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3132  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3133  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3134  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3135 
3136  Packet *p = PacketGetFromAlloc();
3137  FAIL_IF_NULL(p);
3138  DecodeThreadVars dtv;
3139 
3140  ThreadVars th_v;
3141  DetectEngineThreadCtx *det_ctx = NULL;
3142 
3143  memset(&dtv, 0, sizeof(DecodeThreadVars));
3144  memset(&th_v, 0, sizeof(th_v));
3145  StatsThreadInit(&th_v.stats);
3146 
3147  FlowInitConfig(FLOW_QUIET);
3148  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3149 
3150  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3151  FAIL_IF_NULL(de_ctx);
3152  de_ctx->flags |= DE_QUIET;
3153 
3154  Signature *s = DetectEngineAppendSig(de_ctx,
3155  "alert tcp any any -> any any (content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3156  FAIL_IF_NULL(s);
3157 
3158  SigGroupBuild(de_ctx);
3159  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3160 
3161  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3162  FAIL_IF_NOT(PacketAlertCheck(p, 101));
3163 
3164  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3165  DetectEngineCtxFree(de_ctx);
3166  PacketFree(p);
3167  FlowShutdown();
3168 
3169  StatsThreadCleanup(&th_v.stats);
3170  PASS;
3171 }
3172 
3173 /**
3174  * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3175  * \brief not expecting to match a size
3176  */
3177 
3178 static int SigTest37ContentAndIsdataatKeywords02 (void)
3179 {
3180  int result = 0;
3181 
3182  // Build and decode the packet
3183 
3184  uint8_t raw_eth [] = {
3185  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3186  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3187  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3188  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3189  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3190  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3191  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3192  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3193  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3194  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3195  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3196  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3197  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3198  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3199  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3200  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3201  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3202  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3203  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3204  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3205  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3206  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3207  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3208  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3209  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3210  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3211  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3212  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3213  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3214  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3215 
3216  Packet *p = PacketGetFromAlloc();
3217  if (unlikely(p == NULL))
3218  return 0;
3219  DecodeThreadVars dtv;
3220 
3221  ThreadVars th_v;
3222  DetectEngineThreadCtx *det_ctx = NULL;
3223 
3224  memset(&dtv, 0, sizeof(DecodeThreadVars));
3225  memset(&th_v, 0, sizeof(th_v));
3226  StatsThreadInit(&th_v.stats);
3227 
3228  FlowInitConfig(FLOW_QUIET);
3229  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3230 
3231 
3232  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3233  if (de_ctx == NULL) {
3234  goto end;
3235  }
3236 
3237  de_ctx->flags |= DE_QUIET;
3238 
3239  Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3240  if (de_ctx->sig_list == NULL) {
3241  printf("sig parse failed: ");
3242  result = 0;
3243  goto end;
3244  }
3245 
3246  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]->type != DETECT_CONTENT) {
3247  printf("type not content: ");
3248  goto end;
3249  }
3250  SigGroupBuild(de_ctx);
3251  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3252 
3253  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3254  if (PacketAlertCheck(p, 101) == 0) {
3255  result = 1;
3256  goto end;
3257  } else {
3258  printf("sig matched, but should not have: ");
3259  result=0;
3260  }
3261 
3262  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3263  DetectEngineCtxFree(de_ctx);
3264 
3265  PacketRecycle(p);
3266  FlowShutdown();
3267 
3268  SCFree(p);
3269  return result;
3270 
3271 end:
3272  if(det_ctx)
3273  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3274 
3275  if(de_ctx)
3276  DetectEngineCtxFree(de_ctx);
3277 
3278  if (p != NULL)
3279  PacketRecycle(p);
3280 
3281  FlowShutdown();
3282 
3283  PacketFree(p);
3284  StatsThreadCleanup(&th_v.stats);
3285  return result;
3286 }
3287 
3288 /**
3289  * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3290  * flag is set, we don't need to inspect the packet protocol header or its contents.
3291  */
3292 
3293 static int SigTest40NoPacketInspection01(void)
3294 {
3295 
3296  uint8_t *buf = (uint8_t *)
3297  "220 (vsFTPd 2.0.5)\r\n";
3298  uint16_t buflen = strlen((char *)buf);
3299  Packet *p = PacketGetFromAlloc();
3300  TCPHdr tcphdr;
3301  if (unlikely(p == NULL))
3302  return 0;
3303  ThreadVars th_v;
3304  DetectEngineThreadCtx *det_ctx = NULL;
3305  PacketQueue pq;
3306  Flow f;
3307  int result = 0;
3308 
3309  memset(&th_v, 0, sizeof(th_v));
3310  StatsThreadInit(&th_v.stats);
3311  memset(&pq, 0, sizeof(pq));
3312  memset(&f, 0, sizeof(f));
3313  memset(&tcphdr, 0, sizeof(tcphdr));
3314 
3315  p->src.family = AF_INET;
3316  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3317  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3318  p->dst.family = AF_INET;
3319  p->payload = buf;
3320  p->payload_len = buflen;
3321  p->proto = IPPROTO_TCP;
3322  p->dp = 34260;
3323  p->sp = 21;
3324  p->flowflags |= FLOW_PKT_TOSERVER;
3325  p->flags |= PKT_NOPACKET_INSPECTION;
3326  PacketSetTCP(p, (uint8_t *)&tcphdr);
3327  p->flow = &f;
3328 
3329  FLOW_INITIALIZE(&f);
3330 
3331  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3332  if (de_ctx == NULL) {
3333  goto end;
3334  }
3335 
3336  de_ctx->flags |= DE_QUIET;
3337 
3338  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3339  if (de_ctx->sig_list == NULL) {
3340  result = 0;
3341  goto end;
3342  }
3343 
3344  SigGroupBuild(de_ctx);
3345  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3346  det_ctx->de_ctx = de_ctx;
3347 
3348  Detect(&th_v, p, det_ctx);
3349  if (PacketAlertCheck(p, 2))
3350  result = 0;
3351  else
3352  result = 1;
3353 
3354  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3355  DetectEngineCtxFree(de_ctx);
3356 end:
3357  PacketFree(p);
3358  StatsThreadCleanup(&th_v.stats);
3359  return result;
3360 }
3361 
3362 /**
3363  * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3364  * flag is set, we don't need to inspect the packet contents.
3365  */
3366 
3367 static int SigTest40NoPayloadInspection02(void)
3368 {
3369 
3370  uint8_t *buf = (uint8_t *)
3371  "220 (vsFTPd 2.0.5)\r\n";
3372  uint16_t buflen = strlen((char *)buf);
3373  ThreadVars th_v;
3374  memset(&th_v, 0, sizeof(th_v));
3375  StatsThreadInit(&th_v.stats);
3376 
3377  Packet *p = PacketGetFromAlloc();
3378  FAIL_IF_NULL(p);
3379 
3380  p->src.family = AF_INET;
3381  p->dst.family = AF_INET;
3382  p->payload = buf;
3383  p->payload_len = buflen;
3384  p->proto = IPPROTO_TCP;
3385  p->flags |= PKT_NOPAYLOAD_INSPECTION;
3386 
3387  DetectEngineThreadCtx *det_ctx = NULL;
3388  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3389  FAIL_IF_NULL(de_ctx);
3390  de_ctx->flags |= DE_QUIET;
3391 
3392  Signature *s = DetectEngineAppendSig(de_ctx,
3393  "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3394  FAIL_IF_NULL(s);
3395 
3396  SigGroupBuild(de_ctx);
3397  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3398 
3399  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3400 
3401  FAIL_IF(PacketAlertCheck(p, 1));
3402 
3403  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3404  DetectEngineCtxFree(de_ctx);
3405  PacketFree(p);
3406  StatsThreadCleanup(&th_v.stats);
3407  PASS;
3408 }
3409 
3410 static int SigTestMemory01 (void)
3411 {
3412  uint8_t *buf = (uint8_t *)
3413  "GET /one/ HTTP/1.1\r\n"
3414  "Host: one.example.org\r\n"
3415  "\r\n\r\n"
3416  "GET /two/ HTTP/1.1\r\n"
3417  "Host: two.example.org\r\n"
3418  "\r\n\r\n";
3419  uint16_t buflen = strlen((char *)buf);
3420  Packet *p = PacketGetFromAlloc();
3421  if (unlikely(p == NULL))
3422  return 0;
3423  ThreadVars th_v;
3424  DetectEngineThreadCtx *det_ctx = NULL;
3425  int result = 0;
3426 
3427  memset(&th_v, 0, sizeof(th_v));
3428  StatsThreadInit(&th_v.stats);
3429  p->src.family = AF_INET;
3430  p->dst.family = AF_INET;
3431  p->payload = buf;
3432  p->payload_len = buflen;
3433  p->proto = IPPROTO_TCP;
3434 
3435  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3436  if (de_ctx == NULL) {
3437  goto end;
3438  }
3439 
3440  de_ctx->flags |= DE_QUIET;
3441 
3442  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3443  if (de_ctx->sig_list == NULL) {
3444  result = 0;
3445  goto end;
3446  }
3447 
3448  SigGroupBuild(de_ctx);
3449  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3450 
3451  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3452  DetectEngineCtxFree(de_ctx);
3453 
3454  result = 1;
3455 end:
3456  PacketFree(p);
3457  StatsThreadCleanup(&th_v.stats);
3458  return result;
3459 }
3460 
3461 static int SigTestMemory02 (void)
3462 {
3463  ThreadVars th_v;
3464  int result = 0;
3465 
3466  memset(&th_v, 0, sizeof(th_v));
3467  StatsThreadInit(&th_v.stats);
3468 
3469  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3470  if (de_ctx == NULL) {
3471  goto end;
3472  }
3473  de_ctx->flags |= DE_QUIET;
3474 
3475  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3476  if (de_ctx->sig_list == NULL) {
3477  result = 0;
3478  goto end;
3479  }
3480  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3481  if (de_ctx->sig_list->next == NULL) {
3482  result = 0;
3483  goto end;
3484  }
3485 
3486  SigGroupBuild(de_ctx);
3487 
3488  DetectEngineCtxFree(de_ctx);
3489 
3490  result = 1;
3491 end:
3492  StatsThreadCleanup(&th_v.stats);
3493  return result;
3494 }
3495 
3496 static int SigTestMemory03 (void)
3497 {
3498  ThreadVars th_v;
3499  int result = 0;
3500 
3501  memset(&th_v, 0, sizeof(th_v));
3502  StatsThreadInit(&th_v.stats);
3503 
3504  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3505  if (de_ctx == NULL) {
3506  goto end;
3507  }
3508  de_ctx->flags |= DE_QUIET;
3509 
3510  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3511  if (de_ctx->sig_list == NULL) {
3512  result = 0;
3513  goto end;
3514  }
3515  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3516  if (de_ctx->sig_list->next == NULL) {
3517  result = 0;
3518  goto end;
3519  }
3520  de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3521  if (de_ctx->sig_list->next->next == NULL) {
3522  result = 0;
3523  goto end;
3524  }
3525 
3526  SigGroupBuild(de_ctx);
3527 
3528  DetectEngineCtxFree(de_ctx);
3529 
3530  result = 1;
3531 end:
3532  StatsThreadCleanup(&th_v.stats);
3533  return result;
3534 }
3535 
3536 static int SigTestContent01 (void)
3537 {
3538  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3539  uint16_t buflen = strlen((char *)buf);
3540  ThreadVars th_v;
3541  DetectEngineThreadCtx *det_ctx = NULL;
3542  int result = 0;
3543 
3544  memset(&th_v, 0, sizeof(th_v));
3545  StatsThreadInit(&th_v.stats);
3546 
3547  Packet *p = NULL;
3548  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3549 
3550  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3551  if (de_ctx == NULL) {
3552  goto end;
3553  }
3554  de_ctx->flags |= DE_QUIET;
3555 
3556  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3557  if (de_ctx->sig_list == NULL) {
3558  result = 0;
3559  goto end;
3560  }
3561 
3562  SigGroupBuild(de_ctx);
3563  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3564 
3565  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3566  if (PacketAlertCheck(p, 1))
3567  result = 1;
3568  else
3569  printf("sig 1 didn't match: ");
3570 
3571  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3572  DetectEngineCtxFree(de_ctx);
3573 end:
3574  UTHFreePackets(&p, 1);
3575  StatsThreadCleanup(&th_v.stats);
3576  return result;
3577 }
3578 
3579 static int SigTestContent02 (void)
3580 {
3581  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3582  uint16_t buflen = strlen((char *)buf);
3583  ThreadVars th_v;
3584  DetectEngineThreadCtx *det_ctx = NULL;
3585  int result = 0;
3586 
3587  memset(&th_v, 0, sizeof(th_v));
3588  StatsThreadInit(&th_v.stats);
3589  Packet *p = NULL;
3590  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3591 
3592  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3593  if (de_ctx == NULL) {
3594  goto end;
3595  }
3596  de_ctx->flags |= DE_QUIET;
3597 
3598  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3599  if (de_ctx->sig_list == NULL) {
3600  result = 0;
3601  goto end;
3602  }
3603 
3604  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3605  if (de_ctx->sig_list->next == NULL) {
3606  result = 0;
3607  goto end;
3608  }
3609 
3610  SigGroupBuild(de_ctx);
3611  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3612 
3613  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3614  if (PacketAlertCheck(p, 1)) {
3615  if (PacketAlertCheck(p, 2)) {
3616  result = 1;
3617  } else
3618  printf("sig 2 didn't match: ");
3619  }
3620  else
3621  printf("sig 1 didn't match: ");
3622 
3623  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3624  DetectEngineCtxFree(de_ctx);
3625 end:
3626  UTHFreePackets(&p, 1);
3627  StatsThreadCleanup(&th_v.stats);
3628  return result;
3629 }
3630 
3631 static int SigTestContent03 (void)
3632 {
3633  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3634  uint16_t buflen = strlen((char *)buf);
3635  ThreadVars th_v;
3636  DetectEngineThreadCtx *det_ctx = NULL;
3637  int result = 0;
3638 
3639  memset(&th_v, 0, sizeof(th_v));
3640  StatsThreadInit(&th_v.stats);
3641  Packet *p = NULL;
3642  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3643 
3644  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3645  if (de_ctx == NULL) {
3646  goto end;
3647  }
3648 
3649  de_ctx->flags |= DE_QUIET;
3650 
3651  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3652  if (de_ctx->sig_list == NULL) {
3653  result = 0;
3654  goto end;
3655  }
3656 
3657  SigGroupBuild(de_ctx);
3658  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3659 
3660  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3661  if (PacketAlertCheck(p, 1))
3662  result = 1;
3663  else
3664  printf("sig 1 didn't match: ");
3665 
3666  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3667  DetectEngineCtxFree(de_ctx);
3668 end:
3669  UTHFreePackets(&p, 1);
3670  StatsThreadCleanup(&th_v.stats);
3671  return result;
3672 }
3673 
3674 static int SigTestContent04 (void)
3675 {
3676  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3677  uint16_t buflen = strlen((char *)buf);
3678  ThreadVars th_v;
3679  DetectEngineThreadCtx *det_ctx = NULL;
3680  int result = 0;
3681 
3682  memset(&th_v, 0, sizeof(th_v));
3683  StatsThreadInit(&th_v.stats);
3684 
3685  Packet *p = NULL;
3686  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3687 
3688  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3689  if (de_ctx == NULL) {
3690  goto end;
3691  }
3692 
3693  de_ctx->flags |= DE_QUIET;
3694 
3695  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3696  if (de_ctx->sig_list == NULL) {
3697  result = 0;
3698  goto end;
3699  }
3700 
3701  SigGroupBuild(de_ctx);
3702  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3703 
3704  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3705  if (PacketAlertCheck(p, 1))
3706  result = 1;
3707  else
3708  printf("sig 1 didn't match: ");
3709 
3710  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3711  DetectEngineCtxFree(de_ctx);
3712 end:
3713  UTHFreePackets(&p, 1);
3714  StatsThreadCleanup(&th_v.stats);
3715  return result;
3716 }
3717 
3718 /** \test sigs with patterns at the limit of the pm's size limit */
3719 static int SigTestContent05 (void)
3720 {
3721  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3722  uint16_t buflen = strlen((char *)buf);
3723  ThreadVars th_v;
3724  DetectEngineThreadCtx *det_ctx = NULL;
3725  int result = 0;
3726 
3727  memset(&th_v, 0, sizeof(th_v));
3728  StatsThreadInit(&th_v.stats);
3729  Packet *p = NULL;
3730  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3731 
3732  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3733  if (de_ctx == NULL) {
3734  printf("de_ctx == NULL: ");
3735  goto end;
3736  }
3737 
3738  de_ctx->flags |= DE_QUIET;
3739 
3740  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3741  if (de_ctx->sig_list == NULL) {
3742  printf("sig1 parse failed: ");
3743  goto end;
3744  }
3745  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
3746  if (de_ctx->sig_list->next == NULL) {
3747  printf("sig2 parse failed: ");
3748  goto end;
3749  }
3750 
3751  SigGroupBuild(de_ctx);
3752  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3753 
3754  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3755 
3756  if (PacketAlertCheck(p, 1)) {
3757  printf("sig 1 matched but shouldn't: ");
3758  goto end;
3759  }
3760 
3761  if (PacketAlertCheck(p, 2)) {
3762  printf("sig 2 matched but shouldn't: ");
3763  goto end;
3764  }
3765 
3766  result = 1;
3767 end:
3768  UTHFreePackets(&p, 1);
3769  if (det_ctx != NULL) {
3770  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3771  }
3772  if (de_ctx != NULL) {
3773  DetectEngineCtxFree(de_ctx);
3774  }
3775  StatsThreadCleanup(&th_v.stats);
3776  return result;
3777 }
3778 
3779 static int SigTestContent06 (void)
3780 {
3781  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3782  uint16_t buflen = strlen((char *)buf);
3783  ThreadVars th_v;
3784  DetectEngineThreadCtx *det_ctx = NULL;
3785  int result = 0;
3786 
3787  memset(&th_v, 0, sizeof(th_v));
3788  StatsThreadInit(&th_v.stats);
3789  Packet *p = NULL;
3790  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3791 
3792  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3793  if (de_ctx == NULL) {
3794  goto end;
3795  }
3796 
3797  de_ctx->flags |= DE_QUIET;
3798 
3799  de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3800  if (de_ctx->sig_list == NULL) {
3801  result = 0;
3802  goto end;
3803  }
3804  de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
3805  if (de_ctx->sig_list->next == NULL) {
3806  result = 0;
3807  goto end;
3808  }
3809 
3810  SigGroupBuild(de_ctx);
3811  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3812 
3813  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3814  if (PacketAlertCheck(p, 1)){
3815  //printf("sig 1 matched :");
3816  }else{
3817  printf("sig 1 didn't match: ");
3818  goto end;
3819  }
3820 
3821  if (PacketAlertCheck(p, 2)){
3822  result = 1;
3823  }else{
3824  printf("sig 2 didn't match: ");
3825  goto end;
3826  }
3827 
3828  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3829  DetectEngineCtxFree(de_ctx);
3830 end:
3831  UTHFreePackets(&p, 1);
3832  StatsThreadCleanup(&th_v.stats);
3833  return result;
3834 }
3835 
3836 static int SigTestWithin01 (void)
3837 {
3838  DecodeThreadVars dtv;
3839  ThreadVars th_v;
3840  uint8_t rawpkt1[] = {
3841  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3842  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3843  0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
3844  0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3845  0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
3846  0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
3847  0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
3848  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3849  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3850  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3851  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3852  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3853  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3854  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3855  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3856  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3857  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3858  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3859  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3860  0x00,0x00 }; /* end rawpkt1 */
3861 
3862  uint8_t rawpkt2[] = {
3863  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3864  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3865  0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
3866  0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3867  0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
3868  0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
3869  0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
3870  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3871  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3872  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3873  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3874  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3875  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3876  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3877  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3878  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3879  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3880  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3881  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3882  0x00,0x00 }; /* end rawpkt2 */
3883 
3884  uint8_t rawpkt3[] = {
3885  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3886  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3887  0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
3888  0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3889  0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
3890  0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
3891  0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
3892  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3893  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3894  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3895  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3896  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3897  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3898  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3899  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3900  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3901  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3902  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3903  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3904  0x00,0x00 }; /* end rawpkt3 */
3905 
3906  uint8_t rawpkt4[] = {
3907  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3908  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3909  0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
3910  0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3911  0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
3912  0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
3913  0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
3914  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3915  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3916  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3917  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3918  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3919  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3920  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3921  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3922  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3923  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3924  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3925  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3926  0x00,0x00 }; /* end rawpkt4 */
3927 
3928  memset(&dtv, 0, sizeof(DecodeThreadVars));
3929  memset(&th_v, 0, sizeof(th_v));
3930  StatsThreadInit(&th_v.stats);
3931 
3932  DetectEngineThreadCtx *det_ctx = NULL;
3933 
3934  FlowInitConfig(FLOW_QUIET);
3935 
3936  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3937  FAIL_IF_NULL(de_ctx);
3938  de_ctx->flags |= DE_QUIET;
3939 
3940  Signature *s = DetectEngineAppendSig(de_ctx,
3941  "alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test "
3942  "to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
3943  FAIL_IF_NULL(s);
3944 
3945  SigGroupBuild(de_ctx);
3946  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3947 
3948  /* packet 1 */
3949  Packet *p1 = PacketGetFromAlloc();
3950  FAIL_IF_NULL(p1);
3951  DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1));
3952  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3953  FAIL_IF(!(PacketAlertCheck(p1, 556)));
3954 
3955  /* packet 2 */
3956  Packet *p2 = PacketGetFromAlloc();
3957  FAIL_IF_NULL(p2);
3958  DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2));
3959  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3960  FAIL_IF(!(PacketAlertCheck(p2, 556)));
3961 
3962  /* packet 3 */
3963  Packet *p3 = PacketGetFromAlloc();
3964  FAIL_IF_NULL(p3);
3965  DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3));
3966  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
3967  FAIL_IF(!(PacketAlertCheck(p3, 556)));
3968 
3969  /* packet 4 */
3970  Packet *p4 = PacketGetFromAlloc();
3971  FAIL_IF_NULL(p4);
3972  DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4));
3973  SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
3974  FAIL_IF(!(PacketAlertCheck(p4, 556)));
3975 
3976  /* packet 5 */
3977  uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
3978  uint16_t p5buflen = strlen((char *)p5buf);
3979  Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
3980  FAIL_IF_NULL(p5);
3981  SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
3982  FAIL_IF(!(PacketAlertCheck(p5, 556)));
3983  UTHFreePackets(&p5, 1);
3984 
3985  PacketFree(p1);
3986  PacketFree(p2);
3987  PacketFree(p3);
3988  PacketFree(p4);
3989  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3990  DetectEngineCtxFree(de_ctx);
3991 
3992  FlowShutdown();
3993  StatsThreadCleanup(&th_v.stats);
3994  PASS;
3995 }
3996 
3997 static int SigTestDepthOffset01 (void)
3998 {
3999  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4000  uint16_t buflen = strlen((char *)buf);
4001  Packet *p = NULL;
4002  ThreadVars th_v;
4003  DetectEngineThreadCtx *det_ctx = NULL;
4004  int result = 0;
4005 
4006  memset(&th_v, 0, sizeof(th_v));
4007  StatsThreadInit(&th_v.stats);
4008 
4009  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
4010 
4011  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4012  if (de_ctx == NULL) {
4013  goto end;
4014  }
4015 
4016  de_ctx->flags |= DE_QUIET;
4017 
4018  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4019  if (de_ctx->sig_list == NULL) {
4020  result = 0;
4021  goto end;
4022  }
4023 
4024  SigGroupBuild(de_ctx);
4025  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4026 
4027  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4028  if (PacketAlertCheck(p, 1))
4029  result = 1;
4030 
4031  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4032  DetectEngineCtxFree(de_ctx);
4033 end:
4034  UTHFreePackets(&p, 1);
4035  StatsThreadCleanup(&th_v.stats);
4036  return result;
4037 }
4038 
4039 static int SigTestDetectAlertCounter(void)
4040 {
4041  Packet *p = NULL;
4042  ThreadVars tv;
4043  DetectEngineThreadCtx *det_ctx = NULL;
4044  memset(&tv, 0, sizeof(tv));
4045  StatsThreadInit(&tv.stats);
4046 
4047  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4048  FAIL_IF_NULL(de_ctx);
4049  de_ctx->flags |= DE_QUIET;
4050 
4051  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
4052  "content:\"boo\"; sid:1;)");
4053  FAIL_IF(de_ctx->sig_list == NULL);
4054 
4055  SigGroupBuild(de_ctx);
4056  strlcpy(tv.name, "detect_test", sizeof(tv.name));
4057  DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4058  /* init counters */
4059  StatsSetupPrivate(&tv.stats, NULL);
4060 
4061  p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4062  Detect(&tv, p, det_ctx);
4063  FAIL_IF_NOT(StatsCounterGetLocalValue(&tv.stats, det_ctx->counter_alerts) == 1);
4064 
4065  Detect(&tv, p, det_ctx);
4066  FAIL_IF_NOT(StatsCounterGetLocalValue(&tv.stats, det_ctx->counter_alerts) == 2);
4067  UTHFreePackets(&p, 1);
4068 
4069  p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4070  Detect(&tv, p, det_ctx);
4071  FAIL_IF_NOT(StatsCounterGetLocalValue(&tv.stats, det_ctx->counter_alerts) == 2);
4072  UTHFreePackets(&p, 1);
4073 
4074  p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4075  Detect(&tv, p, det_ctx);
4076  FAIL_IF_NOT(StatsCounterGetLocalValue(&tv.stats, det_ctx->counter_alerts) == 3);
4077  UTHFreePackets(&p, 1);
4078 
4079  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4080  DetectEngineCtxFree(de_ctx);
4081  StatsThreadCleanup(&tv.stats);
4082  PASS;
4083 }
4084 
4085 /** \test test if the engine set flag to drop pkts of a flow that
4086  * triggered a drop action on IPS mode */
4087 static int SigTestDropFlow01(void)
4088 {
4089  Flow f;
4090  HtpState *http_state = NULL;
4091  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4092  "User-Agent: Mozilla/1.0\r\n"
4093  "Cookie: hellocatch\r\n\r\n";
4094  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4095  TcpSession ssn;
4096  Packet *p = NULL;
4097  Signature *s = NULL;
4098  ThreadVars tv;
4099  DetectEngineThreadCtx *det_ctx = NULL;
4100  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4101 
4102  memset(&tv, 0, sizeof(ThreadVars));
4103  StatsThreadInit(&tv.stats);
4104  memset(&f, 0, sizeof(Flow));
4105  memset(&ssn, 0, sizeof(TcpSession));
4106 
4107  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4108 
4109  FLOW_INITIALIZE(&f);
4110  f.protoctx = (void *)&ssn;
4111  f.proto = IPPROTO_TCP;
4112  f.flags |= FLOW_IPV4;
4113 
4114  p->flow = &f;
4115  p->flowflags |= FLOW_PKT_TOSERVER;
4116  p->flowflags |= FLOW_PKT_ESTABLISHED;
4117  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4118  f.alproto = ALPROTO_HTTP1;
4119 
4120  StreamTcpInitConfig(true);
4121 
4122  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4123  FAIL_IF_NULL(de_ctx);
4124  de_ctx->flags |= DE_QUIET;
4125 
4126  s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4127  "(msg:\"Test proto match\"; "
4128  "sid:1;)");
4129  FAIL_IF_NULL(s);
4130 
4131  SigGroupBuild(de_ctx);
4132  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4133 
4134  int r = AppLayerParserParse(
4135  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4136  FAIL_IF_NOT(r == 0);
4137 
4138  http_state = f.alstate;
4139  FAIL_IF_NULL(http_state);
4140 
4141  /* do detect */
4142  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4143 
4144  FAIL_IF_NOT(PacketAlertCheck(p, 1));
4145 
4146  FAIL_IF_NOT(p->flow->flags & FLOW_ACTION_DROP);
4147 
4148  AppLayerParserThreadCtxFree(alp_tctx);
4149  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4150  DetectEngineCtxFree(de_ctx);
4151 
4152  StreamTcpFreeConfig(true);
4153  FLOW_DESTROY(&f);
4154 
4155  UTHFreePackets(&p, 1);
4156  StatsThreadCleanup(&tv.stats);
4157  PASS;
4158 }
4159 
4160 /** \test test if the engine set flag to drop pkts of a flow that
4161  * triggered a drop action on IPS mode */
4162 static int SigTestDropFlow02(void)
4163 {
4164  int result = 0;
4165  Flow f;
4166  HtpState *http_state = NULL;
4167  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4168  "User-Agent: Mozilla/1.0\r\n"
4169  "Cookie: hellocatch\r\n\r\n";
4170  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4171  TcpSession ssn;
4172  Packet *p = NULL;
4173  Signature *s = NULL;
4174  ThreadVars tv;
4175  DetectEngineThreadCtx *det_ctx = NULL;
4176  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4177 
4178  memset(&tv, 0, sizeof(ThreadVars));
4179  StatsThreadInit(&tv.stats);
4180  memset(&f, 0, sizeof(Flow));
4181  memset(&ssn, 0, sizeof(TcpSession));
4182 
4183  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4184 
4185  FLOW_INITIALIZE(&f);
4186  f.protoctx = (void *)&ssn;
4187  f.proto = IPPROTO_TCP;
4188  f.flags |= FLOW_IPV4;
4189 
4190  p->flow = &f;
4191  p->flowflags |= FLOW_PKT_TOSERVER;
4192  p->flowflags |= FLOW_PKT_ESTABLISHED;
4193  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4194  f.alproto = ALPROTO_HTTP1;
4195 
4196  StreamTcpInitConfig(true);
4197 
4198  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4199  if (de_ctx == NULL) {
4200  goto end;
4201  }
4202  de_ctx->flags |= DE_QUIET;
4203 
4204  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4205  "(msg:\"Test proto match\"; uricontent:\"one\";"
4206  "sid:1;)");
4207  if (s == NULL) {
4208  goto end;
4209  }
4210 
4211  SigGroupBuild(de_ctx);
4212  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4213 
4214  int r = AppLayerParserParse(
4215  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4216  if (r != 0) {
4217  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4218  goto end;
4219  }
4220 
4221  http_state = f.alstate;
4222  if (http_state == NULL) {
4223  printf("no http state: ");
4224  goto end;
4225  }
4226 
4227  /* do detect */
4228  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4229 
4230  if (!PacketAlertCheck(p, 1)) {
4231  printf("sig 1 didn't alert, but it should: ");
4232  goto end;
4233  }
4234 
4235  if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4236  printf("sig 1 alerted but flow was not flagged correctly: ");
4237  goto end;
4238  }
4239 
4240  /* Ok, now we know that the flag is set for app layer sigs
4241  * (ex: inspecting uricontent) */
4242 
4243  result = 1;
4244 
4245 end:
4246  if (alp_tctx != NULL)
4247  AppLayerParserThreadCtxFree(alp_tctx);
4248  if (det_ctx != NULL)
4249  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4250  if (de_ctx != NULL)
4251  DetectEngineCtxFree(de_ctx);
4252 
4253  StreamTcpFreeConfig(true);
4254  FLOW_DESTROY(&f);
4255 
4256  UTHFreePackets(&p, 1);
4257  StatsThreadCleanup(&tv.stats);
4258  return result;
4259 }
4260 
4261 /** \test test if the engine set flag to drop pkts of a flow that
4262  * triggered a drop action on IPS mode, and it doesn't inspect
4263  * any other packet of the stream */
4264 static int SigTestDropFlow03(void)
4265 {
4266  int result = 0;
4267  Flow f;
4268  HtpState *http_state = NULL;
4269  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4270  "User-Agent: Mozilla/1.0\r\n"
4271  "Cookie: hellocatch\r\n\r\n";
4272  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4273 
4274  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4275  "User-Agent: Mozilla/1.0\r\n"
4276  "Cookie: hellocatch\r\n\r\n";
4277  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4278 
4279  /* Set the engine mode to IPS */
4280  EngineModeSetIPS();
4281 
4282  TcpSession ssn;
4283  Packet *p1 = NULL;
4284  Packet *p2 = NULL;
4285  Signature *s = NULL;
4286  ThreadVars tv;
4287  DetectEngineThreadCtx *det_ctx = NULL;
4288  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4289 
4290  memset(&tv, 0, sizeof(ThreadVars));
4291  StatsThreadInit(&tv.stats);
4292  memset(&f, 0, sizeof(Flow));
4293  memset(&ssn, 0, sizeof(TcpSession));
4294 
4295  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4296  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4297 
4298  FLOW_INITIALIZE(&f);
4299  f.protoctx = (void *)&ssn;
4300  f.proto = IPPROTO_TCP;
4301  f.flags |= FLOW_IPV4;
4302 
4303  p1->flow = &f;
4304  p1->flowflags |= FLOW_PKT_TOSERVER;
4305  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4306  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4307 
4308  p2->flow = &f;
4309  p2->flowflags |= FLOW_PKT_TOSERVER;
4310  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4311  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4312  f.alproto = ALPROTO_HTTP1;
4313 
4314  StreamTcpInitConfig(true);
4315 
4316  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4317  if (de_ctx == NULL) {
4318  goto end;
4319  }
4320 
4321  de_ctx->flags |= DE_QUIET;
4322 
4323  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4324  "(msg:\"Test proto match\"; uricontent:\"one\";"
4325  "sid:1;)");
4326  if (s == NULL) {
4327  goto end;
4328  }
4329 
4330  /* the no inspection flag should be set after the first sig gets triggered,
4331  * so the second packet should not match the next sig (because of no inspection) */
4332  s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4333  "(msg:\"Test proto match\"; uricontent:\"two\";"
4334  "sid:2;)");
4335  if (s == NULL) {
4336  goto end;
4337  }
4338 
4339  SigGroupBuild(de_ctx);
4340  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4341 
4342  int r = AppLayerParserParse(
4343  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4344  if (r != 0) {
4345  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4346  goto end;
4347  }
4348 
4349  http_state = f.alstate;
4350  if (http_state == NULL) {
4351  printf("no http state: ");
4352  goto end;
4353  }
4354 
4355  /* do detect */
4356  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4357 
4358  if (!PacketAlertCheck(p1, 1)) {
4359  printf("sig 1 didn't alert on p1, but it should: ");
4360  goto end;
4361  }
4362 
4363  if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4364  printf("sig 1 alerted but flow was not flagged correctly: ");
4365  goto end;
4366  }
4367 
4368  /* Second part.. Let's feed with another packet */
4369  if (StreamTcpCheckFlowDrops(p2) == 1) {
4370  SCLogDebug("This flow/stream triggered a drop rule");
4371  DecodeSetNoPacketInspectionFlag(p2);
4372  StreamTcpDisableAppLayer(p2->flow);
4373  p2->action |= ACTION_DROP;
4374  /* return the segments to the pool */
4375  StreamTcpSessionPktFree(p2);
4376  }
4377 
4378 
4379  if ( !(p2->flags & PKT_NOPACKET_INSPECTION)) {
4380  printf("The packet was not flagged with no-inspection: ");
4381  goto end;
4382  }
4383 
4384  r = AppLayerParserParse(
4385  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4386  if (r != 0) {
4387  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4388  goto end;
4389  }
4390 
4391  /* do detect */
4392  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4393 
4394  if (PacketAlertCheck(p2, 1)) {
4395  printf("sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4396  goto end;
4397  }
4398 
4399  if (PacketAlertCheck(p2, 2)) {
4400  printf("sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4401  goto end;
4402  }
4403 
4404  if (!(PacketTestAction(p2, ACTION_DROP))) {
4405  printf("A \"drop\" action should be set from the flow to the packet: ");
4406  goto end;
4407  }
4408 
4409  result = 1;
4410 
4411 end:
4412  if (alp_tctx != NULL)
4413  AppLayerParserThreadCtxFree(alp_tctx);
4414  if (det_ctx != NULL)
4415  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4416  if (de_ctx != NULL)
4417  DetectEngineCtxFree(de_ctx);
4418 
4419  StreamTcpFreeConfig(true);
4420  FLOW_DESTROY(&f);
4421 
4422  UTHFreePackets(&p1, 1);
4423  UTHFreePackets(&p2, 1);
4424 
4425  /* Restore mode to IDS */
4426  EngineModeSetIDS();
4427  StatsThreadCleanup(&tv.stats);
4428  return result;
4429 }
4430 
4431 /** \test ICMP packet shouldn't be matching port based sig
4432  * Bug #611 */
4433 static int SigTestPorts01(void)
4434 {
4435  int result = 0;
4436  Packet *p1 = NULL;
4437  Signature *s = NULL;
4438  ThreadVars tv;
4439  DetectEngineThreadCtx *det_ctx = NULL;
4440  uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
4441 
4442  memset(&tv, 0, sizeof(ThreadVars));
4443  StatsThreadInit(&tv.stats);
4444 
4445  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
4446 
4447  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4448  if (de_ctx == NULL) {
4449  goto end;
4450  }
4451  de_ctx->flags |= DE_QUIET;
4452 
4453  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
4454  "(content:\"AAA\"; sid:1;)");
4455  if (s == NULL) {
4456  goto end;
4457  }
4458 
4459  SigGroupBuild(de_ctx);
4460  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4461 
4462  /* do detect */
4463  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4464 
4465  if (PacketAlertCheck(p1, 1)) {
4466  printf("sig 1 alerted on p1, but it should not: ");
4467  goto end;
4468  }
4469 
4470  result = 1;
4471 end:
4472  if (det_ctx != NULL)
4473  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4474  if (de_ctx != NULL)
4475  DetectEngineCtxFree(de_ctx);
4476 
4477  UTHFreePackets(&p1, 1);
4478  StatsThreadCleanup(&tv.stats);
4479  return result;
4480 }
4481 
4482 /** \test almost identical patterns */
4483 static int SigTestBug01(void)
4484 {
4485  ThreadVars tv;
4486  DetectEngineThreadCtx *det_ctx = NULL;
4487  uint8_t payload[] = "!mymy";
4488  memset(&tv, 0, sizeof(ThreadVars));
4489  StatsThreadInit(&tv.stats);
4490 
4491  Packet *p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
4492  FAIL_IF_NULL(p1);
4493  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4494  FAIL_IF_NULL(de_ctx);
4495  de_ctx->flags |= DE_QUIET;
4496  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4497  "(content:\"Omymy\"; nocase; sid:1;)");
4498  FAIL_IF_NULL(s);
4499  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4500  "(content:\"!mymy\"; nocase; sid:2;)");
4501  FAIL_IF_NULL(s);
4502  SigGroupBuild(de_ctx);
4503  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4504  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4505  FAIL_IF(PacketAlertCheck(p1, 1));
4506  FAIL_IF(!(PacketAlertCheck(p1, 2)));
4507  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4508  DetectEngineCtxFree(de_ctx);
4509  UTHFreePackets(&p1, 1);
4510  StatsThreadCleanup(&tv.stats);
4511  PASS;
4512 }
4513 
4514 static const char *dummy_conf_string2 =
4515  "%YAML 1.1\n"
4516  "---\n"
4517  "vars:\n"
4518  "\n"
4519  " address-groups:\n"
4520  "\n"
4521  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4522  "\n"
4523  " EXTERNAL_NET: \"any\"\n"
4524  "\n"
4525  " port-groups:\n"
4526  "\n"
4527  " HTTP_PORTS: \"80:81,88\"\n"
4528  "\n";
4529 
4530 static int DetectAddressYamlParsing01 (void)
4531 {
4532  int result = 0;
4533 
4534  SCConfCreateContextBackup();
4535  SCConfInit();
4536  SCConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
4537 
4538  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4539  if (de_ctx == NULL) {
4540  goto end;
4541  }
4542 
4543  de_ctx->flags |= DE_QUIET;
4544 
4545  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4546  goto end;
4547  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4548  goto end;
4549  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4550  goto end;
4551 
4552  result = 1;
4553 
4554  DetectEngineCtxFree(de_ctx);
4555 end:
4556  SCConfDeInit();
4557  SCConfRestoreContextBackup();
4558  return result;
4559 }
4560 
4561 static const char *dummy_conf_string3 =
4562  "%YAML 1.1\n"
4563  "---\n"
4564  "vars:\n"
4565  "\n"
4566  " address-groups:\n"
4567  "\n"
4568  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4569  "\n"
4570  " EXTERNAL_NET: \"any\"\n"
4571  "\n"
4572  " port-groups:\n"
4573  "\n"
4574  " HTTP_PORTS: \"80:81,88\"\n"
4575  "\n";
4576 
4577 static int DetectAddressYamlParsing02 (void)
4578 {
4579  int result = 0;
4580 
4581  SCConfCreateContextBackup();
4582  SCConfInit();
4583  SCConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
4584 
4585  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4586  if (de_ctx == NULL) {
4587  goto end;
4588  }
4589 
4590  de_ctx->flags |= DE_QUIET;
4591 
4592  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4593  goto end;
4594  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4595  goto end;
4596  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4597  goto end;
4598 
4599  result = 1;
4600 
4601  DetectEngineCtxFree(de_ctx);
4602 end:
4603  SCConfDeInit();
4604  SCConfRestoreContextBackup();
4605  return result;
4606 }
4607 
4608 static const char *dummy_conf_string4 =
4609  "%YAML 1.1\n"
4610  "---\n"
4611  "vars:\n"
4612  "\n"
4613  " address-groups:\n"
4614  "\n"
4615  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4616  "\n"
4617  " EXTERNAL_NET: \"any\"\n"
4618  "\n"
4619  " port-groups:\n"
4620  "\n"
4621  " HTTP_PORTS: \"80:81,88\"\n"
4622  "\n";
4623 
4624 static int DetectAddressYamlParsing03 (void)
4625 {
4626  SCConfCreateContextBackup();
4627  SCConfInit();
4628  SCConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
4629  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4630  FAIL_IF_NULL(de_ctx);
4631  de_ctx->flags |= DE_QUIET;
4632  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL);
4633  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL);
4634  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) ==
4635  NULL);
4636  DetectEngineCtxFree(de_ctx);
4637  SCConfDeInit();
4638  SCConfRestoreContextBackup();
4639  PASS;
4640 }
4641 
4642 static const char *dummy_conf_string5 =
4643  "%YAML 1.1\n"
4644  "---\n"
4645  "vars:\n"
4646  "\n"
4647  " address-groups:\n"
4648  "\n"
4649  " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
4650  "\n"
4651  " EXTERNAL_NET: \"any\"\n"
4652  "\n"
4653  " port-groups:\n"
4654  "\n"
4655  " HTTP_PORTS: \"80:81,88\"\n"
4656  "\n";
4657 
4658 /** \test bug #815 */
4659 static int DetectAddressYamlParsing04 (void)
4660 {
4661  SCConfCreateContextBackup();
4662  SCConfInit();
4663  SCConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
4664  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4665  FAIL_IF_NULL(de_ctx);
4666  de_ctx->flags |= DE_QUIET;
4667  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL);
4668  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL);
4669  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) ==
4670  NULL);
4671  DetectEngineCtxFree(de_ctx);
4672  SCConfDeInit();
4673  SCConfRestoreContextBackup();
4674  PASS;
4675 }
4676 
4677 void SigRegisterTests(void)
4678 {
4679  SigParseRegisterTests();
4680  IPOnlyRegisterTests();
4681 
4682  UtRegisterTest("SigTest01", SigTest01);
4683  UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
4684  UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
4685  UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
4686  UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
4687  UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
4688  UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
4689  SigTest07);
4690  UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
4691  UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
4692  SigTest09);
4693  UtRegisterTest("SigTest10 -- long content match, longer than pkt",
4694  SigTest10);
4695  UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
4696  UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
4697  UtRegisterTest("SigTest13 -- content order matching, diff order",
4698  SigTest13);
4699  UtRegisterTest("SigTest14 -- content order matching, distance 0",
4700  SigTest14);
4701  UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
4702  UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
4703  UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
4704  UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
4705  UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
4706  UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
4707  UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
4708  UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
4709  UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
4710 
4711  UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
4712  UtRegisterTest("SigTest25NegativeIPV4Keyword",
4713  SigTest25NegativeIPV4Keyword);
4714 
4715  UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
4716  UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
4717  SigTest26TCPV4AndNegativeIPV4Keyword);
4718  UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
4719  SigTest26TCPV4AndIPV4Keyword);
4720  UtRegisterTest("SigTest27NegativeTCPV4Keyword",
4721  SigTest27NegativeTCPV4Keyword);
4722 
4723  UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
4724  UtRegisterTest("SigTest29NegativeTCPV6Keyword",
4725  SigTest29NegativeTCPV6Keyword);
4726 
4727  UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
4728  UtRegisterTest("SigTest31NegativeUDPV4Keyword",
4729  SigTest31NegativeUDPV4Keyword);
4730 
4731  UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
4732  UtRegisterTest("SigTest33NegativeUDPV6Keyword",
4733  SigTest33NegativeUDPV6Keyword);
4734 
4735  UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
4736  UtRegisterTest("SigTest35NegativeICMPV4Keyword",
4737  SigTest35NegativeICMPV4Keyword);
4738  UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
4739  SigTest36ContentAndIsdataatKeywords01);
4740  UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
4741  SigTest37ContentAndIsdataatKeywords02);
4742 
4743  UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
4744 
4745  UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
4746 
4747  UtRegisterTest("SigTest40NoPacketInspection01",
4748  SigTest40NoPacketInspection01);
4749  UtRegisterTest("SigTest40NoPayloadInspection02",
4750  SigTest40NoPayloadInspection02);
4751 
4752  UtRegisterTest("SigTestMemory01", SigTestMemory01);
4753  UtRegisterTest("SigTestMemory02", SigTestMemory02);
4754  UtRegisterTest("SigTestMemory03", SigTestMemory03);
4755 
4756  UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
4757  UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
4758  UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
4759  SigTestContent03);
4760  UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
4761  SigTestContent04);
4762  UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
4763  UtRegisterTest("SigTestContent06 -- distance/within ip only",
4764  SigTestContent06);
4765 
4766  UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
4767  UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
4768 
4769  UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
4770 
4771  UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
4772  UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
4773  UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
4774 
4775  UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
4776  UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
4777  UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
4778  UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
4779 
4780  UtRegisterTest("SigTestPorts01", SigTestPorts01);
4781  UtRegisterTest("SigTestBug01", SigTestBug01);
4782 
4783  DetectEngineContentInspectionRegisterTests();
4784 }
4785 #endif /* UNITTESTS */
IPOnlyRegisterTests
void IPOnlyRegisterTests(void)
Definition: detect-engine-iponly.c:2352
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:535
Packet_::proto
uint8_t proto
Definition: decode.h:523
PktVarGet
PktVar * PktVarGet(Packet *p, uint32_t id)
Definition: pkt-var.c:40
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:140
StreamTcpSessionPktFree
void StreamTcpSessionPktFree(Packet *p)
Function to return the stream segments back to the pool.
Definition: stream-tcp.c:388
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
DetectEngineContentInspectionRegisterTests
void DetectEngineContentInspectionRegisterTests(void)
Definition: detect-engine-content-inspection.c:319
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:642
DetectEngineThreadCtx_::counter_alerts
StatsCounterId counter_alerts
Definition: detect.h:1290
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:381
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:69
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:279
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition: packet-queue.h:49
Flow_::proto
uint8_t proto
Definition: flow.h:370
Packet_::payload
uint8_t * payload
Definition: decode.h:605
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:160
Packet_::action
uint8_t action
Definition: decode.h:609
SigRegisterTests
void SigRegisterTests(void)
Definition: detect.c:4677
Flow_
Flow data structure.
Definition: flow.h:348
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:148
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:769
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:339
TCP_GET_RAW_HLEN
#define TCP_GET_RAW_HLEN(tcph)
Definition: decode-tcp.h:72
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:70
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2418
UTHBuildPacketSrcDstPorts
Packet * UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, uint16_t sport, uint16_t dport)
UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying src and dst ports and defaulting...
Definition: util-unittest-helper.c:442
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1254
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:2339
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3447
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:606
HtpState_
Definition: app-layer-htp.h:181
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition: conf.c:120
Signature_::next
struct Signature_ * next
Definition: detect.h:750
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:549
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:213
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:496
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:326
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition: detect-parse.c:5432
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1245
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:267
PktVar_::value
uint8_t * value
Definition: decode.h:319
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:209
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
Packet_::sp
Port sp
Definition: decode.h:508
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:96
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:223
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition: suricata.c:262
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3105
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:317
Packet_
Definition: decode.h:501
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:747
SCConfCreateContextBackup
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:684
StatsSetupPrivate
int StatsSetupPrivate(StatsThreadContext *stats, const char *thread_name)
Definition: counters.c:1238
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1258
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
IPV4Hdr_
Definition: decode-ipv4.h:72
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:867
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:447
SigMatch_::type
uint16_t type
Definition: detect.h:357
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:693
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3601
StatsCounterGetLocalValue
int64_t StatsCounterGetLocalValue(StatsThreadContext *stats, StatsCounterId id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1301
SCConfDeInit
void SCConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:703
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:942
MPM_AC
@ MPM_AC
Definition: util-mpm.h:38
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:262
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:963
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
Flow_::alstate
void * alstate
Definition: flow.h:471
Flow_::flags
uint32_t flags
Definition: flow.h:413
SCConfRestoreContextBackup
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:694
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
PktVar_::value_len
uint16_t value_len
Definition: decode.h:317
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1363
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
Address_::family
char family
Definition: decode.h:113
Packet_::dst
Address dst
Definition: decode.h:506
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1249
PktVar_
Definition: decode.h:311
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:935
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
Packet_::dp
Port dp
Definition: decode.h:516
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1354
IPV4Hdr_::ip_verhl
uint8_t ip_verhl
Definition: decode-ipv4.h:73
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
TCPHdr_
Definition: decode-tcp.h:149
Packet_::src
Address src
Definition: decode.h:505
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456