suricata
detect.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #ifdef UNITTESTS
19 
20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../detect-engine-build.h"
25 #include "../pkt-var.h"
26 #include "../flow-util.h"
27 #include "../stream-tcp-reassemble.h"
28 #include "../util-unittest.h"
29 #include "../util-var-name.h"
30 #include "../util-unittest-helper.h"
31 
32 static const char *dummy_conf_string =
33  "%YAML 1.1\n"
34  "---\n"
35  "\n"
36  "default-log-dir: /var/log/suricata\n"
37  "\n"
38  "logging:\n"
39  "\n"
40  " default-log-level: debug\n"
41  "\n"
42  " default-format: \"<%t> - <%l>\"\n"
43  "\n"
44  " default-startup-message: Your IDS has started.\n"
45  "\n"
46  " default-output-filter:\n"
47  "\n"
48  " output:\n"
49  "\n"
50  " - interface: console\n"
51  " log-level: info\n"
52  "\n"
53  " - interface: file\n"
54  " filename: /var/log/suricata.log\n"
55  "\n"
56  " - interface: syslog\n"
57  " facility: local5\n"
58  " format: \"%l\"\n"
59  "\n"
60  "pfring:\n"
61  "\n"
62  " interface: eth0\n"
63  "\n"
64  " clusterid: 99\n"
65  "\n"
66  "vars:\n"
67  "\n"
68  " address-groups:\n"
69  "\n"
70  " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
71  "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
72  "\n"
73  " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
74  "\n"
75  " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
76  "\n"
77  " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
78  "\n"
79  " SQL_SERVERS: \"!192.168.0.0/16\"\n"
80  "\n"
81  " DNS_SERVERS: any\n"
82  "\n"
83  " TELNET_SERVERS: any\n"
84  "\n"
85  " AIM_SERVERS: any\n"
86  "\n"
87  " port-groups:\n"
88  "\n"
89  " HTTP_PORTS: \"80:81,88\"\n"
90  "\n"
91  " SHELLCODE_PORTS: 80\n"
92  "\n"
93  " ORACLE_PORTS: 1521\n"
94  "\n"
95  " SSH_PORTS: 22\n"
96  "\n";
97 
98 static int SigTest01 (void)
99 {
100  uint8_t *buf = (uint8_t *)
101  "GET /one/ HTTP/1.1\r\n"
102  "Host: one.example.org\r\n"
103  "\r\n\r\n"
104  "GET /two/ HTTP/1.1\r\n"
105  "Host: two.example.org\r\n"
106  "\r\n\r\n";
107  uint16_t buflen = strlen((char *)buf);
108  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
109  FAIL_IF_NULL(p);
110 
111  char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
112  FAIL_IF(UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0);
113 
114  UTHFreePacket(p);
115  PASS;
116 }
117 
118 static int SigTest02 (void)
119 {
120  uint8_t *buf = (uint8_t *)
121  "GET /one/ HTTP/1.1\r\n"
122  "Host: one.example.org\r\n"
123  "\r\n\r\n"
124  "GET /two/ HTTP/1.1\r\n"
125  "Host: two.example.org\r\n"
126  "\r\n\r\n";
127  uint16_t buflen = strlen((char *)buf);
128  Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
129  char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
130  int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
131  UTHFreePacket(p);
132  return ret;
133 }
134 
135 static int SigTest03 (void)
136 {
137  uint8_t *buf = (uint8_t *)
138  "GET /one/ HTTP/1.1\r\n"
139  "Host: one.example.org\r\n"
140  "\r\n\r\n"
141  "GET /two/ HTTP/1.1\r\n"
142  "Host: two.example.org\r\n"
143  "\r\n\r\n";
144  uint16_t buflen = strlen((char *)buf);
145  ThreadVars th_v;
146  memset(&th_v, 0, sizeof(th_v));
147  StatsThreadInit(&th_v.stats);
148  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
149  FAIL_IF_NULL(p);
150  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
151  FAIL_IF_NULL(de_ctx);
152  de_ctx->flags |= DE_QUIET;
153  Signature *s = DetectEngineAppendSig(de_ctx,
154  "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: "
155  "one.example.org\"; offset:20; depth:39; sid:1;)");
156  FAIL_IF_NULL(s);
157  SigGroupBuild(de_ctx);
158  DetectEngineThreadCtx *det_ctx = NULL;
159  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
160  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
161  FAIL_IF_NOT(PacketAlertCheck(p, 1));
162  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
163  DetectEngineCtxFree(de_ctx);
164  UTHFreePackets(&p, 1);
165  StatsThreadCleanup(&th_v.stats);
166  PASS;
167 }
168 
169 static int SigTest04 (void)
170 {
171  uint8_t *buf = (uint8_t *)
172  "GET /one/ HTTP/1.1\r\n" /* 20*/
173  "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
174  "\r\n\r\n" /* 4 */
175  "GET /two/ HTTP/1.1\r\n" /* 20 */
176  "Host: two.example.org\r\n" /* 23 */
177  "\r\n\r\n"; /* 4 */
178  uint16_t buflen = strlen((char *)buf);
179  ThreadVars th_v;
180  memset(&th_v, 0, sizeof(th_v));
181  StatsThreadInit(&th_v.stats);
182  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
183  FAIL_IF_NULL(p);
184  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
185  FAIL_IF_NULL(de_ctx);
186  de_ctx->flags |= DE_QUIET;
187  Signature *s = DetectEngineAppendSig(de_ctx,
188  "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; "
189  "offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
190  FAIL_IF_NULL(s);
191  SigGroupBuild(de_ctx);
192  DetectEngineThreadCtx *det_ctx = NULL;
193  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
194  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
195  FAIL_IF_NOT(PacketAlertCheck(p, 1));
196  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
197  DetectEngineCtxFree(de_ctx);
198  UTHFreePackets(&p, 1);
199  StatsThreadCleanup(&th_v.stats);
200  PASS;
201 }
202 
203 static int SigTest05 (void)
204 {
205  uint8_t *buf = (uint8_t *)
206  "GET /one/ HTTP/1.1\r\n" /* 20 */
207  "Host: one.example.org\r\n" /* 23, 43 */
208  "\r\n\r\n" /* 4, 47 */
209  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
210  "Host: two.example.org\r\n" /* 23, 90 */
211  "\r\n\r\n"; /* 4, 94 */
212  uint16_t buflen = strlen((char *)buf);
213  ThreadVars th_v;
214  memset(&th_v, 0, sizeof(th_v));
215  StatsThreadInit(&th_v.stats);
216  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
217  FAIL_IF_NULL(p);
218  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
219  FAIL_IF_NULL(de_ctx);
220  de_ctx->flags |= DE_QUIET;
221  Signature *s = DetectEngineAppendSig(de_ctx,
222  "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; "
223  "offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
224  FAIL_IF_NULL(s);
225  SigGroupBuild(de_ctx);
226  DetectEngineThreadCtx *det_ctx = NULL;
227  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
228  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
229  FAIL_IF(PacketAlertCheck(p, 1));
230  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
231  DetectEngineCtxFree(de_ctx);
232  UTHFreePackets(&p, 1);
233  StatsThreadCleanup(&th_v.stats);
234  PASS;
235 }
236 
237 static int SigTest06 (void)
238 {
239  uint8_t *buf = (uint8_t *)
240  "GET /one/ HTTP/1.1\r\n" /* 20 */
241  "Host: one.example.org\r\n" /* 23, 43 */
242  "\r\n\r\n" /* 4, 47 */
243  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
244  "Host: two.example.org\r\n" /* 23, 90 */
245  "\r\n\r\n"; /* 4, 94 */
246  uint16_t buflen = strlen((char *)buf);
247  Packet *p = NULL;
248  ThreadVars th_v;
249  DetectEngineThreadCtx *det_ctx = NULL;
250  Flow f;
251  TcpSession ssn;
252  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
253  FAIL_IF_NULL(alp_tctx);
254 
255  memset(&th_v, 0, sizeof(th_v));
256  StatsThreadInit(&th_v.stats);
257  memset(&f, 0, sizeof(f));
258  memset(&ssn, 0, sizeof(ssn));
259 
260  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
261  FAIL_IF_NULL(p);
262 
263  FLOW_INITIALIZE(&f);
264  f.protoctx = (void *)&ssn;
265  f.flags |= FLOW_IPV4;
266  f.proto = IPPROTO_TCP;
267  p->flow = &f;
268  p->flowflags |= FLOW_PKT_TOSERVER;
269  p->flowflags |= FLOW_PKT_ESTABLISHED;
270  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
271  f.alproto = ALPROTO_HTTP1;
272 
273  StreamTcpInitConfig(true);
274 
275  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
276  FAIL_IF_NULL(de_ctx);
277  de_ctx->flags |= DE_QUIET;
278 
279  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
280  FAIL_IF_NULL(s);
281 
282  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
283  FAIL_IF_NULL(s);
284 
285  SigGroupBuild(de_ctx);
286  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
287  FAIL_IF_NULL(det_ctx);
288 
289  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
290  FAIL_IF(r != 0);
291 
292  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
293  FAIL_IF_NOT(PacketAlertCheck(p, 1));
294  FAIL_IF_NOT(PacketAlertCheck(p, 2));
295 
296  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
297  DetectEngineCtxFree(de_ctx);
298  AppLayerParserThreadCtxFree(alp_tctx);
299  UTHFreePackets(&p, 1);
300  StreamTcpFreeConfig(true);
301  FLOW_DESTROY(&f);
302  StatsThreadCleanup(&th_v.stats);
303  PASS;
304 }
305 
306 static int SigTest07 (void)
307 {
308  uint8_t *buf = (uint8_t *)
309  "GET /one/ HTTP/1.1\r\n" /* 20 */
310  "Host: one.example.org\r\n" /* 23, 43 */
311  "\r\n\r\n" /* 4, 47 */
312  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
313  "Host: two.example.org\r\n" /* 23, 90 */
314  "\r\n\r\n"; /* 4, 94 */
315  uint16_t buflen = strlen((char *)buf);
316  Packet *p = NULL;
317  ThreadVars th_v;
318  DetectEngineThreadCtx *det_ctx = NULL;
319  Flow f;
320  TcpSession ssn;
321  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
322 
323  memset(&th_v, 0, sizeof(th_v));
324  StatsThreadInit(&th_v.stats);
325  memset(&f, 0, sizeof(f));
326  memset(&ssn, 0, sizeof(ssn));
327  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
328  FAIL_IF_NULL(p);
329  FLOW_INITIALIZE(&f);
330  f.protoctx = (void *)&ssn;
331  f.flags |= FLOW_IPV4;
332  f.proto = IPPROTO_TCP;
333  p->flow = &f;
334  p->flowflags |= FLOW_PKT_TOSERVER;
335  p->flowflags |= FLOW_PKT_ESTABLISHED;
336  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
337  f.alproto = ALPROTO_HTTP1;
338 
339  StreamTcpInitConfig(true);
340 
341  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
342  FAIL_IF_NULL(de_ctx);
343  de_ctx->flags |= DE_QUIET;
344 
345  Signature *s = DetectEngineAppendSig(de_ctx,
346  "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; "
347  "pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
348  FAIL_IF_NULL(s);
349  s = DetectEngineAppendSig(de_ctx,
350  "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
351  FAIL_IF_NULL(s);
352 
353  SigGroupBuild(de_ctx);
354  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
355 
356  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
357  FAIL_IF(r != 0);
358  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
359  FAIL_IF_NOT(PacketAlertCheck(p, 1));
360  FAIL_IF(PacketAlertCheck(p, 2));
361 
362  AppLayerParserThreadCtxFree(alp_tctx);
363  UTHFreePackets(&p, 1);
364  StreamTcpFreeConfig(true);
365  FlowCleanupAppLayer(&f);
366  FLOW_DESTROY(&f);
367 
368  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
369  DetectEngineCtxFree(de_ctx);
370  StatsThreadCleanup(&th_v.stats);
371  PASS;
372 }
373 
374 static int SigTest08 (void)
375 {
376  uint8_t *buf = (uint8_t *)
377  "GET /one/ HTTP/1.0\r\n" /* 20 */
378  "Host: one.example.org\r\n" /* 23, 43 */
379  "\r\n\r\n" /* 4, 47 */
380  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
381  "Host: two.example.org\r\n" /* 23, 90 */
382  "\r\n\r\n"; /* 4, 94 */
383  uint16_t buflen = strlen((char *)buf);
384  ThreadVars th_v;
385  DetectEngineThreadCtx *det_ctx = NULL;
386  Flow f;
387  TcpSession ssn;
388  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
389 
390  memset(&f, 0, sizeof(Flow));
391  memset(&th_v, 0, sizeof(th_v));
392  StatsThreadInit(&th_v.stats);
393  memset(&ssn, 0, sizeof(ssn));
394 
395  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
396  FAIL_IF_NULL(p);
397 
398  FLOW_INITIALIZE(&f);
399  f.protoctx = (void *)&ssn;
400  f.flags |= FLOW_IPV4;
401  f.proto = IPPROTO_TCP;
402  p->flow = &f;
403  p->flowflags |= FLOW_PKT_TOSERVER;
404  p->flowflags |= FLOW_PKT_ESTABLISHED;
405  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
406  f.alproto = ALPROTO_HTTP1;
407 
408  StreamTcpInitConfig(true);
409 
410  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
411  FAIL_IF_NULL(de_ctx);
412  de_ctx->flags |= DE_QUIET;
413 
414  Signature *s = DetectEngineAppendSig(de_ctx,
415  "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; "
416  "depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
417  FAIL_IF_NULL(s);
418  s = DetectEngineAppendSig(de_ctx,
419  "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
420  FAIL_IF_NULL(s);
421 
422  SigGroupBuild(de_ctx);
423  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
424 
425  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
426  FAIL_IF(r != 0);
427 
428  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
429  FAIL_IF_NOT(PacketAlertCheck(p, 1));
430  FAIL_IF_NOT(PacketAlertCheck(p, 2));
431 
432  FLOW_DESTROY(&f);
433  UTHFreePackets(&p, 1);
434 
435  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
436  DetectEngineCtxFree(de_ctx);
437  AppLayerParserThreadCtxFree(alp_tctx);
438  StreamTcpFreeConfig(true);
439  StatsThreadCleanup(&th_v.stats);
440  PASS;
441 }
442 
443 static int SigTest09 (void)
444 {
445  uint8_t *buf = (uint8_t *)
446  "GET /one/ HTTP/1.0\r\n" /* 20 */
447  "Host: one.example.org\r\n" /* 23, 43 */
448  "\r\n\r\n" /* 4, 47 */
449  "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
450  "Host: two.example.org\r\n" /* 23, 90 */
451  "\r\n\r\n"; /* 4, 94 */
452  uint16_t buflen = strlen((char *)buf);
453  ThreadVars th_v;
454  DetectEngineThreadCtx *det_ctx = NULL;
455  Flow f;
456  TcpSession ssn;
457  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
458 
459  memset(&th_v, 0, sizeof(th_v));
460  StatsThreadInit(&th_v.stats);
461  memset(&f, 0, sizeof(f));
462  memset(&ssn, 0, sizeof(ssn));
463 
464  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
465  FAIL_IF_NULL(p);
466 
467  FLOW_INITIALIZE(&f);
468  f.protoctx = (void *)&ssn;
469  f.flags |= FLOW_IPV4;
470  f.proto = IPPROTO_TCP;
471  p->flow = &f;
472  p->flowflags |= FLOW_PKT_TOSERVER;
473  p->flowflags |= FLOW_PKT_ESTABLISHED;
474  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
475  f.alproto = ALPROTO_HTTP1;
476 
477  StreamTcpInitConfig(true);
478 
479  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
480  FAIL_IF_NULL(de_ctx);
481  de_ctx->flags |= DE_QUIET;
482 
483  Signature *s = DetectEngineAppendSig(de_ctx,
484  "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; "
485  "depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
486  FAIL_IF_NULL(s);
487  s = DetectEngineAppendSig(de_ctx,
488  "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
489  FAIL_IF_NULL(s);
490 
491  SigGroupBuild(de_ctx);
492  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
493 
494  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
495  FAIL_IF(r != 0);
496 
497  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
498  FAIL_IF_NOT(PacketAlertCheck(p, 1));
499  FAIL_IF_NOT(PacketAlertCheck(p, 2));
500 
501  FlowCleanupAppLayer(&f);
502  FLOW_DESTROY(&f);
503  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
504  DetectEngineCtxFree(de_ctx);
505  AppLayerParserThreadCtxFree(alp_tctx);
506  UTHFreePackets(&p, 1);
507  StreamTcpFreeConfig(true);
508  StatsThreadCleanup(&th_v.stats);
509  PASS;
510 }
511 
512 static int SigTest10 (void)
513 {
514  uint8_t *buf = (uint8_t *)"ABC";
515  uint16_t buflen = strlen((char *)buf);
516  ThreadVars th_v;
517  DetectEngineThreadCtx *det_ctx = NULL;
518  Flow f;
519  TcpSession ssn;
520  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
521 
522  memset(&th_v, 0, sizeof(th_v));
523  StatsThreadInit(&th_v.stats);
524  memset(&f, 0, sizeof(f));
525  memset(&ssn, 0, sizeof(ssn));
526 
527  Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
528  FAIL_IF_NULL(p);
529 
530  FLOW_INITIALIZE(&f);
531  f.protoctx = (void *)&ssn;
532  f.proto = IPPROTO_TCP;
533  f.flags |= FLOW_IPV4;
534  p->flow = &f;
535  p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
536  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
537  f.alproto = ALPROTO_HTTP1;
538 
539  StreamTcpInitConfig(true);
540 
541  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
542  FAIL_IF_NULL(de_ctx);
543  de_ctx->flags |= DE_QUIET;
544 
545  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"Long content "
546  "test (1)\"; content:\"ABCD\"; depth:4; sid:1;");
547  FAIL_IF_NULL(s);
548  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"Long content test "
549  "(2)\"; content:\"VWXYZ\"; sid:2;");
550  FAIL_IF_NULL(s);
551 
552  SigGroupBuild(de_ctx);
553  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
554 
555  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
556  FAIL_IF(r != 0);
557  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
558  FAIL_IF(PacketAlertCheck(p, 1));
559  FAIL_IF(PacketAlertCheck(p, 2));
560 
561  FlowCleanupAppLayer(&f);
562  FLOW_DESTROY(&f);
563  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
564  DetectEngineCtxFree(de_ctx);
565  AppLayerParserThreadCtxFree(alp_tctx);
566  UTHFreePackets(&p, 1);
567  StreamTcpFreeConfig(true);
568  StatsThreadCleanup(&th_v.stats);
569  PASS;
570 }
571 
572 static int SigTest11 (void)
573 {
574  uint8_t *buf = (uint8_t *)
575  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
576  uint16_t buflen = strlen((char *)buf);
577  Packet *p = NULL;
578  ThreadVars th_v;
579  DetectEngineThreadCtx *det_ctx = NULL;
580  Flow f;
581  TcpSession ssn;
582  int result = 0;
583 
584  memset(&th_v, 0, sizeof(th_v));
585  StatsThreadInit(&th_v.stats);
586  memset(&f, 0, sizeof(f));
587  memset(&ssn, 0, sizeof(ssn));
588 
589  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
590 
591  FLOW_INITIALIZE(&f);
592  f.protoctx = (void *)&ssn;
593  f.proto = IPPROTO_TCP;
594  f.flags |= FLOW_IPV4;
595  p->flow = &f;
596  p->flowflags |= FLOW_PKT_TOSERVER;
597  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
598  f.alproto = ALPROTO_HTTP1;
599 
600  StreamTcpInitConfig(true);
601 
602  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
603  if (de_ctx == NULL) {
604  goto end;
605  }
606 
607  de_ctx->flags |= DE_QUIET;
608 
609  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
610  if (de_ctx->sig_list == NULL) {
611  goto end;
612  }
613  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
614  if (de_ctx->sig_list->next == NULL) {
615  goto end;
616  }
617 
618  SigGroupBuild(de_ctx);
619  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
620 
621  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
622  if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
623  result = 1;
624 
625 end:
626  FlowCleanupAppLayer(&f);
627  if (det_ctx)
628  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
629  DetectEngineCtxFree(de_ctx);
630  UTHFreePackets(&p, 1);
631  StreamTcpFreeConfig(true);
632  FLOW_DESTROY(&f);
633  StatsThreadCleanup(&th_v.stats);
634  return result;
635 }
636 
637 static int SigTest12 (void)
638 {
639  uint8_t *buf = (uint8_t *)
640  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
641  uint16_t buflen = strlen((char *)buf);
642  Packet *p = NULL;
643  ThreadVars th_v;
644  DetectEngineThreadCtx *det_ctx = NULL;
645  int result = 0;
646 
647  memset(&th_v, 0, sizeof(th_v));
648  StatsThreadInit(&th_v.stats);
649  Flow f;
650  memset(&f, 0, sizeof(Flow));
651 
652  FLOW_INITIALIZE(&f);
653 
654  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
655  p->flow = &f;
656  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
657 
658  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
659  if (de_ctx == NULL) {
660  goto end;
661  }
662 
663  de_ctx->flags |= DE_QUIET;
664 
665  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
666  if (de_ctx->sig_list == NULL) {
667  result = 0;
668  goto end;
669  }
670 
671  SigGroupBuild(de_ctx);
672  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
673 
674  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
675  if (PacketAlertCheck(p, 1))
676  result = 1;
677  else
678  result = 0;
679 
680  if (det_ctx != NULL)
681  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
682 end:
683  UTHFreePackets(&p, 1);
684  if (de_ctx != NULL) {
685  DetectEngineCtxFree(de_ctx);
686  }
687  FLOW_DESTROY(&f);
688  StatsThreadCleanup(&th_v.stats);
689  return result;
690 }
691 
692 static int SigTest13 (void)
693 {
694  uint8_t *buf = (uint8_t *)
695  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
696  uint16_t buflen = strlen((char *)buf);
697  Packet *p = NULL;
698  ThreadVars th_v;
699  DetectEngineThreadCtx *det_ctx = NULL;
700  int result = 0;
701 
702  memset(&th_v, 0, sizeof(th_v));
703  StatsThreadInit(&th_v.stats);
704  Flow f;
705  memset(&f, 0, sizeof(Flow));
706 
707  FLOW_INITIALIZE(&f);
708 
709  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
710  p->flow = &f;
711  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
712 
713  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
714  if (de_ctx == NULL) {
715  goto end;
716  }
717 
718  de_ctx->flags |= DE_QUIET;
719 
720  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
721  if (de_ctx->sig_list == NULL) {
722  result = 0;
723  goto end;
724  }
725 
726  SigGroupBuild(de_ctx);
727  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
728 
729  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
730  if (PacketAlertCheck(p, 1))
731  result = 1;
732  else
733  result = 0;
734 
735  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
736  DetectEngineCtxFree(de_ctx);
737 end:
738  UTHFreePackets(&p, 1);
739  FLOW_DESTROY(&f);
740  StatsThreadCleanup(&th_v.stats);
741  return result;
742 }
743 
744 static int SigTest14 (void)
745 {
746  uint8_t *buf = (uint8_t *)
747  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
748  uint16_t buflen = strlen((char *)buf);
749  Packet *p = NULL;
750  ThreadVars th_v;
751  DetectEngineThreadCtx *det_ctx = NULL;
752  int result = 0;
753 
754  memset(&th_v, 0, sizeof(th_v));
755  StatsThreadInit(&th_v.stats);
756 
757  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
758 
759  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
760  if (de_ctx == NULL) {
761  goto end;
762  }
763 
764  de_ctx->flags |= DE_QUIET;
765 
766  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
767  if (de_ctx->sig_list == NULL) {
768  result = 0;
769  goto end;
770  }
771 
772  SigGroupBuild(de_ctx);
773  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
774 
775  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
776  if (PacketAlertCheck(p, 1))
777  result = 0;
778  else
779  result = 1;
780 
781  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
782  DetectEngineCtxFree(de_ctx);
783 end:
784  UTHFreePackets(&p, 1);
785  StatsThreadCleanup(&th_v.stats);
786  return result;
787 }
788 
789 static int SigTest15 (void)
790 {
791  uint8_t *buf = (uint8_t *)
792  "CONNECT 213.92.8.7:31204 HTTP/1.1";
793  uint16_t buflen = strlen((char *)buf);
794  Packet *p = PacketGetFromAlloc();
795  if (unlikely(p == NULL))
796  return 0;
797  ThreadVars th_v;
798  DetectEngineThreadCtx *det_ctx = NULL;
799  int result = 0;
800 
801  memset(&th_v, 0, sizeof(th_v));
802  StatsThreadInit(&th_v.stats);
803  p->src.family = AF_INET;
804  p->dst.family = AF_INET;
805  p->payload = buf;
806  p->payload_len = buflen;
807  p->proto = IPPROTO_TCP;
808  p->dp = 80;
809 
810  SCConfCreateContextBackup();
811  SCConfInit();
812  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
813 
814  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
815  if (de_ctx == NULL) {
816  goto end;
817  }
818 
819  de_ctx->flags |= DE_QUIET;
820 
821  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
822  if (de_ctx->sig_list == NULL) {
823  result = 0;
824  goto end;
825  }
826 
827  SigGroupBuild(de_ctx);
828  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
829 
830  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
831  if (PacketAlertCheck(p, 2008284))
832  result = 0;
833  else
834  result = 1;
835 
836  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
837  DetectEngineCtxFree(de_ctx);
838 end:
839  SCConfDeInit();
840  SCConfRestoreContextBackup();
841  PacketFree(p);
842  StatsThreadCleanup(&th_v.stats);
843  return result;
844 }
845 
846 static int SigTest16 (void)
847 {
848  uint8_t *buf = (uint8_t *)
849  "CONNECT 213.92.8.7:31204 HTTP/1.1";
850  uint16_t buflen = strlen((char *)buf);
851  Packet *p = NULL;
852  ThreadVars th_v;
853  DetectEngineThreadCtx *det_ctx = NULL;
854  int result = 0;
855 
856  memset(&th_v, 0, sizeof(th_v));
857  StatsThreadInit(&th_v.stats);
858  memset(&p, 0, sizeof(p));
859 
860  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
861 
862  SCConfCreateContextBackup();
863  SCConfInit();
864  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
865 
866  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
867  if (de_ctx == NULL) {
868  goto end;
869  }
870 
871  de_ctx->flags |= DE_QUIET;
872 
873  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
874  if (de_ctx->sig_list == NULL) {
875  goto end;
876  }
877 
878  SigGroupBuild(de_ctx);
879  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
880 
881  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
882  if (PacketAlertCheck(p, 2008284))
883  result = 1;
884  else
885  printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
886 
887  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
888  DetectEngineCtxFree(de_ctx);
889 end:
890  SCConfDeInit();
891  SCConfRestoreContextBackup();
892  UTHFreePackets(&p, 1);
893  StatsThreadCleanup(&th_v.stats);
894  return result;
895 }
896 
897 static int SigTest17 (void)
898 {
899  uint8_t *buf = (uint8_t *)
900  "GET /one/ HTTP/1.1\r\n" /* 20 */
901  "Host: one.example.org\r\n" /* 23, 43 */
902  "\r\n\r\n" /* 4, 47 */
903  "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
904  "Host: two.example.org\r\n" /* 23, 90 */
905  "\r\n\r\n"; /* 4, 94 */
906  uint16_t buflen = strlen((char *)buf);
907  Packet *p = NULL;
908  ThreadVars th_v;
909  DetectEngineThreadCtx *det_ctx = NULL;
910  memset(&th_v, 0, sizeof(th_v));
911  StatsThreadInit(&th_v.stats);
912 
913  p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
914  FAIL_IF_NULL(p);
915 
916  SCConfCreateContextBackup();
917  SCConfInit();
918  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
919 
920  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
921  FAIL_IF_NULL(de_ctx);
922  de_ctx->flags |= DE_QUIET;
923 
924  Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
925  FAIL_IF_NULL(s);
926 
927  SigGroupBuild(de_ctx);
928  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
929  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
930 
931  uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
932  PktVar *pv_hn = PktVarGet(p, capid);
933  FAIL_IF_NULL(pv_hn);
934  FAIL_IF(pv_hn->value_len != 15);
935  FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
936 
937  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
938  DetectEngineCtxFree(de_ctx);
939  SCConfDeInit();
940  SCConfRestoreContextBackup();
941  UTHFreePackets(&p, 1);
942  StatsThreadCleanup(&th_v.stats);
943 
944  PASS;
945 }
946 
947 static int SigTest18 (void)
948 {
949  uint8_t *buf = (uint8_t *)
950  "220 (vsFTPd 2.0.5)\r\n";
951  uint16_t buflen = strlen((char *)buf);
952  Packet *p = PacketGetFromAlloc();
953  if (unlikely(p == NULL))
954  return 0;
955  ThreadVars th_v;
956  DetectEngineThreadCtx *det_ctx = NULL;
957  int result = 0;
958 
959  memset(&th_v, 0, sizeof(th_v));
960  StatsThreadInit(&th_v.stats);
961  p->src.family = AF_INET;
962  p->dst.family = AF_INET;
963  p->payload = buf;
964  p->payload_len = buflen;
965  p->proto = IPPROTO_TCP;
966  p->dp = 34260;
967  p->sp = 21;
968 
969  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
970  if (de_ctx == NULL) {
971  goto end;
972  }
973 
974  de_ctx->flags |= DE_QUIET;
975 
976  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
977  if (de_ctx->sig_list == NULL) {
978  result = 0;
979  goto end;
980  }
981 
982  SigGroupBuild(de_ctx);
983  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
984 
985  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
986  if (!PacketAlertCheck(p, 2003055))
987  result = 1;
988  else
989  printf("signature shouldn't match, but did: ");
990 
991  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
992  DetectEngineCtxFree(de_ctx);
993 end:
994  PacketFree(p);
995  StatsThreadCleanup(&th_v.stats);
996  return result;
997 }
998 
999 static int SigTest19 (void)
1000 {
1001  uint8_t *buf = (uint8_t *)
1002  "220 (vsFTPd 2.0.5)\r\n";
1003  uint16_t buflen = strlen((char *)buf);
1004  Packet *p = PacketGetFromAlloc();
1005  if (unlikely(p == NULL))
1006  return 0;
1007  ThreadVars th_v;
1008  DetectEngineThreadCtx *det_ctx = NULL;
1009  int result = 0;
1010 
1011  memset(&th_v, 0, sizeof(th_v));
1012  StatsThreadInit(&th_v.stats);
1013  p->src.family = AF_INET;
1014  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1015  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1016  p->dst.family = AF_INET;
1017  p->payload = buf;
1018  p->payload_len = buflen;
1019  p->proto = IPPROTO_TCP;
1020  p->dp = 34260;
1021  p->sp = 21;
1022  p->flowflags |= FLOW_PKT_TOSERVER;
1023 
1024  SCConfCreateContextBackup();
1025  SCConfInit();
1026  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1027 
1028  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1029  if (de_ctx == NULL) {
1030  goto end;
1031  }
1032 
1033  de_ctx->flags |= DE_QUIET;
1034 
1035  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1036  if (de_ctx->sig_list == NULL) {
1037  result = 0;
1038  goto end;
1039  }
1040 
1041  SigGroupBuild(de_ctx);
1042  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1043 
1044  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1045  if (PacketAlertCheck(p, 999))
1046  result = 1;
1047  else
1048  printf("signature didn't match, but should have: ");
1049 
1050  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1051  DetectEngineCtxFree(de_ctx);
1052 end:
1053  SCConfDeInit();
1054  SCConfRestoreContextBackup();
1055  PacketFree(p);
1056  StatsThreadCleanup(&th_v.stats);
1057  return result;
1058 }
1059 
1060 static int SigTest20 (void)
1061 {
1062  uint8_t *buf = (uint8_t *)
1063  "220 (vsFTPd 2.0.5)\r\n";
1064  uint16_t buflen = strlen((char *)buf);
1065  Packet *p = PacketGetFromAlloc();
1066  if (unlikely(p == NULL))
1067  return 0;
1068  ThreadVars th_v;
1069  DetectEngineThreadCtx *det_ctx = NULL;
1070  int result = 0;
1071 
1072  memset(&th_v, 0, sizeof(th_v));
1073  StatsThreadInit(&th_v.stats);
1074  p->src.family = AF_INET;
1075  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1076  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1077  p->dst.family = AF_INET;
1078  p->payload = buf;
1079  p->payload_len = buflen;
1080  p->proto = IPPROTO_TCP;
1081  p->dp = 34260;
1082  p->sp = 21;
1083  p->flowflags |= FLOW_PKT_TOSERVER;
1084 
1085  SCConfCreateContextBackup();
1086  SCConfInit();
1087  SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1088 
1089  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1090  if (de_ctx == NULL) {
1091  goto end;
1092  }
1093 
1094  de_ctx->flags |= DE_QUIET;
1095 
1096  de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1097  if (de_ctx->sig_list == NULL) {
1098  result = 0;
1099  goto end;
1100  }
1101 
1102  SigGroupBuild(de_ctx);
1103  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1104 
1105  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1106  if (PacketAlertCheck(p, 999))
1107  result = 1;
1108  else
1109  printf("signature didn't match, but should have: ");
1110 
1111  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1112  DetectEngineCtxFree(de_ctx);
1113 end:
1114  SCConfDeInit();
1115  SCConfRestoreContextBackup();
1116  PacketFree(p);
1117  StatsThreadCleanup(&th_v.stats);
1118  return result;
1119 }
1120 
1121 static int SigTest21 (void)
1122 {
1123  ThreadVars th_v;
1124  memset(&th_v, 0, sizeof(th_v));
1125  StatsThreadInit(&th_v.stats);
1126  DetectEngineThreadCtx *det_ctx = NULL;
1127  int result = 0;
1128 
1129  Flow f;
1130  memset(&f, 0, sizeof(f));
1131  FLOW_INITIALIZE(&f);
1132 
1133  /* packet 1 */
1134  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1135  "\r\n\r\n";
1136  uint16_t buf1len = strlen((char *)buf1);
1137  Packet *p1 = NULL;
1138  /* packet 2 */
1139  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1140  "\r\n\r\n";
1141  uint16_t buf2len = strlen((char *)buf2);
1142  Packet *p2 = NULL;
1143 
1144  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1145  p1->flow = &f;
1146  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1147  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1148  p2->flow = &f;
1149  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1150 
1151  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1152  if (de_ctx == NULL) {
1153  goto end;
1154  }
1155 
1156  de_ctx->flags |= DE_QUIET;
1157 
1158  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1159  if (de_ctx->sig_list == NULL) {
1160  result = 0;
1161  goto end;
1162  }
1163  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1164  if (de_ctx->sig_list == NULL) {
1165  result = 0;
1166  goto end;
1167  }
1168 
1169  SigGroupBuild(de_ctx);
1170  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1171 
1172  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1173  if (PacketAlertCheck(p1, 1)) {
1174  printf("sid 1 alerted, but shouldn't: ");
1175  goto end;
1176  }
1177  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1178  if (!(PacketAlertCheck(p2, 2))) {
1179  printf("sid 2 didn't alert, but should have: ");
1180  goto end;
1181  }
1182 
1183  result = 1;
1184 end:
1185  if (de_ctx != NULL) {
1186  if (det_ctx != NULL) {
1187  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1188  }
1189  }
1190  DetectEngineCtxFree(de_ctx);
1191  UTHFreePackets(&p1, 1);
1192  UTHFreePackets(&p2, 1);
1193  FLOW_DESTROY(&f);
1194  StatsThreadCleanup(&th_v.stats);
1195  return result;
1196 }
1197 
1198 static int SigTest22 (void)
1199 {
1200  ThreadVars th_v;
1201  memset(&th_v, 0, sizeof(th_v));
1202  StatsThreadInit(&th_v.stats);
1203  DetectEngineThreadCtx *det_ctx = NULL;
1204  int result = 0;
1205 
1206  Flow f;
1207  memset(&f, 0, sizeof(f));
1208  FLOW_INITIALIZE(&f);
1209 
1210  /* packet 1 */
1211  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1212  "\r\n\r\n";
1213  uint16_t buf1len = strlen((char *)buf1);
1214  Packet *p1 = NULL;
1215 
1216  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1217  p1->flow = &f;
1218  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1219 
1220  /* packet 2 */
1221  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1222  "\r\n\r\n";
1223  uint16_t buf2len = strlen((char *)buf2);
1224  Packet *p2 = NULL;
1225 
1226  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1227  p2->flow = &f;
1228  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1229 
1230  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1231  if (de_ctx == NULL) {
1232  goto end;
1233  }
1234 
1235  de_ctx->flags |= DE_QUIET;
1236 
1237  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1238  if (de_ctx->sig_list == NULL) {
1239  result = 0;
1240  goto end;
1241  }
1242  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1243  if (de_ctx->sig_list == NULL) {
1244  result = 0;
1245  goto end;
1246  }
1247 
1248  SigGroupBuild(de_ctx);
1249  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1250 
1251  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1252  if (PacketAlertCheck(p1, 1)) {
1253  printf("sid 1 alerted, but shouldn't: ");
1254  goto end;
1255  }
1256  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1257  if (!(PacketAlertCheck(p2, 2)))
1258  result = 1;
1259  else
1260  printf("sid 2 alerted, but shouldn't: ");
1261 
1262  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1263  DetectEngineCtxFree(de_ctx);
1264 end:
1265  UTHFreePackets(&p1, 1);
1266  UTHFreePackets(&p2, 1);
1267  FLOW_DESTROY(&f);
1268  StatsThreadCleanup(&th_v.stats);
1269  return result;
1270 }
1271 
1272 static int SigTest23 (void)
1273 {
1274  ThreadVars th_v;
1275  memset(&th_v, 0, sizeof(th_v));
1276  StatsThreadInit(&th_v.stats);
1277  DetectEngineThreadCtx *det_ctx = NULL;
1278  int result = 0;
1279 
1280  Flow f;
1281  memset(&f, 0, sizeof(f));
1282  FLOW_INITIALIZE(&f);
1283 
1284  /* packet 1 */
1285  uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1286  "\r\n\r\n";
1287  uint16_t buf1len = strlen((char *)buf1);
1288  Packet *p1 = NULL;
1289 
1290  p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1291  p1->flow = &f;
1292  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1293 
1294  /* packet 2 */
1295  uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1296  "\r\n\r\n";
1297  uint16_t buf2len = strlen((char *)buf2);
1298  Packet *p2 = NULL;
1299 
1300  p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1301  p2->flow = &f;
1302  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1303 
1304  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1305  if (de_ctx == NULL) {
1306  goto end;
1307  }
1308 
1309  de_ctx->flags |= DE_QUIET;
1310 
1311  de_ctx->sig_list =
1312  SigInit(de_ctx, "alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; "
1313  "flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1314  if (de_ctx->sig_list == NULL) {
1315  result = 0;
1316  goto end;
1317  }
1318  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1319  if (de_ctx->sig_list == NULL) {
1320  result = 0;
1321  goto end;
1322  }
1323 
1324  SigGroupBuild(de_ctx);
1325  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1326 
1327  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1328  if (PacketAlertCheck(p1, 1)) {
1329  printf("sid 1 alerted, but shouldn't: ");
1330  goto end;
1331  }
1332  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1333  if (PacketAlertCheck(p2, 2))
1334  result = 1;
1335  else
1336  printf("sid 2 didn't alert, but should have: ");
1337 
1338  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1339  DetectEngineCtxFree(de_ctx);
1340 end:
1341  UTHFreePackets(&p1, 1);
1342  UTHFreePackets(&p2, 1);
1343  FLOW_DESTROY(&f);
1344  StatsThreadCleanup(&th_v.stats);
1345  return result;
1346 }
1347 
1348 static int SigTest24IPV4Keyword(void)
1349 {
1350  uint8_t valid_raw_ipv4[] = {
1351  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1352  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1353  0xc0, 0xa8, 0x01, 0x03};
1354 
1355  uint8_t invalid_raw_ipv4[] = {
1356  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1357  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1358  0xc0, 0xa8, 0x01, 0x06};
1359 
1360  Packet *p1 = PacketGetFromAlloc();
1361  if (unlikely(p1 == NULL))
1362  return 0;
1363  Packet *p2 = PacketGetFromAlloc();
1364  if (unlikely(p2 == NULL)) {
1365  SCFree(p1);
1366  return 0;
1367  }
1368  ThreadVars th_v;
1369  DetectEngineThreadCtx *det_ctx = NULL;
1370  int result = 0;
1371 
1372  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1373  "\r\n\r\n";
1374  uint16_t buflen = strlen((char *)buf);
1375 
1376  memset(&th_v, 0, sizeof(ThreadVars));
1377  StatsThreadInit(&th_v.stats);
1378 
1379  PacketSetIPV4(p1, valid_raw_ipv4);
1380  p1->src.family = AF_INET;
1381  p1->dst.family = AF_INET;
1382  p1->payload = buf;
1383  p1->payload_len = buflen;
1384  p1->proto = IPPROTO_TCP;
1385 
1386  PacketSetIPV4(p2, invalid_raw_ipv4);
1387  p2->src.family = AF_INET;
1388  p2->dst.family = AF_INET;
1389  p2->payload = buf;
1390  p2->payload_len = buflen;
1391  p2->proto = IPPROTO_TCP;
1392 
1393  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1394  if (de_ctx == NULL) {
1395  goto end;
1396  }
1397 
1398  de_ctx->flags |= DE_QUIET;
1399 
1400  de_ctx->sig_list = SigInit(de_ctx,
1401  "alert ip any any -> any any "
1402  "(content:\"/one/\"; ipv4-csum:valid; "
1403  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1404  if (de_ctx->sig_list == NULL) {
1405  printf("sig 1 parse: ");
1406  goto end;
1407  }
1408 
1409  de_ctx->sig_list->next = SigInit(de_ctx,
1410  "alert ip any any -> any any "
1411  "(content:\"/one/\"; ipv4-csum:invalid; "
1412  "msg:\"ipv4-csum keyword check(1)\"; "
1413  "sid:2;)");
1414  if (de_ctx->sig_list->next == NULL) {
1415  printf("sig 2 parse: ");
1416  goto end;
1417  }
1418 
1419  SigGroupBuild(de_ctx);
1420  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1421 
1422  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1423  if (!(PacketAlertCheck(p1, 1))) {
1424  printf("signature 1 didn't match, but should have: ");
1425  goto end;
1426  }
1427 
1428  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1429  if (!((PacketAlertCheck(p2, 2)))) {
1430  printf("signature 2 didn't match, but should have: ");
1431  goto end;
1432  }
1433 
1434  result = 1;
1435 end:
1436  if (det_ctx != NULL) {
1437  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1438  DetectEngineCtxFree(de_ctx);
1439  }
1440  PacketFree(p1);
1441  PacketFree(p2);
1442  StatsThreadCleanup(&th_v.stats);
1443  return result;
1444 }
1445 
1446 static int SigTest25NegativeIPV4Keyword(void)
1447 {
1448  uint8_t valid_raw_ipv4[] = {
1449  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1450  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1451  0xc0, 0xa8, 0x01, 0x03};
1452 
1453  uint8_t invalid_raw_ipv4[] = {
1454  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1455  0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1456  0xc0, 0xa8, 0x01, 0x06};
1457 
1458  Packet *p1 = PacketGetFromAlloc();
1459  if (unlikely(p1 == NULL))
1460  return 0;
1461  Packet *p2 = PacketGetFromAlloc();
1462  if (unlikely(p2 == NULL)) {
1463  SCFree(p1);
1464  return 0;
1465  }
1466  ThreadVars th_v;
1467  DetectEngineThreadCtx *det_ctx = NULL;
1468  int result = 1;
1469 
1470  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1471  "\r\n\r\n";
1472  uint16_t buflen = strlen((char *)buf);
1473 
1474  memset(&th_v, 0, sizeof(ThreadVars));
1475  StatsThreadInit(&th_v.stats);
1476 
1477  PacketSetIPV4(p1, valid_raw_ipv4);
1478  p1->src.family = AF_INET;
1479  p1->dst.family = AF_INET;
1480  p1->payload = buf;
1481  p1->payload_len = buflen;
1482  p1->proto = IPPROTO_TCP;
1483 
1484  PacketSetIPV4(p2, invalid_raw_ipv4);
1485  p2->src.family = AF_INET;
1486  p2->dst.family = AF_INET;
1487  p2->payload = buf;
1488  p2->payload_len = buflen;
1489  p2->proto = IPPROTO_TCP;
1490 
1491  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1492  if (de_ctx == NULL) {
1493  goto end;
1494  }
1495 
1496  de_ctx->flags |= DE_QUIET;
1497 
1498  de_ctx->sig_list = SigInit(de_ctx,
1499  "alert ip any any -> any any "
1500  "(content:\"/one/\"; ipv4-csum:invalid; "
1501  "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1502  if (de_ctx->sig_list == NULL) {
1503  result &= 0;
1504  goto end;
1505  }
1506 
1507  de_ctx->sig_list->next = SigInit(de_ctx,
1508  "alert ip any any -> any any "
1509  "(content:\"/one/\"; ipv4-csum:valid; "
1510  "msg:\"ipv4-csum keyword check(1)\"; "
1511  "sid:2;)");
1512  if (de_ctx->sig_list->next == NULL) {
1513  result &= 0;
1514  goto end;
1515  }
1516 
1517  SigGroupBuild(de_ctx);
1518  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1519 
1520  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1521  if (PacketAlertCheck(p1, 1))
1522  result &= 0;
1523  else
1524  result &= 1;
1525 
1526  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1527  if (PacketAlertCheck(p2, 2))
1528  result &= 0;
1529  else
1530  result &= 1;
1531 
1532  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1533  DetectEngineCtxFree(de_ctx);
1534 end:
1535  PacketFree(p1);
1536  PacketFree(p2);
1537  StatsThreadCleanup(&th_v.stats);
1538  return result;
1539 }
1540 
1541 static int SigTest26TCPV4Keyword(void)
1542 {
1543  uint8_t raw_ipv4[] = {
1544  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1545  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1546  0xc0, 0xa8, 0x01, 0x03};
1547 
1548  uint8_t valid_raw_tcp[] = {
1549  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1550  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1551  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1552  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1553  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1554 
1555  uint8_t invalid_raw_tcp[] = {
1556  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1557  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1558  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1559  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1560  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1561 
1562  Packet *p1 = PacketGetFromAlloc();
1563  if (unlikely(p1 == NULL))
1564  return 0;
1565 
1566  Packet *p2 = PacketGetFromAlloc();
1567  if (unlikely(p2 == NULL)) {
1568  SCFree(p1);
1569  return 0;
1570  }
1571 
1572  ThreadVars th_v;
1573  DetectEngineThreadCtx *det_ctx = NULL;
1574 
1575  memset(&th_v, 0, sizeof(ThreadVars));
1576  StatsThreadInit(&th_v.stats);
1577 
1578  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1579  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1580 
1581  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1582  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1583 
1584  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1585  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1586  p1->src.family = AF_INET;
1587  p1->dst.family = AF_INET;
1588  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1589  p1->payload_len = 20;
1590  p1->proto = IPPROTO_TCP;
1591 
1592  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1593  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1594  p2->src.family = AF_INET;
1595  p2->dst.family = AF_INET;
1596  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1597  p2->payload_len = 20;
1598  p2->proto = IPPROTO_TCP;
1599 
1600  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1601  FAIL_IF_NULL(de_ctx);
1602 
1603  de_ctx->flags |= DE_QUIET;
1604 
1605  de_ctx->sig_list = SigInit(de_ctx,
1606  "alert ip any any -> any any "
1607  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1608  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1609  FAIL_IF_NULL(de_ctx->sig_list);
1610 
1611  de_ctx->sig_list->next = SigInit(de_ctx,
1612  "alert ip any any -> any any "
1613  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1614  "msg:\"tcpv4-csum keyword check(1)\"; "
1615  "sid:2;)");
1616  FAIL_IF_NULL(de_ctx->sig_list->next);
1617 
1618  SigGroupBuild(de_ctx);
1619  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1620 
1621  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1622  FAIL_IF(!(PacketAlertCheck(p1, 1)));
1623 
1624  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1625  FAIL_IF(!(PacketAlertCheck(p2, 2)));
1626 
1627  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1628  DetectEngineCtxFree(de_ctx);
1629  PacketFree(p1);
1630  PacketFree(p2);
1631  StatsThreadCleanup(&th_v.stats);
1632  PASS;
1633 }
1634 
1635 /* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
1636 static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1637 {
1638  uint8_t raw_ipv4[] = {
1639  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1640  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1641  0xc0, 0xa8, 0x01, 0x03};
1642 
1643  uint8_t valid_raw_tcp[] = {
1644  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1645  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1646  0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1647  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1648  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1649 
1650  uint8_t invalid_raw_tcp[] = {
1651  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1652  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1653  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1654  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1655  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1656 
1657  Packet *p1 = PacketGetFromAlloc();
1658  if (unlikely(p1 == NULL))
1659  return 0;
1660 
1661  Packet *p2 = PacketGetFromAlloc();
1662  if (unlikely(p2 == NULL)) {
1663  SCFree(p1);
1664  return 0;
1665  }
1666 
1667  ThreadVars th_v;
1668  DetectEngineThreadCtx *det_ctx = NULL;
1669  int result = 0;
1670 
1671  memset(&th_v, 0, sizeof(ThreadVars));
1672  StatsThreadInit(&th_v.stats);
1673 
1674  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1675  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1676 
1677  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1678  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1679 
1680  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1681  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1682  p1->src.family = AF_INET;
1683  p1->dst.family = AF_INET;
1684  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1685  p1->payload_len = 20;
1686  p1->proto = IPPROTO_TCP;
1687 
1688  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1689  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1690  p2->src.family = AF_INET;
1691  p2->dst.family = AF_INET;
1692  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1693  p2->payload_len = 20;
1694  p2->proto = IPPROTO_TCP;
1695 
1696  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1697  if (de_ctx == NULL) {
1698  goto end;
1699  }
1700 
1701  de_ctx->flags |= DE_QUIET;
1702 
1703  de_ctx->sig_list = SigInit(de_ctx,
1704  "alert ip any any -> any any "
1705  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1706  "ipv4-csum:invalid; "
1707  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1708  if (de_ctx->sig_list == NULL) {
1709  goto end;
1710  }
1711 
1712  de_ctx->sig_list->next = SigInit(de_ctx,
1713  "alert ip any any -> any any "
1714  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1715  "ipv4-csum:invalid; "
1716  "msg:\"tcpv4-csum keyword check(1)\"; "
1717  "sid:2;)");
1718  if (de_ctx->sig_list->next == NULL) {
1719  goto end;
1720  }
1721 
1722  SigGroupBuild(de_ctx);
1723  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1724 
1725  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1726  if (!(PacketAlertCheck(p1, 1))) {
1727  printf("sig 1 didn't match: ");
1728  goto end;
1729  }
1730 
1731  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1732  if (!(PacketAlertCheck(p2, 2))) {
1733  printf("sig 2 didn't match: ");
1734  goto end;
1735  }
1736 
1737  result = 1;
1738 end:
1739  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1740  DetectEngineCtxFree(de_ctx);
1741  PacketFree(p1);
1742  PacketFree(p2);
1743  StatsThreadCleanup(&th_v.stats);
1744  return result;
1745 }
1746 
1747 /* Similar to SigTest26, but with different packet */
1748 static int SigTest26TCPV4AndIPV4Keyword(void)
1749 {
1750  /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1751  * TTL: 64 Flags: Don't Fragment
1752  */
1753  uint8_t raw_ipv4[] = {
1754  0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1755  0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1756  0xc0, 0xa8, 0xb0, 0x74};
1757 
1758  /* TCP: sport: 49517 dport: 445 Flags: SYN
1759  * Window size: 65535, checksum: 0x2009,
1760  * MTU: 1460, Window scale: 4, TSACK permitted,
1761  * 24 bytes of options, no payload.
1762  */
1763  uint8_t valid_raw_tcp[] = {
1764  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1765  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1766  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1767  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1768  0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1769  0x04, 0x02, 0x00, 0x00};
1770 
1771  uint8_t invalid_raw_tcp[] = {
1772  0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1773  0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1774  0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1775  0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1776  0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1777  0x04, 0x02, 0x00, 0x00};
1778 
1779  Packet *p1 = PacketGetFromAlloc();
1780  if (unlikely(p1 == NULL))
1781  return 0;
1782 
1783  Packet *p2 = PacketGetFromAlloc();
1784  if (unlikely(p2 == NULL)) {
1785  SCFree(p1);
1786  return 0;
1787  }
1788 
1789  ThreadVars th_v;
1790  DetectEngineThreadCtx *det_ctx = NULL;
1791  int result = 0;
1792 
1793  memset(&th_v, 0, sizeof(ThreadVars));
1794  StatsThreadInit(&th_v.stats);
1795 
1796  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1797  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1798 
1799  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1800  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1801 
1802  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1803  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1804  p1->src.family = AF_INET;
1805  p1->dst.family = AF_INET;
1806  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1807  p1->payload_len = 0;
1808  p1->proto = IPPROTO_TCP;
1809 
1810  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1811  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1812  p2->src.family = AF_INET;
1813  p2->dst.family = AF_INET;
1814  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1815  p2->payload_len = 0;
1816  p2->proto = IPPROTO_TCP;
1817 
1818  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1819  if (de_ctx == NULL) {
1820  goto end;
1821  }
1822 
1823  de_ctx->flags |= DE_QUIET;
1824 
1825  de_ctx->sig_list = SigInit(de_ctx,
1826  "alert ip any any -> any any "
1827  "(tcpv4-csum:valid; "
1828  "ipv4-csum:valid; "
1829  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1830  if (de_ctx->sig_list == NULL) {
1831  goto end;
1832  }
1833 
1834  de_ctx->sig_list->next = SigInit(de_ctx,
1835  "alert ip any any -> any any "
1836  "(tcpv4-csum:invalid; "
1837  "ipv4-csum:valid; "
1838  "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1839  "sid:2;)");
1840  if (de_ctx->sig_list->next == NULL) {
1841  goto end;
1842  }
1843 
1844  SigGroupBuild(de_ctx);
1845  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1846 
1847  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1848  if (!(PacketAlertCheck(p1, 1))) {
1849  printf("sig 1 didn't match: ");
1850  goto end;
1851  }
1852 
1853  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1854  if (!(PacketAlertCheck(p2, 2))) {
1855  printf("sig 2 didn't match: ");
1856  goto end;
1857  }
1858 
1859  result = 1;
1860 end:
1861  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1862  DetectEngineCtxFree(de_ctx);
1863  PacketFree(p1);
1864  PacketFree(p2);
1865  StatsThreadCleanup(&th_v.stats);
1866  return result;
1867 }
1868 
1869 static int SigTest27NegativeTCPV4Keyword(void)
1870 {
1871  uint8_t raw_ipv4[] = {
1872  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1873  0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1874  0xc0, 0xa8, 0x01, 0x03};
1875 
1876  uint8_t valid_raw_tcp[] = {
1877  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1878  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1879  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1880  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1881  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1882 
1883  uint8_t invalid_raw_tcp[] = {
1884  0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1885  0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1886  0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1887  0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1888  0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1889 
1890  Packet *p1 = PacketGetFromAlloc();
1891  if (unlikely(p1 == NULL))
1892  return 0;
1893  Packet *p2 = PacketGetFromAlloc();
1894  if (unlikely(p2 == NULL)) {
1895  SCFree(p1);
1896  return 0;
1897  }
1898  ThreadVars th_v;
1899  DetectEngineThreadCtx *det_ctx = NULL;
1900  int result = 0;
1901 
1902  memset(&th_v, 0, sizeof(ThreadVars));
1903  StatsThreadInit(&th_v.stats);
1904 
1905  PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1906  PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1907 
1908  PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1909  PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1910 
1911  PacketSetIPV4(p1, GET_PKT_DATA(p1));
1912  PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1913  p1->src.family = AF_INET;
1914  p1->dst.family = AF_INET;
1915  p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1916  p1->payload_len = 20;
1917  p1->proto = IPPROTO_TCP;
1918 
1919  PacketSetIPV4(p2, GET_PKT_DATA(p2));
1920  PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1921  p2->src.family = AF_INET;
1922  p2->dst.family = AF_INET;
1923  p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1924  p2->payload_len = 20;
1925  p2->proto = IPPROTO_TCP;
1926 
1927  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1928  if (de_ctx == NULL) {
1929  goto end;
1930  }
1931 
1932  de_ctx->flags |= DE_QUIET;
1933 
1934  de_ctx->sig_list = SigInit(de_ctx,
1935  "alert tcp any any -> any any "
1936  "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
1937  "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1938  if (de_ctx->sig_list == NULL) {
1939  goto end;
1940  }
1941 
1942  de_ctx->sig_list->next = SigInit(de_ctx,
1943  "alert tcp any any -> any any "
1944  "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1945  "msg:\"tcpv4-csum keyword check(2)\"; "
1946  "sid:2;)");
1947  if (de_ctx->sig_list->next == NULL) {
1948  goto end;
1949  }
1950 
1951  SigGroupBuild(de_ctx);
1952  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1953 
1954  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1955  if (!PacketAlertCheck(p1, 1)) {
1956  printf("sig 1 didn't match on p1: ");
1957  goto end;
1958  }
1959 
1960  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1961  if (PacketAlertCheck(p2, 2)) {
1962  printf("sig 2 matched on p2: ");
1963  goto end;
1964  }
1965 
1966  result = 1;
1967 end:
1968  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1969  DetectEngineCtxFree(de_ctx);
1970  PacketFree(p1);
1971  PacketFree(p2);
1972  StatsThreadCleanup(&th_v.stats);
1973  return result;
1974 }
1975 
1976 static int SigTest28TCPV6Keyword(void)
1977 {
1978  static uint8_t valid_raw_ipv6[] = {
1979  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
1980  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
1981 
1982  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
1983  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
1984  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
1985  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
1986  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
1987 
1988  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
1989  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
1990  0xf2, 0xf1, 0x00, 0x00,
1991 
1992  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
1993  0x00, 0x01, 0x69, 0x27};
1994 
1995  static uint8_t invalid_raw_ipv6[] = {
1996  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
1997  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
1998 
1999  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2000  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2001  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2002  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2003  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2004 
2005  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2006  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2007  0xc2, 0xf1, 0x00, 0x00,
2008 
2009  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2010  0x00, 0x01, 0x69, 0x28};
2011 
2012  Packet *p1 = PacketGetFromAlloc();
2013  if (unlikely(p1 == NULL))
2014  return 0;
2015  Packet *p2 = PacketGetFromAlloc();
2016  if (unlikely(p2 == NULL)) {
2017  SCFree(p1);
2018  return 0;
2019  }
2020  ThreadVars th_v;
2021  DetectEngineThreadCtx *det_ctx = NULL;
2022  int result = 0;
2023 
2024  memset(&th_v, 0, sizeof(ThreadVars));
2025  StatsThreadInit(&th_v.stats);
2026 
2027  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2028  PacketSetTCP(p1, (valid_raw_ipv6 + 54));
2029  p1->src.family = AF_INET;
2030  p1->dst.family = AF_INET;
2031  p1->payload = valid_raw_ipv6 + 54 + 20;
2032  p1->payload_len = 12;
2033  p1->proto = IPPROTO_TCP;
2034 
2035  if (TCP_GET_RAW_HLEN(PacketGetTCP(p1)) != 20) {
2036  BUG_ON(1);
2037  }
2038 
2039  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2040  PacketSetTCP(p2, (invalid_raw_ipv6 + 54));
2041  p2->src.family = AF_INET;
2042  p2->dst.family = AF_INET;
2043  p2->payload = invalid_raw_ipv6 + 54 + 20;
2044  p2->payload_len = 12;
2045  p2->proto = IPPROTO_TCP;
2046 
2047  if (TCP_GET_RAW_HLEN(PacketGetTCP(p2)) != 20) {
2048  BUG_ON(1);
2049  }
2050 
2051  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2052  if (de_ctx == NULL) {
2053  goto end;
2054  }
2055 
2056  de_ctx->flags |= DE_QUIET;
2057 
2058  de_ctx->sig_list = SigInit(de_ctx,
2059  "alert tcp any any -> any any "
2060  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2061  "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2062  if (de_ctx->sig_list == NULL) {
2063  goto end;
2064  }
2065 
2066  de_ctx->sig_list->next = SigInit(de_ctx,
2067  "alert tcp any any -> any any "
2068  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2069  "msg:\"tcpv6-csum keyword check(1)\"; "
2070  "sid:2;)");
2071  if (de_ctx->sig_list->next == NULL) {
2072  goto end;
2073  }
2074 
2075  SigGroupBuild(de_ctx);
2076  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2077 
2078  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2079  if (!(PacketAlertCheck(p1, 1))) {
2080  printf("sid 1 didn't match on p1: ");
2081  goto end;
2082  }
2083 
2084  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2085  if (!(PacketAlertCheck(p2, 2))) {
2086  printf("sid 2 didn't match on p2: ");
2087  goto end;
2088  }
2089 
2090  result = 1;
2091 end:
2092  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2093  DetectEngineCtxFree(de_ctx);
2094  PacketFree(p1);
2095  PacketFree(p2);
2096  StatsThreadCleanup(&th_v.stats);
2097  return result;
2098 }
2099 
2100 static int SigTest29NegativeTCPV6Keyword(void)
2101 {
2102  static uint8_t valid_raw_ipv6[] = {
2103  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2104  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2105 
2106  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2107  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2108  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2109  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2110  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2111 
2112  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2113  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2114  0xf2, 0xf1, 0x00, 0x00,
2115 
2116  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2117  0x00, 0x01, 0x69, 0x27};
2118 
2119  static uint8_t invalid_raw_ipv6[] = {
2120  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2121  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2122 
2123  0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2124  0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2125  0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2126  0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2127  0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2128 
2129  0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2130  0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2131  0xc2, 0xf1, 0x00, 0x00,
2132 
2133  0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2134  0x00, 0x01, 0x69, 0x28};
2135 
2136  Packet *p1 = PacketGetFromAlloc();
2137  if (unlikely(p1 == NULL))
2138  return 0;
2139  Packet *p2 = PacketGetFromAlloc();
2140  if (unlikely(p2 == NULL)) {
2141  SCFree(p1);
2142  return 0;
2143  }
2144  ThreadVars th_v;
2145  DetectEngineThreadCtx *det_ctx = NULL;
2146  int result = 0;
2147 
2148  memset(&th_v, 0, sizeof(ThreadVars));
2149  StatsThreadInit(&th_v.stats);
2150 
2151  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2152  PacketSetTCP(p1, valid_raw_ipv6 + 54);
2153  p1->src.family = AF_INET;
2154  p1->dst.family = AF_INET;
2155  p1->payload = valid_raw_ipv6 + 54 + 20;
2156  p1->payload_len = 12;
2157  p1->proto = IPPROTO_TCP;
2158 
2159  if (TCP_GET_RAW_HLEN(PacketGetTCP(p1)) != 20) {
2160  BUG_ON(1);
2161  }
2162 
2163  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2164  PacketSetTCP(p2, invalid_raw_ipv6 + 54);
2165  p2->src.family = AF_INET;
2166  p2->dst.family = AF_INET;
2167  p2->payload = invalid_raw_ipv6 + 54 + 20;
2168  p2->payload_len = 12;
2169  p2->proto = IPPROTO_TCP;
2170 
2171  FAIL_IF(TCP_GET_RAW_HLEN(PacketGetTCP(p2)) != 20);
2172 
2173  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2174  if (de_ctx == NULL) {
2175  goto end;
2176  }
2177 
2178  de_ctx->flags |= DE_QUIET;
2179 
2180  de_ctx->sig_list = SigInit(de_ctx,
2181  "alert tcp any any -> any any "
2182  "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2183  "msg:\"tcpv6-csum keyword check(1)\"; "
2184  "sid:1;)");
2185  if (de_ctx->sig_list == NULL) {
2186  goto end;
2187  }
2188 
2189  de_ctx->sig_list->next = SigInit(de_ctx,
2190  "alert tcp any any -> any any "
2191  "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2192  "msg:\"tcpv6-csum keyword check(1)\"; "
2193  "sid:2;)");
2194  if (de_ctx->sig_list->next == NULL) {
2195  goto end;
2196  }
2197 
2198  SigGroupBuild(de_ctx);
2199  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2200 
2201  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2202  if (PacketAlertCheck(p1, 1))
2203  goto end;
2204 
2205  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2206  if (PacketAlertCheck(p2, 2))
2207  goto end;
2208 
2209  result = 1;
2210 end:
2211  if (det_ctx != NULL)
2212  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2213  DetectEngineCtxFree(de_ctx);
2214  PacketFree(p1);
2215  PacketFree(p2);
2216  StatsThreadCleanup(&th_v.stats);
2217  return result;
2218 }
2219 
2220 static int SigTest30UDPV4Keyword(void)
2221 {
2222  uint8_t raw_ipv4[] = {
2223  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2224  0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2225  0xc0, 0xa8, 0x01, 0x03};
2226 
2227  uint8_t valid_raw_udp[] = {
2228  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2229  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2230  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2231  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2232  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2233  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2234  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2235  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2236  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2237  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2238  0x67, 0x6c, 0x65, 0xc0, 0x26};
2239 
2240  uint8_t invalid_raw_udp[] = {
2241  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2242  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2243  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2244  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2245  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2246  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2247  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2248  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2249  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2250  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2251  0x67, 0x6c, 0x65, 0xc0, 0x27};
2252 
2253  Packet *p1 = PacketGetFromAlloc();
2254  FAIL_IF_NULL(p1);
2255  Packet *p2 = PacketGetFromAlloc();
2256  FAIL_IF_NULL(p2);
2257 
2258  ThreadVars th_v;
2259  DetectEngineThreadCtx *det_ctx = NULL;
2260 
2261  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2262  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2263 
2264  memset(&th_v, 0, sizeof(ThreadVars));
2265  StatsThreadInit(&th_v.stats);
2266 
2267  PacketSetIPV4(p1, raw_ipv4);
2268  PacketSetUDP(p1, valid_raw_udp);
2269  p1->src.family = AF_INET;
2270  p1->dst.family = AF_INET;
2271  p1->payload = buf;
2272  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2273  p1->proto = IPPROTO_UDP;
2274 
2275  PacketSetIPV4(p2, raw_ipv4);
2276  PacketSetUDP(p2, invalid_raw_udp);
2277  p2->src.family = AF_INET;
2278  p2->dst.family = AF_INET;
2279  p2->payload = buf;
2280  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2281  p2->proto = IPPROTO_UDP;
2282 
2283  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2284  FAIL_IF_NULL(de_ctx);
2285 
2286  de_ctx->flags |= DE_QUIET;
2287 
2288  de_ctx->sig_list = SigInit(de_ctx,
2289  "alert udp any any -> any any "
2290  "(content:\"/one/\"; udpv4-csum:valid; "
2291  "msg:\"udpv4-csum keyword check(1)\"; "
2292  "sid:1;)");
2293  FAIL_IF_NULL(de_ctx->sig_list);
2294 
2295  de_ctx->sig_list->next = SigInit(de_ctx,
2296  "alert udp any any -> any any "
2297  "(content:\"/one/\"; udpv4-csum:invalid; "
2298  "msg:\"udpv4-csum keyword check(1)\"; "
2299  "sid:2;)");
2300  FAIL_IF_NULL(de_ctx->sig_list->next);
2301 
2302  SigGroupBuild(de_ctx);
2303  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2304 
2305  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2306  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2307 
2308  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2309  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2310 
2311  if (det_ctx != NULL)
2312  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2313  DetectEngineCtxFree(de_ctx);
2314  PacketFree(p1);
2315  PacketFree(p2);
2316  StatsThreadCleanup(&th_v.stats);
2317  PASS;
2318 }
2319 
2320 static int SigTest31NegativeUDPV4Keyword(void)
2321 {
2322  uint8_t raw_ipv4[] = {
2323  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2324  0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2325  0xc0, 0xa8, 0x01, 0x03};
2326 
2327  uint8_t valid_raw_udp[] = {
2328  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2329  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2330  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2331  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2332  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2333  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2334  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2335  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2336  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2337  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2338  0x67, 0x6c, 0x65, 0xc0, 0x26};
2339 
2340  uint8_t invalid_raw_udp[] = {
2341  0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2342  0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2343  0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2344  0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2345  0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2346  0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2347  0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2348  0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2349  0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2350  0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2351  0x67, 0x6c, 0x65, 0xc0, 0x27};
2352 
2353  Packet *p1 = PacketGetFromAlloc();
2354  if (unlikely(p1 == NULL))
2355  return 0;
2356  Packet *p2 = PacketGetFromAlloc();
2357  if (unlikely(p2 == NULL)) {
2358  SCFree(p1);
2359  return 0;
2360  }
2361  ThreadVars th_v;
2362  DetectEngineThreadCtx *det_ctx = NULL;
2363  int result = 1;
2364 
2365  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2366  "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2367 
2368  memset(&th_v, 0, sizeof(ThreadVars));
2369  StatsThreadInit(&th_v.stats);
2370 
2371  PacketSetIPV4(p1, raw_ipv4);
2372  PacketSetUDP(p1, valid_raw_udp);
2373  p1->src.family = AF_INET;
2374  p1->dst.family = AF_INET;
2375  p1->payload = buf;
2376  p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2377  p1->proto = IPPROTO_UDP;
2378 
2379  PacketSetIPV4(p2, raw_ipv4);
2380  PacketSetUDP(p2, invalid_raw_udp);
2381  p2->src.family = AF_INET;
2382  p2->dst.family = AF_INET;
2383  p2->payload = buf;
2384  p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2385  p2->proto = IPPROTO_UDP;
2386 
2387  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2388  if (de_ctx == NULL) {
2389  goto end;
2390  }
2391 
2392  de_ctx->flags |= DE_QUIET;
2393 
2394  de_ctx->sig_list = SigInit(de_ctx,
2395  "alert udp any any -> any any "
2396  "(content:\"/one/\"; udpv4-csum:invalid; "
2397  "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2398  if (de_ctx->sig_list == NULL) {
2399  result &= 0;
2400  goto end;
2401  }
2402 
2403  de_ctx->sig_list->next = SigInit(de_ctx,
2404  "alert udp any any -> any any "
2405  "(content:\"/one/\"; udpv4-csum:valid; "
2406  "msg:\"udpv4-csum keyword check(1)\"; "
2407  "sid:2;)");
2408  if (de_ctx->sig_list->next == NULL) {
2409  result &= 0;
2410  goto end;
2411  }
2412 
2413  SigGroupBuild(de_ctx);
2414  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2415 
2416  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2417  if (PacketAlertCheck(p1, 1))
2418  result &= 0;
2419  else
2420  result &= 1;
2421 
2422  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2423  if (PacketAlertCheck(p2, 2)) {
2424  result &= 0;
2425  }
2426  else
2427  result &= 1;
2428 
2429  if (det_ctx != NULL)
2430  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2431  DetectEngineCtxFree(de_ctx);
2432 end:
2433  PacketFree(p1);
2434  PacketFree(p2);
2435  StatsThreadCleanup(&th_v.stats);
2436  return result;
2437 }
2438 
2439 
2440 static int SigTest32UDPV6Keyword(void)
2441 {
2442  static uint8_t valid_raw_ipv6[] = {
2443  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2444  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2445  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2446  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2447  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2448  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2449  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2450  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2451  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2452  0x09, 0x00};
2453 
2454  static uint8_t invalid_raw_ipv6[] = {
2455  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2456  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2457  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2458  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2459  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2460  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2461  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2462  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2463  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2464  0x09, 0x01};
2465 
2466  Packet *p1 = PacketGetFromAlloc();
2467  FAIL_IF_NULL(p1);
2468  Packet *p2 = PacketGetFromAlloc();
2469  FAIL_IF_NULL(p2);
2470 
2471  ThreadVars th_v;
2472  DetectEngineThreadCtx *det_ctx = NULL;
2473 
2474  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2475  "\r\n\r\n";
2476 
2477  memset(&th_v, 0, sizeof(ThreadVars));
2478  StatsThreadInit(&th_v.stats);
2479 
2480  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2481  PacketSetUDP(p1, valid_raw_ipv6 + 54);
2482  p1->src.family = AF_INET;
2483  p1->dst.family = AF_INET;
2484  p1->payload = buf;
2485  p1->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p1)) - UDP_HEADER_LEN;
2486  p1->proto = IPPROTO_UDP;
2487 
2488  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2489  PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2490  p2->src.family = AF_INET;
2491  p2->dst.family = AF_INET;
2492  p2->payload = buf;
2493  p2->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p2)) - UDP_HEADER_LEN;
2494  p2->proto = IPPROTO_UDP;
2495 
2496  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2497  FAIL_IF_NULL(de_ctx);
2498 
2499  de_ctx->flags |= DE_QUIET;
2500 
2501  de_ctx->sig_list = SigInit(de_ctx,
2502  "alert udp any any -> any any "
2503  "(content:\"/one/\"; udpv6-csum:valid; "
2504  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2505  FAIL_IF_NULL(de_ctx->sig_list);
2506 
2507  de_ctx->sig_list->next = SigInit(de_ctx,
2508  "alert udp any any -> any any "
2509  "(content:\"/one/\"; udpv6-csum:invalid; "
2510  "msg:\"udpv6-csum keyword check(1)\"; "
2511  "sid:2;)");
2512  FAIL_IF_NULL(de_ctx->sig_list->next);
2513 
2514  SigGroupBuild(de_ctx);
2515  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2516 
2517  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2518  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2519 
2520  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2521  FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2522 
2523  if (det_ctx != NULL)
2524  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2525  DetectEngineCtxFree(de_ctx);
2526 
2527  PacketFree(p1);
2528  PacketFree(p2);
2529  StatsThreadCleanup(&th_v.stats);
2530  PASS;
2531 }
2532 
2533 static int SigTest33NegativeUDPV6Keyword(void)
2534 {
2535  static uint8_t valid_raw_ipv6[] = {
2536  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2537  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2538  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2539  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2540  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2541  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2542  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2543  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2544  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2545  0x09, 0x00};
2546 
2547  static uint8_t invalid_raw_ipv6[] = {
2548  0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2549  0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2550  0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2551  0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2552  0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2553  0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2554  0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2555  0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2556  0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2557  0x09, 0x01};
2558 
2559  Packet *p1 = PacketGetFromAlloc();
2560  if (unlikely(p1 == NULL))
2561  return 0;
2562  Packet *p2 = PacketGetFromAlloc();
2563  if (unlikely(p2 == NULL)) {
2564  SCFree(p1);
2565  return 0;
2566  }
2567  ThreadVars th_v;
2568  DetectEngineThreadCtx *det_ctx = NULL;
2569  int result = 1;
2570 
2571  uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2572  "\r\n\r\n";
2573 
2574  memset(&th_v, 0, sizeof(ThreadVars));
2575  StatsThreadInit(&th_v.stats);
2576 
2577  PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2578  PacketSetUDP(p1, valid_raw_ipv6 + 54);
2579  p1->src.family = AF_INET;
2580  p1->dst.family = AF_INET;
2581  p1->payload = buf;
2582  p1->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p1)) - UDP_HEADER_LEN;
2583  p1->proto = IPPROTO_UDP;
2584 
2585  PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2586  PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2587  p2->src.family = AF_INET;
2588  p2->dst.family = AF_INET;
2589  p2->payload = buf;
2590  p2->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p2)) - UDP_HEADER_LEN;
2591  p2->proto = IPPROTO_UDP;
2592 
2593  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2594  if (de_ctx == NULL) {
2595  goto end;
2596  }
2597 
2598  de_ctx->flags |= DE_QUIET;
2599 
2600  de_ctx->sig_list = SigInit(de_ctx,
2601  "alert udp any any -> any any "
2602  "(content:\"/one/\"; udpv6-csum:invalid; "
2603  "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2604  if (de_ctx->sig_list == NULL) {
2605  result &= 0;
2606  goto end;
2607  }
2608 
2609  de_ctx->sig_list->next = SigInit(de_ctx,
2610  "alert udp any any -> any any "
2611  "(content:\"/one/\"; udpv6-csum:valid; "
2612  "msg:\"udpv6-csum keyword check(1)\"; "
2613  "sid:2;)");
2614  if (de_ctx->sig_list->next == NULL) {
2615  result &= 0;
2616  goto end;
2617  }
2618 
2619  SigGroupBuild(de_ctx);
2620  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2621 
2622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2623  if (PacketAlertCheck(p1, 1))
2624  result &= 0;
2625  else
2626  result &= 1;
2627 
2628  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2629  if (PacketAlertCheck(p2, 2))
2630  result &= 0;
2631  else
2632  result &= 1;
2633 
2634  if (det_ctx != NULL)
2635  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2636  DetectEngineCtxFree(de_ctx);
2637 end:
2638  PacketFree(p1);
2639  PacketFree(p2);
2640  StatsThreadCleanup(&th_v.stats);
2641  return result;
2642 }
2643 
2644 static int SigTest34ICMPV4Keyword(void)
2645 {
2646  uint8_t valid_raw_ipv4[] = {
2647  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2648  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2649  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2650  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2651  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2652  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2653  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2654  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2655  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2656  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2657  0x34, 0x35, 0x36, 0x37};
2658 
2659  uint8_t invalid_raw_ipv4[] = {
2660  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2661  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2662  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2663  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2664  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2665  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2666  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2667  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2668  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2669  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2670  0x34, 0x35, 0x36, 0x38};
2671 
2672  Packet *p1 = PacketGetFromAlloc();
2673  if (unlikely(p1 == NULL))
2674  return 0;
2675  Packet *p2 = PacketGetFromAlloc();
2676  if (unlikely(p2 == NULL)) {
2677  SCFree(p1);
2678  return 0;
2679  }
2680  ThreadVars th_v;
2681  DetectEngineThreadCtx *det_ctx = NULL;
2682  int result = 1;
2683 
2684  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2685  "\r\n\r\n";
2686  uint16_t buflen = strlen((char *)buf);
2687 
2688  memset(&th_v, 0, sizeof(ThreadVars));
2689  StatsThreadInit(&th_v.stats);
2690 
2691  IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2692  ip4h->ip_verhl = 69;
2693  (void)PacketSetICMPv4(p1, valid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2694  p1->src.family = AF_INET;
2695  p1->dst.family = AF_INET;
2696  p1->payload = buf;
2697  p1->payload_len = buflen;
2698  p1->proto = IPPROTO_ICMP;
2699 
2700  ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2701  ip4h->ip_verhl = 69;
2702  (void)PacketSetICMPv4(p2, invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2703  p2->src.family = AF_INET;
2704  p2->dst.family = AF_INET;
2705  p2->payload = buf;
2706  p2->payload_len = buflen;
2707  p2->proto = IPPROTO_ICMP;
2708 
2709  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2710  if (de_ctx == NULL) {
2711  goto end;
2712  }
2713 
2714  de_ctx->flags |= DE_QUIET;
2715 
2716  de_ctx->sig_list = SigInit(de_ctx,
2717  "alert icmp any any -> any any "
2718  "(content:\"/one/\"; icmpv4-csum:valid; "
2719  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2720  if (de_ctx->sig_list == NULL) {
2721  result &= 0;
2722  goto end;
2723  }
2724 
2725  de_ctx->sig_list->next = SigInit(de_ctx,
2726  "alert icmp any any -> any any "
2727  "(content:\"/one/\"; icmpv4-csum:invalid; "
2728  "msg:\"icmpv4-csum keyword check(1)\"; "
2729  "sid:2;)");
2730  if (de_ctx->sig_list->next == NULL) {
2731  result = 0;
2732  goto end;
2733  }
2734 
2735  SigGroupBuild(de_ctx);
2736  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2737 
2738  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2739  if (PacketAlertCheck(p1, 1))
2740  result &= 1;
2741  else
2742  result &= 0;
2743 
2744  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2745  if (PacketAlertCheck(p2, 2))
2746  result &= 1;
2747  else
2748  result &= 0;
2749 
2750  if (det_ctx != NULL)
2751  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2752  DetectEngineCtxFree(de_ctx);
2753 end:
2754  PacketFree(p1);
2755  PacketFree(p2);
2756  StatsThreadCleanup(&th_v.stats);
2757  return result;
2758 }
2759 
2760 static int SigTest35NegativeICMPV4Keyword(void)
2761 {
2762  uint8_t valid_raw_ipv4[] = {
2763  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2764  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2765  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2766  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2767  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2768  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2769  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2770  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2771  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2772  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2773  0x34, 0x35, 0x36, 0x37};
2774 
2775  uint8_t invalid_raw_ipv4[] = {
2776  0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2777  0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2778  0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2779  0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2780  0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2781  0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2782  0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2783  0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2784  0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2785  0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2786  0x34, 0x35, 0x36, 0x38};
2787 
2788  Packet *p1 = PacketGetFromAlloc();
2789  if (unlikely(p1 == NULL))
2790  return 0;
2791  Packet *p2 = PacketGetFromAlloc();
2792  if (unlikely(p2 == NULL)) {
2793  SCFree(p1);
2794  return 0;
2795  }
2796  ThreadVars th_v;
2797  DetectEngineThreadCtx *det_ctx = NULL;
2798  int result = 1;
2799 
2800  uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2801  "\r\n\r\n";
2802  uint16_t buflen = strlen((char *)buf);
2803 
2804  memset(&th_v, 0, sizeof(ThreadVars));
2805  StatsThreadInit(&th_v.stats);
2806 
2807  IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2808  ip4h->ip_verhl = 69;
2809  (void)PacketSetICMPv4(p1, valid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2810  p1->src.family = AF_INET;
2811  p1->dst.family = AF_INET;
2812  p1->payload = buf;
2813  p1->payload_len = buflen;
2814  p1->proto = IPPROTO_ICMP;
2815 
2816  ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2817  ip4h->ip_verhl = 69;
2818  (void)PacketSetICMPv4(p2, invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2819  p2->src.family = AF_INET;
2820  p2->dst.family = AF_INET;
2821  p2->payload = buf;
2822  p2->payload_len = buflen;
2823  p2->proto = IPPROTO_ICMP;
2824 
2825  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2826  if (de_ctx == NULL) {
2827  goto end;
2828  }
2829 
2830  de_ctx->flags |= DE_QUIET;
2831 
2832  de_ctx->sig_list = SigInit(de_ctx,
2833  "alert icmp any any -> any any "
2834  "(content:\"/one/\"; icmpv4-csum:invalid; "
2835  "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2836  if (de_ctx->sig_list == NULL) {
2837  result &= 0;
2838  goto end;
2839  }
2840 
2841  de_ctx->sig_list->next = SigInit(de_ctx,
2842  "alert icmp any any -> any any "
2843  "(content:\"/one/\"; icmpv4-csum:valid; "
2844  "msg:\"icmpv4-csum keyword check(1)\"; "
2845  "sid:2;)");
2846  if (de_ctx->sig_list->next == NULL) {
2847  result &= 0;
2848  goto end;
2849  }
2850 
2851  SigGroupBuild(de_ctx);
2852  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2853 
2854  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2855  if (PacketAlertCheck(p1, 1))
2856  result &= 0;
2857  else
2858  result &= 1;
2859 
2860  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2861  if (PacketAlertCheck(p2, 2))
2862  result &= 0;
2863  else {
2864  result &= 1;
2865  }
2866 
2867  if (det_ctx != NULL)
2868  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2869  DetectEngineCtxFree(de_ctx);
2870 end:
2871  PacketFree(p1);
2872  PacketFree(p2);
2873  StatsThreadCleanup(&th_v.stats);
2874  return result;
2875 }
2876 
2877 static int SigTest38(void)
2878 {
2879  Packet *p1 = PacketGetFromAlloc();
2880  if (unlikely(p1 == NULL))
2881  return 0;
2882  ThreadVars th_v;
2883  DetectEngineThreadCtx *det_ctx = NULL;
2884  int result = 1;
2885  uint8_t raw_eth[] = {
2886  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
2887  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2888  0x08, 0x00
2889  };
2890  uint8_t raw_ipv4[] = {
2891  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
2892  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
2893  0x7f, 0x00, 0x00, 0x01
2894  };
2895  uint8_t raw_tcp[] = {
2896  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
2897  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
2898  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
2899  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
2900  0x00, 0x22, 0xaa, 0x10
2901  };
2902  uint8_t buf[] = {
2903  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
2904  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
2905  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
2906  0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
2907  0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2908  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2909  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2910  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
2911  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
2912  0x0a
2913  };
2914  uint16_t ethlen = sizeof(raw_eth);
2915  uint16_t ipv4len = sizeof(raw_ipv4);
2916  uint16_t tcplen = sizeof(raw_tcp);
2917  uint16_t buflen = sizeof(buf);
2918 
2919  memset(&th_v, 0, sizeof(ThreadVars));
2920  StatsThreadInit(&th_v.stats);
2921 
2922  /* Copy raw data into packet */
2923  if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
2924  SCFree(p1);
2925  return 1;
2926  }
2927  if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
2928  SCFree(p1);
2929  return 1;
2930  }
2931  if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
2932  SCFree(p1);
2933  return 1;
2934  }
2935  if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
2936  SCFree(p1);
2937  return 1;
2938  }
2939  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
2940 
2941  PacketSetEthernet(p1, raw_eth);
2942  PacketSetIPV4(p1, raw_ipv4);
2943  PacketSetTCP(p1, raw_tcp);
2944  p1->src.family = AF_INET;
2945  p1->dst.family = AF_INET;
2946  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
2947  p1->payload_len = buflen;
2948  p1->proto = IPPROTO_TCP;
2949 
2950  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2951  if (de_ctx == NULL) {
2952  goto end;
2953  }
2954  de_ctx->flags |= DE_QUIET;
2955 
2956  de_ctx->sig_list = SigInit(de_ctx,
2957  "alert tcp any any -> any any "
2958  "(content:\"LEN1|20|\"; "
2959  "byte_test:4,=,8,0; "
2960  "msg:\"byte_test keyword check(1)\"; sid:1;)");
2961  if (de_ctx->sig_list == NULL) {
2962  result &= 0;
2963  goto end;
2964  }
2965  de_ctx->sig_list->next = SigInit(de_ctx,
2966  "alert tcp any any -> any any "
2967  "(content:\"LEN1|20|\"; "
2968  "byte_test:4,=,8,5,relative,string,dec; "
2969  "msg:\"byte_test keyword check(2)\"; sid:2;)");
2970  if (de_ctx->sig_list->next == NULL) {
2971  result &= 0;
2972  goto end;
2973  }
2974 
2975  SigGroupBuild(de_ctx);
2976  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
2977 
2978  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2979  if (PacketAlertCheck(p1, 1)) {
2980  result = 1;
2981  } else {
2982  result = 0;
2983  printf("sid 1 didn't alert, but should have: ");
2984  goto cleanup;
2985  }
2986  if (PacketAlertCheck(p1, 2)) {
2987  result = 1;
2988  } else {
2989  result = 0;
2990  printf("sid 2 didn't alert, but should have: ");
2991  goto cleanup;
2992  }
2993 
2994 cleanup:
2995  if (det_ctx != NULL)
2996  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2997  DetectEngineCtxFree(de_ctx);
2998 
2999 end:
3000  PacketFree(p1);
3001  StatsThreadCleanup(&th_v.stats);
3002  return result;
3003 }
3004 
3005 static int SigTest39(void)
3006 {
3007  ThreadVars th_v;
3008  DetectEngineThreadCtx *det_ctx = NULL;
3009  uint8_t raw_eth[] = {
3010  0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3011  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3012  0x08, 0x00
3013  };
3014  uint8_t raw_ipv4[] = {
3015  0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3016  0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3017  0x7f, 0x00, 0x00, 0x01
3018  };
3019  uint8_t raw_tcp[] = {
3020  0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3021  0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3022  0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3023  0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3024  0x00, 0x22, 0xaa, 0x10
3025  };
3026  uint8_t buf[] = {
3027  0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3028  0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3029  0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3030  0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3031  0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3032  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3033  0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3034  0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3035  0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3036  0x0a
3037  };
3038  uint16_t ethlen = sizeof(raw_eth);
3039  uint16_t ipv4len = sizeof(raw_ipv4);
3040  uint16_t tcplen = sizeof(raw_tcp);
3041  uint16_t buflen = sizeof(buf);
3042 
3043  memset(&th_v, 0, sizeof(ThreadVars));
3044  StatsThreadInit(&th_v.stats);
3045 
3046  Packet *p1 = PacketGetFromAlloc();
3047  FAIL_IF_NULL(p1);
3048  /* Copy raw data into packet */
3049  FAIL_IF(PacketCopyData(p1, raw_eth, ethlen) == -1);
3050  FAIL_IF(PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1);
3051  FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1);
3052  FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1);
3053  SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3054 
3055  PacketSetEthernet(p1, raw_eth);
3056  PacketSetIPV4(p1, raw_ipv4);
3057  PacketSetTCP(p1, raw_tcp);
3058  p1->src.family = AF_INET;
3059  p1->dst.family = AF_INET;
3060  p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3061  p1->payload_len = buflen;
3062  p1->proto = IPPROTO_TCP;
3063 
3064  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3065  FAIL_IF_NULL(de_ctx);
3066  de_ctx->flags |= DE_QUIET;
3067 
3068  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3069  "(content:\"LEN1|20|\"; "
3070  "byte_test:4,=,8,0; "
3071  "byte_jump:4,0; "
3072  "byte_test:6,=,0x4c454e312038,0,relative; "
3073  "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3074  FAIL_IF_NULL(s);
3075  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3076  "(content:\"LEN1|20|\"; "
3077  "byte_test:4,=,8,4,relative,string,dec; "
3078  "byte_jump:4,4,relative,string,dec,post_offset 2; "
3079  "byte_test:4,=,0x4c454e32,0,relative; "
3080  "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3081  FAIL_IF_NULL(s);
3082  SigGroupBuild(de_ctx);
3083  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3084 
3085  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3086 
3087  FAIL_IF_NOT(PacketAlertCheck(p1, 1));
3088  FAIL_IF_NOT(PacketAlertCheck(p1, 2));
3089 
3090  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3091  DetectEngineCtxFree(de_ctx);
3092 
3093  PacketFree(p1);
3094  StatsThreadCleanup(&th_v.stats);
3095  PASS;
3096 }
3097 
3098 /**
3099  * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3100  * \brief expecting to match a size
3101  */
3102 
3103 static int SigTest36ContentAndIsdataatKeywords01 (void)
3104 {
3105  // Build and decode the packet
3106  uint8_t raw_eth [] = {
3107  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3108  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3109  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3110  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3111  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3112  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3113  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3114  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3115  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3116  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3117  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3118  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3119  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3120  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3121  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3122  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3123  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3124  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3125  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3126  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3127  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3128  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3129  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3130  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3131  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3132  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3133  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3134  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3135  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3136  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3137 
3138  Packet *p = PacketGetFromAlloc();
3139  FAIL_IF_NULL(p);
3140  DecodeThreadVars dtv;
3141 
3142  ThreadVars th_v;
3143  DetectEngineThreadCtx *det_ctx = NULL;
3144 
3145  memset(&dtv, 0, sizeof(DecodeThreadVars));
3146  memset(&th_v, 0, sizeof(th_v));
3147  StatsThreadInit(&th_v.stats);
3148 
3149  FlowInitConfig(FLOW_QUIET);
3150  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3151 
3152  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3153  FAIL_IF_NULL(de_ctx);
3154  de_ctx->flags |= DE_QUIET;
3155 
3156  Signature *s = DetectEngineAppendSig(de_ctx,
3157  "alert tcp any any -> any any (content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3158  FAIL_IF_NULL(s);
3159 
3160  SigGroupBuild(de_ctx);
3161  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3162 
3163  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3164  FAIL_IF_NOT(PacketAlertCheck(p, 101));
3165 
3166  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3167  DetectEngineCtxFree(de_ctx);
3168  PacketFree(p);
3169  FlowShutdown();
3170 
3171  StatsThreadCleanup(&th_v.stats);
3172  PASS;
3173 }
3174 
3175 /**
3176  * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3177  * \brief not expecting to match a size
3178  */
3179 
3180 static int SigTest37ContentAndIsdataatKeywords02 (void)
3181 {
3182  int result = 0;
3183 
3184  // Build and decode the packet
3185 
3186  uint8_t raw_eth [] = {
3187  0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3188  ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3189  ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3190  ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3191  ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3192  ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3193  ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3194  ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3195  ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3196  ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3197  ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3198  ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3199  ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3200  ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3201  ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3202  ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3203  ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3204  ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3205  ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3206  ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3207  ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3208  ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3209  ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3210  ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3211  ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3212  ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3213  ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3214  ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3215  ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3216  ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3217 
3218  Packet *p = PacketGetFromAlloc();
3219  if (unlikely(p == NULL))
3220  return 0;
3221  DecodeThreadVars dtv;
3222 
3223  ThreadVars th_v;
3224  DetectEngineThreadCtx *det_ctx = NULL;
3225 
3226  memset(&dtv, 0, sizeof(DecodeThreadVars));
3227  memset(&th_v, 0, sizeof(th_v));
3228  StatsThreadInit(&th_v.stats);
3229 
3230  FlowInitConfig(FLOW_QUIET);
3231  DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3232 
3233 
3234  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3235  if (de_ctx == NULL) {
3236  goto end;
3237  }
3238 
3239  de_ctx->flags |= DE_QUIET;
3240 
3241  Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3242  if (de_ctx->sig_list == NULL) {
3243  printf("sig parse failed: ");
3244  result = 0;
3245  goto end;
3246  }
3247 
3248  if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]->type != DETECT_CONTENT) {
3249  printf("type not content: ");
3250  goto end;
3251  }
3252  SigGroupBuild(de_ctx);
3253  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3254 
3255  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3256  if (PacketAlertCheck(p, 101) == 0) {
3257  result = 1;
3258  goto end;
3259  } else {
3260  printf("sig matched, but should not have: ");
3261  result=0;
3262  }
3263 
3264  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3265  DetectEngineCtxFree(de_ctx);
3266 
3267  PacketRecycle(p);
3268  FlowShutdown();
3269 
3270  SCFree(p);
3271  return result;
3272 
3273 end:
3274  if(det_ctx)
3275  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3276 
3277  if(de_ctx)
3278  DetectEngineCtxFree(de_ctx);
3279 
3280  if (p != NULL)
3281  PacketRecycle(p);
3282 
3283  FlowShutdown();
3284 
3285  PacketFree(p);
3286  StatsThreadCleanup(&th_v.stats);
3287  return result;
3288 }
3289 
3290 /**
3291  * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3292  * flag is set, we don't need to inspect the packet protocol header or its contents.
3293  */
3294 
3295 static int SigTest40NoPacketInspection01(void)
3296 {
3297 
3298  uint8_t *buf = (uint8_t *)
3299  "220 (vsFTPd 2.0.5)\r\n";
3300  uint16_t buflen = strlen((char *)buf);
3301  Packet *p = PacketGetFromAlloc();
3302  TCPHdr tcphdr;
3303  if (unlikely(p == NULL))
3304  return 0;
3305  ThreadVars th_v;
3306  DetectEngineThreadCtx *det_ctx = NULL;
3307  PacketQueue pq;
3308  Flow f;
3309  int result = 0;
3310 
3311  memset(&th_v, 0, sizeof(th_v));
3312  StatsThreadInit(&th_v.stats);
3313  memset(&pq, 0, sizeof(pq));
3314  memset(&f, 0, sizeof(f));
3315  memset(&tcphdr, 0, sizeof(tcphdr));
3316 
3317  p->src.family = AF_INET;
3318  p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3319  p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3320  p->dst.family = AF_INET;
3321  p->payload = buf;
3322  p->payload_len = buflen;
3323  p->proto = IPPROTO_TCP;
3324  p->dp = 34260;
3325  p->sp = 21;
3326  p->flowflags |= FLOW_PKT_TOSERVER;
3327  p->flags |= PKT_NOPACKET_INSPECTION;
3328  PacketSetTCP(p, (uint8_t *)&tcphdr);
3329  p->flow = &f;
3330 
3331  FLOW_INITIALIZE(&f);
3332 
3333  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3334  if (de_ctx == NULL) {
3335  goto end;
3336  }
3337 
3338  de_ctx->flags |= DE_QUIET;
3339 
3340  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3341  if (de_ctx->sig_list == NULL) {
3342  result = 0;
3343  goto end;
3344  }
3345 
3346  SigGroupBuild(de_ctx);
3347  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3348  det_ctx->de_ctx = de_ctx;
3349 
3350  Detect(&th_v, p, det_ctx);
3351  if (PacketAlertCheck(p, 2))
3352  result = 0;
3353  else
3354  result = 1;
3355 
3356  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3357  DetectEngineCtxFree(de_ctx);
3358 end:
3359  PacketFree(p);
3360  StatsThreadCleanup(&th_v.stats);
3361  return result;
3362 }
3363 
3364 /**
3365  * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3366  * flag is set, we don't need to inspect the packet contents.
3367  */
3368 
3369 static int SigTest40NoPayloadInspection02(void)
3370 {
3371 
3372  uint8_t *buf = (uint8_t *)
3373  "220 (vsFTPd 2.0.5)\r\n";
3374  uint16_t buflen = strlen((char *)buf);
3375  ThreadVars th_v;
3376  memset(&th_v, 0, sizeof(th_v));
3377  StatsThreadInit(&th_v.stats);
3378 
3379  Packet *p = PacketGetFromAlloc();
3380  FAIL_IF_NULL(p);
3381 
3382  p->src.family = AF_INET;
3383  p->dst.family = AF_INET;
3384  p->payload = buf;
3385  p->payload_len = buflen;
3386  p->proto = IPPROTO_TCP;
3387  p->flags |= PKT_NOPAYLOAD_INSPECTION;
3388 
3389  DetectEngineThreadCtx *det_ctx = NULL;
3390  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3391  FAIL_IF_NULL(de_ctx);
3392  de_ctx->flags |= DE_QUIET;
3393 
3394  Signature *s = DetectEngineAppendSig(de_ctx,
3395  "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3396  FAIL_IF_NULL(s);
3397 
3398  SigGroupBuild(de_ctx);
3399  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3400 
3401  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3402 
3403  FAIL_IF(PacketAlertCheck(p, 1));
3404 
3405  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3406  DetectEngineCtxFree(de_ctx);
3407  PacketFree(p);
3408  StatsThreadCleanup(&th_v.stats);
3409  PASS;
3410 }
3411 
3412 static int SigTestMemory01 (void)
3413 {
3414  uint8_t *buf = (uint8_t *)
3415  "GET /one/ HTTP/1.1\r\n"
3416  "Host: one.example.org\r\n"
3417  "\r\n\r\n"
3418  "GET /two/ HTTP/1.1\r\n"
3419  "Host: two.example.org\r\n"
3420  "\r\n\r\n";
3421  uint16_t buflen = strlen((char *)buf);
3422  Packet *p = PacketGetFromAlloc();
3423  if (unlikely(p == NULL))
3424  return 0;
3425  ThreadVars th_v;
3426  DetectEngineThreadCtx *det_ctx = NULL;
3427  int result = 0;
3428 
3429  memset(&th_v, 0, sizeof(th_v));
3430  StatsThreadInit(&th_v.stats);
3431  p->src.family = AF_INET;
3432  p->dst.family = AF_INET;
3433  p->payload = buf;
3434  p->payload_len = buflen;
3435  p->proto = IPPROTO_TCP;
3436 
3437  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3438  if (de_ctx == NULL) {
3439  goto end;
3440  }
3441 
3442  de_ctx->flags |= DE_QUIET;
3443 
3444  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3445  if (de_ctx->sig_list == NULL) {
3446  result = 0;
3447  goto end;
3448  }
3449 
3450  SigGroupBuild(de_ctx);
3451  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3452 
3453  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3454  DetectEngineCtxFree(de_ctx);
3455 
3456  result = 1;
3457 end:
3458  PacketFree(p);
3459  StatsThreadCleanup(&th_v.stats);
3460  return result;
3461 }
3462 
3463 static int SigTestMemory02 (void)
3464 {
3465  ThreadVars th_v;
3466  int result = 0;
3467 
3468  memset(&th_v, 0, sizeof(th_v));
3469  StatsThreadInit(&th_v.stats);
3470 
3471  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3472  if (de_ctx == NULL) {
3473  goto end;
3474  }
3475  de_ctx->flags |= DE_QUIET;
3476 
3477  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3478  if (de_ctx->sig_list == NULL) {
3479  result = 0;
3480  goto end;
3481  }
3482  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3483  if (de_ctx->sig_list->next == NULL) {
3484  result = 0;
3485  goto end;
3486  }
3487 
3488  SigGroupBuild(de_ctx);
3489 
3490  DetectEngineCtxFree(de_ctx);
3491 
3492  result = 1;
3493 end:
3494  StatsThreadCleanup(&th_v.stats);
3495  return result;
3496 }
3497 
3498 static int SigTestMemory03 (void)
3499 {
3500  ThreadVars th_v;
3501  int result = 0;
3502 
3503  memset(&th_v, 0, sizeof(th_v));
3504  StatsThreadInit(&th_v.stats);
3505 
3506  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3507  if (de_ctx == NULL) {
3508  goto end;
3509  }
3510  de_ctx->flags |= DE_QUIET;
3511 
3512  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3513  if (de_ctx->sig_list == NULL) {
3514  result = 0;
3515  goto end;
3516  }
3517  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3518  if (de_ctx->sig_list->next == NULL) {
3519  result = 0;
3520  goto end;
3521  }
3522  de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3523  if (de_ctx->sig_list->next->next == NULL) {
3524  result = 0;
3525  goto end;
3526  }
3527 
3528  SigGroupBuild(de_ctx);
3529 
3530  DetectEngineCtxFree(de_ctx);
3531 
3532  result = 1;
3533 end:
3534  StatsThreadCleanup(&th_v.stats);
3535  return result;
3536 }
3537 
3538 static int SigTestContent01 (void)
3539 {
3540  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3541  uint16_t buflen = strlen((char *)buf);
3542  ThreadVars th_v;
3543  DetectEngineThreadCtx *det_ctx = NULL;
3544  int result = 0;
3545 
3546  memset(&th_v, 0, sizeof(th_v));
3547  StatsThreadInit(&th_v.stats);
3548 
3549  Packet *p = NULL;
3550  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3551 
3552  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3553  if (de_ctx == NULL) {
3554  goto end;
3555  }
3556  de_ctx->flags |= DE_QUIET;
3557 
3558  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3559  if (de_ctx->sig_list == NULL) {
3560  result = 0;
3561  goto end;
3562  }
3563 
3564  SigGroupBuild(de_ctx);
3565  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3566 
3567  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3568  if (PacketAlertCheck(p, 1))
3569  result = 1;
3570  else
3571  printf("sig 1 didn't match: ");
3572 
3573  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3574  DetectEngineCtxFree(de_ctx);
3575 end:
3576  UTHFreePackets(&p, 1);
3577  StatsThreadCleanup(&th_v.stats);
3578  return result;
3579 }
3580 
3581 static int SigTestContent02 (void)
3582 {
3583  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3584  uint16_t buflen = strlen((char *)buf);
3585  ThreadVars th_v;
3586  DetectEngineThreadCtx *det_ctx = NULL;
3587  int result = 0;
3588 
3589  memset(&th_v, 0, sizeof(th_v));
3590  StatsThreadInit(&th_v.stats);
3591  Packet *p = NULL;
3592  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3593 
3594  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3595  if (de_ctx == NULL) {
3596  goto end;
3597  }
3598  de_ctx->flags |= DE_QUIET;
3599 
3600  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3601  if (de_ctx->sig_list == NULL) {
3602  result = 0;
3603  goto end;
3604  }
3605 
3606  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3607  if (de_ctx->sig_list->next == NULL) {
3608  result = 0;
3609  goto end;
3610  }
3611 
3612  SigGroupBuild(de_ctx);
3613  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3614 
3615  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3616  if (PacketAlertCheck(p, 1)) {
3617  if (PacketAlertCheck(p, 2)) {
3618  result = 1;
3619  } else
3620  printf("sig 2 didn't match: ");
3621  }
3622  else
3623  printf("sig 1 didn't match: ");
3624 
3625  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3626  DetectEngineCtxFree(de_ctx);
3627 end:
3628  UTHFreePackets(&p, 1);
3629  StatsThreadCleanup(&th_v.stats);
3630  return result;
3631 }
3632 
3633 static int SigTestContent03 (void)
3634 {
3635  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3636  uint16_t buflen = strlen((char *)buf);
3637  ThreadVars th_v;
3638  DetectEngineThreadCtx *det_ctx = NULL;
3639  int result = 0;
3640 
3641  memset(&th_v, 0, sizeof(th_v));
3642  StatsThreadInit(&th_v.stats);
3643  Packet *p = NULL;
3644  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3645 
3646  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3647  if (de_ctx == NULL) {
3648  goto end;
3649  }
3650 
3651  de_ctx->flags |= DE_QUIET;
3652 
3653  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3654  if (de_ctx->sig_list == NULL) {
3655  result = 0;
3656  goto end;
3657  }
3658 
3659  SigGroupBuild(de_ctx);
3660  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3661 
3662  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3663  if (PacketAlertCheck(p, 1))
3664  result = 1;
3665  else
3666  printf("sig 1 didn't match: ");
3667 
3668  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3669  DetectEngineCtxFree(de_ctx);
3670 end:
3671  UTHFreePackets(&p, 1);
3672  StatsThreadCleanup(&th_v.stats);
3673  return result;
3674 }
3675 
3676 static int SigTestContent04 (void)
3677 {
3678  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3679  uint16_t buflen = strlen((char *)buf);
3680  ThreadVars th_v;
3681  DetectEngineThreadCtx *det_ctx = NULL;
3682  int result = 0;
3683 
3684  memset(&th_v, 0, sizeof(th_v));
3685  StatsThreadInit(&th_v.stats);
3686 
3687  Packet *p = NULL;
3688  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3689 
3690  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3691  if (de_ctx == NULL) {
3692  goto end;
3693  }
3694 
3695  de_ctx->flags |= DE_QUIET;
3696 
3697  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3698  if (de_ctx->sig_list == NULL) {
3699  result = 0;
3700  goto end;
3701  }
3702 
3703  SigGroupBuild(de_ctx);
3704  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3705 
3706  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3707  if (PacketAlertCheck(p, 1))
3708  result = 1;
3709  else
3710  printf("sig 1 didn't match: ");
3711 
3712  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3713  DetectEngineCtxFree(de_ctx);
3714 end:
3715  UTHFreePackets(&p, 1);
3716  StatsThreadCleanup(&th_v.stats);
3717  return result;
3718 }
3719 
3720 /** \test sigs with patterns at the limit of the pm's size limit */
3721 static int SigTestContent05 (void)
3722 {
3723  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3724  uint16_t buflen = strlen((char *)buf);
3725  ThreadVars th_v;
3726  DetectEngineThreadCtx *det_ctx = NULL;
3727  int result = 0;
3728 
3729  memset(&th_v, 0, sizeof(th_v));
3730  StatsThreadInit(&th_v.stats);
3731  Packet *p = NULL;
3732  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3733 
3734  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3735  if (de_ctx == NULL) {
3736  printf("de_ctx == NULL: ");
3737  goto end;
3738  }
3739 
3740  de_ctx->flags |= DE_QUIET;
3741 
3742  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3743  if (de_ctx->sig_list == NULL) {
3744  printf("sig1 parse failed: ");
3745  goto end;
3746  }
3747  de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
3748  if (de_ctx->sig_list->next == NULL) {
3749  printf("sig2 parse failed: ");
3750  goto end;
3751  }
3752 
3753  SigGroupBuild(de_ctx);
3754  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3755 
3756  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3757 
3758  if (PacketAlertCheck(p, 1)) {
3759  printf("sig 1 matched but shouldn't: ");
3760  goto end;
3761  }
3762 
3763  if (PacketAlertCheck(p, 2)) {
3764  printf("sig 2 matched but shouldn't: ");
3765  goto end;
3766  }
3767 
3768  result = 1;
3769 end:
3770  UTHFreePackets(&p, 1);
3771  if (det_ctx != NULL) {
3772  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3773  }
3774  if (de_ctx != NULL) {
3775  DetectEngineCtxFree(de_ctx);
3776  }
3777  StatsThreadCleanup(&th_v.stats);
3778  return result;
3779 }
3780 
3781 static int SigTestContent06 (void)
3782 {
3783  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3784  uint16_t buflen = strlen((char *)buf);
3785  ThreadVars th_v;
3786  DetectEngineThreadCtx *det_ctx = NULL;
3787  int result = 0;
3788 
3789  memset(&th_v, 0, sizeof(th_v));
3790  StatsThreadInit(&th_v.stats);
3791  Packet *p = NULL;
3792  p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3793 
3794  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3795  if (de_ctx == NULL) {
3796  goto end;
3797  }
3798 
3799  de_ctx->flags |= DE_QUIET;
3800 
3801  de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3802  if (de_ctx->sig_list == NULL) {
3803  result = 0;
3804  goto end;
3805  }
3806  de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
3807  if (de_ctx->sig_list->next == NULL) {
3808  result = 0;
3809  goto end;
3810  }
3811 
3812  SigGroupBuild(de_ctx);
3813  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3814 
3815  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3816  if (PacketAlertCheck(p, 1)){
3817  //printf("sig 1 matched :");
3818  }else{
3819  printf("sig 1 didn't match: ");
3820  goto end;
3821  }
3822 
3823  if (PacketAlertCheck(p, 2)){
3824  result = 1;
3825  }else{
3826  printf("sig 2 didn't match: ");
3827  goto end;
3828  }
3829 
3830  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3831  DetectEngineCtxFree(de_ctx);
3832 end:
3833  UTHFreePackets(&p, 1);
3834  StatsThreadCleanup(&th_v.stats);
3835  return result;
3836 }
3837 
3838 static int SigTestWithin01 (void)
3839 {
3840  DecodeThreadVars dtv;
3841  ThreadVars th_v;
3842  uint8_t rawpkt1[] = {
3843  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3844  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3845  0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
3846  0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3847  0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
3848  0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
3849  0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
3850  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3851  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3852  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3853  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3854  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3855  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3856  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3857  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3858  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3859  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3860  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3861  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3862  0x00,0x00 }; /* end rawpkt1 */
3863 
3864  uint8_t rawpkt2[] = {
3865  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3866  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3867  0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
3868  0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3869  0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
3870  0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
3871  0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
3872  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3873  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3874  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3875  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3876  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3877  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3878  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3879  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3880  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3881  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3882  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3883  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3884  0x00,0x00 }; /* end rawpkt2 */
3885 
3886  uint8_t rawpkt3[] = {
3887  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3888  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3889  0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
3890  0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3891  0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
3892  0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
3893  0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
3894  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3895  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3896  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3897  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3898  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3899  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3900  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3901  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3902  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3903  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3904  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3905  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3906  0x00,0x00 }; /* end rawpkt3 */
3907 
3908  uint8_t rawpkt4[] = {
3909  0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3910  0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3911  0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
3912  0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3913  0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
3914  0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
3915  0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
3916  0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3917  0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3918  0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3919  0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3920  0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3921  0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3922  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3923  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3924  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3925  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3926  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3927  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3928  0x00,0x00 }; /* end rawpkt4 */
3929 
3930  memset(&dtv, 0, sizeof(DecodeThreadVars));
3931  memset(&th_v, 0, sizeof(th_v));
3932  StatsThreadInit(&th_v.stats);
3933 
3934  DetectEngineThreadCtx *det_ctx = NULL;
3935 
3936  FlowInitConfig(FLOW_QUIET);
3937 
3938  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3939  FAIL_IF_NULL(de_ctx);
3940  de_ctx->flags |= DE_QUIET;
3941 
3942  Signature *s = DetectEngineAppendSig(de_ctx,
3943  "alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test "
3944  "to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
3945  FAIL_IF_NULL(s);
3946 
3947  SigGroupBuild(de_ctx);
3948  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3949 
3950  /* packet 1 */
3951  Packet *p1 = PacketGetFromAlloc();
3952  FAIL_IF_NULL(p1);
3953  DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1));
3954  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3955  FAIL_IF(!(PacketAlertCheck(p1, 556)));
3956 
3957  /* packet 2 */
3958  Packet *p2 = PacketGetFromAlloc();
3959  FAIL_IF_NULL(p2);
3960  DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2));
3961  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
3962  FAIL_IF(!(PacketAlertCheck(p2, 556)));
3963 
3964  /* packet 3 */
3965  Packet *p3 = PacketGetFromAlloc();
3966  FAIL_IF_NULL(p3);
3967  DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3));
3968  SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
3969  FAIL_IF(!(PacketAlertCheck(p3, 556)));
3970 
3971  /* packet 4 */
3972  Packet *p4 = PacketGetFromAlloc();
3973  FAIL_IF_NULL(p4);
3974  DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4));
3975  SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
3976  FAIL_IF(!(PacketAlertCheck(p4, 556)));
3977 
3978  /* packet 5 */
3979  uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
3980  uint16_t p5buflen = strlen((char *)p5buf);
3981  Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
3982  FAIL_IF_NULL(p5);
3983  SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
3984  FAIL_IF(!(PacketAlertCheck(p5, 556)));
3985  UTHFreePackets(&p5, 1);
3986 
3987  PacketFree(p1);
3988  PacketFree(p2);
3989  PacketFree(p3);
3990  PacketFree(p4);
3991  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3992  DetectEngineCtxFree(de_ctx);
3993 
3994  FlowShutdown();
3995  StatsThreadCleanup(&th_v.stats);
3996  PASS;
3997 }
3998 
3999 static int SigTestDepthOffset01 (void)
4000 {
4001  uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4002  uint16_t buflen = strlen((char *)buf);
4003  Packet *p = NULL;
4004  ThreadVars th_v;
4005  DetectEngineThreadCtx *det_ctx = NULL;
4006  int result = 0;
4007 
4008  memset(&th_v, 0, sizeof(th_v));
4009  StatsThreadInit(&th_v.stats);
4010 
4011  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
4012 
4013  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4014  if (de_ctx == NULL) {
4015  goto end;
4016  }
4017 
4018  de_ctx->flags |= DE_QUIET;
4019 
4020  de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4021  if (de_ctx->sig_list == NULL) {
4022  result = 0;
4023  goto end;
4024  }
4025 
4026  SigGroupBuild(de_ctx);
4027  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4028 
4029  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4030  if (PacketAlertCheck(p, 1))
4031  result = 1;
4032 
4033  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4034  DetectEngineCtxFree(de_ctx);
4035 end:
4036  UTHFreePackets(&p, 1);
4037  StatsThreadCleanup(&th_v.stats);
4038  return result;
4039 }
4040 
4041 static int SigTestDetectAlertCounter(void)
4042 {
4043  Packet *p = NULL;
4044  ThreadVars tv;
4045  DetectEngineThreadCtx *det_ctx = NULL;
4046  memset(&tv, 0, sizeof(tv));
4047  StatsThreadInit(&tv.stats);
4048 
4049  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4050  FAIL_IF_NULL(de_ctx);
4051  de_ctx->flags |= DE_QUIET;
4052 
4053  de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
4054  "content:\"boo\"; sid:1;)");
4055  FAIL_IF(de_ctx->sig_list == NULL);
4056 
4057  SigGroupBuild(de_ctx);
4058  strlcpy(tv.name, "detect_test", sizeof(tv.name));
4059  DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4060  /* init counters */
4061  StatsSetupPrivate(&tv.stats, NULL);
4062 
4063  p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4064  Detect(&tv, p, det_ctx);
4065  FAIL_IF_NOT(StatsCounterGetLocalValue(&tv.stats, det_ctx->counter_alerts) == 1);
4066 
4067  Detect(&tv, p, det_ctx);
4068  FAIL_IF_NOT(StatsCounterGetLocalValue(&tv.stats, det_ctx->counter_alerts) == 2);
4069  UTHFreePackets(&p, 1);
4070 
4071  p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4072  Detect(&tv, p, det_ctx);
4073  FAIL_IF_NOT(StatsCounterGetLocalValue(&tv.stats, det_ctx->counter_alerts) == 2);
4074  UTHFreePackets(&p, 1);
4075 
4076  p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4077  Detect(&tv, p, det_ctx);
4078  FAIL_IF_NOT(StatsCounterGetLocalValue(&tv.stats, det_ctx->counter_alerts) == 3);
4079  UTHFreePackets(&p, 1);
4080 
4081  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4082  DetectEngineCtxFree(de_ctx);
4083  StatsThreadCleanup(&tv.stats);
4084  PASS;
4085 }
4086 
4087 /** \test test if the engine set flag to drop pkts of a flow that
4088  * triggered a drop action on IPS mode */
4089 static int SigTestDropFlow01(void)
4090 {
4091  Flow f;
4092  HtpState *http_state = NULL;
4093  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4094  "User-Agent: Mozilla/1.0\r\n"
4095  "Cookie: hellocatch\r\n\r\n";
4096  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4097  TcpSession ssn;
4098  Packet *p = NULL;
4099  Signature *s = NULL;
4100  ThreadVars tv;
4101  DetectEngineThreadCtx *det_ctx = NULL;
4102  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4103 
4104  memset(&tv, 0, sizeof(ThreadVars));
4105  StatsThreadInit(&tv.stats);
4106  memset(&f, 0, sizeof(Flow));
4107  memset(&ssn, 0, sizeof(TcpSession));
4108 
4109  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4110 
4111  FLOW_INITIALIZE(&f);
4112  f.protoctx = (void *)&ssn;
4113  f.proto = IPPROTO_TCP;
4114  f.flags |= FLOW_IPV4;
4115 
4116  p->flow = &f;
4117  p->flowflags |= FLOW_PKT_TOSERVER;
4118  p->flowflags |= FLOW_PKT_ESTABLISHED;
4119  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4120  f.alproto = ALPROTO_HTTP1;
4121 
4122  StreamTcpInitConfig(true);
4123 
4124  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4125  FAIL_IF_NULL(de_ctx);
4126  de_ctx->flags |= DE_QUIET;
4127 
4128  s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4129  "(msg:\"Test proto match\"; "
4130  "sid:1;)");
4131  FAIL_IF_NULL(s);
4132 
4133  SigGroupBuild(de_ctx);
4134  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4135 
4136  int r = AppLayerParserParse(
4137  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4138  FAIL_IF_NOT(r == 0);
4139 
4140  http_state = f.alstate;
4141  FAIL_IF_NULL(http_state);
4142 
4143  /* do detect */
4144  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4145 
4146  FAIL_IF_NOT(PacketAlertCheck(p, 1));
4147 
4148  FAIL_IF_NOT(p->flow->flags & FLOW_ACTION_DROP);
4149 
4150  AppLayerParserThreadCtxFree(alp_tctx);
4151  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4152  DetectEngineCtxFree(de_ctx);
4153 
4154  StreamTcpFreeConfig(true);
4155  FLOW_DESTROY(&f);
4156 
4157  UTHFreePackets(&p, 1);
4158  StatsThreadCleanup(&tv.stats);
4159  PASS;
4160 }
4161 
4162 /** \test test if the engine set flag to drop pkts of a flow that
4163  * triggered a drop action on IPS mode */
4164 static int SigTestDropFlow02(void)
4165 {
4166  int result = 0;
4167  Flow f;
4168  HtpState *http_state = NULL;
4169  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4170  "User-Agent: Mozilla/1.0\r\n"
4171  "Cookie: hellocatch\r\n\r\n";
4172  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4173  TcpSession ssn;
4174  Packet *p = NULL;
4175  Signature *s = NULL;
4176  ThreadVars tv;
4177  DetectEngineThreadCtx *det_ctx = NULL;
4178  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4179 
4180  memset(&tv, 0, sizeof(ThreadVars));
4181  StatsThreadInit(&tv.stats);
4182  memset(&f, 0, sizeof(Flow));
4183  memset(&ssn, 0, sizeof(TcpSession));
4184 
4185  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4186 
4187  FLOW_INITIALIZE(&f);
4188  f.protoctx = (void *)&ssn;
4189  f.proto = IPPROTO_TCP;
4190  f.flags |= FLOW_IPV4;
4191 
4192  p->flow = &f;
4193  p->flowflags |= FLOW_PKT_TOSERVER;
4194  p->flowflags |= FLOW_PKT_ESTABLISHED;
4195  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4196  f.alproto = ALPROTO_HTTP1;
4197 
4198  StreamTcpInitConfig(true);
4199 
4200  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4201  if (de_ctx == NULL) {
4202  goto end;
4203  }
4204  de_ctx->flags |= DE_QUIET;
4205 
4206  s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4207  "(msg:\"Test proto match\"; uricontent:\"one\";"
4208  "sid:1;)");
4209  if (s == NULL) {
4210  goto end;
4211  }
4212 
4213  SigGroupBuild(de_ctx);
4214  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4215 
4216  int r = AppLayerParserParse(
4217  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4218  if (r != 0) {
4219  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4220  goto end;
4221  }
4222 
4223  http_state = f.alstate;
4224  if (http_state == NULL) {
4225  printf("no http state: ");
4226  goto end;
4227  }
4228 
4229  /* do detect */
4230  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4231 
4232  if (!PacketAlertCheck(p, 1)) {
4233  printf("sig 1 didn't alert, but it should: ");
4234  goto end;
4235  }
4236 
4237  if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4238  printf("sig 1 alerted but flow was not flagged correctly: ");
4239  goto end;
4240  }
4241 
4242  /* Ok, now we know that the flag is set for app layer sigs
4243  * (ex: inspecting uricontent) */
4244 
4245  result = 1;
4246 
4247 end:
4248  if (alp_tctx != NULL)
4249  AppLayerParserThreadCtxFree(alp_tctx);
4250  if (det_ctx != NULL)
4251  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4252  if (de_ctx != NULL)
4253  DetectEngineCtxFree(de_ctx);
4254 
4255  StreamTcpFreeConfig(true);
4256  FLOW_DESTROY(&f);
4257 
4258  UTHFreePackets(&p, 1);
4259  StatsThreadCleanup(&tv.stats);
4260  return result;
4261 }
4262 
4263 /** \test test if the engine set flag to drop pkts of a flow that
4264  * triggered a drop action on IPS mode, and it doesn't inspect
4265  * any other packet of the stream */
4266 static int SigTestDropFlow03(void)
4267 {
4268  Flow f;
4269  HtpState *http_state = NULL;
4270  uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4271  "User-Agent: Mozilla/1.0\r\n"
4272  "Cookie: hellocatch\r\n\r\n";
4273  uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4274 
4275  uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4276  "User-Agent: Mozilla/1.0\r\n"
4277  "Cookie: hellocatch\r\n\r\n";
4278  uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4279 
4280  /* Set the engine mode to IPS */
4281  EngineModeSetIPS(ENGINE_HOST_IS_ROUTER);
4282 
4283  TcpSession ssn;
4284  Packet *p1 = NULL;
4285  Packet *p2 = NULL;
4286  ThreadVars tv;
4287  DetectEngineThreadCtx *det_ctx = NULL;
4288  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4289 
4290  memset(&tv, 0, sizeof(ThreadVars));
4291  StatsThreadInit(&tv.stats);
4292  memset(&f, 0, sizeof(Flow));
4293  memset(&ssn, 0, sizeof(TcpSession));
4294 
4295  p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4296  p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4297 
4298  FLOW_INITIALIZE(&f);
4299  f.protoctx = (void *)&ssn;
4300  f.proto = IPPROTO_TCP;
4301  f.flags |= FLOW_IPV4;
4302 
4303  p1->flow = &f;
4304  p1->flowflags |= FLOW_PKT_TOSERVER;
4305  p1->flowflags |= FLOW_PKT_ESTABLISHED;
4306  p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4307 
4308  p2->flow = &f;
4309  p2->flowflags |= FLOW_PKT_TOSERVER;
4310  p2->flowflags |= FLOW_PKT_ESTABLISHED;
4311  p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4312  f.alproto = ALPROTO_HTTP1;
4313 
4314  StreamTcpInitConfig(true);
4315 
4316  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4317  FAIL_IF_NULL(de_ctx);
4318  de_ctx->flags |= DE_QUIET;
4319 
4320  Signature *s = DetectEngineAppendSig(de_ctx, "drop tcp any any -> any 80 "
4321  "(msg:\"Test proto match\"; uricontent:\"one\";"
4322  "sid:1;)");
4323  FAIL_IF_NULL(s);
4324 
4325  /* the no inspection flag should be set after the first sig gets triggered,
4326  * so the second packet should not match the next sig (because of no inspection) */
4327  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any 80 "
4328  "(msg:\"Test proto match\"; uricontent:\"two\";"
4329  "sid:2;)");
4330  FAIL_IF_NULL(s);
4331 
4332  SigGroupBuild(de_ctx);
4333  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4334 
4335  int r = AppLayerParserParse(
4336  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4337  FAIL_IF(r != 0);
4338 
4339  http_state = f.alstate;
4340  FAIL_IF_NULL(http_state);
4341 
4342  /* do detect */
4343  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4344  FAIL_IF(!PacketAlertCheck(p1, 1));
4345  FAIL_IF(!(p1->flow->flags & FLOW_ACTION_DROP));
4346 
4347  /* Second part.. Let's feed with another packet */
4348  FAIL_IF_NOT(StreamTcpCheckFlowDrops(p2) == 1);
4349 
4350  SCLogDebug("This flow/stream triggered a drop rule");
4351  DecodeSetNoPacketInspectionFlag(p2);
4352  StreamTcpDisableAppLayer(p2->flow);
4353  p2->action |= ACTION_DROP;
4354  /* return the segments to the pool */
4355  StreamTcpSessionPktFree(p2);
4356 
4357  FAIL_IF(!(p2->flags & PKT_NOPACKET_INSPECTION));
4358 
4359  r = AppLayerParserParse(
4360  NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4361  FAIL_IF(r != 0);
4362 
4363  /* do detect */
4364  SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4365 
4366  FAIL_IF(PacketAlertCheck(p2, 1));
4367  FAIL_IF(PacketAlertCheck(p2, 2));
4368  FAIL_IF(!(PacketTestAction(p2, ACTION_DROP)));
4369 
4370  AppLayerParserThreadCtxFree(alp_tctx);
4371  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4372  DetectEngineCtxFree(de_ctx);
4373 
4374  StreamTcpFreeConfig(true);
4375  FLOW_DESTROY(&f);
4376 
4377  UTHFreePackets(&p1, 1);
4378  UTHFreePackets(&p2, 1);
4379 
4380  /* Restore mode to IDS */
4381  EngineModeSetIDS();
4382  StatsThreadCleanup(&tv.stats);
4383  PASS;
4384 }
4385 
4386 /** \test ICMP packet shouldn't be matching port based sig
4387  * Bug #611 */
4388 static int SigTestPorts01(void)
4389 {
4390  int result = 0;
4391  Packet *p1 = NULL;
4392  Signature *s = NULL;
4393  ThreadVars tv;
4394  DetectEngineThreadCtx *det_ctx = NULL;
4395  uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
4396 
4397  memset(&tv, 0, sizeof(ThreadVars));
4398  StatsThreadInit(&tv.stats);
4399 
4400  p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
4401 
4402  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4403  if (de_ctx == NULL) {
4404  goto end;
4405  }
4406  de_ctx->flags |= DE_QUIET;
4407 
4408  s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
4409  "(content:\"AAA\"; sid:1;)");
4410  if (s == NULL) {
4411  goto end;
4412  }
4413 
4414  SigGroupBuild(de_ctx);
4415  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4416 
4417  /* do detect */
4418  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4419 
4420  if (PacketAlertCheck(p1, 1)) {
4421  printf("sig 1 alerted on p1, but it should not: ");
4422  goto end;
4423  }
4424 
4425  result = 1;
4426 end:
4427  if (det_ctx != NULL)
4428  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4429  if (de_ctx != NULL)
4430  DetectEngineCtxFree(de_ctx);
4431 
4432  UTHFreePackets(&p1, 1);
4433  StatsThreadCleanup(&tv.stats);
4434  return result;
4435 }
4436 
4437 /** \test almost identical patterns */
4438 static int SigTestBug01(void)
4439 {
4440  ThreadVars tv;
4441  DetectEngineThreadCtx *det_ctx = NULL;
4442  uint8_t payload[] = "!mymy";
4443  memset(&tv, 0, sizeof(ThreadVars));
4444  StatsThreadInit(&tv.stats);
4445 
4446  Packet *p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
4447  FAIL_IF_NULL(p1);
4448  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4449  FAIL_IF_NULL(de_ctx);
4450  de_ctx->flags |= DE_QUIET;
4451  Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4452  "(content:\"Omymy\"; nocase; sid:1;)");
4453  FAIL_IF_NULL(s);
4454  s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4455  "(content:\"!mymy\"; nocase; sid:2;)");
4456  FAIL_IF_NULL(s);
4457  SigGroupBuild(de_ctx);
4458  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4459  SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4460  FAIL_IF(PacketAlertCheck(p1, 1));
4461  FAIL_IF(!(PacketAlertCheck(p1, 2)));
4462  DetectEngineThreadCtxDeinit(&tv, det_ctx);
4463  DetectEngineCtxFree(de_ctx);
4464  UTHFreePackets(&p1, 1);
4465  StatsThreadCleanup(&tv.stats);
4466  PASS;
4467 }
4468 
4469 static const char *dummy_conf_string2 =
4470  "%YAML 1.1\n"
4471  "---\n"
4472  "vars:\n"
4473  "\n"
4474  " address-groups:\n"
4475  "\n"
4476  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4477  "\n"
4478  " EXTERNAL_NET: \"any\"\n"
4479  "\n"
4480  " port-groups:\n"
4481  "\n"
4482  " HTTP_PORTS: \"80:81,88\"\n"
4483  "\n";
4484 
4485 static int DetectAddressYamlParsing01 (void)
4486 {
4487  int result = 0;
4488 
4489  SCConfCreateContextBackup();
4490  SCConfInit();
4491  SCConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
4492 
4493  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4494  if (de_ctx == NULL) {
4495  goto end;
4496  }
4497 
4498  de_ctx->flags |= DE_QUIET;
4499 
4500  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4501  goto end;
4502  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4503  goto end;
4504  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4505  goto end;
4506 
4507  result = 1;
4508 
4509  DetectEngineCtxFree(de_ctx);
4510 end:
4511  SCConfDeInit();
4512  SCConfRestoreContextBackup();
4513  return result;
4514 }
4515 
4516 static const char *dummy_conf_string3 =
4517  "%YAML 1.1\n"
4518  "---\n"
4519  "vars:\n"
4520  "\n"
4521  " address-groups:\n"
4522  "\n"
4523  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4524  "\n"
4525  " EXTERNAL_NET: \"any\"\n"
4526  "\n"
4527  " port-groups:\n"
4528  "\n"
4529  " HTTP_PORTS: \"80:81,88\"\n"
4530  "\n";
4531 
4532 static int DetectAddressYamlParsing02 (void)
4533 {
4534  int result = 0;
4535 
4536  SCConfCreateContextBackup();
4537  SCConfInit();
4538  SCConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
4539 
4540  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4541  if (de_ctx == NULL) {
4542  goto end;
4543  }
4544 
4545  de_ctx->flags |= DE_QUIET;
4546 
4547  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4548  goto end;
4549  if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4550  goto end;
4551  if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4552  goto end;
4553 
4554  result = 1;
4555 
4556  DetectEngineCtxFree(de_ctx);
4557 end:
4558  SCConfDeInit();
4559  SCConfRestoreContextBackup();
4560  return result;
4561 }
4562 
4563 static const char *dummy_conf_string4 =
4564  "%YAML 1.1\n"
4565  "---\n"
4566  "vars:\n"
4567  "\n"
4568  " address-groups:\n"
4569  "\n"
4570  " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4571  "\n"
4572  " EXTERNAL_NET: \"any\"\n"
4573  "\n"
4574  " port-groups:\n"
4575  "\n"
4576  " HTTP_PORTS: \"80:81,88\"\n"
4577  "\n";
4578 
4579 static int DetectAddressYamlParsing03 (void)
4580 {
4581  SCConfCreateContextBackup();
4582  SCConfInit();
4583  SCConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
4584  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4585  FAIL_IF_NULL(de_ctx);
4586  de_ctx->flags |= DE_QUIET;
4587  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL);
4588  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL);
4589  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) ==
4590  NULL);
4591  DetectEngineCtxFree(de_ctx);
4592  SCConfDeInit();
4593  SCConfRestoreContextBackup();
4594  PASS;
4595 }
4596 
4597 static const char *dummy_conf_string5 =
4598  "%YAML 1.1\n"
4599  "---\n"
4600  "vars:\n"
4601  "\n"
4602  " address-groups:\n"
4603  "\n"
4604  " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
4605  "\n"
4606  " EXTERNAL_NET: \"any\"\n"
4607  "\n"
4608  " port-groups:\n"
4609  "\n"
4610  " HTTP_PORTS: \"80:81,88\"\n"
4611  "\n";
4612 
4613 /** \test bug #815 */
4614 static int DetectAddressYamlParsing04 (void)
4615 {
4616  SCConfCreateContextBackup();
4617  SCConfInit();
4618  SCConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
4619  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4620  FAIL_IF_NULL(de_ctx);
4621  de_ctx->flags |= DE_QUIET;
4622  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL);
4623  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL);
4624  FAIL_IF((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) ==
4625  NULL);
4626  DetectEngineCtxFree(de_ctx);
4627  SCConfDeInit();
4628  SCConfRestoreContextBackup();
4629  PASS;
4630 }
4631 
4632 void SigRegisterTests(void)
4633 {
4634  SigParseRegisterTests();
4635  IPOnlyRegisterTests();
4636 
4637  UtRegisterTest("SigTest01", SigTest01);
4638  UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
4639  UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
4640  UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
4641  UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
4642  UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
4643  UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
4644  SigTest07);
4645  UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
4646  UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
4647  SigTest09);
4648  UtRegisterTest("SigTest10 -- long content match, longer than pkt",
4649  SigTest10);
4650  UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
4651  UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
4652  UtRegisterTest("SigTest13 -- content order matching, diff order",
4653  SigTest13);
4654  UtRegisterTest("SigTest14 -- content order matching, distance 0",
4655  SigTest14);
4656  UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
4657  UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
4658  UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
4659  UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
4660  UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
4661  UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
4662  UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
4663  UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
4664  UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
4665 
4666  UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
4667  UtRegisterTest("SigTest25NegativeIPV4Keyword",
4668  SigTest25NegativeIPV4Keyword);
4669 
4670  UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
4671  UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
4672  SigTest26TCPV4AndNegativeIPV4Keyword);
4673  UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
4674  SigTest26TCPV4AndIPV4Keyword);
4675  UtRegisterTest("SigTest27NegativeTCPV4Keyword",
4676  SigTest27NegativeTCPV4Keyword);
4677 
4678  UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
4679  UtRegisterTest("SigTest29NegativeTCPV6Keyword",
4680  SigTest29NegativeTCPV6Keyword);
4681 
4682  UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
4683  UtRegisterTest("SigTest31NegativeUDPV4Keyword",
4684  SigTest31NegativeUDPV4Keyword);
4685 
4686  UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
4687  UtRegisterTest("SigTest33NegativeUDPV6Keyword",
4688  SigTest33NegativeUDPV6Keyword);
4689 
4690  UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
4691  UtRegisterTest("SigTest35NegativeICMPV4Keyword",
4692  SigTest35NegativeICMPV4Keyword);
4693  UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
4694  SigTest36ContentAndIsdataatKeywords01);
4695  UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
4696  SigTest37ContentAndIsdataatKeywords02);
4697 
4698  UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
4699 
4700  UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
4701 
4702  UtRegisterTest("SigTest40NoPacketInspection01",
4703  SigTest40NoPacketInspection01);
4704  UtRegisterTest("SigTest40NoPayloadInspection02",
4705  SigTest40NoPayloadInspection02);
4706 
4707  UtRegisterTest("SigTestMemory01", SigTestMemory01);
4708  UtRegisterTest("SigTestMemory02", SigTestMemory02);
4709  UtRegisterTest("SigTestMemory03", SigTestMemory03);
4710 
4711  UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
4712  UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
4713  UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
4714  SigTestContent03);
4715  UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
4716  SigTestContent04);
4717  UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
4718  UtRegisterTest("SigTestContent06 -- distance/within ip only",
4719  SigTestContent06);
4720 
4721  UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
4722  UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
4723 
4724  UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
4725 
4726  UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
4727  UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
4728  UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
4729 
4730  UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
4731  UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
4732  UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
4733  UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
4734 
4735  UtRegisterTest("SigTestPorts01", SigTestPorts01);
4736  UtRegisterTest("SigTestBug01", SigTestBug01);
4737 
4738  DetectEngineContentInspectionRegisterTests();
4739 }
4740 #endif /* UNITTESTS */
IPOnlyRegisterTests
void IPOnlyRegisterTests(void)
Definition: detect-engine-iponly.c:2354
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:536
Packet_::proto
uint8_t proto
Definition: decode.h:536
PktVarGet
PktVar * PktVarGet(Packet *p, uint32_t id)
Definition: pkt-var.c:40
MPM_AC
@ MPM_AC
Definition: util-mpm.h:38
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition: flow.c:140
StreamTcpSessionPktFree
void StreamTcpSessionPktFree(Packet *p)
Function to return the stream segments back to the pool.
Definition: stream-tcp.c:390
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition: detect.h:119
DetectEngineContentInspectionRegisterTests
void DetectEngineContentInspectionRegisterTests(void)
Definition: detect-engine-content-inspection.c:319
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition: decode-ipv6.h:66
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:649
DetectEngineThreadCtx_::counter_alerts
StatsCounterId counter_alerts
Definition: detect.h:1336
Flow_::flags
uint64_t flags
Definition: flow.h:403
EngineModeSetIPS
void EngineModeSetIPS(const enum EngineHostMode mode)
Definition: suricata.c:264
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1304
ThreadVars_::name
char name[16]
Definition: threadvars.h:65
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:383
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_CONTENT
@ DETECT_CONTENT
Definition: detect-engine-register.h:71
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:282
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition: packet-queue.h:49
Flow_::proto
uint8_t proto
Definition: flow.h:376
Packet_::payload
uint8_t * payload
Definition: decode.h:618
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:144
Packet_::flags
uint32_t flags
Definition: decode.h:560
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:162
Packet_::action
uint8_t action
Definition: decode.h:622
SigRegisterTests
void SigRegisterTests(void)
Definition: detect.c:4632
Flow_
Flow data structure.
Definition: flow.h:354
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition: util-unittest-helper.c:275
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:973
th_v
ThreadVars * th_v
Definition: fuzz_iprep.c:20
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition: util-unittest-helper.c:768
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2715
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:341
TCP_GET_RAW_HLEN
#define TCP_GET_RAW_HLEN(tcph)
Definition: decode-tcp.h:72
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:231
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition: flow.h:69
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:243
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2971
p
Packet * p
Definition: fuzz_iprep.c:21
UTHBuildPacketSrcDstPorts
Packet * UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, uint16_t sport, uint16_t dport)
UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying src and dst ports and defaulting...
Definition: util-unittest-helper.c:441
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition: decode.h:1290
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition: detect.c:2892
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3580
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:545
Flow_::protoctx
void * protoctx
Definition: flow.h:433
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
Packet_::payload_len
uint16_t payload_len
Definition: decode.h:619
HtpState_
Definition: app-layer-htp.h:183
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition: conf.c:121
Signature_::next
struct Signature_ * next
Definition: detect.h:757
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition: flow.c:577
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:214
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:498
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition: util-var-name.c:326
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition: detect-parse.c:5920
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:22
DetectEngineThreadCtx_
Definition: detect.h:1291
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition: suricata.c:276
PktVar_::value
uint8_t * value
Definition: decode.h:321
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:24
ENGINE_HOST_IS_ROUTER
@ ENGINE_HOST_IS_ROUTER
Definition: suricata.h:117
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:210
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3461
Packet_::sp
Port sp
Definition: decode.h:521
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition: decode-ipv4.h:96
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:225
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:3238
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:325
Packet_
Definition: decode.h:514
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:209
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:754
SCConfCreateContextBackup
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:715
StatsSetupPrivate
int StatsSetupPrivate(StatsThreadContext *stats, const char *thread_name)
Definition: counters.c:1313
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2286
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:34
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1333
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
IPV4Hdr_
Definition: decode-ipv4.h:72
Packet_::flow
struct Flow_ * flow
Definition: decode.h:562
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:866
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1316
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition: stream-tcp-reassemble.c:445
SigMatch_::type
uint16_t type
Definition: detect.h:357
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition: flow.c:721
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition: app-layer-protos.h:36
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3706
StatsCounterGetLocalValue
int64_t StatsCounterGetLocalValue(StatsThreadContext *stats, StatsCounterId id)
Get the value of the local copy of the counter that hold this id.
Definition: counters.c:1376
SCConfDeInit
void SCConfDeInit(void)
De-initializes the configuration system.
Definition: conf.c:734
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:982
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:264
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:993
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:472
Flow_::alstate
void * alstate
Definition: flow.h:479
SCConfRestoreContextBackup
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:725
Signature_
Signature container.
Definition: detect.h:675
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:233
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2676
PktVar_::value_len
uint16_t value_len
Definition: decode.h:319
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1414
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition: decode-udp.h:27
Address_::family
char family
Definition: decode.h:114
Packet_::dst
Address dst
Definition: decode.h:519
FLOW_QUIET
#define FLOW_QUIET
Definition: flow.h:43
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition: decode.h:1285
PktVar_
Definition: decode.h:313
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:975
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
Packet_::dp
Port dp
Definition: decode.h:529
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1429
IPV4Hdr_::ip_verhl
uint8_t ip_verhl
Definition: decode-ipv4.h:73
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
TCPHdr_
Definition: decode-tcp.h:149
Packet_::src
Address src
Definition: decode.h:518
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition: util-var.h:33
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1300
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:455