20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../detect-engine-build.h"
25 #include "../pkt-var.h"
26 #include "../flow-util.h"
27 #include "../stream-tcp-reassemble.h"
28 #include "../util-unittest.h"
29 #include "../util-var-name.h"
30 #include "../util-unittest-helper.h"
/*
 * YAML configuration text embedded as a test fixture.  The fragments
 * visible here set logging defaults and declare address and port
 * variables (HOME_NET, EXTERNAL_NET, HTTP_SERVERS, HTTP_PORTS, ...).
 * Rules later in this file reference $HOME_NET and $HTTP_PORTS.
 * NOTE(review): the code that loads this string is not visible in this
 * listing; confirm those rules resolve against these values.
 * The HOME_NET value is split across two adjacent string literals, which
 * the compiler concatenates into the single prefix 2001:888:13c5:5AFE::/64.
 */
32 static const char *dummy_conf_string =
36 "default-log-dir: /var/log/suricata\n"
40 " default-log-level: debug\n"
42 " default-format: \"<%t> - <%l>\"\n"
44 " default-startup-message: Your IDS has started.\n"
46 " default-output-filter:\n"
50 " - interface: console\n"
53 " - interface: file\n"
54 " filename: /var/log/suricata.log\n"
56 " - interface: syslog\n"
70 " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
71 "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
73 " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
75 " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
77 " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
79 " SQL_SERVERS: \"!192.168.0.0/16\"\n"
83 " TELNET_SERVERS: any\n"
89 " HTTP_PORTS: \"80:81,88\"\n"
91 " SHELLCODE_PORTS: 80\n"
93 " ORACLE_PORTS: 1521\n"
/*
 * SigTest01: fixture with two HTTP/1.1 GET requests in one buffer and a
 * rule that anchors on "GET " and captures the request URI with a named
 * pcre group.  The assertions are outside the visible lines.
 */
98 static int SigTest01 (
void)
/* Two requests back to back; only the first one starts at byte 0. */
100 uint8_t *buf = (uint8_t *)
101 "GET /one/ HTTP/1.1\r\n"
102 "Host: one.example.org\r\n"
104 "GET /two/ HTTP/1.1\r\n"
105 "Host: two.example.org\r\n"
/* strlen() is narrowed to uint16_t; the literal is far below 65535 bytes. */
107 uint16_t buflen = strlen((
char *)buf);
/*
 * depth:4 confines the "GET " match to the first four bytes, so a request
 * that does not start the buffer cannot satisfy that content on its own.
 * The G modifier is Suricata's "invert greediness" flag, so the capture
 * ends at the first " HTTP/x.y\r\n" rather than the last.
 * NOTE(review): the pkt_ prefix on the group name presumably stores the
 * capture in a packet variable (pkt-var.h is included) - confirm.
 */
111 char sig[] =
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
/*
 * SigTest02: offset/depth window around the first Host header.
 * The request line "GET /one/ HTTP/1.1\r\n" is 20 bytes, so
 * "Host: one.example.org" (21 bytes) occupies bytes 20..40 of buf.
 * The rule's depth value 41 equals 20 + 21, i.e. the first byte after
 * that string.  The expected verdict is asserted in lines not shown.
 */
118 static int SigTest02 (
void)
120 uint8_t *buf = (uint8_t *)
121 "GET /one/ HTTP/1.1\r\n"
122 "Host: one.example.org\r\n"
124 "GET /two/ HTTP/1.1\r\n"
125 "Host: two.example.org\r\n"
127 uint16_t buflen = strlen((
char *)buf);
/* Same pattern as the Host line at byte 20; the window is offset:20, depth:41. */
129 char sig[] =
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
/*
 * SigTest03: same buffer and pattern as SigTest02, but with depth:39
 * instead of depth:41.  "Host: one.example.org" spans bytes 20..40 of
 * buf, so 39 is two short of the 20 + 21 boundary used in SigTest02.
 * NOTE(review): the assertion on the result is not visible here; this
 * looks like the negative counterpart of SigTest02 - confirm.
 */
135 static int SigTest03 (
void)
137 uint8_t *buf = (uint8_t *)
138 "GET /one/ HTTP/1.1\r\n"
139 "Host: one.example.org\r\n"
141 "GET /two/ HTTP/1.1\r\n"
142 "Host: two.example.org\r\n"
144 uint16_t buflen = strlen((
char *)buf);
/* Clear the thread context before it is used. */
146 memset(&th_v, 0,
sizeof(th_v));
/* Rule text is split over two adjacent literals; the content is "Host: one.example.org". */
153 "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: "
154 "one.example.org\"; offset:20; depth:39; sid:1;)");
/*
 * SigTest04: two "Host:" contents in one rule.  The first is bounded by
 * offset:20 and depth:25 (the first "Host:" starts at byte 20 of buf);
 * the second is positioned with distance:42 and within:47, which are
 * measured from the end of the previous match rather than from the start
 * of the payload.  The expected verdict is asserted in lines not shown.
 */
168 static int SigTest04 (
void)
170 uint8_t *buf = (uint8_t *)
171 "GET /one/ HTTP/1.1\r\n"
172 "Host: one.example.org\r\n"
174 "GET /two/ HTTP/1.1\r\n"
175 "Host: two.example.org\r\n"
177 uint16_t buflen = strlen((
char *)buf);
/* Clear the thread context before it is used. */
179 memset(&th_v, 0,
sizeof(th_v));
186 "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; "
187 "offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
/*
 * SigTest05: identical to SigTest04 except for the relative window of the
 * second "Host:" content, which is distance:48 and within:52 here
 * (SigTest04 uses 42 and 47).
 * NOTE(review): the assertion is not visible; the larger distance looks
 * intended to push the window past the second Host header - confirm.
 */
201 static int SigTest05 (
void)
203 uint8_t *buf = (uint8_t *)
204 "GET /one/ HTTP/1.1\r\n"
205 "Host: one.example.org\r\n"
207 "GET /two/ HTTP/1.1\r\n"
208 "Host: two.example.org\r\n"
210 uint16_t buflen = strlen((
char *)buf);
/* Clear the thread context before it is used. */
212 memset(&th_v, 0,
sizeof(th_v));
219 "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; "
220 "offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
234 static int SigTest06 (
void)
236 uint8_t *buf = (uint8_t *)
237 "GET /one/ HTTP/1.1\r\n"
238 "Host: one.example.org\r\n"
240 "GET /two/ HTTP/1.1\r\n"
241 "Host: two.example.org\r\n"
243 uint16_t buflen = strlen((
char *)buf);
252 memset(&th_v, 0,
sizeof(th_v));
253 memset(&f, 0,
sizeof(f));
254 memset(&ssn, 0,
sizeof(ssn));
262 f.
proto = IPPROTO_TCP;
275 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
302 static int SigTest07 (
void)
304 uint8_t *buf = (uint8_t *)
305 "GET /one/ HTTP/1.1\r\n"
306 "Host: one.example.org\r\n"
308 "GET /two/ HTTP/1.1\r\n"
309 "Host: two.example.org\r\n"
311 uint16_t buflen = strlen((
char *)buf);
319 memset(&th_v, 0,
sizeof(th_v));
320 memset(&f, 0,
sizeof(f));
321 memset(&ssn, 0,
sizeof(ssn));
327 f.
proto = IPPROTO_TCP;
341 "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; "
342 "pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
345 "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
369 static int SigTest08 (
void)
371 uint8_t *buf = (uint8_t *)
372 "GET /one/ HTTP/1.0\r\n"
373 "Host: one.example.org\r\n"
375 "GET /two/ HTTP/1.0\r\n"
376 "Host: two.example.org\r\n"
378 uint16_t buflen = strlen((
char *)buf);
385 memset(&f, 0,
sizeof(
Flow));
386 memset(&th_v, 0,
sizeof(th_v));
387 memset(&ssn, 0,
sizeof(ssn));
395 f.
proto = IPPROTO_TCP;
409 "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; "
410 "depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
413 "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
437 static int SigTest09 (
void)
439 uint8_t *buf = (uint8_t *)
440 "GET /one/ HTTP/1.0\r\n"
441 "Host: one.example.org\r\n"
443 "GET /two/ HTTP/1.0\r\n"
444 "Host: two.example.org\r\n"
446 uint16_t buflen = strlen((
char *)buf);
453 memset(&th_v, 0,
sizeof(th_v));
454 memset(&f, 0,
sizeof(f));
455 memset(&ssn, 0,
sizeof(ssn));
463 f.
proto = IPPROTO_TCP;
477 "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; "
478 "depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
481 "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
505 static int SigTest10 (
void)
507 uint8_t *buf = (uint8_t *)
"ABC";
508 uint16_t buflen = strlen((
char *)buf);
515 memset(&th_v, 0,
sizeof(th_v));
516 memset(&f, 0,
sizeof(f));
517 memset(&ssn, 0,
sizeof(ssn));
524 f.
proto = IPPROTO_TCP;
538 "test (1)\"; content:\"ABCD\"; depth:4; sid:1;");
541 "(2)\"; content:\"VWXYZ\"; sid:2;");
564 static int SigTest11 (
void)
566 uint8_t *buf = (uint8_t *)
567 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
568 uint16_t buflen = strlen((
char *)buf);
576 memset(&th_v, 0,
sizeof(th_v));
577 memset(&f, 0,
sizeof(f));
578 memset(&ssn, 0,
sizeof(ssn));
584 f.
proto = IPPROTO_TCP;
600 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
628 static int SigTest12 (
void)
630 uint8_t *buf = (uint8_t *)
631 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
632 uint16_t buflen = strlen((
char *)buf);
638 memset(&th_v, 0,
sizeof(th_v));
640 memset(&f, 0,
sizeof(
Flow));
655 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
682 static int SigTest13 (
void)
684 uint8_t *buf = (uint8_t *)
685 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
686 uint16_t buflen = strlen((
char *)buf);
692 memset(&th_v, 0,
sizeof(th_v));
694 memset(&f, 0,
sizeof(
Flow));
709 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
733 static int SigTest14 (
void)
735 uint8_t *buf = (uint8_t *)
736 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
737 uint16_t buflen = strlen((
char *)buf);
743 memset(&th_v, 0,
sizeof(th_v));
754 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
/*
 * SigTest15: HTTP CONNECT request checked against a rule whose destination
 * port is the negation of $HTTP_PORTS.  The configuration fixture at the
 * top of this file declares HTTP_PORTS as "80:81,88".
 * NOTE(review): the packet's destination port and the assertion are set
 * in lines not shown, so the expected verdict cannot be read from here.
 */
777 static int SigTest15 (
void)
779 uint8_t *buf = (uint8_t *)
780 "CONNECT 213.92.8.7:31204 HTTP/1.1";
781 uint16_t buflen = strlen((
char *)buf);
/* Clear the thread context before it is used. */
789 memset(&th_v, 0,
sizeof(th_v));
794 p->
proto = IPPROTO_TCP;
/*
 * "CONNECT " must sit in the first 8 bytes (depth:8, case-insensitive);
 * " HTTP/1." must follow within 1000 bytes of that match.
 */
808 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
833 static int SigTest16 (
void)
835 uint8_t *buf = (uint8_t *)
836 "CONNECT 213.92.8.7:31204 HTTP/1.1";
837 uint16_t buflen = strlen((
char *)buf);
843 memset(&th_v, 0,
sizeof(th_v));
844 memset(&p, 0,
sizeof(p));
859 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
/*
 * SigTest17: rule restricted to destination $HTTP_PORTS that captures the
 * Host header value with a named pcre group and carries noalert, so a
 * match produces no alert.
 * NOTE(review): with noalert the test presumably verifies the captured
 * value rather than an alert (pkt-var.h is included) - confirm against
 * the assertions, which are not visible here.
 */
883 static int SigTest17 (
void)
885 uint8_t *buf = (uint8_t *)
886 "GET /one/ HTTP/1.1\r\n"
887 "Host: one.example.org\r\n"
889 "GET /two/ HTTP/1.1\r\n"
890 "Host: two.example.org\r\n"
892 uint16_t buflen = strlen((
char *)buf);
/* Clear the thread context before it is used. */
896 memset(&th_v, 0,
sizeof(th_v));
/*
 * The m modifier lets ^ match at the start of any line, so the pattern can
 * match a Host line that is not at the start of the buffer.
 */
909 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
/*
 * SigTest18: FTP-style "220" banner checked against a rule whose source
 * port is the negated range !21:902.  The failure message shows the test
 * expects the rule NOT to match.
 * NOTE(review): the packet's source port is set in lines not shown;
 * presumably it falls inside 21:902 so the negation excludes it - confirm.
 */
932 static int SigTest18 (
void)
934 uint8_t *buf = (uint8_t *)
935 "220 (vsFTPd 2.0.5)\r\n";
936 uint16_t buflen = strlen((
char *)buf);
/* Clear the thread context before it is used. */
944 memset(&th_v, 0,
sizeof(th_v));
949 p->
proto = IPPROTO_TCP;
/*
 * Payload conditions alone would be met by buf: "220" is in the first four
 * bytes and is followed by a space, so the port negation is the part of the
 * rule that decides the verdict here.
 */
960 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
973 printf(
"signature shouldn't match, but did: ");
983 static int SigTest19 (
void)
985 uint8_t *buf = (uint8_t *)
986 "220 (vsFTPd 2.0.5)\r\n";
987 uint16_t buflen = strlen((
char *)buf);
995 memset(&th_v, 0,
sizeof(th_v));
1002 p->
proto = IPPROTO_TCP;
1031 printf(
"signature didn't match, but should have: ");
1043 static int SigTest20 (
void)
1045 uint8_t *buf = (uint8_t *)
1046 "220 (vsFTPd 2.0.5)\r\n";
1047 uint16_t buflen = strlen((
char *)buf);
1055 memset(&th_v, 0,
sizeof(th_v));
1062 p->
proto = IPPROTO_TCP;
1078 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1091 printf(
"signature didn't match, but should have: ");
/*
 * SigTest21: flowbits state carried between two payloads.  sid 1 sets the
 * flowbit TEST.one when it sees "/one/" and suppresses its own alert with
 * flowbits:noalert.  The failure messages show the expectation: sid 1
 * stays silent and sid 2 alerts.
 * NOTE(review): sid 2's rule text is not visible in this listing;
 * presumably it tests TEST.one on the second payload - confirm.
 */
1103 static int SigTest21 (
void)
/* Clear the thread context and the flow before they are used. */
1106 memset(&th_v, 0,
sizeof(th_v));
1111 memset(&f, 0,
sizeof(f));
/* First payload: contains "/one/", the trigger for sid 1. */
1115 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1117 uint16_t buf1len = strlen((
char *)buf1);
/* Second payload: does not contain "/one/". */
1120 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1122 uint16_t buf2len = strlen((
char *)buf2);
1139 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1155 printf(
"sid 1 alerted, but shouldn't: ");
1160 printf(
"sid 2 didn't alert, but should have: ");
1167 if (det_ctx != NULL) {
1179 static int SigTest22 (
void)
1182 memset(&th_v, 0,
sizeof(th_v));
1187 memset(&f, 0,
sizeof(f));
1191 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1193 uint16_t buf1len = strlen((
char *)buf1);
1201 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1203 uint16_t buf2len = strlen((
char *)buf2);
1217 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1233 printf(
"sid 1 alerted, but shouldn't: ");
1240 printf(
"sid 2 alerted, but shouldn't: ");
1252 static int SigTest23 (
void)
1255 memset(&th_v, 0,
sizeof(th_v));
1260 memset(&f, 0,
sizeof(f));
1264 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1266 uint16_t buf1len = strlen((
char *)buf1);
1274 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1276 uint16_t buf2len = strlen((
char *)buf2);
1290 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1306 printf(
"sid 1 alerted, but shouldn't: ");
1313 printf(
"sid 2 didn't alert, but should have: ");
/*
 * SigTest24IPV4Keyword: exercises the ipv4-csum keyword with one header
 * whose checksum is correct and one whose checksum is not.
 *
 * Both arrays are 20-byte IPv4 headers (0x45: version 4, header length 5
 * words).  Bytes 10-11 hold the header checksum 0xb752, which is correct
 * for the first array.  The second array differs only in its last byte
 * (destination 192.168.1.6 instead of 192.168.1.3) while keeping the same
 * checksum bytes, which is what makes its checksum wrong.
 */
1325 static int SigTest24IPV4Keyword(
void)
1327 uint8_t valid_raw_ipv4[] = {
1328 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1329 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1330 0xc0, 0xa8, 0x01, 0x03};
1332 uint8_t invalid_raw_ipv4[] = {
1333 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1334 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1335 0xc0, 0xa8, 0x01, 0x06};
1349 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1351 uint16_t buflen = strlen((
char *)buf);
/* p1 gets the header with the correct checksum, p2 the altered one. */
1355 PacketSetIPV4(p1, valid_raw_ipv4);
1360 p1->
proto = IPPROTO_TCP;
1362 PacketSetIPV4(p2, invalid_raw_ipv4);
1367 p2->
proto = IPPROTO_TCP;
/* Rule 1: payload content plus ipv4-csum:valid. */
1377 "alert ip any any -> any any "
1378 "(content:\"/one/\"; ipv4-csum:valid; "
1379 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1381 printf(
"sig 1 parse: ");
/* Rule 2: same content with ipv4-csum:invalid; its msg text repeats "check(1)". */
1386 "alert ip any any -> any any "
1387 "(content:\"/one/\"; ipv4-csum:invalid; "
1388 "msg:\"ipv4-csum keyword check(1)\"; "
1391 printf(
"sig 2 parse: ");
/* Both rules are expected to match, each on the packet built for it. */
1400 printf(
"signature 1 didn't match, but should have: ");
1406 printf(
"signature 2 didn't match, but should have: ");
1412 if (det_ctx != NULL) {
1422 static int SigTest25NegativeIPV4Keyword(
void)
1424 uint8_t valid_raw_ipv4[] = {
1425 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1426 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1427 0xc0, 0xa8, 0x01, 0x03};
1429 uint8_t invalid_raw_ipv4[] = {
1430 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1431 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1432 0xc0, 0xa8, 0x01, 0x06};
1446 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1448 uint16_t buflen = strlen((
char *)buf);
1452 PacketSetIPV4(p1, valid_raw_ipv4);
1457 p1->
proto = IPPROTO_TCP;
1459 PacketSetIPV4(p2, invalid_raw_ipv4);
1464 p2->
proto = IPPROTO_TCP;
1474 "alert ip any any -> any any "
1475 "(content:\"/one/\"; ipv4-csum:invalid; "
1476 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1483 "alert ip any any -> any any "
1484 "(content:\"/one/\"; ipv4-csum:valid; "
1485 "msg:\"ipv4-csum keyword check(1)\"; "
/*
 * SigTest26TCPV4Keyword: exercises the tcpv4-csum keyword with two TCP
 * segments that share one IPv4 header fixture.
 *
 * raw_ipv4 is zero except for its last eight bytes, the source and
 * destination address fields.
 * NOTE(review): presumably only the addresses matter because they feed the
 * TCP pseudo-header; the copy into the packet buffer is not visible.
 *
 * The TCP arrays are 40 bytes: byte 12 is 0x50 (data offset 5, i.e. a
 * 20-byte header), leaving 20 bytes, which agrees with dsize:20 in rule 1.
 * They differ in the checksum field at bytes 16-17 (0x4A04 vs 0xfa03) and
 * in the final byte (0x02 vs 0x03).
 */
1516 static int SigTest26TCPV4Keyword(
void)
1518 uint8_t raw_ipv4[] = {
1519 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1520 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1521 0xc0, 0xa8, 0x01, 0x03};
1523 uint8_t valid_raw_tcp[] = {
1524 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1525 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1526 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1527 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1528 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1530 uint8_t invalid_raw_tcp[] = {
1531 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1532 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1533 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1534 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1535 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
/* The TCP header pointer is placed right after sizeof(raw_ipv4) bytes of packet data. */
1559 PacketSetTCP(p1, (
GET_PKT_DATA(p1) +
sizeof(raw_ipv4)));
1564 p1->
proto = IPPROTO_TCP;
1567 PacketSetTCP(p2, (
GET_PKT_DATA(p2) +
sizeof(raw_ipv4)));
1572 p2->
proto = IPPROTO_TCP;
/* Rule 1: bytes DE 01 03 (present near the end of both arrays), valid checksum, dsize:20. */
1580 "alert ip any any -> any any "
1581 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1582 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
/* Rule 2: same content with tcpv4-csum:invalid and no dsize; its msg repeats "check(1)". */
1586 "alert ip any any -> any any "
1587 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1588 "msg:\"tcpv4-csum keyword check(1)\"; "
1610 static int SigTest26TCPV4AndNegativeIPV4Keyword(
void)
1612 uint8_t raw_ipv4[] = {
1613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1614 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1615 0xc0, 0xa8, 0x01, 0x03};
1617 uint8_t valid_raw_tcp[] = {
1618 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1619 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1620 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1621 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1622 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1624 uint8_t invalid_raw_tcp[] = {
1625 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1626 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1627 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1628 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1629 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1654 PacketSetTCP(p1, (
GET_PKT_DATA(p1) +
sizeof(raw_ipv4)));
1659 p1->
proto = IPPROTO_TCP;
1662 PacketSetTCP(p2, (
GET_PKT_DATA(p2) +
sizeof(raw_ipv4)));
1667 p2->
proto = IPPROTO_TCP;
1677 "alert ip any any -> any any "
1678 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1679 "ipv4-csum:invalid; "
1680 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1686 "alert ip any any -> any any "
1687 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1688 "ipv4-csum:invalid; "
1689 "msg:\"tcpv4-csum keyword check(1)\"; "
1700 printf(
"sig 1 didn't match: ");
1706 printf(
"sig 2 didn't match: ");
1721 static int SigTest26TCPV4AndIPV4Keyword(
void)
1726 uint8_t raw_ipv4[] = {
1727 0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1728 0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1729 0xc0, 0xa8, 0xb0, 0x74};
1736 uint8_t valid_raw_tcp[] = {
1737 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1738 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1739 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1740 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1741 0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1742 0x04, 0x02, 0x00, 0x00};
1744 uint8_t invalid_raw_tcp[] = {
1745 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1746 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1747 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1748 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1749 0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1750 0x04, 0x02, 0x00, 0x00};
1775 PacketSetTCP(p1, (
GET_PKT_DATA(p1) +
sizeof(raw_ipv4)));
1780 p1->
proto = IPPROTO_TCP;
1783 PacketSetTCP(p2, (
GET_PKT_DATA(p2) +
sizeof(raw_ipv4)));
1788 p2->
proto = IPPROTO_TCP;
1798 "alert ip any any -> any any "
1799 "(tcpv4-csum:valid; "
1801 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1807 "alert ip any any -> any any "
1808 "(tcpv4-csum:invalid; "
1810 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1821 printf(
"sig 1 didn't match: ");
1827 printf(
"sig 2 didn't match: ");
/*
 * SigTest27NegativeTCPV4Keyword: negative counterpart of the tcpv4-csum
 * test.  The failure messages show the expectation: rule 1
 * (tcpv4-csum:invalid) matches p1 and rule 2 (tcpv4-csum:valid) does not
 * match p2.
 *
 * NOTE(review): the array named valid_raw_tcp carries checksum bytes
 * 0xfa03 with a final byte of 0x02.  SigTest26TCPV4Keyword uses 0x4A04 as
 * the valid checksum for the same 40 bytes and the same raw_ipv4, so this
 * "valid" array very likely holds a wrong checksum on purpose.  The name
 * is misleading; confirm and consider renaming.  The two arrays here
 * differ only in their final byte (0x02 vs 0x03).
 */
1841 static int SigTest27NegativeTCPV4Keyword(
void)
1843 uint8_t raw_ipv4[] = {
1844 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1845 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1846 0xc0, 0xa8, 0x01, 0x03};
1848 uint8_t valid_raw_tcp[] = {
1849 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1850 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1851 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1852 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1853 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1855 uint8_t invalid_raw_tcp[] = {
1856 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1857 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1858 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1859 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1860 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
/* The TCP header pointer is placed right after sizeof(raw_ipv4) bytes of packet data. */
1883 PacketSetTCP(p1, (
GET_PKT_DATA(p1) +
sizeof(raw_ipv4)));
1888 p1->
proto = IPPROTO_TCP;
1891 PacketSetTCP(p2, (
GET_PKT_DATA(p2) +
sizeof(raw_ipv4)));
1896 p2->
proto = IPPROTO_TCP;
/* Rule 1: expects an invalid TCP checksum. */
1906 "alert tcp any any -> any any "
1907 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
1908 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
/* Rule 2: expects a valid TCP checksum. */
1914 "alert tcp any any -> any any "
1915 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1916 "msg:\"tcpv4-csum keyword check(2)\"; "
1927 printf(
"sig 1 didn't match on p1: ");
1933 printf(
"sig 2 matched on p2: ");
/*
 * SigTest28TCPV6Keyword: exercises the tcpv6-csum keyword with two full
 * frames held in static arrays.
 *
 * Layout of each 86-byte array, which explains the constants used below:
 *   bytes  0-13  Ethernet header, ending in ethertype 0x86dd (IPv6)
 *   bytes 14-53  IPv6 header (0x60 version nibble, next header 0x06 = TCP)
 *   bytes 54-73  TCP header (data offset 0x50, i.e. 20 bytes)
 *   bytes 74-85  12 bytes of payload, agreeing with dsize:12 in the rules
 * The arrays differ in the TCP checksum bytes (0xf2f1 vs 0xc2f1) and in
 * the final payload byte (0x27 vs 0x28).
 * The failure messages show both rules are expected to match, rule 1 on
 * p1 and rule 2 on p2.
 */
1947 static int SigTest28TCPV6Keyword(
void)
1949 static uint8_t valid_raw_ipv6[] = {
1950 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
1951 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
1953 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
1954 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
1955 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
1956 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
1957 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
1959 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
1960 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
1961 0xf2, 0xf1, 0x00, 0x00,
1963 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
1964 0x00, 0x01, 0x69, 0x27};
1966 static uint8_t invalid_raw_ipv6[] = {
1967 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
1968 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
1970 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
1971 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
1972 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
1973 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
1974 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
1976 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
1977 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
1978 0xc2, 0xf1, 0x00, 0x00,
1980 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
1981 0x00, 0x01, 0x69, 0x28};
/* Skip the 14-byte Ethernet header for IPv6; TCP starts 40 bytes later at 54. */
1997 PacketSetIPV6(p1, valid_raw_ipv6 + 14);
1998 PacketSetTCP(p1, (valid_raw_ipv6 + 54));
/* The payload pointer refers directly into the static array, past the 20-byte TCP header. */
2001 p1->
payload = valid_raw_ipv6 + 54 + 20;
2003 p1->
proto = IPPROTO_TCP;
2009 PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2010 PacketSetTCP(p2, (invalid_raw_ipv6 + 54));
2013 p2->
payload = invalid_raw_ipv6 + 54 + 20;
2015 p2->
proto = IPPROTO_TCP;
/* Rule 1: payload bytes 00 01 69 with a valid TCP-over-IPv6 checksum. */
2029 "alert tcp any any -> any any "
2030 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2031 "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
/* Rule 2: same content with tcpv6-csum:invalid; its msg text repeats "check(1)". */
2037 "alert tcp any any -> any any "
2038 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2039 "msg:\"tcpv6-csum keyword check(1)\"; "
2050 printf(
"sid 1 didn't match on p1: ");
2056 printf(
"sid 2 didn't match on p2: ");
2070 static int SigTest29NegativeTCPV6Keyword(
void)
2072 static uint8_t valid_raw_ipv6[] = {
2073 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2074 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2076 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2077 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2078 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2079 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2080 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2082 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2083 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2084 0xf2, 0xf1, 0x00, 0x00,
2086 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2087 0x00, 0x01, 0x69, 0x27};
2089 static uint8_t invalid_raw_ipv6[] = {
2090 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2091 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2093 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2094 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2095 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2096 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2097 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2099 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2100 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2101 0xc2, 0xf1, 0x00, 0x00,
2103 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2104 0x00, 0x01, 0x69, 0x28};
2120 PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2121 PacketSetTCP(p1, valid_raw_ipv6 + 54);
2124 p1->
payload = valid_raw_ipv6 + 54 + 20;
2126 p1->
proto = IPPROTO_TCP;
2132 PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2133 PacketSetTCP(p2, invalid_raw_ipv6 + 54);
2136 p2->
payload = invalid_raw_ipv6 + 54 + 20;
2138 p2->
proto = IPPROTO_TCP;
2150 "alert tcp any any -> any any "
2151 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2152 "msg:\"tcpv6-csum keyword check(1)\"; "
2159 "alert tcp any any -> any any "
2160 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2161 "msg:\"tcpv6-csum keyword check(1)\"; "
2180 if (det_ctx != NULL)
2189 static int SigTest30UDPV4Keyword(
void)
2191 uint8_t raw_ipv4[] = {
2192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2193 0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2194 0xc0, 0xa8, 0x01, 0x03};
2196 uint8_t valid_raw_udp[] = {
2197 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2198 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2199 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2200 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2201 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2202 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2203 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2204 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2205 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2206 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2207 0x67, 0x6c, 0x65, 0xc0, 0x26};
2209 uint8_t invalid_raw_udp[] = {
2210 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2211 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2212 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2213 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2214 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2215 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2216 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2217 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2218 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2219 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2220 0x67, 0x6c, 0x65, 0xc0, 0x27};
2230 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2231 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2235 PacketSetIPV4(p1, raw_ipv4);
2236 PacketSetUDP(p1, valid_raw_udp);
2241 p1->
proto = IPPROTO_UDP;
2243 PacketSetIPV4(p2, raw_ipv4);
2244 PacketSetUDP(p2, invalid_raw_udp);
2249 p2->
proto = IPPROTO_UDP;
2257 "alert udp any any -> any any "
2258 "(content:\"/one/\"; udpv4-csum:valid; "
2259 "msg:\"udpv4-csum keyword check(1)\"; "
2264 "alert udp any any -> any any "
2265 "(content:\"/one/\"; udpv4-csum:invalid; "
2266 "msg:\"udpv4-csum keyword check(1)\"; "
2279 if (det_ctx != NULL)
2288 static int SigTest31NegativeUDPV4Keyword(
void)
2290 uint8_t raw_ipv4[] = {
2291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2292 0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2293 0xc0, 0xa8, 0x01, 0x03};
2295 uint8_t valid_raw_udp[] = {
2296 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2297 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2298 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2299 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2300 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2301 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2302 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2303 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2304 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2305 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2306 0x67, 0x6c, 0x65, 0xc0, 0x26};
2308 uint8_t invalid_raw_udp[] = {
2309 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2310 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2311 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2312 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2313 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2314 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2315 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2316 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2317 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2318 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2319 0x67, 0x6c, 0x65, 0xc0, 0x27};
2333 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2334 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2338 PacketSetIPV4(p1, raw_ipv4);
2339 PacketSetUDP(p1, valid_raw_udp);
2344 p1->
proto = IPPROTO_UDP;
2346 PacketSetIPV4(p2, raw_ipv4);
2347 PacketSetUDP(p2, invalid_raw_udp);
2352 p2->
proto = IPPROTO_UDP;
2362 "alert udp any any -> any any "
2363 "(content:\"/one/\"; udpv4-csum:invalid; "
2364 "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2371 "alert udp any any -> any any "
2372 "(content:\"/one/\"; udpv4-csum:valid; "
2373 "msg:\"udpv4-csum keyword check(1)\"; "
2396 if (det_ctx != NULL)
2407 static int SigTest32UDPV6Keyword(
void)
2409 static uint8_t valid_raw_ipv6[] = {
2410 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2411 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2412 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2413 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2414 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2415 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2416 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2417 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2418 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2421 static uint8_t invalid_raw_ipv6[] = {
2422 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2423 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2424 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2425 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2426 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2427 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2428 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2429 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2430 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2441 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP\r\n"
2446 PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2447 PacketSetUDP(p1, valid_raw_ipv6 + 54);
2452 p1->
proto = IPPROTO_UDP;
2454 PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2455 PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2460 p2->
proto = IPPROTO_UDP;
2468 "alert udp any any -> any any "
2469 "(content:\"/one/\"; udpv6-csum:valid; "
2470 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2474 "alert udp any any -> any any "
2475 "(content:\"/one/\"; udpv6-csum:invalid; "
2476 "msg:\"udpv6-csum keyword check(1)\"; "
2489 if (det_ctx != NULL)
2499 static int SigTest33NegativeUDPV6Keyword(
void)
2501 static uint8_t valid_raw_ipv6[] = {
2502 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2503 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2504 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2505 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2506 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2507 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2508 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2509 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2510 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2513 static uint8_t invalid_raw_ipv6[] = {
2514 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2515 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2516 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2517 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2518 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2519 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2520 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2521 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2522 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2537 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP\r\n"
2542 PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2543 PacketSetUDP(p1, valid_raw_ipv6 + 54);
2548 p1->
proto = IPPROTO_UDP;
2550 PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2551 PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2556 p2->
proto = IPPROTO_UDP;
2566 "alert udp any any -> any any "
2567 "(content:\"/one/\"; udpv6-csum:invalid; "
2568 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2575 "alert udp any any -> any any "
2576 "(content:\"/one/\"; udpv6-csum:valid; "
2577 "msg:\"udpv6-csum keyword check(1)\"; "
2599 if (det_ctx != NULL)
/*
 * Test for the icmpv4-csum rule keyword. Only part of the body appears in
 * this listing; the assertions on which packet alerts are not shown.
 *
 * NOTE(review): general rationale, not stated in this file -- receivers
 * normally discard packets with a bad checksum, so a detection engine has to
 * be able to tell such packets apart from ones that will be delivered.
 */
2609 static int SigTest34ICMPV4Keyword(
void)
/* IPv4 header (protocol byte 0x01) followed by an ICMP message whose
 * checksum field is 0xc3, 0x01. */
2611 uint8_t valid_raw_ipv4[] = {
2612 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2613 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2614 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2615 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2616 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2617 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2618 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2619 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2620 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2621 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2622 0x34, 0x35, 0x36, 0x37};
/* Same bytes as valid_raw_ipv4 except the final one (0x38 instead of 0x37).
 * The checksum field is unchanged, so it should no longer match the data. */
2624 uint8_t invalid_raw_ipv4[] = {
2625 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2626 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2627 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2628 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2629 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2630 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2631 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2632 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2633 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2634 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2635 0x34, 0x35, 0x36, 0x38};
/* Payload text carrying the "/one/" string both rules look for. */
2649 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
2651 uint16_t buflen = strlen((
char *)buf);
/* p1 is built on the valid header bytes, p2 on the invalid ones. */
2655 IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2662 p1->
proto = IPPROTO_ICMP;
2664 ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2671 p2->
proto = IPPROTO_ICMP;
/* sid:1 requires a valid ICMPv4 checksum. */
2681 "alert icmp any any -> any any "
2682 "(content:\"/one/\"; icmpv4-csum:valid; "
2683 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
/* The second rule requires an invalid checksum; the rest of it, including
 * its sid, is not shown here. */
2690 "alert icmp any any -> any any "
2691 "(content:\"/one/\"; icmpv4-csum:invalid; "
2692 "msg:\"icmpv4-csum keyword check(1)\"; "
2714 if (det_ctx != NULL)
/*
 * Negative counterpart for the icmpv4-csum keyword: the same two packets as
 * declared below, but sid:1 asks for an invalid checksum and the second rule
 * for a valid one. Only part of the body appears in this listing; the
 * assertions are not shown.
 */
2724 static int SigTest35NegativeICMPV4Keyword(
void)
/* IPv4 header (protocol byte 0x01) followed by an ICMP message whose
 * checksum field is 0xc3, 0x01. */
2726 uint8_t valid_raw_ipv4[] = {
2727 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2728 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2729 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2730 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2731 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2732 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2733 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2734 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2735 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2736 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2737 0x34, 0x35, 0x36, 0x37};
/* Differs from valid_raw_ipv4 only in the final byte (0x38 instead of 0x37);
 * the checksum field is the same, so it should no longer match the data. */
2739 uint8_t invalid_raw_ipv4[] = {
2740 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2741 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2742 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2743 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2744 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2745 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2746 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2747 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2748 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2749 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2750 0x34, 0x35, 0x36, 0x38};
/* Payload text carrying the "/one/" string both rules look for. */
2764 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
2766 uint16_t buflen = strlen((
char *)buf);
/* p1 is built on the valid header bytes, p2 on the invalid ones. */
2770 IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2777 p1->
proto = IPPROTO_ICMP;
2779 ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2786 p2->
proto = IPPROTO_ICMP;
/* sid:1 requires an invalid ICMPv4 checksum. */
2796 "alert icmp any any -> any any "
2797 "(content:\"/one/\"; icmpv4-csum:invalid; "
2798 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
/* The second rule requires a valid checksum; the rest of it, including its
 * sid, is not shown here. */
2805 "alert icmp any any -> any any "
2806 "(content:\"/one/\"; icmpv4-csum:valid; "
2807 "msg:\"icmpv4-csum keyword check(1)\"; "
2830 if (det_ctx != NULL)
/*
 * Test for the byte_test rule keyword against a hand-built
 * Ethernet/IPv4/TCP packet. Only part of the body appears in this listing.
 * Both rules are expected to alert, judging by the failure messages below.
 */
2840 static int SigTest38(
void)
/* Layer headers are kept in separate arrays and attached to the packet one
 * by one further down. The closing lines of the arrays are not shown. */
2848 uint8_t raw_eth[] = {
2849 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
2850 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* IPv4 header with protocol byte 0x06 (TCP). */
2853 uint8_t raw_ipv4[] = {
2854 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
2855 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
2856 0x7f, 0x00, 0x00, 0x01
2858 uint8_t raw_tcp[] = {
2859 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
2860 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
2861 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
2862 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
2863 0x00, 0x22, 0xaa, 0x10
/* Payload bytes; presumably the initializer of buf, whose declaring line is
 * not shown. They start with the binary value 00 00 00 08, followed by the
 * ASCII text "booeek\r\nLEN1 8\r\nfo0008\r\nLEN2 999...". */
2866 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
2867 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
2868 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30,
2869 0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
2870 0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2871 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2872 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2873 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
2874 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
/* sizeof yields size_t; the values are narrowed to uint16_t here. */
2877 uint16_t ethlen =
sizeof(raw_eth);
2878 uint16_t ipv4len =
sizeof(raw_ipv4);
2879 uint16_t tcplen =
sizeof(raw_tcp);
2880 uint16_t buflen =
sizeof(buf);
/* Packet length is the sum of the four pieces. */
2901 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
2903 PacketSetEthernet(p1, raw_eth);
2904 PacketSetIPV4(p1, raw_ipv4);
2905 PacketSetTCP(p1, raw_tcp);
2910 p1->
proto = IPPROTO_TCP;
/* sid:1 -- binary byte_test: 4 bytes at offset 0 compared with 8; the
 * listed payload starts with 00 00 00 08. */
2919 "alert tcp any any -> any any "
2920 "(content:\"LEN1|20|\"; "
2921 "byte_test:4,=,8,0; "
2922 "msg:\"byte_test keyword check(1)\"; sid:1;)");
/* sid:2 -- string/decimal byte_test relative to the "LEN1 " match: in the
 * listed payload the 4 bytes found 5 bytes after the match are "0008". */
2928 "alert tcp any any -> any any "
2929 "(content:\"LEN1|20|\"; "
2930 "byte_test:4,=,8,5,relative,string,dec; "
2931 "msg:\"byte_test keyword check(2)\"; sid:2;)");
2945 printf(
"sid 1 didn't alert, but should have: ");
2952 printf(
"sid 2 didn't alert, but should have: ");
2957 if (det_ctx != NULL)
/*
 * Test for the byte_jump rule keyword (combined with byte_test) against a
 * hand-built Ethernet/IPv4/TCP packet. Only part of the body appears in this
 * listing; the rule headers and the assertions are not shown.
 */
2967 static int SigTest39(
void)
/* Layer headers are kept in separate arrays and attached to the packet one
 * by one further down. The closing lines of the arrays are not shown. */
2971 uint8_t raw_eth[] = {
2972 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
2973 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* IPv4 header with protocol byte 0x06 (TCP). */
2976 uint8_t raw_ipv4[] = {
2977 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
2978 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
2979 0x7f, 0x00, 0x00, 0x01
2981 uint8_t raw_tcp[] = {
2982 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
2983 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
2984 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
2985 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
2986 0x00, 0x22, 0xaa, 0x10
/* Payload bytes; presumably the initializer of buf, whose declaring line is
 * not shown. They start with the binary value 00 00 00 08, followed by the
 * ASCII text "booeek\r\nLEN1 8\r\nf0008r\r\nLEN2 99LEN2999...". */
2989 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
2990 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
2991 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
2992 0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
2993 0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
2994 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2995 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
2996 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
2997 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
/* sizeof yields size_t; the values are narrowed to uint16_t here. */
3000 uint16_t ethlen =
sizeof(raw_eth);
3001 uint16_t ipv4len =
sizeof(raw_ipv4);
3002 uint16_t tcplen =
sizeof(raw_tcp);
3003 uint16_t buflen =
sizeof(buf);
/* Packet length is the sum of the four pieces. */
3014 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3016 PacketSetEthernet(p1, raw_eth);
3017 PacketSetIPV4(p1, raw_ipv4);
3018 PacketSetTCP(p1, raw_tcp);
3023 p1->
proto = IPPROTO_TCP;
/* sid:1 -- one option line between the two byte_test options is not shown in
 * this listing. 0x4c454e312038 is the ASCII text "LEN1 8". */
3030 "(content:\"LEN1|20|\"; "
3031 "byte_test:4,=,8,0; "
3033 "byte_test:6,=,0x4c454e312038,0,relative; "
3034 "msg:\"byte_jump keyword check(1)\"; sid:1;)");
/* sid:2 -- string/decimal variant. In the listed payload the 4 bytes found
 * 4 bytes after the "LEN1 " match are "0008"; 0x4c454e32 is the ASCII text
 * "LEN2", which the last byte_test looks for after the jump. */
3037 "(content:\"LEN1|20|\"; "
3038 "byte_test:4,=,8,4,relative,string,dec; "
3039 "byte_jump:4,4,relative,string,dec,post_offset 2; "
3040 "byte_test:4,=,0x4c454e32,0,relative; "
3041 "msg:\"byte_jump keyword check(2)\"; sid:2;)");
/*
 * Test combining content with a relative isdataat on a captured frame.
 * Only part of the body appears in this listing; the assertion is not shown.
 */
3064 static int SigTest36ContentAndIsdataatKeywords01 (
void)
/* One complete Ethernet frame holding an "HTTP/1.1 302 Found" response.
 * As listed it is 474 bytes long (29 rows of 16 plus 10). The first ASCII
 * "HTTP" starts at byte 66, so 404 bytes follow that match. */
3067 uint8_t raw_eth [] = {
3068 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3069 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3070 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3071 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3072 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3073 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3074 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3075 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3076 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3077 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3078 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3079 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3080 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3081 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3082 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3083 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3084 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3085 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3086 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3087 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3088 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3089 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3090 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3091 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3092 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3093 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3094 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3095 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3096 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3097 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3107 memset(&th_v, 0,
sizeof(th_v));
/* isdataat:404 sits exactly on the number of bytes that follow the first
 * "HTTP" in the frame above, i.e. this is a boundary case. */
3117 "alert tcp any any -> any any (content:\"HTTP\"; isdataat:404, relative; sid:101;)");
/*
 * Companion of the content + relative isdataat test: the same captured frame,
 * but isdataat asks for more data than the frame holds. The failure message
 * below shows the signature is expected not to match. Only part of the body
 * appears in this listing.
 */
3140 static int SigTest37ContentAndIsdataatKeywords02 (
void)
/* One complete Ethernet frame holding an "HTTP/1.1 302 Found" response.
 * As listed it is 474 bytes long (29 rows of 16 plus 10). The first ASCII
 * "HTTP" starts at byte 66, so 404 bytes follow that match. */
3146 uint8_t raw_eth [] = {
3147 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3148 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3149 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3150 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3151 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3152 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3153 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3154 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3155 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3156 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3157 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3158 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3159 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3160 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3161 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3162 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3163 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3164 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3165 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3166 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3167 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3168 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3169 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3170 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3171 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3172 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3173 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3174 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3175 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3176 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3187 memset(&th_v, 0,
sizeof(th_v));
/* isdataat:500 is beyond the 404 bytes that follow the first "HTTP".
 * NOTE(review): the msg text says "...Keywords01" although this function is
 * ...Keywords02; it is a runtime string and is left as written. */
3200 Signature *s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3202 printf(
"sig parse failed: ");
3208 printf(
"type not content: ");
3219 printf(
"sig matched, but should not have: ");
/*
 * Runs Detect() on a TCP packet carrying an FTP banner against a single
 * header-only rule. Judging by the name and the rule msg this covers the
 * "no packet inspection" case; the lines that set packet flags and check the
 * result are not shown in this listing.
 */
3254 static int SigTest40NoPacketInspection01(
void)
3257 uint8_t *buf = (uint8_t *)
3258 "220 (vsFTPd 2.0.5)\r\n";
3259 uint16_t buflen = strlen((
char *)buf);
/* Start from zeroed thread, queue, flow and TCP header state. */
3270 memset(&th_v, 0,
sizeof(th_v));
3271 memset(&pq, 0,
sizeof(pq));
3272 memset(&f, 0,
sizeof(f));
3273 memset(&tcphdr, 0,
sizeof(tcphdr));
3281 p->
proto = IPPROTO_TCP;
/* The packet's TCP header is the zeroed tcphdr from above. */
3286 PacketSetTCP(p, (uint8_t *)&tcphdr);
/* The rule has no payload keywords: destination 1.2.3.4 plus
 * flow:to_server only. */
3298 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3308 Detect(&th_v, p, det_ctx);
/*
 * Builds a TCP packet carrying an FTP banner and a rule whose content equals
 * that banner text. Judging by the name and the rule msg this covers the
 * "no payload inspection" case; the lines that set packet flags and check
 * the result are not shown in this listing.
 */
3327 static int SigTest40NoPayloadInspection02(
void)
3330 uint8_t *buf = (uint8_t *)
3331 "220 (vsFTPd 2.0.5)\r\n";
3332 uint16_t buflen = strlen((
char *)buf);
3334 memset(&th_v, 0,
sizeof(th_v));
3343 p->
proto = IPPROTO_TCP;
/* The content string is the banner without its trailing CRLF. */
3352 "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
/*
 * Sets up one content + pcre signature over a two-request HTTP payload.
 * The name suggests a memory (setup/teardown) check; the build and cleanup
 * calls are not shown in this listing.
 */
3369 static int SigTestMemory01 (
void)
3371 uint8_t *buf = (uint8_t *)
3372 "GET /one/ HTTP/1.1\r\n"
3373 "Host: one.example.org\r\n"
3375 "GET /two/ HTTP/1.1\r\n"
3376 "Host: two.example.org\r\n"
3378 uint16_t buflen = strlen((
char *)buf);
3386 memset(&th_v, 0,
sizeof(th_v));
3391 p->
proto = IPPROTO_TCP;
/* The pcre has a named capture group, pkt_http_uri, around the request URI. */
3400 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/*
 * Sets up two signatures that differ in destination port (456 and the range
 * 1:1000) and chains them by hand through sig_list->next. The name suggests
 * a memory (setup/teardown) check; the build and cleanup calls are not shown
 * in this listing.
 */
3419 static int SigTestMemory02 (
void)
3424 memset(&th_v, 0,
sizeof(th_v));
/* sid:1 -- single destination port. */
3432 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/* sid:2 -- port range that contains 456. */
3437 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
/*
 * Sets up three chained signatures whose destination addresses overlap: a
 * single host, a range containing it, and a negated host inside that range.
 * The name suggests a memory (setup/teardown) check; the build and cleanup
 * calls are not shown in this listing.
 */
3453 static int SigTestMemory03 (
void)
3458 memset(&th_v, 0,
sizeof(th_v));
/* sid:1 -- single host 1.2.3.4, port 456. */
3466 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/* sid:2 -- address range 1.2.3.3-1.2.3.6, ports 1:1000. */
3471 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
/* sid:3 -- everything except 1.2.3.5, ports 1:990. */
3476 de_ctx->
sig_list->
next->
next =
SigInit(
de_ctx,
"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
/*
 * Content match where the pattern is the whole payload: both the buffer and
 * the rule's content are the same 32-character digit string. The failure
 * message shows sid 1 is expected to match. Only part of the body appears in
 * this listing.
 */
3492 static int SigTestContent01 (
void)
3494 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901";
3495 uint16_t buflen = strlen((
char *)buf);
3500 memset(&th_v, 0,
sizeof(th_v));
3511 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3524 printf(
"sig 1 didn't match: ");
/*
 * Content match on a 32-character digit payload. Only the first signature is
 * visible in this listing; the failure messages refer to a second signature
 * whose definition is not shown. Both are expected to match.
 */
3534 static int SigTestContent02 (
void)
3536 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901";
3537 uint16_t buflen = strlen((
char *)buf);
3542 memset(&th_v, 0,
sizeof(th_v));
3552 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3572 printf(
"sig 2 didn't match: ");
3575 printf(
"sig 1 didn't match: ");
/*
 * Two 32-byte content patterns chained with distance:0. In the payload the
 * second pattern starts immediately after the first. The failure message
 * shows sid 1 is expected to match. Only part of the body appears in this
 * listing.
 */
3585 static int SigTestContent03 (
void)
/* 32 digits, then a-z, then A-Z. */
3587 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3588 uint16_t buflen = strlen((
char *)buf);
3593 memset(&th_v, 0,
sizeof(th_v));
3604 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3617 printf(
"sig 1 didn't match: ");
/*
 * Two 32-byte content patterns chained with distance:0 and within:32. In the
 * payload the second pattern starts immediately after the first, so it fits
 * the 32-byte window exactly. The failure message shows sid 1 is expected to
 * match. Only part of the body appears in this listing.
 */
3627 static int SigTestContent04 (
void)
/* 32 digits, then a-z, then A-Z. */
3629 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3630 uint16_t buflen = strlen((
char *)buf);
3635 memset(&th_v, 0,
sizeof(th_v));
3647 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3660 printf(
"sig 1 didn't match: ");
/*
 * Negative distance/within test: the payload has three extra bytes ("PAD")
 * between the two 32-byte patterns, so the second pattern no longer fits a
 * 32-byte window after the first. The failure messages show that neither
 * signature is expected to match. Only part of the body appears in this
 * listing.
 */
3671 static int SigTestContent05 (
void)
/* 32 digits, "PAD", then a-z, then A-Z. */
3673 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3674 uint16_t buflen = strlen((
char *)buf);
3679 memset(&th_v, 0,
sizeof(th_v));
3685 printf(
"de_ctx == NULL: ");
/* sid:1 -- distance:0; within:32. */
3691 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3693 printf(
"sig1 parse failed: ");
/* sid:2 -- same patterns with distance:1; within:32. */
3696 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
3698 printf(
"sig2 parse failed: ");
3708 printf(
"sig 1 matched but shouldn't: ");
3713 printf(
"sig 2 matched but shouldn't: ");
3720 if (det_ctx != NULL) {
/*
 * Two "alert ip" signatures over the same payload: sid 1 chains two 32-byte
 * patterns with distance:0 and within:32, sid 2 pairs the first pattern with
 * the short pattern "abcdefg" and no positional modifiers. The failure
 * messages show both are expected to match. Only part of the body appears in
 * this listing.
 */
3730 static int SigTestContent06 (
void)
/* 32 digits, then a-z, then A-Z. */
3732 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3733 uint16_t buflen = strlen((
char *)buf);
3738 memset(&th_v, 0,
sizeof(th_v));
3749 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3754 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
3767 printf(
"sig 1 didn't match: ");
3774 printf(
"sig 2 didn't match: ");
/*
 * Test for the within keyword across several packets that carry the same
 * text. Only part of the body appears in this listing; the closing lines of
 * the arrays, the decoding steps and the assertions are not shown.
 */
3786 static int SigTestWithin01 (
void)
/* rawpkt1..rawpkt4 are raw Ethernet/IPv4/TCP frames whose payload is the
 * text "Hi, this is a big test to check content matches\n" followed by zero
 * bytes. The frames differ in header fields, e.g. the TCP source port runs
 * from 0x06cc to 0x06cf. */
3790 uint8_t rawpkt1[] = {
3791 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3792 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3793 0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
3794 0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3795 0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
3796 0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
3797 0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
3798 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3799 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3800 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3801 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3802 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3803 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3804 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3805 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3806 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3807 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3808 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3809 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3812 uint8_t rawpkt2[] = {
3813 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3814 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3815 0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
3816 0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3817 0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
3818 0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
3819 0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
3820 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3821 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3822 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3823 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3824 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3825 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3826 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3827 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3828 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3829 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3830 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3831 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3834 uint8_t rawpkt3[] = {
3835 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3836 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3837 0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
3838 0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3839 0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
3840 0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
3841 0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
3842 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3843 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3844 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3845 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3846 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3847 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3848 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3849 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3850 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3851 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3852 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3853 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3856 uint8_t rawpkt4[] = {
3857 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
3858 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
3859 0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
3860 0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
3861 0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
3862 0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
3863 0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
3864 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
3865 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
3866 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
3867 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
3868 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
3869 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
3870 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3871 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3872 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3873 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3874 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3875 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
3879 memset(&th_v, 0,
sizeof(th_v));
/* The second content, "content matches", is 15 bytes long and follows the
 * first one directly in the payload, so within:15 is the tightest window it
 * can fit in. */
3890 "alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test "
3891 "to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
/* Fifth payload: the same text as a plain string, without the trailing
 * newline and zero padding of the raw frames. */
3926 uint8_t *p5buf = (uint8_t *)
"Hi, this is a big test to check content matches";
3927 uint16_t p5buflen = strlen((
char *)p5buf);
/*
 * Test for a content match limited by offset and depth. With offset:4 and
 * depth:3 the pattern "456" occupies payload bytes 4..6 of the buffer below.
 * Only part of the body appears in this listing; the assertion is not shown.
 */
3946 static int SigTestDepthOffset01 (
void)
3948 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3949 uint16_t buflen = strlen((
char *)buf);
3955 memset(&th_v, 0,
sizeof(th_v));
3966 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
/*
 * Feeds three small TCP packets to a rule with content "boo". Judging by the
 * name it checks an alert counter; the counter reads and the assertions are
 * not shown in this listing.
 */
3987 static int SigTestDetectAlertCounter(
void)
3992 memset(&
tv, 0,
sizeof(
tv));
3999 "content:\"boo\"; sid:1;)");
/* Payload equals the pattern. */
4008 p =
UTHBuildPacket((uint8_t *)
"boo", strlen(
"boo"), IPPROTO_TCP);
/* Payload does not contain the pattern. */
4016 p =
UTHBuildPacket((uint8_t *)
"roo", strlen(
"roo"), IPPROTO_TCP);
/* Payload contains the pattern in the middle. */
4021 p =
UTHBuildPacket((uint8_t *)
"laboosa", strlen(
"laboosa"), IPPROTO_TCP);
/*
 * First of the drop-flow tests: an HTTP POST request on a TCP flow. Only
 * part of the body appears in this listing; the rule action, the detection
 * run and the assertions are not shown.
 */
4034 static int SigTestDropFlow01(
void)
4038 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4039 "User-Agent: Mozilla/1.0\r\n"
4040 "Cookie: hellocatch\r\n\r\n";
/* sizeof counts the terminating NUL of the literal; the -1 drops it. */
4041 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4050 memset(&f, 0,
sizeof(
Flow));
4057 f.
proto = IPPROTO_TCP;
4073 "(msg:\"Test proto match\"; "
/*
 * Drop-flow test with a uricontent rule matching "one" in the request URI.
 * The failure messages show that sig 1 must alert and that the flow must then
 * be flagged; the rule action and the checks themselves are not shown in this
 * listing.
 */
4108 static int SigTestDropFlow02(
void)
4113 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4114 "User-Agent: Mozilla/1.0\r\n"
4115 "Cookie: hellocatch\r\n\r\n";
/* sizeof counts the terminating NUL of the literal; the -1 drops it. */
4116 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4125 memset(&f, 0,
sizeof(
Flow));
4132 f.
proto = IPPROTO_TCP;
4150 "(msg:\"Test proto match\"; uricontent:\"one\";"
/* r is the result of feeding the request to the parser -- presumably; the
 * call is not shown. */
4162 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4167 if (http_state == NULL) {
4168 printf(
"no http state: ");
4176 printf(
"sig 1 didn't alert, but it should: ");
4181 printf(
"sig 1 alerted but flow was not flagged correctly: ");
4193 if (det_ctx != NULL)
/*
 * Drop-flow test with two requests on one flow. Per the failure messages:
 * sig 1 must alert on the first packet and flag the flow; the second packet
 * must then be marked no-inspection, neither signature may alert on it, and
 * the drop action must carry over from the flow to the packet. Only part of
 * the body appears in this listing.
 */
4209 static int SigTestDropFlow03(
void)
4214 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4215 "User-Agent: Mozilla/1.0\r\n"
4216 "Cookie: hellocatch\r\n\r\n";
/* sizeof counts the terminating NUL of the literal; the -1 drops it. */
4217 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4219 uint8_t http_buf2[] =
"POST /two HTTP/1.0\r\n"
4220 "User-Agent: Mozilla/1.0\r\n"
4221 "Cookie: hellocatch\r\n\r\n";
/* NOTE(review): the length of http_buf2 is taken from sizeof(http_buf1).
 * The two literals happen to have the same length, so the value is right
 * today, but it would go stale if either request were edited;
 * sizeof(http_buf2) looks like what was meant. */
4222 uint32_t http_buf2_len =
sizeof(http_buf1) - 1;
4236 memset(&f, 0,
sizeof(
Flow));
4244 f.
proto = IPPROTO_TCP;
/* Two rules, one per request URI. */
4268 "(msg:\"Test proto match\"; uricontent:\"one\";"
4277 "(msg:\"Test proto match\"; uricontent:\"two\";"
4289 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4294 if (http_state == NULL) {
4295 printf(
"no http state: ");
4303 printf(
"sig 1 didn't alert on p1, but it should: ");
4308 printf(
"sig 1 alerted but flow was not flagged correctly: ");
/* When the flow of p2 is reported as dropped, p2 is flagged so that it is
 * not inspected. */
4313 if (StreamTcpCheckFlowDrops(p2) == 1) {
4314 SCLogDebug(
"This flow/stream triggered a drop rule");
4315 DecodeSetNoPacketInspectionFlag(p2);
4324 printf(
"The packet was not flagged with no-inspection: ");
4331 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
4339 printf(
"sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4344 printf(
"sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4349 printf(
"A \"drop\" action should be set from the flow to the packet: ");
4358 if (det_ctx != NULL)
/*
 * Port-related negative test: the payload contains the rule's content "AAA",
 * yet the failure message shows sig 1 must not alert on p1. The rule header
 * (where the ports are given) and the packet setup are not shown in this
 * listing.
 */
4377 static int SigTestPorts01(
void)
4384 uint8_t payload[] =
"AAAAAAAAAAAAAAAAAA";
4397 "(content:\"AAA\"; sid:1;)");
4409 printf(
"sig 1 alerted on p1, but it should not: ");
4415 if (det_ctx != NULL)
/*
 * Regression test with two nocase content rules against the payload "!mymy".
 * sid:1 looks for "Omymy", which differs from the payload in its first
 * character; sid:2 looks for "!mymy", where the '!' is inside the quotes and
 * so presumably a literal byte rather than a negation. The assertions are not
 * shown in this listing.
 */
4426 static int SigTestBug01(
void)
4430 uint8_t payload[] =
"!mymy";
4439 "(content:\"Omymy\"; nocase; sid:1;)");
4442 "(content:\"!mymy\"; nocase; sid:2;)");
/*
 * YAML configuration text for an address-parsing test; only some of its
 * lines appear in this listing. HOME_NET is 10.10.10.0/24 with the single
 * host 10.10.10.247 negated, written without a prefix length.
 */
4456 static const char *dummy_conf_string2 =
4461 " address-groups:\n"
4463 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4465 " EXTERNAL_NET: \"any\"\n"
4469 " HTTP_PORTS: \"80:81,88\"\n"
4472 static int DetectAddressYamlParsing01 (
void)
/*
 * YAML configuration text for an address-parsing test; only some of its
 * lines appear in this listing. HOME_NET is 10.10.10.0/24 with the host
 * 10.10.10.247 negated, this time written with an explicit /32.
 */
4503 static const char *dummy_conf_string3 =
4508 " address-groups:\n"
4510 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4512 " EXTERNAL_NET: \"any\"\n"
4516 " HTTP_PORTS: \"80:81,88\"\n"
4519 static int DetectAddressYamlParsing02 (
void)
/*
 * YAML configuration text for an address-parsing test; only some of its
 * lines appear in this listing, and those match dummy_conf_string3 (HOME_NET
 * 10.10.10.0/24 with 10.10.10.247/32 negated). Any difference must be in
 * lines not shown here.
 */
4550 static const char *dummy_conf_string4 =
4555 " address-groups:\n"
4557 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4559 " EXTERNAL_NET: \"any\"\n"
4563 " HTTP_PORTS: \"80:81,88\"\n"
4566 static int DetectAddressYamlParsing03 (
void)
/*
 * YAML configuration text for an address-parsing test; only some of its
 * lines appear in this listing. HOME_NET is 10.196.0.0/24 with the single
 * host 10.196.0.15 negated, written without a prefix length.
 */
4584 static const char *dummy_conf_string5 =
4589 " address-groups:\n"
4591 " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
4593 " EXTERNAL_NET: \"any\"\n"
4597 " HTTP_PORTS: \"80:81,88\"\n"
4601 static int DetectAddressYamlParsing04 (
void)
4628 UtRegisterTest(
"SigTest05 -- distance/within mismatch", SigTest05);
4629 UtRegisterTest(
"SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
4632 UtRegisterTest(
"SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
4635 UtRegisterTest(
"SigTest10 -- long content match, longer than pkt",
4638 UtRegisterTest(
"SigTest12 -- content order matching, normal", SigTest12);
4639 UtRegisterTest(
"SigTest13 -- content order matching, diff order",
4641 UtRegisterTest(
"SigTest14 -- content order matching, distance 0",
4643 UtRegisterTest(
"SigTest15 -- port negation sig (no match)", SigTest15);
4644 UtRegisterTest(
"SigTest16 -- port negation sig (match)", SigTest16);
4645 UtRegisterTest(
"SigTest17 -- HTTP Host Pkt var capture", SigTest17);
4655 SigTest25NegativeIPV4Keyword);
4659 SigTest26TCPV4AndNegativeIPV4Keyword);
4661 SigTest26TCPV4AndIPV4Keyword);
4663 SigTest27NegativeTCPV4Keyword);
4667 SigTest29NegativeTCPV6Keyword);
4671 SigTest31NegativeUDPV4Keyword);
4675 SigTest33NegativeUDPV6Keyword);
4677 UtRegisterTest(
"SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
4679 SigTest35NegativeICMPV4Keyword);
4681 SigTest36ContentAndIsdataatKeywords01);
4683 SigTest37ContentAndIsdataatKeywords02);
4690 SigTest40NoPacketInspection01);
4692 SigTest40NoPayloadInspection02);
4698 UtRegisterTest(
"SigTestContent01 -- 32 byte pattern", SigTestContent01);
4699 UtRegisterTest(
"SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
4700 UtRegisterTest(
"SigTestContent03 -- 32 byte pattern, x2 + distance",
4702 UtRegisterTest(
"SigTestContent04 -- 32 byte pattern, x2 + distance/within",
4704 UtRegisterTest(
"SigTestContent05 -- distance/within", SigTestContent05);
4711 UtRegisterTest(
"SigTestDetectAlertCounter", SigTestDetectAlertCounter);
4717 UtRegisterTest(
"DetectAddressYamlParsing01", DetectAddressYamlParsing01);
4718 UtRegisterTest(
"DetectAddressYamlParsing02", DetectAddressYamlParsing02);
4719 UtRegisterTest(
"DetectAddressYamlParsing03", DetectAddressYamlParsing03);
4720 UtRegisterTest(
"DetectAddressYamlParsing04", DetectAddressYamlParsing04);