20 #include "../app-layer-htp.h"
21 #include "../conf-yaml-loader.h"
22 #include "../detect-parse.h"
23 #include "../detect-engine-content-inspection.h"
24 #include "../detect-engine-build.h"
25 #include "../pkt-var.h"
26 #include "../flow-util.h"
27 #include "../stream-tcp-reassemble.h"
28 #include "../util-unittest.h"
29 #include "../util-var-name.h"
30 #include "../util-unittest-helper.h"
/* YAML configuration text embedded for the unit tests. The visible fragments
 * set logging defaults and define address and port groups (HOME_NET,
 * EXTERNAL_NET, HTTP_PORTS, ...). The same group names appear as $HOME_NET
 * and $HTTP_PORTS in rules in this file; whether those tests load this string
 * is not visible here.
 * NOTE(review): several lines of the literal are missing from this listing,
 * so the YAML nesting of these keys cannot be confirmed from it. */
32 static const char *dummy_conf_string =
36 "default-log-dir: /var/log/suricata\n"
40 " default-log-level: debug\n"
42 " default-format: \"<%t> - <%l>\"\n"
44 " default-startup-message: Your IDS has started.\n"
46 " default-output-filter:\n"
50 " - interface: console\n"
53 " - interface: file\n"
54 " filename: /var/log/suricata.log\n"
56 " - interface: syslog\n"
/* The HOME_NET value is split over two adjacent string literals, which the
 * compiler concatenates; it mixes IPv4 and IPv6 ranges in one list. */
70 " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
71 "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
/* The remaining groups are written as negations of 192.168.0.0/16, i.e.
 * "everything except the internal range". */
73 " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
75 " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
77 " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
79 " SQL_SERVERS: \"!192.168.0.0/16\"\n"
83 " TELNET_SERVERS: any\n"
89 " HTTP_PORTS: \"80:81,88\"\n"
91 " SHELLCODE_PORTS: 80\n"
93 " ORACLE_PORTS: 1521\n"
/* Unit test for a pcre named capture. The buffer holds two HTTP/1.1 requests
 * and sid:1 uses the named group pkt_http_uri to capture the request URI.
 * The visible check expects two captures in p->http_uri: "/one/" and "/two/".
 * NOTE(review): packet setup, the detection run and cleanup are not visible
 * in this listing. */
98 static int SigTest01 (
void)
100 uint8_t *buf = (uint8_t *)
101 "GET /one/ HTTP/1.1\r\n"
102 "Host: one.example.org\r\n"
104 "GET /two/ HTTP/1.1\r\n"
105 "Host: two.example.org\r\n"
/* strlen() returns size_t; the narrowing to uint16_t loses nothing for the
 * visible request text, which is far shorter than 65535 bytes. */
107 uint16_t buflen = strlen((
char *)buf);
111 char sig[] =
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
/* Each raw_size is compared before the matching memcmp(), so the &&
 * short-circuit keeps memcmp() from reading 5 bytes out of a capture that
 * has a different length. */
120 if (p->http_uri.raw_size[0] == 5 &&
121 memcmp(p->http_uri.raw[0],
"/one/", 5) == 0 &&
122 p->http_uri.raw_size[1] == 5 &&
123 memcmp(p->http_uri.raw[1],
"/two/", 5) == 0)
/* Unit test for content with offset and depth. The first request line in the
 * buffer, "GET /one/ HTTP/1.1\r\n", is 20 bytes long, so the Host header that
 * the rule looks for starts at offset 20, the value given to offset:.
 * NOTE(review): how sig is evaluated and the expected result are not visible
 * in this listing. */
136 static int SigTest02 (
void)
138 uint8_t *buf = (uint8_t *)
139 "GET /one/ HTTP/1.1\r\n"
140 "Host: one.example.org\r\n"
142 "GET /two/ HTTP/1.1\r\n"
143 "Host: two.example.org\r\n"
145 uint16_t buflen = strlen((
char *)buf);
147 char sig[] =
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
/* Unit test for content with offset:20 and depth:39 on the two-request HTTP
 * buffer. The rule text equals the one in SigTest02 except for the smaller
 * depth value (39 instead of 41).
 * NOTE(review): the expected match result is not visible in this listing. */
153 static int SigTest03 (
void)
155 uint8_t *buf = (uint8_t *)
156 "GET /one/ HTTP/1.1\r\n"
157 "Host: one.example.org\r\n"
159 "GET /two/ HTTP/1.1\r\n"
160 "Host: two.example.org\r\n"
162 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v before it is used. */
168 memset(&th_v, 0,
sizeof(th_v));
/* The parsed rule becomes the engine's signature list. */
179 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
/* Unit test for two chained contents. The first "Host:" is anchored with
 * offset:20; depth:25; the second "Host:" is placed relative to the first
 * match with distance:42; within:47. The buffer holds two requests, each with
 * its own Host header.
 * NOTE(review): the expected match result is not visible in this listing. */
202 static int SigTest04 (
void)
204 uint8_t *buf = (uint8_t *)
205 "GET /one/ HTTP/1.1\r\n"
206 "Host: one.example.org\r\n"
208 "GET /two/ HTTP/1.1\r\n"
209 "Host: two.example.org\r\n"
211 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v before it is used. */
218 memset(&th_v, 0,
sizeof(th_v));
229 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
/* Negative counterpart of SigTest04: same buffer and same two "Host:"
 * contents, but the second one uses distance:48; within:52. The failure
 * message "sig matched but shouldn't have" shows that this rule is expected
 * not to match the buffer. */
252 static int SigTest05 (
void)
254 uint8_t *buf = (uint8_t *)
255 "GET /one/ HTTP/1.1\r\n"
256 "Host: one.example.org\r\n"
258 "GET /two/ HTTP/1.1\r\n"
259 "Host: two.example.org\r\n"
261 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v before it is used. */
267 memset(&th_v, 0,
sizeof(th_v));
278 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
/* Reported when the rule text cannot be parsed. */
280 printf(
"sig parse failed: ");
/* Reported when the rule alerts although the test expects no alert. */
291 printf(
"sig matched but shouldn't have: ");
/* Unit test for the pkt_http_uri pcre capture rule, this time with a flow
 * (f) and a session (ssn) in addition to th_v. The rule is added with
 * DetectEngineAppendSig() and its result is kept in s.
 * NOTE(review): how f and ssn are attached to the packet, and the expected
 * result, are not visible in this listing. */
304 static int SigTest06 (
void)
306 uint8_t *buf = (uint8_t *)
307 "GET /one/ HTTP/1.1\r\n"
308 "Host: one.example.org\r\n"
310 "GET /two/ HTTP/1.1\r\n"
311 "Host: two.example.org\r\n"
313 uint16_t buflen = strlen((
char *)buf);
/* All three state objects are zeroed before any field is set. */
322 memset(&th_v, 0,
sizeof(th_v));
323 memset(&f, 0,
sizeof(f));
324 memset(&ssn, 0,
sizeof(ssn));
332 f.
proto = IPPROTO_TCP;
345 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/* Unit test for the pkt_http_uri pcre capture rule on a TCP flow, with the
 * rule installed through SigInit(). A return code r is checked against 0
 * after the first toserver chunk, as the visible failure message shows.
 * NOTE(review): the call that produces r and the final expectation are not
 * visible in this listing. */
371 static int SigTest07 (
void)
373 uint8_t *buf = (uint8_t *)
374 "GET /one/ HTTP/1.1\r\n"
375 "Host: one.example.org\r\n"
377 "GET /two/ HTTP/1.1\r\n"
378 "Host: two.example.org\r\n"
380 uint16_t buflen = strlen((
char *)buf);
/* All three state objects are zeroed before any field is set. */
389 memset(&th_v, 0,
sizeof(th_v));
390 memset(&f, 0,
sizeof(f));
391 memset(&ssn, 0,
sizeof(ssn));
398 f.
proto = IPPROTO_TCP;
414 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/* PRId32 keeps the format specifier matched to a 32-bit r. */
430 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* Unit test for the URI capture rule against HTTP/1.0 requests. Unlike the
 * rule in SigTest07, the pcre here requires the literal version "HTTP/1.0"
 * instead of any digit pair.
 * NOTE(review): the last failure message reports on sid:1 and sid:2, but only
 * the rule with sid:1 is visible in this listing. */
457 static int SigTest08 (
void)
459 uint8_t *buf = (uint8_t *)
460 "GET /one/ HTTP/1.0\r\n"
461 "Host: one.example.org\r\n"
463 "GET /two/ HTTP/1.0\r\n"
464 "Host: two.example.org\r\n"
466 uint16_t buflen = strlen((
char *)buf);
/* f is sized with its type name, th_v and ssn with the variable; all three
 * are zeroed before any field is set. */
475 memset(&f, 0,
sizeof(
Flow));
476 memset(&th_v, 0,
sizeof(th_v));
477 memset(&ssn, 0,
sizeof(ssn));
484 f.
proto = IPPROTO_TCP;
500 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
516 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
525 printf(
"sid:1 %s, sid:2 %s: ",
/* Unit test that reuses the HTTP/1.0 buffer and the "HTTP/1.0"-specific URI
 * capture rule seen in SigTest08, on a TCP flow. A return code r is checked
 * against 0 after the first toserver chunk.
 * NOTE(review): what distinguishes this test from SigTest08 is not visible
 * in this listing. */
545 static int SigTest09 (
void)
547 uint8_t *buf = (uint8_t *)
548 "GET /one/ HTTP/1.0\r\n"
549 "Host: one.example.org\r\n"
551 "GET /two/ HTTP/1.0\r\n"
552 "Host: two.example.org\r\n"
554 uint16_t buflen = strlen((
char *)buf);
/* All three state objects are zeroed before any field is set. */
563 memset(&th_v, 0,
sizeof(th_v));
564 memset(&f, 0,
sizeof(f));
565 memset(&ssn, 0,
sizeof(ssn));
572 f.
proto = IPPROTO_TCP;
588 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
604 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* Unit test named "Long content test (1)" in its rule: content "ABCD" limited
 * to the first 4 bytes (depth:4) on a TCP flow.
 * NOTE(review): the buffer literal assigned to buf is not visible in this
 * listing, so neither its length nor the expected result can be stated. */
630 static int SigTest10 (
void)
632 uint8_t *buf = (uint8_t *)
/* buflen is 16 bits wide; this only holds the true length when the literal
 * is shorter than 65536 bytes -- TODO confirm against the missing literal. */
634 uint16_t buflen = strlen((
char *)buf);
643 memset(&th_v, 0,
sizeof(th_v));
644 memset(&f, 0,
sizeof(f));
645 memset(&ssn, 0,
sizeof(ssn));
651 f.
proto = IPPROTO_TCP;
668 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
684 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
/* Unit test with three contents ("ABCDEFGHIJ", "klmnop", "1234") and no
 * positional modifiers, on a TCP flow. All three strings occur in the buffer,
 * in the same order as in the rule.
 * NOTE(review): the expected result is not visible in this listing. */
710 static int SigTest11 (
void)
712 uint8_t *buf = (uint8_t *)
713 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
714 uint16_t buflen = strlen((
char *)buf);
/* All three state objects are zeroed before any field is set. */
722 memset(&th_v, 0,
sizeof(th_v));
723 memset(&f, 0,
sizeof(f));
724 memset(&ssn, 0,
sizeof(ssn));
730 f.
proto = IPPROTO_TCP;
746 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
/* "Content order test": the three contents are listed in the order in which
 * they occur in the buffer ("ABCDEFGHIJ", then "klmnop", then "1234").
 * NOTE(review): the expected result is not visible in this listing. */
774 static int SigTest12 (
void)
776 uint8_t *buf = (uint8_t *)
777 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
778 uint16_t buflen = strlen((
char *)buf);
784 memset(&th_v, 0,
sizeof(th_v));
/* f is zeroed using the size of its type. */
786 memset(&f, 0,
sizeof(
Flow));
801 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
/* "Content order test" with the contents listed out of buffer order: the
 * rule names "1234" before "klmnop", while in the buffer "klmnop" comes
 * first. No content carries a relative modifier (distance/within).
 * NOTE(review): the expected result is not visible in this listing. */
829 static int SigTest13 (
void)
831 uint8_t *buf = (uint8_t *)
832 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
833 uint16_t buflen = strlen((
char *)buf);
839 memset(&th_v, 0,
sizeof(th_v));
/* f is zeroed using the size of its type. */
841 memset(&f, 0,
sizeof(
Flow));
856 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
/* Variant of SigTest13: the same out-of-order contents, but "klmnop" now
 * carries distance:0, which ties it to the preceding "1234" match. In the
 * buffer "klmnop" occurs before "1234".
 * NOTE(review): the expected result is not visible in this listing. */
881 static int SigTest14 (
void)
883 uint8_t *buf = (uint8_t *)
884 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
885 uint16_t buflen = strlen((
char *)buf);
/* Zero th_v before it is used. */
891 memset(&th_v, 0,
sizeof(th_v));
902 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
/* Unit test for a policy rule that flags HTTP CONNECT requests sent to a
 * destination port outside $HTTP_PORTS. The buffer is a single CONNECT
 * request line; the rule matches "CONNECT " case-insensitively in the first
 * 8 bytes, followed by " HTTP/1." within 1000 bytes.
 * NOTE(review): the packet's ports and the expected result are not visible
 * in this listing. */
926 static int SigTest15 (
void)
928 uint8_t *buf = (uint8_t *)
929 "CONNECT 213.92.8.7:31204 HTTP/1.1";
930 uint16_t buflen = strlen((
char *)buf);
938 memset(&th_v, 0,
sizeof(th_v));
/* p is accessed through a pointer in this test. */
943 p->
proto = IPPROTO_TCP;
957 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
/* Unit test that reuses the CONNECT buffer and the off-port CONNECT policy
 * rule (sid:2008284) from SigTest15.
 * NOTE(review): the packet's ports and the expected result are not visible
 * in this listing, so the difference from SigTest15 cannot be stated. */
983 static int SigTest16 (
void)
985 uint8_t *buf = (uint8_t *)
986 "CONNECT 213.92.8.7:31204 HTTP/1.1";
987 uint16_t buflen = strlen((
char *)buf);
/* Both th_v and p are zeroed here, unlike SigTest15 where only th_v is. */
993 memset(&th_v, 0,
sizeof(th_v));
994 memset(&p, 0,
sizeof(p));
1009 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
/* Unit test for capturing the Host header: the rule is limited to
 * destination ports in $HTTP_PORTS, uses the pcre named group pkt_http_host
 * with the /m modifier, and is marked noalert, so it is meant to capture
 * without raising an alert.
 * NOTE(review): the check on the captured value is not visible in this
 * listing. */
1033 static int SigTest17 (
void)
1035 uint8_t *buf = (uint8_t *)
1036 "GET /one/ HTTP/1.1\r\n"
1037 "Host: one.example.org\r\n"
1039 "GET /two/ HTTP/1.1\r\n"
1040 "Host: two.example.org\r\n"
1042 uint16_t buflen = strlen((
char *)buf);
1046 memset(&th_v, 0,
sizeof(th_v));
1059 Signature *s =
DetectEngineAppendSig(
de_ctx,
"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
/* Negative test for a source-port restriction. The buffer is an FTP-style
 * "220" banner and the rule only applies to source ports outside 21:902.
 * The failure message "signature shouldn't match, but did" shows that no
 * alert is expected.
 * NOTE(review): the packet's source port is set outside the visible lines. */
1081 static int SigTest18 (
void)
1083 uint8_t *buf = (uint8_t *)
1084 "220 (vsFTPd 2.0.5)\r\n";
1085 uint16_t buflen = strlen((
char *)buf);
1093 memset(&th_v, 0,
sizeof(th_v));
1098 p->
proto = IPPROTO_TCP;
1109 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
/* Reported when the rule alerts although the test expects no alert. */
1122 printf(
"signature shouldn't match, but did: ");
/* Positive test on the FTP-style "220" banner buffer: the failure message
 * "signature didn't match, but should have" shows that an alert is expected.
 * NOTE(review): the rule under test is not visible in this listing. */
1133 static int SigTest19 (
void)
1135 uint8_t *buf = (uint8_t *)
1136 "220 (vsFTPd 2.0.5)\r\n";
1137 uint16_t buflen = strlen((
char *)buf);
1145 memset(&th_v, 0,
sizeof(th_v));
1152 p->
proto = IPPROTO_TCP;
/* Reported when the expected alert is missing. */
1181 printf(
"signature didn't match, but should have: ");
/* Positive test for an address-only rule ("IP-ONLY test (2)"): source must be
 * in $HOME_NET and the destination in a list mixing single hosts and CIDR
 * ranges. The rule has no content, so the banner buffer is not inspected by
 * it. The failure message shows that an alert is expected.
 * NOTE(review): the packet addresses are set outside the visible lines. */
1193 static int SigTest20 (
void)
1195 uint8_t *buf = (uint8_t *)
1196 "220 (vsFTPd 2.0.5)\r\n";
1197 uint16_t buflen = strlen((
char *)buf);
1205 memset(&th_v, 0,
sizeof(th_v));
1212 p->
proto = IPPROTO_TCP;
1228 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
/* Reported when the expected alert is missing. */
1241 printf(
"signature didn't match, but should have: ");
/* Unit test for flowbits across two payloads of one flow. sid 1 matches
 * "/one/" in the first request, sets the flowbit TEST.one and is marked
 * flowbits:noalert. The failure messages show that sid 1 must stay silent
 * and that sid 2 must alert.
 * NOTE(review): the rule with sid 2 is not visible in this listing;
 * presumably it tests TEST.one on the second request -- confirm. */
1254 static int SigTest21 (
void)
1257 memset(&th_v, 0,
sizeof(th_v));
1262 memset(&f, 0,
sizeof(f));
1266 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1268 uint16_t buf1len = strlen((
char *)buf1);
1271 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1273 uint16_t buf2len = strlen((
char *)buf2);
1290 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1306 printf(
"sid 1 alerted, but shouldn't: ");
1311 printf(
"sid 2 didn't alert, but should have: ");
/* The statements guarded by this check are not visible in this listing. */
1321 if (det_ctx != NULL) {
/* Negative flowbits test. sid 1 is the same set-and-noalert rule as in
 * SigTest21, but the failure messages show that neither sid 1 nor sid 2 is
 * expected to alert here.
 * NOTE(review): the rule with sid 2 is not visible in this listing. */
1332 static int SigTest22 (
void)
1335 memset(&th_v, 0,
sizeof(th_v));
1340 memset(&f, 0,
sizeof(f));
1344 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1346 uint16_t buf1len = strlen((
char *)buf1);
1354 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1356 uint16_t buf2len = strlen((
char *)buf2);
1370 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1386 printf(
"sid 1 alerted, but shouldn't: ");
1393 printf(
"sid 2 alerted, but shouldn't: ");
/* Flowbits test using the toggle action: sid 1 matches "/one/", toggles
 * TEST.one and is marked flowbits:noalert. The failure messages show that
 * sid 1 must stay silent and that sid 2 must alert.
 * NOTE(review): the rule with sid 2 is not visible in this listing. */
1407 static int SigTest23 (
void)
1410 memset(&th_v, 0,
sizeof(th_v));
1415 memset(&f, 0,
sizeof(f));
1419 uint8_t *buf1 = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1421 uint16_t buf1len = strlen((
char *)buf1);
1429 uint8_t *buf2 = (uint8_t *)
"GET /two/ HTTP/1.0\r\n"
1431 uint16_t buf2len = strlen((
char *)buf2);
1445 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1461 printf(
"sid 1 alerted, but shouldn't: ");
1468 printf(
"sid 2 didn't alert, but should have: ");
/* Exercises the ipv4-csum keyword with two 20-byte IPv4 headers.
 * Both arrays store the same header checksum (0xb7, 0x52 at offsets 10-11),
 * which is the correct one's-complement sum for valid_raw_ipv4.
 * invalid_raw_ipv4 changes the last address byte (0x06 instead of 0x03), so
 * its stored checksum no longer fits the header.
 * The failure messages show that both rules (ipv4-csum:valid and
 * ipv4-csum:invalid) are expected to match.
 * NOTE(review): which packet each rule is checked against is not visible in
 * this listing. */
1482 static int SigTest24IPV4Keyword(
void)
1484 uint8_t valid_raw_ipv4[] = {
1485 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1486 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1487 0xc0, 0xa8, 0x01, 0x03};
1489 uint8_t invalid_raw_ipv4[] = {
1490 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1491 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1492 0xc0, 0xa8, 0x01, 0x06};
1506 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1508 uint16_t buflen = strlen((
char *)buf);
1520 p1->
proto = IPPROTO_TCP;
1528 p2->
proto = IPPROTO_TCP;
/* First rule: payload content plus a valid IPv4 header checksum. */
1538 "alert ip any any -> any any "
1539 "(content:\"/one/\"; ipv4-csum:valid; "
1540 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1542 printf(
"sig 1 parse: ");
/* Second rule: same content, but requires an invalid header checksum. */
1547 "alert ip any any -> any any "
1548 "(content:\"/one/\"; ipv4-csum:invalid; "
1549 "msg:\"ipv4-csum keyword check(1)\"; "
1552 printf(
"sig 2 parse: ");
1561 printf(
"signature 1 didn't match, but should have: ");
1567 printf(
"signature 2 didn't match, but should have: ");
1573 if (det_ctx != NULL) {
/* Negative counterpart of SigTest24IPV4Keyword. The two IPv4 header arrays
 * are the same as there (identical stored checksum 0xb7, 0x52; last byte
 * 0x03 vs 0x06), but the rule order is swapped: the first rule requires
 * ipv4-csum:invalid and the second ipv4-csum:valid.
 * NOTE(review): the match expectations are not visible in this listing;
 * going by the test name, the rules are presumably expected not to match. */
1584 static int SigTest25NegativeIPV4Keyword(
void)
1586 uint8_t valid_raw_ipv4[] = {
1587 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1588 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1589 0xc0, 0xa8, 0x01, 0x03};
1591 uint8_t invalid_raw_ipv4[] = {
1592 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1593 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1594 0xc0, 0xa8, 0x01, 0x06};
1608 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
1610 uint16_t buflen = strlen((
char *)buf);
1622 p1->
proto = IPPROTO_TCP;
1630 p2->
proto = IPPROTO_TCP;
1640 "alert ip any any -> any any "
1641 "(content:\"/one/\"; ipv4-csum:invalid; "
1642 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1649 "alert ip any any -> any any "
1650 "(content:\"/one/\"; ipv4-csum:valid; "
1651 "msg:\"ipv4-csum keyword check(1)\"; "
/* Exercises the tcpv4-csum keyword. raw_ipv4 is a 20-byte IPv4 header that is
 * zero except for the two addresses in its last 8 bytes. The two 40-byte TCP
 * arrays differ in the checksum field (offsets 16-17: 0x4A, 0x04 vs
 * 0xfa, 0x03) and in the final byte (0x02 vs 0x03). Both rules look for the
 * bytes DE 01 03, which occur near the end of each array.
 * NOTE(review): how the arrays are attached to p1/p2 and the expected
 * results are not visible in this listing. */
1683 static int SigTest26TCPV4Keyword(
void)
1685 uint8_t raw_ipv4[] = {
1686 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1687 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1688 0xc0, 0xa8, 0x01, 0x03};
1690 uint8_t valid_raw_tcp[] = {
1691 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1692 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1693 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1694 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1695 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1697 uint8_t invalid_raw_tcp[] = {
1698 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1699 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1700 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1701 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1702 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1732 p1->
proto = IPPROTO_TCP;
1741 p2->
proto = IPPROTO_TCP;
/* Only the first rule also pins the payload size with dsize:20. */
1749 "alert ip any any -> any any "
1750 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1751 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1755 "alert ip any any -> any any "
1756 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1757 "msg:\"tcpv4-csum keyword check(1)\"; "
/* Combines tcpv4-csum with ipv4-csum:invalid in both rules. The header and
 * TCP arrays are the ones used in SigTest26TCPV4Keyword: raw_ipv4 has all
 * fields except the addresses zeroed (including the checksum field), and the
 * TCP arrays differ in the checksum bytes and the final byte.
 * The failure messages show that both rules are expected to match.
 * NOTE(review): how the arrays are attached to p1/p2 is not visible in this
 * listing. */
1780 static int SigTest26TCPV4AndNegativeIPV4Keyword(
void)
1782 uint8_t raw_ipv4[] = {
1783 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1784 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1785 0xc0, 0xa8, 0x01, 0x03};
1787 uint8_t valid_raw_tcp[] = {
1788 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1789 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1790 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1791 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1792 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1794 uint8_t invalid_raw_tcp[] = {
1795 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1796 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1797 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1798 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1799 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1830 p1->
proto = IPPROTO_TCP;
1839 p2->
proto = IPPROTO_TCP;
/* First rule: valid TCP checksum together with an invalid IPv4 checksum. */
1849 "alert ip any any -> any any "
1850 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1851 "ipv4-csum:invalid; "
1852 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
/* Second rule: both checksums are required to be invalid. */
1858 "alert ip any any -> any any "
1859 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1860 "ipv4-csum:invalid; "
1861 "msg:\"tcpv4-csum keyword check(1)\"; "
1872 printf(
"sig 1 didn't match: ");
1878 printf(
"sig 2 didn't match: ");
/* Checksum test on a fully populated IPv4 header (version/IHL 0x45,
 * protocol 0x06) and two 44-byte TCP arrays. The arrays store the same
 * checksum (0x20, 0x09 at offsets 16-17) and differ only at offsets 36-37
 * (0x00, 0x00 vs 0xFF, 0xAA), so the altered array no longer fits its stored
 * checksum. The failure messages show that both rules are expected to match.
 * NOTE(review): one line inside each rule is not visible in this listing;
 * the rule messages suggest an ipv4-csum option there -- confirm. */
1894 static int SigTest26TCPV4AndIPV4Keyword(
void)
1899 uint8_t raw_ipv4[] = {
1900 0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1901 0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1902 0xc0, 0xa8, 0xb0, 0x74};
1909 uint8_t valid_raw_tcp[] = {
1910 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1911 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1912 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1913 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1914 0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1915 0x04, 0x02, 0x00, 0x00};
1917 uint8_t invalid_raw_tcp[] = {
1918 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1919 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1920 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1921 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1922 0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1923 0x04, 0x02, 0x00, 0x00};
1954 p1->
proto = IPPROTO_TCP;
1963 p2->
proto = IPPROTO_TCP;
/* Neither rule has a content option; only checksum state is tested. */
1973 "alert ip any any -> any any "
1974 "(tcpv4-csum:valid; "
1976 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1982 "alert ip any any -> any any "
1983 "(tcpv4-csum:invalid; "
1985 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1996 printf(
"sig 1 didn't match: ");
2002 printf(
"sig 2 didn't match: ");
/* Negative tcpv4-csum test. The first rule requires an invalid TCP checksum
 * and, per the failure message, is expected to match p1; the second rule
 * requires a valid checksum and is expected not to match p2.
 * NOTE(review): in this test both TCP arrays store the same checksum bytes
 * (0xfa, 0x03) and differ only in the final byte (0x02 vs 0x03), whereas
 * valid_raw_tcp in SigTest26TCPV4Keyword stores 0x4A, 0x04. Confirm that the
 * name valid_raw_tcp still describes the array here.
 * NOTE(review): how the arrays are attached to p1/p2 is not visible in this
 * listing. */
2017 static int SigTest27NegativeTCPV4Keyword(
void)
2019 uint8_t raw_ipv4[] = {
2020 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2021 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2022 0xc0, 0xa8, 0x01, 0x03};
2024 uint8_t valid_raw_tcp[] = {
2025 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2026 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2027 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2028 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2029 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
2031 uint8_t invalid_raw_tcp[] = {
2032 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2033 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2034 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2035 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2036 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2065 p1->
proto = IPPROTO_TCP;
2074 p2->
proto = IPPROTO_TCP;
2084 "alert tcp any any -> any any "
2085 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2086 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2092 "alert tcp any any -> any any "
2093 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2094 "msg:\"tcpv4-csum keyword check(2)\"; "
2105 printf(
"sig 1 didn't match on p1: ");
2111 printf(
"sig 2 matched on p2: ");
/* Exercises the tcpv6-csum keyword on two captured frames. Layout of each
 * static array as visible here: 14-byte Ethernet header ending in the 0x86dd
 * ethertype, 40-byte IPv6 header (payload length 0x0020, next header 0x06),
 * 20-byte TCP header, 12-byte payload. That is why tcph points at
 * array + 54, payload at array + 54 + 20, and both rules use dsize:12.
 * invalid_raw_ipv6 differs from the valid frame in one TCP checksum byte
 * (0xc2 vs 0xf2) and in the last payload byte (0x28 vs 0x27).
 * The failure messages show that sid 1 is expected to match p1 and sid 2 to
 * match p2. */
2126 static int SigTest28TCPV6Keyword(
void)
2128 static uint8_t valid_raw_ipv6[] = {
2129 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2130 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2132 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2133 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2134 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2135 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2136 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2138 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2139 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2140 0xf2, 0xf1, 0x00, 0x00,
2142 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2143 0x00, 0x01, 0x69, 0x27};
2145 static uint8_t invalid_raw_ipv6[] = {
2146 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2147 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2149 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2150 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2151 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2152 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2153 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2155 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2156 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2157 0xc2, 0xf1, 0x00, 0x00,
2159 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2160 0x00, 0x01, 0x69, 0x28};
/* 54 = 14 (Ethernet) + 40 (IPv6); the TCP header is cast in place from the
 * byte array, and the payload starts 20 bytes after it. */
2178 p1->
tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2181 p1->
payload = valid_raw_ipv6 + 54 + 20;
2183 p1->
proto = IPPROTO_TCP;
2191 p2->
tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2194 p2->
payload = invalid_raw_ipv6 + 54 + 20;
2196 p2->
proto = IPPROTO_TCP;
/* The content bytes 00 01 69 occur in the last payload row of both frames. */
2210 "alert tcp any any -> any any "
2211 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2212 "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2218 "alert tcp any any -> any any "
2219 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2220 "msg:\"tcpv6-csum keyword check(1)\"; "
2231 printf(
"sid 1 didn't match on p1: ");
2237 printf(
"sid 2 didn't match on p2: ");
/* Negative counterpart of SigTest28TCPV6Keyword. The frames and pointer
 * offsets are the same (14-byte Ethernet + 40-byte IPv6 header = 54, then a
 * 20-byte TCP header and a 12-byte payload), but the rule order is swapped:
 * the first rule requires tcpv6-csum:invalid and the second tcpv6-csum:valid.
 * NOTE(review): the match expectations are not visible in this listing;
 * going by the test name, the rules are presumably expected not to match. */
2252 static int SigTest29NegativeTCPV6Keyword(
void)
2254 static uint8_t valid_raw_ipv6[] = {
2255 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2256 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2258 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2259 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2260 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2261 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2262 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2264 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2265 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2266 0xf2, 0xf1, 0x00, 0x00,
2268 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2269 0x00, 0x01, 0x69, 0x27};
2271 static uint8_t invalid_raw_ipv6[] = {
2272 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2273 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2275 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2276 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2277 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2278 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2279 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2281 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2282 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2283 0xc2, 0xf1, 0x00, 0x00,
2285 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2286 0x00, 0x01, 0x69, 0x28};
/* Header and payload pointers are taken at fixed offsets into the arrays. */
2304 p1->
tcph = (TCPHdr *) (valid_raw_ipv6 + 54);
2307 p1->
payload = valid_raw_ipv6 + 54 + 20;
2309 p1->
proto = IPPROTO_TCP;
2317 p2->
tcph = (TCPHdr *) (invalid_raw_ipv6 + 54);
2320 p2->
payload = invalid_raw_ipv6 + 54 + 20;
2322 p2->
proto = IPPROTO_TCP;
2336 "alert tcp any any -> any any "
2337 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2338 "msg:\"tcpv6-csum keyword check(1)\"; "
2345 "alert tcp any any -> any any "
2346 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2347 "msg:\"tcpv6-csum keyword check(1)\"; "
2368 if (det_ctx != NULL)
/* Exercises the udpv4-csum keyword. raw_ipv4 is a mostly zeroed 20-byte IPv4
 * header with protocol byte 0x11 (UDP) and the two addresses set. Each UDP
 * array is 85 bytes, matching its own length field (0x0055), and starts with
 * source port 0x0035 (53). The arrays store the same checksum (0x6c, 0xe0 at
 * offsets 6-7) and differ only in the final byte (0x26 vs 0x27).
 * The rules match "/one/" in buf, so the inspected payload is the HTTP-like
 * text, while the UDP header comes from the raw arrays.
 * NOTE(review): how buf is attached to p1/p2 and the expected results are
 * not visible in this listing. */
2376 static int SigTest30UDPV4Keyword(
void)
2378 uint8_t raw_ipv4[] = {
2379 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2380 0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2381 0xc0, 0xa8, 0x01, 0x03};
2383 uint8_t valid_raw_udp[] = {
2384 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2385 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2386 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2387 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2388 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2389 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2390 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2391 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2392 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2393 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2394 0x67, 0x6c, 0x65, 0xc0, 0x26};
2396 uint8_t invalid_raw_udp[] = {
2397 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2398 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2399 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2400 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2401 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2402 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2403 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2404 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2405 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2406 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2407 0x67, 0x6c, 0x65, 0xc0, 0x27};
2417 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2418 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
/* The UDP header is cast in place from the start of each byte array. */
2424 p1->
udph = (UDPHdr *)valid_raw_udp;
2429 p1->
proto = IPPROTO_UDP;
2433 p2->
udph = (UDPHdr *)invalid_raw_udp;
2438 p2->
proto = IPPROTO_UDP;
2446 "alert udp any any -> any any "
2447 "(content:\"/one/\"; udpv4-csum:valid; "
2448 "msg:\"udpv4-csum keyword check(1)\"; "
2453 "alert udp any any -> any any "
2454 "(content:\"/one/\"; udpv4-csum:invalid; "
2455 "msg:\"udpv4-csum keyword check(1)\"; "
2470 if (det_ctx != NULL)
/* Negative counterpart of SigTest30UDPV4Keyword: same UDP arrays (identical
 * stored checksum, final byte 0x26 vs 0x27), with the rule order swapped so
 * that the first rule requires udpv4-csum:invalid and the second
 * udpv4-csum:valid.
 * NOTE(review): byte 9 of raw_ipv4 (the protocol field) is 0x00 here, while
 * SigTest30UDPV4Keyword uses 0x11 -- confirm this difference is intended.
 * NOTE(review): the match expectations are not visible in this listing. */
2478 static int SigTest31NegativeUDPV4Keyword(
void)
2480 uint8_t raw_ipv4[] = {
2481 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2482 0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2483 0xc0, 0xa8, 0x01, 0x03};
2485 uint8_t valid_raw_udp[] = {
2486 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2487 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2488 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2489 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2490 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2491 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2492 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2493 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2494 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2495 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2496 0x67, 0x6c, 0x65, 0xc0, 0x26};
2498 uint8_t invalid_raw_udp[] = {
2499 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2500 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2501 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2502 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2503 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2504 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2505 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2506 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2507 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2508 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2509 0x67, 0x6c, 0x65, 0xc0, 0x27};
2523 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2524 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
/* The UDP header is cast in place from the start of each byte array. */
2530 p1->
udph = (UDPHdr *)valid_raw_udp;
2535 p1->
proto = IPPROTO_UDP;
2539 p2->
udph = (UDPHdr *)invalid_raw_udp;
2544 p2->
proto = IPPROTO_UDP;
2554 "alert udp any any -> any any "
2555 "(content:\"/one/\"; udpv4-csum:invalid; "
2556 "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2563 "alert udp any any -> any any "
2564 "(content:\"/one/\"; udpv4-csum:valid; "
2565 "msg:\"udpv4-csum keyword check(1)\"; "
2590 if (det_ctx != NULL)
/* Exercises the udpv6-csum keyword on two captured frames. Each frame starts
 * with a 14-byte Ethernet header (ethertype 0x86dd) followed by a 40-byte
 * IPv6 header (payload length 0x0014, next header 0x11), so the UDP header is
 * taken at array + 54. The rules match "/one/" in buf.
 * NOTE(review): the visible rows of the two arrays are identical; the rows
 * in which they differ, and the expected results, are not visible in this
 * listing. */
2600 static int SigTest32UDPV6Keyword(
void)
2602 static uint8_t valid_raw_ipv6[] = {
2603 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2604 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2605 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2606 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2607 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2608 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2609 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2610 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2611 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2614 static uint8_t invalid_raw_ipv6[] = {
2615 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2616 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2617 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2618 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2619 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2620 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2621 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2622 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2623 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2634 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP\r\n"
/* 54 = 14 (Ethernet) + 40 (IPv6); the UDP header is cast in place. */
2641 p1->
udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2646 p1->
proto = IPPROTO_UDP;
2650 p2->
udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2655 p2->
proto = IPPROTO_UDP;
2663 "alert udp any any -> any any "
2664 "(content:\"/one/\"; udpv6-csum:valid; "
2665 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2669 "alert udp any any -> any any "
2670 "(content:\"/one/\"; udpv6-csum:invalid; "
2671 "msg:\"udpv6-csum keyword check(1)\"; "
2686 if (det_ctx != NULL)
/* Negative counterpart of SigTest32UDPV6Keyword: same frame layout (UDP
 * header at array + 54, after a 14-byte Ethernet and a 40-byte IPv6 header),
 * with the rule order swapped so that the first rule requires
 * udpv6-csum:invalid and the second udpv6-csum:valid.
 * NOTE(review): the rows in which the two arrays differ, and the match
 * expectations, are not visible in this listing. */
2695 static int SigTest33NegativeUDPV6Keyword(
void)
2697 static uint8_t valid_raw_ipv6[] = {
2698 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2699 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2700 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2701 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2702 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2703 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2704 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2705 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2706 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2709 static uint8_t invalid_raw_ipv6[] = {
2710 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2711 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2712 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2713 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2714 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2715 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2716 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2717 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2718 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2733 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP\r\n"
/* 54 = 14 (Ethernet) + 40 (IPv6); the UDP header is cast in place. */
2740 p1->
udph = (UDPHdr *) (valid_raw_ipv6 + 54);
2745 p1->
proto = IPPROTO_UDP;
2749 p2->
udph = (UDPHdr *) (invalid_raw_ipv6 + 54);
2754 p2->
proto = IPPROTO_UDP;
2764 "alert udp any any -> any any "
2765 "(content:\"/one/\"; udpv6-csum:invalid; "
2766 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2773 "alert udp any any -> any any "
2774 "(content:\"/one/\"; udpv6-csum:valid; "
2775 "msg:\"udpv6-csum keyword check(1)\"; "
2799 if (det_ctx != NULL)
/* Exercises the icmpv4-csum keyword. Each array is an 84-byte IPv4 datagram,
 * matching its total-length field (0x0054): a 20-byte header with protocol
 * 0x01 (ICMP), then an ICMP message of type 0x08, code 0x00 with its
 * checksum at offsets 22-23 (0xc3, 0x01). The arrays store the same checksum
 * and differ only in the final data byte (0x37 vs 0x38).
 * The rules match "/one/" in buf.
 * NOTE(review): how the arrays and buf are attached to p1/p2, and the
 * expected results, are not visible in this listing. */
2808 static int SigTest34ICMPV4Keyword(
void)
2810 uint8_t valid_raw_ipv4[] = {
2811 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2812 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2813 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2814 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2815 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2816 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2817 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2818 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2819 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2820 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2821 0x34, 0x35, 0x36, 0x37};
2823 uint8_t invalid_raw_ipv4[] = {
2824 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2825 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2826 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2827 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2828 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2829 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2830 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2831 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2832 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2833 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2834 0x34, 0x35, 0x36, 0x38};
2848 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
2850 uint16_t buflen = strlen((
char *)buf);
2862 p1->
proto = IPPROTO_ICMP;
2872 p2->
proto = IPPROTO_ICMP;
/* First rule: payload content plus a valid ICMPv4 checksum. */
2882 "alert icmp any any -> any any "
2883 "(content:\"/one/\"; icmpv4-csum:valid; "
2884 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
/* Second rule: same content, but requires an invalid ICMPv4 checksum. */
2891 "alert icmp any any -> any any "
2892 "(content:\"/one/\"; icmpv4-csum:invalid; "
2893 "msg:\"icmpv4-csum keyword check(1)\"; "
2917 if (det_ctx != NULL)
/*
 * Negative counterpart of the icmpv4-csum keyword test: the keyword values
 * are swapped relative to SigTest34ICMPV4Keyword, so sid:1 carries
 * icmpv4-csum:invalid and the second rule carries icmpv4-csum:valid.
 * NOTE(review): the assertions are on lines missing from this listing;
 * presumably each packet is checked against the rule that contradicts its
 * checksum state and no alert is expected -- confirm.
 */
2926 static int SigTest35NegativeICMPV4Keyword(
void)
/* 84-byte IPv4 datagram (total length 0x0054, protocol 0x01 = ICMP) holding
 * an echo request (type 0x08) with checksum field 0xc3 0x01. */
2928 uint8_t valid_raw_ipv4[] = {
2929 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2930 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2931 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2932 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2933 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2934 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2935 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2936 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2937 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2938 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2939 0x34, 0x35, 0x36, 0x37};
/* Differs from valid_raw_ipv4 only in the last byte (0x38, not 0x37) while
 * keeping the same checksum field. */
2941 uint8_t invalid_raw_ipv4[] = {
2942 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2943 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2944 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2945 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2946 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2947 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2948 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2949 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2950 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2951 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2952 0x34, 0x35, 0x36, 0x38};
/* Payload text carrying the "/one/" pattern that both rules look for. */
2966 uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.0\r\n"
2968 uint16_t buflen = strlen((
char *)buf);
2980 p1->
proto = IPPROTO_ICMP;
2990 p2->
proto = IPPROTO_ICMP;
/* Rule sid:1: alerts only when the ICMPv4 checksum does NOT verify. */
3000 "alert icmp any any -> any any "
3001 "(content:\"/one/\"; icmpv4-csum:invalid; "
3002 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
/* Second rule (its sid is on a line not shown): alerts only on a good
 * checksum. Its msg repeats "check(1)". */
3009 "alert icmp any any -> any any "
3010 "(content:\"/one/\"; icmpv4-csum:valid; "
3011 "msg:\"icmpv4-csum keyword check(1)\"; "
3036 if (det_ctx != NULL)
/*
 * Unit test for the byte_test keyword, in binary and in decimal-string form.
 * A TCP packet is assembled from separately declared Ethernet, IPv4, TCP and
 * payload arrays; both rules are expected to alert (see the two printf
 * messages).
 * NOTE(review): several lines, including the declaration of the payload
 * array, are missing from this listing (see the gaps in the line numbers).
 */
3045 static int SigTest38(
void)
3053 uint8_t raw_eth[] = {
3054 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3055 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* 20-byte IPv4 header: total length 0x007d, protocol 0x06 (TCP),
 * 127.0.0.1 -> 127.0.0.1. */
3058 uint8_t raw_ipv4[] = {
3059 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3060 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3061 0x7f, 0x00, 0x00, 0x01
/* 32-byte TCP header (data offset byte 0x80). */
3063 uint8_t raw_tcp[] = {
3064 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3065 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3066 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3067 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3068 0x00, 0x22, 0xaa, 0x10
/* Payload bytes, presumably the initializer of buf: the 32-bit value
 * 0x00000008, then ASCII "booeek\r\nLEN1 8\r\nfo0008\r\nLEN2 " followed by
 * a run of '9' and "AAAAAA". */
3071 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3072 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3073 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30,
3074 0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3075 0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3076 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3077 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3078 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3079 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
/* sizeof results are narrowed to uint16_t; safe here because every array is
 * a small fixed-size literal. */
3082 uint16_t ethlen =
sizeof(raw_eth);
3083 uint16_t ipv4len =
sizeof(raw_ipv4);
3084 uint16_t tcplen =
sizeof(raw_tcp);
3085 uint16_t buflen =
sizeof(buf);
/* Packet length is the sum of the four layers declared above. */
3106 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
/* Header pointers refer straight into the local arrays (no copy). */
3109 p1->
ethh = (EthernetHdr *)raw_eth;
3111 p1->
tcph = (TCPHdr *)raw_tcp;
3116 p1->
proto = IPPROTO_TCP;
/* sid:1 -- binary byte_test: the 4 bytes at payload offset 0 must equal 8. */
3125 "alert tcp any any -> any any "
3126 "(content:\"LEN1|20|\"; "
3127 "byte_test:4,=,8,0; "
3128 "msg:\"byte_test keyword check(1)\"; sid:1;)");
/* sid:2 -- string byte_test: 5 bytes past the end of the "LEN1 " match, the
 * 4 characters "0008" are parsed as decimal and must equal 8. */
3134 "alert tcp any any -> any any "
3135 "(content:\"LEN1|20|\"; "
3136 "byte_test:4,=,8,5,relative,string,dec; "
3137 "msg:\"byte_test keyword check(2)\"; sid:2;)");
3151 printf(
"sid 1 didn't alert, but should have: ");
3158 printf(
"sid 2 didn't alert, but should have: ");
3166 if (det_ctx != NULL)
/*
 * Unit test for the byte_jump keyword combined with byte_test. A TCP packet
 * is assembled from separately declared Ethernet, IPv4, TCP and payload
 * arrays and two rules are built against it.
 * NOTE(review): the opening line of each rule, one option line of the first
 * rule (3241), the declaration of the payload array and the pass/fail checks
 * are all missing from this listing (see the gaps in the line numbers).
 */
3175 static int SigTest39(
void)
3179 uint8_t raw_eth[] = {
3180 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3181 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* 20-byte IPv4 header: total length 0x007d, protocol 0x06 (TCP). */
3184 uint8_t raw_ipv4[] = {
3185 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3186 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3187 0x7f, 0x00, 0x00, 0x01
/* 32-byte TCP header (data offset byte 0x80). */
3189 uint8_t raw_tcp[] = {
3190 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3191 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3192 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3193 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3194 0x00, 0x22, 0xaa, 0x10
/* Payload bytes, presumably the initializer of buf: the 32-bit value
 * 0x00000008, then ASCII "booeek\r\nLEN1 8\r\nf0008r\r\nLEN2 99LEN2"
 * followed by a run of '9' and "AAAAAA". */
3197 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3198 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3199 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3200 0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3201 0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3202 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3203 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3204 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3205 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
/* sizeof results are narrowed to uint16_t; safe here because every array is
 * a small fixed-size literal. */
3208 uint16_t ethlen =
sizeof(raw_eth);
3209 uint16_t ipv4len =
sizeof(raw_ipv4);
3210 uint16_t tcplen =
sizeof(raw_tcp);
3211 uint16_t buflen =
sizeof(buf);
3222 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
/* Header pointers refer straight into the local arrays (no copy). */
3225 p1->
ethh = (EthernetHdr *)raw_eth;
3227 p1->
tcph = (TCPHdr *)raw_tcp;
3232 p1->
proto = IPPROTO_TCP;
/* sid:1 -- the final byte_test compares 6 bytes against 0x4c454e312038,
 * which is ASCII "LEN1 8". NOTE(review): the option between the two
 * byte_test entries is not shown; presumably a byte_jump -- confirm. */
3239 "(content:\"LEN1|20|\"; "
3240 "byte_test:4,=,8,0; "
3242 "byte_test:6,=,0x4c454e312038,0,relative; "
3243 "msg:\"byte_jump keyword check(1)\"; sid:1;)");
/* sid:2 -- after "LEN1 " the decimal string "0008" sits 4 bytes on; it is
 * first tested for equality with 8, then used as a jump length. The jump of
 * 8 plus post_offset 2 lands on "LEN2" (0x4c454e32) in the payload above. */
3246 "(content:\"LEN1|20|\"; "
3247 "byte_test:4,=,8,4,relative,string,dec; "
3248 "byte_jump:4,4,relative,string,dec,post_offset 2; "
3249 "byte_test:4,=,0x4c454e32,0,relative; "
3250 "msg:\"byte_jump keyword check(2)\"; sid:2;)");
/*
 * Unit test combining content with a relative isdataat check, run against a
 * captured Ethernet frame that holds an HTTP/1.1 302 response.
 * NOTE(review): the decode/detect calls and the expected verdict are on
 * lines missing from this listing (see the gaps in the line numbers).
 */
3272 static int SigTest36ContentAndIsdataatKeywords01 (
void)
/* Ethernet + IPv4 (total length 0x01cc = 460) + TCP (data offset byte 0x80,
 * i.e. a 32-byte header) + payload starting with "HTTP/1.1 302 Found". */
3278 uint8_t raw_eth [] = {
3279 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3280 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3281 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3282 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3283 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3284 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3285 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3286 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3287 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3288 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3289 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3290 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3291 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3292 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3293 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3294 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3295 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3296 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3297 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3298 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3299 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3300 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3301 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3302 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3303 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3304 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3305 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3306 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3307 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3308 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3319 memset(&th_v, 0,
sizeof(th_v));
/* isdataat:404, relative requires data 404 bytes past the end of the "HTTP"
 * match. Going by the header fields above the TCP payload is 408 bytes with
 * "HTTP" as its first 4, so exactly 404 bytes follow: a boundary case.
 * NOTE(review): the expected verdict is not visible here -- confirm. */
3332 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
/*
 * Unit test combining content with a relative isdataat check that cannot be
 * satisfied: the rule must parse, its first match entry must be a content
 * match, and it must not alert on the frame (see the three printf messages).
 * NOTE(review): the conditions guarding those messages are on lines missing
 * from this listing (see the gaps in the line numbers).
 */
3390 static int SigTest37ContentAndIsdataatKeywords02 (
void)
/* Ethernet + IPv4 (total length 0x01cc = 460) + TCP + payload starting with
 * "HTTP/1.1 302 Found". */
3396 uint8_t raw_eth [] = {
3397 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3398 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3399 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3400 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3401 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3402 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3403 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3404 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3405 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3406 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3407 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3408 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3409 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3410 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3411 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3412 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3413 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3414 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3415 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3416 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3417 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3418 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3419 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3420 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3421 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3422 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3423 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3424 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3425 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3426 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3437 memset(&th_v, 0,
sizeof(th_v));
/* isdataat:500, relative asks for data 500 bytes past the "HTTP" match, more
 * than the 460-byte IP datagram holds, so the rule must not alert.
 * NOTE(review): the msg text names "...Keywords01" although this is the 02
 * test; it looks copied from the sibling test, which makes alert output from
 * the two indistinguishable by msg. */
3450 Signature *s =
de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3452 printf(
"sig parse failed: ");
3458 printf(
"type not content: ");
3469 printf(
"sig matched, but should not have: ");
/*
 * Unit test around the "no packet inspection" path: an FTP banner payload is
 * run through Detect() with a single flow:to_server rule bound to
 * destination 1.2.3.4.
 * NOTE(review): the packet/flow setup and the pass condition are on lines
 * missing from this listing; presumably the packet is flagged so that the
 * rule must not alert -- confirm.
 */
3512 static int SigTest40NoPacketInspection01(
void)
3515 uint8_t *buf = (uint8_t *)
3516 "220 (vsFTPd 2.0.5)\r\n";
3517 uint16_t buflen = strlen((
char *)buf);
/* Zero every stack object handed to the engine so no stale field is read. */
3528 memset(&th_v, 0,
sizeof(th_v));
3529 memset(&pq, 0,
sizeof(pq));
3530 memset(&f, 0,
sizeof(f));
3531 memset(&tcphdr, 0,
sizeof(tcphdr));
3539 p->
proto = IPPROTO_TCP;
/* The rule has no content option; it keys on flow direction and on the
 * destination address only. */
3556 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3566 Detect(&th_v, p, det_ctx);
/*
 * Unit test around the "no payload inspection" path: the rule's content is
 * the exact FTP banner carried by the packet.
 * NOTE(review): the flag setup and the pass condition are on lines missing
 * from this listing; presumably the payload is marked not-to-inspect, so the
 * otherwise matching content must not alert -- confirm.
 */
3587 static int SigTest40NoPayloadInspection02(
void)
3590 uint8_t *buf = (uint8_t *)
3591 "220 (vsFTPd 2.0.5)\r\n";
3592 uint16_t buflen = strlen((
char *)buf);
3594 memset(&th_v, 0,
sizeof(th_v));
3603 p->
proto = IPPROTO_TCP;
/* The content equals the payload text (minus the trailing CRLF). */
3612 "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
/*
 * Builds a detection engine holding one content + pcre rule over a payload of
 * two pipelined HTTP requests.
 * NOTE(review): the name suggests the point is engine build/teardown memory
 * handling rather than matching; the teardown calls and the pass condition
 * are on lines missing from this listing -- confirm.
 */
3628 static int SigTestMemory01 (
void)
3630 uint8_t *buf = (uint8_t *)
3631 "GET /one/ HTTP/1.1\r\n"
3632 "Host: one.example.org\r\n"
3634 "GET /two/ HTTP/1.1\r\n"
3635 "Host: two.example.org\r\n"
3637 uint16_t buflen = strlen((
char *)buf);
3645 memset(&th_v, 0,
sizeof(th_v));
3650 p->
proto = IPPROTO_TCP;
/* content "GET " limited to the first 4 bytes, plus a pcre with the named
 * capture group pkt_http_uri and the G modifier. */
3659 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/*
 * Builds a detection engine with two rules that differ only in destination
 * port: the single port 456 and the range 1:1000, which contains it.
 * NOTE(review): presumably this exercises overlapping port groups during
 * engine build and teardown; the pass condition is on lines missing from
 * this listing -- confirm.
 */
3678 static int SigTestMemory02 (
void)
3683 memset(&th_v, 0,
sizeof(th_v));
/* Rule 1: destination port 456. */
3691 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/* Rule 2: destination port range 1:1000, chained by hand onto the list. */
3696 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
/*
 * Builds a detection engine with three rules whose destination address and
 * port specifications overlap: a single host, an address range that contains
 * it, and a negated host that lies inside that range.
 * NOTE(review): presumably this exercises address/port group splitting
 * during engine build and teardown; the pass condition is on lines missing
 * from this listing -- confirm.
 */
3712 static int SigTestMemory03 (
void)
3717 memset(&th_v, 0,
sizeof(th_v));
/* Rule 1: host 1.2.3.4, port 456. */
3725 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
/* Rule 2: address range 1.2.3.3-1.2.3.6, port range 1:1000. */
3730 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
/* Rule 3: everything except 1.2.3.5, port range 1:990. */
3735 de_ctx->
sig_list->
next->
next =
SigInit(
de_ctx,
"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
/*
 * Content match where the pattern is 32 bytes long and equal to the whole
 * payload; the rule is expected to alert (see the printf message).
 * NOTE(review): packet construction and the check itself are on lines
 * missing from this listing.
 */
3751 static int SigTestContent01 (
void)
3753 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901";
3754 uint16_t buflen = strlen((
char *)buf);
3759 memset(&th_v, 0,
sizeof(th_v));
3770 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3783 printf(
"sig 1 didn't match: ");
/*
 * Content match with a 32-byte pattern equal to the whole payload, plus a
 * second rule; both are expected to alert (see the printf messages).
 * NOTE(review): only the first SigInit call is visible; the second rule and
 * the checks are on lines missing from this listing.
 */
3795 static int SigTestContent02 (
void)
3797 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901";
3798 uint16_t buflen = strlen((
char *)buf);
3803 memset(&th_v, 0,
sizeof(th_v));
3813 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3833 printf(
"sig 2 didn't match: ");
3836 printf(
"sig 1 didn't match: ");
/*
 * Two chained 32-byte content patterns: the second must start at or after
 * the end of the first (distance:0). In the payload it follows directly, so
 * the rule is expected to alert (see the printf message).
 * NOTE(review): packet construction and the check itself are on lines
 * missing from this listing.
 */
3848 static int SigTestContent03 (
void)
3850 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3851 uint16_t buflen = strlen((
char *)buf);
3856 memset(&th_v, 0,
sizeof(th_v));
3867 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3880 printf(
"sig 1 didn't match: ");
/*
 * Two chained 32-byte content patterns with distance:0 and within:32: the
 * second pattern must lie entirely inside the 32 bytes that follow the
 * first. In the payload it follows directly, so the rule is expected to
 * alert (see the printf message).
 * NOTE(review): packet construction and the check itself are on lines
 * missing from this listing.
 */
3892 static int SigTestContent04 (
void)
3894 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3895 uint16_t buflen = strlen((
char *)buf);
3900 memset(&th_v, 0,
sizeof(th_v));
3912 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3925 printf(
"sig 1 didn't match: ");
/*
 * Negative distance/within test. The payload has the 3 bytes "PAD" between
 * the two 32-byte patterns, so the second pattern cannot fit inside the 32
 * bytes allowed by within:32. Neither rule may alert (see the "matched but
 * shouldn't" messages).
 * NOTE(review): the conditions guarding the printf calls are on lines
 * missing from this listing.
 */
3938 static int SigTestContent05 (
void)
3940 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3941 uint16_t buflen = strlen((
char *)buf);
3946 memset(&th_v, 0,
sizeof(th_v));
3952 printf(
"de_ctx == NULL: ");
/* sid:1 -- distance:0, within:32. */
3958 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3960 printf(
"sig1 parse failed: ");
/* sid:2 -- same patterns with distance:1, within:32. */
3963 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
3965 printf(
"sig2 parse failed: ");
3975 printf(
"sig 1 matched but shouldn't: ");
3980 printf(
"sig 2 matched but shouldn't: ");
3990 if (det_ctx != NULL) {
/*
 * Two "alert ip" rules over the same payload: sig1 chains two 32-byte
 * patterns with distance:0 and within:32, sig2 pairs the first pattern with
 * the short, unconstrained content "abcdefg". Both are expected to alert
 * (see the printf messages).
 * NOTE(review): packet construction and the checks are on lines missing from
 * this listing.
 */
3999 static int SigTestContent06 (
void)
4001 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4002 uint16_t buflen = strlen((
char *)buf);
4007 memset(&th_v, 0,
sizeof(th_v));
4018 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
4023 de_ctx->
sig_list->
next =
SigInit(
de_ctx,
"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
4036 printf(
"sig 1 didn't match: ");
4043 printf(
"sig 2 didn't match: ");
/*
 * Test for distance:0 combined with within:15 across several packets. The
 * rule's second content, "content matches", is 15 bytes long, so it must
 * follow the first content immediately. All five packets are expected to
 * match (see the "failed to match on packet N" messages).
 *
 * rawpkt1..rawpkt4 are Ethernet + IPv4 (protocol 0x06, total length 0x008c)
 * + TCP frames carrying "Hi, this is a big test to check content matches\n"
 * followed by zero padding. They differ in the IP id and checksum, the TCP
 * source port (0x06cc..0x06cf), the sequence/ack numbers and the TCP
 * checksum.
 * NOTE(review): the closing lines of the arrays, the decode/detect calls and
 * the checks are on lines missing from this listing.
 */
4057 static int SigTestWithin01 (
void)
4067 uint8_t rawpkt1[] = {
4068 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4069 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4070 0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4071 0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4072 0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4073 0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4074 0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4075 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4076 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4077 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4078 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4079 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4080 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4081 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4082 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4083 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4084 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4085 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4086 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4089 uint8_t rawpkt2[] = {
4090 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4091 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4092 0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4093 0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4094 0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4095 0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4096 0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4097 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4098 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4099 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4100 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4101 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4102 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4103 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4104 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4105 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4106 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4107 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4108 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4111 uint8_t rawpkt3[] = {
4112 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4113 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4114 0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4115 0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4116 0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4117 0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4118 0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4119 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4120 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4121 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4122 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4123 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4124 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4125 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4126 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4127 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4128 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4129 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4130 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4133 uint8_t rawpkt4[] = {
4134 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4135 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4136 0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4137 0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4138 0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4139 0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4140 0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4141 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4142 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4143 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4144 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4145 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4146 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4147 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4148 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4149 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4150 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4151 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4152 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4156 memset(&th_v, 0,
sizeof(th_v));
/* First content is 32 bytes, second is 15; within:15 leaves no slack. */
4169 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4185 printf(
"failed to match on packet 1: ");
4196 printf(
"failed to match on packet 2: ");
4207 printf(
"failed to match on packet 3: ");
4218 printf(
"failed to match on packet 4: ");
/* Fifth packet: the same text given as a plain string instead of a raw
 * frame, and without the trailing newline and zero padding. */
4223 uint8_t *p5buf = (uint8_t *)
"Hi, this is a big test to check content matches";
4224 uint16_t p5buflen = strlen((
char *)p5buf);
4228 printf(
"failed to match on packet 5: ");
4240 if (det_ctx != NULL)
/*
 * Test for content combined with offset and depth. With offset:4 and depth:3
 * the search window is payload bytes 4..6, which hold exactly "456" in the
 * payload used here.
 * NOTE(review): the expected verdict is on lines missing from this listing
 * -- confirm.
 */
4266 static int SigTestDepthOffset01 (
void)
4268 uint8_t *buf = (uint8_t *)
"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4269 uint16_t buflen = strlen((
char *)buf);
4275 memset(&th_v, 0,
sizeof(th_v));
4286 de_ctx->
sig_list =
SigInit(
de_ctx,
"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
/*
 * Runs three small TCP packets against a single content:"boo" rule. Going by
 * the payloads, the first ("boo") and third ("laboosa") contain the pattern
 * and the second ("roo") does not.
 * NOTE(review): the name suggests the detect alert counter is read after
 * each packet; those reads and the expected values are on lines missing from
 * this listing -- confirm.
 */
4309 static int SigTestDetectAlertCounter(
void)
4314 memset(&
tv, 0,
sizeof(
tv));
4321 "content:\"boo\"; sid:1;)");
/* Payload contains the pattern. */
4330 p =
UTHBuildPacket((uint8_t *)
"boo", strlen(
"boo"), IPPROTO_TCP);
/* Payload does not contain the pattern. */
4338 p =
UTHBuildPacket((uint8_t *)
"roo", strlen(
"roo"), IPPROTO_TCP);
/* Pattern sits in the middle of the payload. */
4343 p =
UTHBuildPacket((uint8_t *)
"laboosa", strlen(
"laboosa"), IPPROTO_TCP);
/*
 * First of the drop-flow tests: an HTTP POST request is fed through a zeroed
 * TCP flow and a rule with msg "Test proto match" is loaded.
 * NOTE(review): the rule's action and options, the app-layer parsing and the
 * pass condition are on lines missing from this listing; presumably the test
 * checks that a drop rule flags the whole flow -- confirm.
 */
4355 static int SigTestDropFlow01(
void)
4359 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4360 "User-Agent: Mozilla/1.0\r\n"
4361 "Cookie: hellocatch\r\n\r\n";
/* sizeof - 1 leaves out the string literal's terminating NUL. */
4362 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4371 memset(&f, 0,
sizeof(
Flow));
4378 f.
proto = IPPROTO_TCP;
4394 "(msg:\"Test proto match\"; "
/*
 * Drop-flow test with a uricontent:"one" rule over an HTTP POST to /one. The
 * messages show what is verified: the request parses (return 0), an HTTP
 * state exists, sig 1 alerts, and the flow is then flagged correctly.
 * NOTE(review): the rule's action and the conditions guarding the printf
 * calls are on lines missing from this listing.
 */
4428 static int SigTestDropFlow02(
void)
4433 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4434 "User-Agent: Mozilla/1.0\r\n"
4435 "Cookie: hellocatch\r\n\r\n";
/* sizeof - 1 leaves out the string literal's terminating NUL. */
4436 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4445 memset(&f, 0,
sizeof(
Flow));
4452 f.
proto = IPPROTO_TCP;
4470 "(msg:\"Test proto match\"; uricontent:\"one\";"
4482 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4487 if (http_state == NULL) {
4488 printf(
"no http state: ");
4496 printf(
"sig 1 didn't alert, but it should: ");
4501 printf(
"sig 1 alerted but flow was not flagged correctly: ");
4513 if (det_ctx != NULL)
/*
 * Drop-flow test over two requests on one flow. The messages show the
 * sequence that is verified: sig 1 (uricontent "one") alerts on p1 and the
 * flow is flagged; p2 is then marked no-inspection because the flow already
 * triggered a drop; neither sig 1 nor sig 2 (uricontent "two") may alert on
 * p2; and p2 must inherit the "drop" action from the flow.
 * NOTE(review): the rules' actions and the conditions guarding most printf
 * calls are on lines missing from this listing.
 */
4530 static int SigTestDropFlow03(
void)
4535 uint8_t http_buf1[] =
"POST /one HTTP/1.0\r\n"
4536 "User-Agent: Mozilla/1.0\r\n"
4537 "Cookie: hellocatch\r\n\r\n";
/* sizeof - 1 leaves out the string literal's terminating NUL. */
4538 uint32_t http_buf1_len =
sizeof(http_buf1) - 1;
4540 uint8_t http_buf2[] =
"POST /two HTTP/1.0\r\n"
4541 "User-Agent: Mozilla/1.0\r\n"
4542 "Cookie: hellocatch\r\n\r\n";
/* NOTE(review): this takes sizeof(http_buf1), not sizeof(http_buf2). The two
 * literals have the same length, so the value is right only by coincidence;
 * sizeof(http_buf2) looks like what was meant. */
4543 uint32_t http_buf2_len =
sizeof(http_buf1) - 1;
4557 memset(&f, 0,
sizeof(
Flow));
4565 f.
proto = IPPROTO_TCP;
4589 "(msg:\"Test proto match\"; uricontent:\"one\";"
4598 "(msg:\"Test proto match\"; uricontent:\"two\";"
4610 printf(
"toserver chunk 1 returned %" PRId32
", expected 0: ", r);
4615 if (http_state == NULL) {
4616 printf(
"no http state: ");
4624 printf(
"sig 1 didn't alert on p1, but it should: ");
4629 printf(
"sig 1 alerted but flow was not flagged correctly: ");
/* Once the flow has triggered a drop, switch off inspection for both the
 * flow and the second packet. */
4634 if (StreamTcpCheckFlowDrops(p2) == 1) {
4635 SCLogDebug(
"This flow/stream triggered a drop rule");
4636 FlowSetNoPacketInspectionFlag(p2->
flow);
4637 DecodeSetNoPacketInspectionFlag(p2);
4646 printf(
"The packet was not flagged with no-inspection: ");
4653 printf(
"toserver chunk 2 returned %" PRId32
", expected 0: ", r);
4661 printf(
"sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4666 printf(
"sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4671 printf(
"A \"drop\" action should be set from the flow to the packet: ");
4680 if (det_ctx != NULL)
/*
 * Port-handling test: the payload contains the rule's content "AAA", yet
 * sig 1 must not alert on p1 (see the printf message).
 * NOTE(review): the rule header and the packet setup that make the rule
 * inapplicable are on lines missing from this listing; the name suggests a
 * port mismatch -- confirm.
 */
4700 static int SigTestPorts01(
void)
4707 uint8_t payload[] =
"AAAAAAAAAAAAAAAAAA";
4720 "(content:\"AAA\"; sid:1;)");
4732 printf(
"sig 1 alerted on p1, but it should not: ");
4738 if (det_ctx != NULL)
/*
 * Regression test for nocase content matching on a payload that starts with
 * a non-letter. The payload is "!mymy": sid:1 (content "Omymy", nocase) must
 * not alert and sid:2 (content "!mymy", nocase) must alert, as the printf
 * messages state.
 * NOTE(review): the second message reads "did not p1" with a word missing;
 * it is a runtime string, so it is left unchanged here.
 */
4750 static int SigTestBug01(
void)
4757 uint8_t payload[] =
"!mymy";
4770 "(content:\"Omymy\"; nocase; sid:1;)");
4775 "(content:\"!mymy\"; nocase; sid:2;)");
4787 printf(
"sig 1 alerted on p1, but it should not: ");
4791 printf(
"sig 2 did not p1, but it should have: ");
4797 if (det_ctx != NULL)
/*
 * YAML configuration fixture whose HOME_NET is a /24 with one host negated
 * (written without a prefix length). Presumably consumed by
 * DetectAddressYamlParsing01 -- confirm. Only part of the string survives in
 * this listing.
 */
4808 static const char *dummy_conf_string2 =
4813 " address-groups:\n"
4815 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4817 " EXTERNAL_NET: \"any\"\n"
4821 " HTTP_PORTS: \"80:81,88\"\n"
4824 static int DetectAddressYamlParsing01 (
void)
/*
 * YAML configuration fixture whose HOME_NET is a /24 with one host negated,
 * this time written with an explicit /32. Presumably consumed by
 * DetectAddressYamlParsing02 -- confirm. Only part of the string survives in
 * this listing.
 */
4855 static const char *dummy_conf_string3 =
4860 " address-groups:\n"
4862 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4864 " EXTERNAL_NET: \"any\"\n"
4868 " HTTP_PORTS: \"80:81,88\"\n"
4871 static int DetectAddressYamlParsing02 (
void)
/*
 * YAML configuration fixture with a /24 HOME_NET and one negated /32 host.
 * NOTE(review): the lines visible here match dummy_conf_string3 exactly; any
 * difference must lie in the parts of the string missing from this listing.
 * Presumably consumed by DetectAddressYamlParsing03 -- confirm.
 */
4902 static const char *dummy_conf_string4 =
4907 " address-groups:\n"
4909 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4911 " EXTERNAL_NET: \"any\"\n"
4915 " HTTP_PORTS: \"80:81,88\"\n"
4918 static int DetectAddressYamlParsing03 (
void)
/*
 * YAML configuration fixture whose HOME_NET is 10.196.0.0/24 with the single
 * host 10.196.0.15 negated (no prefix length). Presumably consumed by
 * DetectAddressYamlParsing04 -- confirm. Only part of the string survives in
 * this listing.
 */
4949 static const char *dummy_conf_string5 =
4954 " address-groups:\n"
4956 " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
4958 " EXTERNAL_NET: \"any\"\n"
4962 " HTTP_PORTS: \"80:81,88\"\n"
4966 static int DetectAddressYamlParsing04 (
void)
5006 UtRegisterTest(
"SigTest05 -- distance/within mismatch", SigTest05);
5007 UtRegisterTest(
"SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
5010 UtRegisterTest(
"SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
5013 UtRegisterTest(
"SigTest10 -- long content match, longer than pkt",
5016 UtRegisterTest(
"SigTest12 -- content order matching, normal", SigTest12);
5017 UtRegisterTest(
"SigTest13 -- content order matching, diff order",
5019 UtRegisterTest(
"SigTest14 -- content order matching, distance 0",
5021 UtRegisterTest(
"SigTest15 -- port negation sig (no match)", SigTest15);
5022 UtRegisterTest(
"SigTest16 -- port negation sig (match)", SigTest16);
5023 UtRegisterTest(
"SigTest17 -- HTTP Host Pkt var capture", SigTest17);
5033 SigTest25NegativeIPV4Keyword);
5037 SigTest26TCPV4AndNegativeIPV4Keyword);
5039 SigTest26TCPV4AndIPV4Keyword);
5041 SigTest27NegativeTCPV4Keyword);
5045 SigTest29NegativeTCPV6Keyword);
5049 SigTest31NegativeUDPV4Keyword);
5053 SigTest33NegativeUDPV6Keyword);
5055 UtRegisterTest(
"SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5057 SigTest35NegativeICMPV4Keyword);
5059 SigTest36ContentAndIsdataatKeywords01);
5061 SigTest37ContentAndIsdataatKeywords02);
5068 SigTest40NoPacketInspection01);
5070 SigTest40NoPayloadInspection02);
5076 UtRegisterTest(
"SigTestContent01 -- 32 byte pattern", SigTestContent01);
5077 UtRegisterTest(
"SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5078 UtRegisterTest(
"SigTestContent03 -- 32 byte pattern, x2 + distance",
5080 UtRegisterTest(
"SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5082 UtRegisterTest(
"SigTestContent05 -- distance/within", SigTestContent05);
5089 UtRegisterTest(
"SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5095 UtRegisterTest(
"DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5096 UtRegisterTest(
"DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5097 UtRegisterTest(
"DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5098 UtRegisterTest(
"DetectAddressYamlParsing04", DetectAddressYamlParsing04);