suricata
detect-byte-extract.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2024 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22 */
23
24#include "suricata-common.h"
25#include "decode.h"
26
27#include "detect.h"
28#include "detect-engine.h"
29#include "detect-content.h"
30#include "detect-pcre.h"
31#include "detect-bytejump.h"
32#include "detect-bytetest.h"
33#include "detect-byte-extract.h"
34#include "detect-isdataat.h"
35#include "detect-engine-build.h"
36
37#include "rust.h"
38
39#include "app-layer-protos.h"
40
41#include "util-byte.h"
42#include "util-debug.h"
43#include "util-unittest.h"
44#include "util-unittest-helper.h"
45
46/* the base to be used if string mode is specified. These options would be
47 * specified in DetectByteParseData->base */
48#define DETECT_BYTE_EXTRACT_BASE_HEX BaseHex
49#define DETECT_BYTE_EXTRACT_BASE_DEC BaseDec
50#define DETECT_BYTE_EXTRACT_BASE_OCT BaseOct
51
52/* the max no of bytes that can be extracted in string mode - (string, hex)
53 * (string, oct) or (string, dec) */
54#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
55#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
56#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
57/* the max no of bytes that can be extracted in non-string mode */
58#define NO_STRING_MAX_BYTES_TO_EXTRACT 8
59
60static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
61#ifdef UNITTESTS
62static void DetectByteExtractRegisterTests(void);
63#endif
64static void DetectByteExtractFree(DetectEngineCtx *, void *);
65
66/**
67 * \brief Registers the keyword handlers for the "byte_extract" keyword.
68 */
69void DetectByteExtractRegister(void)
70{
71 sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
72 sigmatch_table[DETECT_BYTE_EXTRACT].desc = "extract <num of bytes> at a particular <offset> and store it in <var_name>";
73 sigmatch_table[DETECT_BYTE_EXTRACT].url = "/rules/payload-keywords.html#byte-extract";
74 sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
75 sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
76 sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
77#ifdef UNITTESTS
78 sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
79#endif
80}
81
82int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
83 const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value,
84 uint8_t endian)
85{
86 if (payload_len == 0) {
87 return 0;
88 }
89
90 /* Calculate the ptr value for the bytetest and length remaining in
91 * the packet from that point.
92 */
93 const uint8_t *ptr;
94 int32_t len;
95 SCDetectByteExtractData *data = (SCDetectByteExtractData *)smd->ctx;
96 if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
97 SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
98 "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
99
100 ptr = payload + det_ctx->buffer_offset;
101 len = payload_len - det_ctx->buffer_offset;
102
103 ptr += data->offset;
104 len -= data->offset;
105
106 /* No match if there is no relative base */
107 if (len <= 0) {
108 return 0;
109 }
110 //PrintRawDataFp(stdout,ptr,len);
111 } else {
112 SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
113
114 ptr = payload + data->offset;
115 len = payload_len - data->offset;
116 }
117
118 /* Validate that the to-be-extracted is within the packet */
119 if (ptr < payload || data->nbytes > len) {
120 SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
121 payload, ptr, len, data->nbytes);
122 return 0;
123 }
124
125 /* Extract the byte data */
126 uint64_t val = 0;
127 int extbytes;
128 if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
129 extbytes = ByteExtractStringUint64(&val, data->base,
130 data->nbytes, (const char *)ptr);
131 if (extbytes <= 0) {
132 /* ByteExtractStringUint64() set val to 0 if there is no numeric value in data string */
133 if (val == 0) {
134 SCLogDebug("No Numeric value");
135 return 0;
136 } else {
137 SCLogDebug("error extracting %d bytes of string data: %d",
138 data->nbytes, extbytes);
139 return -1;
140 }
141 }
142 } else {
143 int endianness = (endian == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
144 extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
145 if (extbytes != data->nbytes) {
146 SCLogDebug("error extracting %d bytes of numeric data: %d",
147 data->nbytes, extbytes);
148 return 0;
149 }
150 }
151
152 /* Adjust the jump value based on flags */
153 val *= data->multiplier_value;
154 if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
155 if ((val % data->align_value) != 0) {
156 val += data->align_value - (val % data->align_value);
157 }
158 }
159
160 ptr += extbytes;
161
162 det_ctx->buffer_offset = (uint32_t)(ptr - payload);
163
164 *value = val;
165 SCLogDebug("extracted value is %"PRIu64, val);
166 return 1;
167}
168
169/**
170 * \internal
171 * \brief Used to parse byte_extract arg.
172 *
173 * \param de_ctx Pointer to the detection engine context
174 * \arg The argument to parse.
175 *
176 * \param bed On success an instance containing the parsed data.
177 * On failure, NULL.
178 */
179static inline SCDetectByteExtractData *DetectByteExtractParse(
180 DetectEngineCtx *de_ctx, const char *arg)
181{
182 SCDetectByteExtractData *bed = SCByteExtractParse(arg);
183 if (bed == NULL) {
184 SCLogError("invalid byte_extract values");
185 goto error;
186 }
187
188 if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_SLICE) {
189 SCLogError("byte_extract slice not yet supported; see issue #6831");
190 goto error;
191 }
192 if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
193 if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
194 /* if are dealing with octal nos, the max no that can fit in a 8
195 * byte value is 01777777777777777777777 */
196 if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
197 SCLogError("byte_extract can't process "
198 "more than %d bytes in \"string\" extraction",
199 STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
200 goto error;
201 }
202 } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
203 /* if are dealing with decimal nos, the max no that can fit in a 8
204 * byte value is 18446744073709551615 */
205 if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
206 SCLogError("byte_extract can't process "
207 "more than %d bytes in \"string\" extraction",
208 STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
209 goto error;
210 }
211 } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
212 /* if are dealing with hex nos, the max no that can fit in a 8
213 * byte value is 0xFFFFFFFFFFFFFFFF */
214 if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
215 SCLogError("byte_extract can't process "
216 "more than %d bytes in \"string\" extraction",
217 STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
218 goto error;
219 }
220 } else {
221 ; // just a placeholder. we won't reach here.
222 }
223 } else {
224 if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
225 SCLogError("byte_extract can't process "
226 "more than %d bytes in \"non-string\" extraction",
227 NO_STRING_MAX_BYTES_TO_EXTRACT);
228 goto error;
229 }
230 /* if string has not been specified and no endian option has been
231 * specified, then set the default endian level of BIG */
232 if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
233 bed->endian = BigEndian;
234 }
235 return bed;
236
237 error:
238 if (bed != NULL)
239 DetectByteExtractFree(de_ctx, bed);
240 return NULL;
241}
242
243/**
244 * \brief The setup function for the byte_extract keyword for a signature.
245 *
246 * \param de_ctx Pointer to the detection engine context.
247 * \param s Pointer to signature for the current Signature being parsed
248 * from the rules.
249 * \param m Pointer to the head of the SigMatch for the current rule
250 * being parsed.
251 * \param arg Pointer to the string holding the keyword value.
252 *
253 * \retval 0 On success.
254 * \retval -1 On failure.
255 */
256static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
257{
258 SigMatch *prev_pm = NULL;
259 SCDetectByteExtractData *data = NULL;
260 int ret = -1;
261
262 data = DetectByteExtractParse(de_ctx, arg);
263 if (data == NULL)
264 goto error;
265
266 int sm_list;
267 if (s->init_data->list != DETECT_SM_LIST_NOTSET) {
268 sm_list = s->init_data->list;
269
270 if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
271 prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
272 }
273 } else if (data->endian == EndianDCE) {
274 if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
275 prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
276 DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
277 DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
278 if (prev_pm == NULL) {
279 sm_list = DETECT_SM_LIST_PMATCH;
280 } else {
281 sm_list = SigMatchListSMBelongsTo(s, prev_pm);
282 if (sm_list < 0)
283 goto error;
284 }
285 } else {
286 sm_list = DETECT_SM_LIST_PMATCH;
287 }
288
289 if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) < 0)
290 goto error;
291
292 } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
293 prev_pm = DetectGetLastSMFromLists(s,
294 DETECT_CONTENT, DETECT_PCRE,
295 DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
296 DETECT_BYTEMATH, DETECT_ISDATAAT, -1);
297 if (prev_pm == NULL) {
298 sm_list = DETECT_SM_LIST_PMATCH;
299 } else {
300 sm_list = SigMatchListSMBelongsTo(s, prev_pm);
301 if (sm_list < 0)
302 goto error;
303 }
304
305 } else {
306 sm_list = DETECT_SM_LIST_PMATCH;
307 }
308
309 if (data->endian == EndianDCE) {
310 if (SCDetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
311 goto error;
312
313 if ((DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ==
314 (data->flags & (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING))) {
315 SCLogError("Invalid option. "
316 "A byte_jump keyword with dce holds other invalid modifiers.");
317 goto error;
318 }
319 }
320
321 SigMatch *prev_bed_sm = DetectGetLastSMByListId(s, sm_list,
322 DETECT_BYTE_EXTRACT, -1);
323 if (prev_bed_sm == NULL)
324 data->local_id = 0;
325 else
326 data->local_id = ((SCDetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
327 if (data->local_id > de_ctx->byte_extract_max_local_id)
328 de_ctx->byte_extract_max_local_id = data->local_id;
329
330 if (SCSigMatchAppendSMToList(de_ctx, s, DETECT_BYTE_EXTRACT, (SigMatchCtx *)data, sm_list) ==
331 NULL) {
332 goto error;
333 }
334
335 if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
336 goto okay;
337
338 if (prev_pm == NULL)
339 goto okay;
340
341 if (prev_pm->type == DETECT_CONTENT) {
342 DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
343 cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
344 } else if (prev_pm->type == DETECT_PCRE) {
345 DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
346 pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
347 }
348
349 okay:
350 ret = 0;
351 return ret;
352 error:
353 DetectByteExtractFree(de_ctx, data);
354 return ret;
355}
356
357/**
358 * \brief Used to free instances of SCDetectByteExtractData.
359 *
360 * \param ptr Instance of SCDetectByteExtractData to be freed.
361 */
362static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
363{
364 SCByteExtractFree(ptr);
365}
366
367/**
368 * \brief Lookup the SigMatch for a named byte_extract variable.
369 *
370 * \param arg The name of the byte_extract variable to lookup.
371 * \param s Pointer the signature to look in.
372 *
373 * \retval A pointer to the SigMatch if found, otherwise NULL.
374 */
375SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, int sm_list, const Signature *s)
376{
377 for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
378 SigMatch *sm = s->init_data->buffers[x].head;
379 while (sm != NULL) {
380 if (sm->type == DETECT_BYTE_EXTRACT) {
381 const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
382 if (strcmp(bed->name, arg) == 0) {
383 return sm;
384 }
385 }
386 sm = sm->next;
387 }
388 }
389
390 for (int list = 0; list < DETECT_SM_LIST_MAX; list++) {
391 SigMatch *sm = s->init_data->smlists[list];
392 while (sm != NULL) {
393 // Make sure that the linked buffers ore on the same list
394 if (sm->type == DETECT_BYTE_EXTRACT && (sm_list == -1 || sm_list == list)) {
395 const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
396 if (strcmp(bed->name, arg) == 0) {
397 return sm;
398 }
399 }
400 sm = sm->next;
401 }
402 }
403
404 return NULL;
405}
406
407/*************************************Unittests********************************/
408
409#ifdef UNITTESTS
410
411#include "detect-engine-buffer.h"
412
413static int g_file_data_buffer_id = 0;
414static int g_http_uri_buffer_id = 0;
415
416static int DetectByteExtractTest01(void)
417{
418 int result = 0;
419
420 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
421 if (bed == NULL)
422 goto end;
423
424 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
425 bed->endian != BigEndian || bed->align_value != 0 ||
426 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
427 goto end;
428 }
429
430 result = 1;
431 end:
432 if (bed != NULL)
433 DetectByteExtractFree(NULL, bed);
434 return result;
435}
436
437static int DetectByteExtractTest02(void)
438{
439 int result = 0;
440
441 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
442 if (bed == NULL)
443 goto end;
444
445 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
446 bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE || bed->endian != BigEndian ||
447 bed->align_value != 0 ||
448 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
449 goto end;
450 }
451
452 result = 1;
453 end:
454 if (bed != NULL)
455 DetectByteExtractFree(NULL, bed);
456 return result;
457}
458
459static int DetectByteExtractTest03(void)
460{
461 int result = 0;
462
463 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
464 if (bed == NULL)
465 goto end;
466
467 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
468 bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER || bed->endian != BigEndian ||
469 bed->align_value != 0 || bed->multiplier_value != 10) {
470 goto end;
471 }
472
473 result = 1;
474 end:
475 if (bed != NULL)
476 DetectByteExtractFree(NULL, bed);
477 return result;
478}
479
480static int DetectByteExtractTest04(void)
481{
482 int result = 0;
483
484 SCDetectByteExtractData *bed =
485 DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
486 if (bed == NULL)
487 goto end;
488
489 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
490 bed->flags !=
491 (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
492 bed->endian != BigEndian || bed->align_value != 0 || bed->multiplier_value != 10) {
493 goto end;
494 }
495
496 result = 1;
497 end:
498 if (bed != NULL)
499 DetectByteExtractFree(NULL, bed);
500 return result;
501}
502
503static int DetectByteExtractTest05(void)
504{
505 int result = 0;
506
507 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
508 if (bed == NULL)
509 goto end;
510
511 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
512 bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != BigEndian ||
513 bed->align_value != 0 ||
514 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
515 goto end;
516 }
517
518 result = 1;
519 end:
520 if (bed != NULL)
521 DetectByteExtractFree(NULL, bed);
522 return result;
523}
524
525static int DetectByteExtractTest06(void)
526{
527 int result = 0;
528
529 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
530 if (bed == NULL)
531 goto end;
532
533 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
534 bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != LittleEndian ||
535 bed->align_value != 0 ||
536 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
537 goto end;
538 }
539
540 result = 1;
541 end:
542 if (bed != NULL)
543 DetectByteExtractFree(NULL, bed);
544 return result;
545}
546
547static int DetectByteExtractTest07(void)
548{
549 int result = 0;
550
551 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
552 if (bed == NULL)
553 goto end;
554
555 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
556 bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != EndianDCE ||
557 bed->align_value != 0 ||
558 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
559 goto end;
560 }
561
562 result = 1;
563 end:
564 if (bed != NULL)
565 DetectByteExtractFree(NULL, bed);
566 return result;
567}
568
569static int DetectByteExtractTest08(void)
570{
571 int result = 0;
572
573 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
574 if (bed == NULL)
575 goto end;
576
577 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
578 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
579 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
580 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
581 goto end;
582 }
583
584 result = 1;
585 end:
586 if (bed != NULL)
587 DetectByteExtractFree(NULL, bed);
588 return result;
589}
590
591static int DetectByteExtractTest09(void)
592{
593 int result = 0;
594
595 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
596 if (bed == NULL)
597 goto end;
598
599 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
600 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
601 bed->base != DETECT_BYTE_EXTRACT_BASE_OCT || bed->align_value != 0 ||
602 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
603 goto end;
604 }
605
606 result = 1;
607 end:
608 if (bed != NULL)
609 DetectByteExtractFree(NULL, bed);
610 return result;
611}
612
613static int DetectByteExtractTest10(void)
614{
615 int result = 0;
616
617 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
618 if (bed == NULL)
619 goto end;
620
621 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
622 bed->base != DETECT_BYTE_EXTRACT_BASE_DEC || bed->align_value != 0 ||
623 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
624 goto end;
625 }
626
627 result = 1;
628 end:
629 if (bed != NULL)
630 DetectByteExtractFree(NULL, bed);
631 return result;
632}
633
634static int DetectByteExtractTest11(void)
635{
636 int result = 0;
637
638 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
639 if (bed == NULL)
640 goto end;
641
642 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
643 bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN || bed->endian != BigEndian ||
644 bed->align_value != 4 ||
645 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
646 goto end;
647 }
648
649 result = 1;
650 end:
651 if (bed != NULL)
652 DetectByteExtractFree(NULL, bed);
653 return result;
654}
655
656static int DetectByteExtractTest12(void)
657{
658 int result = 0;
659
660 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
661 if (bed == NULL)
662 goto end;
663
664 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
665 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
666 bed->endian != BigEndian || bed->align_value != 4 ||
667 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
668 goto end;
669 }
670
671 result = 1;
672 end:
673 if (bed != NULL)
674 DetectByteExtractFree(NULL, bed);
675 return result;
676}
677
678static int DetectByteExtractTest13(void)
679{
680 int result = 0;
681
682 SCDetectByteExtractData *bed =
683 DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
684 if (bed == NULL)
685 goto end;
686
687 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
688 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
689 DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
690 bed->endian != BigEndian || bed->align_value != 4 ||
691 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
692 goto end;
693 }
694
695 result = 1;
696 end:
697 if (bed != NULL)
698 DetectByteExtractFree(NULL, bed);
699 return result;
700}
701
702static int DetectByteExtractTest14(void)
703{
704 int result = 0;
705
706 SCDetectByteExtractData *bed =
707 DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
708 if (bed == NULL)
709 goto end;
710
711 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
712 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
713 DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
714 bed->endian != EndianDCE || bed->align_value != 4 ||
715 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
716 goto end;
717 }
718
719 result = 1;
720 end:
721 if (bed != NULL)
722 DetectByteExtractFree(NULL, bed);
723 return result;
724}
725
726static int DetectByteExtractTest15(void)
727{
728 int result = 0;
729
730 SCDetectByteExtractData *bed =
731 DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
732 if (bed == NULL)
733 goto end;
734
735 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
736 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
737 DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
738 bed->endian != LittleEndian || bed->align_value != 4 ||
739 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
740 goto end;
741 }
742
743 result = 1;
744 end:
745 if (bed != NULL)
746 DetectByteExtractFree(NULL, bed);
747 return result;
748}
749
750static int DetectByteExtractTest16(void)
751{
752 int result = 0;
753
754 SCDetectByteExtractData *bed =
755 DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
756 if (bed == NULL)
757 goto end;
758
759 if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
760 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
761 DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
762 DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
763 bed->endian != LittleEndian || bed->align_value != 4 || bed->multiplier_value != 2) {
764 goto end;
765 }
766
767 result = 1;
768 end:
769 if (bed != NULL)
770 DetectByteExtractFree(NULL, bed);
771 return result;
772}
773
774static int DetectByteExtractTest17(void)
775{
776 int result = 0;
777
778 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
779 "relative, little, "
780 "multiplier 2, string hex");
781 if (bed != NULL)
782 goto end;
783
784 result = 1;
785 end:
786 if (bed != NULL)
787 DetectByteExtractFree(NULL, bed);
788 return result;
789}
790
791static int DetectByteExtractTest18(void)
792{
793 int result = 0;
794
795 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
796 "relative, little, "
797 "multiplier 2, "
798 "relative");
799 if (bed != NULL)
800 goto end;
801
802 result = 1;
803 end:
804 if (bed != NULL)
805 DetectByteExtractFree(NULL, bed);
806 return result;
807}
808
809static int DetectByteExtractTest19(void)
810{
811 int result = 0;
812
813 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
814 "relative, little, "
815 "multiplier 2, "
816 "little");
817 if (bed != NULL)
818 goto end;
819
820 result = 1;
821 end:
822 if (bed != NULL)
823 DetectByteExtractFree(NULL, bed);
824 return result;
825}
826
827static int DetectByteExtractTest20(void)
828{
829 int result = 0;
830
831 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
832 "relative, "
833 "multiplier 2, "
834 "align 2");
835 if (bed != NULL)
836 goto end;
837
838 result = 1;
839 end:
840 if (bed != NULL)
841 DetectByteExtractFree(NULL, bed);
842 return result;
843}
844
845static int DetectByteExtractTest21(void)
846{
847 int result = 0;
848
849 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
850 "multiplier 2, "
851 "relative, "
852 "multiplier 2");
853 if (bed != NULL)
854 goto end;
855
856 result = 1;
857 end:
858 if (bed != NULL)
859 DetectByteExtractFree(NULL, bed);
860 return result;
861}
862
863static int DetectByteExtractTest22(void)
864{
865 int result = 0;
866
867 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
868 "string hex, "
869 "relative, "
870 "string hex");
871 if (bed != NULL)
872 goto end;
873
874 result = 1;
875 end:
876 if (bed != NULL)
877 DetectByteExtractFree(NULL, bed);
878 return result;
879}
880
881static int DetectByteExtractTest23(void)
882{
883 int result = 0;
884
885 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
886 "string hex, "
887 "relative, "
888 "string oct");
889 if (bed != NULL)
890 goto end;
891
892 result = 1;
893 end:
894 if (bed != NULL)
895 DetectByteExtractFree(NULL, bed);
896 return result;
897}
898
899static int DetectByteExtractTest24(void)
900{
901 int result = 0;
902
903 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
904 "string hex, "
905 "relative");
906 if (bed != NULL)
907 goto end;
908
909 result = 1;
910 end:
911 if (bed != NULL)
912 DetectByteExtractFree(NULL, bed);
913 return result;
914}
915
916static int DetectByteExtractTest25(void)
917{
918 int result = 0;
919
920 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
921 "little, "
922 "relative");
923 if (bed != NULL)
924 goto end;
925
926 result = 1;
927 end:
928 if (bed != NULL)
929 DetectByteExtractFree(NULL, bed);
930 return result;
931}
932
933static int DetectByteExtractTest26(void)
934{
935 int result = 0;
936
937 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
938 "little, "
939 "relative, "
940 "multiplier 65536");
941 if (bed != NULL)
942 goto end;
943
944 result = 1;
945 end:
946 if (bed != NULL)
947 DetectByteExtractFree(NULL, bed);
948 return result;
949}
950
951static int DetectByteExtractTest27(void)
952{
953 int result = 0;
954
955 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
956 "little, "
957 "relative, "
958 "multiplier 0");
959 if (bed != NULL)
960 goto end;
961
962 result = 1;
963 end:
964 if (bed != NULL)
965 DetectByteExtractFree(NULL, bed);
966 return result;
967}
968
969static int DetectByteExtractTest28(void)
970{
971 int result = 0;
972
973 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
974 if (bed == NULL)
975 goto end;
976
977 result = 1;
978 end:
979 if (bed != NULL)
980 DetectByteExtractFree(NULL, bed);
981 return result;
982}
983
984static int DetectByteExtractTest29(void)
985{
986 int result = 0;
987
988 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
989 if (bed != NULL)
990 goto end;
991
992 result = 1;
993 end:
994 if (bed != NULL)
995 DetectByteExtractFree(NULL, bed);
996 return result;
997}
998
999static int DetectByteExtractTest30(void)
1000{
1001 int result = 0;
1002
1003 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
1004 if (bed == NULL)
1005 goto end;
1006
1007 result = 1;
1008 end:
1009 if (bed != NULL)
1010 DetectByteExtractFree(NULL, bed);
1011 return result;
1012}
1013
1014static int DetectByteExtractTest31(void)
1015{
1016 int result = 0;
1017
1018 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
1019 if (bed != NULL)
1020 goto end;
1021
1022 result = 1;
1023 end:
1024 if (bed != NULL)
1025 DetectByteExtractFree(NULL, bed);
1026 return result;
1027}
1028
1029static int DetectByteExtractTest32(void)
1030{
1031 int result = 0;
1032
1033 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
1034 if (bed == NULL)
1035 goto end;
1036
1037 result = 1;
1038 end:
1039 if (bed != NULL)
1040 DetectByteExtractFree(NULL, bed);
1041 return result;
1042}
1043
1044static int DetectByteExtractTest33(void)
1045{
1046 int result = 0;
1047
1048 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
1049 if (bed != NULL)
1050 goto end;
1051
1052 result = 1;
1053 end:
1054 if (bed != NULL)
1055 DetectByteExtractFree(NULL, bed);
1056 return result;
1057}
1058
1059static int DetectByteExtractTest34(void)
1060{
1061 DetectEngineCtx *de_ctx = NULL;
1062 int result = 0;
1063 Signature *s = NULL;
1064 SigMatch *sm = NULL;
1065 DetectContentData *cd = NULL;
1066 SCDetectByteExtractData *bed = NULL;
1067
1068 de_ctx = DetectEngineCtxInit();
1069 if (de_ctx == NULL)
1070 goto end;
1071
1072 de_ctx->flags |= DE_QUIET;
1073 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1074 "(msg:\"Testing bytejump_body\"; "
1075 "content:\"one\"; "
1076 "byte_extract:4,2,two,relative,string,hex; "
1077 "sid:1;)");
1078 if (de_ctx->sig_list == NULL) {
1079 result = 0;
1080 goto end;
1081 }
1082
1083 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1084 result = 0;
1085 goto end;
1086 }
1087
1088 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1089 if (sm->type != DETECT_CONTENT) {
1090 result = 0;
1091 goto end;
1092 }
1093 cd = (DetectContentData *)sm->ctx;
1094 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1095 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1096 cd->flags & DETECT_CONTENT_NOCASE ||
1097 cd->flags & DETECT_CONTENT_WITHIN ||
1098 cd->flags & DETECT_CONTENT_DISTANCE ||
1099 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1100 !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1101 cd->flags & DETECT_CONTENT_NEGATED ) {
1102 printf("one failed\n");
1103 result = 0;
1104 goto end;
1105 }
1106
1107 sm = sm->next;
1108 if (sm->type != DETECT_BYTE_EXTRACT) {
1109 result = 0;
1110 goto end;
1111 }
1112 bed = (SCDetectByteExtractData *)sm->ctx;
1113 if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", cd->content_len) != 0 ||
1114 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1115 DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1116 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1117 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1118 goto end;
1119 }
1120
1121 result = 1;
1122
1123 end:
1124 SigGroupCleanup(de_ctx);
1125 SigCleanSignatures(de_ctx);
1126 DetectEngineCtxFree(de_ctx);
1127
1128 return result;
1129}
1130
1131static int DetectByteExtractTest35(void)
1132{
1133 DetectEngineCtx *de_ctx = NULL;
1134 int result = 0;
1135 Signature *s = NULL;
1136 SigMatch *sm = NULL;
1137 DetectContentData *cd = NULL;
1138 DetectPcreData *pd = NULL;
1139 SCDetectByteExtractData *bed = NULL;
1140
1141 de_ctx = DetectEngineCtxInit();
1142 if (de_ctx == NULL)
1143 goto end;
1144
1145 de_ctx->flags |= DE_QUIET;
1146 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1147 "(msg:\"Testing bytejump_body\"; "
1148 "content:\"one\"; pcre:/asf/; "
1149 "byte_extract:4,0,two,relative,string,hex; "
1150 "sid:1;)");
1151 if (de_ctx->sig_list == NULL) {
1152 result = 0;
1153 goto end;
1154 }
1155
1156 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1157 result = 0;
1158 goto end;
1159 }
1160
1161 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1162 if (sm->type != DETECT_CONTENT) {
1163 result = 0;
1164 goto end;
1165 }
1166 cd = (DetectContentData *)sm->ctx;
1167 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1168 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1169 cd->flags & DETECT_CONTENT_NOCASE ||
1170 cd->flags & DETECT_CONTENT_WITHIN ||
1171 cd->flags & DETECT_CONTENT_DISTANCE ||
1172 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1173 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1174 cd->flags & DETECT_CONTENT_NEGATED ) {
1175 printf("one failed\n");
1176 result = 0;
1177 goto end;
1178 }
1179
1180 sm = sm->next;
1181 if (sm->type != DETECT_PCRE) {
1182 result = 0;
1183 goto end;
1184 }
1185 pd = (DetectPcreData *)sm->ctx;
1186 if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
1187 result = 0;
1188 goto end;
1189 }
1190
1191 sm = sm->next;
1192 if (sm->type != DETECT_BYTE_EXTRACT) {
1193 result = 0;
1194 goto end;
1195 }
1196 bed = (SCDetectByteExtractData *)sm->ctx;
1197 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1198 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1199 DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1200 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1201 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1202 goto end;
1203 }
1204
1205 result = 1;
1206
1207 end:
1208 SigGroupCleanup(de_ctx);
1209 SigCleanSignatures(de_ctx);
1210 DetectEngineCtxFree(de_ctx);
1211
1212 return result;
1213}
1214
1215static int DetectByteExtractTest36(void)
1216{
1217 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1218 FAIL_IF_NULL(de_ctx);
1219 de_ctx->flags |= DE_QUIET;
1220
1221 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
1222 "content:\"one\"; byte_jump:1,13; "
1223 "byte_extract:4,0,two,relative,string,hex; "
1224 "sid:1;)");
1225 FAIL_IF_NULL(s);
1226 FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
1227
1228 SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1229 FAIL_IF(sm->type != DETECT_CONTENT);
1230 DetectContentData *cd = (DetectContentData *)sm->ctx;
1231 FAIL_IF(cd->flags & DETECT_CONTENT_RAWBYTES);
1232 FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
1233 FAIL_IF(cd->flags & DETECT_CONTENT_NOCASE);
1234 FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
1235 FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
1236 FAIL_IF(cd->flags & DETECT_CONTENT_FAST_PATTERN);
1237 FAIL_IF(cd->flags & DETECT_CONTENT_RELATIVE_NEXT);
1238 FAIL_IF(cd->flags & DETECT_CONTENT_NEGATED);
1239
1240 sm = sm->next;
1241 FAIL_IF(sm->type != DETECT_BYTEJUMP);
1242 DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
1243 FAIL_IF(bjd->flags != 0);
1244 sm = sm->next;
1245 FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
1246 SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
1247 FAIL_IF(bed->nbytes != 4);
1248 FAIL_IF(bed->offset != 0);
1249 FAIL_IF(strcmp(bed->name, "two") != 0);
1250 FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1251 DETECT_BYTE_EXTRACT_FLAG_STRING));
1252 FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
1253 FAIL_IF(bed->align_value != 0);
1254 FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
1255
1256 DetectEngineCtxFree(de_ctx);
1257 PASS;
1258}
1259
1260static int DetectByteExtractTest37(void)
1261{
1262 DetectEngineCtx *de_ctx = NULL;
1263 int result = 0;
1264 Signature *s = NULL;
1265 SigMatch *sm = NULL;
1266 DetectContentData *cd = NULL;
1267 DetectContentData *ud = NULL;
1268 SCDetectByteExtractData *bed = NULL;
1269
1270 de_ctx = DetectEngineCtxInit();
1271 if (de_ctx == NULL)
1272 goto end;
1273
1274 de_ctx->flags |= DE_QUIET;
1275 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1276 "(msg:\"Testing bytejump_body\"; "
1277 "content:\"one\"; uricontent:\"two\"; "
1278 "byte_extract:4,0,two,relative,string,hex; "
1279 "sid:1;)");
1280 if (de_ctx->sig_list == NULL) {
1281 result = 0;
1282 goto end;
1283 }
1284
1285 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1286 result = 0;
1287 goto end;
1288 }
1289
1290 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1291 if (sm->type != DETECT_CONTENT) {
1292 result = 0;
1293 goto end;
1294 }
1295 cd = (DetectContentData *)sm->ctx;
1296 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1297 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1298 cd->flags & DETECT_CONTENT_NOCASE ||
1299 cd->flags & DETECT_CONTENT_WITHIN ||
1300 cd->flags & DETECT_CONTENT_DISTANCE ||
1301 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1302 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1303 cd->flags & DETECT_CONTENT_NEGATED ) {
1304 printf("one failed\n");
1305 result = 0;
1306 goto end;
1307 }
1308
1309 if (sm->next != NULL) {
1310 result = 0;
1311 goto end;
1312 }
1313
1314 sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1315 if (sm->type != DETECT_CONTENT) {
1316 result = 0;
1317 goto end;
1318 }
1319 ud = (DetectContentData *)sm->ctx;
1320 if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1321 strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1322 ud->flags & DETECT_CONTENT_NOCASE ||
1323 ud->flags & DETECT_CONTENT_WITHIN ||
1324 ud->flags & DETECT_CONTENT_DISTANCE ||
1325 ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1326 !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1327 ud->flags & DETECT_CONTENT_NEGATED ) {
1328 printf("two failed\n");
1329 result = 0;
1330 goto end;
1331 }
1332
1333 sm = sm->next;
1334 if (sm->type != DETECT_BYTE_EXTRACT) {
1335 result = 0;
1336 goto end;
1337 }
1338 bed = (SCDetectByteExtractData *)sm->ctx;
1339 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1340 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1341 DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1342 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1343 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1344 goto end;
1345 }
1346
1347 result = 1;
1348
1349 end:
1350 SigGroupCleanup(de_ctx);
1351 SigCleanSignatures(de_ctx);
1352 DetectEngineCtxFree(de_ctx);
1353
1354 return result;
1355}
1356
1357static int DetectByteExtractTest38(void)
1358{
1359 DetectEngineCtx *de_ctx = NULL;
1360 int result = 0;
1361 Signature *s = NULL;
1362 SigMatch *sm = NULL;
1363 DetectContentData *cd = NULL;
1364 DetectContentData *ud = NULL;
1365 SCDetectByteExtractData *bed = NULL;
1366
1367 de_ctx = DetectEngineCtxInit();
1368 if (de_ctx == NULL)
1369 goto end;
1370
1371 de_ctx->flags |= DE_QUIET;
1372 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1373 "(msg:\"Testing bytejump_body\"; "
1374 "content:\"one\"; uricontent:\"two\"; "
1375 "byte_extract:4,0,two,string,hex; "
1376 "sid:1;)");
1377 if (de_ctx->sig_list == NULL) {
1378 result = 0;
1379 goto end;
1380 }
1381
1382 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1383 result = 0;
1384 goto end;
1385 }
1386
1387 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1388 if (sm->type != DETECT_CONTENT) {
1389 result = 0;
1390 goto end;
1391 }
1392 cd = (DetectContentData *)sm->ctx;
1393 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1394 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1395 cd->flags & DETECT_CONTENT_NOCASE ||
1396 cd->flags & DETECT_CONTENT_WITHIN ||
1397 cd->flags & DETECT_CONTENT_DISTANCE ||
1398 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1399 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1400 cd->flags & DETECT_CONTENT_NEGATED ) {
1401 printf("one failed\n");
1402 result = 0;
1403 goto end;
1404 }
1405
1406 sm = sm->next;
1407 if (sm->type != DETECT_BYTE_EXTRACT) {
1408 result = 0;
1409 goto end;
1410 }
1411 bed = (SCDetectByteExtractData *)sm->ctx;
1412 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1413 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1414 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1415 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1416 goto end;
1417 }
1418
1419 sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1420 if (sm->type != DETECT_CONTENT) {
1421 result = 0;
1422 goto end;
1423 }
1424 ud = (DetectContentData *)sm->ctx;
1425 if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1426 strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1427 ud->flags & DETECT_CONTENT_NOCASE ||
1428 ud->flags & DETECT_CONTENT_WITHIN ||
1429 ud->flags & DETECT_CONTENT_DISTANCE ||
1430 ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1431 ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1432 ud->flags & DETECT_CONTENT_NEGATED ) {
1433 printf("two failed\n");
1434 result = 0;
1435 goto end;
1436 }
1437
1438 if (sm->next != NULL) {
1439 result = 0;
1440 goto end;
1441 }
1442
1443 result = 1;
1444
1445 end:
1446 SigGroupCleanup(de_ctx);
1447 SigCleanSignatures(de_ctx);
1448 DetectEngineCtxFree(de_ctx);
1449
1450 return result;
1451}
1452
1453static int DetectByteExtractTest39(void)
1454{
1455 DetectEngineCtx *de_ctx = NULL;
1456 int result = 0;
1457 Signature *s = NULL;
1458 SigMatch *sm = NULL;
1459 DetectContentData *cd = NULL;
1460 DetectContentData *ud = NULL;
1461 SCDetectByteExtractData *bed = NULL;
1462
1463 de_ctx = DetectEngineCtxInit();
1464 if (de_ctx == NULL)
1465 goto end;
1466
1467 de_ctx->flags |= DE_QUIET;
1468 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1469 "(msg:\"Testing bytejump_body\"; "
1470 "content:\"one\"; content:\"two\"; http_uri; "
1471 "byte_extract:4,0,two,relative,string,hex; "
1472 "sid:1;)");
1473 if (de_ctx->sig_list == NULL) {
1474 result = 0;
1475 goto end;
1476 }
1477
1478 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1479 result = 0;
1480 goto end;
1481 }
1482
1483 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1484 if (sm->type != DETECT_CONTENT) {
1485 result = 0;
1486 goto end;
1487 }
1488 cd = (DetectContentData *)sm->ctx;
1489 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1490 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1491 cd->flags & DETECT_CONTENT_NOCASE ||
1492 cd->flags & DETECT_CONTENT_WITHIN ||
1493 cd->flags & DETECT_CONTENT_DISTANCE ||
1494 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1495 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1496 cd->flags & DETECT_CONTENT_NEGATED ) {
1497 printf("one failed\n");
1498 result = 0;
1499 goto end;
1500 }
1501
1502 if (sm->next != NULL) {
1503 result = 0;
1504 goto end;
1505 }
1506
1507 sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1508 if (sm->type != DETECT_CONTENT) {
1509 result = 0;
1510 goto end;
1511 }
1512 ud = (DetectContentData *)sm->ctx;
1513 if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1514 strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1515 ud->flags & DETECT_CONTENT_NOCASE ||
1516 ud->flags & DETECT_CONTENT_WITHIN ||
1517 ud->flags & DETECT_CONTENT_DISTANCE ||
1518 ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1519 !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1520 ud->flags & DETECT_CONTENT_NEGATED ) {
1521 printf("two failed\n");
1522 result = 0;
1523 goto end;
1524 }
1525
1526 sm = sm->next;
1527 if (sm->type != DETECT_BYTE_EXTRACT) {
1528 result = 0;
1529 goto end;
1530 }
1531 bed = (SCDetectByteExtractData *)sm->ctx;
1532 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1533 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1534 DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1535 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1536 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1537 goto end;
1538 }
1539
1540 result = 1;
1541
1542 end:
1543 SigGroupCleanup(de_ctx);
1544 SigCleanSignatures(de_ctx);
1545 DetectEngineCtxFree(de_ctx);
1546
1547 return result;
1548}
1549
1550static int DetectByteExtractTest40(void)
1551{
1552 DetectEngineCtx *de_ctx = NULL;
1553 int result = 0;
1554 Signature *s = NULL;
1555 SigMatch *sm = NULL;
1556 DetectContentData *cd = NULL;
1557 DetectContentData *ud = NULL;
1558 SCDetectByteExtractData *bed = NULL;
1559
1560 de_ctx = DetectEngineCtxInit();
1561 if (de_ctx == NULL)
1562 goto end;
1563
1564 de_ctx->flags |= DE_QUIET;
1565 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1566 "(msg:\"Testing bytejump_body\"; "
1567 "content:\"one\"; content:\"two\"; http_uri; "
1568 "byte_extract:4,0,two,string,hex; "
1569 "sid:1;)");
1570 if (de_ctx->sig_list == NULL) {
1571 result = 0;
1572 goto end;
1573 }
1574
1575 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1576 result = 0;
1577 goto end;
1578 }
1579
1580 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1581 if (sm->type != DETECT_CONTENT) {
1582 result = 0;
1583 goto end;
1584 }
1585 cd = (DetectContentData *)sm->ctx;
1586 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1587 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1588 cd->flags & DETECT_CONTENT_NOCASE ||
1589 cd->flags & DETECT_CONTENT_WITHIN ||
1590 cd->flags & DETECT_CONTENT_DISTANCE ||
1591 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1592 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1593 cd->flags & DETECT_CONTENT_NEGATED ) {
1594 printf("one failed\n");
1595 result = 0;
1596 goto end;
1597 }
1598
1599 sm = sm->next;
1600 if (sm->type != DETECT_BYTE_EXTRACT) {
1601 result = 0;
1602 goto end;
1603 }
1604 bed = (SCDetectByteExtractData *)sm->ctx;
1605 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1606 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1607 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1608 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1609 goto end;
1610 }
1611
1612 sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1613 if (sm->type != DETECT_CONTENT) {
1614 result = 0;
1615 goto end;
1616 }
1617 ud = (DetectContentData *)sm->ctx;
1618 if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1619 strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
1620 ud->flags & DETECT_CONTENT_NOCASE ||
1621 ud->flags & DETECT_CONTENT_WITHIN ||
1622 ud->flags & DETECT_CONTENT_DISTANCE ||
1623 ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1624 ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1625 ud->flags & DETECT_CONTENT_NEGATED ) {
1626 printf("two failed\n");
1627 result = 0;
1628 goto end;
1629 }
1630
1631 if (sm->next != NULL) {
1632 result = 0;
1633 goto end;
1634 }
1635
1636 result = 1;
1637
1638 end:
1639 SigGroupCleanup(de_ctx);
1640 SigCleanSignatures(de_ctx);
1641 DetectEngineCtxFree(de_ctx);
1642
1643 return result;
1644}
1645
1646static int DetectByteExtractTest41(void)
1647{
1648 DetectEngineCtx *de_ctx = NULL;
1649 int result = 0;
1650 Signature *s = NULL;
1651 SigMatch *sm = NULL;
1652 DetectContentData *cd = NULL;
1653 SCDetectByteExtractData *bed = NULL;
1654
1655 de_ctx = DetectEngineCtxInit();
1656 if (de_ctx == NULL)
1657 goto end;
1658
1659 de_ctx->flags |= DE_QUIET;
1660 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1661 "(msg:\"Testing bytejump_body\"; "
1662 "content:\"one\"; "
1663 "byte_extract:4,0,two,string,hex; "
1664 "byte_extract:4,0,three,string,hex; "
1665 "sid:1;)");
1666 if (de_ctx->sig_list == NULL) {
1667 result = 0;
1668 goto end;
1669 }
1670
1671 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1672 result = 0;
1673 goto end;
1674 }
1675
1676 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1677 if (sm->type != DETECT_CONTENT) {
1678 result = 0;
1679 goto end;
1680 }
1681 cd = (DetectContentData *)sm->ctx;
1682 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1683 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1684 cd->flags & DETECT_CONTENT_NOCASE ||
1685 cd->flags & DETECT_CONTENT_WITHIN ||
1686 cd->flags & DETECT_CONTENT_DISTANCE ||
1687 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1688 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1689 cd->flags & DETECT_CONTENT_NEGATED ) {
1690 printf("one failed\n");
1691 result = 0;
1692 goto end;
1693 }
1694
1695 sm = sm->next;
1696 if (sm->type != DETECT_BYTE_EXTRACT) {
1697 result = 0;
1698 goto end;
1699 }
1700 bed = (SCDetectByteExtractData *)sm->ctx;
1701 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1702 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1703 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1704 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1705 goto end;
1706 }
1707 if (bed->local_id != 0) {
1708 result = 0;
1709 goto end;
1710 }
1711
1712 sm = sm->next;
1713 if (sm->type != DETECT_BYTE_EXTRACT) {
1714 result = 0;
1715 goto end;
1716 }
1717 bed = (SCDetectByteExtractData *)sm->ctx;
1718 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "three") != 0 ||
1719 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1720 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1721 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1722 goto end;
1723 }
1724 if (bed->local_id != 1) {
1725 result = 0;
1726 goto end;
1727 }
1728
1729 result = 1;
1730
1731 end:
1732 SigGroupCleanup(de_ctx);
1733 SigCleanSignatures(de_ctx);
1734 DetectEngineCtxFree(de_ctx);
1735
1736 return result;
1737}
1738
1739static int DetectByteExtractTest42(void)
1740{
1741 DetectEngineCtx *de_ctx = NULL;
1742 int result = 0;
1743 Signature *s = NULL;
1744 SigMatch *sm = NULL;
1745 DetectContentData *cd = NULL;
1746 DetectContentData *ud = NULL;
1747 SCDetectByteExtractData *bed = NULL;
1748
1749 de_ctx = DetectEngineCtxInit();
1750 if (de_ctx == NULL)
1751 goto end;
1752
1753 de_ctx->flags |= DE_QUIET;
1754 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1755 "(msg:\"Testing bytejump_body\"; "
1756 "content:\"one\"; "
1757 "byte_extract:4,0,two,string,hex; "
1758 "uricontent: \"three\"; "
1759 "byte_extract:4,0,four,string,hex,relative; "
1760 "byte_extract:4,0,five,string,hex; "
1761 "sid:1;)");
1762 if (de_ctx->sig_list == NULL) {
1763 result = 0;
1764 goto end;
1765 }
1766
1767 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1768 result = 0;
1769 goto end;
1770 }
1771
1772 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1773 if (sm->type != DETECT_CONTENT) {
1774 result = 0;
1775 goto end;
1776 }
1777 cd = (DetectContentData *)sm->ctx;
1778 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1779 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1780 cd->flags & DETECT_CONTENT_NOCASE ||
1781 cd->flags & DETECT_CONTENT_WITHIN ||
1782 cd->flags & DETECT_CONTENT_DISTANCE ||
1783 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1784 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1785 cd->flags & DETECT_CONTENT_NEGATED ) {
1786 printf("one failed\n");
1787 result = 0;
1788 goto end;
1789 }
1790
1791 sm = sm->next;
1792 if (sm->type != DETECT_BYTE_EXTRACT) {
1793 result = 0;
1794 goto end;
1795 }
1796 bed = (SCDetectByteExtractData *)sm->ctx;
1797 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1798 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1799 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1800 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1801 goto end;
1802 }
1803 if (bed->local_id != 0) {
1804 result = 0;
1805 goto end;
1806 }
1807
1808 sm = sm->next;
1809 if (sm->type != DETECT_BYTE_EXTRACT) {
1810 result = 0;
1811 goto end;
1812 }
1813 bed = (SCDetectByteExtractData *)sm->ctx;
1814 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "five") != 0 ||
1815 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
1816 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1817 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1818 goto end;
1819 }
1820 if (bed->local_id != 1) {
1821 result = 0;
1822 goto end;
1823 }
1824
1825 if (sm->next != NULL)
1826 goto end;
1827
1828 sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
1829 if (sm->type != DETECT_CONTENT) {
1830 result = 0;
1831 goto end;
1832 }
1833 ud = (DetectContentData *)sm->ctx;
1834 if (ud->flags & DETECT_CONTENT_RAWBYTES ||
1835 strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
1836 ud->flags & DETECT_CONTENT_NOCASE ||
1837 ud->flags & DETECT_CONTENT_WITHIN ||
1838 ud->flags & DETECT_CONTENT_DISTANCE ||
1839 ud->flags & DETECT_CONTENT_FAST_PATTERN ||
1840 !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
1841 ud->flags & DETECT_CONTENT_NEGATED ) {
1842 printf("two failed\n");
1843 result = 0;
1844 goto end;
1845 }
1846
1847 sm = sm->next;
1848 if (sm->type != DETECT_BYTE_EXTRACT) {
1849 result = 0;
1850 goto end;
1851 }
1852 bed = (SCDetectByteExtractData *)sm->ctx;
1853 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "four") != 0 ||
1854 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
1855 DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1856 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1857 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1858 goto end;
1859 }
1860 if (bed->local_id != 0) {
1861 result = 0;
1862 goto end;
1863 }
1864
1865 if (sm->next != NULL)
1866 goto end;
1867
1868 result = 1;
1869
1870 end:
1871 SigGroupCleanup(de_ctx);
1872 SigCleanSignatures(de_ctx);
1873 DetectEngineCtxFree(de_ctx);
1874
1875 return result;
1876}
1877
1878static int DetectByteExtractTest43(void)
1879{
1880 DetectEngineCtx *de_ctx = NULL;
1881 int result = 0;
1882 Signature *s = NULL;
1883 SigMatch *sm = NULL;
1884 DetectContentData *cd = NULL;
1885 SCDetectByteExtractData *bed = NULL;
1886
1887 de_ctx = DetectEngineCtxInit();
1888 if (de_ctx == NULL)
1889 goto end;
1890
1891 de_ctx->flags |= DE_QUIET;
1892 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1893 "(msg:\"Testing bytejump_body\"; "
1894 "content:\"one\"; "
1895 "byte_extract:4,0,two,string,hex; "
1896 "content: \"three\"; offset:two; "
1897 "sid:1;)");
1898 if (de_ctx->sig_list == NULL) {
1899 result = 0;
1900 goto end;
1901 }
1902
1903 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
1904 result = 0;
1905 goto end;
1906 }
1907
1908 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
1909 if (sm->type != DETECT_CONTENT) {
1910 result = 0;
1911 goto end;
1912 }
1913 cd = (DetectContentData *)sm->ctx;
1914 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
1915 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
1916 cd->flags & DETECT_CONTENT_NOCASE ||
1917 cd->flags & DETECT_CONTENT_WITHIN ||
1918 cd->flags & DETECT_CONTENT_DISTANCE ||
1919 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
1920 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
1921 cd->flags & DETECT_CONTENT_NEGATED ) {
1922 printf("one failed\n");
1923 result = 0;
1924 goto end;
1925 }
1926
1927 sm = sm->next;
1928 if (sm->type != DETECT_BYTE_EXTRACT) {
1929 result = 0;
1930 goto end;
1931 }
1932 bed = (SCDetectByteExtractData *)sm->ctx;
1933 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
1934 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
1935 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
1936 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
1937 goto end;
1938 }
1939 if (bed->local_id != 0) {
1940 result = 0;
1941 goto end;
1942 }
1943
1944 sm = sm->next;
1945 if (sm->type != DETECT_CONTENT) {
1946 result = 0;
1947 goto end;
1948 }
1949 cd = (DetectContentData *)sm->ctx;
1950 if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
1951 cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET | DETECT_CONTENT_MPM) ||
1952 cd->offset != bed->local_id) {
1953 printf("three failed\n");
1954 result = 0;
1955 goto end;
1956 }
1957
1958 if (sm->next != NULL)
1959 goto end;
1960
1961 result = 1;
1962
1963 end:
1964 SigGroupCleanup(de_ctx);
1965 SigCleanSignatures(de_ctx);
1966 DetectEngineCtxFree(de_ctx);
1967
1968 return result;
1969}
1970
1971static int DetectByteExtractTest44(void)
1972{
1973 DetectEngineCtx *de_ctx = NULL;
1974 int result = 0;
1975 Signature *s = NULL;
1976 SigMatch *sm = NULL;
1977 DetectContentData *cd = NULL;
1978 SCDetectByteExtractData *bed1 = NULL;
1979 SCDetectByteExtractData *bed2 = NULL;
1980
1981 de_ctx = DetectEngineCtxInit();
1982 if (de_ctx == NULL)
1983 goto end;
1984
1985 de_ctx->flags |= DE_QUIET;
1986 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
1987 "(msg:\"Testing bytejump_body\"; "
1988 "content:\"one\"; "
1989 "byte_extract:4,0,two,string,hex; "
1990 "byte_extract:4,0,three,string,hex; "
1991 "content: \"four\"; offset:two; "
1992 "content: \"five\"; offset:three; "
1993 "sid:1;)");
1994 if (de_ctx->sig_list == NULL) {
1995 result = 0;
1996 goto end;
1997 }
1998
1999 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2000 result = 0;
2001 goto end;
2002 }
2003
2004 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2005 if (sm->type != DETECT_CONTENT) {
2006 result = 0;
2007 goto end;
2008 }
2009 cd = (DetectContentData *)sm->ctx;
2010 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2011 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2012 cd->flags & DETECT_CONTENT_NOCASE ||
2013 cd->flags & DETECT_CONTENT_WITHIN ||
2014 cd->flags & DETECT_CONTENT_DISTANCE ||
2015 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2016 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2017 cd->flags & DETECT_CONTENT_NEGATED ) {
2018 printf("one failed\n");
2019 result = 0;
2020 goto end;
2021 }
2022
2023 sm = sm->next;
2024 if (sm->type != DETECT_BYTE_EXTRACT) {
2025 result = 0;
2026 goto end;
2027 }
2028 bed1 = (SCDetectByteExtractData *)sm->ctx;
2029 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2030 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2031 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2032 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2033 goto end;
2034 }
2035 if (bed1->local_id != 0) {
2036 result = 0;
2037 goto end;
2038 }
2039
2040 sm = sm->next;
2041 if (sm->type != DETECT_BYTE_EXTRACT) {
2042 result = 0;
2043 goto end;
2044 }
2045 bed2 = (SCDetectByteExtractData *)sm->ctx;
2046
2047 sm = sm->next;
2048 if (sm->type != DETECT_CONTENT) {
2049 result = 0;
2050 goto end;
2051 }
2052 cd = (DetectContentData *)sm->ctx;
2053 if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2054 cd->flags != (DETECT_CONTENT_OFFSET_VAR | DETECT_CONTENT_OFFSET | DETECT_CONTENT_MPM) ||
2055 cd->offset != bed1->local_id) {
2056 printf("four failed\n");
2057 result = 0;
2058 goto end;
2059 }
2060
2061 sm = sm->next;
2062 if (sm->type != DETECT_CONTENT) {
2063 result = 0;
2064 goto end;
2065 }
2066 cd = (DetectContentData *)sm->ctx;
2067 if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2068 cd->flags != (DETECT_CONTENT_OFFSET_VAR |
2069 DETECT_CONTENT_OFFSET) ||
2070 cd->offset != bed2->local_id) {
2071 printf("five failed\n");
2072 result = 0;
2073 goto end;
2074 }
2075
2076 if (sm->next != NULL)
2077 goto end;
2078
2079 result = 1;
2080
2081 end:
2082 SigGroupCleanup(de_ctx);
2083 SigCleanSignatures(de_ctx);
2084 DetectEngineCtxFree(de_ctx);
2085
2086 return result;
2087}
2088
2089static int DetectByteExtractTest45(void)
2090{
2091 DetectEngineCtx *de_ctx = NULL;
2092 int result = 0;
2093 Signature *s = NULL;
2094 SigMatch *sm = NULL;
2095 DetectContentData *cd = NULL;
2096 SCDetectByteExtractData *bed = NULL;
2097
2098 de_ctx = DetectEngineCtxInit();
2099 if (de_ctx == NULL)
2100 goto end;
2101
2102 de_ctx->flags |= DE_QUIET;
2103 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2104 "(msg:\"Testing bytejump_body\"; "
2105 "content:\"one\"; "
2106 "byte_extract:4,0,two,string,hex; "
2107 "content: \"three\"; depth:two; "
2108 "sid:1;)");
2109 if (de_ctx->sig_list == NULL) {
2110 result = 0;
2111 goto end;
2112 }
2113
2114 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2115 result = 0;
2116 goto end;
2117 }
2118
2119 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2120 if (sm->type != DETECT_CONTENT) {
2121 result = 0;
2122 goto end;
2123 }
2124 cd = (DetectContentData *)sm->ctx;
2125 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2126 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2127 cd->flags & DETECT_CONTENT_NOCASE ||
2128 cd->flags & DETECT_CONTENT_WITHIN ||
2129 cd->flags & DETECT_CONTENT_DISTANCE ||
2130 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2131 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2132 cd->flags & DETECT_CONTENT_NEGATED ) {
2133 printf("one failed\n");
2134 result = 0;
2135 goto end;
2136 }
2137
2138 sm = sm->next;
2139 if (sm->type != DETECT_BYTE_EXTRACT) {
2140 result = 0;
2141 goto end;
2142 }
2143 bed = (SCDetectByteExtractData *)sm->ctx;
2144 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2145 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2146 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2147 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2148 goto end;
2149 }
2150 if (bed->local_id != 0) {
2151 result = 0;
2152 goto end;
2153 }
2154
2155 sm = sm->next;
2156 if (sm->type != DETECT_CONTENT) {
2157 result = 0;
2158 goto end;
2159 }
2160 cd = (DetectContentData *)sm->ctx;
2161 if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2162 cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH | DETECT_CONTENT_MPM) ||
2163 cd->depth != bed->local_id || cd->offset != 0) {
2164 printf("three failed\n");
2165 result = 0;
2166 goto end;
2167 }
2168
2169 if (sm->next != NULL)
2170 goto end;
2171
2172 result = 1;
2173
2174 end:
2175 SigGroupCleanup(de_ctx);
2176 SigCleanSignatures(de_ctx);
2177 DetectEngineCtxFree(de_ctx);
2178
2179 return result;
2180}
2181
2182static int DetectByteExtractTest46(void)
2183{
2184 DetectEngineCtx *de_ctx = NULL;
2185 int result = 0;
2186 Signature *s = NULL;
2187 SigMatch *sm = NULL;
2188 DetectContentData *cd = NULL;
2189 SCDetectByteExtractData *bed1 = NULL;
2190 SCDetectByteExtractData *bed2 = NULL;
2191
2192 de_ctx = DetectEngineCtxInit();
2193 if (de_ctx == NULL)
2194 goto end;
2195
2196 de_ctx->flags |= DE_QUIET;
2197 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2198 "(msg:\"Testing bytejump_body\"; "
2199 "content:\"one\"; "
2200 "byte_extract:4,0,two,string,hex; "
2201 "byte_extract:4,0,three,string,hex; "
2202 "content: \"four\"; depth:two; "
2203 "content: \"five\"; depth:three; "
2204 "sid:1;)");
2205 if (de_ctx->sig_list == NULL) {
2206 result = 0;
2207 goto end;
2208 }
2209
2210 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2211 result = 0;
2212 goto end;
2213 }
2214
2215 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2216 if (sm->type != DETECT_CONTENT) {
2217 result = 0;
2218 goto end;
2219 }
2220 cd = (DetectContentData *)sm->ctx;
2221 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2222 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2223 cd->flags & DETECT_CONTENT_NOCASE ||
2224 cd->flags & DETECT_CONTENT_WITHIN ||
2225 cd->flags & DETECT_CONTENT_DISTANCE ||
2226 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2227 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2228 cd->flags & DETECT_CONTENT_NEGATED ) {
2229 printf("one failed\n");
2230 result = 0;
2231 goto end;
2232 }
2233
2234 sm = sm->next;
2235 if (sm->type != DETECT_BYTE_EXTRACT) {
2236 result = 0;
2237 goto end;
2238 }
2239 bed1 = (SCDetectByteExtractData *)sm->ctx;
2240 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2241 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2242 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2243 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2244 goto end;
2245 }
2246 if (bed1->local_id != 0) {
2247 result = 0;
2248 goto end;
2249 }
2250
2251 sm = sm->next;
2252 if (sm->type != DETECT_BYTE_EXTRACT) {
2253 result = 0;
2254 goto end;
2255 }
2256 bed2 = (SCDetectByteExtractData *)sm->ctx;
2257
2258 sm = sm->next;
2259 if (sm->type != DETECT_CONTENT) {
2260 result = 0;
2261 goto end;
2262 }
2263 cd = (DetectContentData *)sm->ctx;
2264 if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2265 cd->flags != (DETECT_CONTENT_DEPTH_VAR | DETECT_CONTENT_DEPTH | DETECT_CONTENT_MPM) ||
2266 cd->depth != bed1->local_id) {
2267 printf("four failed\n");
2268 result = 0;
2269 goto end;
2270 }
2271
2272 sm = sm->next;
2273 if (sm->type != DETECT_CONTENT) {
2274 result = 0;
2275 goto end;
2276 }
2277 cd = (DetectContentData *)sm->ctx;
2278 if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2279 cd->flags != (DETECT_CONTENT_DEPTH_VAR |
2280 DETECT_CONTENT_DEPTH) ||
2281 cd->depth != bed2->local_id) {
2282 printf("five failed\n");
2283 result = 0;
2284 goto end;
2285 }
2286
2287 if (sm->next != NULL)
2288 goto end;
2289
2290 result = 1;
2291
2292 end:
2293 SigGroupCleanup(de_ctx);
2294 SigCleanSignatures(de_ctx);
2295 DetectEngineCtxFree(de_ctx);
2296
2297 return result;
2298}
2299
2300static int DetectByteExtractTest47(void)
2301{
2302 DetectEngineCtx *de_ctx = NULL;
2303 int result = 0;
2304 Signature *s = NULL;
2305 SigMatch *sm = NULL;
2306 DetectContentData *cd = NULL;
2307 SCDetectByteExtractData *bed = NULL;
2308
2309 de_ctx = DetectEngineCtxInit();
2310 if (de_ctx == NULL)
2311 goto end;
2312
2313 de_ctx->flags |= DE_QUIET;
2314 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2315 "(msg:\"Testing bytejump_body\"; "
2316 "content:\"one\"; "
2317 "byte_extract:4,0,two,string,hex; "
2318 "content: \"three\"; distance:two; "
2319 "sid:1;)");
2320 if (de_ctx->sig_list == NULL) {
2321 result = 0;
2322 goto end;
2323 }
2324
2325 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2326 result = 0;
2327 goto end;
2328 }
2329
2330 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2331 if (sm->type != DETECT_CONTENT) {
2332 result = 0;
2333 goto end;
2334 }
2335 cd = (DetectContentData *)sm->ctx;
2336 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2337 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2338 cd->flags & DETECT_CONTENT_NOCASE ||
2339 cd->flags & DETECT_CONTENT_WITHIN ||
2340 cd->flags & DETECT_CONTENT_DISTANCE ||
2341 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2342 !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2343 cd->flags & DETECT_CONTENT_NEGATED ) {
2344 printf("one failed\n");
2345 result = 0;
2346 goto end;
2347 }
2348
2349 sm = sm->next;
2350 if (sm->type != DETECT_BYTE_EXTRACT) {
2351 result = 0;
2352 goto end;
2353 }
2354 bed = (SCDetectByteExtractData *)sm->ctx;
2355 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2356 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2357 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2358 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2359 goto end;
2360 }
2361 if (bed->local_id != 0) {
2362 result = 0;
2363 goto end;
2364 }
2365
2366 sm = sm->next;
2367 if (sm->type != DETECT_CONTENT) {
2368 result = 0;
2369 goto end;
2370 }
2371 cd = (DetectContentData *)sm->ctx;
2372 if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2373 cd->flags !=
2374 (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE | DETECT_CONTENT_MPM) ||
2375 cd->distance != bed->local_id || cd->offset != 0 || cd->depth != 0) {
2376 printf("three failed\n");
2377 result = 0;
2378 goto end;
2379 }
2380
2381 if (sm->next != NULL)
2382 goto end;
2383
2384 result = 1;
2385
2386 end:
2387 SigGroupCleanup(de_ctx);
2388 SigCleanSignatures(de_ctx);
2389 DetectEngineCtxFree(de_ctx);
2390
2391 return result;
2392}
2393
2394static int DetectByteExtractTest48(void)
2395{
2396 DetectEngineCtx *de_ctx = NULL;
2397 int result = 0;
2398 Signature *s = NULL;
2399 SigMatch *sm = NULL;
2400 DetectContentData *cd = NULL;
2401 SCDetectByteExtractData *bed1 = NULL;
2402 SCDetectByteExtractData *bed2 = NULL;
2403
2404 de_ctx = DetectEngineCtxInit();
2405 if (de_ctx == NULL)
2406 goto end;
2407
2408 de_ctx->flags |= DE_QUIET;
2409 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2410 "(msg:\"Testing bytejump_body\"; "
2411 "content:\"one\"; "
2412 "byte_extract:4,0,two,string,hex; "
2413 "byte_extract:4,0,three,string,hex; "
2414 "content: \"four\"; distance:two; "
2415 "content: \"five\"; distance:three; "
2416 "sid:1;)");
2417 if (de_ctx->sig_list == NULL) {
2418 result = 0;
2419 goto end;
2420 }
2421
2422 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2423 result = 0;
2424 goto end;
2425 }
2426
2427 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2428 if (sm->type != DETECT_CONTENT) {
2429 result = 0;
2430 goto end;
2431 }
2432 cd = (DetectContentData *)sm->ctx;
2433 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2434 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2435 cd->flags & DETECT_CONTENT_NOCASE ||
2436 cd->flags & DETECT_CONTENT_WITHIN ||
2437 cd->flags & DETECT_CONTENT_DISTANCE ||
2438 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2439 !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2440 cd->flags & DETECT_CONTENT_NEGATED ) {
2441 printf("one failed\n");
2442 result = 0;
2443 goto end;
2444 }
2445
2446 sm = sm->next;
2447 if (sm->type != DETECT_BYTE_EXTRACT) {
2448 result = 0;
2449 goto end;
2450 }
2451 bed1 = (SCDetectByteExtractData *)sm->ctx;
2452 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2453 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2454 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2455 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2456 goto end;
2457 }
2458 if (bed1->local_id != 0) {
2459 result = 0;
2460 goto end;
2461 }
2462
2463 sm = sm->next;
2464 if (sm->type != DETECT_BYTE_EXTRACT) {
2465 result = 0;
2466 goto end;
2467 }
2468 bed2 = (SCDetectByteExtractData *)sm->ctx;
2469
2470 sm = sm->next;
2471 if (sm->type != DETECT_CONTENT) {
2472 result = 0;
2473 goto end;
2474 }
2475 cd = (DetectContentData *)sm->ctx;
2476 if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2477 cd->flags != (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_DISTANCE |
2478 DETECT_CONTENT_DISTANCE_NEXT | DETECT_CONTENT_MPM) ||
2479 cd->distance != bed1->local_id || cd->depth != 0 || cd->offset != 0) {
2480 printf("four failed\n");
2481 result = 0;
2482 goto end;
2483 }
2484
2485 sm = sm->next;
2486 if (sm->type != DETECT_CONTENT) {
2487 result = 0;
2488 goto end;
2489 }
2490 cd = (DetectContentData *)sm->ctx;
2491 if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2492 cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
2493 DETECT_CONTENT_DISTANCE) ||
2494 cd->distance != bed2->local_id ||
2495 cd->depth != 0 ||
2496 cd->offset != 0) {
2497 printf("five failed\n");
2498 result = 0;
2499 goto end;
2500 }
2501
2502 if (sm->next != NULL)
2503 goto end;
2504
2505 result = 1;
2506
2507 end:
2508 SigGroupCleanup(de_ctx);
2509 SigCleanSignatures(de_ctx);
2510 DetectEngineCtxFree(de_ctx);
2511
2512 return result;
2513}
2514
2515static int DetectByteExtractTest49(void)
2516{
2517 DetectEngineCtx *de_ctx = NULL;
2518 int result = 0;
2519 Signature *s = NULL;
2520 SigMatch *sm = NULL;
2521 DetectContentData *cd = NULL;
2522 SCDetectByteExtractData *bed = NULL;
2523
2524 de_ctx = DetectEngineCtxInit();
2525 if (de_ctx == NULL)
2526 goto end;
2527
2528 de_ctx->flags |= DE_QUIET;
2529 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2530 "(msg:\"Testing bytejump_body\"; "
2531 "content:\"one\"; "
2532 "byte_extract:4,0,two,string,hex; "
2533 "content: \"three\"; within:two; "
2534 "sid:1;)");
2535 if (de_ctx->sig_list == NULL) {
2536 result = 0;
2537 goto end;
2538 }
2539
2540 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2541 result = 0;
2542 goto end;
2543 }
2544
2545 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2546 if (sm->type != DETECT_CONTENT) {
2547 result = 0;
2548 goto end;
2549 }
2550 cd = (DetectContentData *)sm->ctx;
2551 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2552 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2553 cd->flags & DETECT_CONTENT_NOCASE ||
2554 cd->flags & DETECT_CONTENT_WITHIN ||
2555 cd->flags & DETECT_CONTENT_DISTANCE ||
2556 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2557 !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2558 cd->flags & DETECT_CONTENT_NEGATED ) {
2559 printf("one failed\n");
2560 result = 0;
2561 goto end;
2562 }
2563
2564 sm = sm->next;
2565 if (sm->type != DETECT_BYTE_EXTRACT) {
2566 result = 0;
2567 goto end;
2568 }
2569 bed = (SCDetectByteExtractData *)sm->ctx;
2570 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2571 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2572 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2573 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2574 goto end;
2575 }
2576 if (bed->local_id != 0) {
2577 result = 0;
2578 goto end;
2579 }
2580
2581 sm = sm->next;
2582 if (sm->type != DETECT_CONTENT) {
2583 result = 0;
2584 goto end;
2585 }
2586 cd = (DetectContentData *)sm->ctx;
2587 if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
2588 cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM) ||
2589 cd->within != bed->local_id || cd->offset != 0 || cd->depth != 0 || cd->distance != 0) {
2590 printf("three failed\n");
2591 result = 0;
2592 goto end;
2593 }
2594
2595 if (sm->next != NULL)
2596 goto end;
2597
2598 result = 1;
2599
2600 end:
2601 SigGroupCleanup(de_ctx);
2602 SigCleanSignatures(de_ctx);
2603 DetectEngineCtxFree(de_ctx);
2604
2605 return result;
2606}
2607
2608static int DetectByteExtractTest50(void)
2609{
2610 DetectEngineCtx *de_ctx = NULL;
2611 int result = 0;
2612 Signature *s = NULL;
2613 SigMatch *sm = NULL;
2614 DetectContentData *cd = NULL;
2615 SCDetectByteExtractData *bed1 = NULL;
2616 SCDetectByteExtractData *bed2 = NULL;
2617
2618 de_ctx = DetectEngineCtxInit();
2619 if (de_ctx == NULL)
2620 goto end;
2621
2622 de_ctx->flags |= DE_QUIET;
2623 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2624 "(msg:\"Testing bytejump_body\"; "
2625 "content:\"one\"; "
2626 "byte_extract:4,0,two,string,hex; "
2627 "byte_extract:4,0,three,string,hex; "
2628 "content: \"four\"; within:two; "
2629 "content: \"five\"; within:three; "
2630 "sid:1;)");
2631 if (de_ctx->sig_list == NULL) {
2632 result = 0;
2633 goto end;
2634 }
2635
2636 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2637 result = 0;
2638 goto end;
2639 }
2640
2641 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2642 if (sm->type != DETECT_CONTENT) {
2643 result = 0;
2644 goto end;
2645 }
2646 cd = (DetectContentData *)sm->ctx;
2647 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2648 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2649 cd->flags & DETECT_CONTENT_NOCASE ||
2650 cd->flags & DETECT_CONTENT_WITHIN ||
2651 cd->flags & DETECT_CONTENT_DISTANCE ||
2652 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2653 !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
2654 cd->flags & DETECT_CONTENT_NEGATED ) {
2655 printf("one failed\n");
2656 result = 0;
2657 goto end;
2658 }
2659
2660 sm = sm->next;
2661 if (sm->type != DETECT_BYTE_EXTRACT) {
2662 result = 0;
2663 goto end;
2664 }
2665 bed1 = (SCDetectByteExtractData *)sm->ctx;
2666 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2667 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2668 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2669 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2670 goto end;
2671 }
2672 if (bed1->local_id != 0) {
2673 result = 0;
2674 goto end;
2675 }
2676
2677 sm = sm->next;
2678 if (sm->type != DETECT_BYTE_EXTRACT) {
2679 result = 0;
2680 goto end;
2681 }
2682 bed2 = (SCDetectByteExtractData *)sm->ctx;
2683
2684 sm = sm->next;
2685 if (sm->type != DETECT_CONTENT) {
2686 result = 0;
2687 goto end;
2688 }
2689 cd = (DetectContentData *)sm->ctx;
2690 if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
2691 cd->flags != (DETECT_CONTENT_WITHIN_VAR | DETECT_CONTENT_WITHIN |
2692 DETECT_CONTENT_WITHIN_NEXT | DETECT_CONTENT_MPM) ||
2693 cd->within != bed1->local_id || cd->depth != 0 || cd->offset != 0 ||
2694 cd->distance != 0) {
2695 printf("four failed\n");
2696 result = 0;
2697 goto end;
2698 }
2699
2700 sm = sm->next;
2701 if (sm->type != DETECT_CONTENT) {
2702 result = 0;
2703 goto end;
2704 }
2705 cd = (DetectContentData *)sm->ctx;
2706 if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
2707 cd->flags != (DETECT_CONTENT_WITHIN_VAR |
2708 DETECT_CONTENT_WITHIN) ||
2709 cd->within != bed2->local_id ||
2710 cd->depth != 0 ||
2711 cd->offset != 0 ||
2712 cd->distance != 0) {
2713 printf("five failed\n");
2714 result = 0;
2715 goto end;
2716 }
2717
2718 if (sm->next != NULL)
2719 goto end;
2720
2721 result = 1;
2722
2723 end:
2724 SigGroupCleanup(de_ctx);
2725 SigCleanSignatures(de_ctx);
2726 DetectEngineCtxFree(de_ctx);
2727
2728 return result;
2729}
2730
2731static int DetectByteExtractTest51(void)
2732{
2733 DetectEngineCtx *de_ctx = NULL;
2734 int result = 0;
2735 Signature *s = NULL;
2736 SigMatch *sm = NULL;
2737 DetectContentData *cd = NULL;
2738 SCDetectByteExtractData *bed = NULL;
2739 DetectBytetestData *btd = NULL;
2740
2741 de_ctx = DetectEngineCtxInit();
2742 if (de_ctx == NULL)
2743 goto end;
2744
2745 de_ctx->flags |= DE_QUIET;
2746 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2747 "(msg:\"Testing bytejump_body\"; "
2748 "content:\"one\"; "
2749 "byte_extract:4,0,two,string,hex; "
2750 "byte_test: 2,=,10, two; "
2751 "sid:1;)");
2752 if (de_ctx->sig_list == NULL) {
2753 result = 0;
2754 goto end;
2755 }
2756
2757 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2758 result = 0;
2759 goto end;
2760 }
2761
2762 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2763 if (sm->type != DETECT_CONTENT) {
2764 result = 0;
2765 goto end;
2766 }
2767 cd = (DetectContentData *)sm->ctx;
2768 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2769 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2770 cd->flags & DETECT_CONTENT_NOCASE ||
2771 cd->flags & DETECT_CONTENT_WITHIN ||
2772 cd->flags & DETECT_CONTENT_DISTANCE ||
2773 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2774 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2775 cd->flags & DETECT_CONTENT_NEGATED ) {
2776 printf("one failed\n");
2777 result = 0;
2778 goto end;
2779 }
2780
2781 sm = sm->next;
2782 if (sm->type != DETECT_BYTE_EXTRACT) {
2783 result = 0;
2784 goto end;
2785 }
2786 bed = (SCDetectByteExtractData *)sm->ctx;
2787 if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
2788 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2789 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
2790 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2791 goto end;
2792 }
2793 if (bed->local_id != 0) {
2794 result = 0;
2795 goto end;
2796 }
2797
2798 sm = sm->next;
2799 if (sm->type != DETECT_BYTETEST) {
2800 result = 0;
2801 goto end;
2802 }
2803 btd = (DetectBytetestData *)sm->ctx;
2804 if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
2805 btd->value != 10 ||
2806 btd->offset != 0) {
2807 printf("three failed\n");
2808 result = 0;
2809 goto end;
2810 }
2811
2812 if (sm->next != NULL)
2813 goto end;
2814
2815 result = 1;
2816
2817 end:
2818 SigGroupCleanup(de_ctx);
2819 SigCleanSignatures(de_ctx);
2820 DetectEngineCtxFree(de_ctx);
2821
2822 return result;
2823}
2824
2825static int DetectByteExtractTest52(void)
2826{
2827 DetectEngineCtx *de_ctx = NULL;
2828 int result = 0;
2829 Signature *s = NULL;
2830 SigMatch *sm = NULL;
2831 DetectContentData *cd = NULL;
2832 SCDetectByteExtractData *bed1 = NULL;
2833 DetectBytetestData *btd = NULL;
2834
2835 de_ctx = DetectEngineCtxInit();
2836 if (de_ctx == NULL)
2837 goto end;
2838
2839 de_ctx->flags |= DE_QUIET;
2840 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
2841 "(msg:\"Testing bytejump_body\"; "
2842 "content:\"one\"; "
2843 "byte_extract:4,0,two,string,hex; "
2844 "byte_extract:4,0,three,string,hex; "
2845 "byte_test: 2,=,two,three; "
2846 "byte_test: 3,=,10,three; "
2847 "sid:1;)");
2848 if (de_ctx->sig_list == NULL) {
2849 result = 0;
2850 goto end;
2851 }
2852
2853 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
2854 result = 0;
2855 goto end;
2856 }
2857
2858 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2859 if (sm->type != DETECT_CONTENT) {
2860 result = 0;
2861 goto end;
2862 }
2863 cd = (DetectContentData *)sm->ctx;
2864 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
2865 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
2866 cd->flags & DETECT_CONTENT_NOCASE ||
2867 cd->flags & DETECT_CONTENT_WITHIN ||
2868 cd->flags & DETECT_CONTENT_DISTANCE ||
2869 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
2870 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
2871 cd->flags & DETECT_CONTENT_NEGATED ) {
2872 printf("one failed\n");
2873 result = 0;
2874 goto end;
2875 }
2876
2877 sm = sm->next;
2878 if (sm->type != DETECT_BYTE_EXTRACT) {
2879 result = 0;
2880 goto end;
2881 }
2882 bed1 = (SCDetectByteExtractData *)sm->ctx;
2883 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
2884 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
2885 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
2886 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
2887 goto end;
2888 }
2889 if (bed1->local_id != 0) {
2890 result = 0;
2891 goto end;
2892 }
2893
2894 sm = sm->next;
2895 if (sm->type != DETECT_BYTE_EXTRACT) {
2896 result = 0;
2897 goto end;
2898 }
2899
2900 sm = sm->next;
2901 if (sm->type != DETECT_BYTETEST) {
2902 result = 0;
2903 goto end;
2904 }
2905 btd = (DetectBytetestData *)sm->ctx;
2906 if (btd->flags != (DETECT_BYTETEST_OFFSET_VAR |
2907 DETECT_BYTETEST_VALUE_VAR) ||
2908 btd->value != 0 ||
2909 btd->offset != 1) {
2910 printf("three failed\n");
2911 result = 0;
2912 goto end;
2913 }
2914
2915 sm = sm->next;
2916 if (sm->type != DETECT_BYTETEST) {
2917 result = 0;
2918 goto end;
2919 }
2920 btd = (DetectBytetestData *)sm->ctx;
2921 if (btd->flags != DETECT_BYTETEST_OFFSET_VAR ||
2922 btd->value != 10 ||
2923 btd->offset != 1) {
2924 printf("four failed\n");
2925 result = 0;
2926 goto end;
2927 }
2928
2929 if (sm->next != NULL)
2930 goto end;
2931
2932 result = 1;
2933
2934 end:
2935 SigGroupCleanup(de_ctx);
2936 SigCleanSignatures(de_ctx);
2937 DetectEngineCtxFree(de_ctx);
2938
2939 return result;
2940}
2941
2942static int DetectByteExtractTest53(void)
2943{
2944 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2945 FAIL_IF_NULL(de_ctx);
2946 de_ctx->flags |= DE_QUIET;
2947
2948 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
2949 "content:\"one\"; "
2950 "byte_extract:4,0,two,string,hex; "
2951 "byte_jump: 2,two; "
2952 "sid:1;)");
2953 FAIL_IF_NULL(s);
2954 FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
2955
2956 SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
2957 FAIL_IF(sm->type != DETECT_CONTENT);
2958 DetectContentData *cd = (DetectContentData *)sm->ctx;
2959 FAIL_IF(cd->flags != (DETECT_CONTENT_MPM | DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED));
2960
2961 sm = sm->next;
2962 FAIL_IF_NULL(sm);
2963 FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
2964 SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
2965
2966 FAIL_IF(bed->nbytes != 4);
2967 FAIL_IF(bed->offset != 0);
2968 FAIL_IF(strcmp(bed->name, "two") != 0);
2969 FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
2970 FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
2971 FAIL_IF(bed->align_value != 0);
2972 FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
2973 FAIL_IF(bed->local_id != 0);
2974
2975 sm = sm->next;
2976 FAIL_IF_NULL(sm);
2977 FAIL_IF(sm->type != DETECT_BYTEJUMP);
2978 DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
2979
2980 FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
2981 FAIL_IF(bjd->offset != 0);
2982
2983 FAIL_IF_NOT_NULL(sm->next);
2984 DetectEngineCtxFree(de_ctx);
2985 PASS;
2986}
2987
2988static int DetectByteExtractTest54(void)
2989{
2990 DetectEngineCtx *de_ctx = NULL;
2991 int result = 0;
2992 Signature *s = NULL;
2993 SigMatch *sm = NULL;
2994 DetectContentData *cd = NULL;
2995 SCDetectByteExtractData *bed1 = NULL;
2996 DetectBytejumpData *bjd = NULL;
2997
2998 de_ctx = DetectEngineCtxInit();
2999 if (de_ctx == NULL)
3000 goto end;
3001
3002 de_ctx->flags |= DE_QUIET;
3003 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3004 "(msg:\"Testing bytejump_body\"; "
3005 "content:\"one\"; "
3006 "byte_extract:4,0,two,string,hex; "
3007 "byte_extract:4,0,three,string,hex; "
3008 "byte_jump: 2,two; "
3009 "byte_jump: 3,three; "
3010 "sid:1;)");
3011 if (de_ctx->sig_list == NULL) {
3012 result = 0;
3013 goto end;
3014 }
3015
3016 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3017 result = 0;
3018 goto end;
3019 }
3020
3021 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3022 if (sm->type != DETECT_CONTENT) {
3023 result = 0;
3024 goto end;
3025 }
3026 cd = (DetectContentData *)sm->ctx;
3027 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3028 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3029 cd->flags & DETECT_CONTENT_NOCASE ||
3030 cd->flags & DETECT_CONTENT_WITHIN ||
3031 cd->flags & DETECT_CONTENT_DISTANCE ||
3032 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3033 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3034 cd->flags & DETECT_CONTENT_NEGATED ) {
3035 printf("one failed\n");
3036 result = 0;
3037 goto end;
3038 }
3039
3040 sm = sm->next;
3041 if (sm->type != DETECT_BYTE_EXTRACT) {
3042 result = 0;
3043 goto end;
3044 }
3045 bed1 = (SCDetectByteExtractData *)sm->ctx;
3046 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3047 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3048 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3049 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3050 goto end;
3051 }
3052 if (bed1->local_id != 0) {
3053 result = 0;
3054 goto end;
3055 }
3056
3057 sm = sm->next;
3058 if (sm->type != DETECT_BYTE_EXTRACT) {
3059 result = 0;
3060 goto end;
3061 }
3062
3063 sm = sm->next;
3064 if (sm->type != DETECT_BYTEJUMP) {
3065 result = 0;
3066 goto end;
3067 }
3068 bjd = (DetectBytejumpData *)sm->ctx;
3069 if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3070 printf("three failed\n");
3071 result = 0;
3072 goto end;
3073 }
3074
3075 sm = sm->next;
3076 if (sm->type != DETECT_BYTEJUMP) {
3077 result = 0;
3078 goto end;
3079 }
3080 bjd = (DetectBytejumpData *)sm->ctx;
3081 FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3082 FAIL_IF(bjd->offset != 1);
3083
3084 if (sm->next != NULL)
3085 goto end;
3086
3087 result = 1;
3088
3089 end:
3090 SigGroupCleanup(de_ctx);
3091 SigCleanSignatures(de_ctx);
3092 DetectEngineCtxFree(de_ctx);
3093
3094 return result;
3095}
3096
3097static int DetectByteExtractTest55(void)
3098{
3099 DetectEngineCtx *de_ctx = NULL;
3100 int result = 0;
3101 Signature *s = NULL;
3102 SigMatch *sm = NULL;
3103 DetectContentData *cd = NULL;
3104 SCDetectByteExtractData *bed1 = NULL;
3105 SCDetectByteExtractData *bed2 = NULL;
3106
3107 de_ctx = DetectEngineCtxInit();
3108 if (de_ctx == NULL)
3109 goto end;
3110
3111 de_ctx->flags |= DE_QUIET;
3112 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3113 "(msg:\"Testing byte_extract\"; "
3114 "content:\"one\"; "
3115 "byte_extract:4,0,two,string,hex; "
3116 "byte_extract:4,0,three,string,hex; "
3117 "byte_extract:4,0,four,string,hex; "
3118 "byte_extract:4,0,five,string,hex; "
3119 "content: \"four\"; within:two; distance:three; "
3120 "sid:1;)");
3121 if (de_ctx->sig_list == NULL) {
3122 goto end;
3123 }
3124
3125 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3126 goto end;
3127 }
3128
3129 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3130 if (sm->type != DETECT_CONTENT) {
3131 goto end;
3132 }
3133 cd = (DetectContentData *)sm->ctx;
3134 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3135 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3136 cd->flags & DETECT_CONTENT_NOCASE ||
3137 cd->flags & DETECT_CONTENT_WITHIN ||
3138 cd->flags & DETECT_CONTENT_DISTANCE ||
3139 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3140 !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3141 cd->flags & DETECT_CONTENT_NEGATED ) {
3142 printf("one failed: ");
3143 goto end;
3144 }
3145
3146 sm = sm->next;
3147 if (sm->type != DETECT_BYTE_EXTRACT) {
3148 goto end;
3149 }
3150 bed1 = (SCDetectByteExtractData *)sm->ctx;
3151 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3152 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3153 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3154 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3155 goto end;
3156 }
3157 if (bed1->local_id != 0) {
3158 goto end;
3159 }
3160
3161 sm = sm->next;
3162 if (sm->type != DETECT_BYTE_EXTRACT) {
3163 goto end;
3164 }
3165 bed2 = (SCDetectByteExtractData *)sm->ctx;
3166
3167 sm = sm->next;
3168 if (sm->type != DETECT_BYTE_EXTRACT) {
3169 goto end;
3170 }
3171
3172 sm = sm->next;
3173 if (sm->type != DETECT_BYTE_EXTRACT) {
3174 goto end;
3175 }
3176
3177 sm = sm->next;
3178 if (sm->type != DETECT_CONTENT) {
3179 goto end;
3180 }
3181 cd = (DetectContentData *)sm->ctx;
3182 if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3183 cd->flags !=
3184 (DETECT_CONTENT_DISTANCE_VAR | DETECT_CONTENT_WITHIN_VAR |
3185 DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN | DETECT_CONTENT_MPM) ||
3186 cd->within != bed1->local_id || cd->distance != bed2->local_id) {
3187 printf("four failed: ");
3188 goto end;
3189 }
3190
3191 if (sm->next != NULL) {
3192 goto end;
3193 }
3194
3195 result = 1;
3196
3197 end:
3198 SigGroupCleanup(de_ctx);
3199 SigCleanSignatures(de_ctx);
3200 DetectEngineCtxFree(de_ctx);
3201
3202 return result;
3203}
3204
3205static int DetectByteExtractTest56(void)
3206{
3207 DetectEngineCtx *de_ctx = NULL;
3208 int result = 0;
3209 Signature *s = NULL;
3210 SigMatch *sm = NULL;
3211 DetectContentData *cd = NULL;
3212 SCDetectByteExtractData *bed1 = NULL;
3213 SCDetectByteExtractData *bed2 = NULL;
3214
3215 de_ctx = DetectEngineCtxInit();
3216 if (de_ctx == NULL)
3217 goto end;
3218
3219 de_ctx->flags |= DE_QUIET;
3220 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3221 "(msg:\"Testing bytejump_body\"; "
3222 "uricontent:\"urione\"; "
3223 "content:\"one\"; "
3224 "byte_extract:4,0,two,string,hex; "
3225 "byte_extract:4,0,three,string,hex; "
3226 "byte_extract:4,0,four,string,hex; "
3227 "byte_extract:4,0,five,string,hex; "
3228 "content: \"four\"; within:two; distance:three; "
3229 "sid:1;)");
3230 if (de_ctx->sig_list == NULL) {
3231 result = 0;
3232 goto end;
3233 }
3234
3235 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3236 result = 0;
3237 goto end;
3238 }
3239
3240 sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3241 if (sm->type != DETECT_CONTENT) {
3242 result = 0;
3243 goto end;
3244 }
3245 cd = (DetectContentData *)sm->ctx;
3246 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3247 strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3248 cd->flags & DETECT_CONTENT_NOCASE ||
3249 cd->flags & DETECT_CONTENT_WITHIN ||
3250 cd->flags & DETECT_CONTENT_DISTANCE ||
3251 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3252 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3253 cd->flags & DETECT_CONTENT_NEGATED ) {
3254 printf("one failed\n");
3255 result = 0;
3256 goto end;
3257 }
3258
3259 if (sm->next != NULL)
3260 goto end;
3261
3262 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3263 if (sm->type != DETECT_CONTENT) {
3264 result = 0;
3265 goto end;
3266 }
3267 cd = (DetectContentData *)sm->ctx;
3268 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3269 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3270 cd->flags & DETECT_CONTENT_NOCASE ||
3271 cd->flags & DETECT_CONTENT_WITHIN ||
3272 cd->flags & DETECT_CONTENT_DISTANCE ||
3273 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3274 !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3275 cd->flags & DETECT_CONTENT_NEGATED ) {
3276 printf("one failed\n");
3277 result = 0;
3278 goto end;
3279 }
3280
3281 sm = sm->next;
3282 if (sm->type != DETECT_BYTE_EXTRACT) {
3283 result = 0;
3284 goto end;
3285 }
3286 bed1 = (SCDetectByteExtractData *)sm->ctx;
3287 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3288 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3289 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3290 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3291 goto end;
3292 }
3293 if (bed1->local_id != 0) {
3294 result = 0;
3295 goto end;
3296 }
3297
3298 sm = sm->next;
3299 if (sm->type != DETECT_BYTE_EXTRACT) {
3300 result = 0;
3301 goto end;
3302 }
3303 bed2 = (SCDetectByteExtractData *)sm->ctx;
3304
3305 sm = sm->next;
3306 if (sm->type != DETECT_BYTE_EXTRACT) {
3307 result = 0;
3308 goto end;
3309 }
3310
3311 sm = sm->next;
3312 if (sm->type != DETECT_BYTE_EXTRACT) {
3313 result = 0;
3314 goto end;
3315 }
3316
3317 sm = sm->next;
3318 if (sm->type != DETECT_CONTENT) {
3319 result = 0;
3320 goto end;
3321 }
3322 cd = (DetectContentData *)sm->ctx;
3323 if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3324 cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3325 DETECT_CONTENT_WITHIN_VAR |
3326 DETECT_CONTENT_DISTANCE |
3327 DETECT_CONTENT_WITHIN) ||
3328 cd->within != bed1->local_id ||
3329 cd->distance != bed2->local_id ) {
3330 printf("four failed\n");
3331 result = 0;
3332 goto end;
3333 }
3334
3335 if (sm->next != NULL) {
3336 goto end;
3337 }
3338
3339 result = 1;
3340
3341 end:
3342 SigGroupCleanup(de_ctx);
3343 SigCleanSignatures(de_ctx);
3344 DetectEngineCtxFree(de_ctx);
3345
3346 return result;
3347}
3348
3349static int DetectByteExtractTest57(void)
3350{
3351 DetectEngineCtx *de_ctx = NULL;
3352 int result = 0;
3353 Signature *s = NULL;
3354 SigMatch *sm = NULL;
3355 DetectContentData *cd = NULL;
3356 SCDetectByteExtractData *bed1 = NULL;
3357 SCDetectByteExtractData *bed2 = NULL;
3358 SCDetectByteExtractData *bed3 = NULL;
3359 SCDetectByteExtractData *bed4 = NULL;
3360
3361 de_ctx = DetectEngineCtxInit();
3362 if (de_ctx == NULL)
3363 goto end;
3364
3365 de_ctx->flags |= DE_QUIET;
3366 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3367 "(msg:\"Testing bytejump_body\"; "
3368 "content:\"one\"; "
3369 "uricontent: \"urione\"; "
3370 "byte_extract:4,0,two,string,hex,relative; "
3371 "byte_extract:4,0,three,string,hex,relative; "
3372 "byte_extract:4,0,four,string,hex,relative; "
3373 "byte_extract:4,0,five,string,hex,relative; "
3374 "uricontent: \"four\"; within:two; distance:three; "
3375 "sid:1;)");
3376 if (de_ctx->sig_list == NULL) {
3377 result = 0;
3378 goto end;
3379 }
3380
3381 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3382 result = 0;
3383 goto end;
3384 }
3385
3386 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3387 if (sm->type != DETECT_CONTENT) {
3388 result = 0;
3389 goto end;
3390 }
3391 cd = (DetectContentData *)sm->ctx;
3392 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3393 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3394 cd->flags & DETECT_CONTENT_NOCASE ||
3395 cd->flags & DETECT_CONTENT_WITHIN ||
3396 cd->flags & DETECT_CONTENT_DISTANCE ||
3397 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3398 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3399 cd->flags & DETECT_CONTENT_NEGATED ) {
3400 printf("one failed\n");
3401 result = 0;
3402 goto end;
3403 }
3404
3405 if (sm->next != NULL)
3406 goto end;
3407
3408 sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3409 if (sm->type != DETECT_CONTENT) {
3410 result = 0;
3411 goto end;
3412 }
3413 cd = (DetectContentData *)sm->ctx;
3414 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3415 strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
3416 cd->flags & DETECT_CONTENT_NOCASE ||
3417 cd->flags & DETECT_CONTENT_WITHIN ||
3418 cd->flags & DETECT_CONTENT_DISTANCE ||
3419 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3420 !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3421 cd->flags & DETECT_CONTENT_NEGATED ) {
3422 printf("one failed\n");
3423 result = 0;
3424 goto end;
3425 }
3426
3427 sm = sm->next;
3428 if (sm->type != DETECT_BYTE_EXTRACT) {
3429 result = 0;
3430 goto end;
3431 }
3432 bed1 = (SCDetectByteExtractData *)sm->ctx;
3433 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3434 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3435 DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3436 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3437 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3438 goto end;
3439 }
3440 if (bed1->local_id != 0) {
3441 result = 0;
3442 goto end;
3443 }
3444
3445 sm = sm->next;
3446 if (sm->type != DETECT_BYTE_EXTRACT) {
3447 result = 0;
3448 goto end;
3449 }
3450 bed2 = (SCDetectByteExtractData *)sm->ctx;
3451 if (bed2->local_id != 1) {
3452 result = 0;
3453 goto end;
3454 }
3455
3456 sm = sm->next;
3457 if (sm->type != DETECT_BYTE_EXTRACT) {
3458 result = 0;
3459 goto end;
3460 }
3461 bed3 = (SCDetectByteExtractData *)sm->ctx;
3462 if (bed3->local_id != 2) {
3463 result = 0;
3464 goto end;
3465 }
3466
3467 sm = sm->next;
3468 if (sm->type != DETECT_BYTE_EXTRACT) {
3469 result = 0;
3470 goto end;
3471 }
3472 bed4 = (SCDetectByteExtractData *)sm->ctx;
3473 if (bed4->local_id != 3) {
3474 result = 0;
3475 goto end;
3476 }
3477
3478 sm = sm->next;
3479 if (sm->type != DETECT_CONTENT) {
3480 result = 0;
3481 goto end;
3482 }
3483 cd = (DetectContentData *)sm->ctx;
3484 if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
3485 cd->flags != (DETECT_CONTENT_DISTANCE_VAR |
3486 DETECT_CONTENT_WITHIN_VAR |
3487 DETECT_CONTENT_DISTANCE |
3488 DETECT_CONTENT_WITHIN) ||
3489 cd->within != bed1->local_id ||
3490 cd->distance != bed2->local_id) {
3491 printf("four failed\n");
3492 result = 0;
3493 goto end;
3494 }
3495
3496 if (sm->next != NULL) {
3497 goto end;
3498 }
3499
3500 result = 1;
3501
3502 end:
3503 SigGroupCleanup(de_ctx);
3504 SigCleanSignatures(de_ctx);
3505 DetectEngineCtxFree(de_ctx);
3506
3507 return result;
3508}
3509
3510static int DetectByteExtractTest58(void)
3511{
3512 DetectEngineCtx *de_ctx = NULL;
3513 int result = 0;
3514 Signature *s = NULL;
3515 SigMatch *sm = NULL;
3516 DetectContentData *cd = NULL;
3517 SCDetectByteExtractData *bed1 = NULL;
3518 DetectBytejumpData *bjd = NULL;
3519 DetectIsdataatData *isdd = NULL;
3520
3521 de_ctx = DetectEngineCtxInit();
3522 if (de_ctx == NULL)
3523 goto end;
3524
3525 de_ctx->flags |= DE_QUIET;
3526 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3527 "(msg:\"Testing bytejump_body\"; "
3528 "content:\"one\"; "
3529 "byte_extract:4,0,two,string,hex; "
3530 "byte_extract:4,0,three,string,hex; "
3531 "byte_jump: 2,two; "
3532 "byte_jump: 3,three; "
3533 "isdataat: three; "
3534 "sid:1;)");
3535 if (de_ctx->sig_list == NULL) {
3536 result = 0;
3537 goto end;
3538 }
3539
3540 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3541 result = 0;
3542 goto end;
3543 }
3544
3545 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3546 if (sm->type != DETECT_CONTENT) {
3547 result = 0;
3548 goto end;
3549 }
3550 cd = (DetectContentData *)sm->ctx;
3551 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3552 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3553 cd->flags & DETECT_CONTENT_NOCASE ||
3554 cd->flags & DETECT_CONTENT_WITHIN ||
3555 cd->flags & DETECT_CONTENT_DISTANCE ||
3556 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3557 cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
3558 cd->flags & DETECT_CONTENT_NEGATED ) {
3559 printf("one failed\n");
3560 result = 0;
3561 goto end;
3562 }
3563
3564 sm = sm->next;
3565 if (sm->type != DETECT_BYTE_EXTRACT) {
3566 result = 0;
3567 goto end;
3568 }
3569 bed1 = (SCDetectByteExtractData *)sm->ctx;
3570 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3571 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
3572 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3573 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3574 goto end;
3575 }
3576 if (bed1->local_id != 0) {
3577 result = 0;
3578 goto end;
3579 }
3580
3581 sm = sm->next;
3582 if (sm->type != DETECT_BYTE_EXTRACT) {
3583 result = 0;
3584 goto end;
3585 }
3586
3587 sm = sm->next;
3588 if (sm->type != DETECT_BYTEJUMP) {
3589 result = 0;
3590 goto end;
3591 }
3592 bjd = (DetectBytejumpData *)sm->ctx;
3593 if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 0) {
3594 printf("three failed\n");
3595 result = 0;
3596 goto end;
3597 }
3598
3599 sm = sm->next;
3600 if (sm->type != DETECT_BYTEJUMP) {
3601 result = 0;
3602 goto end;
3603 }
3604 bjd = (DetectBytejumpData *)sm->ctx;
3605 if (bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR || bjd->offset != 1) {
3606 printf("four failed\n");
3607 result = 0;
3608 goto end;
3609 }
3610
3611 sm = sm->next;
3612 if (sm->type != DETECT_ISDATAAT) {
3613 result = 0;
3614 goto end;
3615 }
3616 isdd = (DetectIsdataatData *)sm->ctx;
3617 if (isdd->flags != ISDATAAT_OFFSET_VAR ||
3618 isdd->dataat != 1) {
3619 printf("isdataat failed\n");
3620 result = 0;
3621 goto end;
3622 }
3623
3624 if (sm->next != NULL)
3625 goto end;
3626
3627 result = 1;
3628
3629 end:
3630 SigGroupCleanup(de_ctx);
3631 SigCleanSignatures(de_ctx);
3632 DetectEngineCtxFree(de_ctx);
3633
3634 return result;
3635}
3636
3637static int DetectByteExtractTest59(void)
3638{
3639 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3640 FAIL_IF_NULL(de_ctx);
3641 de_ctx->flags |= DE_QUIET;
3642
3643 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
3644 "content:\"one\"; "
3645 "byte_extract:4,0,two,string,hex; "
3646 "byte_extract:4,0,three,string,hex; "
3647 "byte_jump: 2,two; "
3648 "byte_jump: 3,three; "
3649 "isdataat: three,relative; "
3650 "sid:1;)");
3651 FAIL_IF_NULL(s);
3652
3653 FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
3654 SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3655 FAIL_IF(sm->type != DETECT_CONTENT);
3656
3657 DetectContentData *cd = (DetectContentData *)sm->ctx;
3658 FAIL_IF(cd->flags & DETECT_CONTENT_RAWBYTES);
3659 FAIL_IF(strncmp((char *)cd->content, "one", cd->content_len) != 0);
3660 FAIL_IF(cd->flags & DETECT_CONTENT_NOCASE);
3661 FAIL_IF(cd->flags & DETECT_CONTENT_WITHIN);
3662 FAIL_IF(cd->flags & DETECT_CONTENT_DISTANCE);
3663 FAIL_IF(cd->flags & DETECT_CONTENT_FAST_PATTERN);
3664 FAIL_IF(cd->flags & DETECT_CONTENT_RELATIVE_NEXT);
3665 FAIL_IF(cd->flags & DETECT_CONTENT_NEGATED);
3666
3667 sm = sm->next;
3668 FAIL_IF_NULL(sm);
3669 FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
3670
3671 SCDetectByteExtractData *bed1 = (SCDetectByteExtractData *)sm->ctx;
3672 FAIL_IF(bed1->nbytes != 4);
3673 FAIL_IF(bed1->offset != 0);
3674 FAIL_IF(strcmp(bed1->name, "two") != 0);
3675 printf("a\n");
3676 FAIL_IF(bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
3677 printf("b\n");
3678 FAIL_IF(bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX);
3679 FAIL_IF(bed1->align_value != 0);
3680 FAIL_IF(bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
3681
3682 FAIL_IF(bed1->local_id != 0);
3683
3684 sm = sm->next;
3685 FAIL_IF_NULL(sm);
3686 FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
3687
3688 sm = sm->next;
3689 FAIL_IF_NULL(sm);
3690 FAIL_IF(sm->type != DETECT_BYTEJUMP);
3691
3692 DetectBytejumpData *bjd = (DetectBytejumpData *)sm->ctx;
3693 FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3694 FAIL_IF(bjd->offset != 0);
3695
3696 sm = sm->next;
3697 FAIL_IF_NULL(sm);
3698 FAIL_IF(sm->type != DETECT_BYTEJUMP);
3699
3700 bjd = (DetectBytejumpData *)sm->ctx;
3701 FAIL_IF(bjd->flags != DETECT_BYTEJUMP_OFFSET_VAR);
3702 FAIL_IF(bjd->offset != 1);
3703
3704 sm = sm->next;
3705 FAIL_IF_NULL(sm);
3706 FAIL_IF(sm->type != DETECT_ISDATAAT);
3707 DetectIsdataatData *isdd = (DetectIsdataatData *)sm->ctx;
3708 FAIL_IF(isdd->flags != (ISDATAAT_OFFSET_VAR | ISDATAAT_RELATIVE));
3709 FAIL_IF(isdd->dataat != 1);
3710
3711 FAIL_IF(sm->next != NULL);
3712 DetectEngineCtxFree(de_ctx);
3713
3714 PASS;
3715}
3716
3717static int DetectByteExtractTest60(void)
3718{
3719 DetectEngineCtx *de_ctx = NULL;
3720 int result = 0;
3721 Signature *s = NULL;
3722 SigMatch *sm = NULL;
3723 DetectContentData *cd = NULL;
3724 SCDetectByteExtractData *bed1 = NULL;
3725 DetectIsdataatData *isdd = NULL;
3726
3727 de_ctx = DetectEngineCtxInit();
3728 if (de_ctx == NULL)
3729 goto end;
3730
3731 de_ctx->flags |= DE_QUIET;
3732 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3733 "(msg:\"Testing bytejump_body\"; "
3734 "content:\"one\"; "
3735 "byte_extract:4,0,two,string,hex,relative; "
3736 "uricontent: \"three\"; "
3737 "byte_extract:4,0,four,string,hex,relative; "
3738 "isdataat: two; "
3739 "sid:1;)");
3740 if (de_ctx->sig_list == NULL) {
3741 result = 0;
3742 goto end;
3743 }
3744
3745 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3746 result = 0;
3747 goto end;
3748 }
3749
3750 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3751 if (sm->type != DETECT_CONTENT) {
3752 result = 0;
3753 goto end;
3754 }
3755 cd = (DetectContentData *)sm->ctx;
3756 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3757 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3758 cd->flags & DETECT_CONTENT_NOCASE ||
3759 cd->flags & DETECT_CONTENT_WITHIN ||
3760 cd->flags & DETECT_CONTENT_DISTANCE ||
3761 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3762 !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3763 cd->flags & DETECT_CONTENT_NEGATED ) {
3764 printf("one failed\n");
3765 result = 0;
3766 goto end;
3767 }
3768
3769 sm = sm->next;
3770 if (sm->type != DETECT_BYTE_EXTRACT) {
3771 result = 0;
3772 goto end;
3773 }
3774 bed1 = (SCDetectByteExtractData *)sm->ctx;
3775 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3776 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3777 DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3778 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3779 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3780 goto end;
3781 }
3782 if (bed1->local_id != 0) {
3783 result = 0;
3784 goto end;
3785 }
3786
3787 sm = sm->next;
3788 if (sm->type != DETECT_ISDATAAT) {
3789 result = 0;
3790 goto end;
3791 }
3792 isdd = (DetectIsdataatData *)sm->ctx;
3793 if (isdd->flags != (ISDATAAT_OFFSET_VAR) ||
3794 isdd->dataat != bed1->local_id) {
3795 printf("isdataat failed\n");
3796 result = 0;
3797 goto end;
3798 }
3799
3800 if (sm->next != NULL)
3801 goto end;
3802
3803 sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3804 if (sm == NULL) {
3805 result = 0;
3806 goto end;
3807 }
3808 if (sm->type != DETECT_CONTENT) {
3809 result = 0;
3810 goto end;
3811 }
3812 cd = (DetectContentData *)sm->ctx;
3813 if (cd->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM) ||
3814 strncmp((char *)cd->content, "three", cd->content_len) != 0) {
3815 printf("one failed\n");
3816 result = 0;
3817 goto end;
3818 }
3819
3820 sm = sm->next;
3821 if (sm->type != DETECT_BYTE_EXTRACT) {
3822 result = 0;
3823 goto end;
3824 }
3825 bed1 = (SCDetectByteExtractData *)sm->ctx;
3826 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
3827 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3828 DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3829 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3830 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3831 goto end;
3832 }
3833 if (bed1->local_id != 0) {
3834 result = 0;
3835 goto end;
3836 }
3837
3838 if (sm->next != NULL)
3839 goto end;
3840
3841 result = 1;
3842
3843 end:
3844 SigGroupCleanup(de_ctx);
3845 SigCleanSignatures(de_ctx);
3846 DetectEngineCtxFree(de_ctx);
3847
3848 return result;
3849}
3850
3851static int DetectByteExtractTest61(void)
3852{
3853 DetectEngineCtx *de_ctx = NULL;
3854 int result = 0;
3855 Signature *s = NULL;
3856 SigMatch *sm = NULL;
3857 DetectContentData *cd = NULL;
3858 SCDetectByteExtractData *bed1 = NULL;
3859 DetectIsdataatData *isdd = NULL;
3860
3861 de_ctx = DetectEngineCtxInit();
3862 if (de_ctx == NULL)
3863 goto end;
3864
3865 de_ctx->flags |= DE_QUIET;
3866 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
3867 "(msg:\"Testing bytejump_body\"; "
3868 "content:\"one\"; "
3869 "byte_extract:4,0,two,string,hex,relative; "
3870 "uricontent: \"three\"; "
3871 "byte_extract:4,0,four,string,hex,relative; "
3872 "isdataat: four, relative; "
3873 "sid:1;)");
3874 if (de_ctx->sig_list == NULL) {
3875 result = 0;
3876 goto end;
3877 }
3878
3879 if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
3880 result = 0;
3881 goto end;
3882 }
3883
3884 sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
3885 if (sm->type != DETECT_CONTENT) {
3886 result = 0;
3887 goto end;
3888 }
3889 cd = (DetectContentData *)sm->ctx;
3890 if (cd->flags & DETECT_CONTENT_RAWBYTES ||
3891 strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
3892 cd->flags & DETECT_CONTENT_NOCASE ||
3893 cd->flags & DETECT_CONTENT_WITHIN ||
3894 cd->flags & DETECT_CONTENT_DISTANCE ||
3895 cd->flags & DETECT_CONTENT_FAST_PATTERN ||
3896 !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
3897 cd->flags & DETECT_CONTENT_NEGATED ) {
3898 printf("one failed\n");
3899 result = 0;
3900 goto end;
3901 }
3902
3903 sm = sm->next;
3904 if (sm->type != DETECT_BYTE_EXTRACT) {
3905 result = 0;
3906 goto end;
3907 }
3908 bed1 = (SCDetectByteExtractData *)sm->ctx;
3909 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
3910 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3911 DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3912 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3913 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3914 goto end;
3915 }
3916 if (bed1->local_id != 0) {
3917 result = 0;
3918 goto end;
3919 }
3920
3921 if (sm->next != NULL)
3922 goto end;
3923
3924 sm = DetectBufferGetFirstSigMatch(s, g_http_uri_buffer_id);
3925 if (sm == NULL) {
3926 result = 0;
3927 goto end;
3928 }
3929 if (sm->type != DETECT_CONTENT) {
3930 result = 0;
3931 goto end;
3932 }
3933 cd = (DetectContentData *)sm->ctx;
3934 if (cd->flags != (DETECT_CONTENT_RELATIVE_NEXT | DETECT_CONTENT_MPM) ||
3935 strncmp((char *)cd->content, "three", cd->content_len) != 0) {
3936 printf("one failed\n");
3937 result = 0;
3938 goto end;
3939 }
3940
3941 sm = sm->next;
3942 if (sm->type != DETECT_BYTE_EXTRACT) {
3943 result = 0;
3944 goto end;
3945 }
3946 bed1 = (SCDetectByteExtractData *)sm->ctx;
3947 if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
3948 bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
3949 DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
3950 bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
3951 bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
3952 goto end;
3953 }
3954 if (bed1->local_id != 0) {
3955 result = 0;
3956 goto end;
3957 }
3958
3959 sm = sm->next;
3960 if (sm->type != DETECT_ISDATAAT) {
3961 result = 0;
3962 goto end;
3963 }
3964 isdd = (DetectIsdataatData *)sm->ctx;
3965 if (isdd->flags != (ISDATAAT_OFFSET_VAR |
3966 ISDATAAT_RELATIVE) ||
3967 isdd->dataat != bed1->local_id) {
3968 printf("isdataat failed\n");
3969 result = 0;
3970 goto end;
3971 }
3972
3973 if (sm->next != NULL)
3974 goto end;
3975
3976 result = 1;
3977
3978 end:
3979 SigGroupCleanup(de_ctx);
3980 SigCleanSignatures(de_ctx);
3981 DetectEngineCtxFree(de_ctx);
3982
3983 return result;
3984}
3985
3986static int DetectByteExtractTest62(void)
3987{
3988 DetectEngineCtx *de_ctx = NULL;
3989 int result = 0;
3990 Signature *s = NULL;
3991 SigMatch *sm = NULL;
3992 SCDetectByteExtractData *bed = NULL;
3993
3994 de_ctx = DetectEngineCtxInit();
3995 if (de_ctx == NULL)
3996 goto end;
3997
3998 de_ctx->flags |= DE_QUIET;
3999 s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
4000 "(file_data; byte_extract:4,2,two,relative,string,hex; "
4001 "sid:1;)");
4002 if (de_ctx->sig_list == NULL) {
4003 goto end;
4004 }
4005
4006 sm = DetectBufferGetFirstSigMatch(s, g_file_data_buffer_id);
4007 if (sm == NULL) {
4008 goto end;
4009 }
4010 if (sm->type != DETECT_BYTE_EXTRACT) {
4011 goto end;
4012 }
4013 bed = (SCDetectByteExtractData *)sm->ctx;
4014 if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", 3) != 0 ||
4015 bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
4016 DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
4017 bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
4018 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4019 goto end;
4020 }
4021
4022 result = 1;
4023
4024 end:
4025 SigGroupCleanup(de_ctx);
4026 SigCleanSignatures(de_ctx);
4027 DetectEngineCtxFree(de_ctx);
4028
4029 return result;
4030}
4031
4032static int DetectByteExtractTest63(void)
4033{
4034 int result = 0;
4035
4036 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
4037 if (bed == NULL)
4038 goto end;
4039
4040 if (bed->nbytes != 4 || bed->offset != -2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
4041 bed->endian != BigEndian || bed->align_value != 0 ||
4042 bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4043 goto end;
4044 }
4045
4046 result = 1;
4047 end:
4048 if (bed != NULL)
4049 DetectByteExtractFree(NULL, bed);
4050 return result;
4051}
4052
4053static int DetectByteExtractTestParseNoBase(void)
4054{
4055 int result = 0;
4056
4057 SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
4058 if (bed == NULL)
4059 goto end;
4060
4061 if (bed->nbytes != 4) {
4062 goto end;
4063 }
4064 if (bed->offset != 2) {
4065 goto end;
4066 }
4067 if (strcmp(bed->name, "one") != 0) {
4068 goto end;
4069 }
4070 if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
4071 goto end;
4072 }
4073 if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
4074 goto end;
4075 }
4076 if (bed->align_value != 0) {
4077 goto end;
4078 }
4079 if (bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
4080 goto end;
4081 }
4082
4083 result = 1;
4084 end:
4085 if (bed != NULL)
4086 DetectByteExtractFree(NULL, bed);
4087 return result;
4088}
4089
4090static void DetectByteExtractRegisterTests(void)
4091{
4092 g_file_data_buffer_id = DetectBufferTypeGetByName("file_data");
4093 g_http_uri_buffer_id = DetectBufferTypeGetByName("http_uri");
4094
4095 UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01);
4096 UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02);
4097 UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03);
4098 UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04);
4099 UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05);
4100 UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06);
4101 UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07);
4102 UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08);
4103 UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09);
4104 UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10);
4105 UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11);
4106 UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12);
4107 UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13);
4108 UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14);
4109 UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15);
4110 UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16);
4111 UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17);
4112 UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18);
4113 UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19);
4114 UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20);
4115 UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21);
4116 UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22);
4117 UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23);
4118 UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24);
4119 UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25);
4120 UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26);
4121 UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27);
4122 UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28);
4123 UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29);
4124 UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30);
4125 UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31);
4126 UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32);
4127 UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33);
4128 UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34);
4129 UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35);
4130 UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36);
4131 UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37);
4132 UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38);
4133 UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39);
4134 UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40);
4135 UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41);
4136 UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42);
4137
4138 UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43);
4139 UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44);
4140
4141 UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45);
4142 UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46);
4143
4144 UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47);
4145 UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48);
4146
4147 UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49);
4148 UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50);
4149
4150 UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51);
4151 UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52);
4152
4153 UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53);
4154 UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54);
4155
4156 UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55);
4157 UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56);
4158 UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57);
4159
4160 UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58);
4161 UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59);
4162 UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60);
4163 UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61);
4164 UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62);
4165 UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63);
4166
4167 UtRegisterTest("DetectByteExtractTestParseNoBase",
4168 DetectByteExtractTestParseNoBase);
4169}
4170#endif /* UNITTESTS */
len
uint8_t len
Definition app-layer-dnp3.h:2
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition app-layer-protos.h:44
STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC
Definition detect-byte-extract.c:55
DetectByteExtractRegister
void DetectByteExtractRegister(void)
Registers the keyword handlers for the "byte_extract" keyword.
Definition detect-byte-extract.c:69
DetectByteExtractRetrieveSMVar
SigMatch * DetectByteExtractRetrieveSMVar(const char *arg, int sm_list, const Signature *s)
Lookup the SigMatch for a named byte_extract variable.
Definition detect-byte-extract.c:375
DETECT_BYTE_EXTRACT_BASE_DEC
#define DETECT_BYTE_EXTRACT_BASE_DEC
Definition detect-byte-extract.c:49
STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT
Definition detect-byte-extract.c:54
STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX
Definition detect-byte-extract.c:56
NO_STRING_MAX_BYTES_TO_EXTRACT
#define NO_STRING_MAX_BYTES_TO_EXTRACT
Definition detect-byte-extract.c:58
DetectByteExtractDoMatch
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd, const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value, uint8_t endian)
Definition detect-byte-extract.c:82
DETECT_BYTE_EXTRACT_BASE_HEX
#define DETECT_BYTE_EXTRACT_BASE_HEX
Definition detect-byte-extract.c:48
DETECT_BYTE_EXTRACT_BASE_OCT
#define DETECT_BYTE_EXTRACT_BASE_OCT
Definition detect-byte-extract.c:50
DETECT_BYTEJUMP_OFFSET_VAR
#define DETECT_BYTEJUMP_OFFSET_VAR
Definition detect-bytejump.h:44
DETECT_BYTETEST_OFFSET_VAR
#define DETECT_BYTETEST_OFFSET_VAR
Definition detect-bytetest.h:50
DETECT_BYTETEST_VALUE_VAR
#define DETECT_BYTETEST_VALUE_VAR
Definition detect-bytetest.h:49
detect-content.h
DETECT_CONTENT_DEPTH
#define DETECT_CONTENT_DEPTH
Definition detect-content.h:33
DETECT_CONTENT_DISTANCE_NEXT
#define DETECT_CONTENT_DISTANCE_NEXT
Definition detect-content.h:58
DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
#define DETECT_CONTENT_NO_DOUBLE_INSPECTION_REQUIRED
Definition detect-content.h:55
DETECT_CONTENT_RELATIVE_NEXT
#define DETECT_CONTENT_RELATIVE_NEXT
Definition detect-content.h:66
DETECT_CONTENT_RAWBYTES
#define DETECT_CONTENT_RAWBYTES
Definition detect-content.h:38
DETECT_CONTENT_WITHIN_VAR
#define DETECT_CONTENT_WITHIN_VAR
Definition detect-content.h:48
DETECT_CONTENT_WITHIN
#define DETECT_CONTENT_WITHIN
Definition detect-content.h:31
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition detect-content.h:34
DETECT_CONTENT_DEPTH_VAR
#define DETECT_CONTENT_DEPTH_VAR
Definition detect-content.h:46
DETECT_CONTENT_OFFSET_VAR
#define DETECT_CONTENT_OFFSET_VAR
Definition detect-content.h:45
DETECT_CONTENT_DISTANCE
#define DETECT_CONTENT_DISTANCE
Definition detect-content.h:30
DETECT_CONTENT_WITHIN_NEXT
#define DETECT_CONTENT_WITHIN_NEXT
Definition detect-content.h:57
DETECT_CONTENT_OFFSET
#define DETECT_CONTENT_OFFSET
Definition detect-content.h:32
DETECT_CONTENT_NEGATED
#define DETECT_CONTENT_NEGATED
Definition detect-content.h:40
DETECT_CONTENT_MPM
#define DETECT_CONTENT_MPM
Definition detect-content.h:61
DETECT_CONTENT_DISTANCE_VAR
#define DETECT_CONTENT_DISTANCE_VAR
Definition detect-content.h:47
DETECT_CONTENT_NOCASE
#define DETECT_CONTENT_NOCASE
Definition detect-content.h:29
DetectBufferGetFirstSigMatch
SigMatch * DetectBufferGetFirstSigMatch(const Signature *s, const uint32_t buf_id)
Definition detect-engine-buffer.c:157
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition detect-engine-build.c:56
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition detect-engine-build.c:2275
DETECT_BYTE_EXTRACT
@ DETECT_BYTE_EXTRACT
Definition detect-engine-register.h:85
DETECT_BYTEMATH
@ DETECT_BYTEMATH
Definition detect-engine-register.h:84
DETECT_BYTETEST
@ DETECT_BYTETEST
Definition detect-engine-register.h:82
DETECT_BYTEJUMP
@ DETECT_BYTEJUMP
Definition detect-engine-register.h:83
DETECT_ISDATAAT
@ DETECT_ISDATAAT
Definition detect-engine-register.h:93
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition detect-engine.c:1277
ISDATAAT_RELATIVE
#define ISDATAAT_RELATIVE
Definition detect-isdataat.h:27
ISDATAAT_OFFSET_VAR
#define ISDATAAT_OFFSET_VAR
Definition detect-isdataat.h:30
DetectGetLastSMByListId
SigMatch * DetectGetLastSMByListId(const Signature *s, int list_id,...)
Returns the sm with the largest index (added last) from the list passed to us as an id.
Definition detect-parse.c:658
SCDetectSignatureSetAppProto
int SCDetectSignatureSetAppProto(Signature *s, AppProto alproto)
Definition detect-parse.c:2229
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095
SCSigMatchAppendSMToList
SigMatch * SCSigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition detect-parse.c:388
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition detect-parse.c:564
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition detect-parse.c:763
sigmatch_table
SigTableElmt * sigmatch_table
Definition detect-parse.c:79
DETECT_PCRE_RELATIVE_NEXT
#define DETECT_PCRE_RELATIVE_NEXT
Definition detect-pcre.h:34
DE_QUIET
#define DE_QUIET
Definition detect.h:330
DETECT_SM_LIST_NOTSET
#define DETECT_SM_LIST_NOTSET
Definition detect.h:144
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition detect.h:119
DETECT_SM_LIST_MAX
@ DETECT_SM_LIST_MAX
Definition detect.h:135
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition util-unittest.h:96
payload_len
uint16_t payload_len
Definition stream-tcp-private.h:1
DetectBytejumpData_
Definition detect-bytejump.h:46
DetectBytejumpData_::offset
int32_t offset
Definition detect-bytejump.h:50
DetectBytejumpData_::flags
uint16_t flags
Definition detect-bytejump.h:49
DetectBytetestData_
Definition detect-bytetest.h:53
DetectBytetestData_::value
uint64_t value
Definition detect-bytetest.h:62
DetectBytetestData_::offset
int32_t offset
Definition detect-bytetest.h:60
DetectBytetestData_::flags
uint16_t flags
Definition detect-bytetest.h:58
DetectContentData_
Definition detect-content.h:93
DetectContentData_::within
int32_t within
Definition detect-content.h:109
DetectContentData_::distance
int32_t distance
Definition detect-content.h:108
DetectContentData_::content_len
uint16_t content_len
Definition detect-content.h:95
DetectContentData_::depth
uint16_t depth
Definition detect-content.h:106
DetectContentData_::flags
uint32_t flags
Definition detect-content.h:104
DetectContentData_::content
uint8_t * content
Definition detect-content.h:94
DetectContentData_::offset
uint16_t offset
Definition detect-content.h:107
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941
DetectEngineCtx_::byte_extract_max_local_id
int32_t byte_extract_max_local_id
Definition detect.h:1010
DetectEngineThreadCtx_
Definition detect.h:1244
DetectEngineThreadCtx_::buffer_offset
uint32_t buffer_offset
Definition detect.h:1268
DetectIsdataatData_
Definition detect-isdataat.h:32
DetectIsdataatData_::flags
uint8_t flags
Definition detect-isdataat.h:34
DetectIsdataatData_::dataat
uint16_t dataat
Definition detect-isdataat.h:33
DetectPcreData_
Definition detect-pcre.h:47
DetectPcreData_::flags
uint16_t flags
Definition detect-pcre.h:51
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition detect.h:351
SigMatchData_
Data needed for Match()
Definition detect.h:365
SigMatchData_::ctx
SigMatchCtx * ctx
Definition detect.h:368
SigMatch_
a single match condition for a signature
Definition detect.h:356
SigMatch_::type
uint16_t type
Definition detect.h:357
SigMatch_::next
struct SigMatch_ * next
Definition detect.h:360
SigMatch_::ctx
SigMatchCtx * ctx
Definition detect.h:359
SigTableElmt_::url
const char * url
Definition detect.h:1462
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition detect.h:1441
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition detect.h:1446
SigTableElmt_::desc
const char * desc
Definition detect.h:1461
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition detect.h:1448
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition detect.h:1421
SigTableElmt_::name
const char * name
Definition detect.h:1459
SignatureInitDataBuffer_::head
SigMatch * head
Definition detect.h:534
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition detect.h:642
SignatureInitData_::smlists_tail
struct SigMatch_ * smlists_tail[DETECT_SM_LIST_MAX]
Definition detect.h:644
SignatureInitData_::buffers
SignatureInitDataBuffer * buffers
Definition detect.h:647
SignatureInitData_::buffer_index
uint32_t buffer_index
Definition detect.h:648
SignatureInitData_::list
int list
Definition detect.h:628
Signature_
Signature container.
Definition detect.h:668
Signature_::init_data
SignatureInitData * init_data
Definition detect.h:747
ByteExtractUint64
int ByteExtractUint64(uint64_t *res, int e, uint16_t len, const uint8_t *bytes)
Definition util-byte.c:122
ByteExtractStringUint64
int ByteExtractStringUint64(uint64_t *res, int base, size_t len, const char *str)
Definition util-byte.c:234
BYTE_BIG_ENDIAN
#define BYTE_BIG_ENDIAN
Definition util-byte.h:29
BYTE_LITTLE_ENDIAN
#define BYTE_LITTLE_ENDIAN
Definition util-byte.h:30
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267