58static int StreamMpmFunc(
59 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
65 smd->
det_ctx->stream_mpm_size += data_len;
75 Packet *p,
const void *pectx)
83 SCLogDebug(
"PRE det_ctx->raw_stream_progress %"PRIu64,
87 StreamMpmFunc, &stream_mpm_data,
90 SCLogDebug(
"POST det_ctx->raw_stream_progress %"PRIu64,
113 PrefilterPktStream,
mpm_ctx, NULL,
"stream");
117 Packet *p,
const void *pectx)
136 PrefilterPktPayload,
mpm_ctx, NULL,
"payload");
215static int StreamContentInspectFunc(
216 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
221 smd->
det_ctx->stream_persig_cnt++;
222 smd->
det_ctx->stream_persig_size += data_len;
257 StreamContentInspectFunc, &inspect_data,
270static int StreamContentInspectEngineFunc(
271 void *cb_data,
const uint8_t *data,
const uint32_t data_len,
const uint64_t _offset)
276 smd->det_ctx->stream_persig_cnt++;
277 smd->det_ctx->stream_persig_size += data_len;
281 NULL,
smd->f, data, data_len, 0, 0,
300 uint8_t
flags,
void *alstate,
void *txv, uint64_t tx_id)
306 if (p->
proto == IPPROTO_UDP) {
309 }
else if (p->
proto != IPPROTO_TCP)
316 SCLogDebug(
"pre-inspect det_ctx->raw_stream_progress %"PRIu64
" FLUSH? %s",
322 StreamContentInspectEngineFunc, &inspect_data,
325 bool is_last =
false;
326 if (
flags & STREAM_TOSERVER) {
336 SCLogDebug(
"%s ran stream for sid %u on packet %"PRIu64
" and we %s",
338 match ?
"matched" :
"didn't match");
357static int PayloadTestSig01 (
void)
359 uint8_t *buf = (uint8_t *)
361 uint16_t buflen = strlen((
char *)buf);
366 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; content:\"d\"; distance:0; within:1; sid:1;)";
376static int PayloadTestSig02 (
void)
378 uint8_t *buf = (uint8_t *)
380 uint16_t buflen = strlen((
char *)buf);
385 char sig[] =
"alert tcp any any -> any any (content:\"abc\"; nocase; content:\"d\"; distance:0; within:1; sid:1;)";
395static int PayloadTestSig03 (
void)
397 uint8_t *buf = (uint8_t *)
399 uint16_t buflen = strlen((
char *)buf);
404 char sig[] =
"alert tcp any any -> any any (content:\"aBc\"; nocase; content:\"abca\"; distance:-10; within:4; sid:1;)";
416static int PayloadTestSig04(
void)
418 uint8_t *buf = (uint8_t *)
"now this is is big big string now";
419 uint16_t buflen = strlen((
char *)buf);
424 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
425 "content:\"this\"; content:\"is\"; within:6; content:\"big\"; within:8; "
426 "content:\"string\"; within:8; sid:1;)";
438static int PayloadTestSig05(
void)
440 uint8_t *buf = (uint8_t *)
"now this is is is big big big string now";
441 uint16_t buflen = strlen((
char *)buf);
446 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
447 "content:\"this\"; content:\"is\"; within:9; content:\"big\"; within:12; "
448 "content:\"string\"; within:8; sid:1;)";
460static int PayloadTestSig06(
void)
462 uint8_t *buf = (uint8_t *)
"this this now is is big string now";
463 uint16_t buflen = strlen((
char *)buf);
468 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
469 "content:\"now\"; content:\"this\"; content:\"is\"; within:12; content:\"big\"; within:8; "
470 "content:\"string\"; within:8; sid:1;)";
482static int PayloadTestSig07(
void)
484 uint8_t *buf = (uint8_t *)
" thus thus is a big";
485 uint16_t buflen = strlen((
char *)buf);
490 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
491 "content:\"thus\"; offset:8; content:\"is\"; within:6; content:\"big\"; within:8; sid:1;)";
504static int PayloadTestSig08(
void)
506 uint8_t *buf = (uint8_t *)
"we need to fix this and yes fix this now";
507 uint16_t buflen = strlen((
char *)buf);
512 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
513 "content:\"fix\"; content:\"this\"; within:6; content:!\"and\"; distance:0; sid:1;)";
525static int PayloadTestSig09(
void)
527 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
528 uint16_t buflen = strlen((
char *)buf);
533 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
534 "pcre:/super/; content:\"nova\"; within:7; sid:1;)";
546static int PayloadTestSig10(
void)
548 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
549 uint16_t buflen = strlen((
char *)buf);
554 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
555 "byte_test:4,>,2,0,relative; sid:11;)";
567static int PayloadTestSig11(
void)
569 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
570 uint16_t buflen = strlen((
char *)buf);
575 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
576 "byte_jump:1,0,relative; sid:11;)";
588static int PayloadTestSig12(
void)
590 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
591 uint16_t buflen = strlen((
char *)buf);
596 char sig[] =
"alert udp any any -> any any (msg:\"crash\"; "
597 "isdataat:10,relative; sid:11;)";
609static int PayloadTestSig13(
void)
611 uint8_t *buf = (uint8_t *)
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
612 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
613 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
614 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
615 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
616 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
617 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
618 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
619 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
620 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
621 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
622 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
623 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
624 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
625 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
626 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
627 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
628 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
629 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
630 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
632 uint16_t buflen = strlen((
char *)buf);
638 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
639 "content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
640 "byte_test:1,>,200,0,relative; sid:1;)";
647 memset(&th_v, 0,
sizeof(th_v));
678static int PayloadTestSig14(
void)
680 uint8_t *buf = (uint8_t *)
"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4) Gecko/20090423 Firefox/3.6 GTB5";
681 uint16_t buflen = strlen((
char *)buf);
686 char sig[] =
"alert tcp any any -> any any (content:\"User-Agent|3A| Mozilla/5.0 |28|Macintosh|3B| \"; content:\"Firefox/3.\"; distance:0; content:!\"Firefox/3.6.12\"; distance:-10; content:!\"Mozilla/5.0 |28|Macintosh|3B| U|3B| Intel Mac OS X 10.5|3B| en-US|3B| rv|3A|1.9.1b4|29| Gecko/20090423 Firefox/3.6 GTB5\"; sid:1; rev:1;)";
697static int PayloadTestSig15(
void)
699 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
700 uint16_t buflen = strlen((
char *)buf);
705 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
706 "content:\"nova\"; isdataat:18,relative; sid:1;)";
715static int PayloadTestSig16(
void)
717 uint8_t *buf = (uint8_t *)
"this is a super duper nova in super nova now";
718 uint16_t buflen = strlen((
char *)buf);
723 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
724 "content:\"nova\"; isdataat:!20,relative; sid:1;)";
733static int PayloadTestSig17(
void)
735 uint8_t buf[] = { 0xEB, 0x29, 0x25, 0x38, 0x78, 0x25, 0x38, 0x78, 0x25 };
741 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
742 "content:\"%\"; depth:4; offset:0; "
743 "content:\"%\"; within:2; distance:1; sid:1;)";
752static int PayloadTestSig18(
void)
755 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
756 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
759 uint16_t buflen =
sizeof(buf);
764 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
765 "content:\"|01 02 03 04|\"; "
766 "byte_extract:1,2,one,string,dec,relative; "
767 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
776static int PayloadTestSig19(
void)
779 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
780 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
783 uint16_t buflen =
sizeof(buf);
788 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
789 "content:\"|01 02 03 04|\"; "
790 "byte_extract:1,2,one,string,hex,relative; "
791 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
800static int PayloadTestSig20(
void)
803 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
804 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
807 uint16_t buflen =
sizeof(buf);
812 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
813 "content:\"|01 02 03 04|\"; "
814 "byte_extract:1,2,one,string,dec,relative; "
815 "content:\"|06 35 07 08|\"; offset:one; sid:1;)";
824static int PayloadTestSig21(
void)
827 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
828 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
831 uint16_t buflen =
sizeof(buf);
836 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
837 "content:\"|01 02 03 04|\"; "
838 "byte_extract:1,2,one,string,dec,relative; "
839 "content:\"|03 04 05 06|\"; depth:one; sid:1;)";
848static int PayloadTestSig22(
void)
851 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x36,
852 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
855 uint16_t buflen =
sizeof(buf);
860 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
861 "content:\"|01 02 03 04|\"; "
862 "byte_extract:1,2,one,string,dec,relative; "
863 "content:\"|09 0A 0B 0C|\"; within:one; sid:1;)";
872static int PayloadTestSig23(
void)
875 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
876 0x07, 0x08, 0x09, 0x33, 0x0B, 0x0C, 0x0D,
879 uint16_t buflen =
sizeof(buf);
884 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
885 "content:\"|01 02 03 04|\"; "
886 "byte_extract:1,2,one,string,dec,relative; "
887 "byte_extract:1,3,two,string,dec,relative; "
888 "byte_test:1,=,one,two,string,dec,relative; sid:1;)";
897static int PayloadTestSig24(
void)
900 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x32,
901 0x07, 0x08, 0x33, 0x0A, 0x0B, 0x0C, 0x0D,
904 uint16_t buflen =
sizeof(buf);
909 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
910 "content:\"|01 02 03 04|\"; "
911 "byte_extract:1,2,one,string,dec,relative; "
912 "byte_jump:1,one,string,dec,relative; "
913 "content:\"|0D 0E 0F|\"; distance:0; sid:1;)";
925static int PayloadTestSig25(
void)
928 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
929 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
932 uint16_t buflen =
sizeof(buf);
937 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
938 "content:\"|35 07 08 09|\"; "
939 "byte_extract:1,-4,one,string,dec,relative; "
940 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
952static int PayloadTestSig26(
void)
955 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35,
956 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
959 uint16_t buflen =
sizeof(buf);
964 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
965 "content:\"|35 07 08 09|\"; "
966 "byte_extract:1,-3000,one,string,dec,relative; "
967 "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
979static int PayloadTestSig27(
void)
981 uint8_t buf[] =
"dummypayload";
982 uint16_t buflen =
sizeof(buf) - 1;
987 char sig[] =
"alert tcp any any -> any any (content:\"dummy\"; "
1001static int PayloadTestSig28(
void)
1003 uint8_t buf[] =
"dummypayload";
1004 uint16_t buflen =
sizeof(buf) - 1;
1009 char sig[] =
"alert tcp any any -> any any (content:\"payload\"; "
1010 "offset:4; depth:12; sid:1;)";
1023static int PayloadTestSig29(
void)
1025 uint8_t *buf = (uint8_t *)
"this is a super dupernova in super nova now";
1026 uint16_t buflen = strlen((
char *)buf);
1031 char sig[] =
"alert tcp any any -> any any (msg:\"dummy\"; "
1032 "pcre:/^.{4}/; content:\"nova\"; within:4; sid:1;)";
1041static int PayloadTestSig30(
void)
1043 uint8_t *buf = (uint8_t *)
1044 "xyonexxxxxxtwojunkonetwo";
1045 uint16_t buflen = strlen((
char *)buf);
1050 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/^two/R\"; sid:1;)";
1059static int PayloadTestSig31(
void)
1061 uint8_t *buf = (uint8_t *)
1062 "xyonexxxxxxtwojunkonetwo";
1063 uint16_t buflen = strlen((
char *)buf);
1068 char sig[] =
"alert tcp any any -> any any (content:\"one\"; pcre:\"/(fiv|^two)/R\"; sid:1;)";
1080static int PayloadTestSig32(
void)
1082 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1083 uint16_t buflen = strlen((
char *)buf);
1088 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1089 "content:\"message\"; byte_jump:2,-14,string,dec,relative; content:\"card\"; within:4; sid:1;)";
1101static int PayloadTestSig33(
void)
1103 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1104 uint16_t buflen = strlen((
char *)buf);
1109 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1110 "content:\"message\"; byte_test:1,=,2,-14,string,dec,relative; sid:1;)";
1122static int PayloadTestSig34(
void)
1124 uint8_t *buf = (uint8_t *)
"dummy2xxcardmessage";
1125 uint16_t buflen = strlen((
char *)buf);
1130 char sig[] =
"alert tcp any any -> any any (msg:\"crash\"; "
1131 "content:\"message\"; byte_extract:1,-14,boom,string,dec,relative; sid:1;)";
#define PKT_NOPAYLOAD_INSPECTION
#define PKT_DETECT_HAS_STREAMDATA
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted; this is used in the test functions.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
bool DetectEngineContentInspection(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, const SigMatchData *smd, Packet *p, Flow *f, const uint8_t *buffer, const uint32_t buffer_len, const uint64_t stream_start_offset, const uint8_t flags, const enum DetectContentInspectionType inspection_mode)
wrapper around DetectEngineContentInspectionInternal to return true/false only
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD
@ DETECT_ENGINE_CONTENT_INSPECTION_MODE_STREAM
#define DETECT_CI_FLAGS_SINGLE
uint8_t DetectEngineInspectPacketPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature.
int DetectEngineInspectStreamPayload(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const Signature *s, Flow *f, Packet *p)
Do the content inspection & validation for a signature on the raw stream.
int PrefilterPktPayloadRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
uint8_t DetectEngineInspectStream(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
inspect engine for stateful rules
void PayloadRegisterTests(void)
int PrefilterPktStreamRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, MpmCtx *mpm_ctx)
int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterPktFn PrefilterFunc, void *pectx, void(*FreeFunc)(void *pectx), const char *name)
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
Data structures and function prototypes for keeping state for the detection engine.
#define DETECT_ENGINE_INSPECT_SIG_MATCH
#define DETECT_ENGINE_INSPECT_SIG_CANT_MATCH
#define DETECT_ENGINE_INSPECT_SIG_NO_MATCH
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread-specific detection engine context
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
#define PASS
Pass the test.
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
#define STREAMTCP_STREAM_FLAG_DEPTH_REACHED
int StreamReassembleRaw(TcpSession *ssn, const Packet *p, StreamReassembleRawFunc Callback, void *cb_data, uint64_t *progress_out, bool respect_inspect_depth)
Structure to hold thread specific data for all decode modules.
main detection engine ctx
int inspection_recursion_limit
uint64_t raw_stream_progress
uint32_t(* Search)(const struct MpmCtx_ *, struct MpmThreadCtx_ *, PrefilterRuleStore *, const uint8_t *, uint32_t)
Container for matching data for a signature group.
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
DetectEngineThreadCtx * det_ctx
DetectEngineThreadCtx * det_ctx
DetectEngineThreadCtx * det_ctx
Per thread variable structure.
MpmTableElmt mpm_table[MPM_TABLE_SIZE]
uint8_t mpm_default_matcher
#define PREFILTER_PROFILING_ADD_BYTES(det_ctx, bytes)
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)