suricata
detect.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2017 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18#ifdef UNITTESTS
19
20#include "../app-layer-htp.h"
21#include "../conf-yaml-loader.h"
22#include "../detect-parse.h"
23#include "../detect-engine-content-inspection.h"
24#include "../detect-engine-build.h"
25#include "../pkt-var.h"
26#include "../flow-util.h"
27#include "../stream-tcp-reassemble.h"
28#include "../util-unittest.h"
29#include "../util-var-name.h"
30#include "../util-unittest-helper.h"
31
32static const char *dummy_conf_string =
33 "%YAML 1.1\n"
34 "---\n"
35 "\n"
36 "default-log-dir: /var/log/suricata\n"
37 "\n"
38 "logging:\n"
39 "\n"
40 " default-log-level: debug\n"
41 "\n"
42 " default-format: \"<%t> - <%l>\"\n"
43 "\n"
44 " default-startup-message: Your IDS has started.\n"
45 "\n"
46 " default-output-filter:\n"
47 "\n"
48 " output:\n"
49 "\n"
50 " - interface: console\n"
51 " log-level: info\n"
52 "\n"
53 " - interface: file\n"
54 " filename: /var/log/suricata.log\n"
55 "\n"
56 " - interface: syslog\n"
57 " facility: local5\n"
58 " format: \"%l\"\n"
59 "\n"
60 "pfring:\n"
61 "\n"
62 " interface: eth0\n"
63 "\n"
64 " clusterid: 99\n"
65 "\n"
66 "vars:\n"
67 "\n"
68 " address-groups:\n"
69 "\n"
70 " HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
71 "13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
72 "\n"
73 " EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
74 "\n"
75 " HTTP_SERVERS: \"!192.168.0.0/16\"\n"
76 "\n"
77 " SMTP_SERVERS: \"!192.168.0.0/16\"\n"
78 "\n"
79 " SQL_SERVERS: \"!192.168.0.0/16\"\n"
80 "\n"
81 " DNS_SERVERS: any\n"
82 "\n"
83 " TELNET_SERVERS: any\n"
84 "\n"
85 " AIM_SERVERS: any\n"
86 "\n"
87 " port-groups:\n"
88 "\n"
89 " HTTP_PORTS: \"80:81,88\"\n"
90 "\n"
91 " SHELLCODE_PORTS: 80\n"
92 "\n"
93 " ORACLE_PORTS: 1521\n"
94 "\n"
95 " SSH_PORTS: 22\n"
96 "\n";
97
98static int SigTest01 (void)
99{
100 uint8_t *buf = (uint8_t *)
101 "GET /one/ HTTP/1.1\r\n"
102 "Host: one.example.org\r\n"
103 "\r\n\r\n"
104 "GET /two/ HTTP/1.1\r\n"
105 "Host: two.example.org\r\n"
106 "\r\n\r\n";
107 uint16_t buflen = strlen((char *)buf);
108 Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
109 int result = 0;
110
111 char sig[] = "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)";
112 if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
113 result = 0;
114 goto end;
115 }
116#if 0
117 //printf("URI0 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[0], p.http_uri.raw_size[0]);
118 //printf("URI1 \"%s\", len %" PRIu32 "\n", p.http_uri.raw[1], p.http_uri.raw_size[1]);
119
120 if (p->http_uri.raw_size[0] == 5 &&
121 memcmp(p->http_uri.raw[0], "/one/", 5) == 0 &&
122 p->http_uri.raw_size[1] == 5 &&
123 memcmp(p->http_uri.raw[1], "/two/", 5) == 0)
124 {
125 result = 1;
126 }
127
128#endif
129 result = 1;
130end:
131 if (p != NULL)
132 UTHFreePacket(p);
133 return result;
134}
135
136static int SigTest02 (void)
137{
138 uint8_t *buf = (uint8_t *)
139 "GET /one/ HTTP/1.1\r\n"
140 "Host: one.example.org\r\n"
141 "\r\n\r\n"
142 "GET /two/ HTTP/1.1\r\n"
143 "Host: two.example.org\r\n"
144 "\r\n\r\n";
145 uint16_t buflen = strlen((char *)buf);
146 Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
147 char sig[] = "alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:41; sid:1;)";
148 int ret = UTHPacketMatchSigMpm(p, sig, MPM_AC);
149 UTHFreePacket(p);
150 return ret;
151}
152
153static int SigTest03 (void)
154{
155 uint8_t *buf = (uint8_t *)
156 "GET /one/ HTTP/1.1\r\n"
157 "Host: one.example.org\r\n"
158 "\r\n\r\n"
159 "GET /two/ HTTP/1.1\r\n"
160 "Host: two.example.org\r\n"
161 "\r\n\r\n";
162 uint16_t buflen = strlen((char *)buf);
163 Packet *p = NULL;
164 ThreadVars th_v;
165 DetectEngineThreadCtx *det_ctx = NULL;
166 int result = 0;
167
168 memset(&th_v, 0, sizeof(th_v));
169
170 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
171
172 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
173 if (de_ctx == NULL) {
174 goto end;
175 }
176
177 de_ctx->flags |= DE_QUIET;
178
179 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host: one.example.org\"; offset:20; depth:39; sid:1;)");
180 if (de_ctx->sig_list == NULL) {
181 result = 0;
182 goto end;
183 }
184
185 SigGroupBuild(de_ctx);
186 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
187
188 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
189 if (PacketAlertCheck(p, 1))
190 result = 1;
191
192 SigGroupCleanup(de_ctx);
193 SigCleanSignatures(de_ctx);
194
195 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
196 DetectEngineCtxFree(de_ctx);
197end:
198 UTHFreePackets(&p, 1);
199 return result;
200}
201
202static int SigTest04 (void)
203{
204 uint8_t *buf = (uint8_t *)
205 "GET /one/ HTTP/1.1\r\n" /* 20*/
206 "Host: one.example.org\r\n" /* 23, post "Host:" 18 */
207 "\r\n\r\n" /* 4 */
208 "GET /two/ HTTP/1.1\r\n" /* 20 */
209 "Host: two.example.org\r\n" /* 23 */
210 "\r\n\r\n"; /* 4 */
211 uint16_t buflen = strlen((char *)buf);
212
213 Packet *p = NULL;
214 ThreadVars th_v;
215 DetectEngineThreadCtx *det_ctx = NULL;
216 int result = 0;
217
218 memset(&th_v, 0, sizeof(th_v));
219
220 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
221
222 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
223 if (de_ctx == NULL) {
224 goto end;
225 }
226
227 de_ctx->flags |= DE_QUIET;
228
229 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:42; within:47; sid:1;)");
230 if (de_ctx->sig_list == NULL) {
231 result = 0;
232 goto end;
233 }
234
235 SigGroupBuild(de_ctx);
236 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
237
238 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
239 if (PacketAlertCheck(p, 1))
240 result = 1;
241
242 SigGroupCleanup(de_ctx);
243 SigCleanSignatures(de_ctx);
244
245 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
246 DetectEngineCtxFree(de_ctx);
247end:
248 UTHFreePackets(&p, 1);
249 return result;
250}
251
252static int SigTest05 (void)
253{
254 uint8_t *buf = (uint8_t *)
255 "GET /one/ HTTP/1.1\r\n" /* 20 */
256 "Host: one.example.org\r\n" /* 23, 43 */
257 "\r\n\r\n" /* 4, 47 */
258 "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
259 "Host: two.example.org\r\n" /* 23, 90 */
260 "\r\n\r\n"; /* 4, 94 */
261 uint16_t buflen = strlen((char *)buf);
262 Packet *p = NULL;
263 ThreadVars th_v;
264 DetectEngineThreadCtx *det_ctx = NULL;
265 int result = 0;
266
267 memset(&th_v, 0, sizeof(th_v));
268
269 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
270
271 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
272 if (de_ctx == NULL) {
273 goto end;
274 }
275
276 de_ctx->flags |= DE_QUIET;
277
278 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP TEST\"; content:\"Host:\"; offset:20; depth:25; content:\"Host:\"; distance:48; within:52; sid:1;)");
279 if (de_ctx->sig_list == NULL) {
280 printf("sig parse failed: ");
281 goto end;
282 }
283
284 SigGroupBuild(de_ctx);
285 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
286
287 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
288 if (!PacketAlertCheck(p, 1)) {
289 result = 1;
290 } else {
291 printf("sig matched but shouldn't have: ");
292 }
293
294 SigGroupCleanup(de_ctx);
295 SigCleanSignatures(de_ctx);
296
297 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
298 DetectEngineCtxFree(de_ctx);
299end:
300 UTHFreePackets(&p, 1);
301 return result;
302}
303
304static int SigTest06 (void)
305{
306 uint8_t *buf = (uint8_t *)
307 "GET /one/ HTTP/1.1\r\n" /* 20 */
308 "Host: one.example.org\r\n" /* 23, 43 */
309 "\r\n\r\n" /* 4, 47 */
310 "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
311 "Host: two.example.org\r\n" /* 23, 90 */
312 "\r\n\r\n"; /* 4, 94 */
313 uint16_t buflen = strlen((char *)buf);
314 Packet *p = NULL;
315 ThreadVars th_v;
316 DetectEngineThreadCtx *det_ctx = NULL;
317 Flow f;
318 TcpSession ssn;
319 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
320 FAIL_IF_NULL(alp_tctx);
321
322 memset(&th_v, 0, sizeof(th_v));
323 memset(&f, 0, sizeof(f));
324 memset(&ssn, 0, sizeof(ssn));
325
326 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
327 FAIL_IF_NULL(p);
328
329 FLOW_INITIALIZE(&f);
330 f.protoctx = (void *)&ssn;
331 f.flags |= FLOW_IPV4;
332 f.proto = IPPROTO_TCP;
333 p->flow = &f;
334 p->flowflags |= FLOW_PKT_TOSERVER;
335 p->flowflags |= FLOW_PKT_ESTABLISHED;
336 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
337 f.alproto = ALPROTO_HTTP1;
338
339 StreamTcpInitConfig(true);
340
341 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
342 FAIL_IF_NULL(de_ctx);
343 de_ctx->flags |= DE_QUIET;
344
345 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
346 FAIL_IF_NULL(s);
347
348 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
349 FAIL_IF_NULL(s);
350
351 SigGroupBuild(de_ctx);
352 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
353 FAIL_IF_NULL(det_ctx);
354
355 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
356 FAIL_IF(r != 0);
357
358 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
359 FAIL_IF_NOT(PacketAlertCheck(p, 1));
360 FAIL_IF_NOT(PacketAlertCheck(p, 2));
361
362 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
363 DetectEngineCtxFree(de_ctx);
364 AppLayerParserThreadCtxFree(alp_tctx);
365 UTHFreePackets(&p, 1);
366 StreamTcpFreeConfig(true);
367 FLOW_DESTROY(&f);
368 PASS;
369}
370
371static int SigTest07 (void)
372{
373 uint8_t *buf = (uint8_t *)
374 "GET /one/ HTTP/1.1\r\n" /* 20 */
375 "Host: one.example.org\r\n" /* 23, 43 */
376 "\r\n\r\n" /* 4, 47 */
377 "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
378 "Host: two.example.org\r\n" /* 23, 90 */
379 "\r\n\r\n"; /* 4, 94 */
380 uint16_t buflen = strlen((char *)buf);
381 Packet *p = NULL;
382 ThreadVars th_v;
383 DetectEngineThreadCtx *det_ctx = NULL;
384 Flow f;
385 TcpSession ssn;
386 int result = 0;
387 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
388
389 memset(&th_v, 0, sizeof(th_v));
390 memset(&f, 0, sizeof(f));
391 memset(&ssn, 0, sizeof(ssn));
392
393 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
394
395 FLOW_INITIALIZE(&f);
396 f.protoctx = (void *)&ssn;
397 f.flags |= FLOW_IPV4;
398 f.proto = IPPROTO_TCP;
399 p->flow = &f;
400 p->flowflags |= FLOW_PKT_TOSERVER;
401 p->flowflags |= FLOW_PKT_ESTABLISHED;
402 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
403 f.alproto = ALPROTO_HTTP1;
404
405 StreamTcpInitConfig(true);
406
407 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
408 if (de_ctx == NULL) {
409 goto end;
410 }
411
412 de_ctx->flags |= DE_QUIET;
413
414 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
415 if (de_ctx->sig_list == NULL) {
416 result = 0;
417 goto end;
418 }
419 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"three\"; sid:2;)");
420 if (de_ctx->sig_list->next == NULL) {
421 result = 0;
422 goto end;
423 }
424
425 SigGroupBuild(de_ctx);
426 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
427
428 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
429 if (r != 0) {
430 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
431 result = 0;
432 goto end;
433 }
434
435 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
436 if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
437 result = 0;
438 else
439 result = 1;
440
441end:
442 if (alp_tctx != NULL)
443 AppLayerParserThreadCtxFree(alp_tctx);
444 UTHFreePackets(&p, 1);
445 StreamTcpFreeConfig(true);
446 FlowCleanupAppLayer(&f);
447 FLOW_DESTROY(&f);
448 SigGroupCleanup(de_ctx);
449 SigCleanSignatures(de_ctx);
450
451 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
452 DetectEngineCtxFree(de_ctx);
453
454 return result;
455}
456
457static int SigTest08 (void)
458{
459 uint8_t *buf = (uint8_t *)
460 "GET /one/ HTTP/1.0\r\n" /* 20 */
461 "Host: one.example.org\r\n" /* 23, 43 */
462 "\r\n\r\n" /* 4, 47 */
463 "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
464 "Host: two.example.org\r\n" /* 23, 90 */
465 "\r\n\r\n"; /* 4, 94 */
466 uint16_t buflen = strlen((char *)buf);
467 Packet *p = NULL;
468 ThreadVars th_v;
469 DetectEngineThreadCtx *det_ctx = NULL;
470 Flow f;
471 TcpSession ssn;
472 int result = 0;
473 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
474
475 memset(&f, 0, sizeof(Flow));
476 memset(&th_v, 0, sizeof(th_v));
477 memset(&ssn, 0, sizeof(ssn));
478
479 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
480
481 FLOW_INITIALIZE(&f);
482 f.protoctx = (void *)&ssn;
483 f.flags |= FLOW_IPV4;
484 f.proto = IPPROTO_TCP;
485 p->flow = &f;
486 p->flowflags |= FLOW_PKT_TOSERVER;
487 p->flowflags |= FLOW_PKT_ESTABLISHED;
488 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
489 f.alproto = ALPROTO_HTTP1;
490
491 StreamTcpInitConfig(true);
492
493 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
494 if (de_ctx == NULL) {
495 goto end;
496 }
497
498 de_ctx->flags |= DE_QUIET;
499
500 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
501 if (de_ctx->sig_list == NULL) {
502 result = 0;
503 goto end;
504 }
505 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"one\"; sid:2;)");
506 if (de_ctx->sig_list->next == NULL) {
507 result = 0;
508 goto end;
509 }
510
511 SigGroupBuild(de_ctx);
512 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
513
514 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
515 if (r != 0) {
516 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
517 result = 0;
518 goto end;
519 }
520
521 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
522 if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
523 result = 1;
524 else
525 printf("sid:1 %s, sid:2 %s: ",
526 PacketAlertCheck(p, 1) ? "OK" : "FAIL",
527 PacketAlertCheck(p, 2) ? "OK" : "FAIL");
528
529end:
530 FlowCleanupAppLayer(&f);
531 SigGroupCleanup(de_ctx);
532 SigCleanSignatures(de_ctx);
533
534 if (det_ctx)
535 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
536 DetectEngineCtxFree(de_ctx);
537 if (alp_tctx != NULL)
538 AppLayerParserThreadCtxFree(alp_tctx);
539 UTHFreePackets(&p, 1);
540 StreamTcpFreeConfig(true);
541 FLOW_DESTROY(&f);
542 return result;
543}
544
545static int SigTest09 (void)
546{
547 uint8_t *buf = (uint8_t *)
548 "GET /one/ HTTP/1.0\r\n" /* 20 */
549 "Host: one.example.org\r\n" /* 23, 43 */
550 "\r\n\r\n" /* 4, 47 */
551 "GET /two/ HTTP/1.0\r\n" /* 20, 67 */
552 "Host: two.example.org\r\n" /* 23, 90 */
553 "\r\n\r\n"; /* 4, 94 */
554 uint16_t buflen = strlen((char *)buf);
555 Packet *p = NULL;
556 ThreadVars th_v;
557 DetectEngineThreadCtx *det_ctx = NULL;
558 Flow f;
559 TcpSession ssn;
560 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
561 int result = 0;
562
563 memset(&th_v, 0, sizeof(th_v));
564 memset(&f, 0, sizeof(f));
565 memset(&ssn, 0, sizeof(ssn));
566
567 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
568
569 FLOW_INITIALIZE(&f);
570 f.protoctx = (void *)&ssn;
571 f.flags |= FLOW_IPV4;
572 f.proto = IPPROTO_TCP;
573 p->flow = &f;
574 p->flowflags |= FLOW_PKT_TOSERVER;
575 p->flowflags |= FLOW_PKT_ESTABLISHED;
576 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
577 f.alproto = ALPROTO_HTTP1;
578
579 StreamTcpInitConfig(true);
580
581 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
582 if (de_ctx == NULL) {
583 goto end;
584 }
585
586 de_ctx->flags |= DE_QUIET;
587
588 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/1\\.0\\r\\n/G\"; sid:1;)");
589 if (de_ctx->sig_list == NULL) {
590 result = 0;
591 goto end;
592 }
593 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI test\"; uricontent:\"two\"; sid:2;)");
594 if (de_ctx->sig_list->next == NULL) {
595 result = 0;
596 goto end;
597 }
598
599 SigGroupBuild(de_ctx);
600 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
601
602 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
603 if (r != 0) {
604 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
605 result = 0;
606 goto end;
607 }
608
609 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
610 if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
611 result = 1;
612 else
613 result = 0;
614
615end:
616 FlowCleanupAppLayer(&f);
617 SigGroupCleanup(de_ctx);
618 SigCleanSignatures(de_ctx);
619 if (det_ctx)
620 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
621 DetectEngineCtxFree(de_ctx);
622 if (alp_tctx != NULL)
623 AppLayerParserThreadCtxFree(alp_tctx);
624 UTHFreePackets(&p, 1);
625 StreamTcpFreeConfig(true);
626 FLOW_DESTROY(&f);
627 return result;
628}
629
630static int SigTest10 (void)
631{
632 uint8_t *buf = (uint8_t *)
633 "ABC";
634 uint16_t buflen = strlen((char *)buf);
635 Packet *p = NULL;
636 ThreadVars th_v;
637 DetectEngineThreadCtx *det_ctx = NULL;
638 Flow f;
639 TcpSession ssn;
640 int result = 0;
641 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
642
643 memset(&th_v, 0, sizeof(th_v));
644 memset(&f, 0, sizeof(f));
645 memset(&ssn, 0, sizeof(ssn));
646
647 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
648
649 FLOW_INITIALIZE(&f);
650 f.protoctx = (void *)&ssn;
651 f.proto = IPPROTO_TCP;
652 f.flags |= FLOW_IPV4;
653 p->flow = &f;
654 p->flowflags |= FLOW_PKT_TOSERVER;
655 p->flowflags |= FLOW_PKT_ESTABLISHED;
656 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
657 f.alproto = ALPROTO_HTTP1;
658
659 StreamTcpInitConfig(true);
660
661 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
662 if (de_ctx == NULL) {
663 goto end;
664 }
665
666 de_ctx->flags |= DE_QUIET;
667
668 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (1)\"; content:\"ABCD\"; depth:4; sid:1;)");
669 if (de_ctx->sig_list == NULL) {
670 result = 0;
671 goto end;
672 }
673 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Long content test (2)\"; content:\"VWXYZ\"; sid:2;)");
674 if (de_ctx->sig_list->next == NULL) {
675 result = 0;
676 goto end;
677 }
678
679 SigGroupBuild(de_ctx);
680 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
681
682 int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, buf, buflen);
683 if (r != 0) {
684 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
685 result = 0;
686 goto end;
687 }
688
689 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
690 if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
691 result = 0;
692 else
693 result = 1;
694
695 end:
696 FlowCleanupAppLayer(&f);
697 SigGroupCleanup(de_ctx);
698 SigCleanSignatures(de_ctx);
699 if (det_ctx)
700 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
701 DetectEngineCtxFree(de_ctx);
702 if (alp_tctx != NULL)
703 AppLayerParserThreadCtxFree(alp_tctx);
704 UTHFreePackets(&p, 1);
705 StreamTcpFreeConfig(true);
706 FLOW_DESTROY(&f);
707 return result;
708}
709
710static int SigTest11 (void)
711{
712 uint8_t *buf = (uint8_t *)
713 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
714 uint16_t buflen = strlen((char *)buf);
715 Packet *p = NULL;
716 ThreadVars th_v;
717 DetectEngineThreadCtx *det_ctx = NULL;
718 Flow f;
719 TcpSession ssn;
720 int result = 0;
721
722 memset(&th_v, 0, sizeof(th_v));
723 memset(&f, 0, sizeof(f));
724 memset(&ssn, 0, sizeof(ssn));
725
726 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
727
728 FLOW_INITIALIZE(&f);
729 f.protoctx = (void *)&ssn;
730 f.proto = IPPROTO_TCP;
731 f.flags |= FLOW_IPV4;
732 p->flow = &f;
733 p->flowflags |= FLOW_PKT_TOSERVER;
734 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
735 f.alproto = ALPROTO_HTTP1;
736
737 StreamTcpInitConfig(true);
738
739 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
740 if (de_ctx == NULL) {
741 goto end;
742 }
743
744 de_ctx->flags |= DE_QUIET;
745
746 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
747 if (de_ctx->sig_list == NULL) {
748 goto end;
749 }
750 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (content:\"VWXYZabcde\"; content:\"5678\"; content:\"89\"; sid:2;)");
751 if (de_ctx->sig_list->next == NULL) {
752 goto end;
753 }
754
755 SigGroupBuild(de_ctx);
756 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
757
758 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
759 if (PacketAlertCheck(p, 1) && PacketAlertCheck(p, 2))
760 result = 1;
761
762 end:
763 FlowCleanupAppLayer(&f);
764 SigGroupCleanup(de_ctx);
765 if (det_ctx)
766 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
767 DetectEngineCtxFree(de_ctx);
768 UTHFreePackets(&p, 1);
769 StreamTcpFreeConfig(true);
770 FLOW_DESTROY(&f);
771 return result;
772}
773
774static int SigTest12 (void)
775{
776 uint8_t *buf = (uint8_t *)
777 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
778 uint16_t buflen = strlen((char *)buf);
779 Packet *p = NULL;
780 ThreadVars th_v;
781 DetectEngineThreadCtx *det_ctx = NULL;
782 int result = 0;
783
784 memset(&th_v, 0, sizeof(th_v));
785 Flow f;
786 memset(&f, 0, sizeof(Flow));
787
788 FLOW_INITIALIZE(&f);
789
790 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
791 p->flow = &f;
792 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
793
794 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
795 if (de_ctx == NULL) {
796 goto end;
797 }
798
799 de_ctx->flags |= DE_QUIET;
800
801 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"klmnop\"; content:\"1234\"; sid:1;)");
802 if (de_ctx->sig_list == NULL) {
803 result = 0;
804 goto end;
805 }
806
807 SigGroupBuild(de_ctx);
808 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
809
810 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
811 if (PacketAlertCheck(p, 1))
812 result = 1;
813 else
814 result = 0;
815
816 if (det_ctx != NULL)
817 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
818end:
819 UTHFreePackets(&p, 1);
820 if (de_ctx != NULL) {
821 SigGroupCleanup(de_ctx);
822 SigCleanSignatures(de_ctx);
823 DetectEngineCtxFree(de_ctx);
824 }
825 FLOW_DESTROY(&f);
826 return result;
827}
828
829static int SigTest13 (void)
830{
831 uint8_t *buf = (uint8_t *)
832 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
833 uint16_t buflen = strlen((char *)buf);
834 Packet *p = NULL;
835 ThreadVars th_v;
836 DetectEngineThreadCtx *det_ctx = NULL;
837 int result = 0;
838
839 memset(&th_v, 0, sizeof(th_v));
840 Flow f;
841 memset(&f, 0, sizeof(Flow));
842
843 FLOW_INITIALIZE(&f);
844
845 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
846 p->flow = &f;
847 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
848
849 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
850 if (de_ctx == NULL) {
851 goto end;
852 }
853
854 de_ctx->flags |= DE_QUIET;
855
856 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; sid:1;)");
857 if (de_ctx->sig_list == NULL) {
858 result = 0;
859 goto end;
860 }
861
862 SigGroupBuild(de_ctx);
863 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
864
865 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
866 if (PacketAlertCheck(p, 1))
867 result = 1;
868 else
869 result = 0;
870
871 SigGroupCleanup(de_ctx);
872 SigCleanSignatures(de_ctx);
873 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
874 DetectEngineCtxFree(de_ctx);
875end:
876 UTHFreePackets(&p, 1);
877 FLOW_DESTROY(&f);
878 return result;
879}
880
881static int SigTest14 (void)
882{
883 uint8_t *buf = (uint8_t *)
884 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+";
885 uint16_t buflen = strlen((char *)buf);
886 Packet *p = NULL;
887 ThreadVars th_v;
888 DetectEngineThreadCtx *det_ctx = NULL;
889 int result = 0;
890
891 memset(&th_v, 0, sizeof(th_v));
892
893 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
894
895 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
896 if (de_ctx == NULL) {
897 goto end;
898 }
899
900 de_ctx->flags |= DE_QUIET;
901
902 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Content order test\"; content:\"ABCDEFGHIJ\"; content:\"1234\"; content:\"klmnop\"; distance:0; sid:1;)");
903 if (de_ctx->sig_list == NULL) {
904 result = 0;
905 goto end;
906 }
907
908 SigGroupBuild(de_ctx);
909 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
910
911 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
912 if (PacketAlertCheck(p, 1))
913 result = 0;
914 else
915 result = 1;
916
917 SigGroupCleanup(de_ctx);
918 SigCleanSignatures(de_ctx);
919 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
920 DetectEngineCtxFree(de_ctx);
921end:
922 UTHFreePackets(&p, 1);
923 return result;
924}
925
926static int SigTest15 (void)
927{
928 uint8_t *buf = (uint8_t *)
929 "CONNECT 213.92.8.7:31204 HTTP/1.1";
930 uint16_t buflen = strlen((char *)buf);
931 Packet *p = PacketGetFromAlloc();
932 if (unlikely(p == NULL))
933 return 0;
934 ThreadVars th_v;
935 DetectEngineThreadCtx *det_ctx = NULL;
936 int result = 0;
937
938 memset(&th_v, 0, sizeof(th_v));
939 p->src.family = AF_INET;
940 p->dst.family = AF_INET;
941 p->payload = buf;
942 p->payload_len = buflen;
943 p->proto = IPPROTO_TCP;
944 p->dp = 80;
945
946 SCConfCreateContextBackup();
947 SCConfInit();
948 SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
949
950 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
951 if (de_ctx == NULL) {
952 goto end;
953 }
954
955 de_ctx->flags |= DE_QUIET;
956
957 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
958 if (de_ctx->sig_list == NULL) {
959 result = 0;
960 goto end;
961 }
962
963 SigGroupBuild(de_ctx);
964 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
965
966 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
967 if (PacketAlertCheck(p, 2008284))
968 result = 0;
969 else
970 result = 1;
971
972 SigGroupCleanup(de_ctx);
973 SigCleanSignatures(de_ctx);
974 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
975 DetectEngineCtxFree(de_ctx);
976end:
977 SCConfDeInit();
978 SCConfRestoreContextBackup();
979 SCFree(p);
980 return result;
981}
982
983static int SigTest16 (void)
984{
985 uint8_t *buf = (uint8_t *)
986 "CONNECT 213.92.8.7:31204 HTTP/1.1";
987 uint16_t buflen = strlen((char *)buf);
988 Packet *p = NULL;
989 ThreadVars th_v;
990 DetectEngineThreadCtx *det_ctx = NULL;
991 int result = 0;
992
993 memset(&th_v, 0, sizeof(th_v));
994 memset(&p, 0, sizeof(p));
995
996 p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 1234);
997
998 SCConfCreateContextBackup();
999 SCConfInit();
1000 SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1001
1002 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1003 if (de_ctx == NULL) {
1004 goto end;
1005 }
1006
1007 de_ctx->flags |= DE_QUIET;
1008
1009 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
1010 if (de_ctx->sig_list == NULL) {
1011 goto end;
1012 }
1013
1014 SigGroupBuild(de_ctx);
1015 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1016
1017 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1018 if (PacketAlertCheck(p, 2008284))
1019 result = 1;
1020 else
1021 printf("sid:2008284 %s: ", PacketAlertCheck(p, 2008284) ? "OK" : "FAIL");
1022
1023 SigGroupCleanup(de_ctx);
1024 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1025 DetectEngineCtxFree(de_ctx);
1026end:
1027 SCConfDeInit();
1028 SCConfRestoreContextBackup();
1029 UTHFreePackets(&p, 1);
1030 return result;
1031}
1032
1033static int SigTest17 (void)
1034{
1035 uint8_t *buf = (uint8_t *)
1036 "GET /one/ HTTP/1.1\r\n" /* 20 */
1037 "Host: one.example.org\r\n" /* 23, 43 */
1038 "\r\n\r\n" /* 4, 47 */
1039 "GET /two/ HTTP/1.1\r\n" /* 20, 67 */
1040 "Host: two.example.org\r\n" /* 23, 90 */
1041 "\r\n\r\n"; /* 4, 94 */
1042 uint16_t buflen = strlen((char *)buf);
1043 Packet *p = NULL;
1044 ThreadVars th_v;
1045 DetectEngineThreadCtx *det_ctx = NULL;
1046 memset(&th_v, 0, sizeof(th_v));
1047
1048 p = UTHBuildPacketSrcDstPorts((uint8_t *)buf, buflen, IPPROTO_TCP, 12345, 80);
1049 FAIL_IF_NULL(p);
1050
1051 SCConfCreateContextBackup();
1052 SCConfInit();
1053 SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1054
1055 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1056 FAIL_IF_NULL(de_ctx);
1057 de_ctx->flags |= DE_QUIET;
1058
1059 Signature *s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any $HTTP_PORTS (msg:\"HTTP host cap\"; content:\"Host:\"; pcre:\"/^Host: (?P<pkt_http_host>.*)\\r\\n/m\"; noalert; sid:1;)");
1060 FAIL_IF_NULL(s);
1061
1062 SigGroupBuild(de_ctx);
1063 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1064 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1065
1066 uint32_t capid = VarNameStoreLookupByName("http_host", VAR_TYPE_PKT_VAR);
1067 PktVar *pv_hn = PktVarGet(p, capid);
1068 FAIL_IF_NULL(pv_hn);
1069 FAIL_IF(pv_hn->value_len != 15);
1070 FAIL_IF_NOT(memcmp(pv_hn->value, "one.example.org", pv_hn->value_len) == 0);
1071
1072 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1073 DetectEngineCtxFree(de_ctx);
1074 SCConfDeInit();
1075 SCConfRestoreContextBackup();
1076 UTHFreePackets(&p, 1);
1077
1078 PASS;
1079}
1080
1081static int SigTest18 (void)
1082{
1083 uint8_t *buf = (uint8_t *)
1084 "220 (vsFTPd 2.0.5)\r\n";
1085 uint16_t buflen = strlen((char *)buf);
1086 Packet *p = PacketGetFromAlloc();
1087 if (unlikely(p == NULL))
1088 return 0;
1089 ThreadVars th_v;
1090 DetectEngineThreadCtx *det_ctx = NULL;
1091 int result = 0;
1092
1093 memset(&th_v, 0, sizeof(th_v));
1094 p->src.family = AF_INET;
1095 p->dst.family = AF_INET;
1096 p->payload = buf;
1097 p->payload_len = buflen;
1098 p->proto = IPPROTO_TCP;
1099 p->dp = 34260;
1100 p->sp = 21;
1101
1102 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1103 if (de_ctx == NULL) {
1104 goto end;
1105 }
1106
1107 de_ctx->flags |= DE_QUIET;
1108
1109 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
1110 if (de_ctx->sig_list == NULL) {
1111 result = 0;
1112 goto end;
1113 }
1114
1115 SigGroupBuild(de_ctx);
1116 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1117
1118 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1119 if (!PacketAlertCheck(p, 2003055))
1120 result = 1;
1121 else
1122 printf("signature shouldn't match, but did: ");
1123
1124 SigGroupCleanup(de_ctx);
1125 SigCleanSignatures(de_ctx);
1126 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1127 DetectEngineCtxFree(de_ctx);
1128end:
1129 SCFree(p);
1130 return result;
1131}
1132
1133static int SigTest19 (void)
1134{
1135 uint8_t *buf = (uint8_t *)
1136 "220 (vsFTPd 2.0.5)\r\n";
1137 uint16_t buflen = strlen((char *)buf);
1138 Packet *p = PacketGetFromAlloc();
1139 if (unlikely(p == NULL))
1140 return 0;
1141 ThreadVars th_v;
1142 DetectEngineThreadCtx *det_ctx = NULL;
1143 int result = 0;
1144
1145 memset(&th_v, 0, sizeof(th_v));
1146 p->src.family = AF_INET;
1147 p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1148 p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1149 p->dst.family = AF_INET;
1150 p->payload = buf;
1151 p->payload_len = buflen;
1152 p->proto = IPPROTO_TCP;
1153 p->dp = 34260;
1154 p->sp = 21;
1155 p->flowflags |= FLOW_PKT_TOSERVER;
1156
1157 SCConfCreateContextBackup();
1158 SCConfInit();
1159 SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1160
1161 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1162 if (de_ctx == NULL) {
1163 goto end;
1164 }
1165
1166 de_ctx->flags |= DE_QUIET;
1167
1168 de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> 1.2.3.4 any (msg:\"IP-ONLY test (1)\"; sid:999; rev:1;)");
1169 if (de_ctx->sig_list == NULL) {
1170 result = 0;
1171 goto end;
1172 }
1173
1174 SigGroupBuild(de_ctx);
1175 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1176
1177 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1178 if (PacketAlertCheck(p, 999))
1179 result = 1;
1180 else
1181 printf("signature didn't match, but should have: ");
1182
1183 SigGroupCleanup(de_ctx);
1184 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1185 DetectEngineCtxFree(de_ctx);
1186end:
1187 SCConfDeInit();
1188 SCConfRestoreContextBackup();
1189 SCFree(p);
1190 return result;
1191}
1192
1193static int SigTest20 (void)
1194{
1195 uint8_t *buf = (uint8_t *)
1196 "220 (vsFTPd 2.0.5)\r\n";
1197 uint16_t buflen = strlen((char *)buf);
1198 Packet *p = PacketGetFromAlloc();
1199 if (unlikely(p == NULL))
1200 return 0;
1201 ThreadVars th_v;
1202 DetectEngineThreadCtx *det_ctx = NULL;
1203 int result = 0;
1204
1205 memset(&th_v, 0, sizeof(th_v));
1206 p->src.family = AF_INET;
1207 p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
1208 p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
1209 p->dst.family = AF_INET;
1210 p->payload = buf;
1211 p->payload_len = buflen;
1212 p->proto = IPPROTO_TCP;
1213 p->dp = 34260;
1214 p->sp = 21;
1215 p->flowflags |= FLOW_PKT_TOSERVER;
1216
1217 SCConfCreateContextBackup();
1218 SCConfInit();
1219 SCConfYamlLoadString(dummy_conf_string, strlen(dummy_conf_string));
1220
1221 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1222 if (de_ctx == NULL) {
1223 goto end;
1224 }
1225
1226 de_ctx->flags |= DE_QUIET;
1227
1228 de_ctx->sig_list = SigInit(de_ctx,"alert ip $HOME_NET any -> [99.99.99.99,1.2.3.0/24,1.1.1.1,3.0.0.0/8] any (msg:\"IP-ONLY test (2)\"; sid:999; rev:1;)");
1229 if (de_ctx->sig_list == NULL) {
1230 result = 0;
1231 goto end;
1232 }
1233
1234 SigGroupBuild(de_ctx);
1235 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1236
1237 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1238 if (PacketAlertCheck(p, 999))
1239 result = 1;
1240 else
1241 printf("signature didn't match, but should have: ");
1242
1243 SigGroupCleanup(de_ctx);
1244 SigCleanSignatures(de_ctx);
1245 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1246 DetectEngineCtxFree(de_ctx);
1247end:
1248 SCConfDeInit();
1249 SCConfRestoreContextBackup();
1250 SCFree(p);
1251 return result;
1252}
1253
1254static int SigTest21 (void)
1255{
1256 ThreadVars th_v;
1257 memset(&th_v, 0, sizeof(th_v));
1258 DetectEngineThreadCtx *det_ctx = NULL;
1259 int result = 0;
1260
1261 Flow f;
1262 memset(&f, 0, sizeof(f));
1263 FLOW_INITIALIZE(&f);
1264
1265 /* packet 1 */
1266 uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1267 "\r\n\r\n";
1268 uint16_t buf1len = strlen((char *)buf1);
1269 Packet *p1 = NULL;
1270 /* packet 2 */
1271 uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1272 "\r\n\r\n";
1273 uint16_t buf2len = strlen((char *)buf2);
1274 Packet *p2 = NULL;
1275
1276 p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1277 p1->flow = &f;
1278 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1279 p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1280 p2->flow = &f;
1281 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1282
1283 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1284 if (de_ctx == NULL) {
1285 goto end;
1286 }
1287
1288 de_ctx->flags |= DE_QUIET;
1289
1290 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1291 if (de_ctx->sig_list == NULL) {
1292 result = 0;
1293 goto end;
1294 }
1295 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1296 if (de_ctx->sig_list == NULL) {
1297 result = 0;
1298 goto end;
1299 }
1300
1301 SigGroupBuild(de_ctx);
1302 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1303
1304 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1305 if (PacketAlertCheck(p1, 1)) {
1306 printf("sid 1 alerted, but shouldn't: ");
1307 goto end;
1308 }
1309 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1310 if (!(PacketAlertCheck(p2, 2))) {
1311 printf("sid 2 didn't alert, but should have: ");
1312 goto end;
1313 }
1314
1315 result = 1;
1316end:
1317 if (de_ctx != NULL) {
1318 SigGroupCleanup(de_ctx);
1319 SigCleanSignatures(de_ctx);
1320
1321 if (det_ctx != NULL) {
1322 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1323 }
1324 }
1325 DetectEngineCtxFree(de_ctx);
1326 UTHFreePackets(&p1, 1);
1327 UTHFreePackets(&p2, 1);
1328 FLOW_DESTROY(&f);
1329 return result;
1330}
1331
1332static int SigTest22 (void)
1333{
1334 ThreadVars th_v;
1335 memset(&th_v, 0, sizeof(th_v));
1336 DetectEngineThreadCtx *det_ctx = NULL;
1337 int result = 0;
1338
1339 Flow f;
1340 memset(&f, 0, sizeof(f));
1341 FLOW_INITIALIZE(&f);
1342
1343 /* packet 1 */
1344 uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1345 "\r\n\r\n";
1346 uint16_t buf1len = strlen((char *)buf1);
1347 Packet *p1 = NULL;
1348
1349 p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1350 p1->flow = &f;
1351 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1352
1353 /* packet 2 */
1354 uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1355 "\r\n\r\n";
1356 uint16_t buf2len = strlen((char *)buf2);
1357 Packet *p2 = NULL;
1358
1359 p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1360 p2->flow = &f;
1361 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1362
1363 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1364 if (de_ctx == NULL) {
1365 goto end;
1366 }
1367
1368 de_ctx->flags |= DE_QUIET;
1369
1370 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:set,TEST.one; flowbits:noalert; sid:1;)");
1371 if (de_ctx->sig_list == NULL) {
1372 result = 0;
1373 goto end;
1374 }
1375 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.abc; sid:2;)");
1376 if (de_ctx->sig_list == NULL) {
1377 result = 0;
1378 goto end;
1379 }
1380
1381 SigGroupBuild(de_ctx);
1382 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1383
1384 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1385 if (PacketAlertCheck(p1, 1)) {
1386 printf("sid 1 alerted, but shouldn't: ");
1387 goto end;
1388 }
1389 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1390 if (!(PacketAlertCheck(p2, 2)))
1391 result = 1;
1392 else
1393 printf("sid 2 alerted, but shouldn't: ");
1394
1395 SigGroupCleanup(de_ctx);
1396 SigCleanSignatures(de_ctx);
1397
1398 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1399 DetectEngineCtxFree(de_ctx);
1400end:
1401 UTHFreePackets(&p1, 1);
1402 UTHFreePackets(&p2, 1);
1403 FLOW_DESTROY(&f);
1404 return result;
1405}
1406
1407static int SigTest23 (void)
1408{
1409 ThreadVars th_v;
1410 memset(&th_v, 0, sizeof(th_v));
1411 DetectEngineThreadCtx *det_ctx = NULL;
1412 int result = 0;
1413
1414 Flow f;
1415 memset(&f, 0, sizeof(f));
1416 FLOW_INITIALIZE(&f);
1417
1418 /* packet 1 */
1419 uint8_t *buf1 = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1420 "\r\n\r\n";
1421 uint16_t buf1len = strlen((char *)buf1);
1422 Packet *p1 = NULL;
1423
1424 p1 = UTHBuildPacket((uint8_t *)buf1, buf1len, IPPROTO_TCP);
1425 p1->flow = &f;
1426 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1427
1428 /* packet 2 */
1429 uint8_t *buf2 = (uint8_t *)"GET /two/ HTTP/1.0\r\n"
1430 "\r\n\r\n";
1431 uint16_t buf2len = strlen((char *)buf2);
1432 Packet *p2 = NULL;
1433
1434 p2 = UTHBuildPacket((uint8_t *)buf2, buf2len, IPPROTO_TCP);
1435 p2->flow = &f;
1436 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
1437
1438 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1439 if (de_ctx == NULL) {
1440 goto end;
1441 }
1442
1443 de_ctx->flags |= DE_QUIET;
1444
1445 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT SET\"; content:\"/one/\"; flowbits:toggle,TEST.one; flowbits:noalert; sid:1;)");
1446 if (de_ctx->sig_list == NULL) {
1447 result = 0;
1448 goto end;
1449 }
1450 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"FLOWBIT TEST\"; content:\"/two/\"; flowbits:isset,TEST.one; sid:2;)");
1451 if (de_ctx->sig_list == NULL) {
1452 result = 0;
1453 goto end;
1454 }
1455
1456 SigGroupBuild(de_ctx);
1457 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1458
1459 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1460 if (PacketAlertCheck(p1, 1)) {
1461 printf("sid 1 alerted, but shouldn't: ");
1462 goto end;
1463 }
1464 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1465 if (PacketAlertCheck(p2, 2))
1466 result = 1;
1467 else
1468 printf("sid 2 didn't alert, but should have: ");
1469
1470 SigGroupCleanup(de_ctx);
1471 SigCleanSignatures(de_ctx);
1472
1473 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1474 DetectEngineCtxFree(de_ctx);
1475end:
1476 UTHFreePackets(&p1, 1);
1477 UTHFreePackets(&p2, 1);
1478 FLOW_DESTROY(&f);
1479 return result;
1480}
1481
1482static int SigTest24IPV4Keyword(void)
1483{
1484 uint8_t valid_raw_ipv4[] = {
1485 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1486 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1487 0xc0, 0xa8, 0x01, 0x03};
1488
1489 uint8_t invalid_raw_ipv4[] = {
1490 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1491 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1492 0xc0, 0xa8, 0x01, 0x06};
1493
1494 Packet *p1 = PacketGetFromAlloc();
1495 if (unlikely(p1 == NULL))
1496 return 0;
1497 Packet *p2 = PacketGetFromAlloc();
1498 if (unlikely(p2 == NULL)) {
1499 SCFree(p1);
1500 return 0;
1501 }
1502 ThreadVars th_v;
1503 DetectEngineThreadCtx *det_ctx = NULL;
1504 int result = 0;
1505
1506 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1507 "\r\n\r\n";
1508 uint16_t buflen = strlen((char *)buf);
1509
1510 memset(&th_v, 0, sizeof(ThreadVars));
1511
1512 PacketSetIPV4(p1, valid_raw_ipv4);
1513 p1->src.family = AF_INET;
1514 p1->dst.family = AF_INET;
1515 p1->payload = buf;
1516 p1->payload_len = buflen;
1517 p1->proto = IPPROTO_TCP;
1518
1519 PacketSetIPV4(p2, invalid_raw_ipv4);
1520 p2->src.family = AF_INET;
1521 p2->dst.family = AF_INET;
1522 p2->payload = buf;
1523 p2->payload_len = buflen;
1524 p2->proto = IPPROTO_TCP;
1525
1526 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1527 if (de_ctx == NULL) {
1528 goto end;
1529 }
1530
1531 de_ctx->flags |= DE_QUIET;
1532
1533 de_ctx->sig_list = SigInit(de_ctx,
1534 "alert ip any any -> any any "
1535 "(content:\"/one/\"; ipv4-csum:valid; "
1536 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1537 if (de_ctx->sig_list == NULL) {
1538 printf("sig 1 parse: ");
1539 goto end;
1540 }
1541
1542 de_ctx->sig_list->next = SigInit(de_ctx,
1543 "alert ip any any -> any any "
1544 "(content:\"/one/\"; ipv4-csum:invalid; "
1545 "msg:\"ipv4-csum keyword check(1)\"; "
1546 "sid:2;)");
1547 if (de_ctx->sig_list->next == NULL) {
1548 printf("sig 2 parse: ");
1549 goto end;
1550 }
1551
1552 SigGroupBuild(de_ctx);
1553 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1554
1555 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1556 if (!(PacketAlertCheck(p1, 1))) {
1557 printf("signature 1 didn't match, but should have: ");
1558 goto end;
1559 }
1560
1561 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1562 if (!((PacketAlertCheck(p2, 2)))) {
1563 printf("signature 2 didn't match, but should have: ");
1564 goto end;
1565 }
1566
1567 result = 1;
1568end:
1569 if (det_ctx != NULL) {
1570 SigGroupCleanup(de_ctx);
1571 SigCleanSignatures(de_ctx);
1572 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1573 DetectEngineCtxFree(de_ctx);
1574 }
1575 SCFree(p1);
1576 SCFree(p2);
1577 return result;
1578}
1579
1580static int SigTest25NegativeIPV4Keyword(void)
1581{
1582 uint8_t valid_raw_ipv4[] = {
1583 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1584 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1585 0xc0, 0xa8, 0x01, 0x03};
1586
1587 uint8_t invalid_raw_ipv4[] = {
1588 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
1589 0x40, 0x01, 0xb7, 0x52, 0xc0, 0xa8, 0x01, 0x03,
1590 0xc0, 0xa8, 0x01, 0x06};
1591
1592 Packet *p1 = PacketGetFromAlloc();
1593 if (unlikely(p1 == NULL))
1594 return 0;
1595 Packet *p2 = PacketGetFromAlloc();
1596 if (unlikely(p2 == NULL)) {
1597 SCFree(p1);
1598 return 0;
1599 }
1600 ThreadVars th_v;
1601 DetectEngineThreadCtx *det_ctx = NULL;
1602 int result = 1;
1603
1604 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
1605 "\r\n\r\n";
1606 uint16_t buflen = strlen((char *)buf);
1607
1608 memset(&th_v, 0, sizeof(ThreadVars));
1609
1610 PacketSetIPV4(p1, valid_raw_ipv4);
1611 p1->src.family = AF_INET;
1612 p1->dst.family = AF_INET;
1613 p1->payload = buf;
1614 p1->payload_len = buflen;
1615 p1->proto = IPPROTO_TCP;
1616
1617 PacketSetIPV4(p2, invalid_raw_ipv4);
1618 p2->src.family = AF_INET;
1619 p2->dst.family = AF_INET;
1620 p2->payload = buf;
1621 p2->payload_len = buflen;
1622 p2->proto = IPPROTO_TCP;
1623
1624 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1625 if (de_ctx == NULL) {
1626 goto end;
1627 }
1628
1629 de_ctx->flags |= DE_QUIET;
1630
1631 de_ctx->sig_list = SigInit(de_ctx,
1632 "alert ip any any -> any any "
1633 "(content:\"/one/\"; ipv4-csum:invalid; "
1634 "msg:\"ipv4-csum keyword check(1)\"; sid:1;)");
1635 if (de_ctx->sig_list == NULL) {
1636 result &= 0;
1637 goto end;
1638 }
1639
1640 de_ctx->sig_list->next = SigInit(de_ctx,
1641 "alert ip any any -> any any "
1642 "(content:\"/one/\"; ipv4-csum:valid; "
1643 "msg:\"ipv4-csum keyword check(1)\"; "
1644 "sid:2;)");
1645 if (de_ctx->sig_list->next == NULL) {
1646 result &= 0;
1647 goto end;
1648 }
1649
1650 SigGroupBuild(de_ctx);
1651 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1652
1653 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1654 if (PacketAlertCheck(p1, 1))
1655 result &= 0;
1656 else
1657 result &= 1;
1658
1659 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1660 if (PacketAlertCheck(p2, 2))
1661 result &= 0;
1662 else
1663 result &= 1;
1664
1665 SigGroupCleanup(de_ctx);
1666 SigCleanSignatures(de_ctx);
1667 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1668 DetectEngineCtxFree(de_ctx);
1669end:
1670 SCFree(p1);
1671 SCFree(p2);
1672 return result;
1673}
1674
1675static int SigTest26TCPV4Keyword(void)
1676{
1677 uint8_t raw_ipv4[] = {
1678 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1679 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1680 0xc0, 0xa8, 0x01, 0x03};
1681
1682 uint8_t valid_raw_tcp[] = {
1683 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1684 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1685 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1686 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1687 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1688
1689 uint8_t invalid_raw_tcp[] = {
1690 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1691 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1692 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1693 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1694 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1695
1696 Packet *p1 = PacketGetFromAlloc();
1697 if (unlikely(p1 == NULL))
1698 return 0;
1699
1700 Packet *p2 = PacketGetFromAlloc();
1701 if (unlikely(p2 == NULL)) {
1702 SCFree(p1);
1703 return 0;
1704 }
1705
1706 ThreadVars th_v;
1707 DetectEngineThreadCtx *det_ctx = NULL;
1708
1709 memset(&th_v, 0, sizeof(ThreadVars));
1710
1711 PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1712 PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1713
1714 PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1715 PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1716
1717 PacketSetIPV4(p1, GET_PKT_DATA(p1));
1718 PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1719 p1->src.family = AF_INET;
1720 p1->dst.family = AF_INET;
1721 p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1722 p1->payload_len = 20;
1723 p1->proto = IPPROTO_TCP;
1724
1725 PacketSetIPV4(p2, GET_PKT_DATA(p2));
1726 PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1727 p2->src.family = AF_INET;
1728 p2->dst.family = AF_INET;
1729 p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1730 p2->payload_len = 20;
1731 p2->proto = IPPROTO_TCP;
1732
1733 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1734 FAIL_IF_NULL(de_ctx);
1735
1736 de_ctx->flags |= DE_QUIET;
1737
1738 de_ctx->sig_list = SigInit(de_ctx,
1739 "alert ip any any -> any any "
1740 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1741 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
1742 FAIL_IF_NULL(de_ctx->sig_list);
1743
1744 de_ctx->sig_list->next = SigInit(de_ctx,
1745 "alert ip any any -> any any "
1746 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1747 "msg:\"tcpv4-csum keyword check(1)\"; "
1748 "sid:2;)");
1749 FAIL_IF_NULL(de_ctx->sig_list->next);
1750
1751 SigGroupBuild(de_ctx);
1752 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1753
1754 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1755 FAIL_IF(!(PacketAlertCheck(p1, 1)));
1756
1757 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1758 FAIL_IF(!(PacketAlertCheck(p2, 2)));
1759
1760 SigGroupCleanup(de_ctx);
1761 SigCleanSignatures(de_ctx);
1762 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1763 DetectEngineCtxFree(de_ctx);
1764 SCFree(p1);
1765 SCFree(p2);
1766 PASS;
1767}
1768
1769/* Test SigTest26TCPV4Keyword but also check for invalid IPV4 checksum */
1770static int SigTest26TCPV4AndNegativeIPV4Keyword(void)
1771{
1772 uint8_t raw_ipv4[] = {
1773 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1774 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
1775 0xc0, 0xa8, 0x01, 0x03};
1776
1777 uint8_t valid_raw_tcp[] = {
1778 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1779 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1780 0x4A, 0x04, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1781 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1782 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
1783
1784 uint8_t invalid_raw_tcp[] = {
1785 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
1786 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
1787 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1788 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
1789 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
1790
1791 Packet *p1 = PacketGetFromAlloc();
1792 if (unlikely(p1 == NULL))
1793 return 0;
1794
1795 Packet *p2 = PacketGetFromAlloc();
1796 if (unlikely(p2 == NULL)) {
1797 SCFree(p1);
1798 return 0;
1799 }
1800
1801 ThreadVars th_v;
1802 DetectEngineThreadCtx *det_ctx = NULL;
1803 int result = 0;
1804
1805 memset(&th_v, 0, sizeof(ThreadVars));
1806
1807 PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1808 PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1809
1810 PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1811 PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1812
1813 PacketSetIPV4(p1, GET_PKT_DATA(p1));
1814 PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1815 p1->src.family = AF_INET;
1816 p1->dst.family = AF_INET;
1817 p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
1818 p1->payload_len = 20;
1819 p1->proto = IPPROTO_TCP;
1820
1821 PacketSetIPV4(p2, GET_PKT_DATA(p2));
1822 PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1823 p2->src.family = AF_INET;
1824 p2->dst.family = AF_INET;
1825 p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
1826 p2->payload_len = 20;
1827 p2->proto = IPPROTO_TCP;
1828
1829 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1830 if (de_ctx == NULL) {
1831 goto end;
1832 }
1833
1834 de_ctx->flags |= DE_QUIET;
1835
1836 de_ctx->sig_list = SigInit(de_ctx,
1837 "alert ip any any -> any any "
1838 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
1839 "ipv4-csum:invalid; "
1840 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1841 if (de_ctx->sig_list == NULL) {
1842 goto end;
1843 }
1844
1845 de_ctx->sig_list->next = SigInit(de_ctx,
1846 "alert ip any any -> any any "
1847 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; "
1848 "ipv4-csum:invalid; "
1849 "msg:\"tcpv4-csum keyword check(1)\"; "
1850 "sid:2;)");
1851 if (de_ctx->sig_list->next == NULL) {
1852 goto end;
1853 }
1854
1855 SigGroupBuild(de_ctx);
1856 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1857
1858 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1859 if (!(PacketAlertCheck(p1, 1))) {
1860 printf("sig 1 didn't match: ");
1861 goto end;
1862 }
1863
1864 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1865 if (!(PacketAlertCheck(p2, 2))) {
1866 printf("sig 2 didn't match: ");
1867 goto end;
1868 }
1869
1870 result = 1;
1871end:
1872 SigGroupCleanup(de_ctx);
1873 SigCleanSignatures(de_ctx);
1874 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1875 DetectEngineCtxFree(de_ctx);
1876 SCFree(p1);
1877 SCFree(p2);
1878 return result;
1879}
1880
1881/* Similar to SigTest26, but with different packet */
1882static int SigTest26TCPV4AndIPV4Keyword(void)
1883{
1884 /* IPV4: src:192.168.176.67 dst: 192.168.176.116
1885 * TTL: 64 Flags: Don't Fragment
1886 */
1887 uint8_t raw_ipv4[] = {
1888 0x45, 0x00, 0x00, 0x40, 0x9b, 0xa4, 0x40, 0x00,
1889 0x40, 0x06, 0xbd, 0x0a, 0xc0, 0xa8, 0xb0, 0x43,
1890 0xc0, 0xa8, 0xb0, 0x74};
1891
1892 /* TCP: sport: 49517 dport: 445 Flags: SYN
1893 * Window size: 65535, checksum: 0x2009,
1894 * MTU: 1460, Window scale: 4, TSACK permitted,
1895 * 24 bytes of options, no payload.
1896 */
1897 uint8_t valid_raw_tcp[] = {
1898 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1899 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1900 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1901 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1902 0x19, 0x69, 0x81, 0x7e, 0x00, 0x00, 0x00, 0x00,
1903 0x04, 0x02, 0x00, 0x00};
1904
1905 uint8_t invalid_raw_tcp[] = {
1906 0xc1, 0x6d, 0x01, 0xbd, 0x03, 0x10, 0xd3, 0xc9,
1907 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff,
1908 0x20, 0x09, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
1909 0x01, 0x03, 0x03, 0x04, 0x01, 0x01, 0x08, 0x0a,
1910 0x19, 0x69, 0x81, 0x7e, 0xFF, 0xAA, 0x00, 0x00,
1911 0x04, 0x02, 0x00, 0x00};
1912
1913 Packet *p1 = PacketGetFromAlloc();
1914 if (unlikely(p1 == NULL))
1915 return 0;
1916
1917 Packet *p2 = PacketGetFromAlloc();
1918 if (unlikely(p2 == NULL)) {
1919 SCFree(p1);
1920 return 0;
1921 }
1922
1923 ThreadVars th_v;
1924 DetectEngineThreadCtx *det_ctx = NULL;
1925 int result = 0;
1926
1927 memset(&th_v, 0, sizeof(ThreadVars));
1928
1929 PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
1930 PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
1931
1932 PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
1933 PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
1934
1935 PacketSetIPV4(p1, GET_PKT_DATA(p1));
1936 PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
1937 p1->src.family = AF_INET;
1938 p1->dst.family = AF_INET;
1939 p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20 + 24;
1940 p1->payload_len = 0;
1941 p1->proto = IPPROTO_TCP;
1942
1943 PacketSetIPV4(p2, GET_PKT_DATA(p2));
1944 PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
1945 p2->src.family = AF_INET;
1946 p2->dst.family = AF_INET;
1947 p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20 + 24;
1948 p2->payload_len = 0;
1949 p2->proto = IPPROTO_TCP;
1950
1951 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1952 if (de_ctx == NULL) {
1953 goto end;
1954 }
1955
1956 de_ctx->flags |= DE_QUIET;
1957
1958 de_ctx->sig_list = SigInit(de_ctx,
1959 "alert ip any any -> any any "
1960 "(tcpv4-csum:valid; "
1961 "ipv4-csum:valid; "
1962 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; sid:1;)");
1963 if (de_ctx->sig_list == NULL) {
1964 goto end;
1965 }
1966
1967 de_ctx->sig_list->next = SigInit(de_ctx,
1968 "alert ip any any -> any any "
1969 "(tcpv4-csum:invalid; "
1970 "ipv4-csum:valid; "
1971 "msg:\"tcpv4-csum and ipv4-csum keyword check(1)\"; "
1972 "sid:2;)");
1973 if (de_ctx->sig_list->next == NULL) {
1974 goto end;
1975 }
1976
1977 SigGroupBuild(de_ctx);
1978 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
1979
1980 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1981 if (!(PacketAlertCheck(p1, 1))) {
1982 printf("sig 1 didn't match: ");
1983 goto end;
1984 }
1985
1986 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1987 if (!(PacketAlertCheck(p2, 2))) {
1988 printf("sig 2 didn't match: ");
1989 goto end;
1990 }
1991
1992 result = 1;
1993end:
1994 SigGroupCleanup(de_ctx);
1995 SigCleanSignatures(de_ctx);
1996 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1997 DetectEngineCtxFree(de_ctx);
1998 SCFree(p1);
1999 SCFree(p2);
2000 return result;
2001}
2002
2003static int SigTest27NegativeTCPV4Keyword(void)
2004{
2005 uint8_t raw_ipv4[] = {
2006 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2007 0x00, 0x00, 0x00, 0x00, 0x40, 0x8e, 0x7e, 0xb2,
2008 0xc0, 0xa8, 0x01, 0x03};
2009
2010 uint8_t valid_raw_tcp[] = {
2011 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2012 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2013 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2014 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2015 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x02};
2016
2017 uint8_t invalid_raw_tcp[] = {
2018 0x00, 0x50, 0x8e, 0x16, 0x0d, 0x59, 0xcd, 0x3c,
2019 0xcf, 0x0d, 0x21, 0x80, 0x50, 0x12, 0x16, 0xa0,
2020 0xfa, 0x03, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
2021 0x04, 0x02, 0x08, 0x0a, 0x6e, 0x18, 0x78, 0x73,
2022 0x01, 0x71, 0x74, 0xde, 0x01, 0x03, 0x03, 0x03};
2023
2024 Packet *p1 = PacketGetFromAlloc();
2025 if (unlikely(p1 == NULL))
2026 return 0;
2027 Packet *p2 = PacketGetFromAlloc();
2028 if (unlikely(p2 == NULL)) {
2029 SCFree(p1);
2030 return 0;
2031 }
2032 ThreadVars th_v;
2033 DetectEngineThreadCtx *det_ctx = NULL;
2034 int result = 0;
2035
2036 memset(&th_v, 0, sizeof(ThreadVars));
2037
2038 PacketCopyData(p1, raw_ipv4, sizeof(raw_ipv4));
2039 PacketCopyDataOffset(p1, GET_PKT_LEN(p1), valid_raw_tcp, sizeof(valid_raw_tcp));
2040
2041 PacketCopyData(p2, raw_ipv4, sizeof(raw_ipv4));
2042 PacketCopyDataOffset(p2, GET_PKT_LEN(p2), invalid_raw_tcp, sizeof(invalid_raw_tcp));
2043
2044 PacketSetIPV4(p1, GET_PKT_DATA(p1));
2045 PacketSetTCP(p1, (GET_PKT_DATA(p1) + sizeof(raw_ipv4)));
2046 p1->src.family = AF_INET;
2047 p1->dst.family = AF_INET;
2048 p1->payload = (uint8_t *)GET_PKT_DATA(p1) + sizeof(raw_ipv4) + 20;
2049 p1->payload_len = 20;
2050 p1->proto = IPPROTO_TCP;
2051
2052 PacketSetIPV4(p2, GET_PKT_DATA(p2));
2053 PacketSetTCP(p2, (GET_PKT_DATA(p2) + sizeof(raw_ipv4)));
2054 p2->src.family = AF_INET;
2055 p2->dst.family = AF_INET;
2056 p2->payload = (uint8_t *)GET_PKT_DATA(p2) + sizeof(raw_ipv4) + 20;
2057 p2->payload_len = 20;
2058 p2->proto = IPPROTO_TCP;
2059
2060 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2061 if (de_ctx == NULL) {
2062 goto end;
2063 }
2064
2065 de_ctx->flags |= DE_QUIET;
2066
2067 de_ctx->sig_list = SigInit(de_ctx,
2068 "alert tcp any any -> any any "
2069 "(content:\"|DE 01 03|\"; tcpv4-csum:invalid; dsize:20; "
2070 "msg:\"tcpv4-csum keyword check(1)\"; sid:1;)");
2071 if (de_ctx->sig_list == NULL) {
2072 goto end;
2073 }
2074
2075 de_ctx->sig_list->next = SigInit(de_ctx,
2076 "alert tcp any any -> any any "
2077 "(content:\"|DE 01 03|\"; tcpv4-csum:valid; dsize:20; "
2078 "msg:\"tcpv4-csum keyword check(2)\"; "
2079 "sid:2;)");
2080 if (de_ctx->sig_list->next == NULL) {
2081 goto end;
2082 }
2083
2084 SigGroupBuild(de_ctx);
2085 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2086
2087 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2088 if (!PacketAlertCheck(p1, 1)) {
2089 printf("sig 1 didn't match on p1: ");
2090 goto end;
2091 }
2092
2093 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2094 if (PacketAlertCheck(p2, 2)) {
2095 printf("sig 2 matched on p2: ");
2096 goto end;
2097 }
2098
2099 result = 1;
2100end:
2101 SigGroupCleanup(de_ctx);
2102 SigCleanSignatures(de_ctx);
2103 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2104 DetectEngineCtxFree(de_ctx);
2105 SCFree(p1);
2106 SCFree(p2);
2107 return result;
2108}
2109
2110static int SigTest28TCPV6Keyword(void)
2111{
2112 static uint8_t valid_raw_ipv6[] = {
2113 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2114 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2115
2116 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2117 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2118 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2119 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2120 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2121
2122 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2123 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2124 0xf2, 0xf1, 0x00, 0x00,
2125
2126 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2127 0x00, 0x01, 0x69, 0x27};
2128
2129 static uint8_t invalid_raw_ipv6[] = {
2130 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2131 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2132
2133 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2134 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2135 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2136 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2137 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2138
2139 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2140 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2141 0xc2, 0xf1, 0x00, 0x00,
2142
2143 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2144 0x00, 0x01, 0x69, 0x28};
2145
2146 Packet *p1 = PacketGetFromAlloc();
2147 if (unlikely(p1 == NULL))
2148 return 0;
2149 Packet *p2 = PacketGetFromAlloc();
2150 if (unlikely(p2 == NULL)) {
2151 SCFree(p1);
2152 return 0;
2153 }
2154 ThreadVars th_v;
2155 DetectEngineThreadCtx *det_ctx = NULL;
2156 int result = 0;
2157
2158 memset(&th_v, 0, sizeof(ThreadVars));
2159
2160 PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2161 PacketSetTCP(p1, (valid_raw_ipv6 + 54));
2162 p1->src.family = AF_INET;
2163 p1->dst.family = AF_INET;
2164 p1->payload = valid_raw_ipv6 + 54 + 20;
2165 p1->payload_len = 12;
2166 p1->proto = IPPROTO_TCP;
2167
2168 if (TCP_GET_RAW_HLEN(PacketGetTCP(p1)) != 20) {
2169 BUG_ON(1);
2170 }
2171
2172 PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2173 PacketSetTCP(p2, (invalid_raw_ipv6 + 54));
2174 p2->src.family = AF_INET;
2175 p2->dst.family = AF_INET;
2176 p2->payload = invalid_raw_ipv6 + 54 + 20;
2177 p2->payload_len = 12;
2178 p2->proto = IPPROTO_TCP;
2179
2180 if (TCP_GET_RAW_HLEN(PacketGetTCP(p2)) != 20) {
2181 BUG_ON(1);
2182 }
2183
2184 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2185 if (de_ctx == NULL) {
2186 goto end;
2187 }
2188
2189 de_ctx->flags |= DE_QUIET;
2190
2191 de_ctx->sig_list = SigInit(de_ctx,
2192 "alert tcp any any -> any any "
2193 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2194 "msg:\"tcpv6-csum keyword check(1)\"; sid:1;)");
2195 if (de_ctx->sig_list == NULL) {
2196 goto end;
2197 }
2198
2199 de_ctx->sig_list->next = SigInit(de_ctx,
2200 "alert tcp any any -> any any "
2201 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2202 "msg:\"tcpv6-csum keyword check(1)\"; "
2203 "sid:2;)");
2204 if (de_ctx->sig_list->next == NULL) {
2205 goto end;
2206 }
2207
2208 SigGroupBuild(de_ctx);
2209 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2210
2211 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2212 if (!(PacketAlertCheck(p1, 1))) {
2213 printf("sid 1 didn't match on p1: ");
2214 goto end;
2215 }
2216
2217 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2218 if (!(PacketAlertCheck(p2, 2))) {
2219 printf("sid 2 didn't match on p2: ");
2220 goto end;
2221 }
2222
2223 result = 1;
2224end:
2225 SigGroupCleanup(de_ctx);
2226 SigCleanSignatures(de_ctx);
2227 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2228 DetectEngineCtxFree(de_ctx);
2229 SCFree(p1);
2230 SCFree(p2);
2231 return result;
2232}
2233
2234static int SigTest29NegativeTCPV6Keyword(void)
2235{
2236 static uint8_t valid_raw_ipv6[] = {
2237 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2238 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2239
2240 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2241 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2242 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2243 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2244 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2245
2246 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2247 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2248 0xf2, 0xf1, 0x00, 0x00,
2249
2250 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2251 0x00, 0x01, 0x69, 0x27};
2252
2253 static uint8_t invalid_raw_ipv6[] = {
2254 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2255 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd,
2256
2257 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x40,
2258 0x3f, 0xfe, 0x05, 0x07, 0x00, 0x00, 0x00, 0x01,
2259 0x02, 0x00, 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda,
2260 0x3f, 0xfe, 0x05, 0x01, 0x04, 0x10, 0x00, 0x00,
2261 0x02, 0xc0, 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e,
2262
2263 0x03, 0xfe, 0x00, 0x16, 0xd6, 0x76, 0xf5, 0x2d,
2264 0x0c, 0x7a, 0x08, 0x77, 0x50, 0x10, 0x21, 0x5c,
2265 0xc2, 0xf1, 0x00, 0x00,
2266
2267 0x01, 0x01, 0x08, 0x0a, 0x00, 0x08, 0xca, 0x5a,
2268 0x00, 0x01, 0x69, 0x28};
2269
2270 Packet *p1 = PacketGetFromAlloc();
2271 if (unlikely(p1 == NULL))
2272 return 0;
2273 Packet *p2 = PacketGetFromAlloc();
2274 if (unlikely(p2 == NULL)) {
2275 SCFree(p1);
2276 return 0;
2277 }
2278 ThreadVars th_v;
2279 DetectEngineThreadCtx *det_ctx = NULL;
2280 int result = 0;
2281
2282 memset(&th_v, 0, sizeof(ThreadVars));
2283
2284 PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2285 PacketSetTCP(p1, valid_raw_ipv6 + 54);
2286 p1->src.family = AF_INET;
2287 p1->dst.family = AF_INET;
2288 p1->payload = valid_raw_ipv6 + 54 + 20;
2289 p1->payload_len = 12;
2290 p1->proto = IPPROTO_TCP;
2291
2292 if (TCP_GET_RAW_HLEN(PacketGetTCP(p1)) != 20) {
2293 BUG_ON(1);
2294 }
2295
2296 PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2297 PacketSetTCP(p2, invalid_raw_ipv6 + 54);
2298 p2->src.family = AF_INET;
2299 p2->dst.family = AF_INET;
2300 p2->payload = invalid_raw_ipv6 + 54 + 20;
2301 p2->payload_len = 12;
2302 p2->proto = IPPROTO_TCP;
2303
2304 FAIL_IF(TCP_GET_RAW_HLEN(PacketGetTCP(p2)) != 20);
2305
2306 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2307 if (de_ctx == NULL) {
2308 goto end;
2309 }
2310
2311 de_ctx->flags |= DE_QUIET;
2312
2313 de_ctx->sig_list = SigInit(de_ctx,
2314 "alert tcp any any -> any any "
2315 "(content:\"|00 01 69|\"; tcpv6-csum:invalid; dsize:12; "
2316 "msg:\"tcpv6-csum keyword check(1)\"; "
2317 "sid:1;)");
2318 if (de_ctx->sig_list == NULL) {
2319 goto end;
2320 }
2321
2322 de_ctx->sig_list->next = SigInit(de_ctx,
2323 "alert tcp any any -> any any "
2324 "(content:\"|00 01 69|\"; tcpv6-csum:valid; dsize:12; "
2325 "msg:\"tcpv6-csum keyword check(1)\"; "
2326 "sid:2;)");
2327 if (de_ctx->sig_list->next == NULL) {
2328 goto end;
2329 }
2330
2331 SigGroupBuild(de_ctx);
2332 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2333
2334 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2335 if (PacketAlertCheck(p1, 1))
2336 goto end;
2337
2338 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2339 if (PacketAlertCheck(p2, 2))
2340 goto end;
2341
2342 result = 1;
2343end:
2344 SigGroupCleanup(de_ctx);
2345 SigCleanSignatures(de_ctx);
2346 if (det_ctx != NULL)
2347 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2348 DetectEngineCtxFree(de_ctx);
2349 SCFree(p1);
2350 SCFree(p2);
2351 return result;
2352}
2353
2354static int SigTest30UDPV4Keyword(void)
2355{
2356 uint8_t raw_ipv4[] = {
2357 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2358 0x00, 0x11, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2359 0xc0, 0xa8, 0x01, 0x03};
2360
2361 uint8_t valid_raw_udp[] = {
2362 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2363 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2364 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2365 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2366 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2367 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2368 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2369 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2370 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2371 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2372 0x67, 0x6c, 0x65, 0xc0, 0x26};
2373
2374 uint8_t invalid_raw_udp[] = {
2375 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2376 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2377 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2378 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2379 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2380 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2381 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2382 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2383 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2384 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2385 0x67, 0x6c, 0x65, 0xc0, 0x27};
2386
2387 Packet *p1 = PacketGetFromAlloc();
2388 FAIL_IF_NULL(p1);
2389 Packet *p2 = PacketGetFromAlloc();
2390 FAIL_IF_NULL(p2);
2391
2392 ThreadVars th_v;
2393 DetectEngineThreadCtx *det_ctx = NULL;
2394
2395 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2396 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2397
2398 memset(&th_v, 0, sizeof(ThreadVars));
2399
2400 PacketSetIPV4(p1, raw_ipv4);
2401 PacketSetUDP(p1, valid_raw_udp);
2402 p1->src.family = AF_INET;
2403 p1->dst.family = AF_INET;
2404 p1->payload = buf;
2405 p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2406 p1->proto = IPPROTO_UDP;
2407
2408 PacketSetIPV4(p2, raw_ipv4);
2409 PacketSetUDP(p2, invalid_raw_udp);
2410 p2->src.family = AF_INET;
2411 p2->dst.family = AF_INET;
2412 p2->payload = buf;
2413 p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2414 p2->proto = IPPROTO_UDP;
2415
2416 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2417 FAIL_IF_NULL(de_ctx);
2418
2419 de_ctx->flags |= DE_QUIET;
2420
2421 de_ctx->sig_list = SigInit(de_ctx,
2422 "alert udp any any -> any any "
2423 "(content:\"/one/\"; udpv4-csum:valid; "
2424 "msg:\"udpv4-csum keyword check(1)\"; "
2425 "sid:1;)");
2426 FAIL_IF_NULL(de_ctx->sig_list);
2427
2428 de_ctx->sig_list->next = SigInit(de_ctx,
2429 "alert udp any any -> any any "
2430 "(content:\"/one/\"; udpv4-csum:invalid; "
2431 "msg:\"udpv4-csum keyword check(1)\"; "
2432 "sid:2;)");
2433 FAIL_IF_NULL(de_ctx->sig_list->next);
2434
2435 SigGroupBuild(de_ctx);
2436 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2437
2438 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2439 FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2440
2441 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2442 FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2443
2444 SigGroupCleanup(de_ctx);
2445 SigCleanSignatures(de_ctx);
2446 if (det_ctx != NULL)
2447 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2448 DetectEngineCtxFree(de_ctx);
2449 SCFree(p1);
2450 SCFree(p2);
2451 PASS;
2452}
2453
2454static int SigTest31NegativeUDPV4Keyword(void)
2455{
2456 uint8_t raw_ipv4[] = {
2457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2458 0x00, 0x00, 0x00, 0x00, 0xd0, 0x43, 0xdc, 0xdc,
2459 0xc0, 0xa8, 0x01, 0x03};
2460
2461 uint8_t valid_raw_udp[] = {
2462 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2463 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2464 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2465 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2466 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2467 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2468 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2469 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2470 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2471 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2472 0x67, 0x6c, 0x65, 0xc0, 0x26};
2473
2474 uint8_t invalid_raw_udp[] = {
2475 0x00, 0x35, 0xcf, 0x34, 0x00, 0x55, 0x6c, 0xe0,
2476 0x83, 0xfc, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01,
2477 0x00, 0x00, 0x00, 0x00, 0x07, 0x70, 0x61, 0x67,
2478 0x65, 0x61, 0x64, 0x32, 0x11, 0x67, 0x6f, 0x6f,
2479 0x67, 0x6c, 0x65, 0x73, 0x79, 0x6e, 0x64, 0x69,
2480 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x03, 0x63,
2481 0x6f, 0x6d, 0x00, 0x00, 0x1c, 0x00, 0x01, 0xc0,
2482 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x01, 0x4b,
2483 0x50, 0x00, 0x12, 0x06, 0x70, 0x61, 0x67, 0x65,
2484 0x61, 0x64, 0x01, 0x6c, 0x06, 0x67, 0x6f, 0x6f,
2485 0x67, 0x6c, 0x65, 0xc0, 0x27};
2486
2487 Packet *p1 = PacketGetFromAlloc();
2488 if (unlikely(p1 == NULL))
2489 return 0;
2490 Packet *p2 = PacketGetFromAlloc();
2491 if (unlikely(p2 == NULL)) {
2492 SCFree(p1);
2493 return 0;
2494 }
2495 ThreadVars th_v;
2496 DetectEngineThreadCtx *det_ctx = NULL;
2497 int result = 1;
2498
2499 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0yyyyyyyyyyyyyyyy\r\n"
2500 "\r\n\r\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy";
2501
2502 memset(&th_v, 0, sizeof(ThreadVars));
2503
2504 PacketSetIPV4(p1, raw_ipv4);
2505 PacketSetUDP(p1, valid_raw_udp);
2506 p1->src.family = AF_INET;
2507 p1->dst.family = AF_INET;
2508 p1->payload = buf;
2509 p1->payload_len = sizeof(valid_raw_udp) - UDP_HEADER_LEN;
2510 p1->proto = IPPROTO_UDP;
2511
2512 PacketSetIPV4(p2, raw_ipv4);
2513 PacketSetUDP(p2, invalid_raw_udp);
2514 p2->src.family = AF_INET;
2515 p2->dst.family = AF_INET;
2516 p2->payload = buf;
2517 p2->payload_len = sizeof(invalid_raw_udp) - UDP_HEADER_LEN;
2518 p2->proto = IPPROTO_UDP;
2519
2520 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2521 if (de_ctx == NULL) {
2522 goto end;
2523 }
2524
2525 de_ctx->flags |= DE_QUIET;
2526
2527 de_ctx->sig_list = SigInit(de_ctx,
2528 "alert udp any any -> any any "
2529 "(content:\"/one/\"; udpv4-csum:invalid; "
2530 "msg:\"udpv4-csum keyword check(1)\"; sid:1;)");
2531 if (de_ctx->sig_list == NULL) {
2532 result &= 0;
2533 goto end;
2534 }
2535
2536 de_ctx->sig_list->next = SigInit(de_ctx,
2537 "alert udp any any -> any any "
2538 "(content:\"/one/\"; udpv4-csum:valid; "
2539 "msg:\"udpv4-csum keyword check(1)\"; "
2540 "sid:2;)");
2541 if (de_ctx->sig_list->next == NULL) {
2542 result &= 0;
2543 goto end;
2544 }
2545
2546 SigGroupBuild(de_ctx);
2547 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2548
2549 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2550 if (PacketAlertCheck(p1, 1))
2551 result &= 0;
2552 else
2553 result &= 1;
2554
2555 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2556 if (PacketAlertCheck(p2, 2)) {
2557 result &= 0;
2558 }
2559 else
2560 result &= 1;
2561
2562 SigGroupCleanup(de_ctx);
2563 SigCleanSignatures(de_ctx);
2564 if (det_ctx != NULL)
2565 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2566 DetectEngineCtxFree(de_ctx);
2567end:
2568 SCFree(p1);
2569 SCFree(p2);
2570 return result;
2571}
2572
2573
2574static int SigTest32UDPV6Keyword(void)
2575{
2576 static uint8_t valid_raw_ipv6[] = {
2577 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2578 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2579 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2580 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2581 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2582 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2583 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2584 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2585 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2586 0x09, 0x00};
2587
2588 static uint8_t invalid_raw_ipv6[] = {
2589 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2590 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2591 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2592 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2593 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2594 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2595 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2596 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2597 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2598 0x09, 0x01};
2599
2600 Packet *p1 = PacketGetFromAlloc();
2601 FAIL_IF_NULL(p1);
2602 Packet *p2 = PacketGetFromAlloc();
2603 FAIL_IF_NULL(p2);
2604
2605 ThreadVars th_v;
2606 DetectEngineThreadCtx *det_ctx = NULL;
2607
2608 uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2609 "\r\n\r\n";
2610
2611 memset(&th_v, 0, sizeof(ThreadVars));
2612
2613 PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2614 PacketSetUDP(p1, valid_raw_ipv6 + 54);
2615 p1->src.family = AF_INET;
2616 p1->dst.family = AF_INET;
2617 p1->payload = buf;
2618 p1->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p1)) - UDP_HEADER_LEN;
2619 p1->proto = IPPROTO_UDP;
2620
2621 PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2622 PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2623 p2->src.family = AF_INET;
2624 p2->dst.family = AF_INET;
2625 p2->payload = buf;
2626 p2->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p2)) - UDP_HEADER_LEN;
2627 p2->proto = IPPROTO_UDP;
2628
2629 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2630 FAIL_IF_NULL(de_ctx);
2631
2632 de_ctx->flags |= DE_QUIET;
2633
2634 de_ctx->sig_list = SigInit(de_ctx,
2635 "alert udp any any -> any any "
2636 "(content:\"/one/\"; udpv6-csum:valid; "
2637 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2638 FAIL_IF_NULL(de_ctx->sig_list);
2639
2640 de_ctx->sig_list->next = SigInit(de_ctx,
2641 "alert udp any any -> any any "
2642 "(content:\"/one/\"; udpv6-csum:invalid; "
2643 "msg:\"udpv6-csum keyword check(1)\"; "
2644 "sid:2;)");
2645 FAIL_IF_NULL(de_ctx->sig_list->next);
2646
2647 SigGroupBuild(de_ctx);
2648 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2649
2650 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2651 FAIL_IF_NOT(PacketAlertCheck(p1, 1));
2652
2653 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2654 FAIL_IF_NOT(PacketAlertCheck(p2, 2));
2655
2656 SigGroupCleanup(de_ctx);
2657 SigCleanSignatures(de_ctx);
2658 if (det_ctx != NULL)
2659 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2660 DetectEngineCtxFree(de_ctx);
2661
2662 SCFree(p1);
2663 SCFree(p2);
2664 PASS;
2665}
2666
2667static int SigTest33NegativeUDPV6Keyword(void)
2668{
2669 static uint8_t valid_raw_ipv6[] = {
2670 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2671 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2672 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2673 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2674 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2675 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2676 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2677 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2678 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2679 0x09, 0x00};
2680
2681 static uint8_t invalid_raw_ipv6[] = {
2682 0x00, 0x60, 0x97, 0x07, 0x69, 0xea, 0x00, 0x00,
2683 0x86, 0x05, 0x80, 0xda, 0x86, 0xdd, 0x60, 0x00,
2684 0x00, 0x00, 0x00, 0x14, 0x11, 0x02, 0x3f, 0xfe,
2685 0x05, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00,
2686 0x86, 0xff, 0xfe, 0x05, 0x80, 0xda, 0x3f, 0xfe,
2687 0x05, 0x01, 0x04, 0x10, 0x00, 0x00, 0x02, 0xc0,
2688 0xdf, 0xff, 0xfe, 0x47, 0x03, 0x3e, 0xa0, 0x75,
2689 0x82, 0xa0, 0x00, 0x14, 0x1a, 0xc3, 0x06, 0x02,
2690 0x00, 0x00, 0xf9, 0xc8, 0xe7, 0x36, 0x57, 0xb0,
2691 0x09, 0x01};
2692
2693 Packet *p1 = PacketGetFromAlloc();
2694 if (unlikely(p1 == NULL))
2695 return 0;
2696 Packet *p2 = PacketGetFromAlloc();
2697 if (unlikely(p2 == NULL)) {
2698 SCFree(p1);
2699 return 0;
2700 }
2701 ThreadVars th_v;
2702 DetectEngineThreadCtx *det_ctx = NULL;
2703 int result = 1;
2704
2705 uint8_t *buf = (uint8_t *)"GET /one/ HTTP\r\n"
2706 "\r\n\r\n";
2707
2708 memset(&th_v, 0, sizeof(ThreadVars));
2709
2710 PacketSetIPV6(p1, valid_raw_ipv6 + 14);
2711 PacketSetUDP(p1, valid_raw_ipv6 + 54);
2712 p1->src.family = AF_INET;
2713 p1->dst.family = AF_INET;
2714 p1->payload = buf;
2715 p1->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p1)) - UDP_HEADER_LEN;
2716 p1->proto = IPPROTO_UDP;
2717
2718 PacketSetIPV6(p2, invalid_raw_ipv6 + 14);
2719 PacketSetUDP(p2, invalid_raw_ipv6 + 54);
2720 p2->src.family = AF_INET;
2721 p2->dst.family = AF_INET;
2722 p2->payload = buf;
2723 p2->payload_len = IPV6_GET_RAW_PLEN(PacketGetIPv6(p2)) - UDP_HEADER_LEN;
2724 p2->proto = IPPROTO_UDP;
2725
2726 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2727 if (de_ctx == NULL) {
2728 goto end;
2729 }
2730
2731 de_ctx->flags |= DE_QUIET;
2732
2733 de_ctx->sig_list = SigInit(de_ctx,
2734 "alert udp any any -> any any "
2735 "(content:\"/one/\"; udpv6-csum:invalid; "
2736 "msg:\"udpv6-csum keyword check(1)\"; sid:1;)");
2737 if (de_ctx->sig_list == NULL) {
2738 result &= 0;
2739 goto end;
2740 }
2741
2742 de_ctx->sig_list->next = SigInit(de_ctx,
2743 "alert udp any any -> any any "
2744 "(content:\"/one/\"; udpv6-csum:valid; "
2745 "msg:\"udpv6-csum keyword check(1)\"; "
2746 "sid:2;)");
2747 if (de_ctx->sig_list->next == NULL) {
2748 result &= 0;
2749 goto end;
2750 }
2751
2752 SigGroupBuild(de_ctx);
2753 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2754
2755 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2756 if (PacketAlertCheck(p1, 1))
2757 result &= 0;
2758 else
2759 result &= 1;
2760
2761 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2762 if (PacketAlertCheck(p2, 2))
2763 result &= 0;
2764 else
2765 result &= 1;
2766
2767 SigGroupCleanup(de_ctx);
2768 SigCleanSignatures(de_ctx);
2769 if (det_ctx != NULL)
2770 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2771 DetectEngineCtxFree(de_ctx);
2772end:
2773 SCFree(p1);
2774 SCFree(p2);
2775 return result;
2776}
2777
2778static int SigTest34ICMPV4Keyword(void)
2779{
2780 uint8_t valid_raw_ipv4[] = {
2781 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2782 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2783 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2784 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2785 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2786 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2787 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2788 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2789 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2790 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2791 0x34, 0x35, 0x36, 0x37};
2792
2793 uint8_t invalid_raw_ipv4[] = {
2794 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2795 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2796 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2797 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2798 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2799 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2800 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2801 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2802 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2803 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2804 0x34, 0x35, 0x36, 0x38};
2805
2806 Packet *p1 = PacketGetFromAlloc();
2807 if (unlikely(p1 == NULL))
2808 return 0;
2809 Packet *p2 = PacketGetFromAlloc();
2810 if (unlikely(p2 == NULL)) {
2811 SCFree(p1);
2812 return 0;
2813 }
2814 ThreadVars th_v;
2815 DetectEngineThreadCtx *det_ctx = NULL;
2816 int result = 1;
2817
2818 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2819 "\r\n\r\n";
2820 uint16_t buflen = strlen((char *)buf);
2821
2822 memset(&th_v, 0, sizeof(ThreadVars));
2823
2824 IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2825 ip4h->ip_verhl = 69;
2826 (void)PacketSetICMPv4(p1, valid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2827 p1->src.family = AF_INET;
2828 p1->dst.family = AF_INET;
2829 p1->payload = buf;
2830 p1->payload_len = buflen;
2831 p1->proto = IPPROTO_ICMP;
2832
2833 ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2834 ip4h->ip_verhl = 69;
2835 (void)PacketSetICMPv4(p2, invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2836 p2->src.family = AF_INET;
2837 p2->dst.family = AF_INET;
2838 p2->payload = buf;
2839 p2->payload_len = buflen;
2840 p2->proto = IPPROTO_ICMP;
2841
2842 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2843 if (de_ctx == NULL) {
2844 goto end;
2845 }
2846
2847 de_ctx->flags |= DE_QUIET;
2848
2849 de_ctx->sig_list = SigInit(de_ctx,
2850 "alert icmp any any -> any any "
2851 "(content:\"/one/\"; icmpv4-csum:valid; "
2852 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2853 if (de_ctx->sig_list == NULL) {
2854 result &= 0;
2855 goto end;
2856 }
2857
2858 de_ctx->sig_list->next = SigInit(de_ctx,
2859 "alert icmp any any -> any any "
2860 "(content:\"/one/\"; icmpv4-csum:invalid; "
2861 "msg:\"icmpv4-csum keyword check(1)\"; "
2862 "sid:2;)");
2863 if (de_ctx->sig_list->next == NULL) {
2864 result = 0;
2865 goto end;
2866 }
2867
2868 SigGroupBuild(de_ctx);
2869 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2870
2871 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2872 if (PacketAlertCheck(p1, 1))
2873 result &= 1;
2874 else
2875 result &= 0;
2876
2877 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2878 if (PacketAlertCheck(p2, 2))
2879 result &= 1;
2880 else
2881 result &= 0;
2882
2883 SigGroupCleanup(de_ctx);
2884 SigCleanSignatures(de_ctx);
2885 if (det_ctx != NULL)
2886 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
2887 DetectEngineCtxFree(de_ctx);
2888end:
2889 SCFree(p1);
2890 SCFree(p2);
2891 return result;
2892}
2893
2894static int SigTest35NegativeICMPV4Keyword(void)
2895{
2896 uint8_t valid_raw_ipv4[] = {
2897 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2898 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2899 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2900 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2901 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2902 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2903 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2904 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2905 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2906 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2907 0x34, 0x35, 0x36, 0x37};
2908
2909 uint8_t invalid_raw_ipv4[] = {
2910 0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00,
2911 0x40, 0x01, 0x3c, 0xa7, 0x7f, 0x00, 0x00, 0x01,
2912 0x7f, 0x00, 0x00, 0x01, 0x08, 0x00, 0xc3, 0x01,
2913 0x2b, 0x36, 0x00, 0x01, 0x3f, 0x16, 0x9a, 0x4a,
2914 0x41, 0x63, 0x04, 0x00, 0x08, 0x09, 0x0a, 0x0b,
2915 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
2916 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b,
2917 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
2918 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
2919 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
2920 0x34, 0x35, 0x36, 0x38};
2921
2922 Packet *p1 = PacketGetFromAlloc();
2923 if (unlikely(p1 == NULL))
2924 return 0;
2925 Packet *p2 = PacketGetFromAlloc();
2926 if (unlikely(p2 == NULL)) {
2927 SCFree(p1);
2928 return 0;
2929 }
2930 ThreadVars th_v;
2931 DetectEngineThreadCtx *det_ctx = NULL;
2932 int result = 1;
2933
2934 uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.0\r\n"
2935 "\r\n\r\n";
2936 uint16_t buflen = strlen((char *)buf);
2937
2938 memset(&th_v, 0, sizeof(ThreadVars));
2939
2940 IPV4Hdr *ip4h = PacketSetIPV4(p1, valid_raw_ipv4);
2941 ip4h->ip_verhl = 69;
2942 (void)PacketSetICMPv4(p1, valid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2943 p1->src.family = AF_INET;
2944 p1->dst.family = AF_INET;
2945 p1->payload = buf;
2946 p1->payload_len = buflen;
2947 p1->proto = IPPROTO_ICMP;
2948
2949 ip4h = PacketSetIPV4(p2, invalid_raw_ipv4);
2950 ip4h->ip_verhl = 69;
2951 (void)PacketSetICMPv4(p2, invalid_raw_ipv4 + IPV4_GET_RAW_HLEN(ip4h));
2952 p2->src.family = AF_INET;
2953 p2->dst.family = AF_INET;
2954 p2->payload = buf;
2955 p2->payload_len = buflen;
2956 p2->proto = IPPROTO_ICMP;
2957
2958 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
2959 if (de_ctx == NULL) {
2960 goto end;
2961 }
2962
2963 de_ctx->flags |= DE_QUIET;
2964
2965 de_ctx->sig_list = SigInit(de_ctx,
2966 "alert icmp any any -> any any "
2967 "(content:\"/one/\"; icmpv4-csum:invalid; "
2968 "msg:\"icmpv4-csum keyword check(1)\"; sid:1;)");
2969 if (de_ctx->sig_list == NULL) {
2970 result &= 0;
2971 goto end;
2972 }
2973
2974 de_ctx->sig_list->next = SigInit(de_ctx,
2975 "alert icmp any any -> any any "
2976 "(content:\"/one/\"; icmpv4-csum:valid; "
2977 "msg:\"icmpv4-csum keyword check(1)\"; "
2978 "sid:2;)");
2979 if (de_ctx->sig_list->next == NULL) {
2980 result &= 0;
2981 goto end;
2982 }
2983
2984 SigGroupBuild(de_ctx);
2985 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
2986
2987 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
2988 if (PacketAlertCheck(p1, 1))
2989 result &= 0;
2990 else
2991 result &= 1;
2992
2993 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
2994 if (PacketAlertCheck(p2, 2))
2995 result &= 0;
2996 else {
2997 result &= 1;
2998 }
2999
3000 SigGroupCleanup(de_ctx);
3001 SigCleanSignatures(de_ctx);
3002 if (det_ctx != NULL)
3003 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3004 DetectEngineCtxFree(de_ctx);
3005end:
3006 SCFree(p1);
3007 SCFree(p2);
3008 return result;
3009}
3010
3011static int SigTest38(void)
3012{
3013 Packet *p1 = PacketGetFromAlloc();
3014 if (unlikely(p1 == NULL))
3015 return 0;
3016 ThreadVars th_v;
3017 DetectEngineThreadCtx *det_ctx = NULL;
3018 int result = 1;
3019 uint8_t raw_eth[] = {
3020 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3021 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3022 0x08, 0x00
3023 };
3024 uint8_t raw_ipv4[] = {
3025 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3026 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3027 0x7f, 0x00, 0x00, 0x01
3028 };
3029 uint8_t raw_tcp[] = {
3030 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3031 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3032 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3033 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3034 0x00, 0x22, 0xaa, 0x10
3035 };
3036 uint8_t buf[] = {
3037 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3038 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3039 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x6f, 0x30, 0x30, /* LEN1|20| ends at 17 */
3040 0x30, 0x38, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32, /* "0008" at offset 5 */
3041 0x20, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3042 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3043 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3044 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3045 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3046 0x0a
3047 };
3048 uint16_t ethlen = sizeof(raw_eth);
3049 uint16_t ipv4len = sizeof(raw_ipv4);
3050 uint16_t tcplen = sizeof(raw_tcp);
3051 uint16_t buflen = sizeof(buf);
3052
3053 memset(&th_v, 0, sizeof(ThreadVars));
3054
3055 /* Copy raw data into packet */
3056 if (PacketCopyData(p1, raw_eth, ethlen) == -1) {
3057 SCFree(p1);
3058 return 1;
3059 }
3060 if (PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1) {
3061 SCFree(p1);
3062 return 1;
3063 }
3064 if (PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1) {
3065 SCFree(p1);
3066 return 1;
3067 }
3068 if (PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1) {
3069 SCFree(p1);
3070 return 1;
3071 }
3072 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3073
3074 PacketSetEthernet(p1, raw_eth);
3075 PacketSetIPV4(p1, raw_ipv4);
3076 PacketSetTCP(p1, raw_tcp);
3077 p1->src.family = AF_INET;
3078 p1->dst.family = AF_INET;
3079 p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3080 p1->payload_len = buflen;
3081 p1->proto = IPPROTO_TCP;
3082
3083 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3084 if (de_ctx == NULL) {
3085 goto end;
3086 }
3087 de_ctx->flags |= DE_QUIET;
3088
3089 de_ctx->sig_list = SigInit(de_ctx,
3090 "alert tcp any any -> any any "
3091 "(content:\"LEN1|20|\"; "
3092 "byte_test:4,=,8,0; "
3093 "msg:\"byte_test keyword check(1)\"; sid:1;)");
3094 if (de_ctx->sig_list == NULL) {
3095 result &= 0;
3096 goto end;
3097 }
3098 de_ctx->sig_list->next = SigInit(de_ctx,
3099 "alert tcp any any -> any any "
3100 "(content:\"LEN1|20|\"; "
3101 "byte_test:4,=,8,5,relative,string,dec; "
3102 "msg:\"byte_test keyword check(2)\"; sid:2;)");
3103 if (de_ctx->sig_list->next == NULL) {
3104 result &= 0;
3105 goto end;
3106 }
3107
3108 SigGroupBuild(de_ctx);
3109 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3110
3111 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3112 if (PacketAlertCheck(p1, 1)) {
3113 result = 1;
3114 } else {
3115 result = 0;
3116 printf("sid 1 didn't alert, but should have: ");
3117 goto cleanup;
3118 }
3119 if (PacketAlertCheck(p1, 2)) {
3120 result = 1;
3121 } else {
3122 result = 0;
3123 printf("sid 2 didn't alert, but should have: ");
3124 goto cleanup;
3125 }
3126
3127cleanup:
3128 SigGroupCleanup(de_ctx);
3129 SigCleanSignatures(de_ctx);
3130
3131 if (det_ctx != NULL)
3132 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3133 DetectEngineCtxFree(de_ctx);
3134
3135end:
3136 SCFree(p1);
3137 return result;
3138}
3139
3140static int SigTest39(void)
3141{
3142 ThreadVars th_v;
3143 DetectEngineThreadCtx *det_ctx = NULL;
3144 uint8_t raw_eth[] = {
3145 0x00, 0x00, 0x03, 0x04, 0x00, 0x06, 0x00,
3146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3147 0x08, 0x00
3148 };
3149 uint8_t raw_ipv4[] = {
3150 0x45, 0x00, 0x00, 0x7d, 0xd8, 0xf3, 0x40, 0x00,
3151 0x40, 0x06, 0x63, 0x85, 0x7f, 0x00, 0x00, 0x01,
3152 0x7f, 0x00, 0x00, 0x01
3153 };
3154 uint8_t raw_tcp[] = {
3155 0xad, 0x22, 0x04, 0x00, 0x16, 0x39, 0x72,
3156 0xe2, 0x16, 0x1f, 0x79, 0x84, 0x80, 0x18,
3157 0x01, 0x01, 0xfe, 0x71, 0x00, 0x00, 0x01,
3158 0x01, 0x08, 0x0a, 0x00, 0x22, 0xaa, 0x10,
3159 0x00, 0x22, 0xaa, 0x10
3160 };
3161 uint8_t buf[] = {
3162 0x00, 0x00, 0x00, 0x08, 0x62, 0x6f, 0x6f, 0x65,
3163 0x65, 0x6b, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x31,
3164 0x20, 0x38, 0x0d, 0x0a, 0x66, 0x30, 0x30, 0x30,
3165 0x38, 0x72, 0x0d, 0x0a, 0x4c, 0x45, 0x4e, 0x32,
3166 0x20, 0x39, 0x39, 0x4c, 0x45, 0x4e, 0x32, 0x39,
3167 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3168 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39, 0x39,
3169 0x39, 0x39, 0x39, 0x0d, 0x0a, 0x41, 0x41, 0x41,
3170 0x41, 0x41, 0x41, 0x0d, 0x0a, 0x0d, 0x0a, 0x0d,
3171 0x0a
3172 };
3173 uint16_t ethlen = sizeof(raw_eth);
3174 uint16_t ipv4len = sizeof(raw_ipv4);
3175 uint16_t tcplen = sizeof(raw_tcp);
3176 uint16_t buflen = sizeof(buf);
3177
3178 memset(&th_v, 0, sizeof(ThreadVars));
3179
3180 Packet *p1 = PacketGetFromAlloc();
3181 FAIL_IF_NULL(p1);
3182 /* Copy raw data into packet */
3183 FAIL_IF(PacketCopyData(p1, raw_eth, ethlen) == -1);
3184 FAIL_IF(PacketCopyDataOffset(p1, ethlen, raw_ipv4, ipv4len) == -1);
3185 FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len, raw_tcp, tcplen) == -1);
3186 FAIL_IF(PacketCopyDataOffset(p1, ethlen + ipv4len + tcplen, buf, buflen) == -1);
3187 SET_PKT_LEN(p1, ethlen + ipv4len + tcplen + buflen);
3188
3189 PacketSetEthernet(p1, raw_eth);
3190 PacketSetIPV4(p1, raw_ipv4);
3191 PacketSetTCP(p1, raw_tcp);
3192 p1->src.family = AF_INET;
3193 p1->dst.family = AF_INET;
3194 p1->payload = GET_PKT_DATA(p1) + ethlen + ipv4len + tcplen;
3195 p1->payload_len = buflen;
3196 p1->proto = IPPROTO_TCP;
3197
3198 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3199 FAIL_IF_NULL(de_ctx);
3200 de_ctx->flags |= DE_QUIET;
3201
3202 Signature *s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3203 "(content:\"LEN1|20|\"; "
3204 "byte_test:4,=,8,0; "
3205 "byte_jump:4,0; "
3206 "byte_test:6,=,0x4c454e312038,0,relative; "
3207 "msg:\"byte_jump keyword check(1)\"; sid:1;)");
3208 FAIL_IF_NULL(s);
3209 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
3210 "(content:\"LEN1|20|\"; "
3211 "byte_test:4,=,8,4,relative,string,dec; "
3212 "byte_jump:4,4,relative,string,dec,post_offset 2; "
3213 "byte_test:4,=,0x4c454e32,0,relative; "
3214 "msg:\"byte_jump keyword check(2)\"; sid:2;)");
3215 FAIL_IF_NULL(s);
3216 SigGroupBuild(de_ctx);
3217 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3218
3219 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
3220
3221 FAIL_IF_NOT(PacketAlertCheck(p1, 1));
3222 FAIL_IF_NOT(PacketAlertCheck(p1, 2));
3223
3224 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3225 DetectEngineCtxFree(de_ctx);
3226
3227 SCFree(p1);
3228 PASS;
3229}
3230
3231/**
3232 * \test SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
3233 * \brief expecting to match a size
3234 */
3235
3236static int SigTest36ContentAndIsdataatKeywords01 (void)
3237{
3238 int result = 0;
3239
3240 // Build and decode the packet
3241
3242 uint8_t raw_eth [] = {
3243 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3244 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3245 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3246 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3247 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3248 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3249 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3250 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3251 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3252 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3253 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3254 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3255 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3256 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3257 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3258 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3259 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3260 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3261 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3262 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3263 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3264 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3265 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3266 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3267 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3268 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3269 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3270 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3271 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3272 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3273
3274 Packet *p = PacketGetFromAlloc();
3275 if (unlikely(p == NULL))
3276 return 0;
3277 DecodeThreadVars dtv;
3278
3279 ThreadVars th_v;
3280 DetectEngineThreadCtx *det_ctx = NULL;
3281
3282 memset(&dtv, 0, sizeof(DecodeThreadVars));
3283 memset(&th_v, 0, sizeof(th_v));
3284
3285 FlowInitConfig(FLOW_QUIET);
3286 DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3287
3288
3289 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3290 if (de_ctx == NULL) {
3291 goto end;
3292 }
3293
3294 de_ctx->flags |= DE_QUIET;
3295
3296 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest36ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:404, relative; sid:101;)");
3297 if (de_ctx->sig_list == NULL) {
3298 result = 0;
3299 goto end;
3300 }
3301
3302 SigGroupBuild(de_ctx);
3303 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3304
3305 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3306 if (PacketAlertCheck(p, 101) == 0) {
3307 result = 0;
3308 goto end;
3309 } else {
3310 result=1;
3311 }
3312
3313 SigGroupCleanup(de_ctx);
3314 SigCleanSignatures(de_ctx);
3315
3316 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3317 DetectEngineCtxFree(de_ctx);
3318 PacketRecycle(p);
3319 FlowShutdown();
3320
3321 SCFree(p);
3322 return result;
3323
3324end:
3325 if(de_ctx)
3326 {
3327 SigGroupCleanup(de_ctx);
3328 SigCleanSignatures(de_ctx);
3329 }
3330
3331 if(det_ctx)
3332 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3333
3334 //PatternMatchDestroy(mpm_ctx);
3335
3336 if(de_ctx)
3337 DetectEngineCtxFree(de_ctx);
3338
3339 if (p != NULL)
3340 PacketRecycle(p);
3341
3342 FlowShutdown();
3343
3344 SCFree(p);
3345 return result;
3346}
3347
3348
3349/**
3350 * \test SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
3351 * \brief not expecting to match a size
3352 */
3353
3354static int SigTest37ContentAndIsdataatKeywords02 (void)
3355{
3356 int result = 0;
3357
3358 // Build and decode the packet
3359
3360 uint8_t raw_eth [] = {
3361 0x00,0x25,0x00,0x9e,0xfa,0xfe,0x00,0x02,0xcf,0x74,0xfe,0xe1,0x08,0x00,0x45,0x00
3362 ,0x01,0xcc,0xcb,0x91,0x00,0x00,0x34,0x06,0xdf,0xa8,0xd1,0x55,0xe3,0x67,0xc0,0xa8
3363 ,0x64,0x8c,0x00,0x50,0xc0,0xb7,0xd1,0x11,0xed,0x63,0x81,0xa9,0x9a,0x05,0x80,0x18
3364 ,0x00,0x75,0x0a,0xdd,0x00,0x00,0x01,0x01,0x08,0x0a,0x09,0x8a,0x06,0xd0,0x12,0x21
3365 ,0x2a,0x3b,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x33,0x30,0x32,0x20,0x46
3366 ,0x6f,0x75,0x6e,0x64,0x0d,0x0a,0x4c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x3a,0x20
3367 ,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c
3368 ,0x65,0x2e,0x65,0x73,0x2f,0x0d,0x0a,0x43,0x61,0x63,0x68,0x65,0x2d,0x43,0x6f,0x6e
3369 ,0x74,0x72,0x6f,0x6c,0x3a,0x20,0x70,0x72,0x69,0x76,0x61,0x74,0x65,0x0d,0x0a,0x43
3370 ,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78
3371 ,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x20,0x63,0x68,0x61,0x72,0x73,0x65,0x74,0x3d
3372 ,0x55,0x54,0x46,0x2d,0x38,0x0d,0x0a,0x44,0x61,0x74,0x65,0x3a,0x20,0x4d,0x6f,0x6e
3373 ,0x2c,0x20,0x31,0x34,0x20,0x53,0x65,0x70,0x20,0x32,0x30,0x30,0x39,0x20,0x30,0x38
3374 ,0x3a,0x34,0x38,0x3a,0x33,0x31,0x20,0x47,0x4d,0x54,0x0d,0x0a,0x53,0x65,0x72,0x76
3375 ,0x65,0x72,0x3a,0x20,0x67,0x77,0x73,0x0d,0x0a,0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74
3376 ,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x32,0x31,0x38,0x0d,0x0a,0x0d,0x0a
3377 ,0x3c,0x48,0x54,0x4d,0x4c,0x3e,0x3c,0x48,0x45,0x41,0x44,0x3e,0x3c,0x6d,0x65,0x74
3378 ,0x61,0x20,0x68,0x74,0x74,0x70,0x2d,0x65,0x71,0x75,0x69,0x76,0x3d,0x22,0x63,0x6f
3379 ,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x74,0x79,0x70,0x65,0x22,0x20,0x63,0x6f,0x6e,0x74
3380 ,0x65,0x6e,0x74,0x3d,0x22,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x3b,0x63
3381 ,0x68,0x61,0x72,0x73,0x65,0x74,0x3d,0x75,0x74,0x66,0x2d,0x38,0x22,0x3e,0x0a,0x3c
3382 ,0x54,0x49,0x54,0x4c,0x45,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76,0x65,0x64,0x3c
3383 ,0x2f,0x54,0x49,0x54,0x4c,0x45,0x3e,0x3c,0x2f,0x48,0x45,0x41,0x44,0x3e,0x3c,0x42
3384 ,0x4f,0x44,0x59,0x3e,0x0a,0x3c,0x48,0x31,0x3e,0x33,0x30,0x32,0x20,0x4d,0x6f,0x76
3385 ,0x65,0x64,0x3c,0x2f,0x48,0x31,0x3e,0x0a,0x54,0x68,0x65,0x20,0x64,0x6f,0x63,0x75
3386 ,0x6d,0x65,0x6e,0x74,0x20,0x68,0x61,0x73,0x20,0x6d,0x6f,0x76,0x65,0x64,0x0a,0x3c
3387 ,0x41,0x20,0x48,0x52,0x45,0x46,0x3d,0x22,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77
3388 ,0x77,0x77,0x2e,0x67,0x6f,0x6f,0x67,0x6c,0x65,0x2e,0x65,0x73,0x2f,0x22,0x3e,0x68
3389 ,0x65,0x72,0x65,0x3c,0x2f,0x41,0x3e,0x2e,0x0d,0x0a,0x3c,0x2f,0x42,0x4f,0x44,0x59
3390 ,0x3e,0x3c,0x2f,0x48,0x54,0x4d,0x4c,0x3e,0x0d,0x0a };
3391
3392 Packet *p = PacketGetFromAlloc();
3393 if (unlikely(p == NULL))
3394 return 0;
3395 DecodeThreadVars dtv;
3396
3397 ThreadVars th_v;
3398 DetectEngineThreadCtx *det_ctx = NULL;
3399
3400 memset(&dtv, 0, sizeof(DecodeThreadVars));
3401 memset(&th_v, 0, sizeof(th_v));
3402
3403 FlowInitConfig(FLOW_QUIET);
3404 DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth));
3405
3406
3407 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3408 if (de_ctx == NULL) {
3409 goto end;
3410 }
3411
3412 de_ctx->flags |= DE_QUIET;
3413
3414 Signature *s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"SigTest37ContentAndIsdataatKeywords01 \"; content:\"HTTP\"; isdataat:500, relative; sid:101;)");
3415 if (de_ctx->sig_list == NULL) {
3416 printf("sig parse failed: ");
3417 result = 0;
3418 goto end;
3419 }
3420
3421 if (s->init_data->smlists[DETECT_SM_LIST_PMATCH]->type != DETECT_CONTENT) {
3422 printf("type not content: ");
3423 goto end;
3424 }
3425 SigGroupBuild(de_ctx);
3426 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3427
3428 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3429 if (PacketAlertCheck(p, 101) == 0) {
3430 result = 1;
3431 goto end;
3432 } else {
3433 printf("sig matched, but should not have: ");
3434 result=0;
3435 }
3436
3437 SigGroupCleanup(de_ctx);
3438 SigCleanSignatures(de_ctx);
3439
3440 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3441 DetectEngineCtxFree(de_ctx);
3442
3443 PacketRecycle(p);
3444 FlowShutdown();
3445
3446 SCFree(p);
3447 return result;
3448
3449end:
3450 if(de_ctx)
3451 {
3452 SigGroupCleanup(de_ctx);
3453 SigCleanSignatures(de_ctx);
3454 }
3455
3456 if(det_ctx)
3457 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3458
3459 if(de_ctx)
3460 DetectEngineCtxFree(de_ctx);
3461
3462 if (p != NULL)
3463 PacketRecycle(p);
3464
3465 FlowShutdown();
3466
3467 SCFree(p);
3468 return result;
3469}
3470
3471/**
3472 * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
3473 * flag is set, we don't need to inspect the packet protocol header or its contents.
3474 */
3475
3476static int SigTest40NoPacketInspection01(void)
3477{
3478
3479 uint8_t *buf = (uint8_t *)
3480 "220 (vsFTPd 2.0.5)\r\n";
3481 uint16_t buflen = strlen((char *)buf);
3482 Packet *p = PacketGetFromAlloc();
3483 TCPHdr tcphdr;
3484 if (unlikely(p == NULL))
3485 return 0;
3486 ThreadVars th_v;
3487 DetectEngineThreadCtx *det_ctx = NULL;
3488 PacketQueue pq;
3489 Flow f;
3490 int result = 0;
3491
3492 memset(&th_v, 0, sizeof(th_v));
3493 memset(&pq, 0, sizeof(pq));
3494 memset(&f, 0, sizeof(f));
3495 memset(&tcphdr, 0, sizeof(tcphdr));
3496
3497 p->src.family = AF_INET;
3498 p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1");
3499 p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
3500 p->dst.family = AF_INET;
3501 p->payload = buf;
3502 p->payload_len = buflen;
3503 p->proto = IPPROTO_TCP;
3504 p->dp = 34260;
3505 p->sp = 21;
3506 p->flowflags |= FLOW_PKT_TOSERVER;
3507 p->flags |= PKT_NOPACKET_INSPECTION;
3508 PacketSetTCP(p, (uint8_t *)&tcphdr);
3509 p->flow = &f;
3510
3511 FLOW_INITIALIZE(&f);
3512
3513 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3514 if (de_ctx == NULL) {
3515 goto end;
3516 }
3517
3518 de_ctx->flags |= DE_QUIET;
3519
3520 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; flow:to_server; sid:2; rev:1;)");
3521 if (de_ctx->sig_list == NULL) {
3522 result = 0;
3523 goto end;
3524 }
3525
3526 SigGroupBuild(de_ctx);
3527 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
3528 det_ctx->de_ctx = de_ctx;
3529
3530 Detect(&th_v, p, det_ctx);
3531 if (PacketAlertCheck(p, 2))
3532 result = 0;
3533 else
3534 result = 1;
3535
3536 SigGroupCleanup(de_ctx);
3537 SigCleanSignatures(de_ctx);
3538 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3539 //PatternMatchDestroy(mpm_ctx);
3540 DetectEngineCtxFree(de_ctx);
3541end:
3542 SCFree(p);
3543 return result;
3544}
3545
3546/**
3547 * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
3548 * flag is set, we don't need to inspect the packet contents.
3549 */
3550
3551static int SigTest40NoPayloadInspection02(void)
3552{
3553
3554 uint8_t *buf = (uint8_t *)
3555 "220 (vsFTPd 2.0.5)\r\n";
3556 uint16_t buflen = strlen((char *)buf);
3557 ThreadVars th_v;
3558 memset(&th_v, 0, sizeof(th_v));
3559
3560 Packet *p = PacketGetFromAlloc();
3561 FAIL_IF_NULL(p);
3562
3563 p->src.family = AF_INET;
3564 p->dst.family = AF_INET;
3565 p->payload = buf;
3566 p->payload_len = buflen;
3567 p->proto = IPPROTO_TCP;
3568 p->flags |= PKT_NOPAYLOAD_INSPECTION;
3569
3570 DetectEngineThreadCtx *det_ctx = NULL;
3571 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3572 FAIL_IF_NULL(de_ctx);
3573 de_ctx->flags |= DE_QUIET;
3574
3575 Signature *s = DetectEngineAppendSig(de_ctx,
3576 "alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
3577 FAIL_IF_NULL(s);
3578
3579 SigGroupBuild(de_ctx);
3580 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3581
3582 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3583
3584 FAIL_IF(PacketAlertCheck(p, 1));
3585
3586 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3587 DetectEngineCtxFree(de_ctx);
3588 SCFree(p);
3589 PASS;
3590}
3591
3592static int SigTestMemory01 (void)
3593{
3594 uint8_t *buf = (uint8_t *)
3595 "GET /one/ HTTP/1.1\r\n"
3596 "Host: one.example.org\r\n"
3597 "\r\n\r\n"
3598 "GET /two/ HTTP/1.1\r\n"
3599 "Host: two.example.org\r\n"
3600 "\r\n\r\n";
3601 uint16_t buflen = strlen((char *)buf);
3602 Packet *p = PacketGetFromAlloc();
3603 if (unlikely(p == NULL))
3604 return 0;
3605 ThreadVars th_v;
3606 DetectEngineThreadCtx *det_ctx = NULL;
3607 int result = 0;
3608
3609 memset(&th_v, 0, sizeof(th_v));
3610 p->src.family = AF_INET;
3611 p->dst.family = AF_INET;
3612 p->payload = buf;
3613 p->payload_len = buflen;
3614 p->proto = IPPROTO_TCP;
3615
3616 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3617 if (de_ctx == NULL) {
3618 goto end;
3619 }
3620
3621 de_ctx->flags |= DE_QUIET;
3622
3623 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3624 if (de_ctx->sig_list == NULL) {
3625 result = 0;
3626 goto end;
3627 }
3628
3629 SigGroupBuild(de_ctx);
3630 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3631
3632 SigGroupCleanup(de_ctx);
3633 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3634 DetectEngineCtxFree(de_ctx);
3635
3636 result = 1;
3637end:
3638 SCFree(p);
3639 return result;
3640}
3641
3642static int SigTestMemory02 (void)
3643{
3644 ThreadVars th_v;
3645 int result = 0;
3646
3647 memset(&th_v, 0, sizeof(th_v));
3648
3649 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3650 if (de_ctx == NULL) {
3651 goto end;
3652 }
3653 de_ctx->flags |= DE_QUIET;
3654
3655 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3656 if (de_ctx->sig_list == NULL) {
3657 result = 0;
3658 goto end;
3659 }
3660 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3661 if (de_ctx->sig_list->next == NULL) {
3662 result = 0;
3663 goto end;
3664 }
3665
3666 SigGroupBuild(de_ctx);
3667
3668 SigGroupCleanup(de_ctx);
3669 DetectEngineCtxFree(de_ctx);
3670
3671 result = 1;
3672end:
3673 return result;
3674}
3675
3676static int SigTestMemory03 (void)
3677{
3678 ThreadVars th_v;
3679 int result = 0;
3680
3681 memset(&th_v, 0, sizeof(th_v));
3682
3683 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3684 if (de_ctx == NULL) {
3685 goto end;
3686 }
3687 de_ctx->flags |= DE_QUIET;
3688
3689 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 456 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:1;)");
3690 if (de_ctx->sig_list == NULL) {
3691 result = 0;
3692 goto end;
3693 }
3694 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> 1.2.3.3-1.2.3.6 1:1000 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:2;)");
3695 if (de_ctx->sig_list->next == NULL) {
3696 result = 0;
3697 goto end;
3698 }
3699 de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> !1.2.3.5 1:990 (msg:\"HTTP URI cap\"; content:\"GET \"; depth:4; pcre:\"/GET (?P<pkt_http_uri>.*) HTTP\\/\\d\\.\\d\\r\\n/G\"; sid:3;)");
3700 if (de_ctx->sig_list->next->next == NULL) {
3701 result = 0;
3702 goto end;
3703 }
3704
3705 SigGroupBuild(de_ctx);
3706
3707 SigGroupCleanup(de_ctx);
3708 DetectEngineCtxFree(de_ctx);
3709
3710 result = 1;
3711end:
3712 return result;
3713}
3714
3715static int SigTestContent01 (void)
3716{
3717 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3718 uint16_t buflen = strlen((char *)buf);
3719 ThreadVars th_v;
3720 DetectEngineThreadCtx *det_ctx = NULL;
3721 int result = 0;
3722
3723 memset(&th_v, 0, sizeof(th_v));
3724
3725 Packet *p = NULL;
3726 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3727
3728 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3729 if (de_ctx == NULL) {
3730 goto end;
3731 }
3732 de_ctx->flags |= DE_QUIET;
3733
3734 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3735 if (de_ctx->sig_list == NULL) {
3736 result = 0;
3737 goto end;
3738 }
3739
3740 SigGroupBuild(de_ctx);
3741 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3742
3743 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3744 if (PacketAlertCheck(p, 1))
3745 result = 1;
3746 else
3747 printf("sig 1 didn't match: ");
3748
3749 SigGroupCleanup(de_ctx);
3750 SigCleanSignatures(de_ctx);
3751
3752 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3753 DetectEngineCtxFree(de_ctx);
3754end:
3755 UTHFreePackets(&p, 1);
3756 return result;
3757}
3758
3759static int SigTestContent02 (void)
3760{
3761 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
3762 uint16_t buflen = strlen((char *)buf);
3763 ThreadVars th_v;
3764 DetectEngineThreadCtx *det_ctx = NULL;
3765 int result = 0;
3766
3767 memset(&th_v, 0, sizeof(th_v));
3768 Packet *p = NULL;
3769 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3770
3771 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3772 if (de_ctx == NULL) {
3773 goto end;
3774 }
3775 de_ctx->flags |= DE_QUIET;
3776
3777 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
3778 if (de_ctx->sig_list == NULL) {
3779 result = 0;
3780 goto end;
3781 }
3782
3783 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
3784 if (de_ctx->sig_list->next == NULL) {
3785 result = 0;
3786 goto end;
3787 }
3788
3789 SigGroupBuild(de_ctx);
3790 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3791
3792 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3793 if (PacketAlertCheck(p, 1)) {
3794 if (PacketAlertCheck(p, 2)) {
3795 result = 1;
3796 } else
3797 printf("sig 2 didn't match: ");
3798 }
3799 else
3800 printf("sig 1 didn't match: ");
3801
3802 SigGroupCleanup(de_ctx);
3803 SigCleanSignatures(de_ctx);
3804
3805 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3806 DetectEngineCtxFree(de_ctx);
3807end:
3808 UTHFreePackets(&p, 1);
3809 return result;
3810}
3811
3812static int SigTestContent03 (void)
3813{
3814 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3815 uint16_t buflen = strlen((char *)buf);
3816 ThreadVars th_v;
3817 DetectEngineThreadCtx *det_ctx = NULL;
3818 int result = 0;
3819
3820 memset(&th_v, 0, sizeof(th_v));
3821 Packet *p = NULL;
3822 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3823
3824 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3825 if (de_ctx == NULL) {
3826 goto end;
3827 }
3828
3829 de_ctx->flags |= DE_QUIET;
3830
3831 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; sid:1;)");
3832 if (de_ctx->sig_list == NULL) {
3833 result = 0;
3834 goto end;
3835 }
3836
3837 SigGroupBuild(de_ctx);
3838 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3839
3840 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3841 if (PacketAlertCheck(p, 1))
3842 result = 1;
3843 else
3844 printf("sig 1 didn't match: ");
3845
3846 SigGroupCleanup(de_ctx);
3847 SigCleanSignatures(de_ctx);
3848
3849 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3850 DetectEngineCtxFree(de_ctx);
3851end:
3852 UTHFreePackets(&p, 1);
3853 return result;
3854}
3855
3856static int SigTestContent04 (void)
3857{
3858 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3859 uint16_t buflen = strlen((char *)buf);
3860 ThreadVars th_v;
3861 DetectEngineThreadCtx *det_ctx = NULL;
3862 int result = 0;
3863
3864 memset(&th_v, 0, sizeof(th_v));
3865
3866 Packet *p = NULL;
3867 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3868
3869 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3870 if (de_ctx == NULL) {
3871 goto end;
3872 }
3873
3874 de_ctx->flags |= DE_QUIET;
3875
3876 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3877 if (de_ctx->sig_list == NULL) {
3878 result = 0;
3879 goto end;
3880 }
3881
3882 SigGroupBuild(de_ctx);
3883 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3884
3885 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3886 if (PacketAlertCheck(p, 1))
3887 result = 1;
3888 else
3889 printf("sig 1 didn't match: ");
3890
3891 SigGroupCleanup(de_ctx);
3892 SigCleanSignatures(de_ctx);
3893
3894 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3895 DetectEngineCtxFree(de_ctx);
3896end:
3897 UTHFreePackets(&p, 1);
3898 return result;
3899}
3900
3901/** \test sigs with patterns at the limit of the pm's size limit */
3902static int SigTestContent05 (void)
3903{
3904 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901PADabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3905 uint16_t buflen = strlen((char *)buf);
3906 ThreadVars th_v;
3907 DetectEngineThreadCtx *det_ctx = NULL;
3908 int result = 0;
3909
3910 memset(&th_v, 0, sizeof(th_v));
3911 Packet *p = NULL;
3912 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3913
3914 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3915 if (de_ctx == NULL) {
3916 printf("de_ctx == NULL: ");
3917 goto end;
3918 }
3919
3920 de_ctx->flags |= DE_QUIET;
3921
3922 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3923 if (de_ctx->sig_list == NULL) {
3924 printf("sig1 parse failed: ");
3925 goto end;
3926 }
3927 de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:1; within:32; sid:2;)");
3928 if (de_ctx->sig_list->next == NULL) {
3929 printf("sig2 parse failed: ");
3930 goto end;
3931 }
3932
3933 SigGroupBuild(de_ctx);
3934 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3935
3936 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3937
3938 if (PacketAlertCheck(p, 1)) {
3939 printf("sig 1 matched but shouldn't: ");
3940 goto end;
3941 }
3942
3943 if (PacketAlertCheck(p, 2)) {
3944 printf("sig 2 matched but shouldn't: ");
3945 goto end;
3946 }
3947
3948 result = 1;
3949end:
3950 UTHFreePackets(&p, 1);
3951 SigGroupCleanup(de_ctx);
3952 SigCleanSignatures(de_ctx);
3953
3954 if (det_ctx != NULL) {
3955 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
3956 }
3957 if (de_ctx != NULL) {
3958 DetectEngineCtxFree(de_ctx);
3959 }
3960 return result;
3961}
3962
3963static int SigTestContent06 (void)
3964{
3965 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
3966 uint16_t buflen = strlen((char *)buf);
3967 ThreadVars th_v;
3968 DetectEngineThreadCtx *det_ctx = NULL;
3969 int result = 0;
3970
3971 memset(&th_v, 0, sizeof(th_v));
3972 Packet *p = NULL;
3973 p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
3974
3975 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
3976 if (de_ctx == NULL) {
3977 goto end;
3978 }
3979
3980 de_ctx->flags |= DE_QUIET;
3981
3982 de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig1\"; content:\"01234567890123456789012345678901\"; content:\"abcdefghijklmnopqrstuvwxyzABCDEF\"; distance:0; within:32; sid:1;)");
3983 if (de_ctx->sig_list == NULL) {
3984 result = 0;
3985 goto end;
3986 }
3987 de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Test 32 sig2\"; content:\"01234567890123456789012345678901\"; content:\"abcdefg\"; sid:2;)");
3988 if (de_ctx->sig_list->next == NULL) {
3989 result = 0;
3990 goto end;
3991 }
3992
3993 SigGroupBuild(de_ctx);
3994 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
3995
3996 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
3997 if (PacketAlertCheck(p, 1)){
3998 //printf("sig 1 matched :");
3999 }else{
4000 printf("sig 1 didn't match: ");
4001 goto end;
4002 }
4003
4004 if (PacketAlertCheck(p, 2)){
4005 result = 1;
4006 }else{
4007 printf("sig 2 didn't match: ");
4008 goto end;
4009 }
4010
4011 SigGroupCleanup(de_ctx);
4012 SigCleanSignatures(de_ctx);
4013
4014 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4015 DetectEngineCtxFree(de_ctx);
4016end:
4017 UTHFreePackets(&p, 1);
4018 return result;
4019}
4020
4021static int SigTestWithin01 (void)
4022{
4023 DecodeThreadVars dtv;
4024 ThreadVars th_v;
4025 int result = 0;
4026 Packet *p1 = NULL;
4027 Packet *p2 = NULL;
4028 Packet *p3 = NULL;
4029 Packet *p4 = NULL;
4030
4031 uint8_t rawpkt1[] = {
4032 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4033 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4034 0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
4035 0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4036 0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
4037 0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
4038 0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
4039 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4040 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4041 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4042 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4043 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4044 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4045 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4046 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4047 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4048 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4049 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4050 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4051 0x00,0x00 }; /* end rawpkt1 */
4052
4053 uint8_t rawpkt2[] = {
4054 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4055 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4056 0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
4057 0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4058 0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
4059 0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
4060 0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
4061 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4062 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4063 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4064 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4065 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4066 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4067 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4068 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4069 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4070 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4071 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4072 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4073 0x00,0x00 }; /* end rawpkt2 */
4074
4075 uint8_t rawpkt3[] = {
4076 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4077 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4078 0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
4079 0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4080 0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
4081 0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
4082 0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
4083 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4084 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4085 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4086 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4087 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4088 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4089 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4090 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4091 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4092 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4093 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4094 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4095 0x00,0x00 }; /* end rawpkt3 */
4096
4097 uint8_t rawpkt4[] = {
4098 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
4099 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
4100 0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
4101 0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
4102 0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
4103 0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
4104 0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
4105 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
4106 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
4107 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
4108 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
4109 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
4110 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
4111 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4112 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4113 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4114 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4115 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4116 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
4117 0x00,0x00 }; /* end rawpkt4 */
4118
4119 memset(&dtv, 0, sizeof(DecodeThreadVars));
4120 memset(&th_v, 0, sizeof(th_v));
4121
4122 DetectEngineThreadCtx *det_ctx = NULL;
4123
4124 FlowInitConfig(FLOW_QUIET);
4125
4126 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4127 if (de_ctx == NULL) {
4128 goto end;
4129 }
4130
4131 de_ctx->flags |= DE_QUIET;
4132
4133 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
4134 if (de_ctx->sig_list == NULL) {
4135 result = 0;
4136 goto end;
4137 }
4138
4139 SigGroupBuild(de_ctx);
4140 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4141
4142 /* packet 1 */
4143 p1 = PacketGetFromAlloc();
4144 if (unlikely(p1 == NULL))
4145 return 0;
4146 DecodeEthernet(&th_v, &dtv, p1, rawpkt1, sizeof(rawpkt1));
4147 SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
4148 if (!(PacketAlertCheck(p1, 556))) {
4149 printf("failed to match on packet 1: ");
4150 goto end;
4151 }
4152
4153 /* packet 2 */
4154 p2 = PacketGetFromAlloc();
4155 if (unlikely(p2 == NULL))
4156 return 0;
4157 DecodeEthernet(&th_v, &dtv, p2, rawpkt2, sizeof(rawpkt2));
4158 SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
4159 if (!(PacketAlertCheck(p2, 556))) {
4160 printf("failed to match on packet 2: ");
4161 goto end;
4162 }
4163
4164 /* packet 3 */
4165 p3 = PacketGetFromAlloc();
4166 if (unlikely(p3 == NULL))
4167 return 0;
4168 DecodeEthernet(&th_v, &dtv, p3, rawpkt3, sizeof(rawpkt3));
4169 SigMatchSignatures(&th_v, de_ctx, det_ctx, p3);
4170 if (!(PacketAlertCheck(p3, 556))) {
4171 printf("failed to match on packet 3: ");
4172 goto end;
4173 }
4174
4175 /* packet 4 */
4176 p4 = PacketGetFromAlloc();
4177 if (unlikely(p4 == NULL))
4178 return 0;
4179 DecodeEthernet(&th_v, &dtv, p4, rawpkt4, sizeof(rawpkt4));
4180 SigMatchSignatures(&th_v, de_ctx, det_ctx, p4);
4181 if (!(PacketAlertCheck(p4, 556))) {
4182 printf("failed to match on packet 4: ");
4183 goto end;
4184 }
4185
4186 /* packet 5 */
4187 uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
4188 uint16_t p5buflen = strlen((char *)p5buf);
4189 Packet *p5 = UTHBuildPacket(p5buf, p5buflen, IPPROTO_TCP);
4190 SigMatchSignatures(&th_v, de_ctx, det_ctx, p5);
4191 if (!(PacketAlertCheck(p5, 556))) {
4192 printf("failed to match on packet 5: ");
4193 goto end;
4194 }
4195 UTHFreePackets(&p5, 1);
4196
4197 result = 1;
4198end:
4199 if (de_ctx != NULL) {
4200 SigGroupCleanup(de_ctx);
4201 SigCleanSignatures(de_ctx);
4202 }
4203
4204 if (det_ctx != NULL)
4205 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4206
4207 if (de_ctx != NULL)
4208 DetectEngineCtxFree(de_ctx);
4209
4210 if (p1 != NULL) {
4211 PacketRecycle(p1);
4212 SCFree(p1);
4213 }
4214 if (p2 != NULL) {
4215 PacketRecycle(p2);
4216 SCFree(p2);
4217 }
4218 if (p3 != NULL) {
4219 PacketRecycle(p3);
4220 SCFree(p3);
4221 }
4222 if (p4 != NULL) {
4223 PacketRecycle(p4);
4224 SCFree(p4);
4225 }
4226 FlowShutdown();
4227 return result;
4228}
4229
4230static int SigTestDepthOffset01 (void)
4231{
4232 uint8_t *buf = (uint8_t *)"01234567890123456789012345678901abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
4233 uint16_t buflen = strlen((char *)buf);
4234 Packet *p = NULL;
4235 ThreadVars th_v;
4236 DetectEngineThreadCtx *det_ctx = NULL;
4237 int result = 0;
4238
4239 memset(&th_v, 0, sizeof(th_v));
4240
4241 p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
4242
4243 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4244 if (de_ctx == NULL) {
4245 goto end;
4246 }
4247
4248 de_ctx->flags |= DE_QUIET;
4249
4250 de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"depth offset\"; content:\"456\"; offset:4; depth:3; sid:1;)");
4251 if (de_ctx->sig_list == NULL) {
4252 result = 0;
4253 goto end;
4254 }
4255
4256 SigGroupBuild(de_ctx);
4257 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
4258
4259 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
4260 if (PacketAlertCheck(p, 1))
4261 result = 1;
4262
4263 SigGroupCleanup(de_ctx);
4264 SigCleanSignatures(de_ctx);
4265
4266 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
4267 DetectEngineCtxFree(de_ctx);
4268end:
4269 UTHFreePackets(&p, 1);
4270 return result;
4271}
4272
4273static int SigTestDetectAlertCounter(void)
4274{
4275 Packet *p = NULL;
4276 ThreadVars tv;
4277 DetectEngineThreadCtx *det_ctx = NULL;
4278 memset(&tv, 0, sizeof(tv));
4279
4280 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4281 FAIL_IF_NULL(de_ctx);
4282 de_ctx->flags |= DE_QUIET;
4283
4284 de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Test counter\"; "
4285 "content:\"boo\"; sid:1;)");
4286 FAIL_IF(de_ctx->sig_list == NULL);
4287
4288 SigGroupBuild(de_ctx);
4289 strlcpy(tv.name, "detect_test", sizeof(tv.name));
4290 DetectEngineThreadCtxInit(&tv, de_ctx, (void *)&det_ctx);
4291 /* init counters */
4292 StatsSetupPrivate(&tv);
4293
4294 p = UTHBuildPacket((uint8_t *)"boo", strlen("boo"), IPPROTO_TCP);
4295 Detect(&tv, p, det_ctx);
4296 FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 1);
4297
4298 Detect(&tv, p, det_ctx);
4299 FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 2);
4300 UTHFreePackets(&p, 1);
4301
4302 p = UTHBuildPacket((uint8_t *)"roo", strlen("roo"), IPPROTO_TCP);
4303 Detect(&tv, p, det_ctx);
4304 FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 2);
4305 UTHFreePackets(&p, 1);
4306
4307 p = UTHBuildPacket((uint8_t *)"laboosa", strlen("laboosa"), IPPROTO_TCP);
4308 Detect(&tv, p, det_ctx);
4309 FAIL_IF_NOT(StatsGetLocalCounterValue(&tv, det_ctx->counter_alerts) == 3);
4310 UTHFreePackets(&p, 1);
4311
4312 DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
4313 DetectEngineCtxFree(de_ctx);
4314 PASS;
4315}
4316
4317/** \test test if the engine set flag to drop pkts of a flow that
4318 * triggered a drop action on IPS mode */
4319static int SigTestDropFlow01(void)
4320{
4321 Flow f;
4322 HtpState *http_state = NULL;
4323 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4324 "User-Agent: Mozilla/1.0\r\n"
4325 "Cookie: hellocatch\r\n\r\n";
4326 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4327 TcpSession ssn;
4328 Packet *p = NULL;
4329 Signature *s = NULL;
4330 ThreadVars tv;
4331 DetectEngineThreadCtx *det_ctx = NULL;
4332 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4333
4334 memset(&tv, 0, sizeof(ThreadVars));
4335 memset(&f, 0, sizeof(Flow));
4336 memset(&ssn, 0, sizeof(TcpSession));
4337
4338 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4339
4340 FLOW_INITIALIZE(&f);
4341 f.protoctx = (void *)&ssn;
4342 f.proto = IPPROTO_TCP;
4343 f.flags |= FLOW_IPV4;
4344
4345 p->flow = &f;
4346 p->flowflags |= FLOW_PKT_TOSERVER;
4347 p->flowflags |= FLOW_PKT_ESTABLISHED;
4348 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4349 f.alproto = ALPROTO_HTTP1;
4350
4351 StreamTcpInitConfig(true);
4352
4353 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4354 FAIL_IF_NULL(de_ctx);
4355 de_ctx->flags |= DE_QUIET;
4356
4357 s = de_ctx->sig_list = SigInit(de_ctx, "drop http any any -> any any "
4358 "(msg:\"Test proto match\"; "
4359 "sid:1;)");
4360 FAIL_IF_NULL(s);
4361
4362 SigGroupBuild(de_ctx);
4363 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4364
4365 int r = AppLayerParserParse(
4366 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4367 FAIL_IF_NOT(r == 0);
4368
4369 http_state = f.alstate;
4370 FAIL_IF_NULL(http_state);
4371
4372 /* do detect */
4373 SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4374
4375 FAIL_IF_NOT(PacketAlertCheck(p, 1));
4376
4377 FAIL_IF_NOT(p->flow->flags & FLOW_ACTION_DROP);
4378
4379 AppLayerParserThreadCtxFree(alp_tctx);
4380 DetectEngineThreadCtxDeinit(&tv, det_ctx);
4381 DetectEngineCtxFree(de_ctx);
4382
4383 StreamTcpFreeConfig(true);
4384 FLOW_DESTROY(&f);
4385
4386 UTHFreePackets(&p, 1);
4387 PASS;
4388}
4389
4390/** \test test if the engine set flag to drop pkts of a flow that
4391 * triggered a drop action on IPS mode */
4392static int SigTestDropFlow02(void)
4393{
4394 int result = 0;
4395 Flow f;
4396 HtpState *http_state = NULL;
4397 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4398 "User-Agent: Mozilla/1.0\r\n"
4399 "Cookie: hellocatch\r\n\r\n";
4400 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4401 TcpSession ssn;
4402 Packet *p = NULL;
4403 Signature *s = NULL;
4404 ThreadVars tv;
4405 DetectEngineThreadCtx *det_ctx = NULL;
4406 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4407
4408 memset(&tv, 0, sizeof(ThreadVars));
4409 memset(&f, 0, sizeof(Flow));
4410 memset(&ssn, 0, sizeof(TcpSession));
4411
4412 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4413
4414 FLOW_INITIALIZE(&f);
4415 f.protoctx = (void *)&ssn;
4416 f.proto = IPPROTO_TCP;
4417 f.flags |= FLOW_IPV4;
4418
4419 p->flow = &f;
4420 p->flowflags |= FLOW_PKT_TOSERVER;
4421 p->flowflags |= FLOW_PKT_ESTABLISHED;
4422 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4423 f.alproto = ALPROTO_HTTP1;
4424
4425 StreamTcpInitConfig(true);
4426
4427 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4428 if (de_ctx == NULL) {
4429 goto end;
4430 }
4431 de_ctx->flags |= DE_QUIET;
4432
4433 s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4434 "(msg:\"Test proto match\"; uricontent:\"one\";"
4435 "sid:1;)");
4436 if (s == NULL) {
4437 goto end;
4438 }
4439
4440 SigGroupBuild(de_ctx);
4441 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4442
4443 int r = AppLayerParserParse(
4444 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4445 if (r != 0) {
4446 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4447 goto end;
4448 }
4449
4450 http_state = f.alstate;
4451 if (http_state == NULL) {
4452 printf("no http state: ");
4453 goto end;
4454 }
4455
4456 /* do detect */
4457 SigMatchSignatures(&tv, de_ctx, det_ctx, p);
4458
4459 if (!PacketAlertCheck(p, 1)) {
4460 printf("sig 1 didn't alert, but it should: ");
4461 goto end;
4462 }
4463
4464 if ( !(p->flow->flags & FLOW_ACTION_DROP)) {
4465 printf("sig 1 alerted but flow was not flagged correctly: ");
4466 goto end;
4467 }
4468
4469 /* Ok, now we know that the flag is set for app layer sigs
4470 * (ex: inspecting uricontent) */
4471
4472 result = 1;
4473
4474end:
4475 if (alp_tctx != NULL)
4476 AppLayerParserThreadCtxFree(alp_tctx);
4477 if (det_ctx != NULL)
4478 DetectEngineThreadCtxDeinit(&tv, det_ctx);
4479 if (de_ctx != NULL)
4480 SigGroupCleanup(de_ctx);
4481 if (de_ctx != NULL)
4482 DetectEngineCtxFree(de_ctx);
4483
4484 StreamTcpFreeConfig(true);
4485 FLOW_DESTROY(&f);
4486
4487 UTHFreePackets(&p, 1);
4488 return result;
4489}
4490
4491/** \test test if the engine set flag to drop pkts of a flow that
4492 * triggered a drop action on IPS mode, and it doesn't inspect
4493 * any other packet of the stream */
4494static int SigTestDropFlow03(void)
4495{
4496 int result = 0;
4497 Flow f;
4498 HtpState *http_state = NULL;
4499 uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
4500 "User-Agent: Mozilla/1.0\r\n"
4501 "Cookie: hellocatch\r\n\r\n";
4502 uint32_t http_buf1_len = sizeof(http_buf1) - 1;
4503
4504 uint8_t http_buf2[] = "POST /two HTTP/1.0\r\n"
4505 "User-Agent: Mozilla/1.0\r\n"
4506 "Cookie: hellocatch\r\n\r\n";
4507 uint32_t http_buf2_len = sizeof(http_buf1) - 1;
4508
4509 /* Set the engine mode to IPS */
4510 EngineModeSetIPS();
4511
4512 TcpSession ssn;
4513 Packet *p1 = NULL;
4514 Packet *p2 = NULL;
4515 Signature *s = NULL;
4516 ThreadVars tv;
4517 DetectEngineThreadCtx *det_ctx = NULL;
4518 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
4519
4520 memset(&tv, 0, sizeof(ThreadVars));
4521 memset(&f, 0, sizeof(Flow));
4522 memset(&ssn, 0, sizeof(TcpSession));
4523
4524 p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4525 p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
4526
4527 FLOW_INITIALIZE(&f);
4528 f.protoctx = (void *)&ssn;
4529 f.proto = IPPROTO_TCP;
4530 f.flags |= FLOW_IPV4;
4531
4532 p1->flow = &f;
4533 p1->flowflags |= FLOW_PKT_TOSERVER;
4534 p1->flowflags |= FLOW_PKT_ESTABLISHED;
4535 p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4536
4537 p2->flow = &f;
4538 p2->flowflags |= FLOW_PKT_TOSERVER;
4539 p2->flowflags |= FLOW_PKT_ESTABLISHED;
4540 p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
4541 f.alproto = ALPROTO_HTTP1;
4542
4543 StreamTcpInitConfig(true);
4544
4545 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4546 if (de_ctx == NULL) {
4547 goto end;
4548 }
4549
4550 de_ctx->flags |= DE_QUIET;
4551
4552 s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
4553 "(msg:\"Test proto match\"; uricontent:\"one\";"
4554 "sid:1;)");
4555 if (s == NULL) {
4556 goto end;
4557 }
4558
4559 /* the no inspection flag should be set after the first sig gets triggered,
4560 * so the second packet should not match the next sig (because of no inspection) */
4561 s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
4562 "(msg:\"Test proto match\"; uricontent:\"two\";"
4563 "sid:2;)");
4564 if (s == NULL) {
4565 goto end;
4566 }
4567
4568 SigGroupBuild(de_ctx);
4569 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4570
4571 int r = AppLayerParserParse(
4572 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
4573 if (r != 0) {
4574 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
4575 goto end;
4576 }
4577
4578 http_state = f.alstate;
4579 if (http_state == NULL) {
4580 printf("no http state: ");
4581 goto end;
4582 }
4583
4584 /* do detect */
4585 SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4586
4587 if (!PacketAlertCheck(p1, 1)) {
4588 printf("sig 1 didn't alert on p1, but it should: ");
4589 goto end;
4590 }
4591
4592 if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
4593 printf("sig 1 alerted but flow was not flagged correctly: ");
4594 goto end;
4595 }
4596
4597 /* Second part.. Let's feed with another packet */
4598 if (StreamTcpCheckFlowDrops(p2) == 1) {
4599 SCLogDebug("This flow/stream triggered a drop rule");
4600 DecodeSetNoPacketInspectionFlag(p2);
4601 StreamTcpDisableAppLayer(p2->flow);
4602 p2->action |= ACTION_DROP;
4603 /* return the segments to the pool */
4604 StreamTcpSessionPktFree(p2);
4605 }
4606
4607
4608 if ( !(p2->flags & PKT_NOPACKET_INSPECTION)) {
4609 printf("The packet was not flagged with no-inspection: ");
4610 goto end;
4611 }
4612
4613 r = AppLayerParserParse(
4614 NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
4615 if (r != 0) {
4616 printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
4617 goto end;
4618 }
4619
4620 /* do detect */
4621 SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
4622
4623 if (PacketAlertCheck(p2, 1)) {
4624 printf("sig 1 alerted, but it should not since the no pkt inspection should be set: ");
4625 goto end;
4626 }
4627
4628 if (PacketAlertCheck(p2, 2)) {
4629 printf("sig 2 alerted, but it should not since the no pkt inspection should be set: ");
4630 goto end;
4631 }
4632
4633 if (!(PacketTestAction(p2, ACTION_DROP))) {
4634 printf("A \"drop\" action should be set from the flow to the packet: ");
4635 goto end;
4636 }
4637
4638 result = 1;
4639
4640end:
4641 if (alp_tctx != NULL)
4642 AppLayerParserThreadCtxFree(alp_tctx);
4643 if (det_ctx != NULL)
4644 DetectEngineThreadCtxDeinit(&tv, det_ctx);
4645 if (de_ctx != NULL)
4646 SigGroupCleanup(de_ctx);
4647 if (de_ctx != NULL)
4648 DetectEngineCtxFree(de_ctx);
4649
4650 StreamTcpFreeConfig(true);
4651 FLOW_DESTROY(&f);
4652
4653 UTHFreePackets(&p1, 1);
4654 UTHFreePackets(&p2, 1);
4655
4656 /* Restore mode to IDS */
4657 EngineModeSetIDS();
4658 return result;
4659}
4660
4661/** \test ICMP packet shouldn't be matching port based sig
4662 * Bug #611 */
4663static int SigTestPorts01(void)
4664{
4665 int result = 0;
4666 Packet *p1 = NULL;
4667 Signature *s = NULL;
4668 ThreadVars tv;
4669 DetectEngineThreadCtx *det_ctx = NULL;
4670 uint8_t payload[] = "AAAAAAAAAAAAAAAAAA";
4671
4672 memset(&tv, 0, sizeof(ThreadVars));
4673
4674 p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_ICMP);
4675
4676 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4677 if (de_ctx == NULL) {
4678 goto end;
4679 }
4680 de_ctx->flags |= DE_QUIET;
4681
4682 s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any 80 "
4683 "(content:\"AAA\"; sid:1;)");
4684 if (s == NULL) {
4685 goto end;
4686 }
4687
4688 SigGroupBuild(de_ctx);
4689 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4690
4691 /* do detect */
4692 SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4693
4694 if (PacketAlertCheck(p1, 1)) {
4695 printf("sig 1 alerted on p1, but it should not: ");
4696 goto end;
4697 }
4698
4699 result = 1;
4700end:
4701 if (det_ctx != NULL)
4702 DetectEngineThreadCtxDeinit(&tv, det_ctx);
4703 if (de_ctx != NULL)
4704 SigGroupCleanup(de_ctx);
4705 if (de_ctx != NULL)
4706 DetectEngineCtxFree(de_ctx);
4707
4708 UTHFreePackets(&p1, 1);
4709 return result;
4710}
4711
4712/** \test almost identical patterns */
4713static int SigTestBug01(void)
4714{
4715 int result = 0;
4716 Packet *p1 = NULL;
4717 Signature *s = NULL;
4718 ThreadVars tv;
4719 DetectEngineThreadCtx *det_ctx = NULL;
4720 uint8_t payload[] = "!mymy";
4721
4722 memset(&tv, 0, sizeof(ThreadVars));
4723
4724 p1 = UTHBuildPacket(payload, sizeof(payload), IPPROTO_TCP);
4725
4726 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4727 if (de_ctx == NULL) {
4728 goto end;
4729 }
4730 de_ctx->flags |= DE_QUIET;
4731
4732 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4733 "(content:\"Omymy\"; nocase; sid:1;)");
4734 if (s == NULL) {
4735 goto end;
4736 }
4737 s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
4738 "(content:\"!mymy\"; nocase; sid:2;)");
4739 if (s == NULL) {
4740 goto end;
4741 }
4742
4743 SigGroupBuild(de_ctx);
4744 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
4745
4746 /* do detect */
4747 SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
4748
4749 if (PacketAlertCheck(p1, 1)) {
4750 printf("sig 1 alerted on p1, but it should not: ");
4751 goto end;
4752 }
4753 if (!(PacketAlertCheck(p1, 2))) {
4754 printf("sig 2 did not p1, but it should have: ");
4755 goto end;
4756 }
4757
4758 result = 1;
4759end:
4760 if (det_ctx != NULL)
4761 DetectEngineThreadCtxDeinit(&tv, det_ctx);
4762 if (de_ctx != NULL)
4763 SigGroupCleanup(de_ctx);
4764 if (de_ctx != NULL)
4765 DetectEngineCtxFree(de_ctx);
4766
4767 UTHFreePackets(&p1, 1);
4768 return result;
4769}
4770
4771static const char *dummy_conf_string2 =
4772 "%YAML 1.1\n"
4773 "---\n"
4774 "vars:\n"
4775 "\n"
4776 " address-groups:\n"
4777 "\n"
4778 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
4779 "\n"
4780 " EXTERNAL_NET: \"any\"\n"
4781 "\n"
4782 " port-groups:\n"
4783 "\n"
4784 " HTTP_PORTS: \"80:81,88\"\n"
4785 "\n";
4786
4787static int DetectAddressYamlParsing01 (void)
4788{
4789 int result = 0;
4790
4791 SCConfCreateContextBackup();
4792 SCConfInit();
4793 SCConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
4794
4795 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4796 if (de_ctx == NULL) {
4797 goto end;
4798 }
4799
4800 de_ctx->flags |= DE_QUIET;
4801
4802 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4803 goto end;
4804 if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4805 goto end;
4806 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4807 goto end;
4808
4809 result = 1;
4810
4811 DetectEngineCtxFree(de_ctx);
4812end:
4813 SCConfDeInit();
4814 SCConfRestoreContextBackup();
4815 return result;
4816}
4817
4818static const char *dummy_conf_string3 =
4819 "%YAML 1.1\n"
4820 "---\n"
4821 "vars:\n"
4822 "\n"
4823 " address-groups:\n"
4824 "\n"
4825 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4826 "\n"
4827 " EXTERNAL_NET: \"any\"\n"
4828 "\n"
4829 " port-groups:\n"
4830 "\n"
4831 " HTTP_PORTS: \"80:81,88\"\n"
4832 "\n";
4833
4834static int DetectAddressYamlParsing02 (void)
4835{
4836 int result = 0;
4837
4838 SCConfCreateContextBackup();
4839 SCConfInit();
4840 SCConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
4841
4842 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4843 if (de_ctx == NULL) {
4844 goto end;
4845 }
4846
4847 de_ctx->flags |= DE_QUIET;
4848
4849 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4850 goto end;
4851 if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4852 goto end;
4853 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4854 goto end;
4855
4856 result = 1;
4857
4858 DetectEngineCtxFree(de_ctx);
4859end:
4860 SCConfDeInit();
4861 SCConfRestoreContextBackup();
4862 return result;
4863}
4864
4865static const char *dummy_conf_string4 =
4866 "%YAML 1.1\n"
4867 "---\n"
4868 "vars:\n"
4869 "\n"
4870 " address-groups:\n"
4871 "\n"
4872 " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
4873 "\n"
4874 " EXTERNAL_NET: \"any\"\n"
4875 "\n"
4876 " port-groups:\n"
4877 "\n"
4878 " HTTP_PORTS: \"80:81,88\"\n"
4879 "\n";
4880
4881static int DetectAddressYamlParsing03 (void)
4882{
4883 int result = 0;
4884
4885 SCConfCreateContextBackup();
4886 SCConfInit();
4887 SCConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
4888
4889 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4890 if (de_ctx == NULL) {
4891 goto end;
4892 }
4893
4894 de_ctx->flags |= DE_QUIET;
4895
4896 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4897 goto end;
4898 if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4899 goto end;
4900 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4901 goto end;
4902
4903 result = 1;
4904
4905 DetectEngineCtxFree(de_ctx);
4906end:
4907 SCConfDeInit();
4908 SCConfRestoreContextBackup();
4909 return result;
4910}
4911
4912static const char *dummy_conf_string5 =
4913 "%YAML 1.1\n"
4914 "---\n"
4915 "vars:\n"
4916 "\n"
4917 " address-groups:\n"
4918 "\n"
4919 " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
4920 "\n"
4921 " EXTERNAL_NET: \"any\"\n"
4922 "\n"
4923 " port-groups:\n"
4924 "\n"
4925 " HTTP_PORTS: \"80:81,88\"\n"
4926 "\n";
4927
4928/** \test bug #815 */
4929static int DetectAddressYamlParsing04 (void)
4930{
4931 int result = 0;
4932
4933 SCConfCreateContextBackup();
4934 SCConfInit();
4935 SCConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
4936
4937 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
4938 if (de_ctx == NULL) {
4939 goto end;
4940 }
4941
4942 de_ctx->flags |= DE_QUIET;
4943
4944 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
4945 goto end;
4946 if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
4947 goto end;
4948 if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
4949 goto end;
4950
4951 result = 1;
4952
4953 DetectEngineCtxFree(de_ctx);
4954end:
4955 SCConfDeInit();
4956 SCConfRestoreContextBackup();
4957 return result;
4958}
4959
4960void SigRegisterTests(void)
4961{
4962 SigParseRegisterTests();
4963 IPOnlyRegisterTests();
4964
4965 UtRegisterTest("SigTest01", SigTest01);
4966 UtRegisterTest("SigTest02 -- Offset/Depth match", SigTest02);
4967 UtRegisterTest("SigTest03 -- offset/depth mismatch", SigTest03);
4968 UtRegisterTest("SigTest04 -- distance/within match", SigTest04);
4969 UtRegisterTest("SigTest05 -- distance/within mismatch", SigTest05);
4970 UtRegisterTest("SigTest06 -- uricontent HTTP/1.1 match test", SigTest06);
4971 UtRegisterTest("SigTest07 -- uricontent HTTP/1.1 mismatch test",
4972 SigTest07);
4973 UtRegisterTest("SigTest08 -- uricontent HTTP/1.0 match test", SigTest08);
4974 UtRegisterTest("SigTest09 -- uricontent HTTP/1.0 mismatch test",
4975 SigTest09);
4976 UtRegisterTest("SigTest10 -- long content match, longer than pkt",
4977 SigTest10);
4978 UtRegisterTest("SigTest11 -- mpm searching", SigTest11);
4979 UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12);
4980 UtRegisterTest("SigTest13 -- content order matching, diff order",
4981 SigTest13);
4982 UtRegisterTest("SigTest14 -- content order matching, distance 0",
4983 SigTest14);
4984 UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15);
4985 UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16);
4986 UtRegisterTest("SigTest17 -- HTTP Host Pkt var capture", SigTest17);
4987 UtRegisterTest("SigTest18 -- Ftp negation sig test", SigTest18);
4988 UtRegisterTest("SigTest19 -- IP-ONLY test (1)", SigTest19);
4989 UtRegisterTest("SigTest20 -- IP-ONLY test (2)", SigTest20);
4990 UtRegisterTest("SigTest21 -- FLOWBIT test (1)", SigTest21);
4991 UtRegisterTest("SigTest22 -- FLOWBIT test (2)", SigTest22);
4992 UtRegisterTest("SigTest23 -- FLOWBIT test (3)", SigTest23);
4993
4994 UtRegisterTest("SigTest24IPV4Keyword", SigTest24IPV4Keyword);
4995 UtRegisterTest("SigTest25NegativeIPV4Keyword",
4996 SigTest25NegativeIPV4Keyword);
4997
4998 UtRegisterTest("SigTest26TCPV4Keyword", SigTest26TCPV4Keyword);
4999 UtRegisterTest("SigTest26TCPV4AndNegativeIPV4Keyword",
5000 SigTest26TCPV4AndNegativeIPV4Keyword);
5001 UtRegisterTest("SigTest26TCPV4AndIPV4Keyword",
5002 SigTest26TCPV4AndIPV4Keyword);
5003 UtRegisterTest("SigTest27NegativeTCPV4Keyword",
5004 SigTest27NegativeTCPV4Keyword);
5005
5006 UtRegisterTest("SigTest28TCPV6Keyword", SigTest28TCPV6Keyword);
5007 UtRegisterTest("SigTest29NegativeTCPV6Keyword",
5008 SigTest29NegativeTCPV6Keyword);
5009
5010 UtRegisterTest("SigTest30UDPV4Keyword", SigTest30UDPV4Keyword);
5011 UtRegisterTest("SigTest31NegativeUDPV4Keyword",
5012 SigTest31NegativeUDPV4Keyword);
5013
5014 UtRegisterTest("SigTest32UDPV6Keyword", SigTest32UDPV6Keyword);
5015 UtRegisterTest("SigTest33NegativeUDPV6Keyword",
5016 SigTest33NegativeUDPV6Keyword);
5017
5018 UtRegisterTest("SigTest34ICMPV4Keyword", SigTest34ICMPV4Keyword);
5019 UtRegisterTest("SigTest35NegativeICMPV4Keyword",
5020 SigTest35NegativeICMPV4Keyword);
5021 UtRegisterTest("SigTest36ContentAndIsdataatKeywords01",
5022 SigTest36ContentAndIsdataatKeywords01);
5023 UtRegisterTest("SigTest37ContentAndIsdataatKeywords02",
5024 SigTest37ContentAndIsdataatKeywords02);
5025
5026 UtRegisterTest("SigTest38 -- byte_test test (1)", SigTest38);
5027
5028 UtRegisterTest("SigTest39 -- byte_jump test (2)", SigTest39);
5029
5030 UtRegisterTest("SigTest40NoPacketInspection01",
5031 SigTest40NoPacketInspection01);
5032 UtRegisterTest("SigTest40NoPayloadInspection02",
5033 SigTest40NoPayloadInspection02);
5034
5035 UtRegisterTest("SigTestMemory01", SigTestMemory01);
5036 UtRegisterTest("SigTestMemory02", SigTestMemory02);
5037 UtRegisterTest("SigTestMemory03", SigTestMemory03);
5038
5039 UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01);
5040 UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02);
5041 UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance",
5042 SigTestContent03);
5043 UtRegisterTest("SigTestContent04 -- 32 byte pattern, x2 + distance/within",
5044 SigTestContent04);
5045 UtRegisterTest("SigTestContent05 -- distance/within", SigTestContent05);
5046 UtRegisterTest("SigTestContent06 -- distance/within ip only",
5047 SigTestContent06);
5048
5049 UtRegisterTest("SigTestWithinReal01", SigTestWithin01);
5050 UtRegisterTest("SigTestDepthOffset01", SigTestDepthOffset01);
5051
5052 UtRegisterTest("SigTestDetectAlertCounter", SigTestDetectAlertCounter);
5053
5054 UtRegisterTest("SigTestDropFlow01", SigTestDropFlow01);
5055 UtRegisterTest("SigTestDropFlow02", SigTestDropFlow02);
5056 UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03);
5057
5058 UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01);
5059 UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02);
5060 UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03);
5061 UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04);
5062
5063 UtRegisterTest("SigTestPorts01", SigTestPorts01);
5064 UtRegisterTest("SigTestBug01", SigTestBug01);
5065
5066 DetectEngineContentInspectionRegisterTests();
5067}
5068#endif /* UNITTESTS */
ACTION_DROP
#define ACTION_DROP
Definition action-globals.h:30
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition app-layer-parser.c:297
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition app-layer-parser.c:324
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition app-layer-parser.c:1291
ALPROTO_HTTP1
@ ALPROTO_HTTP1
Definition app-layer-protos.h:36
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition conf-yaml-loader.c:523
SCConfInit
void SCConfInit(void)
Initialize the configuration system.
Definition conf.c:120
SCConfDeInit
void SCConfDeInit(void)
De-initializes the configuration system.
Definition conf.c:703
SCConfCreateContextBackup
void SCConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition conf.c:684
SCConfRestoreContextBackup
void SCConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition conf.c:694
StatsSetupPrivate
int StatsSetupPrivate(ThreadVars *tv)
Definition counters.c:1209
StatsGetLocalCounterValue
uint64_t StatsGetLocalCounterValue(ThreadVars *tv, uint16_t id)
Get the value of the local copy of the counter that hold this id.
Definition counters.c:1255
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition decode-ethernet.c:42
IPV4_GET_RAW_HLEN
#define IPV4_GET_RAW_HLEN(ip4h)
Definition decode-ipv4.h:96
IPV6_GET_RAW_PLEN
#define IPV6_GET_RAW_PLEN(ip6h)
Definition decode-ipv6.h:66
TCP_GET_RAW_HLEN
#define TCP_GET_RAW_HLEN(tcph)
Definition decode-tcp.h:72
UDP_HEADER_LEN
#define UDP_HEADER_LEN
Definition decode-udp.h:27
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition decode.h:1266
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition decode.h:213
PKT_NOPACKET_INSPECTION
#define PKT_NOPACKET_INSPECTION
Definition decode.h:1247
PKT_NOPAYLOAD_INSPECTION
#define PKT_NOPAYLOAD_INSPECTION
Definition decode.h:1252
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition decode.h:209
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition decode.h:208
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition decode.h:1262
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition detect-engine-alert.c:142
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition detect-engine-build.c:56
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition detect-engine-build.c:2275
DetectEngineContentInspectionRegisterTests
void DetectEngineContentInspectionRegisterTests(void)
Definition detect-engine-content-inspection.c:317
IPOnlyRegisterTests
void IPOnlyRegisterTests(void)
Definition detect-engine-iponly.c:2350
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition detect-engine.c:3608
SigParseRegisterTests
void SigParseRegisterTests(void)
Definition detect-parse.c:5426
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095
Detect
TmEcode Detect(ThreadVars *tv, Packet *p, void *data)
Detection engine thread wrapper.
Definition detect.c:2341
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
DE_QUIET
#define DE_QUIET
Definition detect.h:330
DETECT_SM_LIST_PMATCH
@ DETECT_SM_LIST_PMATCH
Definition detect.h:119
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition flow-util.h:38
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition flow-util.h:119
FlowInitConfig
void FlowInitConfig(bool quiet)
initialize the configuration
Definition flow.c:547
FlowShutdown
void FlowShutdown(void)
shutdown the flow engine
Definition flow.c:691
FlowCleanupAppLayer
void FlowCleanupAppLayer(Flow *f)
Definition flow.c:139
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition flow.h:233
FLOW_QUIET
#define FLOW_QUIET
Definition flow.h:43
FLOW_ACTION_DROP
#define FLOW_ACTION_DROP
Definition flow.h:70
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition flow.h:235
FLOW_IPV4
#define FLOW_IPV4
Definition flow.h:100
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition fuzz_applayerparserparse.c:23
dtv
DecodeThreadVars * dtv
Definition fuzz_decodepcapfile.c:33
tv
ThreadVars * tv
Definition fuzz_decodepcapfile.c:32
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition util-unittest.h:82
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition decode.c:335
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition decode.c:258
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition decode.c:377
PacketRecycle
void PacketRecycle(Packet *p)
Definition packet.c:150
PktVarGet
PktVar * PktVarGet(Packet *p, uint32_t id)
Definition pkt-var.c:40
StreamTcpDisableAppLayer
void StreamTcpDisableAppLayer(Flow *f)
Definition stream-tcp-reassemble.c:447
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition stream-tcp.c:859
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition stream-tcp.c:488
StreamTcpSessionPktFree
void StreamTcpSessionPktFree(Packet *p)
Function to return the stream segments back to the pool.
Definition stream-tcp.c:380
Address_::family
char family
Definition decode.h:113
AppLayerParserThreadCtx_
Definition app-layer-parser.c:60
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition decode.h:963
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941
DetectEngineThreadCtx_
Definition detect.h:1244
DetectEngineThreadCtx_::counter_alerts
uint16_t counter_alerts
Definition detect.h:1289
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition detect.h:1364
Flow_
Flow data structure.
Definition flow.h:356
Flow_::proto
uint8_t proto
Definition flow.h:378
Flow_::flags
uint32_t flags
Definition flow.h:421
Flow_::alproto
AppProto alproto
application level protocol
Definition flow.h:450
Flow_::alstate
void * alstate
Definition flow.h:479
Flow_::protoctx
void * protoctx
Definition flow.h:441
HtpState_
Definition app-layer-htp.h:181
IPV4Hdr_
Definition decode-ipv4.h:72
IPV4Hdr_::ip_verhl
uint8_t ip_verhl
Definition decode-ipv4.h:73
PacketQueue_
simple fifo queue for packets with mutex and cond Calling the mutex or triggering the cond is respons...
Definition packet-queue.h:49
Packet_
Definition decode.h:501
Packet_::flowflags
uint8_t flowflags
Definition decode.h:532
Packet_::action
uint8_t action
Definition decode.h:609
Packet_::src
Address src
Definition decode.h:505
Packet_::sp
Port sp
Definition decode.h:508
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
Packet_::payload
uint8_t * payload
Definition decode.h:605
Packet_::payload_len
uint16_t payload_len
Definition decode.h:606
Packet_::flags
uint32_t flags
Definition decode.h:544
Packet_::dst
Address dst
Definition decode.h:506
Packet_::proto
uint8_t proto
Definition decode.h:523
Packet_::dp
Port dp
Definition decode.h:516
PktVar_
Definition decode.h:311
PktVar_::value_len
uint16_t value_len
Definition decode.h:317
PktVar_::value
uint8_t * value
Definition decode.h:319
SigMatch_::type
uint16_t type
Definition detect.h:357
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition detect.h:642
Signature_
Signature container.
Definition detect.h:668
Signature_::init_data
SignatureInitData * init_data
Definition detect.h:747
Signature_::next
struct Signature_ * next
Definition detect.h:750
TCPHdr_
Definition decode-tcp.h:149
TcpSession_
Definition stream-tcp-private.h:283
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
ThreadVars_::name
char name[16]
Definition threadvars.h:65
BUG_ON
#define BUG_ON(x)
Definition suricata-common.h:317
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition util-strlcpyu.c:43
EngineModeSetIDS
void EngineModeSetIDS(void)
Definition suricata.c:264
EngineModeSetIPS
void EngineModeSetIPS(void)
Definition suricata.c:259
SigRegisterTests
void SigRegisterTests(void)
Definition detect.c:4960
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
SCFree
#define SCFree(p)
Definition util-mem.h:61
MPM_AC
@ MPM_AC
Definition util-mpm.h:36
unlikely
#define unlikely(expr)
Definition util-optimize.h:35
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:456
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition util-unittest-helper.c:365
UTHBuildPacketSrcDstPorts
Packet * UTHBuildPacketSrcDstPorts(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, uint16_t sport, uint16_t dport)
UTHBuildPacketSrcDstPorts is a wrapper that build packets specifying src and dst ports and defaulting...
Definition util-unittest-helper.c:442
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:473
UTHPacketMatchSigMpm
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
Definition util-unittest-helper.c:756
UTHSetIPv4Address
uint32_t UTHSetIPv4Address(const char *str)
return the uint32_t for a ipv4 address string
Definition util-unittest-helper.c:148
VarNameStoreLookupByName
uint32_t VarNameStoreLookupByName(const char *name, const enum VarTypes type)
find name for id+type at packet time. As the active store won't be modified, we don't need locks.
Definition util-var-name.c:319
VAR_TYPE_PKT_VAR
@ VAR_TYPE_PKT_VAR
Definition util-var.h:33