aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/suricata/src/detect-byte-extract.c
diff options
context:
space:
mode:
authorAshlee Young <ashlee@onosfw.com>2015-09-09 22:21:41 -0700
committerAshlee Young <ashlee@onosfw.com>2015-09-09 22:21:41 -0700
commit8879b125d26e8db1a5633de5a9c692eb2d1c4f83 (patch)
treec7259d85a991b83dfa85ab2e339360669fc1f58e /framework/src/suricata/src/detect-byte-extract.c
parent13d05bc8458758ee39cb829098241e89616717ee (diff)
suricata checkin based on commit id a4bce14770beee46a537eda3c3f6e8e8565d5d0a
Change-Id: I9a214fa0ee95e58fc640e50bd604dac7f42db48f
Diffstat (limited to 'framework/src/suricata/src/detect-byte-extract.c')
-rw-r--r--framework/src/suricata/src/detect-byte-extract.c4897
1 files changed, 4897 insertions, 0 deletions
diff --git a/framework/src/suricata/src/detect-byte-extract.c b/framework/src/suricata/src/detect-byte-extract.c
new file mode 100644
index 00000000..bc8bdf2d
--- /dev/null
+++ b/framework/src/suricata/src/detect-byte-extract.c
@@ -0,0 +1,4897 @@
+/* Copyright (C) 2007-2010 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Anoop Saldanha <anoopsaldanha@gmail.com>
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+#include "detect-content.h"
+#include "detect-pcre.h"
+#include "detect-bytejump.h"
+#include "detect-bytetest.h"
+#include "detect-byte-extract.h"
+#include "detect-isdataat.h"
+
+#include "app-layer-protos.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+
+#include "util-byte.h"
+#include "util-debug.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+#include "util-spm.h"
+
+/* the default value of endianess to be used, if none's specified */
+#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT DETECT_BYTE_EXTRACT_ENDIAN_BIG
+
+/* the base to be used if string mode is specified. These options would be
+ * specified in DetectByteParseData->base */
+#define DETECT_BYTE_EXTRACT_BASE_NONE 0
+#define DETECT_BYTE_EXTRACT_BASE_HEX 16
+#define DETECT_BYTE_EXTRACT_BASE_DEC 10
+#define DETECT_BYTE_EXTRACT_BASE_OCT 8
+
+/* the default value for multiplier. Either ways we always store a
+ * multiplier, 1 or otherwise, so that we can always multiply the extracted
+ * value and store it, instead of checking if a multiplier is set or not */
+#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT 1
+/* the min/max limit for multiplier */
+#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT 1
+#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT 65535
+
+/* the max no of bytes that can be extracted in string mode - (string, hex)
+ * (string, oct) or (string, dec) */
+#define STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT 23
+#define STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC 20
+#define STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX 14
+/* the max no of bytes that can be extraced in non-string mode */
+#define NO_STRING_MAX_BYTES_TO_EXTRACT 8
+
+#define PARSE_REGEX "^" \
+ "\\s*([0-9]+)\\s*" \
+ ",\\s*(-?[0-9]+)\\s*" \
+ ",\\s*([^\\s,]+)\\s*" \
+ "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
+ "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
+ "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
+ "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
+ "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
+ "$"
+
+static pcre *parse_regex;
+static pcre_extra *parse_regex_study;
+
+int DetectByteExtractMatch(ThreadVars *, DetectEngineThreadCtx *,
+ Packet *, Signature *, SigMatch *);
+int DetectByteExtractSetup(DetectEngineCtx *, Signature *, char *);
+void DetectByteExtractRegisterTests(void);
+void DetectByteExtractFree(void *);
+
+/**
+ * \brief Registers the keyword handlers for the "byte_extract" keyword.
+ */
+void DetectByteExtractRegister(void)
+{
+ const char *eb;
+ int eo;
+ int opts = 0;
+
+ sigmatch_table[DETECT_BYTE_EXTRACT].name = "byte_extract";
+ sigmatch_table[DETECT_BYTE_EXTRACT].Match = NULL;
+ sigmatch_table[DETECT_BYTE_EXTRACT].AppLayerMatch = NULL;
+ sigmatch_table[DETECT_BYTE_EXTRACT].Setup = DetectByteExtractSetup;
+ sigmatch_table[DETECT_BYTE_EXTRACT].Free = DetectByteExtractFree;
+ sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
+
+ sigmatch_table[DETECT_BYTE_EXTRACT].flags |= SIGMATCH_PAYLOAD;
+
+ parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
+ if (parse_regex == NULL) {
+ SCLogError(SC_ERR_PCRE_COMPILE, "pcre compile of \"%s\" failed "
+ "at offset %" PRId32 ": %s", PARSE_REGEX, eo, eb);
+ goto error;
+ }
+
+ parse_regex_study = pcre_study(parse_regex, 0, &eb);
+ if (eb != NULL) {
+ SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb);
+ goto error;
+ }
+
+ return;
+ error:
+ return;
+}
+
+int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, SigMatch *sm,
+ Signature *s, uint8_t *payload,
+ uint16_t payload_len, uint64_t *value,
+ uint8_t endian)
+{
+ DetectByteExtractData *data = (DetectByteExtractData *)sm->ctx;
+ uint8_t *ptr = NULL;
+ int32_t len = 0;
+ uint64_t val = 0;
+ int extbytes;
+
+ if (payload_len == 0) {
+ return 0;
+ }
+
+ /* Calculate the ptr value for the bytetest and length remaining in
+ * the packet from that point.
+ */
+ if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
+ SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
+ "data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
+
+ ptr = payload + det_ctx->buffer_offset;
+ len = payload_len - det_ctx->buffer_offset;
+
+ ptr += data->offset;
+ len -= data->offset;
+
+ /* No match if there is no relative base */
+ if (len <= 0) {
+ return 0;
+ }
+ //PrintRawDataFp(stdout,ptr,len);
+ } else {
+ SCLogDebug("absolute, data->offset %"PRIu32"", data->offset);
+
+ ptr = payload + data->offset;
+ len = payload_len - data->offset;
+ }
+
+ /* Validate that the to-be-extracted is within the packet */
+ if (ptr < payload || data->nbytes > len) {
+ SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
+ payload, ptr, len, data->nbytes);
+ return 0;
+ }
+
+ /* Extract the byte data */
+ if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
+ extbytes = ByteExtractStringUint64(&val, data->base,
+ data->nbytes, (const char *)ptr);
+ if (extbytes <= 0) {
+ /* strtoull() return 0 if there is no numeric value in data string */
+ if (val == 0) {
+ SCLogDebug("No Numeric value");
+ return 0;
+ } else {
+ SCLogError(SC_ERR_INVALID_NUM_BYTES, "Error extracting %d "
+ "bytes of string data: %d", data->nbytes, extbytes);
+ return -1;
+ }
+ }
+ } else {
+ int endianness = (endian == DETECT_BYTE_EXTRACT_ENDIAN_BIG) ?
+ BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
+ extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
+ if (extbytes != data->nbytes) {
+ SCLogError(SC_ERR_INVALID_NUM_BYTES, "Error extracting %d bytes "
+ "of numeric data: %d\n", data->nbytes, extbytes);
+ return 0;
+ }
+ }
+
+ /* Adjust the jump value based on flags */
+ val *= data->multiplier_value;
+ if (data->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
+ if ((val % data->align_value) != 0) {
+ val += data->align_value - (val % data->align_value);
+ }
+ }
+
+ ptr += extbytes;
+
+ det_ctx->buffer_offset = ptr - payload;
+
+ *value = val;
+
+ return 1;
+}
+
+
+int DetectByteExtractMatch(ThreadVars *tv, DetectEngineThreadCtx *det_ctx,
+ Packet *p, Signature *s, SigMatch *m)
+{
+ goto end;
+ end:
+ return 1;
+}
+
+/**
+ * \internal
+ * \brief Used to parse byte_extract arg.
+ *
+ * \arg The argument to parse.
+ *
+ * \param bed On success an instance containing the parsed data.
+ * On failure, NULL.
+ */
+static inline DetectByteExtractData *DetectByteExtractParse(char *arg)
+{
+ DetectByteExtractData *bed = NULL;
+#define MAX_SUBSTRINGS 100
+ int ret = 0, res = 0;
+ int ov[MAX_SUBSTRINGS];
+ int i = 0;
+
+ ret = pcre_exec(parse_regex, parse_regex_study, arg,
+ strlen(arg), 0, 0, ov, MAX_SUBSTRINGS);
+ if (ret < 3 || ret > 19) {
+ SCLogError(SC_ERR_PCRE_PARSE, "parse error, ret %" PRId32
+ ", string \"%s\"", ret, arg);
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid arg to byte_extract : %s "
+ "for byte_extract", arg);
+ goto error;
+ }
+
+ bed = SCMalloc(sizeof(DetectByteExtractData));
+ if (unlikely(bed == NULL))
+ goto error;
+ memset(bed, 0, sizeof(DetectByteExtractData));
+
+ /* no of bytes to extract */
+ char nbytes_str[64] = "";
+ res = pcre_copy_substring((char *)arg, ov,
+ MAX_SUBSTRINGS, 1, nbytes_str, sizeof(nbytes_str));
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
+ "for arg 1 for byte_extract");
+ goto error;
+ }
+ bed->nbytes = atoi(nbytes_str);
+
+ /* offset */
+ char offset_str[64] = "";
+ res = pcre_copy_substring((char *)arg, ov,
+ MAX_SUBSTRINGS, 2, offset_str, sizeof(offset_str));
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
+ "for arg 2 for byte_extract");
+ goto error;
+ }
+ int offset = atoi(offset_str);
+ if (offset < -65535 || offset > 65535) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract offset invalid - %d. "
+ "The right offset range is -65535 to 65535", offset);
+ goto error;
+ }
+ bed->offset = offset;
+
+ /* var name */
+ char varname_str[256] = "";
+ res = pcre_copy_substring((char *)arg, ov,
+ MAX_SUBSTRINGS, 3, varname_str, sizeof(varname_str));
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
+ "for arg 3 for byte_extract");
+ goto error;
+ }
+ bed->name = SCStrdup(varname_str);
+ if (bed->name == NULL)
+ goto error;
+
+ /* check out other optional args */
+ for (i = 4; i < ret; i++) {
+ char opt_str[64] = "";
+ res = pcre_copy_substring((char *)arg, ov,
+ MAX_SUBSTRINGS, i, opt_str, sizeof(opt_str));
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
+ "for arg %d for byte_extract", i);
+ goto error;
+ }
+
+ if (strcmp("relative", opt_str) == 0) {
+ if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "relative specified more "
+ "than once for byte_extract");
+ goto error;
+ }
+ bed->flags |= DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
+ } else if (strcmp("multiplier", opt_str) == 0) {
+ if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "multiplier specified more "
+ "than once for byte_extract");
+ goto error;
+ }
+ bed->flags |= DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER;
+ i++;
+
+ char multiplier_str[16] = "";
+ res = pcre_copy_substring((char *)arg, ov,
+ MAX_SUBSTRINGS, i, multiplier_str, sizeof(multiplier_str));
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
+ "for arg %d for byte_extract", i);
+ goto error;
+ }
+ int multiplier = atoi(multiplier_str);
+ if (multiplier < DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT ||
+ multiplier > DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "multipiler_value invalid "
+ "- %d. The range is %d-%d",
+ multiplier,
+ DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT,
+ DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT);
+ goto error;
+ }
+ bed->multiplier_value = multiplier;
+ } else if (strcmp("big", opt_str) == 0) {
+ if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
+ "more than once for byte_extract");
+ goto error;
+ }
+ bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
+ bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_BIG;
+ } else if (strcmp("little", opt_str) == 0) {
+ if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
+ "more than once for byte_extract");
+ goto error;
+ }
+ bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
+ bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_LITTLE;
+ } else if (strcmp("dce", opt_str) == 0) {
+ if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "endian option specified "
+ "more than once for byte_extract");
+ goto error;
+ }
+ bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
+ bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DCE;
+ } else if (strcmp("string", opt_str) == 0) {
+ if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "string specified more "
+ "than once for byte_extract");
+ goto error;
+ }
+ if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "The right way to specify "
+ "base is (string, base) and not (base, string) "
+ "for byte_extract");
+ goto error;
+ }
+ bed->flags |= DETECT_BYTE_EXTRACT_FLAG_STRING;
+ } else if (strcmp("hex", opt_str) == 0) {
+ if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(hex) specified "
+ "without specifying string. The right way is "
+ "(string, base) and not (base, string)");
+ goto error;
+ }
+ if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
+ "specified for byte_extract");
+ goto error;
+ }
+ bed->base = DETECT_BYTE_EXTRACT_BASE_HEX;
+ } else if (strcmp("oct", opt_str) == 0) {
+ if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(oct) specified "
+ "without specifying string. The right way is "
+ "(string, base) and not (base, string)");
+ goto error;
+ }
+ if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
+ "specified for byte_extract");
+ goto error;
+ }
+ bed->base = DETECT_BYTE_EXTRACT_BASE_OCT;
+ } else if (strcmp("dec", opt_str) == 0) {
+ if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Base(dec) specified "
+ "without specifying string. The right way is "
+ "(string, base) and not (base, string)");
+ goto error;
+ }
+ if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "More than one base "
+ "specified for byte_extract");
+ goto error;
+ }
+ bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
+ } else if (strcmp("align", opt_str) == 0) {
+ if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Align specified more "
+ "than once for byte_extract");
+ goto error;
+ }
+ bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ALIGN;
+ i++;
+
+ char align_str[16] = "";
+ res = pcre_copy_substring((char *)arg, ov,
+ MAX_SUBSTRINGS, i, align_str, sizeof(align_str));
+ if (res < 0) {
+ SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed "
+ "for arg %d in byte_extract", i);
+ goto error;
+ }
+ bed->align_value = atoi(align_str);
+ if (!(bed->align_value == 2 || bed->align_value == 4)) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid align_value for "
+ "byte_extract - \"%d\"", bed->align_value);
+ goto error;
+ }
+ } else if (strcmp("", opt_str) == 0) {
+ ;
+ } else {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid option - \"%s\" "
+ "specified in byte_extract", opt_str);
+ goto error;
+ }
+ } /* for (i = 4; i < ret; i++) */
+
+ /* validation */
+ if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER)) {
+ /* default value */
+ bed->multiplier_value = DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT;
+ }
+
+ if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
+ if (bed->base == DETECT_BYTE_EXTRACT_BASE_NONE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Base not specified for "
+ "byte_extract, though string was specified. "
+ "The right options are (string, hex), (string, oct) "
+ "or (string, dec)");
+ goto error;
+ }
+ if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't have "
+ "endian \"big\" or \"little\" specified along with "
+ "\"string\"");
+ goto error;
+ }
+ if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
+ /* if are dealing with octal nos, the max no that can fit in a 8
+ * byte value is 01777777777777777777777 */
+ if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
+ "more than %d bytes in \"string\" extraction",
+ STRING_MAX_BYTES_TO_EXTRACT_FOR_OCT);
+ goto error;
+ }
+ } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_DEC) {
+ /* if are dealing with decimal nos, the max no that can fit in a 8
+ * byte value is 18446744073709551615 */
+ if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
+ "more than %d bytes in \"string\" extraction",
+ STRING_MAX_BYTES_TO_EXTRACT_FOR_DEC);
+ goto error;
+ }
+ } else if (bed->base == DETECT_BYTE_EXTRACT_BASE_HEX) {
+ /* if are dealing with hex nos, the max no that can fit in a 8
+ * byte value is 0xFFFFFFFFFFFFFFFF */
+ if (bed->nbytes > STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
+ "more than %d bytes in \"string\" extraction",
+ STRING_MAX_BYTES_TO_EXTRACT_FOR_HEX);
+ goto error;
+ }
+ } else {
+ ; // just a placeholder. we won't reach here.
+ }
+ } else {
+ if (bed->nbytes > NO_STRING_MAX_BYTES_TO_EXTRACT) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "byte_extract can't process "
+ "more than %d bytes in \"non-string\" extraction",
+ NO_STRING_MAX_BYTES_TO_EXTRACT);
+ goto error;
+ }
+ /* if string has not been specified and no endian option has been
+ * specified, then set the default endian level of BIG */
+ if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
+ bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT;
+ }
+
+ return bed;
+ error:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return NULL;
+}
+
+/**
+ * \brief The setup function for the byte_extract keyword for a signature.
+ *
+ * \param de_ctx Pointer to the detection engine context.
+ * \param s Pointer to signature for the current Signature being parsed
+ * from the rules.
+ * \param m Pointer to the head of the SigMatch for the current rule
+ * being parsed.
+ * \param arg Pointer to the string holding the keyword value.
+ *
+ * \retval 0 On success.
+ * \retval -1 On failure.
+ */
+int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, char *arg)
+{
+ SigMatch *sm = NULL;
+ SigMatch *prev_pm = NULL;
+ DetectByteExtractData *data = NULL;
+ int ret = -1;
+
+ data = DetectByteExtractParse(arg);
+ if (data == NULL)
+ goto error;
+
+ int sm_list;
+ if (s->list != DETECT_SM_LIST_NOTSET) {
+ if (s->list == DETECT_SM_LIST_FILEDATA) {
+ if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "dce byte_extract specified "
+ "with file_data option set.");
+ goto error;
+ }
+ AppLayerHtpEnableResponseBodyCallback();
+ }
+ sm_list = s->list;
+ s->flags |= SIG_FLAG_APPLAYER;
+ if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
+ prev_pm = SigMatchGetLastSMFromLists(s, 4,
+ DETECT_CONTENT, s->sm_lists_tail[sm_list],
+ DETECT_PCRE, s->sm_lists_tail[sm_list]);
+ }
+ } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
+ if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
+ prev_pm = SigMatchGetLastSMFromLists(s, 12,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH]);
+ if (prev_pm == NULL) {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ } else {
+ sm_list = SigMatchListSMBelongsTo(s, prev_pm);
+ if (sm_list < 0)
+ goto error;
+ }
+ } else {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ }
+
+ s->alproto = ALPROTO_DCERPC;
+ s->flags |= SIG_FLAG_APPLAYER;
+
+ } else if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
+ prev_pm = SigMatchGetLastSMFromLists(s, 168,
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_FILEDATA],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_CONTENT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_FILEDATA],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_PCRE, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_FILEDATA],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTETEST, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_FILEDATA],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTEJUMP, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_FILEDATA],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH],
+
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_PMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_UMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCBDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_FILEDATA],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HMDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HCDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRUDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSMDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HSCDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HUADMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HHHDMATCH],
+ DETECT_ISDATAAT, s->sm_lists_tail[DETECT_SM_LIST_HRHHDMATCH]);
+ if (prev_pm == NULL) {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ } else {
+ sm_list = SigMatchListSMBelongsTo(s, prev_pm);
+ if (sm_list < 0)
+ goto error;
+ if (sm_list != DETECT_SM_LIST_PMATCH)
+ s->flags |= SIG_FLAG_APPLAYER;
+ }
+
+ } else {
+ sm_list = DETECT_SM_LIST_PMATCH;
+ }
+
+ if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_DCERPC) {
+ SCLogError(SC_ERR_INVALID_SIGNATURE, "Non dce alproto sig has "
+ "byte_extract with dce enabled");
+ goto error;
+ }
+ s->alproto = ALPROTO_DCERPC;
+ if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
+ (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
+ (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "Invalid option. "
+ "A byte_jump keyword with dce holds other invalid modifiers.");
+ goto error;
+ }
+ }
+
+ SigMatch *prev_bed_sm = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_BYTE_EXTRACT, s->sm_lists_tail[sm_list]);
+ if (prev_bed_sm == NULL)
+ data->local_id = 0;
+ else
+ data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
+ if (data->local_id > de_ctx->byte_extract_max_local_id)
+ de_ctx->byte_extract_max_local_id = data->local_id;
+
+
+ sm = SigMatchAlloc();
+ if (sm == NULL)
+ goto error;
+ sm->type = DETECT_BYTE_EXTRACT;
+ sm->ctx = (void *)data;
+ SigMatchAppendSMToList(s, sm, sm_list);
+
+
+ if (!(data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE))
+ goto okay;
+
+ if (prev_pm == NULL)
+ goto okay;
+
+ if (prev_pm->type == DETECT_CONTENT) {
+ DetectContentData *cd = (DetectContentData *)prev_pm->ctx;
+ cd->flags |= DETECT_CONTENT_RELATIVE_NEXT;
+ } else if (prev_pm->type == DETECT_PCRE) {
+ DetectPcreData *pd = (DetectPcreData *)prev_pm->ctx;
+ pd->flags |= DETECT_PCRE_RELATIVE_NEXT;
+ }
+
+ okay:
+ ret = 0;
+ return ret;
+ error:
+ DetectByteExtractFree(data);
+ return ret;
+}
+
+/**
+ * \brief Used to free instances of DetectByteExtractData.
+ *
+ * \param ptr Instance of DetectByteExtractData to be freed.
+ */
+void DetectByteExtractFree(void *ptr)
+{
+ if (ptr != NULL) {
+ DetectByteExtractData *bed = ptr;
+ if (bed->name != NULL)
+ SCFree((void *)bed->name);
+ SCFree(bed);
+ }
+
+ return;
+}
+
+/**
+ * \brief Lookup the SigMatch for a named byte_extract variable.
+ *
+ * \param arg The name of the byte_extract variable to lookup.
+ * \param s Pointer the signature to look in.
+ *
+ * \retval A pointer to the SigMatch if found, otherwise NULL.
+ */
+SigMatch *DetectByteExtractRetrieveSMVar(const char *arg, Signature *s)
+{
+ DetectByteExtractData *bed = NULL;
+ int list;
+
+ for (list = 0; list < DETECT_SM_LIST_MAX; list++) {
+ SigMatch *sm = s->sm_lists[list];
+ while (sm != NULL) {
+ if (sm->type == DETECT_BYTE_EXTRACT) {
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (strcmp(bed->name, arg) == 0) {
+ return sm;
+ }
+ }
+ sm = sm->next;
+ }
+ }
+
+ return NULL;
+}
+
+/*************************************Unittests********************************/
+
+#ifdef UNITTESTS
+
+int DetectByteExtractTest01(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != 0 ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest02(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, relative");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest03(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, multiplier 10");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != 10) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest04(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, relative, multiplier 10");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
+ DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != 10) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest05(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, big");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest06(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, little");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest07(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, dce");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest08(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, string, hex");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest09(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, string, oct");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_OCT ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest10(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, string, dec");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_DEC ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest11(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 4 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest12(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, relative");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 4 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest13(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, relative, big");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
+ DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 4 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest14(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, relative, dce");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
+ DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 4 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest15(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, relative, little");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
+ DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 4 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest16(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, relative, little, multiplier 2");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
+ DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
+ DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 4 ||
+ bed->multiplier_value != 2) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest17(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
+ "relative, little, "
+ "multiplier 2, string hex");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest18(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
+ "relative, little, "
+ "multiplier 2, "
+ "relative");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest19(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
+ "relative, little, "
+ "multiplier 2, "
+ "little");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest20(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
+ "relative, "
+ "multiplier 2, "
+ "align 2");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest21(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
+ "multiplier 2, "
+ "relative, "
+ "multiplier 2");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest22(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
+ "string hex, "
+ "relative, "
+ "string hex");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest23(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
+ "string hex, "
+ "relative, "
+ "string oct");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest24(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("24, 2, one, align 4, "
+ "string hex, "
+ "relative");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest25(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("9, 2, one, align 4, "
+ "little, "
+ "relative");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest26(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
+ "little, "
+ "relative, "
+ "multiplier 65536");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest27(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, 2, one, align 4, "
+ "little, "
+ "relative, "
+ "multiplier 0");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest28(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("23, 2, one, string, oct");
+ if (bed == NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest29(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("24, 2, one, string, oct");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest30(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("20, 2, one, string, dec");
+ if (bed == NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest31(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("21, 2, one, string, dec");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest32(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("14, 2, one, string, hex");
+ if (bed == NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest33(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("15, 2, one, string, hex");
+ if (bed != NULL)
+ goto end;
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+int DetectByteExtractTest34(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,2,two,relative,string,hex; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strncmp(bed->name, "two", cd->content_len) != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest35(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectPcreData *pd = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; pcre:/asf/; "
+ "byte_extract:4,0,two,relative,string,hex; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_PCRE) {
+ result = 0;
+ goto end;
+ }
+ pd = (DetectPcreData *)sm->ctx;
+ if (pd->flags != DETECT_PCRE_RELATIVE_NEXT) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest36(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectBytejumpData *bjd = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; byte_jump:1,13; "
+ "byte_extract:4,0,two,relative,string,hex; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTEJUMP) {
+ result = 0;
+ goto end;
+ }
+ bjd = (DetectBytejumpData *)sm->ctx;
+ if (bjd->flags != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest37(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectContentData *ud = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; uricontent:\"two\"; "
+ "byte_extract:4,0,two,relative,string,hex; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ ud = (DetectContentData *)sm->ctx;
+ if (ud->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
+ ud->flags & DETECT_CONTENT_NOCASE ||
+ ud->flags & DETECT_CONTENT_WITHIN ||
+ ud->flags & DETECT_CONTENT_DISTANCE ||
+ ud->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ ud->flags & DETECT_CONTENT_NEGATED ) {
+ printf("two failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest38(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectContentData *ud = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; uricontent:\"two\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ ud = (DetectContentData *)sm->ctx;
+ if (ud->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
+ ud->flags & DETECT_CONTENT_NOCASE ||
+ ud->flags & DETECT_CONTENT_WITHIN ||
+ ud->flags & DETECT_CONTENT_DISTANCE ||
+ ud->flags & DETECT_CONTENT_FAST_PATTERN ||
+ ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ ud->flags & DETECT_CONTENT_NEGATED ) {
+ printf("two failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL) {
+ result = 0;
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest39(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectContentData *ud = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; content:\"two\"; http_uri; "
+ "byte_extract:4,0,two,relative,string,hex; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ ud = (DetectContentData *)sm->ctx;
+ if (ud->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
+ ud->flags & DETECT_CONTENT_NOCASE ||
+ ud->flags & DETECT_CONTENT_WITHIN ||
+ ud->flags & DETECT_CONTENT_DISTANCE ||
+ ud->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ ud->flags & DETECT_CONTENT_NEGATED ) {
+ printf("two failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest40(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectContentData *ud = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; content:\"two\"; http_uri; "
+ "byte_extract:4,0,two,string,hex; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ ud = (DetectContentData *)sm->ctx;
+ if (ud->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)ud->content, "two", cd->content_len) != 0 ||
+ ud->flags & DETECT_CONTENT_NOCASE ||
+ ud->flags & DETECT_CONTENT_WITHIN ||
+ ud->flags & DETECT_CONTENT_DISTANCE ||
+ ud->flags & DETECT_CONTENT_FAST_PATTERN ||
+ ud->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ ud->flags & DETECT_CONTENT_NEGATED ) {
+ printf("two failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL) {
+ result = 0;
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest41(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "three") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 1) {
+ result = 0;
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest42(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectContentData *ud = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "uricontent: \"three\"; "
+ "byte_extract:4,0,four,string,hex,relative; "
+ "byte_extract:4,0,five,string,hex; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "five") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 1) {
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ ud = (DetectContentData *)sm->ctx;
+ if (ud->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)ud->content, "three", cd->content_len) != 0 ||
+ ud->flags & DETECT_CONTENT_NOCASE ||
+ ud->flags & DETECT_CONTENT_WITHIN ||
+ ud->flags & DETECT_CONTENT_DISTANCE ||
+ ud->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(ud->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ ud->flags & DETECT_CONTENT_NEGATED ) {
+ printf("two failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "four") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest43(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "content: \"three\"; offset:two; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_OFFSET_BE |
+ DETECT_CONTENT_OFFSET) ||
+ cd->offset != bed->local_id) {
+ printf("three failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest44(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectByteExtractData *bed2 = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "content: \"four\"; offset:two; "
+ "content: \"five\"; offset:three; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed2 = (DetectByteExtractData *)sm->ctx;
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_OFFSET_BE |
+ DETECT_CONTENT_OFFSET) ||
+ cd->offset != bed1->local_id) {
+ printf("four failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_OFFSET_BE |
+ DETECT_CONTENT_OFFSET) ||
+ cd->offset != bed2->local_id) {
+ printf("five failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest45(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "content: \"three\"; depth:two; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_DEPTH_BE |
+ DETECT_CONTENT_DEPTH) ||
+ cd->depth != bed->local_id ||
+ cd->offset != 0) {
+ printf("three failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest46(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectByteExtractData *bed2 = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "content: \"four\"; depth:two; "
+ "content: \"five\"; depth:three; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed2 = (DetectByteExtractData *)sm->ctx;
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_DEPTH_BE |
+ DETECT_CONTENT_DEPTH) ||
+ cd->depth != bed1->local_id) {
+ printf("four failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_DEPTH_BE |
+ DETECT_CONTENT_DEPTH) ||
+ cd->depth != bed2->local_id) {
+ printf("five failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest47(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "content: \"three\"; distance:two; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_DISTANCE_BE |
+ DETECT_CONTENT_DISTANCE) ||
+ cd->distance != bed->local_id ||
+ cd->offset != 0 ||
+ cd->depth != 0) {
+ printf("three failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest48(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectByteExtractData *bed2 = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "content: \"four\"; distance:two; "
+ "content: \"five\"; distance:three; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed2 = (DetectByteExtractData *)sm->ctx;
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_DISTANCE_BE |
+ DETECT_CONTENT_DISTANCE |
+ DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->distance != bed1->local_id ||
+ cd->depth != 0 ||
+ cd->offset != 0) {
+ printf("four failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_DISTANCE_BE |
+ DETECT_CONTENT_DISTANCE) ||
+ cd->distance != bed2->local_id ||
+ cd->depth != 0 ||
+ cd->offset != 0) {
+ printf("five failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest49(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "content: \"three\"; within:two; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "three", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_WITHIN_BE |
+ DETECT_CONTENT_WITHIN) ||
+ cd->within != bed->local_id ||
+ cd->offset != 0 ||
+ cd->depth != 0 ||
+ cd->distance != 0) {
+ printf("three failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest50(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectByteExtractData *bed2 = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "content: \"four\"; within:two; "
+ "content: \"five\"; within:three; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed2 = (DetectByteExtractData *)sm->ctx;
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_WITHIN_BE |
+ DETECT_CONTENT_WITHIN|
+ DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->within != bed1->local_id ||
+ cd->depth != 0 ||
+ cd->offset != 0 ||
+ cd->distance != 0) {
+ printf("four failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "five", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_WITHIN_BE |
+ DETECT_CONTENT_WITHIN) ||
+ cd->within != bed2->local_id ||
+ cd->depth != 0 ||
+ cd->offset != 0 ||
+ cd->distance != 0) {
+ printf("five failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest51(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed = NULL;
+ DetectBytetestData *btd = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_test: 2,=,10, two; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTETEST) {
+ result = 0;
+ goto end;
+ }
+ btd = (DetectBytetestData *)sm->ctx;
+ if (btd->flags != DETECT_BYTETEST_OFFSET_BE ||
+ btd->value != 10 ||
+ btd->offset != 0) {
+ printf("three failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest52(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectBytetestData *btd = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "byte_test: 2,=,two,three; "
+ "byte_test: 3,=,10,three; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTETEST) {
+ result = 0;
+ goto end;
+ }
+ btd = (DetectBytetestData *)sm->ctx;
+ if (btd->flags != (DETECT_BYTETEST_OFFSET_BE |
+ DETECT_BYTETEST_VALUE_BE) ||
+ btd->value != 0 ||
+ btd->offset != 1) {
+ printf("three failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTETEST) {
+ result = 0;
+ goto end;
+ }
+ btd = (DetectBytetestData *)sm->ctx;
+ if (btd->flags != DETECT_BYTETEST_OFFSET_BE ||
+ btd->value != 10 ||
+ btd->offset != 1) {
+ printf("four failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest53(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed = NULL;
+ DetectBytejumpData *bjd = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_jump: 2,two; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 0 ||
+ strcmp(bed->name, "two") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTEJUMP) {
+ result = 0;
+ goto end;
+ }
+ bjd = (DetectBytejumpData *)sm->ctx;
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ bjd->offset != 0) {
+ printf("three failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest54(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectBytejumpData *bjd = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "byte_jump: 2,two; "
+ "byte_jump: 3,three; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTEJUMP) {
+ result = 0;
+ goto end;
+ }
+ bjd = (DetectBytejumpData *)sm->ctx;
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ bjd->offset != 0) {
+ printf("three failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTEJUMP) {
+ result = 0;
+ goto end;
+ }
+ bjd = (DetectBytejumpData *)sm->ctx;
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ bjd->offset != 1) {
+ printf("four failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest55(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectByteExtractData *bed2 = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing byte_extract\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "byte_extract:4,0,four,string,hex; "
+ "byte_extract:4,0,five,string,hex; "
+ "content: \"four\"; within:two; distance:three; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed: ");
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ goto end;
+ }
+ bed2 = (DetectByteExtractData *)sm->ctx;
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_DISTANCE_BE |
+ DETECT_CONTENT_WITHIN_BE |
+ DETECT_CONTENT_DISTANCE |
+ DETECT_CONTENT_WITHIN) ||
+ cd->within != bed1->local_id ||
+ cd->distance != bed2->local_id) {
+ printf("four failed: ");
+ goto end;
+ }
+
+ if (sm->next != NULL) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest56(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectByteExtractData *bed2 = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "uricontent:\"urione\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "byte_extract:4,0,four,string,hex; "
+ "byte_extract:4,0,five,string,hex; "
+ "content: \"four\"; within:two; distance:three; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed2 = (DetectByteExtractData *)sm->ctx;
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_DISTANCE_BE |
+ DETECT_CONTENT_WITHIN_BE |
+ DETECT_CONTENT_DISTANCE |
+ DETECT_CONTENT_WITHIN) ||
+ cd->within != bed1->local_id ||
+ cd->distance != bed2->local_id ) {
+ printf("four failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest57(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectByteExtractData *bed2 = NULL;
+ DetectByteExtractData *bed3 = NULL;
+ DetectByteExtractData *bed4 = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "uricontent: \"urione\"; "
+ "byte_extract:4,0,two,string,hex,relative; "
+ "byte_extract:4,0,three,string,hex,relative; "
+ "byte_extract:4,0,four,string,hex,relative; "
+ "byte_extract:4,0,five,string,hex,relative; "
+ "uricontent: \"four\"; within:two; distance:three; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "urione", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed2 = (DetectByteExtractData *)sm->ctx;
+ if (bed2->local_id != 1) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed3 = (DetectByteExtractData *)sm->ctx;
+ if (bed3->local_id != 2) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed4 = (DetectByteExtractData *)sm->ctx;
+ if (bed4->local_id != 3) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (strncmp((char *)cd->content, "four", cd->content_len) != 0 ||
+ cd->flags != (DETECT_CONTENT_DISTANCE_BE |
+ DETECT_CONTENT_WITHIN_BE |
+ DETECT_CONTENT_DISTANCE |
+ DETECT_CONTENT_WITHIN) ||
+ cd->within != bed1->local_id ||
+ cd->distance != bed2->local_id) {
+ printf("four failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest58(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectBytejumpData *bjd = NULL;
+ DetectIsdataatData *isdd = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "byte_jump: 2,two; "
+ "byte_jump: 3,three; "
+ "isdataat: three; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTEJUMP) {
+ result = 0;
+ goto end;
+ }
+ bjd = (DetectBytejumpData *)sm->ctx;
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ bjd->offset != 0) {
+ printf("three failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTEJUMP) {
+ result = 0;
+ goto end;
+ }
+ bjd = (DetectBytejumpData *)sm->ctx;
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ bjd->offset != 1) {
+ printf("four failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_ISDATAAT) {
+ result = 0;
+ goto end;
+ }
+ isdd = (DetectIsdataatData *)sm->ctx;
+ if (isdd->flags != ISDATAAT_OFFSET_BE ||
+ isdd->dataat != 1) {
+ printf("isdataat failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest59(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectBytejumpData *bjd = NULL;
+ DetectIsdataatData *isdd = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex; "
+ "byte_extract:4,0,three,string,hex; "
+ "byte_jump: 2,two; "
+ "byte_jump: 3,three; "
+ "isdataat: three,relative; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ cd->flags & DETECT_CONTENT_RELATIVE_NEXT ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTEJUMP) {
+ result = 0;
+ goto end;
+ }
+ bjd = (DetectBytejumpData *)sm->ctx;
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ bjd->offset != 0) {
+ printf("three failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTEJUMP) {
+ result = 0;
+ goto end;
+ }
+ bjd = (DetectBytejumpData *)sm->ctx;
+ if (bjd->flags != DETECT_BYTEJUMP_OFFSET_BE ||
+ bjd->offset != 1) {
+ printf("four failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_ISDATAAT) {
+ result = 0;
+ goto end;
+ }
+ isdd = (DetectIsdataatData *)sm->ctx;
+ if (isdd->flags != (ISDATAAT_OFFSET_BE |
+ ISDATAAT_RELATIVE) ||
+ isdd->dataat != 1) {
+ printf("isdataat failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest60(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectIsdataatData *isdd = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex,relative; "
+ "uricontent: \"three\"; "
+ "byte_extract:4,0,four,string,hex,relative; "
+ "isdataat: two; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_ISDATAAT) {
+ result = 0;
+ goto end;
+ }
+ isdd = (DetectIsdataatData *)sm->ctx;
+ if (isdd->flags != (ISDATAAT_OFFSET_BE) ||
+ isdd->dataat != bed1->local_id) {
+ printf("isdataat failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
+ strncmp((char *)cd->content, "three", cd->content_len) != 0) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "four") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest61(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectContentData *cd = NULL;
+ DetectByteExtractData *bed1 = NULL;
+ DetectIsdataatData *isdd = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing bytejump_body\"; "
+ "content:\"one\"; "
+ "byte_extract:4,0,two,string,hex,relative; "
+ "uricontent: \"three\"; "
+ "byte_extract:4,0,four,string,hex,relative; "
+ "isdataat: four, relative; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_PMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags & DETECT_CONTENT_RAWBYTES ||
+ strncmp((char *)cd->content, "one", cd->content_len) != 0 ||
+ cd->flags & DETECT_CONTENT_NOCASE ||
+ cd->flags & DETECT_CONTENT_WITHIN ||
+ cd->flags & DETECT_CONTENT_DISTANCE ||
+ cd->flags & DETECT_CONTENT_FAST_PATTERN ||
+ !(cd->flags & DETECT_CONTENT_RELATIVE_NEXT) ||
+ cd->flags & DETECT_CONTENT_NEGATED ) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_UMATCH] == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_UMATCH];
+ if (sm->type != DETECT_CONTENT) {
+ result = 0;
+ goto end;
+ }
+ cd = (DetectContentData *)sm->ctx;
+ if (cd->flags != DETECT_CONTENT_RELATIVE_NEXT ||
+ strncmp((char *)cd->content, "three", cd->content_len) != 0) {
+ printf("one failed\n");
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed1 = (DetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 ||
+ bed1->offset != 0 ||
+ strcmp(bed1->name, "four") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+ if (bed1->local_id != 0) {
+ result = 0;
+ goto end;
+ }
+
+ sm = sm->next;
+ if (sm->type != DETECT_ISDATAAT) {
+ result = 0;
+ goto end;
+ }
+ isdd = (DetectIsdataatData *)sm->ctx;
+ if (isdd->flags != (ISDATAAT_OFFSET_BE |
+ ISDATAAT_RELATIVE) ||
+ isdd->dataat != bed1->local_id) {
+ printf("isdataat failed\n");
+ result = 0;
+ goto end;
+ }
+
+ if (sm->next != NULL)
+ goto end;
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+static int DetectByteExtractTest62(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+ Signature *s = NULL;
+ SigMatch *sm = NULL;
+ DetectByteExtractData *bed = NULL;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(file_data; byte_extract:4,2,two,relative,string,hex; "
+ "sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ goto end;
+ }
+
+ if (s->sm_lists_tail[DETECT_SM_LIST_FILEDATA] == NULL) {
+ goto end;
+ }
+
+ sm = s->sm_lists[DETECT_SM_LIST_FILEDATA];
+ if (sm->type != DETECT_BYTE_EXTRACT) {
+ result = 0;
+ goto end;
+ }
+ bed = (DetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 ||
+ bed->offset != 2 ||
+ strncmp(bed->name, "two", 3) != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+
+ return result;
+}
+
+int DetectByteExtractTest63(void)
+{
+ int result = 0;
+
+ DetectByteExtractData *bed = DetectByteExtractParse("4, -2, one");
+ if (bed == NULL)
+ goto end;
+
+ if (bed->nbytes != 4 ||
+ bed->offset != -2 ||
+ strcmp(bed->name, "one") != 0 ||
+ bed->flags != 0 ||
+ bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ goto end;
+ }
+
+ result = 1;
+ end:
+ if (bed != NULL)
+ DetectByteExtractFree(bed);
+ return result;
+}
+
+#endif /* UNITTESTS */
+
+void DetectByteExtractRegisterTests(void)
+{
+#ifdef UNITTESTS
+ UtRegisterTest("DetectByteExtractTest01", DetectByteExtractTest01, 1);
+ UtRegisterTest("DetectByteExtractTest02", DetectByteExtractTest02, 1);
+ UtRegisterTest("DetectByteExtractTest03", DetectByteExtractTest03, 1);
+ UtRegisterTest("DetectByteExtractTest04", DetectByteExtractTest04, 1);
+ UtRegisterTest("DetectByteExtractTest05", DetectByteExtractTest05, 1);
+ UtRegisterTest("DetectByteExtractTest06", DetectByteExtractTest06, 1);
+ UtRegisterTest("DetectByteExtractTest07", DetectByteExtractTest07, 1);
+ UtRegisterTest("DetectByteExtractTest08", DetectByteExtractTest08, 1);
+ UtRegisterTest("DetectByteExtractTest09", DetectByteExtractTest09, 1);
+ UtRegisterTest("DetectByteExtractTest10", DetectByteExtractTest10, 1);
+ UtRegisterTest("DetectByteExtractTest11", DetectByteExtractTest11, 1);
+ UtRegisterTest("DetectByteExtractTest12", DetectByteExtractTest12, 1);
+ UtRegisterTest("DetectByteExtractTest13", DetectByteExtractTest13, 1);
+ UtRegisterTest("DetectByteExtractTest14", DetectByteExtractTest14, 1);
+ UtRegisterTest("DetectByteExtractTest15", DetectByteExtractTest15, 1);
+ UtRegisterTest("DetectByteExtractTest16", DetectByteExtractTest16, 1);
+ UtRegisterTest("DetectByteExtractTest17", DetectByteExtractTest17, 1);
+ UtRegisterTest("DetectByteExtractTest18", DetectByteExtractTest18, 1);
+ UtRegisterTest("DetectByteExtractTest19", DetectByteExtractTest19, 1);
+ UtRegisterTest("DetectByteExtractTest20", DetectByteExtractTest20, 1);
+ UtRegisterTest("DetectByteExtractTest21", DetectByteExtractTest21, 1);
+ UtRegisterTest("DetectByteExtractTest22", DetectByteExtractTest22, 1);
+ UtRegisterTest("DetectByteExtractTest23", DetectByteExtractTest23, 1);
+ UtRegisterTest("DetectByteExtractTest24", DetectByteExtractTest24, 1);
+ UtRegisterTest("DetectByteExtractTest25", DetectByteExtractTest25, 1);
+ UtRegisterTest("DetectByteExtractTest26", DetectByteExtractTest26, 1);
+ UtRegisterTest("DetectByteExtractTest27", DetectByteExtractTest27, 1);
+ UtRegisterTest("DetectByteExtractTest28", DetectByteExtractTest28, 1);
+ UtRegisterTest("DetectByteExtractTest29", DetectByteExtractTest29, 1);
+ UtRegisterTest("DetectByteExtractTest30", DetectByteExtractTest30, 1);
+ UtRegisterTest("DetectByteExtractTest31", DetectByteExtractTest31, 1);
+ UtRegisterTest("DetectByteExtractTest32", DetectByteExtractTest32, 1);
+ UtRegisterTest("DetectByteExtractTest33", DetectByteExtractTest33, 1);
+ UtRegisterTest("DetectByteExtractTest34", DetectByteExtractTest34, 1);
+ UtRegisterTest("DetectByteExtractTest35", DetectByteExtractTest35, 1);
+ UtRegisterTest("DetectByteExtractTest36", DetectByteExtractTest36, 1);
+ UtRegisterTest("DetectByteExtractTest37", DetectByteExtractTest37, 1);
+ UtRegisterTest("DetectByteExtractTest38", DetectByteExtractTest38, 1);
+ UtRegisterTest("DetectByteExtractTest39", DetectByteExtractTest39, 1);
+ UtRegisterTest("DetectByteExtractTest40", DetectByteExtractTest40, 1);
+ UtRegisterTest("DetectByteExtractTest41", DetectByteExtractTest41, 1);
+ UtRegisterTest("DetectByteExtractTest42", DetectByteExtractTest42, 1);
+
+ UtRegisterTest("DetectByteExtractTest43", DetectByteExtractTest43, 1);
+ UtRegisterTest("DetectByteExtractTest44", DetectByteExtractTest44, 1);
+
+ UtRegisterTest("DetectByteExtractTest45", DetectByteExtractTest45, 1);
+ UtRegisterTest("DetectByteExtractTest46", DetectByteExtractTest46, 1);
+
+ UtRegisterTest("DetectByteExtractTest47", DetectByteExtractTest47, 1);
+ UtRegisterTest("DetectByteExtractTest48", DetectByteExtractTest48, 1);
+
+ UtRegisterTest("DetectByteExtractTest49", DetectByteExtractTest49, 1);
+ UtRegisterTest("DetectByteExtractTest50", DetectByteExtractTest50, 1);
+
+ UtRegisterTest("DetectByteExtractTest51", DetectByteExtractTest51, 1);
+ UtRegisterTest("DetectByteExtractTest52", DetectByteExtractTest52, 1);
+
+ UtRegisterTest("DetectByteExtractTest53", DetectByteExtractTest53, 1);
+ UtRegisterTest("DetectByteExtractTest54", DetectByteExtractTest54, 1);
+
+ UtRegisterTest("DetectByteExtractTest55", DetectByteExtractTest55, 1);
+ UtRegisterTest("DetectByteExtractTest56", DetectByteExtractTest56, 1);
+ UtRegisterTest("DetectByteExtractTest57", DetectByteExtractTest57, 1);
+
+ UtRegisterTest("DetectByteExtractTest58", DetectByteExtractTest58, 1);
+ UtRegisterTest("DetectByteExtractTest59", DetectByteExtractTest59, 1);
+ UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60, 1);
+ UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61, 1);
+ UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62, 1);
+ UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63, 1);
+#endif /* UNITTESTS */
+
+ return;
+}