Diffstat (limited to 'framework/src/suricata/src/detect-content.c')
-rw-r--r--framework/src/suricata/src/detect-content.c2824
1 files changed, 0 insertions, 2824 deletions
diff --git a/framework/src/suricata/src/detect-content.c b/framework/src/suricata/src/detect-content.c
deleted file mode 100644
index 5f315cc5..00000000
--- a/framework/src/suricata/src/detect-content.c
+++ /dev/null
@@ -1,2824 +0,0 @@
-/* Copyright (C) 2007-2014 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Victor Julien <victor@inliniac.net>
- *
- * Simple content match part of the detection engine.
- */
-
-#include "suricata-common.h"
-#include "decode.h"
-#include "detect.h"
-#include "detect-content.h"
-#include "detect-uricontent.h"
-#include "detect-engine-mpm.h"
-#include "detect-engine.h"
-#include "detect-engine-state.h"
-#include "detect-parse.h"
-#include "util-mpm.h"
-#include "flow.h"
-#include "flow-util.h"
-#include "flow-var.h"
-#include "detect-flow.h"
-#include "app-layer.h"
-#include "util-unittest.h"
-#include "util-print.h"
-#include "util-debug.h"
-#include "util-spm-bm.h"
-#include "threads.h"
-#include "util-unittest-helper.h"
-#include "pkt-var.h"
-#include "host.h"
-#include "util-profiling.h"
-
-int DetectContentMatch (ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
-int DetectContentSetup(DetectEngineCtx *, Signature *, char *);
-void DetectContentRegisterTests(void);
-
-void DetectContentRegister (void)
-{
- sigmatch_table[DETECT_CONTENT].name = "content";
- sigmatch_table[DETECT_CONTENT].desc = "match on payload content";
- sigmatch_table[DETECT_CONTENT].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords#Content";
- sigmatch_table[DETECT_CONTENT].Match = NULL;
- sigmatch_table[DETECT_CONTENT].Setup = DetectContentSetup;
- sigmatch_table[DETECT_CONTENT].Free = DetectContentFree;
- sigmatch_table[DETECT_CONTENT].RegisterTests = DetectContentRegisterTests;
-
- sigmatch_table[DETECT_CONTENT].flags |= SIGMATCH_PAYLOAD;
-}
-
-/* pass on the content_max_id */
-uint32_t DetectContentMaxId(DetectEngineCtx *de_ctx)
-{
- return MpmPatternIdStoreGetMaxId(de_ctx->mpm_pattern_id_store);
-}
-
-/**
- * \brief Parse a content string, ie "abc|DE|fgh"
- *
- * \param content_str null terminated string containing the content
- * \param result result pointer to pass the fully parsed byte array
- * \param result_len size of the resulted data
- * \param flags flags to be set by this parsing function
- *
- * \retval -1 error
- * \retval 0 ok
- */
-int DetectContentDataParse(const char *keyword, const char *contentstr,
- uint8_t **pstr, uint16_t *plen, uint32_t *flags)
-{
- char *str = NULL;
- uint16_t len;
- uint16_t pos = 0;
- uint16_t slen = 0;
-
- slen = strlen(contentstr);
- if (slen == 0) {
- return -1;
- }
-
- /* skip the first spaces */
- while (pos < slen && isspace((unsigned char)contentstr[pos]))
- pos++;
-
- if (contentstr[pos] == '!') {
- *flags = DETECT_CONTENT_NEGATED;
- pos++;
- } else
- *flags = 0;
-
- if (contentstr[pos] == '\"' && ((slen - pos) <= 1))
- goto error;
-
- if (!(contentstr[pos] == '\"' && contentstr[slen - 1] == '\"')) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "%s keyword arguments "
- "should be always enclosed in double quotes. Invalid "
- "content keyword passed in this rule - \"%s\"",
- keyword, contentstr);
- goto error;
- }
-
- if ((str = SCStrdup(contentstr + pos + 1)) == NULL)
- goto error;
- str[strlen(str) - 1] = '\0';
-
- len = strlen(str);
- if (len == 0)
- goto error;
-
- SCLogDebug("\"%s\", len %" PRIu32 "", str, len);
-
- //SCLogDebug("DetectContentParse: \"%s\", len %" PRIu32 "", str, len);
- char converted = 0;
-
- {
- uint16_t i, x;
- uint8_t bin = 0;
- uint8_t escape = 0;
- uint8_t binstr[3] = "";
- uint8_t binpos = 0;
- uint16_t bin_count = 0;
-
- for (i = 0, x = 0; i < len; i++) {
- // SCLogDebug("str[%02u]: %c", i, str[i]);
- if (str[i] == '|') {
- bin_count++;
- if (bin) {
- bin = 0;
- } else {
- bin = 1;
- }
- } else if(!escape && str[i] == '\\') {
- escape = 1;
- } else {
- if (bin) {
- if (isdigit((unsigned char)str[i]) ||
- str[i] == 'A' || str[i] == 'a' ||
- str[i] == 'B' || str[i] == 'b' ||
- str[i] == 'C' || str[i] == 'c' ||
- str[i] == 'D' || str[i] == 'd' ||
- str[i] == 'E' || str[i] == 'e' ||
- str[i] == 'F' || str[i] == 'f')
- {
- // SCLogDebug("part of binary: %c", str[i]);
-
- binstr[binpos] = (char)str[i];
- binpos++;
-
- if (binpos == 2) {
- uint8_t c = strtol((char *)binstr, (char **) NULL, 16) & 0xFF;
- binpos = 0;
- str[x] = c;
- x++;
- converted = 1;
- }
- } else if (str[i] == ' ') {
- // SCLogDebug("space as part of binary string");
- }
- else if (str[i] != ',') {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid hex code in "
- "content - %s, hex %c. Invalidating signature", str, str[i]);
- goto error;
- }
- } else if (escape) {
- if (str[i] == ':' ||
- str[i] == ';' ||
- str[i] == '\\' ||
- str[i] == '\"')
- {
- str[x] = str[i];
- x++;
- } else {
- //SCLogDebug("Can't escape %c", str[i]);
- goto error;
- }
- escape = 0;
- converted = 1;
- } else {
- str[x] = str[i];
- x++;
- }
- }
- }
-
- if (bin_count % 2 != 0) {
- SCLogError(SC_ERR_INVALID_SIGNATURE, "Invalid hex code assembly in "
- "%s - %s. Invalidating signature", keyword, contentstr);
- goto error;
- }
-
- if (converted) {
- len = x;
- }
- }
-
- *plen = len;
- *pstr = (uint8_t *)str;
- return 0;
-
-error:
- if (str != NULL)
- SCFree(str);
- return -1;
-}
-/**
- * \brief DetectContentParse
- * \initonly
- */
-DetectContentData *DetectContentParse (char *contentstr)
-{
- DetectContentData *cd = NULL;
- uint8_t *content = NULL;
- uint16_t len = 0;
- uint32_t flags = 0;
- int ret;
-
- ret = DetectContentDataParse("content", contentstr, &content, &len, &flags);
- if (ret == -1) {
- return NULL;
- }
-
- cd = SCMalloc(sizeof(DetectContentData) + len);
- if (unlikely(cd == NULL)) {
- SCFree(content);
- exit(EXIT_FAILURE);
- }
-
- memset(cd, 0, sizeof(DetectContentData) + len);
-
- if (flags == DETECT_CONTENT_NEGATED)
- cd->flags |= DETECT_CONTENT_NEGATED;
-
- cd->content = (uint8_t *)cd + sizeof(DetectContentData);
- memcpy(cd->content, content, len);
- cd->content_len = len;
-
- /* Prepare Boyer Moore context for searching faster */
- cd->bm_ctx = BoyerMooreCtxInit(cd->content, cd->content_len);
- cd->depth = 0;
- cd->offset = 0;
- cd->within = 0;
- cd->distance = 0;
-
- SCFree(content);
- return cd;
-
-}
-
-DetectContentData *DetectContentParseEncloseQuotes(char *contentstr)
-{
- char str[strlen(contentstr) + 3]; // 2 for quotes, 1 for \0
-
- str[0] = '\"';
- memcpy(str + 1, contentstr, strlen(contentstr));
- str[strlen(contentstr) + 1] = '\"';
- str[strlen(contentstr) + 2] = '\0';
-
- return DetectContentParse(str);
-}
-
-/**
- * \brief Helper function to print a DetectContentData
- */
-void DetectContentPrint(DetectContentData *cd)
-{
- int i = 0;
- if (cd == NULL) {
- SCLogDebug("DetectContentData \"cd\" is NULL");
- return;
- }
- char *tmpstr=SCMalloc(sizeof(char) * cd->content_len + 1);
-
- if (tmpstr != NULL) {
- for (i = 0; i < cd->content_len; i++) {
- if (isprint(cd->content[i]))
- tmpstr[i] = cd->content[i];
- else
- tmpstr[i] = '.';
- }
- tmpstr[i] = '\0';
- SCLogDebug("Content: \"%s\"", tmpstr);
- SCFree(tmpstr);
- } else {
- SCLogDebug("Content: ");
- for (i = 0; i < cd->content_len; i++)
- SCLogDebug("%c", cd->content[i]);
- }
-
- SCLogDebug("Content_id: %"PRIu32, cd->id);
- SCLogDebug("Content_len: %"PRIu16, cd->content_len);
- SCLogDebug("Depth: %"PRIu16, cd->depth);
- SCLogDebug("Offset: %"PRIu16, cd->offset);
- SCLogDebug("Within: %"PRIi32, cd->within);
- SCLogDebug("Distance: %"PRIi32, cd->distance);
- SCLogDebug("flags: %u ", cd->flags);
- SCLogDebug("negated: %s ", cd->flags & DETECT_CONTENT_NEGATED ? "true" : "false");
- SCLogDebug("relative match next: %s ", cd->flags & DETECT_CONTENT_RELATIVE_NEXT ? "true" : "false");
- if (cd->replace && cd->replace_len) {
- char *tmpstr=SCMalloc(sizeof(char) * cd->replace_len + 1);
-
- if (tmpstr != NULL) {
- for (i = 0; i < cd->replace_len; i++) {
- if (isprint(cd->replace[i]))
- tmpstr[i] = cd->replace[i];
- else
- tmpstr[i] = '.';
- }
- tmpstr[i] = '\0';
- SCLogDebug("Replace: \"%s\"", tmpstr);
- SCFree(tmpstr);
- } else {
- SCLogDebug("Replace: ");
- for (i = 0; i < cd->replace_len; i++)
- SCLogDebug("%c", cd->replace[i]);
- }
- }
- SCLogDebug("-----------");
-}
-
-/**
- * \brief Print list of DETECT_CONTENT SigMatch's allocated in a
- * SigMatch list, from the current sm to the end
- * \param sm pointer to the current SigMatch to start printing from
- */
-void DetectContentPrintAll(SigMatch *sm)
-{
-#ifdef DEBUG
- if (SCLogDebugEnabled()) {
- int i = 0;
-
- if (sm == NULL)
- return;
-
- SigMatch *first_sm = sm;
-
- /* Print all of them */
- for (; first_sm != NULL; first_sm = first_sm->next) {
- if (first_sm->type == DETECT_CONTENT) {
- SCLogDebug("Printing SigMatch DETECT_CONTENT %d", ++i);
- DetectContentPrint((DetectContentData*)first_sm->ctx);
- }
- }
- }
-#endif /* DEBUG */
-}
-
-/**
- * \brief Function to setup a content pattern.
- *
- * \param de_ctx pointer to the current detection_engine
- * \param s pointer to the current Signature
- * \param m pointer to the last parsed SigMatch
- * \param contentstr pointer to the current keyword content string
- * \retval -1 if error
- * \retval 0 if all was ok
- */
-int DetectContentSetup(DetectEngineCtx *de_ctx, Signature *s, char *contentstr)
-{
- DetectContentData *cd = NULL;
- SigMatch *sm = NULL;
-
- cd = DetectContentParse(contentstr);
- if (cd == NULL)
- goto error;
- DetectContentPrint(cd);
-
- int sm_list;
- if (s->list != DETECT_SM_LIST_NOTSET) {
- if (s->list == DETECT_SM_LIST_FILEDATA && s->alproto == ALPROTO_HTTP) {
- AppLayerHtpEnableResponseBodyCallback();
- s->alproto = ALPROTO_HTTP;
- }
-
- s->flags |= SIG_FLAG_APPLAYER;
- sm_list = s->list;
- } else {
- sm_list = DETECT_SM_LIST_PMATCH;
- }
-
- sm = SigMatchAlloc();
- if (sm == NULL)
- goto error;
- sm->ctx = (void *)cd;
- sm->type = DETECT_CONTENT;
- SigMatchAppendSMToList(s, sm, sm_list);
-
- return 0;
-
-error:
- DetectContentFree(cd);
- return -1;
-}
-
-/**
- * \brief this function will SCFree memory associated with DetectContentData
- *
- * \param cd pointer to DetectCotentData
- */
-void DetectContentFree(void *ptr)
-{
- SCEnter();
- DetectContentData *cd = (DetectContentData *)ptr;
-
- if (cd == NULL)
- SCReturn;
-
- BoyerMooreCtxDeInit(cd->bm_ctx);
-
- SCFree(cd);
- SCReturn;
-}
-
-#ifdef UNITTESTS /* UNITTESTS */
-
-/**
- * \test DetectCotentParseTest01 this is a test to make sure we can deal with escaped colons
- */
-int DetectContentParseTest01 (void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- char *teststring = "\"abc\\:def\"";
- char *teststringparsed = "abc:def";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- if (memcmp(cd->content, teststringparsed, strlen(teststringparsed)) != 0) {
- SCLogDebug("expected %s got ", teststringparsed);
- PrintRawUriFp(stdout,cd->content,cd->content_len);
- SCLogDebug(": ");
- result = 0;
- DetectContentFree(cd);
- }
- } else {
- SCLogDebug("expected %s got NULL: ", teststringparsed);
- result = 0;
- }
- return result;
-}
-
-/**
- * \test DetectCotentParseTest02 this is a test to make sure we can deal with escaped semi-colons
- */
-int DetectContentParseTest02 (void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- char *teststring = "\"abc\\;def\"";
- char *teststringparsed = "abc;def";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- if (memcmp(cd->content, teststringparsed, strlen(teststringparsed)) != 0) {
- SCLogDebug("expected %s got ", teststringparsed);
- PrintRawUriFp(stdout,cd->content,cd->content_len);
- SCLogDebug(": ");
- result = 0;
- DetectContentFree(cd);
- }
- } else {
- SCLogDebug("expected %s got NULL: ", teststringparsed);
- result = 0;
- }
- return result;
-}
-
-/**
- * \test DetectCotentParseTest03 this is a test to make sure we can deal with escaped double-quotes
- */
-int DetectContentParseTest03 (void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- char *teststring = "\"abc\\\"def\"";
- char *teststringparsed = "abc\"def";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- if (memcmp(cd->content, teststringparsed, strlen(teststringparsed)) != 0) {
- SCLogDebug("expected %s got ", teststringparsed);
- PrintRawUriFp(stdout,cd->content,cd->content_len);
- SCLogDebug(": ");
- result = 0;
- DetectContentFree(cd);
- }
- } else {
- SCLogDebug("expected %s got NULL: ", teststringparsed);
- result = 0;
- }
- return result;
-}
-
-/**
- * \test DetectCotentParseTest04 this is a test to make sure we can deal with escaped backslashes
- */
-int DetectContentParseTest04 (void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- char *teststring = "\"abc\\\\def\"";
- char *teststringparsed = "abc\\def";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- uint16_t len = (cd->content_len > strlen(teststringparsed));
- if (memcmp(cd->content, teststringparsed, len) != 0) {
- SCLogDebug("expected %s got ", teststringparsed);
- PrintRawUriFp(stdout,cd->content,cd->content_len);
- SCLogDebug(": ");
- result = 0;
- DetectContentFree(cd);
- }
- } else {
- SCLogDebug("expected %s got NULL: ", teststringparsed);
- result = 0;
- }
- return result;
-}
-
-/**
- * \test DetectCotentParseTest05 test illegal escape
- */
-int DetectContentParseTest05 (void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- char *teststring = "\"abc\\def\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- SCLogDebug("expected NULL got ");
- PrintRawUriFp(stdout,cd->content,cd->content_len);
- SCLogDebug(": ");
- result = 0;
- DetectContentFree(cd);
- }
- return result;
-}
-
-/**
- * \test DetectCotentParseTest06 test a binary content
- */
-int DetectContentParseTest06 (void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- char *teststring = "\"a|42|c|44|e|46|\"";
- char *teststringparsed = "abcdef";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- uint16_t len = (cd->content_len > strlen(teststringparsed));
- if (memcmp(cd->content, teststringparsed, len) != 0) {
- SCLogDebug("expected %s got ", teststringparsed);
- PrintRawUriFp(stdout,cd->content,cd->content_len);
- SCLogDebug(": ");
- result = 0;
- DetectContentFree(cd);
- }
- } else {
- SCLogDebug("expected %s got NULL: ", teststringparsed);
- result = 0;
- }
- return result;
-}
-
-/**
- * \test DetectCotentParseTest07 test an empty content
- */
-int DetectContentParseTest07 (void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- char *teststring = "\"\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- SCLogDebug("expected NULL got %p: ", cd);
- result = 0;
- DetectContentFree(cd);
- }
- return result;
-}
-
-/**
- * \test DetectCotentParseTest08 test an empty content
- */
-int DetectContentParseTest08 (void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- char *teststring = "\"\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- SCLogDebug("expected NULL got %p: ", cd);
- result = 0;
- DetectContentFree(cd);
- }
- return result;
-}
-
-/**
- * \test Test packet Matches
- * \param raw_eth_pkt pointer to the ethernet packet
- * \param pktsize size of the packet
- * \param sig pointer to the signature to test
- * \param sid sid number of the signature
- * \retval return 1 if match
- * \retval return 0 if not
- */
-int DetectContentLongPatternMatchTest(uint8_t *raw_eth_pkt, uint16_t pktsize, char *sig,
- uint32_t sid)
-{
- int result = 0;
-
- Packet *p = SCMalloc(SIZE_OF_PACKET);
- if (unlikely(p == NULL))
- return 0;
- DecodeThreadVars dtv;
-
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
-
- memset(p, 0, SIZE_OF_PACKET);
- memset(&dtv, 0, sizeof(DecodeThreadVars));
- memset(&th_v, 0, sizeof(th_v));
-
- FlowInitConfig(FLOW_QUIET);
- DecodeEthernet(&th_v, &dtv, p, raw_eth_pkt, pktsize, NULL);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx, sig);
- if (de_ctx->sig_list == NULL) {
- goto end;
- }
- de_ctx->sig_list->next = NULL;
-
- if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->type == DETECT_CONTENT) {
- DetectContentData *co = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
- if (co->flags & DETECT_CONTENT_RELATIVE_NEXT) {
- printf("relative next flag set on final match which is content: ");
- goto end;
- }
- }
-
- SCLogDebug("---DetectContentLongPatternMatchTest---");
- DetectContentPrintAll(de_ctx->sig_list->sm_lists[DETECT_SM_LIST_MATCH]);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, sid) != 1) {
- goto end;
- }
-
- result = 1;
-end:
- if (de_ctx != NULL)
- {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- if (det_ctx != NULL)
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
- }
- PACKET_RECYCLE(p);
- FlowShutdown();
-
- SCFree(p);
- return result;
-}
-
-/**
- * \brief Wrapper for DetectContentLongPatternMatchTest
- */
-int DetectContentLongPatternMatchTestWrp(char *sig, uint32_t sid)
-{
- /** Real packet with the following tcp data:
- * "Hi, this is a big test to check content matches of splitted"
- * "patterns between multiple chunks!"
- * (without quotes! :) )
- */
- uint8_t raw_eth_pkt[] = {
- 0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x08,0x00,0x45,0x00,
- 0x00,0x85,0x00,0x01,0x00,0x00,0x40,0x06,
- 0x7c,0x70,0x7f,0x00,0x00,0x01,0x7f,0x00,
- 0x00,0x01,0x00,0x14,0x00,0x50,0x00,0x00,
- 0x00,0x00,0x00,0x00,0x00,0x00,0x50,0x02,
- 0x20,0x00,0xc9,0xad,0x00,0x00,0x48,0x69,
- 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
- 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
- 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
- 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
- 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
- 0x74,0x63,0x68,0x65,0x73,0x20,0x6f,0x66,
- 0x20,0x73,0x70,0x6c,0x69,0x74,0x74,0x65,
- 0x64,0x20,0x70,0x61,0x74,0x74,0x65,0x72,
- 0x6e,0x73,0x20,0x62,0x65,0x74,0x77,0x65,
- 0x65,0x6e,0x20,0x6d,0x75,0x6c,0x74,0x69,
- 0x70,0x6c,0x65,0x20,0x63,0x68,0x75,0x6e,
- 0x6b,0x73,0x21 }; /* end raw_eth_pkt */
-
- return DetectContentLongPatternMatchTest(raw_eth_pkt, (uint16_t)sizeof(raw_eth_pkt),
- sig, sid);
-}
-
-/**
- * \test Check if we match a normal pattern (not splitted)
- */
-int DetectContentLongPatternMatchTest01()
-{
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
- " content:\"Hi, this is a big test\"; sid:1;)";
- return DetectContentLongPatternMatchTestWrp(sig, 1);
-}
-
-/**
- * \test Check if we match a splitted pattern
- */
-int DetectContentLongPatternMatchTest02()
-{
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
- " content:\"Hi, this is a big test to check content matches of"
- " splitted patterns between multiple chunks!\"; sid:1;)";
- return DetectContentLongPatternMatchTestWrp(sig, 1);
-}
-
-/**
- * \test Check that we don't match the signature if one of the splitted
- * chunks doesn't match the packet
- */
-int DetectContentLongPatternMatchTest03()
-{
- /** The last chunk of the content should not match */
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\";"
- " content:\"Hi, this is a big test to check content matches of"
- " splitted patterns between multiple splitted chunks!\"; sid:1;)";
- return (DetectContentLongPatternMatchTestWrp(sig, 1) == 0) ? 1: 0;
-}
-
-/**
- * \test Check if we match multiple content (not splitted)
- */
-int DetectContentLongPatternMatchTest04()
-{
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\"; "
- " content:\"Hi, this is\"; depth:15 ;content:\"a big test\"; "
- " within:15; content:\"to check content matches of\"; "
- " within:30; content:\"splitted patterns\"; distance:1; "
- " within:30; "
- " sid:1;)";
- return DetectContentLongPatternMatchTestWrp(sig, 1);
-}
-
-/**
- * \test Check that we match packets with multiple chunks and not chunks
- * Here we should specify only contents that fit in 32 bytes
- * Each of them with their modifier values
- */
-int DetectContentLongPatternMatchTest05()
-{
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\"; "
- " content:\"Hi, this is a big\"; depth:17; "
- " isdataat:30, relative; "
- " content:\"test\"; within: 5; distance:1; "
- " isdataat:15, relative; "
- " content:\"of splitted\"; within:37; distance:15; "
- " isdataat:20,relative; "
- " content:\"patterns\"; within:9; distance:1; "
- " isdataat:10, relative; "
- " sid:1;)";
- return DetectContentLongPatternMatchTestWrp(sig, 1);
-}
-
-/**
- * \test Check that we match packets with multiple chunks and not chunks
- * Here we should specify contents that fit and contents that must be splitted
- * Each of them with their modifier values
- */
-int DetectContentLongPatternMatchTest06()
-{
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\"; "
- " content:\"Hi, this is a big test to check cont\"; depth:36;"
- " content:\"ent matches\"; within:11; distance:0; "
- " content:\"of splitted patterns between multiple\"; "
- " within:38; distance:1; "
- " content:\"chunks!\"; within: 8; distance:1; "
- " sid:1;)";
- return DetectContentLongPatternMatchTestWrp(sig, 1);
-}
-
-/**
- * \test Check if we match contents that are in the payload
- * but not in the same order as specified in the signature
- */
-int DetectContentLongPatternMatchTest07()
-{
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\"; "
- " content:\"chunks!\"; "
- " content:\"content matches\"; offset:32; depth:47; "
- " content:\"of splitted patterns between multiple\"; "
- " content:\"Hi, this is a big\"; offset:0; depth:17; "
- " sid:1;)";
- return DetectContentLongPatternMatchTestWrp(sig, 1);
-}
-
-/**
- * \test Check if we match contents that are in the payload
- * but not in the same order as specified in the signature
- */
-int DetectContentLongPatternMatchTest08()
-{
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\"; "
- " content:\"ent matches\"; "
- " content:\"of splitted patterns between multiple\"; "
- " within:38; distance:1; "
- " content:\"chunks!\"; within: 8; distance:1; "
- " content:\"Hi, this is a big test to check cont\"; depth:36;"
- " sid:1;)";
- return DetectContentLongPatternMatchTestWrp(sig, 1);
-}
-
-/**
- * \test Check if we match contents that are in the payload
- * but not in the same order as specified in the signature
- */
-int DetectContentLongPatternMatchTest09()
-{
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\"; "
- " content:\"ent matches\"; "
- " content:\"of splitted patterns between multiple\"; "
- " offset:47; depth:85; "
- " content:\"chunks!\"; within: 8; distance:1; "
- " content:\"Hi, this is a big test to chec\"; depth:36;"
- " content:\"k cont\"; distance:0; within:6;"
- " sid:1;)";
- return DetectContentLongPatternMatchTestWrp(sig, 1);
-}
-
-/**
- * \test Check if we match two consecutive simple contents
- */
-int DetectContentLongPatternMatchTest10()
-{
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\"; "
- " content:\"Hi, this is a big test to check \"; "
- " content:\"con\"; "
- " sid:1;)";
- return DetectContentLongPatternMatchTestWrp(sig, 1);
-}
-
-/**
- * \test Check if we match two contents of length 1
- */
-int DetectContentLongPatternMatchTest11()
-{
- char *sig = "alert tcp any any -> any any (msg:\"Nothing..\"; "
- " content:\"H\"; "
- " content:\"i\"; "
- " sid:1;)";
- return DetectContentLongPatternMatchTestWrp(sig, 1);
-}
-
-int DetectContentParseTest09(void)
-{
- int result = 0;
- DetectContentData *cd = NULL;
- char *teststring = "!\"boo\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- if (cd->flags & DETECT_CONTENT_NEGATED)
- result = 1;
-
- DetectContentFree(cd);
- }
-
- return result;
-}
-
-int DetectContentParseTest10(void)
-{
- int result = 0;
- DetectContentData *cd = NULL;
- char *teststring = "!\"boo\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- if (cd->flags & DETECT_CONTENT_NEGATED)
- result = 1;
-
- DetectContentFree(cd);
- }
- return result;
-}
-
-int DetectContentParseNegTest11(void)
-{
- int result = 0;
- DetectContentData *cd = NULL;
- char *teststring = "\"boo\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- if (!(cd->flags & DETECT_CONTENT_NEGATED))
- result = 1;
-
- DetectContentFree(cd);
- }
- return result;
-}
-
-int DetectContentParseNegTest12(void)
-{
- int result = 0;
- DetectContentData *cd = NULL;
- char *teststring = "\"boo\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- if (!(cd->flags & DETECT_CONTENT_NEGATED))
- result = 1;
-
- DetectContentFree(cd);
- }
- return result;
-}
-
-int DetectContentParseNegTest13(void)
-{
- int result = 0;
- DetectContentData *cd = NULL;
- char *teststring = "!\"boo\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- if (cd->flags & DETECT_CONTENT_NEGATED)
- result = 1;
-
- DetectContentFree(cd);
- }
- return result;
-}
-
-int DetectContentParseNegTest14(void)
-{
- int result = 0;
- DetectContentData *cd = NULL;
- char *teststring = " \"!boo\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- if (!(cd->flags & DETECT_CONTENT_NEGATED))
- result = 1;
-
- DetectContentFree(cd);
- }
- return result;
-}
-
-int DetectContentParseNegTest15(void)
-{
- int result = 0;
- DetectContentData *cd = NULL;
- char *teststring = " !\"boo\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- if (cd->flags & DETECT_CONTENT_NEGATED)
- result = 1;
-
- DetectContentFree(cd);
- }
- return result;
-}
-
-int DetectContentParseNegTest16(void)
-{
- int result = 0;
- DetectContentData *cd = NULL;
- char *teststring = " \"boo\"";
-
- cd = DetectContentParse(teststring);
- if (cd != NULL) {
- result = (cd->content_len == 3 && memcmp(cd->content,"boo",3) == 0);
- DetectContentFree(cd);
- }
- return result;
-}
-
-/**
- * \test Test cases where if within specified is < content lenggth we invalidate
- * the sig.
- */
-int DetectContentParseTest17(void)
-{
- int result = 0;
- char *sigstr = "alert tcp any any -> any any (msg:\"Dummy\"; "
- "content:\"one\"; content:\"two\"; within:2; sid:1;)";
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->sig_list = SigInit(de_ctx, sigstr);
- if (de_ctx->sig_list != NULL)
- goto end;
-
- result = 1;
-
-end:
- SigCleanSignatures(de_ctx);
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-int DetectContentParseTest18(void)
-{
- Signature *s = SigAlloc();
- int result = 1;
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- result = 0;
- goto end;
- }
-
- s->alproto = ALPROTO_DCERPC;
-
- result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0);
- result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
-
- SigFree(s);
-
- s = SigAlloc();
- if (s == NULL)
- return 0;
-
- result &= (DetectContentSetup(de_ctx, s, "\"one\"") == 0);
- result &= (s->sm_lists[DETECT_SM_LIST_DMATCH] == NULL && s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
-
- end:
- SigFree(s);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-
-int DetectContentParseTest19(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- DetectContentData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing dce iface, stub_data with content\"; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
- "dce_stub_data; "
- "content:\"one\"; distance:0; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf ("failed dce iface, stub_data with content ");
- result = 0;
- goto end;
- }
- s = de_ctx->sig_list;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
- result = 0;
- goto end;
- }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
- result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ||
- result == 0) {
- result = 0;
- goto end;
- }
-
- s->next = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing dce iface, stub_data with contents & distance, within\"; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
- "dce_stub_data; "
- "content:\"one\"; distance:0; content:\"two\"; within:10; sid:1;)");
- if (s->next == NULL) {
- printf("failed dce iface, stub_data with content & distance, within");
- result = 0;
- goto end;
- }
- s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
- result = 0;
- goto end;
- }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
- result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ||
- result == 0) {
- result = 0;
- goto end;
- }
- result &= (data->within == 10);
-/*
- s->next = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing dce iface, stub_data with contents & offset, depth\"; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
- "dce_stub_data; "
- "content:\"one\"; offset:5; depth:9; "
- "content:\"two\"; within:10; sid:1;)");
- if (s->next == NULL) {
- printf ("failed dce iface, stub_data with contents & offset, depth");
- result = 0;
- goto end;
- }
- s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
- result = 0;
- goto end;
- }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
- result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ||
- result == 0) {
- result = 0;
- goto end;
- }
- result &= (data->offset == 5 && data->depth == 9);
- data = (DetectContentData *)s->sm_lists[DETECT_SM_LIST_DMATCH]->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ||
- result == 0) {
- result = 0;
- goto end;
- }
-
- s->next = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing dce iface, stub with contents, distance\"; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
- "dce_stub_data; "
- "content:\"one\"; distance:0; "
- "content:\"two\"; distance:2; sid:1;)");
- if (s->next == NULL) {
- result = 0;
- goto end;
- }
- s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
- result = 0;
- goto end;
- }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
- result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ||
- result == 0) {
- result = 0;
- goto end;
- }
- result &= (data->distance == 2);
-*/
- s->next = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing dce iface, stub with contents, distance, within\"; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
- "dce_stub_data; "
- "content:\"one\"; distance:0; "
- "content:\"two\"; within:10; distance:2; sid:1;)");
- if (s->next == NULL) {
- result = 0;
- goto end;
- }
- s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
- result = 0;
- goto end;
- }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
- result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ||
- result == 0) {
- result = 0;
- goto end;
- }
- result &= (data->within == 10 && data->distance == 2);
-/*
- s->next = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing dce iface, stub_data with content, offset\"; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
- "dce_stub_data; "
- "content:\"one\"; offset:10; sid:1;)");
- if (s->next == NULL) {
- printf ("Failed dce iface, stub_data with content, offset ");
- result = 0;
- goto end;
- }
- s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
- result = 0;
- goto end;
- }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
- result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ||
- result == 0) {
- result = 0;
- goto end;
- }
- result &= (data->offset == 10);
-
- s->next = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing dce iface, stub_data with content, depth\"; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
- "dce_stub_data; "
- "content:\"one\"; depth:10; sid:1;)");
- if (s->next == NULL) {
- printf ("failed dce iface, stub_data with content, depth");
- result = 0;
- goto end;
- }
- s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
- result = 0;
- goto end;
- }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
- result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ||
- result == 0) {
- result = 0;
- goto end;
- }
- result &= (data->depth == 10);
-
- s->next = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing dce iface, stub_data with content, offset, depth\"; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
- "dce_stub_data; "
- "content:\"one\"; offset:10; depth:3; sid:1;)");
- if (s->next == NULL) {
- printf("failed dce iface, stub_data with content, offset, depth");
- result = 0;
- goto end;
- }
- s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
- result = 0;
- goto end;
- }
- result &= (s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->type == DETECT_CONTENT);
- result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] == NULL);
- data = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_DMATCH]->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ||
- result == 0) {
- result = 0;
- goto end;
- }
- result &= (data->offset == 10 && data->depth == 13);
-*/
- s->next = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing content\"; "
- "content:\"one\"; sid:1;)");
- if (s->next == NULL) {
- printf ("failed testing content");
- result = 0;
- goto end;
- }
- s = s->next;
- if (s->sm_lists_tail[DETECT_SM_LIST_DMATCH] != NULL) {
- result = 0;
- goto end;
- }
- result &= (s->sm_lists[DETECT_SM_LIST_PMATCH] != NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-int DetectContentParseTest20(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"\"; sid:238012;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest21(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"; sid:238012;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest22(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"boo; sid:238012;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest23(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:boo\"; sid:238012;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest24(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- DetectContentData *cd = 0;
- Signature *s = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content: !\"boo\"; sid:238012;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL: ");
- result = 0;
- goto end;
- }
-
- if (s->sm_lists_tail[DETECT_SM_LIST_PMATCH] == NULL || s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx == NULL) {
- printf("de_ctx->pmatch_tail == NULL || de_ctx->pmatch_tail->ctx == NULL: ");
- result = 0;
- goto end;
- }
-
- cd = (DetectContentData *)s->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
- result = (strncmp("boo", (char *)cd->content, cd->content_len) == 0);
-
-end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest25(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"|\"; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest26(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"|af\"; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest27(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"af|\"; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest28(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"|af|\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest29(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"aast|\"; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest30(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"aast|af\"; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest31(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"aast|af|\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest32(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"|af|asdf\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest33(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"|af|af|\"; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest34(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"|af|af|af\"; sid:1;)");
- if (de_ctx->sig_list != NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test
- */
-int DetectContentParseTest35(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert udp any any -> any any "
- "(msg:\"test\"; content:\"|af|af|af|\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test: file_data
- */
-static int DetectContentParseTest36(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert tcp any any -> any any "
- "(msg:\"test\"; file_data; content:\"abc\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("sig parse failed: ");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("content still in PMATCH list: ");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
- printf("content not in FILEDATA list: ");
- goto end;
- }
-
- result = 1;
-end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test: file_data
- */
-static int DetectContentParseTest37(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert tcp any any -> any any "
- "(msg:\"test\"; file_data; content:\"abc\"; content:\"def\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("sig parse failed: ");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("content still in PMATCH list: ");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
- printf("content not in FILEDATA list: ");
- goto end;
- }
-
- result = 1;
-end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test: file_data
- */
-static int DetectContentParseTest38(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert tcp any any -> any any "
- "(msg:\"test\"; file_data; content:\"abc\"; content:\"def\"; within:8; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("sig parse failed: ");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("content still in PMATCH list: ");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
- printf("content not in FILEDATA list: ");
- goto end;
- }
-
- result = 1;
-end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-static int SigTestPositiveTestContent(char *rule, uint8_t *buf)
-{
- uint16_t buflen = strlen((char *)buf);
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- int result = 0;
-
- memset(&th_v, 0, sizeof(th_v));
- p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx, rule);
- if (de_ctx->sig_list == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1) != 1) {
- goto end;
- }
-
- result = 1;
-end:
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
- }
-
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- * \test Parsing test: file_data, within relative to file_data
- */
-static int DetectContentParseTest39(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert tcp any any -> any any "
- "(msg:\"test\"; file_data; content:\"abc\"; within:8; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("sig parse failed: ");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("content still in PMATCH list: ");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
- printf("content not in FILEDATA list: ");
- goto end;
- }
-
- result = 1;
-end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Parsing test: file_data, distance relative to file_data
- */
-static int DetectContentParseTest40(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,
- "alert tcp any any -> any any "
- "(msg:\"test\"; file_data; content:\"abc\"; distance:3; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("sig parse failed: ");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("content still in PMATCH list: ");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_FILEDATA] == NULL) {
- printf("content not in FILEDATA list: ");
- goto end;
- }
-
- result = 1;
-end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-int DetectContentParseTest41(void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- int patlen = 257;
- char *teststring = SCMalloc(sizeof(char) * (patlen + 1));
- if (unlikely(teststring == NULL))
- return 0;
- int idx = 0;
- teststring[idx++] = '\"';
- for (int i = 0; i < (patlen - 2); idx++, i++) {
- teststring[idx] = 'a';
- }
- teststring[idx++] = '\"';
- teststring[idx++] = '\0';
-
- cd = DetectContentParse(teststring);
- if (cd == NULL) {
- SCLogDebug("expected not NULL");
- result = 0;
- }
-
- SCFree(teststring);
- DetectContentFree(cd);
- return result;
-}
-
-/**
- * Tests that content lengths > 255 are supported.
- */
-int DetectContentParseTest42(void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- int patlen = 258;
- char *teststring = SCMalloc(sizeof(char) * (patlen + 1));
- if (unlikely(teststring == NULL))
- return 0;
- int idx = 0;
- teststring[idx++] = '\"';
- for (int i = 0; i < (patlen - 2); idx++, i++) {
- teststring[idx] = 'a';
- }
- teststring[idx++] = '\"';
- teststring[idx++] = '\0';
-
- cd = DetectContentParse(teststring);
- if (cd == NULL) {
- SCLogDebug("expected not NULL");
- result = 0;
- }
-
- SCFree(teststring);
- DetectContentFree(cd);
- return result;
-}
-
-int DetectContentParseTest43(void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- int patlen = 260;
- char *teststring = SCMalloc(sizeof(char) * (patlen + 1));
- if (unlikely(teststring == NULL))
- return 0;
- int idx = 0;
- teststring[idx++] = '\"';
- teststring[idx++] = '|';
- teststring[idx++] = '4';
- teststring[idx++] = '6';
- teststring[idx++] = '|';
- for (int i = 0; i < (patlen - 6); idx++, i++) {
- teststring[idx] = 'a';
- }
- teststring[idx++] = '\"';
- teststring[idx++] = '\0';
-
- cd = DetectContentParse(teststring);
- if (cd == NULL) {
- SCLogDebug("expected not NULL");
- result = 0;
- }
-
- SCFree(teststring);
- DetectContentFree(cd);
- return result;
-}
-
-/**
- * Tests that content lengths > 255 are supported.
- */
-int DetectContentParseTest44(void)
-{
- int result = 1;
- DetectContentData *cd = NULL;
- int patlen = 261;
- char *teststring = SCMalloc(sizeof(char) * (patlen + 1));
- if (unlikely(teststring == NULL))
- return 0;
- int idx = 0;
- teststring[idx++] = '\"';
- teststring[idx++] = '|';
- teststring[idx++] = '4';
- teststring[idx++] = '6';
- teststring[idx++] = '|';
- for (int i = 0; i < (patlen - 6); idx++, i++) {
- teststring[idx] = 'a';
- }
- teststring[idx++] = '\"';
- teststring[idx++] = '\0';
-
- cd = DetectContentParse(teststring);
- if (cd == NULL) {
- SCLogDebug("expected not NULL");
- result = 0;
- }
-
- SCFree(teststring);
- DetectContentFree(cd);
- return result;
-}
-
-static int SigTestNegativeTestContent(char *rule, uint8_t *buf)
-{
- uint16_t buflen = strlen((char *)buf);
- Packet *p = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- int result = 0;
- memset(&th_v, 0, sizeof(th_v));
-
- p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx, rule);
- if (de_ctx->sig_list == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1) != 0) {
- goto end;
- }
-
- result = 1;
-end:
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- }
- UTHFreePackets(&p, 1);
- return result;
-}
-
-/**
- * \test A positive test that checks that the content string doesn't contain
- * the negated content
- */
-static int SigTest41TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"GES\"; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
-}
-
-/**
- * \test A positive test that checks that the content string doesn't contain
- * the negated content within the specified depth
- */
-static int SigTest42TestNegatedContent(void)
-{ // 01 5 10 15 20 24
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"twentythree\"; depth:22; offset:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A negative test that checks that the content string doesn't contain
- * the negated content within the specified depth, and also after the
- * specified offset. Since the content is there, the match fails.
- *
- * Match is at offset:23, depth:34
- */
-static int SigTest43TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (content:!\"twentythree\"; depth:34; offset:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A negative test that checks that the content string doesn't contain
- * the negated content after the specified offset and within the specified
- * depth.
- */
-static int SigTest44TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"twentythree\"; offset:40; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A positive test that uses a combination of content string with negated
- * content string
- */
-static int SigTest45TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:5; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A negative test that uses a combination of content string with negated
- * content string, with we receiving a failure for 'onee' itself.
- */
-static int SigTest46TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"onee\"; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A negative test that uses a combination of content string with negated
- * content string, with we receiving a failure of first content's offset
- * condition
- */
-static int SigTest47TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; offset:5; content:!\"twentythree\"; depth:23; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A positive test that checks that we don't have a negated content within
- * the specified length from the previous content match.
- */
-static int SigTest48TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
-}
-
-/**
- * \test A negative test that checks the combined use of content and negated
- * content with the use of within
- */
-static int SigTest49TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"Host\"; within:26; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
-}
-
-/**
- * \test A positive test that checks the combined use of content and negated
- * content with the use of distance
- */
-static int SigTest50TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GET\"; content:!\"GES\"; distance:25; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
-}
-
-/**
- * \test A negative test that checks the combined use of content and negated
- * content with the use of distance
- *
- * First GET at offset 0
- * First Host at offset 21
- */
-static int SigTest51TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"GET\"; content:!\"Host\"; distance:17; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
-}
-
-/**
- * \test A negative test that checks the combined use of content and negated
- * content, with the content not being present
- */
-static int SigTest52TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"GES\"; content:!\"BOO\"; sid:1;)", (uint8_t *)"GET /one/ HTTP/1.1\r\n Host: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n");
-}
-
-/**
- * \test A negative test that checks the combined use of content and negated
- * content, in the presence of within
- */
-static int SigTest53TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A positive test that checks the combined use of content and negated
- * content, in the presence of within
- */
-static int SigTest54TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:20; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A negative test that checks the use of negated content along with
- * the presence of depth
- */
-static int SigTest55TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"one\"; depth:5; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A positive test that checks the combined use of 2 contents in the
- * presence of within
- */
-static int SigTest56TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:\"fourty\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A negative test that checks the combined use of content and negated
- * content, in the presence of within
- */
-static int SigTest57TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A positive test that checks the combined use of content and negated
- * content, in the presence of distance
- */
-static int SigTest58TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; distance:57; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/**
- * \test A negative test that checks the combined use of content and negated
- * content, in the presence of distance
- */
-static int SigTest59TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; content:!\"fourty\"; distance:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest60TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:!\"one\"; content:\"fourty\"; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest61TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/** \test Test negation in combination with within and depth
- *
- * Match of "one" at offset:0, depth:3
- * Match of "fourty" at offset:46, depth:52
- *
- * This signature should not match for the test to pass.
- */
-static int SigTest62TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:49; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest63TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:10; content:!\"fourty\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest64TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/** \test Test negation in combination with within and depth
- *
- * Match of "one" at offset:0, depth:3
- * Match of "fourty" at offset:46, depth:52
- *
- * This signature should not match for the test to pass.
- */
-static int SigTest65TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; distance:0; within:49; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest66TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"fourty\"; within:30; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest67TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:!\"four\"; within:56; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest68TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:28; content:\"fiftysix\"; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest69TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; depth:10; content:\"nine\"; offset:8; content:!\"fourty\"; within:48; content:\"fiftysix\"; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest70TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:52; distance:45 sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-/** \test within and distance */
-static int SigTest71TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:40; distance:43; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest72TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (content:\"one\"; content:!\"fourty\"; within:49; distance:43; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest73TestNegatedContent(void)
-{
- return SigTestNegativeTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"one\"; depth:5; content:!\"twentythree\"; depth:35; sid:1;)", (uint8_t *)"one four nine fourteen twentythree thirtyfive fourtysix fiftysix");
-}
-
-static int SigTest74TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:!\"PASS\"; sid:1;)", (uint8_t *)"USER apple");
-}
-
-static int SigTest75TestNegatedContent(void)
-{
- return SigTestPositiveTestContent("alert tcp any any -> any any (msg:\"HTTP URI cap\"; content:\"USER\"; content:\"!PASS\"; sid:1;)", (uint8_t *)"USER !PASS");
-}
-
-static int SigTest76TestBug134(void)
-{
- uint8_t *buf = (uint8_t *)"test detect ${IFS} in traffic";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
- int result = 0;
- Flow f;
-
- memset(&f, 0, sizeof(Flow));
- FLOW_INITIALIZE(&f);
-
- p->dp = 515;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flow = &f;
- p->flags |= PKT_HAS_FLOW;
-
- char sig[] = "alert tcp any any -> any 515 "
- "(msg:\"detect IFS\"; flow:to_server,established; content:\"${IFS}\";"
- " depth:50; offset:0; sid:900091; rev:1;)";
- if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
- result = 0;
- goto end;
- }
-
- result = 1;
-end:
- if (p != NULL)
- UTHFreePacket(p);
-
- FLOW_DESTROY(&f);
- return result;
-}
-
-static int SigTest77TestBug139(void)
-{
- uint8_t buf[] = {
- 0x12, 0x23, 0x34, 0x35, 0x52, 0x52, 0x24, 0x42, 0x22, 0x24,
- 0x52, 0x24, 0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x34 };
- uint16_t buflen = sizeof(buf);
- Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_UDP);
- int result = 0;
-
- p->dp = 53;
- char sig[] = "alert udp any any -> any 53 (msg:\"dns testing\";"
- " content:\"|00 00|\"; depth:5; offset:13; sid:9436601;"
- " rev:1;)";
- if (UTHPacketMatchSigMpm(p, sig, MPM_B2G) == 0) {
- result = 0;
- goto end;
- }
-
- result = 1;
-end:
- if (p != NULL)
- UTHFreePacket(p);
- return result;
-}
-
-static int DetectLongContentTestCommon(char *sig, uint32_t sid)
-{
- /* Packet with 512 A's in it for testing long content. */
- static uint8_t pkt[739] = {
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x45, 0x00,
- 0x02, 0xd5, 0x4a, 0x18, 0x40, 0x00, 0x40, 0x06,
- 0xd7, 0xd6, 0x0a, 0x10, 0x01, 0x0b, 0x0a, 0x10,
- 0x01, 0x0a, 0xdb, 0x36, 0x00, 0x50, 0xca, 0xc5,
- 0xcc, 0xd1, 0x95, 0x77, 0x0f, 0x7d, 0x80, 0x18,
- 0x00, 0xe5, 0x77, 0x9d, 0x00, 0x00, 0x01, 0x01,
- 0x08, 0x0a, 0x1d, 0xe0, 0x86, 0xc6, 0xfc, 0x73,
- 0x49, 0xf3, 0x50, 0x4f, 0x53, 0x54, 0x20, 0x2f,
- 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e,
- 0x31, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d,
- 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x63,
- 0x75, 0x72, 0x6c, 0x2f, 0x37, 0x2e, 0x33, 0x37,
- 0x2e, 0x30, 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74,
- 0x3a, 0x20, 0x31, 0x30, 0x2e, 0x31, 0x36, 0x2e,
- 0x31, 0x2e, 0x31, 0x30, 0x0d, 0x0a, 0x41, 0x63,
- 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x2a, 0x2f,
- 0x2a, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65,
- 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74,
- 0x68, 0x3a, 0x20, 0x35, 0x32, 0x38, 0x0d, 0x0a,
- 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d,
- 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x61, 0x70,
- 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
- 0x6e, 0x2f, 0x78, 0x2d, 0x77, 0x77, 0x77, 0x2d,
- 0x66, 0x6f, 0x72, 0x6d, 0x2d, 0x75, 0x72, 0x6c,
- 0x65, 0x6e, 0x63, 0x6f, 0x64, 0x65, 0x64, 0x0d,
- 0x0a, 0x0d, 0x0a, 0x58, 0x58, 0x58, 0x58, 0x58,
- 0x58, 0x58, 0x58, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
- 0x41, 0x41, 0x41, 0x58, 0x58, 0x58, 0x58, 0x58,
- 0x58, 0x58, 0x58
- };
-
- return DetectContentLongPatternMatchTest(pkt, (uint16_t)sizeof(pkt), sig,
- sid);
-}
-
-static int DetectLongContentTest1(void)
-{
- /* Signature with 256 A's. */
- char *sig = "alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
-
- return DetectLongContentTestCommon(sig, 1);
-}
-
-static int DetectLongContentTest2(void)
-{
- /* Signature with 512 A's. */
- char *sig = "alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
-
- return DetectLongContentTestCommon(sig, 1);
-}
-
-static int DetectLongContentTest3(void)
-{
- /* Signature with 513 A's. */
- char *sig = "alert tcp any any -> any any (msg:\"Test Rule\"; content:\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"; sid:1;)";
-
- return !DetectLongContentTestCommon(sig, 1);
-}
-
-#endif /* UNITTESTS */
-
-/**
- * \brief this function registers unit tests for DetectContent
- */
-void DetectContentRegisterTests(void)
-{
-#ifdef UNITTESTS /* UNITTESTS */
- UtRegisterTest("DetectContentParseTest01", DetectContentParseTest01, 1);
- UtRegisterTest("DetectContentParseTest02", DetectContentParseTest02, 1);
- UtRegisterTest("DetectContentParseTest03", DetectContentParseTest03, 1);
- UtRegisterTest("DetectContentParseTest04", DetectContentParseTest04, 1);
- UtRegisterTest("DetectContentParseTest05", DetectContentParseTest05, 1);
- UtRegisterTest("DetectContentParseTest06", DetectContentParseTest06, 1);
- UtRegisterTest("DetectContentParseTest07", DetectContentParseTest07, 1);
- UtRegisterTest("DetectContentParseTest08", DetectContentParseTest08, 1);
- UtRegisterTest("DetectContentParseTest09", DetectContentParseTest09, 1);
- UtRegisterTest("DetectContentParseTest10", DetectContentParseTest10, 1);
- UtRegisterTest("DetectContentParseNegTest11", DetectContentParseNegTest11, 1);
- UtRegisterTest("DetectContentParseNegTest12", DetectContentParseNegTest12, 1);
- UtRegisterTest("DetectContentParseNegTest13", DetectContentParseNegTest13, 1);
- UtRegisterTest("DetectContentParseNegTest14", DetectContentParseNegTest14, 1);
- UtRegisterTest("DetectContentParseNegTest15", DetectContentParseNegTest15, 1);
- UtRegisterTest("DetectContentParseNegTest16", DetectContentParseNegTest16, 1);
- UtRegisterTest("DetectContentParseTest17", DetectContentParseTest17, 1);
- UtRegisterTest("DetectContentParseTest18", DetectContentParseTest18, 1);
- UtRegisterTest("DetectContentParseTest19", DetectContentParseTest19, 1);
- UtRegisterTest("DetectContentParseTest20", DetectContentParseTest20, 1);
- UtRegisterTest("DetectContentParseTest21", DetectContentParseTest21, 1);
- UtRegisterTest("DetectContentParseTest22", DetectContentParseTest22, 1);
- UtRegisterTest("DetectContentParseTest23", DetectContentParseTest23, 1);
- UtRegisterTest("DetectContentParseTest24", DetectContentParseTest24, 1);
- UtRegisterTest("DetectContentParseTest25", DetectContentParseTest25, 1);
- UtRegisterTest("DetectContentParseTest26", DetectContentParseTest26, 1);
- UtRegisterTest("DetectContentParseTest27", DetectContentParseTest27, 1);
- UtRegisterTest("DetectContentParseTest28", DetectContentParseTest28, 1);
- UtRegisterTest("DetectContentParseTest29", DetectContentParseTest29, 1);
- UtRegisterTest("DetectContentParseTest30", DetectContentParseTest30, 1);
- UtRegisterTest("DetectContentParseTest31", DetectContentParseTest31, 1);
- UtRegisterTest("DetectContentParseTest32", DetectContentParseTest32, 1);
- UtRegisterTest("DetectContentParseTest33", DetectContentParseTest33, 1);
- UtRegisterTest("DetectContentParseTest34", DetectContentParseTest34, 1);
- UtRegisterTest("DetectContentParseTest35", DetectContentParseTest35, 1);
- UtRegisterTest("DetectContentParseTest36", DetectContentParseTest36, 1);
- UtRegisterTest("DetectContentParseTest37", DetectContentParseTest37, 1);
- UtRegisterTest("DetectContentParseTest38", DetectContentParseTest38, 1);
- UtRegisterTest("DetectContentParseTest39", DetectContentParseTest39, 1);
- UtRegisterTest("DetectContentParseTest40", DetectContentParseTest40, 1);
- UtRegisterTest("DetectContentParseTest41", DetectContentParseTest41, 1);
- UtRegisterTest("DetectContentParseTest42", DetectContentParseTest42, 1);
- UtRegisterTest("DetectContentParseTest43", DetectContentParseTest43, 1);
- UtRegisterTest("DetectContentParseTest44", DetectContentParseTest44, 1);
-
- /* The reals */
- UtRegisterTest("DetectContentLongPatternMatchTest01", DetectContentLongPatternMatchTest01, 1);
- UtRegisterTest("DetectContentLongPatternMatchTest02", DetectContentLongPatternMatchTest02, 1);
- UtRegisterTest("DetectContentLongPatternMatchTest03", DetectContentLongPatternMatchTest03, 1);
- UtRegisterTest("DetectContentLongPatternMatchTest04", DetectContentLongPatternMatchTest04, 1);
- UtRegisterTest("DetectContentLongPatternMatchTest05", DetectContentLongPatternMatchTest05, 1);
- UtRegisterTest("DetectContentLongPatternMatchTest06", DetectContentLongPatternMatchTest06, 1);
- UtRegisterTest("DetectContentLongPatternMatchTest07", DetectContentLongPatternMatchTest07, 1);
- UtRegisterTest("DetectContentLongPatternMatchTest08", DetectContentLongPatternMatchTest08, 1);
- UtRegisterTest("DetectContentLongPatternMatchTest09", DetectContentLongPatternMatchTest09, 1);
- UtRegisterTest("DetectContentLongPatternMatchTest10", DetectContentLongPatternMatchTest10, 1);
- UtRegisterTest("DetectContentLongPatternMatchTest11", DetectContentLongPatternMatchTest11, 1);
-
- /* Negated content tests */
- UtRegisterTest("SigTest41TestNegatedContent", SigTest41TestNegatedContent, 1);
- UtRegisterTest("SigTest42TestNegatedContent", SigTest42TestNegatedContent, 1);
- UtRegisterTest("SigTest43TestNegatedContent", SigTest43TestNegatedContent, 1);
- UtRegisterTest("SigTest44TestNegatedContent", SigTest44TestNegatedContent, 1);
- UtRegisterTest("SigTest45TestNegatedContent", SigTest45TestNegatedContent, 1);
- UtRegisterTest("SigTest46TestNegatedContent", SigTest46TestNegatedContent, 1);
- UtRegisterTest("SigTest47TestNegatedContent", SigTest47TestNegatedContent, 1);
- UtRegisterTest("SigTest48TestNegatedContent", SigTest48TestNegatedContent, 1);
- UtRegisterTest("SigTest49TestNegatedContent", SigTest49TestNegatedContent, 1);
- UtRegisterTest("SigTest50TestNegatedContent", SigTest50TestNegatedContent, 1);
- UtRegisterTest("SigTest51TestNegatedContent", SigTest51TestNegatedContent, 1);
- UtRegisterTest("SigTest52TestNegatedContent", SigTest52TestNegatedContent, 1);
- UtRegisterTest("SigTest53TestNegatedContent", SigTest53TestNegatedContent, 1);
- UtRegisterTest("SigTest54TestNegatedContent", SigTest54TestNegatedContent, 1);
- UtRegisterTest("SigTest55TestNegatedContent", SigTest55TestNegatedContent, 1);
- UtRegisterTest("SigTest56TestNegatedContent", SigTest56TestNegatedContent, 1);
- UtRegisterTest("SigTest57TestNegatedContent", SigTest57TestNegatedContent, 1);
- UtRegisterTest("SigTest58TestNegatedContent", SigTest58TestNegatedContent, 1);
- UtRegisterTest("SigTest59TestNegatedContent", SigTest59TestNegatedContent, 1);
- UtRegisterTest("SigTest60TestNegatedContent", SigTest60TestNegatedContent, 1);
- UtRegisterTest("SigTest61TestNegatedContent", SigTest61TestNegatedContent, 1);
- UtRegisterTest("SigTest62TestNegatedContent", SigTest62TestNegatedContent, 1);
- UtRegisterTest("SigTest63TestNegatedContent", SigTest63TestNegatedContent, 1);
- UtRegisterTest("SigTest64TestNegatedContent", SigTest64TestNegatedContent, 1);
- UtRegisterTest("SigTest65TestNegatedContent", SigTest65TestNegatedContent, 1);
- UtRegisterTest("SigTest66TestNegatedContent", SigTest66TestNegatedContent, 1);
- UtRegisterTest("SigTest67TestNegatedContent", SigTest67TestNegatedContent, 1);
- UtRegisterTest("SigTest68TestNegatedContent", SigTest68TestNegatedContent, 1);
- UtRegisterTest("SigTest69TestNegatedContent", SigTest69TestNegatedContent, 1);
- UtRegisterTest("SigTest70TestNegatedContent", SigTest70TestNegatedContent, 1);
- UtRegisterTest("SigTest71TestNegatedContent", SigTest71TestNegatedContent, 1);
- UtRegisterTest("SigTest72TestNegatedContent", SigTest72TestNegatedContent, 1);
- UtRegisterTest("SigTest73TestNegatedContent", SigTest73TestNegatedContent, 1);
- UtRegisterTest("SigTest74TestNegatedContent", SigTest74TestNegatedContent, 1);
- UtRegisterTest("SigTest75TestNegatedContent", SigTest75TestNegatedContent, 1);
-
- UtRegisterTest("SigTest76TestBug134", SigTest76TestBug134, 1);
- UtRegisterTest("SigTest77TestBug139", SigTest77TestBug139, 1);
-
- UtRegisterTest("DetectLongContentTest1", DetectLongContentTest1, 1);
- UtRegisterTest("DetectLongContentTest2", DetectLongContentTest2, 1);
- UtRegisterTest("DetectLongContentTest3", DetectLongContentTest3, 1);
-#endif /* UNITTESTS */
-}