return result;
}
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest25(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "content:\"one\"; content:\"two\"; "
- "content:\"three\"; within:10; "
- "content:\"four\"; distance:4; "
- "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "four", 4) == 0);
- if (result == 0)
- goto end;
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest26(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_stub_data; "
- "pkt_data; "
- "content:\"one\"; "
- "content:\"two\"; "
- "content:\"three\"; within:5; "
- "content:\"four\"; distance:10; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("four failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "four", 4) == 0);
- if (result == 0)
- goto end;
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest27(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_stub_data; "
- "content:\"one\"; distance:10; within:5; "
- "content:\"two\"; within:5;"
- "content:\"three\"; within:5; "
- "content:\"four\"; distance:10; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] != NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("four failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "four", 4) == 0);
- if (result == 0)
- goto end;
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest28(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_stub_data; "
- "content:\"one\"; distance:10; within:5; "
- "content:\"two\"; within:5;"
- "pkt_data; "
- "content:\"three\";"
- "content:\"four\";"
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("four failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "four", 4) == 0);
- if (result == 0)
- goto end;
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest29(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectPcreData *pd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_stub_data; "
- "pkt_data; "
- "pcre:/boom/; "
- "content:\"one\"; distance:10; within:5; "
- "content:\"two\"; within:5;"
- "content:\"three\";"
- "content:\"four\";"
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_PCRE) {
- result = 0;
- goto end;
- }
- pd = (DetectPcreData *)sm->ctx;
- if (pd->flags & DETECT_PCRE_RAWBYTES ||
- pd->flags & DETECT_PCRE_RELATIVE) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("four failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "four", 4) == 0);
- if (result == 0)
- goto end;
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest30(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectBytejumpData *bd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_stub_data; "
- "pkt_data; "
- "byte_jump:2,5; "
- "content:\"one\"; distance:10; within:5; "
- "content:\"two\"; within:5;"
- "content:\"three\";"
- "content:\"four\";"
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] != NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_BYTEJUMP) {
- result = 0;
- goto end;
- }
- bd = (DetectBytejumpData *)sm->ctx;
- if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
- bd->flags & DETECT_BYTEJUMP_LITTLE ||
- bd->flags & DETECT_BYTEJUMP_BIG ||
- bd->flags & DETECT_BYTEJUMP_STRING ||
- bd->flags & DETECT_BYTEJUMP_RELATIVE ||
- bd->flags & DETECT_BYTEJUMP_ALIGN ||
- bd->flags & DETECT_BYTEJUMP_DCE ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("four failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "four", 4) == 0);
- if (result == 0)
- goto end;
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest31(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectBytejumpData *bd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_stub_data; "
- "byte_jump:2,5,relative; "
- "content:\"one\"; distance:10; within:5; "
- "content:\"two\"; within:5;"
- "pkt_data; "
- "content:\"three\";"
- "content:\"four\";"
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_BYTEJUMP) {
- result = 0;
- goto end;
- }
- bd = (DetectBytejumpData *)sm->ctx;
- if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
- bd->flags & DETECT_BYTEJUMP_LITTLE ||
- bd->flags & DETECT_BYTEJUMP_BIG ||
- bd->flags & DETECT_BYTEJUMP_STRING ||
- !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
- bd->flags & DETECT_BYTEJUMP_ALIGN ||
- bd->flags & DETECT_BYTEJUMP_DCE ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("four failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "four", 4) == 0);
- if (result == 0)
- goto end;
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest32(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectBytejumpData *bd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_stub_data; "
- "byte_jump:2,5,relative; "
- "content:\"one\"; distance:10; within:5; "
- "content:\"two\"; within:5;"
- "pkt_data; "
- "content:\"three\";"
- "content:\"four\"; within:4; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_BYTEJUMP) {
- result = 0;
- goto end;
- }
- bd = (DetectBytejumpData *)sm->ctx;
- if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
- bd->flags & DETECT_BYTEJUMP_LITTLE ||
- bd->flags & DETECT_BYTEJUMP_BIG ||
- bd->flags & DETECT_BYTEJUMP_STRING ||
- !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
- bd->flags & DETECT_BYTEJUMP_ALIGN ||
- bd->flags & DETECT_BYTEJUMP_DCE ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("four failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "four", 4) == 0);
- if (result == 0)
- goto end;
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest33(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectPcreData *pd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_stub_data; "
- "pcre:/boom/R; "
- "content:\"one\"; distance:10; within:5; "
- "content:\"two\"; within:5;"
- "pkt_data; "
- "content:\"three\";"
- "content:\"four\"; distance:5;"
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_PCRE) {
- result = 0;
- goto end;
- }
- pd = (DetectPcreData *)sm->ctx;
- if ( pd->flags & DETECT_PCRE_RAWBYTES ||
- !(pd->flags & DETECT_PCRE_RELATIVE)) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("four failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "four", 4) == 0);
- if (result == 0)
- goto end;
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest34(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectPcreData *pd = NULL;
- DetectBytejumpData *bd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "dce_opnum:10; dce_stub_data; "
- "pcre:/boom/R; "
- "byte_jump:1,2,relative,align,dce; "
- "content:\"one\"; within:4; distance:8; "
- "pkt_data; "
- "content:\"two\"; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_PCRE) {
- result = 0;
- goto end;
- }
- pd = (DetectPcreData *)sm->ctx;
- if ( pd->flags & DETECT_PCRE_RAWBYTES ||
- !(pd->flags & DETECT_PCRE_RELATIVE)) {
- result = 0;
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_BYTEJUMP) {
- result = 0;
- goto end;
- }
- bd = (DetectBytejumpData *)sm->ctx;
- if (bd->flags & DETECT_BYTEJUMP_BEGIN ||
- bd->flags & DETECT_BYTEJUMP_LITTLE ||
- bd->flags & DETECT_BYTEJUMP_BIG ||
- bd->flags & DETECT_BYTEJUMP_STRING ||
- !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
- !(bd->flags & DETECT_BYTEJUMP_ALIGN) ||
- !(bd->flags & DETECT_BYTEJUMP_DCE) ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest35(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectBytetestData *bd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "dce_opnum:10; dce_stub_data; "
- "byte_test:1,=,0,0,relative,dce; "
- "pkt_data; "
- "content:\"one\"; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_BYTETEST) {
- result = 0;
- goto end;
- }
- bd = (DetectBytetestData *)sm->ctx;
- if (bd->flags & DETECT_BYTETEST_LITTLE ||
- bd->flags & DETECT_BYTETEST_BIG ||
- bd->flags & DETECT_BYTETEST_STRING ||
- !(bd->flags & DETECT_BYTEJUMP_RELATIVE) ||
- !(bd->flags & DETECT_BYTETEST_DCE) ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- result &= (sm->next == NULL);
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest36(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectIsdataatData *isd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "dce_opnum:10; dce_stub_data; "
- "isdataat:10,relative; "
- "content:\"one\"; within:4; distance:8; "
- "pkt_data; "
- "content:\"two\"; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_ISDATAAT) {
- result = 0;
- goto end;
- }
- isd = (DetectIsdataatData *)sm->ctx;
- if ( isd->flags & ISDATAAT_RAWBYTES ||
- !(isd->flags & ISDATAAT_RELATIVE)) {
- result = 0;
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- result = 0;
- printf("two failed\n");
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest37(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectBytejumpData *bjd = NULL;
- DetectBytetestData *btd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "dce_opnum:10; dce_stub_data; "
- "byte_jump:1,2,relative,align,dce; "
- "byte_test:1,=,2,0,relative,dce; "
- "pkt_data; "
- "content:\"one\"; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_BYTEJUMP) {
- result = 0;
- goto end;
- }
- bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
- bjd->flags & DETECT_BYTEJUMP_LITTLE ||
- bjd->flags & DETECT_BYTEJUMP_BIG ||
- bjd->flags & DETECT_BYTEJUMP_STRING ||
- !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
- !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
- !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_BYTETEST) {
- result = 0;
- goto end;
- }
- btd = (DetectBytetestData *)sm->ctx;
- if (btd->flags & DETECT_BYTETEST_LITTLE ||
- btd->flags & DETECT_BYTETEST_BIG ||
- btd->flags & DETECT_BYTETEST_STRING ||
- !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
- !(btd->flags & DETECT_BYTETEST_DCE) ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- result &= (sm->next == NULL);
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest38(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectPcreData *pd = NULL;
- DetectBytejumpData *bjd = NULL;
- DetectBytetestData *btd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "dce_opnum:10; dce_stub_data; "
- "pcre:/boom/R; "
- "byte_jump:1,2,relative,align,dce; "
- "byte_test:1,=,2,0,relative,dce; "
- "pkt_data; "
- "content:\"one\"; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_PCRE) {
- result = 0;
- goto end;
- }
- pd = (DetectPcreData *)sm->ctx;
- if ( pd->flags & DETECT_PCRE_RAWBYTES ||
- !(pd->flags & DETECT_PCRE_RELATIVE)) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_BYTEJUMP) {
- result = 0;
- goto end;
- }
- bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
- bjd->flags & DETECT_BYTEJUMP_LITTLE ||
- bjd->flags & DETECT_BYTEJUMP_BIG ||
- bjd->flags & DETECT_BYTEJUMP_STRING ||
- !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
- !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
- !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_BYTETEST) {
- result = 0;
- goto end;
- }
- btd = (DetectBytetestData *)sm->ctx;
- if (btd->flags & DETECT_BYTETEST_LITTLE ||
- btd->flags & DETECT_BYTETEST_BIG ||
- btd->flags & DETECT_BYTETEST_STRING ||
- !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
- !(btd->flags & DETECT_BYTETEST_DCE) ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- result &= (sm->next == NULL);
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest39(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "content:\"one\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "dce_opnum:10; dce_stub_data; "
- "content:\"two\"; within:4; distance:8; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest40(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectBytetestData *btd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "dce_opnum:10; dce_stub_data; "
- "content:\"one\"; within:10; "
- "content:\"two\"; distance:20; within:30; "
- "byte_test:1,=,2,0,relative,dce; "
- "pkt_data; "
- "content:\"three\"; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_BYTETEST) {
- result = 0;
- goto end;
- }
- btd = (DetectBytetestData *)sm->ctx;
- if (btd->flags & DETECT_BYTETEST_LITTLE ||
- btd->flags & DETECT_BYTETEST_BIG ||
- btd->flags & DETECT_BYTETEST_STRING ||
- !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
- !(btd->flags & DETECT_BYTETEST_DCE) ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- result &= (sm->next == NULL);
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest41(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectBytetestData *btd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "dce_opnum:10; dce_stub_data; "
- "content:\"one\"; within:10; "
- "pkt_data; "
- "content:\"two\"; "
- "byte_test:1,=,2,0,relative,dce; "
- "content:\"three\"; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_BYTETEST) {
- result = 0;
- goto end;
- }
- btd = (DetectBytetestData *)sm->ctx;
- if (btd->flags & DETECT_BYTETEST_LITTLE ||
- btd->flags & DETECT_BYTETEST_BIG ||
- btd->flags & DETECT_BYTETEST_STRING ||
- !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
- !(btd->flags & DETECT_BYTETEST_DCE) ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("three failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "three", 5) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest44(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectIsdataatData *isd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
- de_ctx->flags |= DE_QUIET;
-
- s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
- "content:\"one\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "dce_opnum:10; dce_stub_data; "
- "isdataat:10,relative; "
- "content:\"one\"; within:4; distance:8; "
- "pkt_data; "
- "content:\"two\"; "
- "sid:1;)");
- FAIL_IF_NULL(s);
-
- FAIL_IF_NULL(s->init_data->smlists_tail[g_dce_stub_data_buffer_id]);
- FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
-
- /* isdataat:10,relative; */
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- FAIL_IF(sm->type != DETECT_ISDATAAT);
- isd = (DetectIsdataatData *)sm->ctx;
- FAIL_IF(isd->flags & ISDATAAT_RAWBYTES);
- FAIL_IF_NOT(isd->flags & ISDATAAT_RELATIVE);
- FAIL_IF_NULL(sm->next);
-
- sm = sm->next;
-
- /* content:\"one\"; within:4; distance:8; */
- FAIL_IF(sm->type != DETECT_CONTENT);
- data = (DetectContentData *)sm->ctx;
- FAIL_IF (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- !(data->flags & DETECT_CONTENT_WITHIN) ||
- !(data->flags & DETECT_CONTENT_DISTANCE) ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
- data->flags & DETECT_CONTENT_NEGATED );
-
- FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
- FAIL_IF_NOT(sm->next == NULL);
-
- /* first content:\"one\"; */
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- FAIL_IF(sm->type != DETECT_CONTENT);
- data = (DetectContentData *)sm->ctx;
- FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES);
- FAIL_IF(data->flags & DETECT_CONTENT_NOCASE);
- FAIL_IF(data->flags & DETECT_CONTENT_WITHIN);
- FAIL_IF(data->flags & DETECT_CONTENT_DISTANCE);
- FAIL_IF(data->flags & DETECT_CONTENT_FAST_PATTERN);
- FAIL_IF(data->flags & DETECT_CONTENT_RELATIVE_NEXT);
- FAIL_IF(data->flags & DETECT_CONTENT_NEGATED );
- FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
-
- FAIL_IF_NULL(sm->next);
- sm = sm->next;
-
- FAIL_IF(sm->type != DETECT_CONTENT);
-
- data = (DetectContentData *)sm->ctx;
- FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_NEGATED );
-
- FAIL_IF_NOT(strncmp((char *)data->content, "two", 3) == 0);
-
- FAIL_IF_NOT(sm->next == NULL);
-
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- PASS;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest45(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectBytejumpData *bjd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "content:\"one\"; "
- "dce_opnum:10; dce_stub_data; "
- "byte_jump:1,2,relative,align,dce; "
- "pkt_data; "
- "content:\"two\"; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_BYTEJUMP) {
- result = 0;
- goto end;
- }
- bjd = (DetectBytejumpData *)sm->ctx;
- if (bjd->flags & DETECT_BYTEJUMP_BEGIN ||
- bjd->flags & DETECT_BYTEJUMP_LITTLE ||
- bjd->flags & DETECT_BYTEJUMP_BIG ||
- bjd->flags & DETECT_BYTEJUMP_STRING ||
- !(bjd->flags & DETECT_BYTEJUMP_RELATIVE) ||
- !(bjd->flags & DETECT_BYTEJUMP_ALIGN) ||
- !(bjd->flags & DETECT_BYTEJUMP_DCE) ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- result &= (sm->next == NULL);
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("one failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("two failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
-/**
- * \test Test content for dce sig.
- */
-static int DcePayloadParseTest46(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 1;
- Signature *s = NULL;
- SigMatch *sm = NULL;
- DetectContentData *data = NULL;
- DetectBytetestData *btd = NULL;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing bytejump_body\"; "
- "dce_iface:12345678-1234-1234-1234-123456789012; "
- "content:\"one\"; "
- "dce_opnum:10; dce_stub_data; "
- "byte_test:1,=,2,0,relative,dce; "
- "pkt_data; "
- "content:\"two\"; "
- "sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- if (s->init_data->smlists_tail[g_dce_stub_data_buffer_id] == NULL) {
- result = 0;
- goto end;
- }
- if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
- result = 0;
- goto end;
- }
-
- sm = s->init_data->smlists[g_dce_stub_data_buffer_id];
- if (sm->type != DETECT_BYTETEST) {
- result = 0;
- goto end;
- }
- btd = (DetectBytetestData *)sm->ctx;
- if (btd->flags & DETECT_BYTETEST_LITTLE ||
- btd->flags & DETECT_BYTETEST_BIG ||
- btd->flags & DETECT_BYTETEST_STRING ||
- !(btd->flags & DETECT_BYTETEST_RELATIVE) ||
- !(btd->flags & DETECT_BYTETEST_DCE) ) {
- result = 0;
- printf("one failed\n");
- goto end;
- }
-
- result &= (sm->next == NULL);
-
- sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("one failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "one", 3) == 0);
- if (result == 0)
- goto end;
-
- sm = sm->next;
- if (sm->type != DETECT_CONTENT) {
- result = 0;
- goto end;
- }
- data = (DetectContentData *)sm->ctx;
- if (data->flags & DETECT_CONTENT_RAWBYTES ||
- data->flags & DETECT_CONTENT_NOCASE ||
- data->flags & DETECT_CONTENT_WITHIN ||
- data->flags & DETECT_CONTENT_DISTANCE ||
- data->flags & DETECT_CONTENT_FAST_PATTERN ||
- data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
- data->flags & DETECT_CONTENT_NEGATED ) {
- printf("two failed\n");
- result = 0;
- goto end;
- }
- result &= (strncmp((char *)data->content, "two", 3) == 0);
- if (result == 0)
- goto end;
-
- result &= (sm->next == NULL);
-
- end:
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- return result;
-}
-
#endif /* UNITTESTS */
void DcePayloadRegisterTests(void)
UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
-
- UtRegisterTest("DcePayloadParseTest25", DcePayloadParseTest25);
- UtRegisterTest("DcePayloadParseTest26", DcePayloadParseTest26);
- UtRegisterTest("DcePayloadParseTest27", DcePayloadParseTest27);
- UtRegisterTest("DcePayloadParseTest28", DcePayloadParseTest28);
- UtRegisterTest("DcePayloadParseTest29", DcePayloadParseTest29);
- UtRegisterTest("DcePayloadParseTest30", DcePayloadParseTest30);
- UtRegisterTest("DcePayloadParseTest31", DcePayloadParseTest31);
- UtRegisterTest("DcePayloadParseTest32", DcePayloadParseTest32);
- UtRegisterTest("DcePayloadParseTest33", DcePayloadParseTest33);
- UtRegisterTest("DcePayloadParseTest34", DcePayloadParseTest34);
- UtRegisterTest("DcePayloadParseTest35", DcePayloadParseTest35);
- UtRegisterTest("DcePayloadParseTest36", DcePayloadParseTest36);
- UtRegisterTest("DcePayloadParseTest37", DcePayloadParseTest37);
- UtRegisterTest("DcePayloadParseTest38", DcePayloadParseTest38);
- UtRegisterTest("DcePayloadParseTest39", DcePayloadParseTest39);
- UtRegisterTest("DcePayloadParseTest40", DcePayloadParseTest40);
- UtRegisterTest("DcePayloadParseTest41", DcePayloadParseTest41);
-
- UtRegisterTest("DcePayloadParseTest44", DcePayloadParseTest44);
- UtRegisterTest("DcePayloadParseTest45", DcePayloadParseTest45);
- UtRegisterTest("DcePayloadParseTest46", DcePayloadParseTest46);
#endif /* UNITTESTS */
-
- return;
}
projects / thirdparty / suricata.git / commitdiff
