update handling negative offsets in byte_extract. Also improve validation in byte_ext...
authorAnoop Saldanha <poonaatsoc@gmail.com>
Thu, 5 Apr 2012 19:07:16 +0000 (00:37 +0530)
committerVictor Julien <victor@inliniac.net>
Tue, 10 Apr 2012 15:57:58 +0000 (17:57 +0200)
src/detect-byte-extract.c
src/detect-engine-payload.c

index 9ccbf3f87eba4e102e8d2893141cdea1f03a2c25..0d6e71c49589532f23d49531260cb42c99f969ea 100644 (file)
@@ -77,7 +77,7 @@
 
 #define PARSE_REGEX "^"                                                  \
     "\\s*([0-9]+)\\s*"                                                   \
-    ",\\s*([0-9]+)\\s*"                                                  \
+    ",\\s*(-?[0-9]+)\\s*"                                               \
     ",\\s*([^\\s,]+)\\s*"                                                \
     "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
     "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
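Review bot: The widened offset group `(-?[0-9]+)` accepts a negative offset for every rule form, not only for rules that carry `relative`, and nothing in the visible hunks rejects the absolute case at parse time. DetectByteExtractTest63 in this commit confirms this by parsing "4, -2, one" and expecting `flags` to be 0. A negative absolute offset can never fall inside the payload, so such a rule loads silently and then never matches; rejecting it when the signature is parsed would surface the rule error to the author instead of relying on the per-packet bounds check. If accepting it is intentional, a comment above PARSE_REGEX such as `/* offset may be negative; only meaningful together with "relative" */` would record that.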
@@ -175,7 +175,7 @@ int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, SigMatch *sm,
     }
 
     /* Validate that the to-be-extracted is within the packet */
-    if (data->nbytes > len) {
+    if (ptr < payload || data->nbytes > len) {
         SCLogDebug("Data not within payload pkt=%p, ptr=%p, len=%"PRIu32", nbytes=%d",
                     payload, ptr, len, data->nbytes);
         return 0;
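Review bot: The new `ptr < payload` test runs after the offset has presumably already been added to the payload pointer earlier in DetectByteExtractDoMatch (that code is outside this hunk), so for an offset that reaches before the buffer the pointer is already out of bounds by the time it is compared. Forming a pointer before the start of an object is undefined behaviour in C, so a compiler is allowed to treat the comparison as always false, and on a 32-bit build a large enough negative offset could wrap around and pass the test. Checking the arithmetic on integers before building the pointer avoids both problems, for example `if ((int64_t)base_off + data->offset < 0) return 0;`, where `base_off` is a placeholder for the base index the function already uses. The function's body begins and ends outside this hunk, so the exact placement needs to be confirmed against the full source.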
@@ -4757,6 +4757,32 @@ static int DetectByteExtractTest62(void)
     return result;
 }
 
+int DetectByteExtractTest63(void)
+{
+    int result = 0;
+
+    DetectByteExtractData *bed = DetectByteExtractParse("4, -2, one");
+    if (bed == NULL)
+        goto end;
+
+    if (bed->nbytes != 4 ||
+        bed->offset != -2 ||
+        strcmp(bed->name, "one") != 0 ||
+        bed->flags != 0 ||
+        bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
+        bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
+        bed->align_value != 0 ||
+        bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+        goto end;
+    }
+
+    result = 1;
+ end:
+    if (bed != NULL)
+        DetectByteExtractFree(bed);
+    return result;
+}
+
 #endif /* UNITTESTS */
 
 void DetectByteExtractRegisterTests(void)
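Review bot: DetectByteExtractTest63 is defined without `static`, while the neighbouring test named in the hunk header is `static int DetectByteExtractTest62(void)`, so the new test gets external linkage and becomes a global symbol. Changing the signature to `static int DetectByteExtractTest63(void)` keeps it file-local like the others. The test also has no `\test` comment; something like `/** \test Parse a negative offset without the relative keyword. */` would state what it pins down.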
@@ -4832,6 +4858,7 @@ void DetectByteExtractRegisterTests(void)
     UtRegisterTest("DetectByteExtractTest60", DetectByteExtractTest60, 1);
     UtRegisterTest("DetectByteExtractTest61", DetectByteExtractTest61, 1);
     UtRegisterTest("DetectByteExtractTest62", DetectByteExtractTest62, 1);
+    UtRegisterTest("DetectByteExtractTest63", DetectByteExtractTest63, 1);
 #endif /* UNITTESTS */
 
     return;
index d1774c28f7cf47cfd363ed40d077d46b6a4614f1..388f4ada15d5568c0f453634af026842ba6c0555 100644 (file)
@@ -815,6 +815,70 @@ end:
     return result;
 }
 
+/*
+ * \test Test negative byte extract.
+ */
+static int PayloadTestSig25(void)
+{
+    uint8_t buf[] = {
+        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
+        0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
+        0x0E, 0x0F,
+    };
+    uint16_t buflen = sizeof(buf);
+    Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
+    int result = 0;
+
+    char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
+        "content:\"|35 07 08 09|\"; "
+        "byte_extract:1,-4,one,string,dec,relative; "
+        "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
+
+    if (UTHPacketMatchSigMpm(p, sig, MPM_AC) == 0) {
+        result = 0;
+        goto end;
+    }
+
+    result = 1;
+
+end:
+    if (p != NULL)
+        UTHFreePacket(p);
+    return result;
+}
+
+/*
+ * \test Test negative byte extract.
+ */
+static int PayloadTestSig26(void)
+{
+    uint8_t buf[] = {
+        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x35, /* the last byte is 2 */
+        0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D,
+        0x0E, 0x0F,
+    };
+    uint16_t buflen = sizeof(buf);
+    Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
+    int result = 0;
+
+    char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
+        "content:\"|35 07 08 09|\"; "
+        "byte_extract:1,-3000,one,string,dec,relative; "
+        "content:\"|0C 0D 0E 0F|\"; distance:one; sid:1;)";
+
+    if (UTHPacketMatchSigMpm(p, sig, MPM_AC) != 0) {
+        result = 0;
+        goto end;
+    }
+
+    result = 1;
+
+end:
+    if (p != NULL)
+        UTHFreePacket(p);
+    return result;
+}
+
 #endif /* UNITTESTS */
 
 void PayloadRegisterTests(void) {
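Review bot: PayloadTestSig26 only exercises an offset far outside the buffer (`-3000`), so the boundary of the new lower-bound check in byte_extract is not covered. A pair of cases around the first payload byte, one whose offset lands exactly on `buf[0]` and one that lands one byte before it, is what would catch an off-by-one in that check. Both tests carry the same `\test Test negative byte extract.` header; the second should say that an out-of-range negative offset must not match. The buffer comment `/* the last byte is 2 */` does not fit the data, since that byte is 0x35 (ASCII '5'), and `p` is handed to UTHPacketMatchSigMpm without a NULL check although the cleanup path anticipates `p == NULL`.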
@@ -844,6 +908,8 @@ void PayloadRegisterTests(void) {
     UtRegisterTest("PayloadTestSig22", PayloadTestSig22, 1);
     UtRegisterTest("PayloadTestSig23", PayloadTestSig23, 1);
     UtRegisterTest("PayloadTestSig24", PayloadTestSig24, 1);
+    UtRegisterTest("PayloadTestSig25", PayloadTestSig25, 1);
+    UtRegisterTest("PayloadTestSig26", PayloadTestSig26, 1);
 #endif /* UNITTESTS */
 
     return;