--- /dev/null
+/* Copyright (C) 2024 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+// Author: Jeff Lucovsky <jlucovsky@oisf.net>
+
+use crate::detect::error::RuleParseError;
+use crate::detect::parser::{parse_token, take_until_whitespace};
+use crate::detect::*;
+use std::ffi::{CStr, CString};
+use std::os::raw::c_char;
+
+use nom7::bytes::complete::tag;
+use nom7::character::complete::multispace0;
+use nom7::sequence::preceded;
+use nom7::{Err, IResult};
+use std::str;
+
+pub const DETECT_BYTE_EXTRACT_FLAG_RELATIVE: u16 = 0x01;
+pub const DETECT_BYTE_EXTRACT_FLAG_STRING: u16 = 0x02;
+pub const DETECT_BYTE_EXTRACT_FLAG_ALIGN: u16 = 0x04;
+pub const DETECT_BYTE_EXTRACT_FLAG_ENDIAN: u16 = 0x08;
+pub const DETECT_BYTE_EXTRACT_FLAG_SLICE: u16 = 0x10;
+pub const DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER: u16 = 0x20;
+pub const DETECT_BYTE_EXTRACT_FLAG_NBYTES: u16 = 0x40;
+pub const DETECT_BYTE_EXTRACT_FLAG_OFFSET: u16 = 0x80;
+pub const DETECT_BYTE_EXTRACT_FLAG_BASE: u16 = 0x100;
+
+pub const DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT: u16 = 1;
+
+const BASE_DEFAULT: ByteBase = ByteBase::BaseDec;
+
+// Fixed position parameter count: bytes, offset, variable
+const DETECT_BYTE_EXTRACT_FIXED_PARAM_COUNT: usize = 3;
+// Optional parameters: endian, relative, string, dce, slice, align, multiplier
+const DETECT_BYTE_EXTRACT_MAX_PARAM_COUNT: usize = 10;
+
+#[repr(C)]
+#[derive(Debug)]
+pub struct SCDetectByteExtractData {
+ local_id: u8,
+ nbytes: u8,
+ offset: i16,
+ name: *const c_char,
+ flags: u16,
+ endian: ByteEndian, // big, little, dce
+ base: ByteBase, // From string or dce
+ align_value: u8,
+ multiplier_value: u16,
+ id: u16,
+}
+
+impl Drop for SCDetectByteExtractData {
+ fn drop(&mut self) {
+ unsafe {
+ if !self.name.is_null() {
+ let _ = CString::from_raw(self.name as *mut c_char);
+ }
+ }
+ }
+}
+
+impl Default for SCDetectByteExtractData {
+ fn default() -> Self {
+ SCDetectByteExtractData {
+ local_id: 0,
+ nbytes: 0,
+ offset: 0,
+ name: std::ptr::null_mut(),
+ flags: 0,
+ endian: ByteEndian::BigEndian, // big, little, dce
+ base: BASE_DEFAULT, // From string or dce
+ align_value: 0,
+ multiplier_value: DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT,
+ id: 0,
+ }
+ }
+}
+
+fn parse_byteextract(input: &str) -> IResult<&str, SCDetectByteExtractData, RuleParseError<&str>> {
+ // Inner utility function for easy error creation.
+ fn make_error(reason: String) -> nom7::Err<RuleParseError<&'static str>> {
+ Err::Error(RuleParseError::InvalidByteExtract(reason))
+ }
+ let (_, values) = nom7::multi::separated_list1(
+ tag(","),
+ preceded(multispace0, nom7::bytes::complete::is_not(",")),
+ )(input)?;
+
+ if values.len() < DETECT_BYTE_EXTRACT_FIXED_PARAM_COUNT
+ || values.len() > DETECT_BYTE_EXTRACT_MAX_PARAM_COUNT
+ {
+ return Err(make_error(format!("Incorrect argument string; at least {} values must be specified but no more than {}: {:?}",
+ DETECT_BYTE_EXTRACT_FIXED_PARAM_COUNT, DETECT_BYTE_EXTRACT_MAX_PARAM_COUNT, input)));
+ }
+
+ let mut byte_extract = {
+ SCDetectByteExtractData {
+ nbytes: values[0]
+ .parse::<u8>()
+ .map_err(|_| make_error(format!("invalid nbytes value: {}", values[0])))?,
+ ..Default::default()
+ }
+ };
+
+ let value = values[1]
+ .parse::<i16>()
+ .map_err(|_| make_error(format!("invalid offset value: {}", values[1])))?;
+ byte_extract.offset = value;
+
+ let (_, value) = parse_token(values[2])?;
+ if let Ok(newval) = CString::new(value) {
+ byte_extract.name = newval.into_raw();
+ } else {
+ return Err(make_error(
+ "parse string not safely convertible to C".to_string(),
+ ));
+ }
+
+ for value in values.iter().skip(DETECT_BYTE_EXTRACT_FIXED_PARAM_COUNT) {
+ let (mut val, mut name) = take_until_whitespace(value)?;
+ val = val.trim();
+ name = name.trim();
+ match name {
+ "align" => {
+ if 0 != (byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
+ return Err(make_error("align already set".to_string()));
+ }
+ byte_extract.align_value = val
+ .parse::<u8>()
+ .map_err(|_| make_error(format!("invalid align value: {}", val)))?;
+ if !(byte_extract.align_value == 2 || byte_extract.align_value == 4) {
+ return Err(make_error(format!(
+ "invalid align value: must be 2 or 4: {}",
+ val
+ )));
+ }
+ byte_extract.flags |= DETECT_BYTE_EXTRACT_FLAG_ALIGN;
+ }
+ "slice" => {
+ if 0 != (byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_SLICE) {
+ return Err(make_error("slice already set".to_string()));
+ }
+ byte_extract.flags |= DETECT_BYTE_EXTRACT_FLAG_SLICE;
+ }
+ "dce" | "big" | "little" => {
+ if 0 != (byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
+ return Err(make_error("endianess already set".to_string()));
+ }
+ byte_extract.endian = match get_endian_value(name) {
+ Ok(val) => val,
+ Err(_) => {
+ return Err(make_error(format!("invalid endian value: {}", val)));
+ }
+ };
+ byte_extract.flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
+ }
+ "string" => {
+ if 0 != (byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
+ return Err(make_error("string already set".to_string()));
+ }
+ if 0 != (byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_BASE) {
+ return Err(make_error(
+ "base specified before string; use \"string, base\"".to_string(),
+ ));
+ }
+ byte_extract.flags |= DETECT_BYTE_EXTRACT_FLAG_STRING;
+ }
+ "oct" | "dec" | "hex" => {
+ if 0 == (byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
+ return Err(make_error("string must be set first".to_string()));
+ }
+ if 0 != (byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_BASE) {
+ return Err(make_error("base already set".to_string()));
+ }
+ byte_extract.base = match get_string_value(name) {
+ Ok(val) => val,
+ Err(_) => {
+ return Err(make_error(format!("invalid string value: {}", val)));
+ }
+ };
+ byte_extract.flags |= DETECT_BYTE_EXTRACT_FLAG_BASE;
+ }
+ "relative" => {
+ if 0 != (byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
+ return Err(make_error("relative already set".to_string()));
+ }
+ byte_extract.flags |= DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
+ }
+ "multiplier" => {
+ if 0 != (byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) {
+ return Err(make_error("multiplier already set".to_string()));
+ }
+ let mult = val
+ .parse::<u32>()
+ .map_err(|_| make_error(format!("invalid multiplier value: {}", val)))?;
+ if mult == 0 || mult > u16::MAX.into() {
+ return Err(make_error(format!(
+ "invalid multiplier value: must be between 0 and {}: {}",
+ u16::MAX,
+ val
+ )));
+ }
+ byte_extract.multiplier_value = mult as u16;
+ byte_extract.flags |= DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER;
+ }
+ _ => {
+ return Err(make_error(format!("unknown byte_extract option: {}", name)));
+ }
+ };
+ }
+
+ // string w/out base: default is set to decimal so no error
+
+ // base w/out string
+ if 0 != byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_BASE
+ && (0 == byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_STRING)
+ {
+ return Err(make_error("must specify string with base".to_string()));
+ }
+
+ if 0 != byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_STRING
+ && 0 != byte_extract.flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN
+ {
+ return Err(make_error(
+ "can't specify string and an endian value".to_string(),
+ ));
+ }
+
+ if (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_SLICE)
+ == (byte_extract.flags & (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_SLICE))
+ {
+ return Err(make_error(
+ "string and slice are mutually exclusive".to_string(),
+ ));
+ }
+
+ Ok((input, byte_extract))
+}
+
+/// Intermediary function between the C code and the parsing functions.
+#[no_mangle]
+pub unsafe extern "C" fn SCByteExtractParse(c_arg: *const c_char) -> *mut SCDetectByteExtractData {
+ if c_arg.is_null() {
+ return std::ptr::null_mut();
+ }
+
+ if let Ok(arg) = CStr::from_ptr(c_arg).to_str() {
+ match parse_byteextract(arg) {
+ Ok((_, detect)) => return Box::into_raw(Box::new(detect)),
+ Err(_) => return std::ptr::null_mut(),
+ };
+ };
+
+ return std::ptr::null_mut();
+}
+
+#[no_mangle]
+pub unsafe extern "C" fn SCByteExtractFree(ptr: *mut SCDetectByteExtractData) {
+ if !ptr.is_null() {
+ let _ = Box::from_raw(ptr);
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ // structure equality only used by test cases
+ impl PartialEq for SCDetectByteExtractData {
+ fn eq(&self, other: &Self) -> bool {
+ let mut res: bool = false;
+
+ if !self.name.is_null() && !other.name.is_null() {
+ let s_val = unsafe { CStr::from_ptr(self.name) };
+ let o_val = unsafe { CStr::from_ptr(other.name) };
+ res = s_val == o_val;
+ } else if !self.name.is_null() || !other.name.is_null() {
+ return false;
+ }
+
+ res && self.local_id == other.local_id
+ && self.nbytes == other.nbytes
+ && self.offset == other.offset
+ && self.flags == other.flags
+ && self.endian == other.endian
+ && self.base == other.base
+ && self.align_value == other.align_value
+ && self.multiplier_value == other.multiplier_value
+ && self.id == other.id
+ }
+ }
+
+ fn valid_test(
+ args: &str, nbytes: u8, offset: i16, var_name_str: &str, base: ByteBase,
+ endian: ByteEndian, align_value: u8, multiplier_value: u16, flags: u16,
+ ) {
+ let bed = SCDetectByteExtractData {
+ nbytes,
+ offset,
+ name: if !var_name_str.is_empty() {
+ CString::new(var_name_str).unwrap().into_raw()
+ } else {
+ std::ptr::null_mut()
+ },
+ base,
+ endian,
+ align_value,
+ multiplier_value,
+ flags,
+ ..Default::default()
+ };
+
+ let (_, val) = parse_byteextract(args).unwrap();
+ assert_eq!(val, bed);
+ }
+
+ #[test]
+ fn parser_valid() {
+ assert!(parse_byteextract("4, 2, one").is_ok());
+ assert!(parse_byteextract("4, 2, one, relative").is_ok());
+ assert!(parse_byteextract("4, 2, one, relative, multiplier 10").is_ok());
+ assert!(parse_byteextract("4, 2, one, big").is_ok());
+ assert!(parse_byteextract("4, 2, one, little").is_ok());
+ assert!(parse_byteextract("4, 2, one, dce").is_ok());
+ assert!(parse_byteextract("4, 2, one, string").is_ok());
+ assert!(parse_byteextract("4, 2, one, string, hex").is_ok());
+ assert!(parse_byteextract("4, 2, one, string, dec").is_ok());
+ assert!(parse_byteextract("4, 2, one, string, oct").is_ok());
+ assert!(parse_byteextract("4, 2, one, align 4").is_ok());
+ assert!(parse_byteextract("4, 2, one, align 4, relative").is_ok());
+ assert!(parse_byteextract("4, 2, one, align 2, relative").is_ok());
+ assert!(parse_byteextract("4, 2, one, align 4, relative, big").is_ok());
+ assert!(parse_byteextract("4, 2, one, align 4, relative, dce").is_ok());
+ assert!(parse_byteextract("4, 2, one, align 4, relative, little").is_ok());
+ assert!(parse_byteextract("4, 2, one, align 4, relative, little, multiplier 2").is_ok());
+ assert!(
+ parse_byteextract("4, 2, one, align 4, relative, little, multiplier 2, slice").is_ok()
+ );
+ }
+ #[test]
+ // Invalid token combinations
+ fn parser_invalid() {
+ assert!(parse_byteextract("4").is_err());
+ assert!(parse_byteextract("4, 2").is_err());
+ assert!(parse_byteextract("4, 605536").is_err());
+ assert!(parse_byteextract("4, -605536").is_err());
+ assert!(parse_byteextract("4, 65536").is_err());
+ assert!(parse_byteextract("4, -65536").is_err());
+ assert!(parse_byteextract("4, 2, one, align 4, align 4").is_err());
+ assert!(parse_byteextract("4, 2, one, relative, relative").is_err());
+ assert!(parse_byteextract("4, 2, one, hex").is_err());
+ assert!(parse_byteextract("4, 2, one, dec").is_err());
+ assert!(parse_byteextract("4, 2, one, oct").is_err());
+ assert!(parse_byteextract("4, 2, one, little, little").is_err());
+ assert!(parse_byteextract("4, 2, one, slice, slice").is_err());
+ assert!(parse_byteextract("4, 2, one, multiplier").is_err());
+ assert!(parse_byteextract("4, 2, one, multiplier 0").is_err());
+ assert!(parse_byteextract("4, 2, one, multiplier 65536").is_err());
+ assert!(parse_byteextract("4, 2, one, multiplier -1").is_err());
+ assert!(parse_byteextract("4, 2, one, multiplier 2, multiplier 2").is_err());
+ assert!(parse_byteextract(
+ "4, 2, one, align 4, relative, little, multiplier 2, string hex"
+ )
+ .is_err());
+ }
+
+ #[test]
+ fn test_parser_valid() {
+ valid_test(
+ "4, 2, one",
+ 4,
+ 2,
+ "one",
+ BASE_DEFAULT,
+ ByteEndian::BigEndian,
+ 0,
+ DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT,
+ 0,
+ );
+ valid_test(
+ "4, 2, one, relative",
+ 4,
+ 2,
+ "one",
+ BASE_DEFAULT,
+ ByteEndian::BigEndian,
+ 0,
+ DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT,
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE,
+ );
+ valid_test(
+ "4, 2, one, string",
+ 4,
+ 2,
+ "one",
+ BASE_DEFAULT,
+ ByteEndian::BigEndian,
+ 0,
+ DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT,
+ DETECT_BYTE_EXTRACT_FLAG_STRING,
+ );
+ valid_test(
+ "4, 2, one, string, hex",
+ 4,
+ 2,
+ "one",
+ ByteBase::BaseHex,
+ ByteEndian::BigEndian,
+ 0,
+ DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT,
+ DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING,
+ );
+ valid_test(
+ "4, 2, one, dce",
+ 4,
+ 2,
+ "one",
+ BASE_DEFAULT,
+ ByteEndian::EndianDCE,
+ 0,
+ DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT,
+ DETECT_BYTE_EXTRACT_FLAG_ENDIAN,
+ );
+ valid_test(
+ "4, 2, one, align 4, relative, little, multiplier 2, slice",
+ 4,
+ 2,
+ "one",
+ ByteBase::BaseDec,
+ ByteEndian::LittleEndian,
+ 4,
+ 2,
+ DETECT_BYTE_EXTRACT_FLAG_ENDIAN
+ | DETECT_BYTE_EXTRACT_FLAG_RELATIVE
+ | DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER
+ | DETECT_BYTE_EXTRACT_FLAG_ALIGN
+ | DETECT_BYTE_EXTRACT_FLAG_SLICE,
+ );
+ }
+}
-/* Copyright (C) 2007-2020 Open Information Security Foundation
+/* Copyright (C) 2007-2024 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
*/
#include "suricata-common.h"
-#include "threads.h"
#include "decode.h"
#include "detect.h"
-#include "detect-parse.h"
#include "detect-engine.h"
-#include "detect-engine-mpm.h"
-#include "detect-engine-state.h"
#include "detect-content.h"
#include "detect-pcre.h"
#include "detect-bytejump.h"
#include "detect-isdataat.h"
#include "detect-engine-build.h"
-#include "app-layer-protos.h"
+#include "rust.h"
-#include "flow.h"
-#include "flow-var.h"
-#include "flow-util.h"
+#include "app-layer-protos.h"
#include "util-byte.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
-#include "util-spm.h"
-
-/* the default value of endianness to be used, if none's specified */
-#define DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT DETECT_BYTE_EXTRACT_ENDIAN_BIG
/* the base to be used if string mode is specified. These options would be
* specified in DetectByteParseData->base */
-#define DETECT_BYTE_EXTRACT_BASE_NONE 0
-#define DETECT_BYTE_EXTRACT_BASE_HEX 16
-#define DETECT_BYTE_EXTRACT_BASE_DEC 10
-#define DETECT_BYTE_EXTRACT_BASE_OCT 8
-
-/* the default value for multiplier. Either ways we always store a
- * multiplier, 1 or otherwise, so that we can always multiply the extracted
- * value and store it, instead of checking if a multiplier is set or not */
-#define DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT 1
-/* the min/max limit for multiplier */
-#define DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT 1
-#define DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT 65535
+#define DETECT_BYTE_EXTRACT_BASE_HEX BaseHex
+#define DETECT_BYTE_EXTRACT_BASE_DEC BaseDec
+#define DETECT_BYTE_EXTRACT_BASE_OCT BaseOct
/* the max no of bytes that can be extracted in string mode - (string, hex)
* (string, oct) or (string, dec) */
/* the max no of bytes that can be extracted in non-string mode */
#define NO_STRING_MAX_BYTES_TO_EXTRACT 8
-#define PARSE_REGEX "^" \
- "\\s*([0-9]+)\\s*" \
- ",\\s*(-?[0-9]+)\\s*" \
- ",\\s*([^\\s,]+)\\s*" \
- "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
- "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
- "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
- "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
- "(?:(?:,\\s*([^\\s,]+)\\s*)|(?:,\\s*([^\\s,]+)\\s+([^\\s,]+)\\s*))?" \
- "$"
-
-static DetectParseRegex parse_regex;
-
static int DetectByteExtractSetup(DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectByteExtractRegisterTests(void);
#ifdef UNITTESTS
sigmatch_table[DETECT_BYTE_EXTRACT].RegisterTests = DetectByteExtractRegisterTests;
#endif
- DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
}
int DetectByteExtractDoMatch(DetectEngineThreadCtx *det_ctx, const SigMatchData *smd,
const Signature *s, const uint8_t *payload, uint32_t payload_len, uint64_t *value,
uint8_t endian)
{
- DetectByteExtractData *data = (DetectByteExtractData *)smd->ctx;
- const uint8_t *ptr = NULL;
- int32_t len = 0;
- uint64_t val = 0;
- int extbytes;
-
if (payload_len == 0) {
return 0;
}
/* Calculate the ptr value for the bytetest and length remaining in
* the packet from that point.
*/
+ const uint8_t *ptr;
+ int32_t len;
+ SCDetectByteExtractData *data = (SCDetectByteExtractData *)smd->ctx;
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
SCLogDebug("relative, working with det_ctx->buffer_offset %"PRIu32", "
"data->offset %"PRIu32"", det_ctx->buffer_offset, data->offset);
}
/* Extract the byte data */
+ uint64_t val = 0;
+ int extbytes;
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
extbytes = ByteExtractStringUint64(&val, data->base,
data->nbytes, (const char *)ptr);
}
}
} else {
- int endianness = (endian == DETECT_BYTE_EXTRACT_ENDIAN_BIG) ?
- BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
+ int endianness = (endian == BigEndian) ? BYTE_BIG_ENDIAN : BYTE_LITTLE_ENDIAN;
extbytes = ByteExtractUint64(&val, endianness, data->nbytes, ptr);
if (extbytes != data->nbytes) {
SCLogDebug("error extracting %d bytes of numeric data: %d",
* \param bed On success an instance containing the parsed data.
* On failure, NULL.
*/
-static inline DetectByteExtractData *DetectByteExtractParse(DetectEngineCtx *de_ctx, const char *arg)
+static inline SCDetectByteExtractData *DetectByteExtractParse(
+ DetectEngineCtx *de_ctx, const char *arg)
{
- DetectByteExtractData *bed = NULL;
- int res = 0;
- size_t pcre2len;
- int i = 0;
- pcre2_match_data *match = NULL;
-
- int ret = DetectParsePcreExec(&parse_regex, &match, arg, 0, 0);
- if (ret < 3 || ret > 19) {
- SCLogError("parse error, ret %" PRId32 ", string \"%s\"", ret, arg);
- SCLogError("Invalid arg to byte_extract : %s "
- "for byte_extract",
- arg);
+ SCDetectByteExtractData *bed = SCByteExtractParse(arg);
+ if (bed == NULL) {
+ SCLogError("invalid byte_extract values");
goto error;
}
- bed = SCCalloc(1, sizeof(DetectByteExtractData));
- if (unlikely(bed == NULL))
- goto error;
-
- /* no of bytes to extract */
- char nbytes_str[64] = "";
- pcre2len = sizeof(nbytes_str);
- res = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)nbytes_str, &pcre2len);
- if (res < 0) {
- SCLogError("pcre2_substring_copy_bynumber failed "
- "for arg 1 for byte_extract");
- goto error;
- }
- if (StringParseUint8(&bed->nbytes, 10, 0,
- (const char *)nbytes_str) < 0) {
- SCLogError("Invalid value for number of bytes"
- " to be extracted: \"%s\".",
- nbytes_str);
- goto error;
- }
-
- /* offset */
- char offset_str[64] = "";
- pcre2len = sizeof(offset_str);
- res = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)offset_str, &pcre2len);
- if (res < 0) {
- SCLogError("pcre2_substring_copy_bynumber failed "
- "for arg 2 for byte_extract");
- goto error;
- }
- int32_t offset;
- if (StringParseI32RangeCheck(&offset, 10, 0, (const char *)offset_str, -65535, 65535) < 0) {
- SCLogError("Invalid value for offset: \"%s\".", offset_str);
+ if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_SLICE) {
+ SCLogError("byte_extract slice not yet supported; see issue #6831");
goto error;
}
- bed->offset = offset;
-
- /* var name */
- char varname_str[256] = "";
- pcre2len = sizeof(varname_str);
- res = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)varname_str, &pcre2len);
- if (res < 0) {
- SCLogError("pcre2_substring_copy_bynumber failed "
- "for arg 3 for byte_extract");
- goto error;
- }
- bed->name = SCStrdup(varname_str);
- if (bed->name == NULL)
- goto error;
-
- /* check out other optional args */
- for (i = 4; i < ret; i++) {
- char opt_str[64] = "";
- pcre2len = sizeof(opt_str);
- res = SC_Pcre2SubstringCopy(match, i, (PCRE2_UCHAR8 *)opt_str, &pcre2len);
- if (res < 0) {
- SCLogError("pcre2_substring_copy_bynumber failed "
- "for arg %d for byte_extract with %d",
- i, res);
- goto error;
- }
-
- if (strcmp("relative", opt_str) == 0) {
- if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
- SCLogError("relative specified more "
- "than once for byte_extract");
- goto error;
- }
- bed->flags |= DETECT_BYTE_EXTRACT_FLAG_RELATIVE;
- } else if (strcmp("multiplier", opt_str) == 0) {
- if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) {
- SCLogError("multiplier specified more "
- "than once for byte_extract");
- goto error;
- }
- bed->flags |= DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER;
- i++;
-
- char multiplier_str[16] = "";
- pcre2len = sizeof(multiplier_str);
- res = pcre2_substring_copy_bynumber(
- match, i, (PCRE2_UCHAR8 *)multiplier_str, &pcre2len);
- if (res < 0) {
- SCLogError("pcre2_substring_copy_bynumber failed "
- "for arg %d for byte_extract",
- i);
- goto error;
- }
- uint16_t multiplier;
- if (StringParseU16RangeCheck(&multiplier, 10, 0, (const char *)multiplier_str,
- DETECT_BYTE_EXTRACT_MULTIPLIER_MIN_LIMIT,
- DETECT_BYTE_EXTRACT_MULTIPLIER_MAX_LIMIT) < 0) {
- SCLogError("Invalid value for"
- "multiplier: \"%s\".",
- multiplier_str);
- goto error;
- }
- bed->multiplier_value = multiplier;
- } else if (strcmp("big", opt_str) == 0) {
- if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
- SCLogError("endian option specified "
- "more than once for byte_extract");
- goto error;
- }
- bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
- bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_BIG;
- } else if (strcmp("little", opt_str) == 0) {
- if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
- SCLogError("endian option specified "
- "more than once for byte_extract");
- goto error;
- }
- bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
- bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_LITTLE;
- } else if (strcmp("dce", opt_str) == 0) {
- if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN) {
- SCLogError("endian option specified "
- "more than once for byte_extract");
- goto error;
- }
- bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ENDIAN;
- bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DCE;
- } else if (strcmp("string", opt_str) == 0) {
- if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
- SCLogError("string specified more "
- "than once for byte_extract");
- goto error;
- }
- if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
- SCLogError("The right way to specify "
- "base is (string, base) and not (base, string) "
- "for byte_extract");
- goto error;
- }
- bed->flags |= DETECT_BYTE_EXTRACT_FLAG_STRING;
- } else if (strcmp("hex", opt_str) == 0) {
- if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
- SCLogError("Base(hex) specified "
- "without specifying string. The right way is "
- "(string, base) and not (base, string)");
- goto error;
- }
- if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
- SCLogError("More than one base "
- "specified for byte_extract");
- goto error;
- }
- bed->base = DETECT_BYTE_EXTRACT_BASE_HEX;
- } else if (strcmp("oct", opt_str) == 0) {
- if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
- SCLogError("Base(oct) specified "
- "without specifying string. The right way is "
- "(string, base) and not (base, string)");
- goto error;
- }
- if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
- SCLogError("More than one base "
- "specified for byte_extract");
- goto error;
- }
- bed->base = DETECT_BYTE_EXTRACT_BASE_OCT;
- } else if (strcmp("dec", opt_str) == 0) {
- if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING)) {
- SCLogError("Base(dec) specified "
- "without specifying string. The right way is "
- "(string, base) and not (base, string)");
- goto error;
- }
- if (bed->base != DETECT_BYTE_EXTRACT_BASE_NONE) {
- SCLogError("More than one base "
- "specified for byte_extract");
- goto error;
- }
- bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
- } else if (strcmp("align", opt_str) == 0) {
- if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_ALIGN) {
- SCLogError("Align specified more "
- "than once for byte_extract");
- goto error;
- }
- bed->flags |= DETECT_BYTE_EXTRACT_FLAG_ALIGN;
- i++;
-
- char align_str[16] = "";
- pcre2len = sizeof(align_str);
- res = pcre2_substring_copy_bynumber(match, i, (PCRE2_UCHAR8 *)align_str, &pcre2len);
- if (res < 0) {
- SCLogError("pcre2_substring_copy_bynumber failed "
- "for arg %d in byte_extract",
- i);
- goto error;
- }
- if (StringParseUint8(&bed->align_value, 10, 0,
- (const char *)align_str) < 0) {
- SCLogError("Invalid align_value: "
- "\"%s\".",
- align_str);
- goto error;
- }
- if (!(bed->align_value == 2 || bed->align_value == 4)) {
- SCLogError("Invalid align_value for "
- "byte_extract - \"%d\"",
- bed->align_value);
- goto error;
- }
- } else if (strcmp("", opt_str) == 0) {
- ;
- } else {
- SCLogError("Invalid option - \"%s\" "
- "specified in byte_extract",
- opt_str);
- goto error;
- }
- } /* for (i = 4; i < ret; i++) */
-
- /* validation */
- if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER)) {
- /* default value */
- bed->multiplier_value = DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT;
- }
-
if (bed->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) {
- if (bed->base == DETECT_BYTE_EXTRACT_BASE_NONE) {
- /* Default to decimal if base not specified. */
- bed->base = DETECT_BYTE_EXTRACT_BASE_DEC;
- }
- if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
- SCLogError("byte_extract can't have "
- "endian \"big\" or \"little\" specified along with "
- "\"string\"");
- goto error;
- }
if (bed->base == DETECT_BYTE_EXTRACT_BASE_OCT) {
/* if are dealing with octal nos, the max no that can fit in a 8
* byte value is 01777777777777777777777 */
/* if string has not been specified and no endian option has been
* specified, then set the default endian level of BIG */
if (!(bed->flags & DETECT_BYTE_EXTRACT_FLAG_ENDIAN))
- bed->endian = DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT;
+ bed->endian = BigEndian;
}
-
- pcre2_match_data_free(match);
-
return bed;
+
error:
if (bed != NULL)
DetectByteExtractFree(de_ctx, bed);
- if (match) {
- pcre2_match_data_free(match);
- }
return NULL;
}
static int DetectByteExtractSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
SigMatch *prev_pm = NULL;
- DetectByteExtractData *data = NULL;
+ SCDetectByteExtractData *data = NULL;
int ret = -1;
data = DetectByteExtractParse(de_ctx, arg);
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE, -1);
}
- } else if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
+ } else if (data->endian == EndianDCE) {
if (data->flags & DETECT_BYTE_EXTRACT_FLAG_RELATIVE) {
prev_pm = DetectGetLastSMFromLists(s, DETECT_CONTENT, DETECT_PCRE,
DETECT_BYTETEST, DETECT_BYTEJUMP, DETECT_BYTE_EXTRACT,
sm_list = DETECT_SM_LIST_PMATCH;
}
- if (data->endian == DETECT_BYTE_EXTRACT_ENDIAN_DCE) {
+ if (data->endian == EndianDCE) {
if (DetectSignatureSetAppProto(s, ALPROTO_DCERPC) != 0)
goto error;
- if ((data->flags & DETECT_BYTE_EXTRACT_FLAG_STRING) ||
- (data->base == DETECT_BYTE_EXTRACT_BASE_DEC) ||
- (data->base == DETECT_BYTE_EXTRACT_BASE_HEX) ||
- (data->base == DETECT_BYTE_EXTRACT_BASE_OCT) ) {
+ if ((DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ==
+ (data->flags & (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING))) {
SCLogError("Invalid option. "
"A byte_jump keyword with dce holds other invalid modifiers.");
goto error;
if (prev_bed_sm == NULL)
data->local_id = 0;
else
- data->local_id = ((DetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
+ data->local_id = ((SCDetectByteExtractData *)prev_bed_sm->ctx)->local_id + 1;
if (data->local_id > de_ctx->byte_extract_max_local_id)
de_ctx->byte_extract_max_local_id = data->local_id;
}
/**
- * \brief Used to free instances of DetectByteExtractData.
+ * \brief Used to free instances of SCDetectByteExtractData.
*
- * \param ptr Instance of DetectByteExtractData to be freed.
+ * \param ptr Instance of SCDetectByteExtractData to be freed.
*/
static void DetectByteExtractFree(DetectEngineCtx *de_ctx, void *ptr)
{
- if (ptr != NULL) {
- DetectByteExtractData *bed = ptr;
- if (bed->name != NULL)
- SCFree((void *)bed->name);
- SCFree(bed);
- }
+ SCByteExtractFree(ptr);
}
/**
SigMatch *sm = s->init_data->buffers[x].head;
while (sm != NULL) {
if (sm->type == DETECT_BYTE_EXTRACT) {
- const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
+ const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
if (strcmp(bed->name, arg) == 0) {
return sm;
}
SigMatch *sm = s->init_data->smlists[list];
while (sm != NULL) {
if (sm->type == DETECT_BYTE_EXTRACT) {
- const DetectByteExtractData *bed = (const DetectByteExtractData *)sm->ctx;
+ const SCDetectByteExtractData *bed = (const SCDetectByteExtractData *)sm->ctx;
if (strcmp(bed->name, arg) == 0) {
return sm;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != 0 ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
+ bed->endian != BigEndian || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_RELATIVE || bed->endian != BigEndian ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, multiplier 10");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 0 ||
- bed->multiplier_value != 10) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER || bed->endian != BigEndian ||
+ bed->align_value != 0 || bed->multiplier_value != 10) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
+ SCDetectByteExtractData *bed =
+ DetectByteExtractParse(NULL, "4, 2, one, relative, multiplier 10");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
- DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 0 ||
- bed->multiplier_value != 10) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags !=
+ (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
+ bed->endian != BigEndian || bed->align_value != 0 || bed->multiplier_value != 10) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, big");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != BigEndian ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, little");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != LittleEndian ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, dce");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_ENDIAN || bed->endian != EndianDCE ||
+ bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, hex");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, oct");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_OCT ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_OCT || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string, dec");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_DEC ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_DEC || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 4 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != DETECT_BYTE_EXTRACT_FLAG_ALIGN || bed->endian != BigEndian ||
+ bed->align_value != 4 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
- DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 4 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed->endian != BigEndian || bed->align_value != 4 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
+ SCDetectByteExtractData *bed =
+ DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, big");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
- DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
- DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_BIG ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 4 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed->endian != BigEndian || bed->align_value != 4 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
+ SCDetectByteExtractData *bed =
+ DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, dce");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
- DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
- DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DCE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 4 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed->endian != EndianDCE || bed->align_value != 4 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
+ SCDetectByteExtractData *bed =
+ DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
- DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
- DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 4 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed->endian != LittleEndian || bed->align_value != 4 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
+ SCDetectByteExtractData *bed =
+ DetectByteExtractParse(NULL, "4, 2, one, align 4, relative, little, multiplier 2");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN |
- DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
- DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
- DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_LITTLE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 4 ||
- bed->multiplier_value != 2) {
+ if (bed->nbytes != 4 || bed->offset != 2 || strcmp(bed->name, "one") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_ALIGN | DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
+ DETECT_BYTE_EXTRACT_FLAG_ENDIAN |
+ DETECT_BYTE_EXTRACT_FLAG_MULTIPLIER) ||
+ bed->endian != LittleEndian || bed->align_value != 4 || bed->multiplier_value != 2) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
- "relative, little, "
- "multiplier 2, string hex");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
+ "relative, little, "
+ "multiplier 2, string hex");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
- "relative, little, "
- "multiplier 2, "
- "relative");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
+ "relative, little, "
+ "multiplier 2, "
+ "relative");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
- "relative, little, "
- "multiplier 2, "
- "little");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
+ "relative, little, "
+ "multiplier 2, "
+ "little");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
- "relative, "
- "multiplier 2, "
- "align 2");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
+ "relative, "
+ "multiplier 2, "
+ "align 2");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
- "multiplier 2, "
- "relative, "
- "multiplier 2");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
+ "multiplier 2, "
+ "relative, "
+ "multiplier 2");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
- "string hex, "
- "relative, "
- "string hex");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
+ "string hex, "
+ "relative, "
+ "string hex");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
- "string hex, "
- "relative, "
- "string oct");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
+ "string hex, "
+ "relative, "
+ "string oct");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
- "string hex, "
- "relative");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, align 4, "
+ "string hex, "
+ "relative");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
- "little, "
- "relative");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "9, 2, one, align 4, "
+ "little, "
+ "relative");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
- "little, "
- "relative, "
- "multiplier 65536");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
+ "little, "
+ "relative, "
+ "multiplier 65536");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
- "little, "
- "relative, "
- "multiplier 0");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, align 4, "
+ "little, "
+ "relative, "
+ "multiplier 0");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "23, 2, one, string, oct");
if (bed == NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "24, 2, one, string, oct");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "20, 2, one, string, dec");
if (bed == NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "21, 2, one, string, dec");
if (bed != NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "14, 2, one, string, hex");
if (bed == NULL)
goto end;
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "15, 2, one, string, hex");
if (bed != NULL)
goto end;
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strncmp(bed->name, "two", cd->content_len) != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
- DETECT_BYTE_EXTRACT_FLAG_STRING) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", cd->content_len) != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
DetectPcreData *pd = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
- DETECT_BYTE_EXTRACT_FLAG_STRING) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
FAIL_IF(bjd->flags != 0);
sm = sm->next;
FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
- DetectByteExtractData *bed = (DetectByteExtractData *)sm->ctx;
+ SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
FAIL_IF(bed->nbytes != 4);
FAIL_IF(bed->offset != 0);
FAIL_IF(strcmp(bed->name, "two") != 0);
- FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_STRING));
- FAIL_IF(bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE);
+ FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING));
FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
FAIL_IF(bed->align_value != 0);
FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
- DETECT_BYTE_EXTRACT_FLAG_STRING) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
- DETECT_BYTE_EXTRACT_FLAG_STRING) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags !=DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed->local_id != 0) {
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "three") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "three") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed->local_id != 1) {
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
DetectContentData *ud = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed->local_id != 0) {
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "five") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "five") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed->local_id != 1) {
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "four") != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE |
- DETECT_BYTE_EXTRACT_FLAG_STRING) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "four") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_RELATIVE | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed->local_id != 0) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed->local_id != 0) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
- DetectByteExtractData *bed2 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed2 = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
result = 0;
goto end;
}
- bed2 = (DetectByteExtractData *)sm->ctx;
+ bed2 = (SCDetectByteExtractData *)sm->ctx;
sm = sm->next;
if (sm->type != DETECT_CONTENT) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed->local_id != 0) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
- DetectByteExtractData *bed2 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed2 = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
result = 0;
goto end;
}
- bed2 = (DetectByteExtractData *)sm->ctx;
+ bed2 = (SCDetectByteExtractData *)sm->ctx;
sm = sm->next;
if (sm->type != DETECT_CONTENT) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed->local_id != 0) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
- DetectByteExtractData *bed2 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed2 = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
result = 0;
goto end;
}
- bed2 = (DetectByteExtractData *)sm->ctx;
+ bed2 = (SCDetectByteExtractData *)sm->ctx;
sm = sm->next;
if (sm->type != DETECT_CONTENT) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed->local_id != 0) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
- DetectByteExtractData *bed2 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed2 = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
result = 0;
goto end;
}
- bed2 = (DetectByteExtractData *)sm->ctx;
+ bed2 = (SCDetectByteExtractData *)sm->ctx;
sm = sm->next;
if (sm->type != DETECT_CONTENT) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
DetectBytetestData *btd = NULL;
de_ctx = DetectEngineCtxInit();
result = 0;
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 0 ||
- strcmp(bed->name, "two") != 0 ||
- bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 0 || strcmp(bed->name, "two") != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed->local_id != 0) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
DetectBytetestData *btd = NULL;
de_ctx = DetectEngineCtxInit();
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
sm = sm->next;
FAIL_IF_NULL(sm);
FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
- DetectByteExtractData *bed = (DetectByteExtractData *)sm->ctx;
+ SCDetectByteExtractData *bed = (SCDetectByteExtractData *)sm->ctx;
FAIL_IF(bed->nbytes != 4);
FAIL_IF(bed->offset != 0);
FAIL_IF(strcmp(bed->name, "two") != 0);
- FAIL_IF(bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING);
- FAIL_IF(bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE);
+ FAIL_IF(bed->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
FAIL_IF(bed->base != DETECT_BYTE_EXTRACT_BASE_HEX);
FAIL_IF(bed->align_value != 0);
FAIL_IF(bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
DetectBytejumpData *bjd = NULL;
de_ctx = DetectEngineCtxInit();
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
- DetectByteExtractData *bed2 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed2 = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
if (sm->type != DETECT_BYTE_EXTRACT) {
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
if (sm->type != DETECT_BYTE_EXTRACT) {
goto end;
}
- bed2 = (DetectByteExtractData *)sm->ctx;
+ bed2 = (SCDetectByteExtractData *)sm->ctx;
sm = sm->next;
if (sm->type != DETECT_BYTE_EXTRACT) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
- DetectByteExtractData *bed2 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed2 = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
result = 0;
goto end;
}
- bed2 = (DetectByteExtractData *)sm->ctx;
+ bed2 = (SCDetectByteExtractData *)sm->ctx;
sm = sm->next;
if (sm->type != DETECT_BYTE_EXTRACT) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
- DetectByteExtractData *bed2 = NULL;
- DetectByteExtractData *bed3 = NULL;
- DetectByteExtractData *bed4 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed2 = NULL;
+ SCDetectByteExtractData *bed3 = NULL;
+ SCDetectByteExtractData *bed4 = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
- DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
result = 0;
goto end;
}
- bed2 = (DetectByteExtractData *)sm->ctx;
+ bed2 = (SCDetectByteExtractData *)sm->ctx;
if (bed2->local_id != 1) {
result = 0;
goto end;
result = 0;
goto end;
}
- bed3 = (DetectByteExtractData *)sm->ctx;
+ bed3 = (SCDetectByteExtractData *)sm->ctx;
if (bed3->local_id != 2) {
result = 0;
goto end;
result = 0;
goto end;
}
- bed4 = (DetectByteExtractData *)sm->ctx;
+ bed4 = (SCDetectByteExtractData *)sm->ctx;
if (bed4->local_id != 3) {
result = 0;
goto end;
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
DetectBytejumpData *bjd = NULL;
DetectIsdataatData *isdd = NULL;
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
FAIL_IF_NULL(sm);
FAIL_IF(sm->type != DETECT_BYTE_EXTRACT);
- DetectByteExtractData *bed1 = (DetectByteExtractData *)sm->ctx;
+ SCDetectByteExtractData *bed1 = (SCDetectByteExtractData *)sm->ctx;
FAIL_IF(bed1->nbytes != 4);
FAIL_IF(bed1->offset != 0);
FAIL_IF(strcmp(bed1->name, "two") != 0);
- FAIL_IF(bed1->flags != DETECT_BYTE_EXTRACT_FLAG_STRING);
- FAIL_IF(bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE);
+ printf("a\n");
+ FAIL_IF(bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_BASE | DETECT_BYTE_EXTRACT_FLAG_STRING));
+ printf("b\n");
FAIL_IF(bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX);
FAIL_IF(bed1->align_value != 0);
FAIL_IF(bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT);
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
DetectIsdataatData *isdd = NULL;
de_ctx = DetectEngineCtxInit();
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
- DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "four") != 0 ||
- bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
- DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *cd = NULL;
- DetectByteExtractData *bed1 = NULL;
+ SCDetectByteExtractData *bed1 = NULL;
DetectIsdataatData *isdd = NULL;
de_ctx = DetectEngineCtxInit();
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "two") != 0 ||
- bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
- DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "two") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
result = 0;
goto end;
}
- bed1 = (DetectByteExtractData *)sm->ctx;
- if (bed1->nbytes != 4 ||
- bed1->offset != 0 ||
- strcmp(bed1->name, "four") != 0 ||
- bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING |
- DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
- bed1->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed1->align_value != 0 ||
- bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed1 = (SCDetectByteExtractData *)sm->ctx;
+ if (bed1->nbytes != 4 || bed1->offset != 0 || strcmp(bed1->name, "four") != 0 ||
+ bed1->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed1->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed1->align_value != 0 ||
+ bed1->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
if (bed1->local_id != 0) {
int result = 0;
Signature *s = NULL;
SigMatch *sm = NULL;
- DetectByteExtractData *bed = NULL;
+ SCDetectByteExtractData *bed = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
if (sm->type != DETECT_BYTE_EXTRACT) {
goto end;
}
- bed = (DetectByteExtractData *)sm->ctx;
- if (bed->nbytes != 4 ||
- bed->offset != 2 ||
- strncmp(bed->name, "two", 3) != 0 ||
- bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_HEX ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ bed = (SCDetectByteExtractData *)sm->ctx;
+ if (bed->nbytes != 4 || bed->offset != 2 || strncmp(bed->name, "two", 3) != 0 ||
+ bed->flags != (DETECT_BYTE_EXTRACT_FLAG_STRING | DETECT_BYTE_EXTRACT_FLAG_BASE |
+ DETECT_BYTE_EXTRACT_FLAG_RELATIVE) ||
+ bed->base != DETECT_BYTE_EXTRACT_BASE_HEX || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, -2, one");
if (bed == NULL)
goto end;
- if (bed->nbytes != 4 ||
- bed->offset != -2 ||
- strcmp(bed->name, "one") != 0 ||
- bed->flags != 0 ||
- bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_DEFAULT ||
- bed->base != DETECT_BYTE_EXTRACT_BASE_NONE ||
- bed->align_value != 0 ||
- bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
+ if (bed->nbytes != 4 || bed->offset != -2 || strcmp(bed->name, "one") != 0 || bed->flags != 0 ||
+ bed->endian != BigEndian || bed->align_value != 0 ||
+ bed->multiplier_value != DETECT_BYTE_EXTRACT_MULTIPLIER_DEFAULT) {
goto end;
}
{
int result = 0;
- DetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
+ SCDetectByteExtractData *bed = DetectByteExtractParse(NULL, "4, 2, one, string");
if (bed == NULL)
goto end;
if (bed->flags != DETECT_BYTE_EXTRACT_FLAG_STRING) {
goto end;
}
- if (bed->endian != DETECT_BYTE_EXTRACT_ENDIAN_NONE) {
- goto end;
- }
if (bed->base != DETECT_BYTE_EXTRACT_BASE_DEC) {
goto end;
}
projects / thirdparty / suricata.git / commitdiff
