val += 4 - (val % 4);
}
}
- val += extbytes + data->post_offset;
+ val += data->post_offset;
/* Calculate the jump location */
if (flags & DETECT_BYTEJUMP_BEGIN) {
//printf("NEWVAL: payload %p + %ld = %p\n", p->payload, val, jumpptr);
}
else {
+ val += extbytes;
jumpptr = ptr + val;
//printf("NEWVAL: ptr %p + %ld = %p\n", ptr, val, jumpptr);
}
val += 4 - (val % 4);
}
}
- val += extbytes + data->post_offset;
+ val += data->post_offset;
/* Calculate the jump location */
if (data->flags & DETECT_BYTEJUMP_BEGIN) {
//printf("NEWVAL: payload %p + %ld = %p\n", p->payload, val, jumpptr);
}
else {
+ val += extbytes;
jumpptr = ptr + val;
//printf("NEWVAL: ptr %p + %ld = %p\n", ptr, val, jumpptr);
}
return result;
}
+/**
+ * \test check matches of with from_beginning (bug 626/627)
+ */
+int DetectByteJumpTestPacket04 (void) {
+ int result = 0;
+ uint8_t *buf = (uint8_t *)"XYZ04abcdABCD";
+ uint16_t buflen = strlen((char *)buf);
+ Packet *p;
+ p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
+
+ if (p == NULL)
+ goto end;
+
+ char sig[] = "alert tcp any any -> any any (content:\"XYZ\"; byte_jump:2,0,relative,string,dec; content:\"ABCD\"; distance:0; within:4; sid:1; rev:1;)";
+
+ result = UTHPacketMatchSig(p, sig);
+
+ UTHFreePacket(p);
+end:
+ return result;
+}
+
+/**
+ * \test check matches of with from_beginning (bug 626/627)
+ */
+int DetectByteJumpTestPacket05 (void) {
+ int result = 0;
+ uint8_t *buf = (uint8_t *)"XYZ04abcdABCD";
+ uint16_t buflen = strlen((char *)buf);
+ Packet *p;
+ p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
+
+ if (p == NULL)
+ goto end;
+
+ char sig[] = "alert tcp any any -> any any (content:\"XYZ\"; byte_jump:2,0,relative,string,dec; content:\"cdABCD\"; within:6; sid:1; rev:1;)";
+
+ result = UTHPacketMatchSig(p, sig) ? 0 : 1;
+
+ UTHFreePacket(p);
+end:
+ return result;
+}
+
+/**
+ * \test check matches of with from_beginning (bug 626/627)
+ */
+int DetectByteJumpTestPacket06 (void) {
+ int result = 0;
+ uint8_t *buf = (uint8_t *)"XX04abcdABCD";
+ uint16_t buflen = strlen((char *)buf);
+ Packet *p;
+ p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
+
+ if (p == NULL)
+ goto end;
+
+ char sig[] = "alert tcp any any -> any any (content:\"XX\"; byte_jump:2,0,relative,string,dec,from_beginning; content:\"ABCD\"; distance:4; within:4; sid:1; rev:1;)";
+
+ result = UTHPacketMatchSig(p, sig);
+
+ UTHFreePacket(p);
+end:
+ return result;
+}
+
+/**
+ * \test check matches of with from_beginning (bug 626/627)
+ */
+int DetectByteJumpTestPacket07 (void) {
+ int result = 0;
+ uint8_t *buf = (uint8_t *)"XX04abcdABCD";
+ uint16_t buflen = strlen((char *)buf);
+ Packet *p;
+ p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
+
+ if (p == NULL)
+ goto end;
+
+ char sig[] = "alert tcp any any -> any any (content:\"XX\"; byte_jump:2,0,relative,string,dec,from_beginning; content:\"abcdABCD\"; distance:0; within:8; sid:1; rev:1;)";
+
+ result = UTHPacketMatchSig(p, sig) ? 1 : 0;
+
+ UTHFreePacket(p);
+end:
+ return result;
+}
+
#endif /* UNITTESTS */
UtRegisterTest("DetectByteJumpTestPacket01", DetectByteJumpTestPacket01, 1);
UtRegisterTest("DetectByteJumpTestPacket02", DetectByteJumpTestPacket02, 1);
UtRegisterTest("DetectByteJumpTestPacket03", DetectByteJumpTestPacket03, 1);
+ UtRegisterTest("DetectByteJumpTestPacket04", DetectByteJumpTestPacket04, 1);
+ UtRegisterTest("DetectByteJumpTestPacket05", DetectByteJumpTestPacket05, 1);
+ UtRegisterTest("DetectByteJumpTestPacket06", DetectByteJumpTestPacket06, 1);
+ UtRegisterTest("DetectByteJumpTestPacket07", DetectByteJumpTestPacket07, 1);
#endif /* UNITTESTS */
}
projects / thirdparty / suricata.git / commitdiff
