else
f = 1;
- SCLogDebug("f %d", f);
- SCLogDebug("IP_GET_IPPROTO(p) %u", IP_GET_IPPROTO(p));
-
- /* find the right mpm instance */
- DetectAddress *ag = DetectAddressLookupInHead(de_ctx->flow_gh[f].src_gh[IP_GET_IPPROTO(p)], &p->src);
- if (ag != NULL) {
- /* source group found, lets try a dst group */
- ag = DetectAddressLookupInHead(ag->dst_gh, &p->dst);
- if (ag != NULL) {
- if (ag->port == NULL) {
- SCLogDebug("we don't have ports");
- sgh = ag->sh;
- } else {
- SCLogDebug("we have ports");
-
- DetectPort *sport = DetectPortLookupGroup(ag->port,p->sp);
- if (sport != NULL) {
- DetectPort *dport = DetectPortLookupGroup(sport->dst_ph,p->dp);
- if (dport != NULL) {
- sgh = dport->sh;
- } else {
- SCLogDebug("no dst port group found for the packet with dp %"PRIu16"", p->dp);
- }
- } else {
- SCLogDebug("no src port group found for the packet with sp %"PRIu16"", p->sp);
- }
- }
- } else {
- SCLogDebug("no dst address group found for the packet");
- }
+ int proto = IP_GET_IPPROTO(p);
+ if (proto == IPPROTO_TCP) {
+ DetectPort *list = de_ctx->flow_gh[f].tcp;
+ uint16_t port = f ? p->dp : p->sp;
+ DetectPort *sghport = DetectPortLookupGroup(list, port);
+ if (sghport != NULL)
+ sgh = sghport->sh;
+ } else if (proto == IPPROTO_UDP) {
+ DetectPort *list = de_ctx->flow_gh[f].udp;
+ uint16_t port = f ? p->dp : p->sp;
+ DetectPort *sghport = DetectPortLookupGroup(list, port);
+ if (sghport != NULL)
+ sgh = sghport->sh;
} else {
- SCLogDebug("no src address group found for the packet");
+ sgh = de_ctx->flow_gh[f].sgh[proto];
}
SCReturnPtr(sgh, "SigGroupHead");
}
}
+static DetectPort *RulesGroupByPorts(DetectEngineCtx *de_ctx, int ipproto, uint32_t direction) {
+ /* step 1: create a list of 'DetectPort' objects based on all the
+ * rules. Each object will have a SGH with the sigs added
+ * that belong to the SGH. */
+
+ uint32_t max_idx = 0;
+ const Signature *s = de_ctx->sig_list;
+ DetectPort *list = NULL;
+ while (s) {
+ /* IP Only rules are handled separately */
+ if (s->flags & SIG_FLAG_IPONLY)
+ goto next;
+ if (!(s->proto.proto[ipproto / 8] & (1<<(ipproto % 8)) || (s->proto.flags & DETECT_PROTO_ANY)))
+ goto next;
+ if (!(s->flags & direction))
+ goto next;
+
+ DetectPort *p = NULL;
+ if (direction == SIG_FLAG_TOSERVER)
+ p = s->dp;
+ else if (direction == SIG_FLAG_TOCLIENT)
+ p = s->sp;
+ else
+ BUG_ON(1);
+
+ while (p) {
+ DetectPort *tmp = DetectPortCopySingle(de_ctx, p);
+ BUG_ON(tmp == NULL);
+ SigGroupHeadAppendSig(de_ctx, &tmp->sh, s);
+
+ int r = DetectPortInsert(de_ctx, &list , tmp);
+ BUG_ON(r == -1);
+
+ p = p->next;
+ }
+ max_idx = s->num;
+ next:
+ s = s->next;
+ }
+
+ /* step 2: deduplicate the SGH's */
+ SigGroupHeadHashFree(de_ctx);
+ SigGroupHeadHashInit(de_ctx);
+
+ uint32_t cnt = 0;
+ uint32_t own = 0;
+ uint32_t ref = 0;
+ DetectPort *iter;
+ for (iter = list ; iter != NULL; iter = iter->next) {
+ BUG_ON (iter->sh == NULL);
+ cnt++;
+
+ SigGroupHead *lookup_sgh = SigGroupHeadHashLookup(de_ctx, iter->sh);
+ if (lookup_sgh == NULL) {
+ SCLogDebug("port group %p sgh %p is the original", iter, iter->sh);
+
+ SigGroupHeadSetSigCnt(iter->sh, max_idx);
+ SigGroupHeadBuildMatchArray(de_ctx, iter->sh, max_idx);
+
+ /* init the pattern matcher, this will respect the copy
+ * setting */
+ BUG_ON(PatternMatchPrepareGroup(de_ctx, iter->sh) != 0);
+ SigGroupHeadHashAdd(de_ctx, iter->sh);
+ SigGroupHeadStore(de_ctx, iter->sh);
+ de_ctx->gh_unique++;
+ own++;
+ } else {
+ SCLogDebug("port group %p sgh %p is a copy", iter, iter->sh);
+
+ SigGroupHeadFree(iter->sh);
+ iter->sh = lookup_sgh;
+ iter->flags |= PORT_SIGGROUPHEAD_COPY;
+ iter->sh->flags |= SIG_GROUP_HEAD_REFERENCED;
+
+ de_ctx->gh_reuse++;
+ ref++;
+ }
+ }
+#if 0
+ for (iter = list ; iter != NULL; iter = iter->next) {
+ SCLogInfo("PORT %u-%u %p (sgh=%s)", iter->port, iter->port2, iter->sh, iter->flags & PORT_SIGGROUPHEAD_COPY ? "ref" : "own");
+ }
+#endif
+ SCLogInfo("%u port groups, %u unique SGH's, %u copies", cnt, own, ref);
+ return list;
+}
+
/**
* \brief Preprocess signature, classify ip-only, etc, build sig array
*
return -1;
}
-static int DetectEngineLookupBuildSourceAddressList(DetectEngineCtx *de_ctx,
- DetectEngineLookupFlow *flow_gh,
- Signature *s, int family)
-{
- DetectAddress *gr = NULL, *lookup_gr = NULL, *head = NULL;
- int proto;
-
- if (family == AF_INET) {
- head = s->src.ipv4_head;
- } else if (family == AF_INET6) {
- head = s->src.ipv6_head;
- } else {
- head = s->src.any_head;
- }
-
- /* for each source address group in the signature... */
- for (gr = head; gr != NULL; gr = gr->next) {
- BUG_ON(gr->ip.family == 0 && !(gr->flags & ADDRESS_FLAG_ANY));
-
- /* ...and each protocol the signature matches on... */
- for (proto = 0; proto < 256; proto++) {
- if ((s->proto.proto[(proto/8)] & (1<<(proto%8))) || (s->proto.flags & DETECT_PROTO_ANY)) {
- /* ...see if the group is in the tmp list, and if not add it. */
- if (family == AF_INET) {
- lookup_gr = DetectAddressLookupInList(flow_gh->tmp_gh[proto]->ipv4_head,gr);
- } else if (family == AF_INET6) {
- lookup_gr = DetectAddressLookupInList(flow_gh->tmp_gh[proto]->ipv6_head,gr);
- } else {
- lookup_gr = DetectAddressLookupInList(flow_gh->tmp_gh[proto]->any_head,gr);
- }
-
- if (lookup_gr == NULL) {
- DetectAddress *grtmp = DetectAddressCopy(gr);
- if (grtmp == NULL) {
- goto error;
- }
- SigGroupHeadAppendSig(de_ctx, &grtmp->sh, s);
-
- /* add to the lookup list */
- if (family == AF_INET) {
- DetectAddressAdd(&flow_gh->tmp_gh[proto]->ipv4_head, grtmp);
- } else if (family == AF_INET6) {
- DetectAddressAdd(&flow_gh->tmp_gh[proto]->ipv6_head, grtmp);
- } else {
- DetectAddressAdd(&flow_gh->tmp_gh[proto]->any_head, grtmp);
- }
- } else {
- /* our group will only have one sig, this one. So add that. */
- SigGroupHeadAppendSig(de_ctx, &lookup_gr->sh, s);
- lookup_gr->cnt++;
- }
- }
- }
- }
-
- return 0;
-error:
- return -1;
-}
-
/**
* \brief add signature to the right flow group(s)
*/
-static int DetectEngineLookupFlowAddSig(DetectEngineCtx *de_ctx, Signature *s, int family)
+static int DetectEngineLookupFlowAddSig(DetectEngineCtx *de_ctx, Signature *s)
{
SCLogDebug("s->id %u", s->id);
- if (s->flags & SIG_FLAG_TOCLIENT) {
- SCLogDebug("s->id %u (toclient)", s->id);
- DetectEngineLookupBuildSourceAddressList(de_ctx,
- &de_ctx->flow_gh[0], s, family);
+ uint32_t cnt_ts = 0;
+ uint32_t cnt_tc = 0;
+
+ int p;
+ for (p = 0; p < 256; p++) {
+ if (p == IPPROTO_TCP || p == IPPROTO_UDP)
+ continue;
+
+ if (s->proto.proto[p / 8] & (1<<(p % 8)) || (s->proto.flags & DETECT_PROTO_ANY)) {
+ if (s->flags & SIG_FLAG_TOCLIENT) {
+ SigGroupHeadAppendSig(de_ctx, &de_ctx->flow_gh[0].sgh[p], s);
+ cnt_tc++;
+ }
+ if (s->flags & SIG_FLAG_TOSERVER) {
+ SigGroupHeadAppendSig(de_ctx, &de_ctx->flow_gh[1].sgh[p], s);
+ cnt_ts++;
+ }
+ }
}
- if (s->flags & SIG_FLAG_TOSERVER) {
- SCLogDebug("s->id %u (toserver)", s->id);
- DetectEngineLookupBuildSourceAddressList(de_ctx,
- &de_ctx->flow_gh[1], s, family);
+ /* see which rules use many protos. > 2 as alert icmp actually is also icmpv6. */
+ if (cnt_ts > 2 || cnt_tc > 2) {
+ SCLogDebug("Rule %u added to multiple proto groups (%u ts/%u tc)", s->id, cnt_ts, cnt_tc);
}
return 0;
IPOnlyInit(de_ctx, &de_ctx->io_ctx);
- int f, proto;
- for (f = 0; f < FLOW_STATES; f++) {
- for (proto = 0; proto < 256; proto++) {
- de_ctx->flow_gh[f].src_gh[proto] = DetectAddressHeadInit();
- if (de_ctx->flow_gh[f].src_gh[proto] == NULL) {
- goto error;
- }
- de_ctx->flow_gh[f].tmp_gh[proto] = DetectAddressHeadInit();
- if (de_ctx->flow_gh[f].tmp_gh[proto] == NULL) {
- goto error;
- }
- }
- }
+ de_ctx->flow_gh[1].tcp = RulesGroupByPorts(de_ctx, IPPROTO_TCP, SIG_FLAG_TOSERVER);
+ de_ctx->flow_gh[0].tcp = RulesGroupByPorts(de_ctx, IPPROTO_TCP, SIG_FLAG_TOCLIENT);
+ de_ctx->flow_gh[1].udp = RulesGroupByPorts(de_ctx, IPPROTO_UDP, SIG_FLAG_TOSERVER);
+ de_ctx->flow_gh[0].udp = RulesGroupByPorts(de_ctx, IPPROTO_UDP, SIG_FLAG_TOCLIENT);
/* now for every rule add the source group to our temp lists */
for (tmp_s = de_ctx->sig_list; tmp_s != NULL; tmp_s = tmp_s->next) {
if (tmp_s->flags & SIG_FLAG_IPONLY) {
IPOnlyAddSignature(de_ctx, &de_ctx->io_ctx, tmp_s);
} else {
- DetectEngineLookupFlowAddSig(de_ctx, tmp_s, AF_INET);
- DetectEngineLookupFlowAddSig(de_ctx, tmp_s, AF_INET6);
- DetectEngineLookupFlowAddSig(de_ctx, tmp_s, AF_UNSPEC);
+ /* handle non-tcp/non-udp rules */
+ DetectEngineLookupFlowAddSig(de_ctx, tmp_s);
}
if (tmp_s->init_flags & SIG_FLAG_INIT_DEONLY) {
sigs++;
}
- /* create the final src addr list based on the tmplist. */
- for (f = 0; f < FLOW_STATES; f++) {
- for (proto = 0; proto < 256; proto++) {
- int groups = (f ? de_ctx->max_uniq_toserver_src_groups : de_ctx->max_uniq_toclient_src_groups);
-
- CreateGroupedAddrList(de_ctx,
- de_ctx->flow_gh[f].tmp_gh[proto]->ipv4_head, AF_INET,
- de_ctx->flow_gh[f].src_gh[proto], groups,
- CreateGroupedAddrListCmpMpmMinlen, DetectEngineGetMaxSigId(de_ctx));
-
- CreateGroupedAddrList(de_ctx,
- de_ctx->flow_gh[f].tmp_gh[proto]->ipv6_head, AF_INET6,
- de_ctx->flow_gh[f].src_gh[proto], groups,
- CreateGroupedAddrListCmpMpmMinlen, DetectEngineGetMaxSigId(de_ctx));
- CreateGroupedAddrList(de_ctx,
- de_ctx->flow_gh[f].tmp_gh[proto]->any_head, AF_UNSPEC,
- de_ctx->flow_gh[f].src_gh[proto], groups,
- CreateGroupedAddrListCmpMpmMinlen, DetectEngineGetMaxSigId(de_ctx));
-
- DetectAddressHeadFree(de_ctx->flow_gh[f].tmp_gh[proto]);
- de_ctx->flow_gh[f].tmp_gh[proto] = NULL;
- }
- }
- //DetectAddressPrintMemory();
- //DetectSigGroupPrintMemory();
-
- //printf("g_src_gh strt\n");
- //DetectAddressPrintList(g_src_gh->ipv4_head);
- //printf("g_src_gh end\n");
-
IPOnlyPrepare(de_ctx);
IPOnlyPrint(de_ctx, &de_ctx->io_ctx);
-#ifdef DEBUG
- DetectAddress *gr = NULL;
- if (!(de_ctx->flags & DE_QUIET)) {
- SCLogDebug("%" PRIu32 " total signatures:", sigs);
- }
-
- /* TCP */
- uint32_t cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->any_head; gr != NULL; gr = gr->next) {
- cnt_any++;
- }
- }
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->ipv4_head; gr != NULL; gr = gr->next) {
- cnt_ipv4++;
- }
- }
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_TCP]->ipv6_head; gr != NULL; gr = gr->next) {
- cnt_ipv6++;
- }
- }
- if (!(de_ctx->flags & DE_QUIET)) {
- SCLogDebug("TCP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
- }
-
- cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
- /* UDP */
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->any_head; gr != NULL; gr = gr->next) {
- cnt_any++;
- }
- }
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->ipv4_head; gr != NULL; gr = gr->next) {
- cnt_ipv4++;
- }
- }
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_UDP]->ipv6_head; gr != NULL; gr = gr->next) {
- cnt_ipv6++;
- }
- }
- if (!(de_ctx->flags & DE_QUIET)) {
- SCLogDebug("UDP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
- }
-
- cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
- /* SCTP */
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->any_head; gr != NULL; gr = gr->next) {
- cnt_any++;
- }
- }
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->ipv4_head; gr != NULL; gr = gr->next) {
- cnt_ipv4++;
- }
- }
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP]->ipv6_head; gr != NULL; gr = gr->next) {
- cnt_ipv6++;
- }
- }
- if (!(de_ctx->flags & DE_QUIET)) {
- SCLogDebug("SCTP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
- }
-
- /* ICMP */
- cnt_any = 0, cnt_ipv4 = 0, cnt_ipv6 = 0;
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[1]->any_head; gr != NULL; gr = gr->next) {
- cnt_any++;
- }
- }
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[1]->ipv4_head; gr != NULL; gr = gr->next) {
- cnt_ipv4++;
- }
- }
- for (f = 0; f < FLOW_STATES; f++) {
- for (gr = de_ctx->flow_gh[f].src_gh[1]->ipv6_head; gr != NULL; gr = gr->next) {
- cnt_ipv6++;
- }
- }
- if (!(de_ctx->flags & DE_QUIET)) {
- SCLogDebug("ICMP Source address blocks: any: %4u, ipv4: %4u, ipv6: %4u.", cnt_any, cnt_ipv4, cnt_ipv6);
- }
-#endif /* DEBUG */
- if (!(de_ctx->flags & DE_QUIET)) {
- SCLogInfo("building signature grouping structure, stage 2: building source address list... complete");
- }
return 0;
-error:
- printf("SigAddressPrepareStage2 error\n");
- return -1;
}
/**
int SigAddressPrepareStage3(DetectEngineCtx *de_ctx)
{
- int r;
-
- if (!(de_ctx->flags & DE_QUIET)) {
- SCLogDebug("building signature grouping structure, stage 3: "
- "building destination address lists...");
- }
- //DetectAddressPrintMemory();
- //DetectSigGroupPrintMemory();
- //DetectPortPrintMemory();
-
- int f = 0;
- int proto;
- for (f = 0; f < FLOW_STATES; f++) {
- r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_INET,f,IPPROTO_TCP);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
- goto error;
- }
- r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_INET,f,IPPROTO_UDP);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
- goto error;
- }
- r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_INET,f,IPPROTO_SCTP);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n");
- goto error;
- }
- r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_INET6,f,IPPROTO_TCP);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
- goto error;
- }
- r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_INET6,f,IPPROTO_UDP);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
- goto error;
- }
- r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_INET6,f,IPPROTO_SCTP);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n");
- goto error;
- }
- r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_TCP],AF_UNSPEC,f,IPPROTO_TCP);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[6],AF_INET) failed\n");
- goto error;
- }
- r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_UDP],AF_UNSPEC,f,IPPROTO_UDP);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[17],AF_INET) failed\n");
- goto error;
- }
- r = BuildDestinationAddressHeadsWithBothPorts(de_ctx, de_ctx->flow_gh[f].src_gh[IPPROTO_SCTP],AF_UNSPEC,f,IPPROTO_SCTP);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[IPPROTO_SCTP],AF_INET) failed\n");
- goto error;
- }
- for (proto = 0; proto < 256; proto++) {
- if (proto == IPPROTO_TCP || proto == IPPROTO_UDP || proto == IPPROTO_SCTP)
- continue;
-
- r = BuildDestinationAddressHeads(de_ctx, de_ctx->flow_gh[f].src_gh[proto],AF_INET,f,proto);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[%" PRId32 "],AF_INET) failed\n", proto);
- goto error;
- }
- r = BuildDestinationAddressHeads(de_ctx, de_ctx->flow_gh[f].src_gh[proto],AF_INET6,f,proto);
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[%" PRId32 "],AF_INET6) failed\n", proto);
- goto error;
- }
- r = BuildDestinationAddressHeads(de_ctx, de_ctx->flow_gh[f].src_gh[proto],AF_UNSPEC,f,proto); /* for any */
- if (r < 0) {
- printf ("BuildDestinationAddressHeads(src_gh[%" PRId32 "],AF_UNSPEC) failed\n", proto);
- goto error;
- }
- }
- }
-
/* prepare the decoder event sgh */
DetectEngineBuildDecoderEventSgh(de_ctx);
-
- if (!(de_ctx->flags & DE_QUIET)) {
- SCLogDebug("max sig id %" PRIu32 ", array size %" PRIu32 "", DetectEngineGetMaxSigId(de_ctx), DetectEngineGetMaxSigId(de_ctx) / 8 + 1);
- SCLogDebug("signature group heads: unique %" PRIu32 ", copies %" PRIu32 ".", de_ctx->gh_unique, de_ctx->gh_reuse);
- SCLogDebug("port maxgroups: %" PRIu32 ", avg %" PRIu32 ", tot %" PRIu32 "", g_groupportlist_maxgroups, g_groupportlist_groupscnt ? g_groupportlist_totgroups/g_groupportlist_groupscnt : 0, g_groupportlist_totgroups);
-
- SCLogInfo("building signature grouping structure, stage 3: building destination address lists... complete");
- }
return 0;
-error:
- printf("SigAddressPrepareStage3 error\n");
- return -1;
}
int SigAddressCleanupStage1(DetectEngineCtx *de_ctx)
if (!(de_ctx->flags & DE_QUIET)) {
SCLogDebug("cleaning up signature grouping structure...");
}
-
- int f, proto;
- for (f = 0; f < FLOW_STATES; f++) {
- for (proto = 0; proto < 256; proto++) {
- /* XXX fix this */
- DetectAddressHeadFree(de_ctx->flow_gh[f].src_gh[proto]);
- de_ctx->flow_gh[f].src_gh[proto] = NULL;
- }
- }
-
if (de_ctx->decoder_event_sgh)
SigGroupHeadFree(de_ctx->decoder_event_sgh);
de_ctx->decoder_event_sgh = NULL;
uint32_t idx = 0;
+ for (idx = 0; idx < 256; idx++) {
+ int f = 0;
+ for (f = 0; f <= 1; f++) {
+ SigGroupHead *sgh = de_ctx->flow_gh[f].sgh[idx];
+ if (sgh == NULL) {
+ //SCLogInfo("skipped %u/%d", idx, f);
+ continue;
+ }
+
+ uint32_t max_idx = DetectEngineGetMaxSigId(de_ctx);
+ SigGroupHeadSetSigCnt(sgh, max_idx);
+ SigGroupHeadSetProtoAndDirection(sgh, idx,
+ ((f == 1) ? SIG_FLAG_TOSERVER : SIG_FLAG_TOCLIENT));
+ SigGroupHeadBuildMatchArray(de_ctx, sgh, max_idx);
+ SigGroupHeadSetFilemagicFlag(de_ctx, sgh);
+ SigGroupHeadSetFileMd5Flag(de_ctx, sgh);
+ SigGroupHeadSetFilesizeFlag(de_ctx, sgh);
+ SigGroupHeadSetFilestoreCount(de_ctx, sgh);
+ SCLogDebug("filestore count %u", sgh->filestore_cnt);
+
+ PatternMatchPrepareGroup(de_ctx, sgh);
+ SigGroupHeadBuildNonMpmArray(de_ctx, sgh);
+ }
+ }
+
+
for (idx = 0; idx < de_ctx->sgh_array_cnt; idx++) {
SigGroupHead *sgh = de_ctx->sgh_array[idx];
if (sgh == NULL)
SCReturnInt(0);
}
-/* shortcut for debugging. If enabled Stage5 will
- * print sigid's for all groups */
-#define PRINTSIGS
-
-/* just printing */
-int SigAddressPrepareStage5(DetectEngineCtx *de_ctx)
+static int SigMatchListLen(SigMatch *sm)
{
- DetectAddressHead *global_dst_gh = NULL;
- DetectAddress *global_src_gr = NULL, *global_dst_gr = NULL;
- uint32_t u;
+ int len = 0;
+ for (; sm != NULL; sm = sm->next)
+ len++;
- printf("* Building signature grouping structure, stage 5: print...\n");
+ return len;
+}
- int f, proto;
- printf("\n");
- for (f = 0; f < FLOW_STATES; f++) {
- printf("\n");
- for (proto = 0; proto < 256; proto++) {
- if (proto != IPPROTO_TCP)
- continue;
+static int SigMatchPrepare(DetectEngineCtx *de_ctx)
+{
+ SCEnter();
- for (global_src_gr = de_ctx->flow_gh[f].src_gh[proto]->ipv4_head; global_src_gr != NULL;
- global_src_gr = global_src_gr->next)
- {
- printf("1 Src Addr: "); DetectAddressPrint(global_src_gr);
- printf(" (sh %p)\n", global_src_gr->sh);
- //printf("\n");
-
-#ifdef PRINTSIGS
- SigGroupHeadPrintSigs(de_ctx, global_src_gr->sh);
- if (global_src_gr->sh != NULL) {
- printf(" - ");
- for (u = 0; u < global_src_gr->sh->sig_cnt; u++) {
- Signature *s = global_src_gr->sh->match_array[u];
- printf("%" PRIu32 " ", s->id);
- }
- printf("\n");
+ Signature *s = de_ctx->sig_list;
+ for (; s != NULL; s = s->next) {
+ int type;
+ for (type = 0; type < DETECT_SM_LIST_MAX; type++) {
+ SigMatch *sm = s->sm_lists[type];
+ int len = SigMatchListLen(sm);
+ if (len == 0)
+ s->sm_arrays[type] = NULL;
+ else {
+ SigMatchData *smd = (SigMatchData*)SCMalloc(len * sizeof(SigMatchData));
+ if (smd == NULL) {
+ SCLogError(SC_ERR_DETECT_PREPARE, "initializing the detection engine failed");
+ exit(EXIT_FAILURE);
}
-#endif
-
- global_dst_gh = global_src_gr->dst_gh;
- if (global_dst_gh == NULL)
- continue;
+ /* Copy sm type and Context into array */
+ s->sm_arrays[type] = smd;
+ for (; sm != NULL; sm = sm->next, smd++) {
+ smd->type = sm->type;
+ smd->ctx = sm->ctx;
+ smd->is_last = (sm->next == NULL);
+ }
+ }
+ }
+ }
- for (global_dst_gr = global_dst_gh->ipv4_head;
- global_dst_gr != NULL;
- global_dst_gr = global_dst_gr->next)
- {
- printf(" 2 Dst Addr: "); DetectAddressPrint(global_dst_gr);
+ SCReturnInt(0);
+}
- //printf(" (sh %p) ", global_dst_gr->sh);
- if (global_dst_gr->sh) {
- if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
- printf(" (COPY): ");
- } else {
- printf(" (ORIGINAL): ");
- }
- } else {
- printf(" ");
- }
-
-#ifdef PRINTSIGS
- if (global_dst_gr->sh != NULL) {
- printf(" - ");
- for (u = 0; u < global_dst_gr->sh->sig_cnt; u++) {
- Signature *s = global_dst_gr->sh->match_array[u];
- printf("%" PRIu32 " ", s->id);
- }
- printf("\n");
- }
-#endif
-
-
- DetectPort *sp = global_dst_gr->port;
- for ( ; sp != NULL; sp = sp->next) {
- printf(" 3 Src port(range): "); DetectPortPrint(sp);
- //printf(" (sh %p)", sp->sh);
- printf("\n");
- DetectPort *dp = sp->dst_ph;
- for ( ; dp != NULL; dp = dp->next) {
- printf(" 4 Dst port(range): "); DetectPortPrint(dp);
- printf(" (sigs %" PRIu32 ", sgh %p, minlen %" PRIu32 ")", dp->sh->sig_cnt, dp->sh, dp->sh->mpm_content_minlen);
-#ifdef PRINTSIGS
- printf(" - ");
- for (u = 0; u < dp->sh->sig_cnt; u++) {
- Signature *s = dp->sh->match_array[u];
- printf("%" PRIu32 " ", s->id);
- }
-#endif
- printf("\n");
- }
- }
- }
- for (global_dst_gr = global_dst_gh->any_head;
- global_dst_gr != NULL;
- global_dst_gr = global_dst_gr->next)
- {
- printf(" - "); DetectAddressPrint(global_dst_gr);
- //printf(" (sh %p) ", global_dst_gr->sh);
- if (global_dst_gr->sh) {
- if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
- printf("(COPY)\n");
- } else {
- printf("\n");
- }
- }
- DetectPort *sp = global_dst_gr->port;
- for ( ; sp != NULL; sp = sp->next) {
- printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n");
- DetectPort *dp = sp->dst_ph;
- for ( ; dp != NULL; dp = dp->next) {
- printf(" * Dst port(range): "); DetectPortPrint(dp);
- printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt);
-#ifdef PRINTSIGS
- printf(" - ");
- for (u = 0; u < dp->sh->sig_cnt; u++) {
- Signature *s = dp->sh->match_array[u];
- printf("%" PRIu32 " ", s->id);
- }
-#endif
- printf("\n");
- }
- }
- }
- }
-#if 0
- for (global_src_gr = de_ctx->flow_gh[f].src_gh[proto]->ipv6_head; global_src_gr != NULL;
- global_src_gr = global_src_gr->next)
- {
- printf("- "); DetectAddressPrint(global_src_gr);
- //printf(" (sh %p)\n", global_src_gr->sh);
-
- global_dst_gh = global_src_gr->dst_gh;
- if (global_dst_gh == NULL)
- continue;
-
- for (global_dst_gr = global_dst_gh->ipv6_head;
- global_dst_gr != NULL;
- global_dst_gr = global_dst_gr->next)
- {
- printf(" - "); DetectAddressPrint(global_dst_gr);
- //printf(" (sh %p) ", global_dst_gr->sh);
- if (global_dst_gr->sh) {
- if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
- printf("(COPY)\n");
- } else {
- printf("\n");
- }
- }
- DetectPort *sp = global_dst_gr->port;
- for ( ; sp != NULL; sp = sp->next) {
- printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n");
- DetectPort *dp = sp->dst_ph;
- for ( ; dp != NULL; dp = dp->next) {
- printf(" * Dst port(range): "); DetectPortPrint(dp);
- printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt);
-#ifdef PRINTSIGS
- printf(" - ");
- for (u = 0; u < dp->sh->sig_cnt; u++) {
- Signature *s = de_ctx->sig_array[dp->sh->match_array[u]];
- printf("%" PRIu32 " ", s->id);
- }
-#endif
- printf("\n");
- }
- }
- }
- for (global_dst_gr = global_dst_gh->any_head;
- global_dst_gr != NULL;
- global_dst_gr = global_dst_gr->next)
- {
- printf(" - "); DetectAddressPrint(global_dst_gr);
- //printf(" (sh %p) ", global_dst_gr->sh);
- if (global_dst_gr->sh) {
- if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
- printf("(COPY)\n");
- } else {
- printf("\n");
- }
- }
- DetectPort *sp = global_dst_gr->port;
- for ( ; sp != NULL; sp = sp->next) {
- printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n");
- DetectPort *dp = sp->dst_ph;
- for ( ; dp != NULL; dp = dp->next) {
- printf(" * Dst port(range): "); DetectPortPrint(dp);
- printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt);
-#ifdef PRINTSIGS
- printf(" - ");
- for (u = 0; u < dp->sh->sig_cnt; u++) {
- Signature *s = de_ctx->sig_array[dp->sh->match_array[u]];
- printf("%" PRIu32 " ", s->id);
- }
-#endif
- printf("\n");
- }
- }
- }
- }
-
- for (global_src_gr = de_ctx->flow_gh[f].src_gh[proto]->any_head; global_src_gr != NULL;
- global_src_gr = global_src_gr->next)
- {
- printf("- "); DetectAddressPrint(global_src_gr);
- //printf(" (sh %p)\n", global_src_gr->sh);
-
- global_dst_gh = global_src_gr->dst_gh;
- if (global_dst_gh == NULL)
- continue;
-
- for (global_dst_gr = global_dst_gh->any_head;
- global_dst_gr != NULL;
- global_dst_gr = global_dst_gr->next)
- {
- printf(" - "); DetectAddressPrint(global_dst_gr);
- //printf(" (sh %p) ", global_dst_gr->sh);
- if (global_dst_gr->sh) {
- if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
- printf("(COPY)\n");
- } else {
- printf("\n");
- }
- }
- DetectPort *sp = global_dst_gr->port;
- for ( ; sp != NULL; sp = sp->next) {
- printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n");
- DetectPort *dp = sp->dst_ph;
- for ( ; dp != NULL; dp = dp->next) {
- printf(" * Dst port(range): "); DetectPortPrint(dp);
- printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt);
-#ifdef PRINTSIGS
- printf(" - ");
- for (u = 0; u < dp->sh->sig_cnt; u++) {
- Signature *s = de_ctx->sig_array[dp->sh->match_array[u]];
- printf("%" PRIu32 " ", s->id);
- }
-#endif
- printf("\n");
- }
- }
- }
- for (global_dst_gr = global_dst_gh->ipv4_head;
- global_dst_gr != NULL;
- global_dst_gr = global_dst_gr->next)
- {
- printf(" - "); DetectAddressPrint(global_dst_gr);
- //printf(" (sh %p) ", global_dst_gr->sh);
- if (global_dst_gr->sh) {
- if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
- printf("(COPY)\n");
- } else {
- printf("\n");
- }
- }
- DetectPort *sp = global_dst_gr->port;
- for ( ; sp != NULL; sp = sp->next) {
- printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n");
- DetectPort *dp = sp->dst_ph;
- for ( ; dp != NULL; dp = dp->next) {
- printf(" * Dst port(range): "); DetectPortPrint(dp);
- printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt);
-#ifdef PRINTSIGS
- printf(" - ");
- for (u = 0; u < dp->sh->sig_cnt; u++) {
- Signature *s = de_ctx->sig_array[dp->sh->match_array[u]];
- printf("%" PRIu32 " ", s->id);
- }
-#endif
- printf("\n");
- }
- }
- }
- for (global_dst_gr = global_dst_gh->ipv6_head;
- global_dst_gr != NULL;
- global_dst_gr = global_dst_gr->next)
- {
- printf(" - "); DetectAddressPrint(global_dst_gr);
- //printf(" (sh %p) ", global_dst_gr->sh);
- if (global_dst_gr->sh) {
- if (global_dst_gr->sh->flags & ADDRESS_SIGGROUPHEAD_COPY) {
- printf("(COPY)\n");
- } else {
- printf("\n");
- }
- }
- DetectPort *sp = global_dst_gr->port;
- for ( ; sp != NULL; sp = sp->next) {
- printf(" * Src port(range): "); DetectPortPrint(sp); printf("\n");
- DetectPort *dp = sp->dst_ph;
- for ( ; dp != NULL; dp = dp->next) {
- printf(" * Dst port(range): "); DetectPortPrint(dp);
- printf(" (sigs %" PRIu32 ")", dp->sh->sig_cnt);
-#ifdef PRINTSIGS
- printf(" - ");
- for (u = 0; u < dp->sh->sig_cnt; u++) {
- Signature *s = de_ctx->sig_array[dp->sh->match_array[u]];
- printf("%" PRIu32 " ", s->id);
- }
-#endif
- printf("\n");
- }
- }
- }
- }
-#endif
- }
- }
-
- printf("* Building signature grouping structure, stage 5: print... done\n");
- return 0;
-}
-
-static int SigMatchListLen(SigMatch *sm)
-{
- int len = 0;
- for (; sm != NULL; sm = sm->next)
- len++;
-
- return len;
-}
-
-static int SigMatchPrepare(DetectEngineCtx *de_ctx)
-{
- SCEnter();
-
- Signature *s = de_ctx->sig_list;
- for (; s != NULL; s = s->next) {
- int type;
- for (type = 0; type < DETECT_SM_LIST_MAX; type++) {
- SigMatch *sm = s->sm_lists[type];
- int len = SigMatchListLen(sm);
- if (len == 0)
- s->sm_arrays[type] = NULL;
- else {
- SigMatchData *smd = (SigMatchData*)SCMalloc(len * sizeof(SigMatchData));
- if (smd == NULL) {
- SCLogError(SC_ERR_DETECT_PREPARE, "initializing the detection engine failed");
- exit(EXIT_FAILURE);
- }
- /* Copy sm type and Context into array */
- s->sm_arrays[type] = smd;
- for (; sm != NULL; sm = sm->next, smd++) {
- smd->type = sm->type;
- smd->ctx = sm->ctx;
- smd->is_last = (sm->next == NULL);
- }
- }
- }
- }
-
- SCReturnInt(0);
-}
-
-/**
- * \brief Convert the signature list into the runtime match structure.
- *
- * \param de_ctx Pointer to the Detection Engine Context whose Signatures have
- * to be processed
- *
- * \retval 0 On Success.
- * \retval -1 On failure.
- */
-int SigGroupBuild(DetectEngineCtx *de_ctx)
-{
- Signature *s = de_ctx->sig_list;
+/**
+ * \brief Convert the signature list into the runtime match structure.
+ *
+ * \param de_ctx Pointer to the Detection Engine Context whose Signatures have
+ * to be processed
+ *
+ * \retval 0 On Success.
+ * \retval -1 On failure.
+ */
+int SigGroupBuild(DetectEngineCtx *de_ctx)
+{
+ Signature *s = de_ctx->sig_list;
/* Assign the unique order id of signatures after sorting,
* so the IP Only engine process them in order too. Also
return result;
}
-static int SigTestSgh01 (void)
+static int SigTestContent01 (void)
{
+ uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
+ uint16_t buflen = strlen((char *)buf);
ThreadVars th_v;
- int result = 0;
DetectEngineThreadCtx *det_ctx = NULL;
+ int result = 0;
+
memset(&th_v, 0, sizeof(th_v));
Packet *p = NULL;
- p = UTHBuildPacketSrcDstPorts((uint8_t *)"a", 1, IPPROTO_TCP, 12345, 80);
+ p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
}
de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"1\"; content:\"one\"; sid:1;)");
+ de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
- if (de_ctx->sig_list->num != 0) {
- printf("internal id != 0: ");
- goto end;
- }
-
- de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 81 (msg:\"2\"; content:\"two\"; content:\"abcd\"; sid:2;)");
- if (de_ctx->sig_list->next == NULL) {
- result = 0;
- goto end;
- }
- if (de_ctx->sig_list->next->num != 1) {
- printf("internal id != 1: ");
- goto end;
- }
-
- de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"3\"; content:\"three\"; sid:3;)");
- if (de_ctx->sig_list->next->next == NULL) {
- result = 0;
- goto end;
- }
- if (de_ctx->sig_list->next->next->num != 2) {
- printf("internal id != 2: ");
- goto end;
- }
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
- SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-#if 0
- printf("-\n");
- printf("sgh->mpm_content_maxlen %u\n", sgh->mpm_content_maxlen);
- printf("sgh->mpm_uricontent_maxlen %u\n", sgh->mpm_uricontent_maxlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
-#endif
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->match_array == NULL) {
- printf("sgh->match_array == NULL: ");
- goto end;
- }
-
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have (sgh->match_array[0] %p, expected %p): ", sgh->match_array[0], de_ctx->sig_list);
- goto end;
- }
- if (sgh->match_array[1] != de_ctx->sig_list->next->next) {
- printf("sgh doesn't contain sid 3, should have: ");
- goto end;
- }
-
- p->dp = 81;
-
- SigGroupHead *sgh2 = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh2 == NULL) {
- printf("no sgh2: ");
- goto end;
- }
-#if 0
- if (!(SigGroupHeadContainsSigId(de_ctx, sgh2, 1))) {
- printf("sgh2 doesn't have sid 1: ");
- goto end;
- }
-#endif
- if (sgh2->sig_cnt != 1) {
- printf("expected one sig, got %u in sgh2: ", sgh2->sig_cnt);
- goto end;
- }
-
- if (sgh2->match_array[0] != de_ctx->sig_list->next) {
- printf("sgh doesn't contain sid 2, should have (sgh2->match_array[0] %p, expected %p): ",
- sgh2->match_array[0], de_ctx->sig_list->next);
- goto end;
- }
-
-#if 0
- printf("-\n");
- printf("sgh2->mpm_content_minlen %u\n", sgh2->mpm_content_minlen);
- printf("sgh2->mpm_uricontent_minlen %u\n", sgh2->mpm_uricontent_minlen);
- printf("sgh2->sig_cnt %u\n", sgh2->sig_cnt);
- printf("sgh2->sig_size %u\n", sgh2->sig_size);
-#endif
- if (sgh2->mpm_content_minlen != 4) {
- printf("sgh2->mpm_content_minlen %u, expected 4: ", sgh2->mpm_content_minlen);
- goto end;
- }
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+ if (PacketAlertCheck(p, 1))
+ result = 1;
+ else
+ printf("sig 1 didn't match: ");
- if (sgh2->match_array[0] != de_ctx->sig_list->next) {
- printf("sgh2 doesn't contain sid 2, should have: ");
- goto end;
- }
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- SigGroupCleanup(de_ctx);
DetectEngineCtxFree(de_ctx);
-
- result = 1;
end:
+ UTHFreePackets(&p, 1);
return result;
}
-static int SigTestSgh02 (void)
+static int SigTestContent02 (void)
{
+ uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
+ uint16_t buflen = strlen((char *)buf);
ThreadVars th_v;
- int result = 0;
DetectEngineThreadCtx *det_ctx = NULL;
- Packet *p = NULL;
- p = UTHBuildPacketSrcDstPorts((uint8_t *)"a", 1, IPPROTO_TCP, 12345, 80);
+ int result = 0;
memset(&th_v, 0, sizeof(th_v));
+ Packet *p = NULL;
+ p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
}
de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80:82 (msg:\"1\"; content:\"one\"; content:\"1\"; sid:1;)");
+ de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
- if (de_ctx->sig_list->num != 0) {
- printf("internal id != 0: ");
- goto end;
- }
- de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any 81 (msg:\"2\"; content:\"two2\"; content:\"abcdef\"; sid:2;)");
+ de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
if (de_ctx->sig_list->next == NULL) {
result = 0;
goto end;
}
- if (de_ctx->sig_list->next->num != 1) {
- printf("internal id != 1: ");
- goto end;
- }
- de_ctx->sig_list->next->next = SigInit(de_ctx,"alert tcp any any -> any 80:81 (msg:\"3\"; content:\"three\"; content:\"abcdefgh\"; sid:3;)");
- if (de_ctx->sig_list->next->next == NULL) {
- result = 0;
- goto end;
- }
- if (de_ctx->sig_list->next->next->num != 2) {
- printf("internal id != 2: ");
- goto end;
- }
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
- SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+ if (PacketAlertCheck(p, 1)) {
+ if (PacketAlertCheck(p, 2)) {
+ result = 1;
+ } else
+ printf("sig 2 didn't match: ");
}
+ else
+ printf("sig 1 didn't match: ");
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->match_array == NULL) {
- printf("sgh->match_array == NULL: ");
- goto end;
- }
-
- if (sgh->sig_cnt != 2) {
- printf("sgh sig cnt %u, expected 2: ", sgh->sig_cnt);
- goto end;
- }
-
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have (sgh->match_array[0] %p, expected %p): ", sgh->match_array[0], de_ctx->sig_list);
- goto end;
- }
- if (sgh->match_array[1] != de_ctx->sig_list->next->next) {
- printf("sgh doesn't contain sid 3, should have: ");
- goto end;
- }
-#if 0
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- p->dp = 81;
-
- sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->sig_cnt != 3) {
- printf("sgh sig cnt %u, expected 3: ", sgh->sig_cnt);
- goto end;
- }
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have: ");
- goto end;
- }
- if (sgh->match_array[1] != de_ctx->sig_list->next) {
- printf("sgh doesn't contain sid 2, should have: ");
- goto end;
- }
- if (sgh->match_array[2] != de_ctx->sig_list->next->next) {
- printf("sgh doesn't contain sid 3, should have: ");
- goto end;
- }
-#if 0
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- p->dp = 82;
-
- sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->sig_cnt != 1) {
- printf("sgh sig cnt %u, expected 1: ", sgh->sig_cnt);
- goto end;
- }
-
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have: ");
- goto end;
- }
-#if 0
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- p->src.family = AF_INET6;
- p->dst.family = AF_INET6;
-
- sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->sig_cnt != 1) {
- printf("sgh sig cnt %u, expected 1: ", sgh->sig_cnt);
- goto end;
- }
-
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have: ");
- goto end;
- }
-#if 0
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- result = 1;
-end:
- return result;
-}
-
-static int SigTestSgh03 (void)
-{
- ThreadVars th_v;
- int result = 0;
- Packet *p = SCMalloc(SIZE_OF_PACKET);
- if (unlikely(p == NULL))
- return 0;
- DetectEngineThreadCtx *det_ctx = NULL;
-
- memset(&th_v, 0, sizeof(th_v));
- memset(p, 0, SIZE_OF_PACKET);
- p->src.family = AF_INET;
- p->dst.family = AF_INET;
- p->payload_len = 1;
- p->proto = IPPROTO_TCP;
- p->dp = 80;
- p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.6 any (msg:\"1\"; content:\"one\"; content:\"1\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
- if (de_ctx->sig_list->num != 0) {
- printf("internal id != 0: ");
- goto end;
- }
-
- de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> 1.2.3.5 any (msg:\"2\"; content:\"two2\"; content:\"abcdef\"; sid:2;)");
- if (de_ctx->sig_list->next == NULL) {
- result = 0;
- goto end;
- }
- if (de_ctx->sig_list->next->num != 1) {
- printf("internal id != 1: ");
- goto end;
- }
- de_ctx->sig_list->next->next = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.5 any (msg:\"3\"; content:\"three\"; content:\"abcdefgh\"; sid:3;)");
- if (de_ctx->sig_list->next->next == NULL) {
- result = 0;
- goto end;
- }
- if (de_ctx->sig_list->next->next->num != 2) {
- printf("internal id != 2: ");
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-#if 0
- printf("-\n");
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->match_array == NULL) {
- printf("sgh->match_array == NULL: ");
- goto end;
- }
-
- if (sgh->sig_cnt != 2) {
- printf("sgh sig cnt %u, expected 2: ", sgh->sig_cnt);
- goto end;
- }
-
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have (sgh->match_array[0] %p, expected %p): ", sgh->match_array[0], de_ctx->sig_list);
- goto end;
- }
- if (sgh->match_array[1] != de_ctx->sig_list->next->next) {
- printf("sgh doesn't contain sid 3, should have: ");
- goto end;
- }
-
- p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.5");
-
- sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-#if 0
- printf("-\n");
- printf("sgh %p\n", sgh);
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- if (sgh->sig_cnt != 3) {
- printf("sgh sig cnt %u, expected 3: ", sgh->sig_cnt);
- goto end;
- }
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have: ");
- goto end;
- }
- if (sgh->match_array[1] != de_ctx->sig_list->next) {
- printf("sgh doesn't contain sid 1, should have: ");
- goto end;
- }
- if (sgh->match_array[2] != de_ctx->sig_list->next->next) {
- printf("sgh doesn't contain sid 1, should have: ");
- goto end;
- }
-
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3 (%x): ", sgh->mpm_content_minlen, p->dst.addr_data32[0]);
- goto end;
- }
-
-
- p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.6");
-
- sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-#if 0
- printf("-\n");
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->sig_cnt != 1) {
- printf("sgh sig cnt %u, expected 1: ", sgh->sig_cnt);
- goto end;
- }
-
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have: ");
- goto end;
- }
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- result = 1;
-end:
- SCFree(p);
- return result;
-}
-
-static int SigTestSgh04 (void)
-{
- ThreadVars th_v;
- int result = 0;
- Packet *p = SCMalloc(SIZE_OF_PACKET);
- if (unlikely(p == NULL))
- return 0;
- DetectEngineThreadCtx *det_ctx = NULL;
-
- memset(&th_v, 0, sizeof(th_v));
- memset(p, 0, SIZE_OF_PACKET);
- p->src.family = AF_INET;
- p->dst.family = AF_INET;
- p->payload_len = 1;
- p->proto = IPPROTO_TCP;
- p->dp = 80;
- p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.6 any (msg:\"1\"; content:\"one\"; content:\"1\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
- if (de_ctx->sig_list->num != 0) {
- printf("internal id != 0: ");
- goto end;
- }
-
- de_ctx->sig_list->next = SigInit(de_ctx,"alert ip any any -> 1.2.3.5 any (msg:\"2\"; content:\"two2\"; content:\"abcdef\"; sid:2;)");
- if (de_ctx->sig_list->next == NULL) {
- result = 0;
- goto end;
- }
- if (de_ctx->sig_list->next->num != 1) {
- printf("internal id != 1: ");
- goto end;
- }
- de_ctx->sig_list->next->next = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.5 any (msg:\"3\"; content:\"three\"; content:\"abcdefgh\"; sid:3;)");
- if (de_ctx->sig_list->next->next == NULL) {
- result = 0;
- goto end;
- }
- if (de_ctx->sig_list->next->next->num != 2) {
- printf("internal id != 2: ");
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->match_array == NULL) {
- printf("sgh->match_array == NULL: ");
- goto end;
- }
-
- if (sgh->sig_cnt != 2) {
- printf("sgh sig cnt %u, expected 2: ", sgh->sig_cnt);
- goto end;
- }
-
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have (sgh->match_array[0] %p, expected %p): ", sgh->match_array[0], de_ctx->sig_list);
- goto end;
- }
- if (sgh->match_array[1] != de_ctx->sig_list->next->next) {
- printf("sgh doesn't contain sid 3, should have: ");
- goto end;
- }
-#if 0
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.5");
-
- sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->sig_cnt != 3) {
- printf("sgh sig cnt %u, expected 3: ", sgh->sig_cnt);
- goto end;
- }
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have: ");
- goto end;
- }
- if (sgh->match_array[1] != de_ctx->sig_list->next) {
- printf("sgh doesn't contain sid 2, should have: ");
- goto end;
- }
- if (sgh->match_array[2] != de_ctx->sig_list->next->next) {
- printf("sgh doesn't contain sid 3, should have: ");
- goto end;
- }
-#if 0
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.6");
-
- sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->sig_cnt != 1) {
- printf("sgh sig cnt %u, expected 1: ", sgh->sig_cnt);
- goto end;
- }
-
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have: ");
- goto end;
- }
-#if 0
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- p->proto = IPPROTO_GRE;
-
- sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-#if 0
- printf("-\n");
- printf("sgh->mpm_content_minlen %u\n", sgh->mpm_content_minlen);
- printf("sgh->mpm_uricontent_minlen %u\n", sgh->mpm_uricontent_minlen);
- printf("sgh->sig_cnt %u\n", sgh->sig_cnt);
- printf("sgh->sig_size %u\n", sgh->sig_size);
- printf("sgh->refcnt %u\n", sgh->refcnt);
-#endif
- if (sgh->mpm_content_minlen != 3) {
- printf("sgh->mpm_content_minlen %u, expected 3: ", sgh->mpm_content_minlen);
- goto end;
- }
-
- if (sgh->match_array[0] != de_ctx->sig_list) {
- printf("sgh doesn't contain sid 1, should have: ");
- goto end;
- }
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- result = 1;
-end:
- SCFree(p);
- return result;
-}
-
-/** \test setting of mpm type */
-static int SigTestSgh05 (void)
-{
- ThreadVars th_v;
- int result = 0;
- Packet *p = SCMalloc(SIZE_OF_PACKET);
- if (unlikely(p == NULL))
- return 0;
- DetectEngineThreadCtx *det_ctx = NULL;
-
- memset(&th_v, 0, sizeof(th_v));
- memset(p, 0, SIZE_OF_PACKET);
- p->src.family = AF_INET;
- p->dst.family = AF_INET;
- p->payload_len = 1;
- p->proto = IPPROTO_TCP;
- p->dp = 80;
- p->dst.addr_data32[0] = UTHSetIPv4Address("1.2.3.4");
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
- de_ctx->flags |= DE_QUIET;
- de_ctx->mpm_matcher = MPM_AC;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> 1.2.3.4-1.2.3.6 any (msg:\"1\"; content:\"one\"; content:\"1\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigGroupHead *sgh = SigMatchSignaturesGetSgh(de_ctx, det_ctx, p);
- if (sgh == NULL) {
- printf("no sgh: ");
- goto end;
- }
-
- if (sgh->mpm_proto_tcp_ctx_ts != NULL || sgh->mpm_proto_tcp_ctx_tc != NULL ||
- sgh->mpm_proto_udp_ctx_ts != NULL || sgh->mpm_proto_udp_ctx_tc != NULL ||
- sgh->mpm_proto_other_ctx != NULL) {
- printf("sgh->mpm_proto_tcp_ctx_ts != NULL || sgh->mpm_proto_tcp_ctx_tc != NULL"
- "sgh->mpm_proto_udp_ctx_ts != NULL || sgh->mpm_proto_udp_ctx_tc != NULL"
- "sgh->mpm_proto_other_ctx != NULL: ");
- goto end;
- }
-
- if (sgh->mpm_stream_ctx_ts == NULL || sgh->mpm_stream_ctx_tc == NULL) {
- printf("sgh->mpm_stream_ctx == NULL || sgh->mpm_stream_ctx_tc == NULL: ");
- goto end;
- }
-
- if (sgh->mpm_stream_ctx_ts->mpm_type != MPM_AC) {
- printf("sgh->mpm_type != MPM_AC, expected %d, got %d: ", MPM_AC, sgh->mpm_stream_ctx_ts->mpm_type);
- goto end;
- }
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- SigGroupCleanup(de_ctx);
- DetectEngineCtxFree(de_ctx);
-
- result = 1;
-end:
- SCFree(p);
- return result;
-}
-
-static int SigTestContent01 (void)
-{
- uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
- uint16_t buflen = strlen((char *)buf);
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- int result = 0;
-
- memset(&th_v, 0, sizeof(th_v));
-
- Packet *p = NULL;
- p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1))
- result = 1;
- else
- printf("sig 1 didn't match: ");
-
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-end:
- UTHFreePackets(&p, 1);
- return result;
-}
-
-static int SigTestContent02 (void)
-{
- uint8_t *buf = (uint8_t *)"01234567890123456789012345678901";
- uint16_t buflen = strlen((char *)buf);
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- int result = 0;
-
- memset(&th_v, 0, sizeof(th_v));
- Packet *p = NULL;
- p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
-
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 32\"; content:\"01234567890123456789012345678901\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- result = 0;
- goto end;
- }
-
- de_ctx->sig_list->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Test 31\"; content:\"0123456789012345678901234567890\"; sid:2;)");
- if (de_ctx->sig_list->next == NULL) {
- result = 0;
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
- if (PacketAlertCheck(p, 1)) {
- if (PacketAlertCheck(p, 2)) {
- result = 1;
- } else
- printf("sig 2 didn't match: ");
- }
- else
- printf("sig 1 didn't match: ");
-
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
UtRegisterTest("SigTestMemory02", SigTestMemory02, 1);
UtRegisterTest("SigTestMemory03", SigTestMemory03, 1);
- UtRegisterTest("SigTestSgh01", SigTestSgh01, 1);
- UtRegisterTest("SigTestSgh02", SigTestSgh02, 1);
- UtRegisterTest("SigTestSgh03", SigTestSgh03, 1);
- UtRegisterTest("SigTestSgh04", SigTestSgh04, 1);
- UtRegisterTest("SigTestSgh05", SigTestSgh05, 1);
-
UtRegisterTest("SigTestContent01 -- 32 byte pattern", SigTestContent01, 1);
UtRegisterTest("SigTestContent02 -- 32+31 byte pattern", SigTestContent02, 1);
UtRegisterTest("SigTestContent03 -- 32 byte pattern, x2 + distance", SigTestContent03, 1);
projects / thirdparty / suricata.git / commitdiff
