From: Victor Julien Date: Fri, 30 Mar 2012 08:09:03 +0000 (+0200) Subject: Fix parsing of tcp-pkt and tcp-stream sigs, add unittest. X-Git-Tag: suricata-1.3beta1~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=073ce64786b2f71b39bde32f3b7d7a1bd657952f;p=thirdparty%2Fsuricata.git Fix parsing of tcp-pkt and tcp-stream sigs, add unittest.
---
diff --git a/src/detect-engine-proto.c b/src/detect-engine-proto.c
index fcee7149d1..4af96b8c1d 100644
--- a/src/detect-engine-proto.c
+++ b/src/detect-engine-proto.c
@@ -471,6 +471,43 @@ cleanup:
 end:
 return result;
 }
+
+/**
+ * \test signature parsing with tcp-pkt and tcp-stream
+ */
+
+static int DetectProtoTestSig02(void) {
+ Signature *s = NULL;
+ int result = 0;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp-pkt any any -> any any "
+ "(msg:\"tcp-pkt\"; content:\"blah\"; sid:1;)");
+ if (s == NULL) {
+ printf("tcp-pkt sig parsing failed: ");
+ goto end;
+ }
+
+ s = s->next = SigInit(de_ctx,"alert tcp-stream any any -> any any "
+ "(msg:\"tcp-stream\"; content:\"blah\"; sid:2;)");
+ if (s == NULL) {
+ printf("tcp-pkt sig parsing failed: ");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
 #endif /* UNITTESTS */
 /**
@@ -488,6 +525,7 @@ void DetectProtoTests(void)
 UtRegisterTest("ProtoTestParse07", ProtoTestParse07, 1);
 UtRegisterTest("DetectProtoTestSetup01", DetectProtoTestSetup01, 1);
 UtRegisterTest("DetectProtoTestSig01", DetectProtoTestSig01, 1);
+ UtRegisterTest("DetectProtoTestSig02", DetectProtoTestSig02, 1);
 #endif /* UNITTESTS */
 }
diff --git a/src/detect-parse.c b/src/detect-parse.c
index b9535904dc..98a651fa9b 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
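Review bot: The failure message in the second `if (s == NULL)` branch of DetectProtoTestSig02 still reads `tcp-pkt sig parsing failed: ` although that branch checks the tcp-stream rule, so a failing run points at the wrong signature; it should be `printf("tcp-stream sig parsing failed: ");`. The test also asserts only that both rules parse, not what they parse to, so a check on the parsed signature's protocol state would pin the packet-versus-stream distinction these rules depend on. Because the protocol capture in CONFIG_PCRE now admits `-`, a negative case with an unknown hyphenated protocol name, expecting SigInit to return NULL, would confirm that such rules are still rejected after the regex; I assume that rejection happens in the protocol lookup, which is not shown in this diff.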
@@ -91,7 +91,7 @@ typedef struct SigDuplWrapper_ { #define CONFIG_OPTS 7 // action protocol src sp dir dst dp options -#define CONFIG_PCRE "^([A-z]+)\\s+([A-z0-9]+)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,\\/]+)\\s+([\\:A-z0-9_\\$\\!,]+)\\s+(-\\>|\\<\\>|\\<\\-)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,/]+)\\s+([\\:A-z0-9_\\$\\!,]+)(?:\\s+\\((.*)?(?:\\s*)\\))?(?:(?:\\s*)\\n)?\\s*$" +#define CONFIG_PCRE "^([A-z]+)\\s+([A-z0-9\\-]+)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,\\/]+)\\s+([\\:A-z0-9_\\$\\!,]+)\\s+(-\\>|\\<\\>|\\<\\-)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,/]+)\\s+([\\:A-z0-9_\\$\\!,]+)(?:\\s+\\((.*)?(?:\\s*)\\))?(?:(?:\\s*)\\n)?\\s*$" #define OPTION_PARTS 3 #define OPTION_PCRE "^\\s*([A-z_0-9-\\.]+)(?:\\s*\\:\\s*(.*)(?